selinux-policy/policy-rawhide-contrib.patch
2017-11-24 18:20:55 +01:00

125371 lines
3.5 MiB

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000..bea575523
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+TAGS
diff --git a/abrt.fc b/abrt.fc
index 1a93dc578..e948aef59 100644
--- a/abrt.fc
+++ b/abrt.fc
@@ -1,31 +1,47 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
-/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
-/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
-/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
+
+/usr/bin/abrt-dump-.* -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-uefioops-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
+/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
+
+/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-install-ccpp-hook -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
-/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/libexec/abrt-hook-ccpp -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+
+/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+
+/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
+
+/var/lib/abrt(/.*)? gen_context(system_u:object_r:abrt_var_lib_t,s0)
+
+/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
-/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
-/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
-/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+/var/spool/faf(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+/var/spool/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/spool/rhsm/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/tmp/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
-/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/abrt.if b/abrt.if
index 058d908e4..ee0c55969 100644
--- a/abrt.if
+++ b/abrt.if
@@ -1,4 +1,42 @@
-## <summary>Automated bug-reporting tool.</summary>
+## <summary>ABRT - automated bug-reporting tool</summary>
+
+########################################
+## <summary>
+## abrt stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_stub',`
+ gen_require(`
+ type abrt_t;
+ ')
+')
+
+######################################
+## <summary>
+## Creates types and rules for a basic
+## ABRT daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`abrt_basic_types_template',`
+ gen_require(`
+ attribute abrt_domain;
+ ')
+
+ type $1_t, abrt_domain;
+ type $1_exec_t;
+
+ kernel_read_system_state($1_t)
+')
######################################
## <summary>
@@ -21,6 +59,25 @@ interface(`abrt_domtrans',`
######################################
## <summary>
+## Execute abrt_dump_oops in the abrt_dump_oops_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`abrt_dump_oops_domtrans',`
+ gen_require(`
+ type abrt_dump_oops_t, abrt_dump_oops_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+')
+
+######################################
+## <summary>
## Execute abrt in the caller domain.
## </summary>
## <param name="domain">
@@ -40,7 +97,7 @@ interface(`abrt_exec',`
########################################
## <summary>
-## Send null signals to abrt.
+## Send a null signal to abrt.
## </summary>
## <param name="domain">
## <summary>
@@ -58,7 +115,7 @@ interface(`abrt_signull',`
########################################
## <summary>
-## Read process state of abrt.
+## Allow the domain to read abrt state files in /proc.
## </summary>
## <param name="domain">
## <summary>
@@ -71,12 +128,13 @@ interface(`abrt_read_state',`
type abrt_t;
')
+ kernel_search_proc($1)
ps_process_pattern($1, abrt_t)
')
########################################
## <summary>
-## Connect to abrt over an unix stream socket.
+## Connect to abrt over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -116,8 +174,7 @@ interface(`abrt_dbus_chat',`
#####################################
## <summary>
-## Execute abrt-helper in the abrt
-## helper domain.
+## Execute abrt-helper in the abrt-helper domain.
## </summary>
## <param name="domain">
## <summary>
@@ -130,15 +187,13 @@ interface(`abrt_domtrans_helper',`
type abrt_helper_t, abrt_helper_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
')
########################################
## <summary>
-## Execute abrt helper in the abrt
-## helper domain, and allow the
-## specified role the abrt helper domain.
+## Execute abrt helper in the abrt_helper domain, and
+## allow the specified role the abrt_helper domain.
## </summary>
## <param name="domain">
## <summary>
@@ -163,8 +218,7 @@ interface(`abrt_run_helper',`
########################################
## <summary>
-## Create, read, write, and delete
-## abrt cache files.
+## Read abrt cache
## </summary>
## <param name="domain">
## <summary>
@@ -172,15 +226,56 @@ interface(`abrt_run_helper',`
## </summary>
## </param>
#
-interface(`abrt_cache_manage',`
- refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
- abrt_manage_cache($1)
+interface(`abrt_read_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+ read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## abrt cache content.
+## Append abrt cache
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_append_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+
+ allow $1 abrt_var_cache_t:file append_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Read/Write inherited abrt cache
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_rw_inherited_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+
+ allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Manage abrt cache
## </summary>
## <param name="domain">
## <summary>
@@ -193,7 +288,6 @@ interface(`abrt_manage_cache',`
type abrt_var_cache_t;
')
- files_search_var($1)
manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
@@ -201,7 +295,7 @@ interface(`abrt_manage_cache',`
####################################
## <summary>
-## Read abrt configuration files.
+## Read abrt configuration file.
## </summary>
## <param name="domain">
## <summary>
@@ -218,9 +312,29 @@ interface(`abrt_read_config',`
read_files_pattern($1, abrt_etc_t, abrt_etc_t)
')
+####################################
+## <summary>
+## Dontaudit read abrt configuration file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_dontaudit_read_config',`
+ gen_require(`
+ type abrt_etc_t;
+ ')
+
+ files_search_etc($1)
+ dontaudit $1 abrt_etc_t:dir list_dir_perms;
+ dontaudit $1 abrt_etc_t:file read_file_perms;
+')
+
######################################
## <summary>
-## Read abrt log files.
+## Read abrt logs.
## </summary>
## <param name="domain">
## <summary>
@@ -258,8 +372,7 @@ interface(`abrt_read_pid_files',`
######################################
## <summary>
-## Create, read, write, and delete
-## abrt PID files.
+## Create, read, write, and delete abrt PID files.
## </summary>
## <param name="domain">
## <summary>
@@ -276,10 +389,52 @@ interface(`abrt_manage_pid_files',`
manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
')
+########################################
+## <summary>
+## Read and write abrt fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_rw_fifo_file',`
+ gen_require(`
+ type abrt_t;
+ ')
+
+ allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Execute abrt server in the abrt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`abrt_systemctl',`
+ gen_require(`
+ type abrt_t;
+ type abrt_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 abrt_unit_file_t:file manage_file_perms;
+ allow $1 abrt_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, abrt_t)
+')
+
#####################################
## <summary>
-## All of the rules required to
-## administrate an abrt environment,
+## All of the rules required to administrate
+## an abrt environment
## </summary>
## <param name="domain">
## <summary>
@@ -288,39 +443,174 @@ interface(`abrt_manage_pid_files',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the abrt domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`abrt_admin',`
gen_require(`
- attribute abrt_domain;
- type abrt_t, abrt_etc_t, abrt_initrc_exec_t;
- type abrt_var_cache_t, abrt_var_log_t, abrt_retrace_cache_t;
- type abrt_var_run_t, abrt_tmp_t, abrt_retrace_spool_t;
+ type abrt_t, abrt_etc_t;
+ type abrt_var_cache_t, abrt_var_log_t;
+ type abrt_var_run_t, abrt_tmp_t;
+ type abrt_initrc_exec_t;
+ type abrt_unit_file_t;
')
- allow $1 abrt_domain:process { ptrace signal_perms };
- ps_process_pattern($1, abrt_domain)
+ allow $1 abrt_t:process { signal_perms };
+ ps_process_pattern($1, abrt_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 abrt_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, abrt_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 abrt_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, abrt_etc_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, abrt_var_log_t)
- files_search_var($1)
- admin_pattern($1, { abrt_retrace_cache_t abrt_var_cache_t abrt_retrace_spool_t })
+ files_list_var($1)
+ admin_pattern($1, abrt_var_cache_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, abrt_var_run_t)
- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, abrt_tmp_t)
+
+ abrt_systemctl($1)
+ admin_pattern($1, abrt_unit_file_t)
+ allow $1 abrt_unit_file_t:service all_service_perms;
+')
+
+####################################
+## <summary>
+## Execute abrt-retrace in the abrt-retrace domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`abrt_domtrans_retrace_worker',`
+ gen_require(`
+ type abrt_retrace_worker_t, abrt_retrace_worker_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, abrt_retrace_worker_exec_t, abrt_retrace_worker_t)
+')
+
+######################################
+## <summary>
+## Manage abrt retrace server cache
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_manage_spool_retrace',`
+ gen_require(`
+ type abrt_retrace_spool_t;
+ ')
+
+ manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ manage_sock_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
')
+
+#####################################
+## <summary>
+## Read abrt retrace server cache
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_read_spool_retrace',`
+ gen_require(`
+ type abrt_retrace_spool_t;
+ ')
+
+ list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+')
+
+
+#####################################
+## <summary>
+## Read abrt retrace server cache
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_read_cache_retrace',`
+ gen_require(`
+ type abrt_retrace_cache_t;
+ ')
+
+ list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+ read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+ read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write abrt sock files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`abrt_dontaudit_write_sock_file',`
+ gen_require(`
+ type abrt_t;
+ ')
+
+ dontaudit $1 abrt_t:sock_file write;
+')
+
+########################################
+## <summary>
+## Transition to abrt named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_filetrans_named_content',`
+ gen_require(`
+ type abrt_tmp_t;
+ type abrt_etc_t;
+ type abrt_var_cache_t;
+ type abrt_var_run_t;
+ ')
+
+ files_tmp_filetrans($1, abrt_var_cache_t, dir, "abrt")
+ files_etc_filetrans($1, abrt_etc_t, dir, "abrt")
+ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt")
+ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")
+ files_var_filetrans($1, abrt_var_cache_t, dir, "debug")
+ files_pid_filetrans($1, abrt_var_run_t, dir, "abrt")
+')
+
diff --git a/abrt.te b/abrt.te
index eb50f070f..c23bb4b86 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
#
## <desc>
-## <p>
-## Determine whether ABRT can modify
-## public files used for public file
-## transfer services.
-## </p>
+## <p>
+## Allow ABRT to modify public files
+## used for public file transfer services.
+## </p>
## </desc>
gen_tunable(abrt_anon_write, false)
@@ -37,87 +36,99 @@ attribute abrt_domain;
attribute_role abrt_helper_roles;
roleattribute system_r abrt_helper_roles;
-type abrt_t, abrt_domain;
-type abrt_exec_t;
+abrt_basic_types_template(abrt)
init_daemon_domain(abrt_t, abrt_exec_t)
type abrt_initrc_exec_t;
init_script_file(abrt_initrc_exec_t)
+type abrt_unit_file_t;
+systemd_unit_file(abrt_unit_file_t)
+
type abrt_etc_t;
files_config_file(abrt_etc_t)
type abrt_var_log_t;
logging_log_file(abrt_var_log_t)
+type abrt_var_lib_t;
+files_type(abrt_var_lib_t)
+
type abrt_tmp_t;
files_tmp_file(abrt_tmp_t)
type abrt_var_cache_t;
files_type(abrt_var_cache_t)
+files_tmp_file(abrt_var_cache_t)
+userdom_user_tmp_content(abrt_var_cache_t)
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
-type abrt_dump_oops_t, abrt_domain;
-type abrt_dump_oops_exec_t;
+abrt_basic_types_template(abrt_dump_oops)
init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)
+domain_obj_id_change_exemption(abrt_dump_oops_t)
-type abrt_handle_event_t, abrt_domain;
-type abrt_handle_event_exec_t;
-domain_type(abrt_handle_event_t)
-domain_entry_file(abrt_handle_event_t, abrt_handle_event_exec_t)
+abrt_basic_types_template(abrt_handle_event)
+application_domain(abrt_handle_event_t, abrt_handle_event_exec_t)
role system_r types abrt_handle_event_t;
-type abrt_helper_t, abrt_domain;
-type abrt_helper_exec_t;
+# type needed to allow all domains
+# to handle /var/cache/abrt
+# type needed to allow all domains
+# to handle /var/cache/abrt
+abrt_basic_types_template(abrt_helper)
application_domain(abrt_helper_t, abrt_helper_exec_t)
role abrt_helper_roles types abrt_helper_t;
-type abrt_retrace_coredump_t, abrt_domain;
-type abrt_retrace_coredump_exec_t;
-domain_type(abrt_retrace_coredump_t)
-domain_entry_file(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
-role system_r types abrt_retrace_coredump_t;
-
-type abrt_retrace_worker_t, abrt_domain;
-type abrt_retrace_worker_exec_t;
-domain_type(abrt_retrace_worker_t)
-domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
+abrt_basic_types_template(abrt_retrace_worker)
+application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
role system_r types abrt_retrace_worker_t;
+abrt_basic_types_template(abrt_retrace_coredump)
+application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
+role system_r types abrt_retrace_coredump_t;
+
type abrt_retrace_cache_t;
files_type(abrt_retrace_cache_t)
type abrt_retrace_spool_t;
-files_type(abrt_retrace_spool_t)
+files_spool_file(abrt_retrace_spool_t)
-type abrt_watch_log_t, abrt_domain;
-type abrt_watch_log_exec_t;
+abrt_basic_types_template(abrt_watch_log)
init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
-type abrt_upload_watch_t, abrt_domain;
-type abrt_upload_watch_exec_t;
+abrt_basic_types_template(abrt_upload_watch)
init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
+type abrt_upload_watch_tmp_t;
+files_tmp_file(abrt_upload_watch_tmp_t)
+
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
')
########################################
#
-# Local policy
+# abrt local policy
#
-allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
-dontaudit abrt_t self:capability sys_rawio;
+allow abrt_t self:capability { chown dac_read_search dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
+dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace };
allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
+
allow abrt_t self:fifo_file rw_fifo_file_perms;
-allow abrt_t self:tcp_socket { accept listen };
+allow abrt_t self:tcp_socket create_stream_socket_perms;
+allow abrt_t self:udp_socket create_socket_perms;
+allow abrt_t self:unix_dgram_socket create_socket_perms;
+allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
-allow abrt_t abrt_etc_t:dir list_dir_perms;
+# abrt etc files
+list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
+# log file
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
@@ -125,48 +136,60 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
+can_exec(abrt_t, abrt_tmp_t)
+# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
+files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt")
+allow abrt_t abrt_var_cache_t:file map;
+# abrt pid files
manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
-can_exec(abrt_t, abrt_tmp_t)
+manage_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_dirs_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_lnk_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+kernel_read_all_proc(abrt_t)
kernel_read_ring_buffer(abrt_t)
-kernel_read_system_state(abrt_t)
+kernel_read_network_state(abrt_t)
+kernel_read_software_raid_state(abrt_t)
kernel_request_load_module(abrt_t)
+kernel_rw_usermodehelper_state(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)
+# needed by docker BZ #1194280
+kernel_read_net_sysctls(abrt_t)
+kernel_rw_usermodehelper_state(abrt_t)
corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)
corenet_all_recvfrom_netlabel(abrt_t)
-corenet_all_recvfrom_unlabeled(abrt_t)
corenet_tcp_sendrecv_generic_if(abrt_t)
corenet_tcp_sendrecv_generic_node(abrt_t)
-corenet_tcp_sendrecv_all_ports(abrt_t)
+corenet_tcp_sendrecv_generic_port(abrt_t)
corenet_tcp_bind_generic_node(abrt_t)
-
-corenet_sendrecv_all_client_packets(abrt_t)
corenet_tcp_connect_http_port(abrt_t)
corenet_tcp_connect_ftp_port(abrt_t)
corenet_tcp_connect_all_ports(abrt_t)
+corenet_sendrecv_http_client_packets(abrt_t)
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
dev_read_rand(abrt_t)
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
-dev_dontaudit_read_raw_memory(abrt_t)
+dev_read_raw_memory(abrt_t)
+dev_write_kmsg(abrt_t)
domain_getattr_all_domains(abrt_t)
domain_read_all_domains_state(abrt_t)
@@ -176,29 +199,46 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
-files_read_usr_files(abrt_t)
+files_read_var_lib_files(abrt_t)
+files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
+files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
files_dontaudit_read_all_symlinks(abrt_t)
files_dontaudit_getattr_all_sockets(abrt_t)
files_list_mnt(abrt_t)
+fs_list_all(abrt_t)
+fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
fs_getattr_all_dirs(abrt_t)
-fs_list_inotifyfs(abrt_t)
fs_read_fusefs_files(abrt_t)
+fs_mmap_fusefs_files(abrt_t)
fs_read_noxattr_fs_files(abrt_t)
fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
+fs_getattr_nsfs_files(abrt_t)
-auth_use_nsswitch(abrt_t)
+storage_dontaudit_read_fixed_disk(abrt_t)
logging_read_generic_logs(abrt_t)
+logging_mmap_journal(abrt_t)
+logging_send_syslog_msg(abrt_t)
+logging_stream_connect_syslog(abrt_t)
+logging_read_syslog_pid(abrt_t)
+
+auth_use_nsswitch(abrt_t)
+init_read_utmp(abrt_t)
+
+miscfiles_read_generic_certs(abrt_t)
miscfiles_read_public_files(abrt_t)
+miscfiles_dontaudit_access_check_cert(abrt_t)
+miscfiles_dontaudit_write_generic_cert_files(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
+userdom_dontaudit_read_admin_home_files(abrt_t)
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
@@ -206,15 +246,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
- apache_read_module_files(abrt_t)
+ apache_read_modules(abrt_t)
')
optional_policy(`
dbus_system_domain(abrt_t, abrt_exec_t)
-
- optional_policy(`
- policykit_dbus_chat(abrt_t)
- ')
')
optional_policy(`
@@ -222,6 +258,37 @@ optional_policy(`
')
optional_policy(`
+ container_stream_connect(abrt_t)
+')
+
+optional_policy(`
+ kdump_read_crash(abrt_t)
+')
+
+optional_policy(`
+ lvm_dontaudit_rw_lock_dir(abrt_t)
+')
+
+optional_policy(`
+ mta_send_mail(abrt_t)
+ mta_manage_home_rw(abrt_t)
+')
+
+optional_policy(`
+ mcelog_read_log(abrt_t)
+')
+
+optional_policy(`
+ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t)
+ mozilla_plugin_read_rw_files(abrt_t)
+')
+
+optional_policy(`
+ pcp_read_lib_files(abrt_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(abrt_t)
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
@@ -234,18 +301,25 @@ optional_policy(`
')
optional_policy(`
+ puppet_read_lib(abrt_t)
+')
+
+# to install debuginfo packages
+optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
rpm_manage_log(abrt_t)
rpm_manage_pid_files(abrt_t)
+ rpm_read_tmp_files(abrt_t)
rpm_read_db(abrt_t)
rpm_signull(abrt_t)
')
-optional_policy(`
- sendmail_domtrans(abrt_t)
-')
+# to run mailx plugin
+#optional_policy(`
+# sendmail_domtrans(abrt_t)
+#')
optional_policy(`
sosreport_domtrans(abrt_t)
@@ -253,9 +327,21 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
+optional_policy(`
+ sssd_stream_connect(abrt_t)
+')
+
+optional_policy(`
+ xserver_read_log(abrt_t)
+')
+
+optional_policy(`
+ udev_read_db(abrt_t)
+')
+
#######################################
#
-# Handle-event local policy
+# abrt-handle-event local policy
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
@@ -266,9 +352,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
+optional_policy(`
+ unconfined_domain(abrt_handle_event_t)
+')
+
########################################
#
-# Helper local policy
+# abrt--helper local policy
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
@@ -281,6 +371,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+files_tmp_filetrans(abrt_helper_t, abrt_var_cache_t, dir, "abrt")
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -289,15 +380,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
+files_dontaudit_all_non_security_leaks(abrt_helper_t)
+
fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)
auth_use_nsswitch(abrt_helper_t)
+logging_send_syslog_msg(abrt_helper_t)
+
term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)
ifdef(`hide_broken_symptoms',`
+ domain_dontaudit_leaks(abrt_helper_t)
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
@@ -305,11 +401,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
+
+ optional_policy(`
+ rpm_dontaudit_leaks(abrt_helper_t)
+ ')
+')
+
+ifdef(`hide_broken_symptoms',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow abrt_t self:capability sys_resource;
+ allow abrt_t domain:file write;
+ allow abrt_t domain:process setrlimit;
')
#######################################
#
-# Retrace coredump policy
+# abrt retrace coredump policy
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
@@ -327,10 +437,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
-files_read_usr_files(abrt_retrace_coredump_t)
+
+logging_send_syslog_msg(abrt_retrace_coredump_t)
sysnet_dns_name_resolve(abrt_retrace_coredump_t)
+# to install debuginfo packages
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
@@ -343,10 +455,11 @@ optional_policy(`
#######################################
#
-# Retrace worker policy
+# abrt retrace worker policy
#
-allow abrt_retrace_worker_t self:capability setuid;
+allow abrt_retrace_worker_t self:capability { setuid };
+
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
@@ -365,38 +478,90 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
-files_read_usr_files(abrt_retrace_worker_t)
+
+logging_send_syslog_msg(abrt_retrace_worker_t)
sysnet_dns_name_resolve(abrt_retrace_worker_t)
+optional_policy(`
+ mock_domtrans(abrt_retrace_worker_t)
+ mock_manage_lib_files(abrt_t)
+')
+
########################################
#
-# Dump oops local policy
+# abrt_dump_oops local policy
#
-allow abrt_dump_oops_t self:capability dac_override;
+allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_read_search setuid setgid };
+allow abrt_dump_oops_t self:cap_userns { kill sys_ptrace };
+allow abrt_dump_oops_t self:process {setfscreate setcap};
allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
files_search_spool(abrt_dump_oops_t)
manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })
+files_tmp_filetrans(abrt_dump_oops_t, abrt_var_cache_t, dir, "abrt")
+
+manage_dirs_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t)
+manage_files_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t)
read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)
+kernel_read_debugfs(abrt_dump_oops_t)
kernel_read_kernel_sysctls(abrt_dump_oops_t)
kernel_read_ring_buffer(abrt_dump_oops_t)
+kernel_read_security_state(abrt_dump_oops_t)
+
+auth_read_passwd(abrt_dump_oops_t)
+
+corecmd_getattr_all_executables(abrt_dump_oops_t)
+corecmd_exec_bin(abrt_dump_oops_t)
+
+dev_read_urand(abrt_dump_oops_t)
+dev_read_rand(abrt_dump_oops_t)
domain_use_interactive_fds(abrt_dump_oops_t)
+domain_signull_all_domains(abrt_dump_oops_t)
+domain_read_all_domains_state(abrt_dump_oops_t)
+domain_getattr_all_domains(abrt_dump_oops_t)
+
+tunable_policy(`deny_ptrace',`',`
+ domain_ptrace_all_domains(abrt_dump_oops_t)
+')
+files_manage_non_security_dirs(abrt_dump_oops_t)
+files_manage_non_security_files(abrt_dump_oops_t)
+
+fs_getattr_all_fs(abrt_dump_oops_t)
fs_list_inotifyfs(abrt_dump_oops_t)
+fs_list_pstorefs(abrt_dump_oops_t)
+fs_getattr_nsfs_files(abrt_dump_oops_t)
+
+selinux_compute_create_context(abrt_dump_oops_t)
logging_read_generic_logs(abrt_dump_oops_t)
+logging_read_syslog_pid(abrt_dump_oops_t)
+logging_send_syslog_msg(abrt_dump_oops_t)
+logging_mmap_generic_logs(abrt_dump_oops_t)
+logging_mmap_journal(abrt_dump_oops_t)
+
+init_read_var_lib_files(abrt_dump_oops_t)
+
+optional_policy(`
+ sssd_read_public_files(abrt_dump_oops_t)
+ sssd_stream_connect(abrt_dump_oops_t)
+')
+
+optional_policy(`
+ xserver_exec(abrt_dump_oops_t)
+')
#######################################
#
@@ -404,25 +569,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
-allow abrt_watch_log_t self:unix_stream_socket { accept listen };
+allow abrt_watch_log_t self:unix_stream_socket create_stream_socket_perms;
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
+auth_read_passwd(abrt_watch_log_t)
+auth_use_nsswitch(abrt_watch_log_t)
+
domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
+logging_send_syslog_msg(abrt_watch_log_t)
+
+optional_policy(`
+ gnome_list_home_config(abrt_watch_log_t)
+')
+
+tunable_policy(`abrt_upload_watch_anon_write',`
+ miscfiles_manage_public_files(abrt_upload_watch_t)
+')
#######################################
#
# Upload watch local policy
#
+allow abrt_upload_watch_t self:capability { dac_read_search chown fsetid };
+
+manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_lnk_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir})
+
+read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t)
+
+manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)
+
+abrt_dbus_chat(abrt_upload_watch_t)
+
corecmd_exec_bin(abrt_upload_watch_t)
+dev_read_urand(abrt_upload_watch_t)
+
+files_search_spool(abrt_upload_watch_t)
+
+auth_read_passwd(abrt_upload_watch_t)
+
tunable_policy(`abrt_upload_watch_anon_write',`
- miscfiles_manage_public_files(abrt_upload_watch_t)
+ miscfiles_manage_public_files(abrt_upload_watch_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(abrt_upload_watch_t)
')
#######################################
@@ -430,10 +630,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
-kernel_read_system_state(abrt_domain)
+allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
+allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
files_read_etc_files(abrt_domain)
-
-logging_send_syslog_msg(abrt_domain)
-
-miscfiles_read_localization(abrt_domain)
diff --git a/accountsd.fc b/accountsd.fc
index f9d8d7a92..068271030 100644
--- a/accountsd.fc
+++ b/accountsd.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/accountsd.* -- gen_context(system_u:object_r:accountsd_unit_file_t,s0)
+
/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
/usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
diff --git a/accountsd.if b/accountsd.if
index bd5ec9ab0..554177cd2 100644
--- a/accountsd.if
+++ b/accountsd.if
@@ -126,23 +126,51 @@ interface(`accountsd_manage_lib_files',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
## </summary>
## </param>
-## <param name="role">
+#
+interface(`accountsd_systemctl',`
+ gen_require(`
+ type accountsd_t;
+ type accountsd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 accountsd_unit_file_t:file read_file_perms;
+ allow $1 accountsd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, accountsd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an accountsd environment
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
interface(`accountsd_admin',`
gen_require(`
type accountsd_t;
+ type accountsd_unit_file_t;
')
- allow $1 accountsd_t:process { ptrace signal_perms };
+ allow $1 accountsd_t:process signal_perms;
ps_process_pattern($1, accountsd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 accountsd_t:process ptrace;
+ ')
+
accountsd_manage_lib_files($1)
+
+ accountsd_systemctl($1)
+ admin_pattern($1, accountsd_unit_file_t)
+ allow $1 accountsd_unit_file_t:service all_service_perms;
')
diff --git a/accountsd.te b/accountsd.te
index 3593510d8..15ce4ef6c 100644
--- a/accountsd.te
+++ b/accountsd.te
@@ -4,6 +4,10 @@ gen_require(`
class passwd all_passwd_perms;
')
+gen_require(`
+ class passwd { passwd chfn chsh rootok crontab };
+')
+
########################################
#
# Declarations
@@ -11,17 +15,21 @@ gen_require(`
type accountsd_t;
type accountsd_exec_t;
-dbus_system_domain(accountsd_t, accountsd_exec_t)
+init_daemon_domain(accountsd_t, accountsd_exec_t)
+role system_r types accountsd_t;
type accountsd_var_lib_t;
files_type(accountsd_var_lib_t)
+type accountsd_unit_file_t;
+systemd_unit_file(accountsd_unit_file_t)
+
########################################
#
# Local policy
#
-allow accountsd_t self:capability { chown dac_override setuid setgid sys_ptrace };
+allow accountsd_t self:capability { chown dac_read_search setuid setgid sys_ptrace };
allow accountsd_t self:process signal;
allow accountsd_t self:fifo_file rw_fifo_file_perms;
allow accountsd_t self:passwd { rootok passwd chfn chsh };
@@ -38,7 +46,6 @@ corecmd_exec_bin(accountsd_t)
dev_read_sysfs(accountsd_t)
files_read_mnt_files(accountsd_t)
-files_read_usr_files(accountsd_t)
fs_getattr_xattr_fs(accountsd_t)
fs_list_inotifyfs(accountsd_t)
@@ -48,12 +55,15 @@ auth_use_nsswitch(accountsd_t)
auth_read_login_records(accountsd_t)
auth_read_shadow(accountsd_t)
-miscfiles_read_localization(accountsd_t)
+init_dbus_chat(accountsd_t)
logging_list_logs(accountsd_t)
logging_send_syslog_msg(accountsd_t)
logging_set_loginuid(accountsd_t)
+userdom_dontaudit_create_admin_dir(accountsd_t)
+userdom_dontaudit_manage_admin_dir(accountsd_t)
+
userdom_read_user_tmp_files(accountsd_t)
userdom_read_user_home_content_files(accountsd_t)
@@ -66,9 +76,16 @@ optional_policy(`
')
optional_policy(`
+ dbus_system_domain(accountsd_t, accountsd_exec_t)
+')
+
+optional_policy(`
policykit_dbus_chat(accountsd_t)
')
optional_policy(`
xserver_read_xdm_tmp_files(accountsd_t)
+ xserver_read_state_xdm(accountsd_t)
+ xserver_dbus_chat_xdm(accountsd_t)
+ xserver_manage_xdm_etc_files(accountsd_t)
')
diff --git a/acct.if b/acct.if
index 81280d008..bc4038b45 100644
--- a/acct.if
+++ b/acct.if
@@ -83,6 +83,24 @@ interface(`acct_manage_data',`
########################################
## <summary>
+## Dontaudit Attempts to list acct_data directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`acct_dontaudit_list_data',`
+ gen_require(`
+ type acct_data_t;
+ ')
+
+ dontaudit $1 acct_data_t:dir list_dir_perms;
+')
+
+#######################################
+## <summary>
## All of the rules required to
## administrate an acct environment.
## </summary>
@@ -103,9 +121,13 @@ interface(`acct_admin',`
type acct_t, acct_initrc_exec_t, acct_data_t;
')
- allow $1 acct_t:process { ptrace signal_perms };
+ allow $1 acct_t:process { signal_perms };
ps_process_pattern($1, acct_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 acct_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, acct_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 acct_initrc_exec_t system_r;
diff --git a/acct.te b/acct.te
index 8b9ad83c5..f4f24864b 100644
--- a/acct.te
+++ b/acct.te
@@ -40,8 +40,6 @@ corecmd_exec_shell(acct_t)
dev_read_sysfs(acct_t)
dev_read_urand(acct_t)
-domain_use_interactive_fds(acct_t)
-
fs_search_auto_mountpoints(acct_t)
fs_getattr_xattr_fs(acct_t)
@@ -49,7 +47,6 @@ term_dontaudit_use_console(acct_t)
term_dontaudit_use_generic_ptys(acct_t)
files_read_etc_runtime_files(acct_t)
-files_list_usr(acct_t)
auth_use_nsswitch(acct_t)
@@ -59,8 +56,6 @@ init_exec_script_files(acct_t)
logging_send_syslog_msg(acct_t)
-miscfiles_read_localization(acct_t)
-
userdom_dontaudit_search_user_home_dirs(acct_t)
userdom_dontaudit_use_unpriv_user_fds(acct_t)
diff --git a/ada.te b/ada.te
index 8d42c97ae..2377f8f82 100644
--- a/ada.te
+++ b/ada.te
@@ -20,7 +20,7 @@ role ada_roles types ada_t;
allow ada_t self:process { execstack execmem };
-userdom_use_user_terminals(ada_t)
+userdom_use_inherited_user_terminals(ada_t)
optional_policy(`
unconfined_domain(ada_t)
diff --git a/afs.fc b/afs.fc
index 8926c1696..206ea16fd 100644
--- a/afs.fc
+++ b/afs.fc
@@ -3,6 +3,8 @@
/etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_initrc_exec_t,s0)
/etc/rc\.d/init\.d/(open)?afs -- gen_context(system_u:object_r:afs_initrc_exec_t,s0)
+/usr/afs(/.*)? gen_context(system_u:object_r:afs_files_t,s0)
+
/usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
/usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
@@ -10,6 +12,10 @@
/usr/afs/bin/salvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/afs/bin/volserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/afs/bin/vlserver -- gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
+/usr/afs/bin/dafileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/davolserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/salvageserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/dasalvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/afs/db -d gen_context(system_u:object_r:afs_dbdir_t,s0)
/usr/afs/db/pr.* -- gen_context(system_u:object_r:afs_pt_db_t,s0)
diff --git a/afs.if b/afs.if
index 3b41be699..97d99f979 100644
--- a/afs.if
+++ b/afs.if
@@ -40,6 +40,24 @@ interface(`afs_rw_udp_sockets',`
########################################
## <summary>
+## Read AFS config data
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`afs_read_config',`
+ gen_require(`
+ type afs_config_t;
+ ')
+
+ read_files_pattern($1, afs_config_t, afs_config_t)
+')
+
+########################################
+## <summary>
## Read and write afs cache files.
## </summary>
## <param name="domain">
@@ -95,13 +113,17 @@ interface(`afs_initrc_domtrans',`
interface(`afs_admin',`
gen_require(`
attribute afs_domain;
- type afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
+ type afs_t, afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
type afs_ka_db_t, afs_vl_db_t, afs_config_t;
type afs_logfile_t, afs_cache_t, afs_files_t;
')
- allow $1 afs_domain:process { ptrace signal_perms };
- ps_process_pattern($1, afs_domain)
+ allow $1 afs_t:process signal_perms;
+ ps_process_pattern($1, afs_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 afs_t:process ptrace;
+ ')
afs_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/afs.te b/afs.te
index 90ce63748..9855b3b11 100644
--- a/afs.te
+++ b/afs.te
@@ -72,7 +72,7 @@ role system_r types afs_vlserver_t;
# afs client local policy
#
-allow afs_t self:capability { dac_override sys_admin sys_nice sys_tty_config };
+allow afs_t self:capability { dac_read_search sys_admin sys_nice sys_tty_config };
allow afs_t self:process { setsched signal };
allow afs_t self:fifo_file rw_file_perms;
allow afs_t self:unix_stream_socket { accept listen };
@@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
kernel_rw_afs_state(afs_t)
+corenet_all_recvfrom_netlabel(afs_t)
+corenet_tcp_sendrecv_generic_if(afs_t)
+corenet_udp_sendrecv_generic_if(afs_t)
+corenet_tcp_sendrecv_generic_node(afs_t)
+corenet_udp_sendrecv_generic_node(afs_t)
+corenet_tcp_sendrecv_all_ports(afs_t)
+corenet_udp_sendrecv_all_ports(afs_t)
+corenet_udp_bind_generic_node(afs_t)
+
files_mounton_mnt(afs_t)
-files_read_usr_files(afs_t)
files_rw_etc_runtime_files(afs_t)
fs_getattr_xattr_fs(afs_t)
@@ -93,6 +101,12 @@ fs_read_nfs_symlinks(afs_t)
logging_send_syslog_msg(afs_t)
+sysnet_dns_name_resolve(afs_t)
+
+ifdef(`hide_broken_symptoms',`
+ kernel_rw_unlabeled_files(afs_t)
+')
+
########################################
#
# AFS bossserver local policy
@@ -105,8 +119,11 @@ can_exec(afs_bosserver_t, afs_bosserver_exec_t)
manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
+filetrans_pattern(afs_bosserver_t, afs_files_t, afs_config_t, dir, "local")
-allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms;
+manage_files_pattern(afs_bosserver_t, afs_dbdir_t, afs_dbdir_t)
+manage_dirs_pattern(afs_bosserver_t, afs_dbdir_t, afs_dbdir_t)
+filetrans_pattern(afs_bosserver_t, afs_files_t, afs_dbdir_t, dir, "db")
allow afs_bosserver_t afs_fsserver_t:process signal_perms;
domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t)
@@ -125,7 +142,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
kernel_read_kernel_sysctls(afs_bosserver_t)
-corenet_all_recvfrom_unlabeled(afs_bosserver_t)
corenet_all_recvfrom_netlabel(afs_bosserver_t)
corenet_udp_sendrecv_generic_if(afs_bosserver_t)
corenet_udp_sendrecv_generic_node(afs_bosserver_t)
@@ -136,24 +152,24 @@ corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
corenet_udp_sendrecv_afs_bos_port(afs_bosserver_t)
files_list_home(afs_bosserver_t)
-files_read_usr_files(afs_bosserver_t)
seutil_read_config(afs_bosserver_t)
+optional_policy(`
+ kerberos_read_config(afs_bosserver_t)
+')
+
########################################
#
# fileserver local policy
#
-allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
+allow afs_fsserver_t self:capability { kill dac_read_search chown fowner sys_nice };
dontaudit afs_fsserver_t self:capability fsetid;
allow afs_fsserver_t self:process { setsched signal_perms };
allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
-read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
-allow afs_fsserver_t afs_config_t:dir list_dir_perms;
-
manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
@@ -175,12 +191,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t)
corenet_all_recvfrom_unlabeled(afs_fsserver_t)
corenet_all_recvfrom_netlabel(afs_fsserver_t)
+corenet_tcp_bind_generic_node(afs_fsserver_t)
+corenet_udp_bind_generic_node(afs_fsserver_t)
corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
corenet_udp_sendrecv_generic_if(afs_fsserver_t)
corenet_tcp_sendrecv_generic_node(afs_fsserver_t)
corenet_udp_sendrecv_generic_node(afs_fsserver_t)
-corenet_tcp_bind_generic_node(afs_fsserver_t)
-corenet_udp_bind_generic_node(afs_fsserver_t)
+corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
+corenet_udp_sendrecv_all_ports(afs_fsserver_t)
corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
@@ -190,7 +208,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t)
files_read_etc_runtime_files(afs_fsserver_t)
files_list_home(afs_fsserver_t)
-files_read_usr_files(afs_fsserver_t)
files_list_pids(afs_fsserver_t)
files_dontaudit_search_mnt(afs_fsserver_t)
@@ -224,7 +241,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
kernel_read_kernel_sysctls(afs_kaserver_t)
-corenet_all_recvfrom_unlabeled(afs_kaserver_t)
corenet_all_recvfrom_netlabel(afs_kaserver_t)
corenet_udp_sendrecv_generic_if(afs_kaserver_t)
corenet_udp_sendrecv_generic_node(afs_kaserver_t)
@@ -239,7 +255,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t)
corenet_udp_sendrecv_kerberos_port(afs_kaserver_t)
files_list_home(afs_kaserver_t)
-files_read_usr_files(afs_kaserver_t)
seutil_read_config(afs_kaserver_t)
@@ -253,16 +268,12 @@ userdom_dontaudit_use_user_terminals(afs_kaserver_t)
allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms;
allow afs_ptserver_t self:tcp_socket create_stream_socket_perms;
-read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t)
-allow afs_ptserver_t afs_config_t:dir list_dir_perms;
-
manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)
filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)
-corenet_all_recvfrom_unlabeled(afs_ptserver_t)
corenet_all_recvfrom_netlabel(afs_ptserver_t)
corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
corenet_udp_sendrecv_generic_if(afs_ptserver_t)
@@ -274,6 +285,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t)
corenet_udp_bind_afs_pt_port(afs_ptserver_t)
corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
+sysnet_read_config(afs_ptserver_t)
+
userdom_dontaudit_use_user_terminals(afs_ptserver_t)
########################################
@@ -284,16 +297,12 @@ userdom_dontaudit_use_user_terminals(afs_ptserver_t)
allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms;
allow afs_vlserver_t self:tcp_socket create_stream_socket_perms;
-read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t)
-allow afs_vlserver_t afs_config_t:dir list_dir_perms;
-
manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)
-corenet_all_recvfrom_unlabeled(afs_vlserver_t)
corenet_all_recvfrom_netlabel(afs_vlserver_t)
corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
corenet_udp_sendrecv_generic_if(afs_vlserver_t)
@@ -314,8 +323,8 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t)
allow afs_domain self:udp_socket create_socket_perms;
-files_read_etc_files(afs_domain)
-
-miscfiles_read_localization(afs_domain)
+read_files_pattern(afs_domain, afs_config_t, afs_config_t)
+allow afs_domain afs_config_t:dir list_dir_perms;
sysnet_read_config(afs_domain)
+
diff --git a/aiccu.if b/aiccu.if
index 3b5dcb947..fbe187fe1 100644
--- a/aiccu.if
+++ b/aiccu.if
@@ -79,9 +79,13 @@ interface(`aiccu_admin',`
type aiccu_var_run_t;
')
- allow $1 aiccu_t:process { ptrace signal_perms };
+ allow $1 aiccu_t:process signal_perms;
ps_process_pattern($1, aiccu_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 aiccu_t:process ptrace;
+ ')
+
aiccu_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 aiccu_initrc_exec_t system_r;
diff --git a/aiccu.te b/aiccu.te
index 5d2b90e04..7374df0b9 100644
--- a/aiccu.te
+++ b/aiccu.te
@@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t)
corenet_tcp_bind_generic_node(aiccu_t)
corenet_tcp_sendrecv_generic_if(aiccu_t)
corenet_tcp_sendrecv_generic_node(aiccu_t)
-
corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
corenet_tcp_connect_sixxsconfig_port(aiccu_t)
corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
@@ -60,17 +59,24 @@ domain_use_interactive_fds(aiccu_t)
dev_read_rand(aiccu_t)
dev_read_urand(aiccu_t)
-files_read_etc_files(aiccu_t)
+
+auth_read_passwd(aiccu_t)
logging_send_syslog_msg(aiccu_t)
-miscfiles_read_localization(aiccu_t)
+optional_policy(`
+ gnome_dontaudit_search_config(aiccu_t)
+')
optional_policy(`
modutils_domtrans_insmod(aiccu_t)
')
optional_policy(`
+ pcscd_stream_connect(aiccu_t)
+')
+
+optional_policy(`
sysnet_dns_name_resolve(aiccu_t)
sysnet_domtrans_ifconfig(aiccu_t)
')
diff --git a/aide.if b/aide.if
index 01cbb67df..94a4a2406 100644
--- a/aide.if
+++ b/aide.if
@@ -67,9 +67,13 @@ interface(`aide_admin',`
type aide_t, aide_db_t, aide_log_t;
')
- allow $1 aide_t:process { ptrace signal_perms };
+ allow $1 aide_t:process signal_perms;
ps_process_pattern($1, aide_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 aide_t:process ptrace;
+ ')
+
aide_run($1, $2)
files_list_etc($1)
diff --git a/aide.te b/aide.te
index 03831e6e5..93a15b5de 100644
--- a/aide.te
+++ b/aide.te
@@ -10,6 +10,7 @@ attribute_role aide_roles;
type aide_t;
type aide_exec_t;
application_domain(aide_t, aide_exec_t)
+cron_system_entry(aide_t, aide_exec_t)
role aide_roles types aide_t;
type aide_log_t;
@@ -23,23 +24,39 @@ files_type(aide_db_t)
# Local policy
#
-allow aide_t self:capability { dac_override fowner };
+allow aide_t self:capability { dac_read_search fowner ipc_lock sys_admin };
+allow aide_t self:process signal;
manage_files_pattern(aide_t, aide_db_t, aide_db_t)
+files_var_lib_filetrans(aide_t, aide_db_t, { dir file })
-create_files_pattern(aide_t, aide_log_t, aide_log_t)
-append_files_pattern(aide_t, aide_log_t, aide_log_t)
-setattr_files_pattern(aide_t, aide_log_t, aide_log_t)
+manage_files_pattern(aide_t, aide_log_t, aide_log_t)
logging_log_filetrans(aide_t, aide_log_t, file)
+dev_read_rand(aide_t)
+dev_read_urand(aide_t)
+
files_read_all_files(aide_t)
files_read_all_symlinks(aide_t)
+files_getattr_all_pipes(aide_t)
+files_getattr_all_sockets(aide_t)
+
+mls_file_read_to_clearance(aide_t)
+mls_file_write_to_clearance(aide_t)
logging_send_audit_msgs(aide_t)
logging_send_syslog_msg(aide_t)
-userdom_use_user_terminals(aide_t)
+userdom_use_inherited_user_terminals(aide_t)
+
+optional_policy(`
+ prelink_domtrans(aide_t)
+')
optional_policy(`
seutil_use_newrole_fds(aide_t)
')
+
+optional_policy(`
+ sssd_stream_connect(aide_t)
+')
diff --git a/aisexec.if b/aisexec.if
index a2997fa57..861cebdf9 100644
--- a/aisexec.if
+++ b/aisexec.if
@@ -83,9 +83,13 @@ interface(`aisexecd_admin',`
type aisexec_initrc_exec_t;
')
- allow $1 aisexec_t:process { ptrace signal_perms };
+ allow $1 aisexec_t:process signal_perms;
ps_process_pattern($1, aisexec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 aisexec_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 aisexec_initrc_exec_t system_r;
diff --git a/aisexec.te b/aisexec.te
index 4e4f06364..808e067e8 100644
--- a/aisexec.te
+++ b/aisexec.te
@@ -63,6 +63,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
kernel_read_system_state(aisexec_t)
corecmd_exec_bin(aisexec_t)
+corecmd_exec_shell(aisexec_t)
corenet_all_recvfrom_unlabeled(aisexec_t)
corenet_all_recvfrom_netlabel(aisexec_t)
@@ -95,8 +96,6 @@ init_rw_script_tmp_files(aisexec_t)
logging_send_syslog_msg(aisexec_t)
-miscfiles_read_localization(aisexec_t)
-
userdom_rw_unpriv_user_semaphores(aisexec_t)
userdom_rw_unpriv_user_shared_mem(aisexec_t)
@@ -105,6 +104,11 @@ optional_policy(`
')
optional_policy(`
+ corosync_domtrans(aisexec_t)
+')
+
+optional_policy(`
+ # to communication with RHCS
rhcs_rw_dlm_controld_semaphores(aisexec_t)
rhcs_rw_fenced_semaphores(aisexec_t)
diff --git a/ajaxterm.fc b/ajaxterm.fc
new file mode 100644
index 000000000..aeb1888a7
--- /dev/null
+++ b/ajaxterm.fc
@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/ajaxterm -- gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0)
+
+/usr/share/ajaxterm/ajaxterm\.py -- gen_context(system_u:object_r:ajaxterm_exec_t,s0)
+
+/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0)
diff --git a/ajaxterm.if b/ajaxterm.if
new file mode 100644
index 000000000..7abe946d4
--- /dev/null
+++ b/ajaxterm.if
@@ -0,0 +1,90 @@
+## <summary>policy for ajaxterm</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ajaxterm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ajaxterm_domtrans',`
+ gen_require(`
+ type ajaxterm_t, ajaxterm_exec_t;
+ ')
+
+ domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
+')
+
+########################################
+## <summary>
+## Execute ajaxterm server in the ajaxterm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ajaxterm_initrc_domtrans',`
+ gen_require(`
+ type ajaxterm_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+## Read and write the ajaxterm pty type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ajaxterm_rw_ptys',`
+ gen_require(`
+ type ajaxterm_devpts_t;
+ ')
+
+ allow $1 ajaxterm_devpts_t:chr_file rw_inherited_term_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ajaxterm environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ajaxterm_admin',`
+ gen_require(`
+ type ajaxterm_t, ajaxterm_initrc_exec_t;
+ ')
+
+ allow $1 ajaxterm_t:process signal_perms;
+ ps_process_pattern($1, ajaxterm_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ajaxterm_t:process ptrace;
+ ')
+
+ ajaxterm_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 ajaxterm_initrc_exec_t system_r;
+ allow $2 system_r;
+')
diff --git a/ajaxterm.te b/ajaxterm.te
new file mode 100644
index 000000000..a95a4adf3
--- /dev/null
+++ b/ajaxterm.te
@@ -0,0 +1,60 @@
+policy_module(ajaxterm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ajaxterm_t;
+type ajaxterm_exec_t;
+init_daemon_domain(ajaxterm_t, ajaxterm_exec_t)
+
+type ajaxterm_initrc_exec_t;
+init_script_file(ajaxterm_initrc_exec_t)
+
+type ajaxterm_var_run_t;
+files_pid_file(ajaxterm_var_run_t)
+
+type ajaxterm_devpts_t;
+term_login_pty(ajaxterm_devpts_t)
+
+########################################
+#
+# ajaxterm local policy
+#
+allow ajaxterm_t self:capability setuid;
+allow ajaxterm_t self:process { setpgid signal };
+allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
+allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
+allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
+
+allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom };
+term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
+
+manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
+manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
+files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir })
+
+kernel_read_system_state(ajaxterm_t)
+
+corecmd_exec_bin(ajaxterm_t)
+
+corenet_tcp_bind_generic_node(ajaxterm_t)
+corenet_tcp_bind_oa_system_port(ajaxterm_t)
+
+dev_read_urand(ajaxterm_t)
+
+domain_use_interactive_fds(ajaxterm_t)
+
+
+sysnet_dns_name_resolve(ajaxterm_t)
+
+#######################################
+#
+# SSH component local policy
+#
+
+optional_policy(`
+ ssh_basic_client_template(ajaxterm, ajaxterm_t, system_r)
+')
+
diff --git a/alsa.fc b/alsa.fc
index 33d9d3111..58bf1829a 100644
--- a/alsa.fc
+++ b/alsa.fc
@@ -23,4 +23,10 @@ ifdef(`distro_debian',`
/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+
+/var/lock/asound\.state\.lock -- gen_context(system_u:object_r:alsa_lock_t,s0)
+
+/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
+
+/var/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_var_run_t,s0)
diff --git a/alsa.if b/alsa.if
index ca8d8cf3b..053a30ad4 100644
--- a/alsa.if
+++ b/alsa.if
@@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',`
userdom_search_user_home_dirs($1)
allow $1 alsa_home_t:file manage_file_perms;
+ alsa_filetrans_home_content($1)
')
########################################
@@ -210,51 +211,88 @@ interface(`alsa_relabel_home_files',`
########################################
## <summary>
-## Create objects in user home
-## directories with the generic alsa
-## home type.
+## Read Alsa lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="object_class">
+#
+interface(`alsa_read_lib',`
+ gen_require(`
+ type alsa_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+')
+
+########################################
+## <summary>
+## Transition to alsa named content
+## </summary>
+## <param name="domain">
## <summary>
-## Class of the object being created.
+## Domain allowed access.
## </summary>
## </param>
-## <param name="name" optional="true">
+#
+interface(`alsa_filetrans_home_content',`
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
+')
+
+########################################
+## <summary>
+## Transition to alsa named content
+## </summary>
+## <param name="domain">
## <summary>
-## The name of the object being created.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`alsa_home_filetrans_alsa_home',`
+interface(`alsa_filetrans_named_content',`
gen_require(`
type alsa_home_t;
+ type alsa_etc_rw_t;
+ type alsa_var_lib_t;
')
- userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3)
+ files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state")
+ files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm")
+ files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound")
+ files_usr_filetrans($1, alsa_etc_rw_t, file, "alsa.conf")
+ files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm")
+ files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
')
########################################
## <summary>
-## Read Alsa lib files.
+## Execute alsa server in the alsa domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
## </summary>
## </param>
#
-interface(`alsa_read_lib',`
+interface(`alsa_systemctl',`
gen_require(`
- type alsa_var_lib_t;
+ type alsa_t;
+ type alsa_unit_file_t;
')
- files_search_var_lib($1)
- read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 alsa_unit_file_t:file read_file_perms;
+ allow $1 alsa_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, alsa_t)
')
#########################################
diff --git a/alsa.te b/alsa.te
index 4b153f179..9a0043caa 100644
--- a/alsa.te
+++ b/alsa.te
@@ -15,6 +15,9 @@ role alsa_roles types alsa_t;
type alsa_etc_rw_t;
files_config_file(alsa_etc_rw_t)
+type alsa_lock_t;
+files_lock_file(alsa_lock_t)
+
type alsa_tmp_t;
files_tmp_file(alsa_tmp_t)
@@ -24,16 +27,23 @@ files_tmpfs_file(alsa_tmpfs_t)
type alsa_var_lib_t;
files_type(alsa_var_lib_t)
+type alsa_var_run_t;
+files_pid_file(alsa_var_run_t)
+
type alsa_home_t;
userdom_user_home_content(alsa_home_t)
+type alsa_unit_file_t;
+systemd_unit_file(alsa_unit_file_t)
+
########################################
#
# Local policy
#
-allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
-dontaudit alsa_t self:capability sys_admin;
+allow alsa_t self:capability { dac_read_search setgid setuid ipc_owner sys_nice };
+dontaudit alsa_t self:capability { sys_tty_config sys_admin };
+allow alsa_t self:process { getsched setsched signal_perms };
allow alsa_t self:sem create_sem_perms;
allow alsa_t self:shm create_shm_perms;
allow alsa_t self:unix_stream_socket { accept listen };
@@ -46,6 +56,9 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
can_exec(alsa_t, alsa_exec_t)
+manage_files_pattern(alsa_t, alsa_lock_t, alsa_lock_t)
+files_lock_filetrans(alsa_t, alsa_lock_t, file)
+
manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
@@ -57,7 +70,13 @@ fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
+manage_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
+manage_dirs_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
+manage_lnk_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
+files_pid_filetrans(alsa_t, alsa_var_run_t, { file dir })
+
kernel_read_system_state(alsa_t)
+kernel_signal(alsa_t)
corecmd_exec_bin(alsa_t)
@@ -67,7 +86,6 @@ dev_read_sysfs(alsa_t)
dev_read_urand(alsa_t)
dev_write_sound(alsa_t)
-files_read_usr_files(alsa_t)
files_search_var_lib(alsa_t)
term_dontaudit_use_console(alsa_t)
@@ -80,8 +98,6 @@ init_use_fds(alsa_t)
logging_send_syslog_msg(alsa_t)
-miscfiles_read_localization(alsa_t)
-
userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t)
diff --git a/amanda.fc b/amanda.fc
index 7f4dfbca3..e5c9f45b8 100644
--- a/amanda.fc
+++ b/amanda.fc
@@ -1,5 +1,6 @@
/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+/etc/amanda/DailySet1(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
/etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
# empty m4 string so the index macro is not invoked
@@ -13,6 +14,8 @@
/usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib/systemd/system/amanda.* -- gen_context(system_u:object_r:amanda_unit_file_t,s0)
+
/usr/sbin/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
diff --git a/amanda.te b/amanda.te
index 519051c7d..96bbc0825 100644
--- a/amanda.te
+++ b/amanda.te
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
roleattribute system_r amanda_recover_roles;
type amanda_t;
+type amanda_exec_t;
type amanda_inetd_exec_t;
-inetd_service_domain(amanda_t, amanda_inetd_exec_t)
+application_executable_file(amanda_exec_t)
+init_daemon_domain(amanda_t, amanda_inetd_exec_t)
+role system_r types amanda_t;
-type amanda_exec_t;
-domain_entry_file(amanda_t, amanda_exec_t)
+type amanda_unit_file_t;
+systemd_unit_file(amanda_unit_file_t)
type amanda_log_t;
logging_log_file(amanda_log_t)
@@ -33,6 +36,9 @@ files_type(amanda_gnutarlists_t)
type amanda_tmp_t;
files_tmp_file(amanda_tmp_t)
+type amanda_tmpfs_t;
+files_tmpfs_file(amanda_tmpfs_t)
+
type amanda_amandates_t;
files_type(amanda_amandates_t)
@@ -59,8 +65,8 @@ optional_policy(`
# Local policy
#
-allow amanda_t self:capability { chown dac_override setuid kill };
-allow amanda_t self:process { setpgid signal };
+allow amanda_t self:capability { chown dac_read_search setuid kill sys_admin };
+allow amanda_t self:process { getsched setsched setpgid signal };
allow amanda_t self:fifo_file rw_fifo_file_perms;
allow amanda_t self:unix_stream_socket { accept listen };
allow amanda_t self:tcp_socket { accept listen };
@@ -71,6 +77,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
+manage_lnk_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
@@ -81,6 +88,7 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
+files_var_lib_filetrans(amanda_t, amanda_var_lib_t, dir)
manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t)
manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t)
@@ -90,6 +98,10 @@ manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
+manage_files_pattern(amanda_t, amanda_tmpfs_t, amanda_tmpfs_t)
+manage_dirs_pattern(amanda_t, amanda_tmpfs_t, amanda_tmpfs_t)
+fs_tmpfs_filetrans(amanda_t, amanda_tmpfs_t, { dir })
+
can_exec(amanda_t, { amanda_exec_t amanda_inetd_exec_t })
kernel_read_kernel_sysctls(amanda_t)
@@ -100,13 +112,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
corecmd_exec_shell(amanda_t)
corecmd_exec_bin(amanda_t)
-corenet_all_recvfrom_unlabeled(amanda_t)
corenet_all_recvfrom_netlabel(amanda_t)
corenet_tcp_sendrecv_generic_if(amanda_t)
corenet_tcp_sendrecv_generic_node(amanda_t)
corenet_tcp_sendrecv_all_ports(amanda_t)
corenet_tcp_bind_generic_node(amanda_t)
+corenet_tcp_bind_amanda_port(amanda_t)
+corenet_udp_bind_amanda_port(amanda_t)
+
corenet_sendrecv_all_server_packets(amanda_t)
corenet_tcp_bind_all_rpc_ports(amanda_t)
corenet_tcp_bind_generic_port(amanda_t)
@@ -114,6 +128,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
dev_getattr_all_blk_files(amanda_t)
dev_getattr_all_chr_files(amanda_t)
+dev_read_urand(amanda_t)
files_read_etc_runtime_files(amanda_t)
files_list_all(amanda_t)
@@ -130,6 +145,7 @@ fs_list_all(amanda_t)
storage_raw_read_fixed_disk(amanda_t)
storage_read_tape(amanda_t)
storage_write_tape(amanda_t)
+storage_write_scsi_generic(amanda_t)
auth_use_nsswitch(amanda_t)
auth_read_shadow(amanda_t)
@@ -141,7 +157,7 @@ logging_send_syslog_msg(amanda_t)
# Recover local policy
#
-allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_read_search };
allow amanda_recover_t self:process { sigkill sigstop signal };
allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
allow amanda_recover_t self:unix_stream_socket create_socket_perms;
@@ -170,7 +186,6 @@ kernel_read_system_state(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t)
corecmd_exec_bin(amanda_recover_t)
-corenet_all_recvfrom_unlabeled(amanda_recover_t)
corenet_all_recvfrom_netlabel(amanda_recover_t)
corenet_tcp_sendrecv_generic_if(amanda_recover_t)
corenet_udp_sendrecv_generic_if(amanda_recover_t)
@@ -195,12 +210,16 @@ files_search_tmp(amanda_recover_t)
auth_use_nsswitch(amanda_recover_t)
-fstools_domtrans(amanda_t)
-fstools_signal(amanda_t)
-
logging_search_logs(amanda_recover_t)
-miscfiles_read_localization(amanda_recover_t)
-
-userdom_use_user_terminals(amanda_recover_t)
+userdom_use_inherited_user_terminals(amanda_recover_t)
userdom_search_user_home_content(amanda_recover_t)
+
+optional_policy(`
+ inetd_service_domain(amanda_t, amanda_inetd_exec_t)
+')
+
+optional_policy(`
+ fstools_domtrans(amanda_t)
+ fstools_signal(amanda_t)
+')
diff --git a/amavis.fc b/amavis.fc
index 17689a707..8aa684917 100644
--- a/amavis.fc
+++ b/amavis.fc
@@ -12,8 +12,6 @@ ifdef(`distro_debian',`
/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
')
-/var/opt/f-secure(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
-
/var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
/var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
diff --git a/amavis.if b/amavis.if
index 60d4f8c90..18ef0772c 100644
--- a/amavis.if
+++ b/amavis.if
@@ -54,6 +54,7 @@ interface(`amavis_read_spool_files',`
files_search_spool($1)
read_files_pattern($1, amavis_spool_t, amavis_spool_t)
+ allow $1 amavis_spool_t:dir list_dir_perms;
')
########################################
@@ -153,6 +154,26 @@ interface(`amavis_read_lib_files',`
########################################
## <summary>
+## Read and write amavis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_rw_lib_files',`
+ gen_require(`
+ type amavis_var_lib_t;
+ ')
+
+ rw_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
+ allow $1 amavis_var_lib_t:dir list_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## amavis lib files.
## </summary>
@@ -234,9 +255,13 @@ interface(`amavis_admin',`
type amavis_etc_t, amavis_quarantine_t, amavis_initrc_exec_t;
')
- allow $1 amavis_t:process { ptrace signal_perms };
+ allow $1 amavis_t:process signal_perms;
ps_process_pattern($1, amavis_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 amavis_t:process ptrace;
+ ')
+
amavis_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 amavis_initrc_exec_t system_r;
diff --git a/amavis.te b/amavis.te
index 91fa72ae1..11a55da57 100644
--- a/amavis.te
+++ b/amavis.te
@@ -16,6 +16,7 @@ gen_tunable(amavis_use_jit, false)
type amavis_t;
type amavis_exec_t;
init_daemon_domain(amavis_t, amavis_exec_t)
+init_nnp_daemon_domain(amavis_t)
type amavis_etc_t;
files_config_file(amavis_etc_t)
@@ -39,14 +40,14 @@ type amavis_quarantine_t;
files_type(amavis_quarantine_t)
type amavis_spool_t;
-files_type(amavis_spool_t)
+files_spool_file(amavis_spool_t)
########################################
#
# Local policy
#
-allow amavis_t self:capability { kill chown dac_override setgid setuid };
+allow amavis_t self:capability { kill chown dac_read_search setgid setuid };
dontaudit amavis_t self:capability sys_tty_config;
allow amavis_t self:process signal_perms;
allow amavis_t self:fifo_file rw_fifo_file_perms;
@@ -67,9 +68,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
+# tmp files
+manage_dirs_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
-files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
+files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file } )
manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
@@ -95,7 +99,6 @@ kernel_dontaudit_read_proc_symlinks(amavis_t)
corecmd_exec_bin(amavis_t)
corecmd_exec_shell(amavis_t)
-corenet_all_recvfrom_unlabeled(amavis_t)
corenet_all_recvfrom_netlabel(amavis_t)
corenet_tcp_sendrecv_generic_if(amavis_t)
corenet_udp_sendrecv_generic_if(amavis_t)
@@ -118,6 +121,7 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t)
corenet_sendrecv_razor_client_packets(amavis_t)
corenet_tcp_connect_razor_port(amavis_t)
+corenet_tcp_connect_agentx_port(amavis_t)
dev_read_rand(amavis_t)
dev_read_sysfs(amavis_t)
@@ -127,7 +131,6 @@ domain_use_interactive_fds(amavis_t)
domain_dontaudit_read_all_domains_state(amavis_t)
files_read_etc_runtime_files(amavis_t)
-files_read_usr_files(amavis_t)
files_search_spool(amavis_t)
fs_getattr_xattr_fs(amavis_t)
@@ -141,14 +144,20 @@ init_stream_connect_script(amavis_t)
logging_send_syslog_msg(amavis_t)
-miscfiles_read_localization(amavis_t)
+miscfiles_read_generic_certs(amavis_t)
+
+sysnet_use_ldap(amavis_t)
userdom_dontaudit_search_user_home_dirs(amavis_t)
tunable_policy(`amavis_use_jit',`
- allow amavis_t self:process execmem;
+ allow amavis_t self:process execmem;
',`
- dontaudit amavis_t self:process execmem;
+ dontaudit amavis_t self:process execmem;
+')
+
+optional_policy(`
+ antivirus_domain_template(amavis_t)
')
optional_policy(`
@@ -173,6 +182,10 @@ optional_policy(`
')
optional_policy(`
+ nslcd_stream_connect(amavis_t)
+')
+
+optional_policy(`
postfix_read_config(amavis_t)
postfix_list_spool(amavis_t)
')
diff --git a/amtu.te b/amtu.te
index 16d0d66eb..60abfd080 100644
--- a/amtu.te
+++ b/amtu.te
@@ -24,11 +24,10 @@ kernel_read_system_state(amtu_t)
files_manage_boot_files(amtu_t)
files_read_etc_runtime_files(amtu_t)
-files_read_etc_files(amtu_t)
logging_send_audit_msgs(amtu_t)
-userdom_use_user_terminals(amtu_t)
+userdom_use_inherited_user_terminals(amtu_t)
optional_policy(`
nscd_dontaudit_search_pid(amtu_t)
diff --git a/anaconda.fc b/anaconda.fc
index b098089d0..fe35bebfd 100644
--- a/anaconda.fc
+++ b/anaconda.fc
@@ -1 +1,13 @@
# No file context specifications.
+
+/usr/libexec/anaconda/anaconda-yum -- gen_context(system_u:object_r:install_exec_t,s0)
+/usr/sbin/anaconda -- gen_context(system_u:object_r:install_exec_t,s0)
+
+/usr/bin/initial-setup -- gen_context(system_u:object_r:install_exec_t,s0)
+/usr/bin/ostree -- gen_context(system_u:object_r:install_exec_t,s0)
+/usr/bin/rpm-ostree -- gen_context(system_u:object_r:install_exec_t,s0)
+/usr/libexec/rpm-ostreed -- gen_context(system_u:object_r:install_exec_t,s0)
+
+/usr/bin/preupg.* -- gen_context(system_u:object_r:preupgrade_exec_t,s0)
+/var/lib/preupgrade(/.*)? gen_context(system_u:object_r:preupgrade_data_t,s0)
+/var/log/preupgrade(/.*)? gen_context(system_u:object_r:preupgrade_data_t,s0)
diff --git a/anaconda.if b/anaconda.if
index 14a61b7e1..76d93294d 100644
--- a/anaconda.if
+++ b/anaconda.if
@@ -1 +1,132 @@
## <summary>Anaconda installer.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run install.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`anaconda_domtrans_install',`
+ gen_require(`
+ type install_t, install_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, install_exec_t, install_t)
+')
+
+########################################
+## <summary>
+## Execute install in the install
+## domain, and allow the specified
+## role the install domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`anaconda_run_install',`
+ gen_require(`
+ type install_t;
+ type install_exec_t;
+ attribute_role install_roles;
+ ')
+
+ anaconda_domtrans_install($1)
+ roleattribute $2 install_roles;
+ role_transition $2 install_exec_t system_r;
+
+ optional_policy(`
+ rpm_transition_script(install_t, $2)
+ ')
+')
+
+########################################
+## <summary>
+## Execute preupgrade in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`anaconda_exec_preupgrade',`
+ gen_require(`
+ type preupgrade_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, preupgrade_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run preupgrade.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`anaconda_domtrans_preupgrade',`
+ gen_require(`
+ type preupgrade_t, preupgrade_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, preupgrade_exec_t, preupgrade_t)
+')
+
+########################################
+## <summary>
+## Read preupgrade lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`anaconda_read_lib_files_preupgrade',`
+ gen_require(`
+ type preupgrade_data_t;
+ ')
+
+ read_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
+ read_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Manage preupgrade lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`anaconda_manage_lib_files_preupgrade',`
+ gen_require(`
+ type preupgrade_data_t;
+ ')
+
+ manage_dirs_pattern($1, preupgrade_data_t, preupgrade_data_t)
+ manage_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
+ manage_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
+ files_search_var_lib($1)
+')
diff --git a/anaconda.te b/anaconda.te
index aa44abfe4..9e76516c2 100644
--- a/anaconda.te
+++ b/anaconda.te
@@ -4,6 +4,10 @@ gen_require(`
class passwd all_passwd_perms;
')
+gen_require(`
+ class passwd { passwd chfn chsh rootok crontab };
+')
+
########################################
#
# Declarations
@@ -16,6 +20,22 @@ domain_entry_file(anaconda_t, anaconda_exec_t)
domain_obj_id_change_exemption(anaconda_t)
role system_r types anaconda_t;
+attribute_role install_roles;
+roleattribute system_r install_roles;
+
+type install_t;
+type install_exec_t;
+application_domain(install_t, install_exec_t)
+role install_roles types install_t;
+
+type preupgrade_t;
+type preupgrade_exec_t;
+application_domain(preupgrade_t, preupgrade_exec_t)
+role system_r types preupgrade_t;
+
+type preupgrade_data_t;
+files_type(preupgrade_data_t)
+
########################################
#
# Local policy
@@ -34,8 +54,9 @@ modutils_domtrans_insmod(anaconda_t)
modutils_domtrans_depmod(anaconda_t)
seutil_domtrans_semanage(anaconda_t)
+seutil_domtrans_setsebool(anaconda_t)
-userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
+userdom_filetrans_home_content(anaconda_t)
optional_policy(`
rpm_domtrans(anaconda_t)
@@ -53,3 +74,55 @@ optional_policy(`
optional_policy(`
unconfined_domain_noaudit(anaconda_t)
')
+
+########################################
+#
+# Local policy
+#
+
+allow install_t self:capability2 mac_admin;
+
+systemd_dbus_chat_localed(install_t)
+systemd_dbus_chat_logind(install_t)
+
+tunable_policy(`deny_ptrace',`',`
+ domain_ptrace_all_domains(install_t)
+')
+
+optional_policy(`
+ iscsid_run(install_t, install_roles)
+')
+
+optional_policy(`
+ mount_run(install_t, install_roles)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(install_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(install_t)
+')
+
+optional_policy(`
+ seutil_run_setfiles_mac(install_t, install_roles)
+')
+
+optional_policy(`
+ unconfined_domain_noaudit(install_t)
+')
+
+
+########################################
+#
+# Local policy
+#
+
+manage_files_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
+manage_dirs_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
+manage_lnk_files_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
+
+optional_policy(`
+ unconfined_domain_noaudit(preupgrade_t)
+')
diff --git a/antivirus.fc b/antivirus.fc
new file mode 100644
index 000000000..219f32db0
--- /dev/null
+++ b/antivirus.fc
@@ -0,0 +1,44 @@
+/etc/amavis(d)?\.conf -- gen_context(system_u:object_r:antivirus_conf_t,s0)
+/etc/amavisd(/.*)? gen_context(system_u:object_r:antivirus_conf_t,s0)
+
+/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/amavisd-snmp -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/clamd.* -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:antivirus_unit_file_t,s0)
+
+/usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+
+/usr/sbin/amavi -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/sbin/amavisd.* -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/bin/clamscan -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/bin/clamdscan -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/bin/freshclam -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+
+/usr/sbin/clamd -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/sbin/clamav-milter -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+
+/var/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+
+/var/amavis(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/amavis(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/clamav-unofficial-sigs(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/clamd.* gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/opt/f-secure(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/spool/amavisd(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/virusmails(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+
+/var/log/amavisd\.log.* -- gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/clamav.* gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/freshclam.* -- gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/clamd.* gen_context(system_u:object_r:antivirus_log_t,s0)
+
+/var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:antivirus_var_run_t,s0)
+/var/run/amavisd-snmp-subagent\.pid -- gen_context(system_u:object_r:antivirus_var_run_t,s0)
+
+/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:antivirus_var_run_t,s0)
+/var/run/clamav.* gen_context(system_u:object_r:antivirus_var_run_t,s0)
+/var/run/clamd.* gen_context(system_u:object_r:antivirus_var_run_t,s0)
+
diff --git a/antivirus.if b/antivirus.if
new file mode 100644
index 000000000..36251b926
--- /dev/null
+++ b/antivirus.if
@@ -0,0 +1,325 @@
+## <summary>SELinux policy for antivirus programs - amavis, clamd, freshclam and clamscan</summary>
+
+######################################
+## <summary>
+## Creates types and rules for a basic
+## antivirus domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+interface(`antivirus_domain_template',`
+ gen_require(`
+ attribute antivirus_domain;
+ ')
+
+ typeattribute $1 antivirus_domain;
+
+ kernel_read_system_state($1)
+')
+
+#######################################
+## <summary>
+## Execute a domain transition to run antivirus program.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`antivirus_domtrans',`
+ gen_require(`
+ type antivirus_t, antivirus_exec_t;
+ ')
+
+ domtrans_pattern($1, antivirus_exec_t, antivirus_t)
+')
+
+#######################################
+## <summary>
+## Execute antivirus program without a transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`antivirus_exec',`
+ gen_require(`
+ type antivirus_exec_t;
+ ')
+
+ can_exec($1, antivirus_exec_t)
+')
+
+#######################################
+## <summary>
+## Connect to run antivirus program.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`antivirus_stream_connect',`
+ gen_require(`
+ type antivirus_t, antivirus_db_t, antivirus_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, antivirus_var_run_t, antivirus_var_run_t, antivirus_t)
+ stream_connect_pattern($1, antivirus_db_t, antivirus_db_t, antivirus_t)
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to append
+## to antivirus log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`antivirus_append_log',`
+ gen_require(`
+ type antivirus_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 antivirus_log_t:dir list_dir_perms;
+ append_files_pattern($1, antivirus_log_t, antivirus_log_t)
+')
+
+#######################################
+## <summary>
+## Read antivirus configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`antivirus_read_config',`
+ gen_require(`
+ type antivirus_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 antivirus_conf_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Search antivirus db content directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`antivirus_search_db',`
+ gen_require(`
+ type antivirus_db_t;
+ ')
+
+ files_search_var_lib($1)
+ files_search_spool($1)
+ allow $1 antivirus_db_t:dir search_dir_perms;
+')
+
+######################################
+## <summary>
+## Read antivirus db content directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`antivirus_read_db',`
+ gen_require(`
+ type antivirus_db_t;
+ ')
+
+ files_search_var_lib($1)
+ files_search_spool($1)
+ read_files_pattern($1, antivirus_db_t, antivirus_db_t)
+ read_lnk_files_pattern($1, antivirus_db_t, antivirus_db_t)
+')
+
+#####################################
+## <summary>
+## Read and write antivirus db content directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`antivirus_rw_db',`
+ gen_require(`
+ type antivirus_db_t;
+ ')
+
+ files_search_var_lib($1)
+ files_search_spool($1)
+ write_files_pattern($1, antivirus_db_t, antivirus_db_t)
+')
+
+####################################
+## <summary>
+## Manage antivirus db content directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`antivirus_manage_db',`
+ gen_require(`
+ type antivirus_db_t;
+ ')
+
+ files_search_var_lib($1)
+ files_search_spool($1)
+ manage_files_pattern($1, antivirus_db_t, antivirus_db_t)
+ manage_dirs_pattern($1, antivirus_db_t, antivirus_db_t)
+')
+
+#######################################
+## <summary>
+## Manage antivirus pid content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`antivirus_manage_pid',`
+ gen_require(`
+ type antivirus_var_run_t;
+ ')
+
+ manage_dirs_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
+ manage_files_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
+')
+
+######################################
+## <summary>
+## Read antivirus state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`antivirus_read_state_clamd',`
+ gen_require(`
+ type antivirus_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, antivirus_t)
+')
+
+######################################
+## <summary>
+## Execute antivirus server in the antivirus domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`antivirus_systemctl',`
+ gen_require(`
+ type antivirus_t;
+ type antivirus_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 antivirus_unit_file_t:file read_file_perms;
+ allow $1 antivirus_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, antivirus_t)
+')
+
+#######################################
+## <summary>
+## All of the rules required to administrate
+## an antivirus programs environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the clamav domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`antivirus_admin',`
+ gen_require(`
+ attribute antivirus_domain;
+ type antivirus_t, antivirus_conf_t, antivirus_tmp_t;
+ type antivirus_log_t, antivirus_db_t, antivirus_var_run_t;
+ type antivirus_initrc_exec_t, antivirus_unit_file_t;
+ ')
+
+ allow $1 antivirus_t:process signal_perms;
+ ps_process_pattern($1, antivirus_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 antivirus_t:process ptrace;
+ ')
+
+ init_labeled_script_domtrans($1, antivirus_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 antivirus_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ antivirus_systemctl($1)
+ admin_pattern($1, antivirus_unit_file_t)
+ allow $1 antivirus_unit_file_t:service all_service_perms;
+
+ files_list_etc($1)
+ admin_pattern($1, antivirus_conf_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, antivirus_db_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, antivirus_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, antivirus_var_run_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, antivirus_tmp_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
index 000000000..547ee89dd
--- /dev/null
+++ b/antivirus.te
@@ -0,0 +1,275 @@
+policy_module(antivirus, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow antivirus programs to read non security files on a system
+## </p>
+## </desc>
+gen_tunable(antivirus_can_scan_system, false)
+
+## <desc>
+## <p>
+## Determine whether antivirus programs can use JIT compiler.
+## </p>
+## </desc>
+gen_tunable(antivirus_use_jit, false)
+
+attribute antivirus_domain;
+
+type antivirus_t;
+type antivirus_exec_t;
+typeattribute antivirus_t antivirus_domain;
+typealias antivirus_t alias { amavis_t clamd_t clamscan_t freshclam_t } ;
+typealias antivirus_exec_t alias { amavis_exec_t clamd_exec_t clamscan_exec_t freshclam_exec_t };
+init_daemon_domain(antivirus_t, antivirus_exec_t)
+init_nnp_daemon_domain(antivirus_t)
+
+type antivirus_initrc_exec_t;
+typealias antivirus_initrc_exec_t alias { clamd_initrc_exec_t amavis_initrc_exec_t };
+init_script_file(antivirus_initrc_exec_t)
+
+type antivirus_unit_file_t;
+typealias antivirus_unit_file_t alias { clamd_unit_file_t };
+systemd_unit_file(antivirus_unit_file_t)
+
+type antivirus_conf_t;
+typealias antivirus_conf_t alias { clamd_etc_t amavis_etc_t };
+files_config_file(antivirus_conf_t)
+
+type antivirus_var_run_t;
+typealias antivirus_var_run_t alias { amavis_var_run_t clamd_var_run_t clamd_sock_t };
+files_pid_file(antivirus_var_run_t)
+
+type antivirus_log_t;
+typealias antivirus_log_t alias { amavis_var_log_t clamd_var_log_t freshclam_var_log_t };
+logging_log_file(antivirus_log_t)
+
+type antivirus_db_t;
+typealias antivirus_db_t alias { amavis_var_lib_t amavis_quarantine_t amavis_spool_t clamd_var_lib_t };
+files_type(antivirus_db_t)
+
+type antivirus_home_t;
+userdom_user_home_content(antivirus_home_t)
+
+type antivirus_tmp_t;
+typealias antivirus_tmp_t alias { amavis_tmp_t clamd_tmp_t clamscan_tmp_t };
+files_tmp_file(antivirus_tmp_t)
+
+########################################
+#
+# antivirus domain local policy
+#
+
+allow antivirus_domain self:capability { dac_read_search chown kill fsetid setgid setuid sys_admin };
+dontaudit antivirus_domain self:capability sys_tty_config;
+allow antivirus_domain self:process signal_perms;
+
+allow antivirus_domain self:fifo_file rw_fifo_file_perms;
+allow antivirus_domain self:unix_stream_socket { accept connectto listen };
+allow antivirus_domain self:tcp_socket { listen accept };
+
+allow antivirus_domain antivirus_conf_t:dir list_dir_perms;
+read_files_pattern(antivirus_domain, antivirus_conf_t, antivirus_conf_t)
+read_lnk_files_pattern(antivirus_domain, antivirus_conf_t, antivirus_conf_t)
+
+manage_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+manage_dirs_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+manage_lnk_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+
+manage_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+manage_dirs_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+manage_lnk_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+
+manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+manage_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+manage_lnk_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir lnk_file sock_file } )
+
+manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
+manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
+logging_log_filetrans(antivirus_domain, antivirus_log_t, { sock_file file dir })
+
+manage_dirs_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
+manage_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
+files_pid_filetrans(antivirus_domain, antivirus_var_run_t, {file})
+
+can_exec(antivirus_domain, antivirus_exec_t)
+
+kernel_read_system_state(antivirus_t)
+kernel_read_network_state(antivirus_domain)
+kernel_read_all_sysctls(antivirus_domain)
+
+corecmd_exec_bin(antivirus_domain)
+corecmd_exec_shell(antivirus_domain)
+
+corenet_all_recvfrom_netlabel(antivirus_t)
+corenet_tcp_bind_all_unreserved_ports(antivirus_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(antivirus_t)
+corenet_tcp_sendrecv_generic_if(antivirus_t)
+corenet_udp_sendrecv_generic_if(antivirus_t)
+corenet_tcp_sendrecv_generic_node(antivirus_domain)
+corenet_udp_sendrecv_generic_node(antivirus_domain)
+corenet_tcp_sendrecv_all_ports(antivirus_domain)
+corenet_udp_sendrecv_all_ports(antivirus_domain)
+corenet_tcp_bind_generic_node(antivirus_domain)
+corenet_udp_bind_generic_node(antivirus_domain)
+
+corenet_sendrecv_amavisd_send_client_packets(antivirus_domain)
+corenet_tcp_connect_amavisd_send_port(antivirus_domain)
+
+corenet_sendrecv_amavisd_recv_server_packets(antivirus_domain)
+corenet_tcp_bind_amavisd_recv_port(antivirus_domain)
+
+corenet_sendrecv_generic_server_packets(antivirus_domain)
+corenet_udp_bind_generic_port(antivirus_domain)
+corenet_dontaudit_udp_bind_all_ports(antivirus_domain)
+
+corenet_sendrecv_razor_client_packets(antivirus_domain)
+corenet_tcp_connect_razor_port(antivirus_domain)
+corenet_tcp_connect_agentx_port(antivirus_domain)
+
+corenet_tcp_connect_clamd_port(antivirus_domain)
+
+corenet_sendrecv_clamd_server_packets(antivirus_domain)
+corenet_tcp_bind_clamd_port(antivirus_domain)
+
+corenet_sendrecv_http_client_packets(antivirus_domain)
+corenet_tcp_connect_http_port(antivirus_domain)
+corenet_tcp_sendrecv_http_port(antivirus_domain)
+
+corenet_sendrecv_http_cache_client_packets(antivirus_domain)
+corenet_tcp_connect_http_cache_port(antivirus_domain)
+corenet_tcp_sendrecv_http_cache_port(antivirus_domain)
+
+#support for MySQL/PostgreSQL
+corenet_tcp_connect_mysqld_port(antivirus_domain)
+corenet_tcp_connect_postgresql_port(antivirus_domain)
+
+corenet_sendrecv_snmp_client_packets(antivirus_domain)
+corenet_tcp_connect_snmp_port(antivirus_domain)
+
+corenet_sendrecv_squid_client_packets(antivirus_domain)
+corenet_tcp_connect_squid_port(antivirus_domain)
+corenet_tcp_sendrecv_squid_port(antivirus_domain)
+
+dev_read_rand(antivirus_domain)
+dev_read_sysfs(antivirus_domain)
+dev_read_urand(antivirus_domain)
+
+domain_dontaudit_read_all_domains_state(antivirus_domain)
+
+files_dontaudit_read_security_files(antivirus_domain)
+files_read_etc_runtime_files(antivirus_domain)
+files_search_spool(antivirus_domain)
+
+fs_getattr_xattr_fs(antivirus_domain)
+
+auth_use_nsswitch(antivirus_t)
+auth_dontaudit_read_shadow(antivirus_domain)
+
+init_read_state(antivirus_domain)
+init_read_utmp(antivirus_domain)
+init_stream_connect_script(antivirus_domain)
+init_dontaudit_write_utmp(antivirus_domain)
+
+logging_send_syslog_msg(antivirus_t)
+
+miscfiles_read_generic_certs(antivirus_domain)
+
+sysnet_use_ldap(antivirus_domain)
+
+userdom_stream_connect(antivirus_domain)
+userdom_dontaudit_search_user_home_dirs(antivirus_domain)
+
+tunable_policy(`antivirus_can_scan_system',`
+ files_read_non_security_files(antivirus_domain)
+ files_getattr_all_pipes(antivirus_domain)
+ files_getattr_all_sockets(antivirus_domain)
+ dev_getattr_all_blk_files(antivirus_domain)
+ dev_getattr_all_chr_files(antivirus_domain)
+')
+
+tunable_policy(`antivirus_use_jit',`
+ allow antivirus_domain self:process execmem;
+ allow antivirus_domain self:process execmem;
+',`
+ dontaudit antivirus_domain self:process execmem;
+ dontaudit antivirus_domain self:process execmem;
+')
+
+optional_policy(`
+ apache_read_sys_content(antivirus_domain)
+')
+
+optional_policy(`
+ antivirus_systemctl(antivirus_domain)
+')
+
+optional_policy(`
+ cron_system_entry(antivirus_t, antivirus_exec_t)
+ cron_use_fds(antivirus_domain)
+ cron_use_system_job_fds(antivirus_domain)
+ cron_rw_pipes(antivirus_domain)
+')
+
+optional_policy(`
+ dcc_domtrans_client(antivirus_domain)
+ dcc_stream_connect_dccifd(antivirus_domain)
+')
+
+optional_policy(`
+ exim_read_spool_files(antivirus_domain)
+')
+
+optional_policy(`
+ mta_read_config(antivirus_domain)
+ mta_read_queue(antivirus_domain)
+ mta_send_mail(antivirus_domain)
+')
+
+optional_policy(`
+ nslcd_stream_connect(antivirus_domain)
+')
+
+optional_policy(`
+ mysql_stream_connect(antivirus_domain)
+ corenet_tcp_connect_mysqld_port(antivirus_domain)
+')
+
+optional_policy(`
+ postfix_read_config(antivirus_domain)
+ postfix_list_spool(antivirus_domain)
+')
+
+optional_policy(`
+ pyzor_domtrans(antivirus_domain)
+ pyzor_signal(antivirus_domain)
+')
+
+optional_policy(`
+ razor_domtrans(antivirus_domain)
+')
+
+optional_policy(`
+ snmp_manage_var_lib_dirs(antivirus_domain)
+ snmp_manage_var_lib_files(antivirus_domain)
+ snmp_stream_connect(antivirus_domain)
+')
+
+optional_policy(`
+ spamd_stream_connect(clamd_t)
+ spamassassin_exec(antivirus_domain)
+ spamassassin_exec_client(antivirus_domain)
+ spamassassin_read_lib_files(antivirus_domain)
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
index 7caefc353..966c2f3e6 100644
--- a/apache.fc
+++ b/apache.fc
@@ -1,162 +1,218 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
-/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
-/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
-/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
-/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/nextcloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/rt(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
+/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
+/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
+/etc/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/opt/rh/rh-nginx18/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/thttpd\.conf -- gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/thttpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
-/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/nginx.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
-/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
-/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
-/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/([^/]*/)?www/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/gallery2/smarty(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
+/usr/share/joomla(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
+/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-
-ifdef(`distro_suse',`
-/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/htcacheclean -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/sbin/thttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
+ifdef(`distro_suse', `
+/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-
-/var/cache/apache2(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
+/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/usr/share/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/nginx/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/local/nagios/sbin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
-
-/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/rt(3|4)(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
+
+/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/ganglia(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/graphite-web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/ipsilon(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/moodle(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/mod_security(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/opt/rh/rh-nginx18/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/lib/php/wsdlcache(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+
/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
-/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/lib/openshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/lib/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/nextcloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/rt(3|4)/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
+/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/horizon(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/graphite-web(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/opt/rh/rh-nginx18/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/thttpd\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php_errors\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ifdef(`distro_debian', `
+/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+')
-/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
-
-/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-
-/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
-/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/opt/rh/rh-nginx18/run/nginx(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/thttpd\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
+
+/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+
+/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
-/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/html(/.*)?/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html(/.*)?/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html(/.*)?/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html(/.*)?/wp_backups(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html(/.*)?/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html/owncloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html/nextcloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/moodle/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/openshift/console/tmp(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
+/var/www/openshift/console/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/openshift/broker/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/openshift/console/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/openshift/broker/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/www/openshift/console/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/stickshift/[^/]*/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
index f6eb4851f..3628a384f 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
-## <summary>Various web servers.</summary>
+## <summary>Apache web server</summary>
########################################
## <summary>
-## Create a set of derived types for
-## httpd web content.
+## Create a set of derived types for apache
+## web content.
## </summary>
## <param name="prefix">
## <summary>
@@ -11,120 +11,233 @@
## </summary>
## </param>
#
-template(`apache_content_template',`
+template(`apache_user_content_template',`
gen_require(`
- attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
- attribute httpd_script_domains, httpd_htaccess_type;
+ attribute httpd_exec_scripts, httpd_script_exec_type;
type httpd_t, httpd_suexec_t;
+ attribute httpd_script_type, httpd_user_content_type;
')
- ########################################
- #
- # Declarations
- #
-
- ## <desc>
- ## <p>
- ## Determine whether the script domain can
- ## modify public files used for public file
- ## transfer services. Directories/Files must
- ## be labeled public_content_rw_t.
- ## </p>
- ## </desc>
- gen_tunable(allow_httpd_$1_script_anon_write, false)
-
- type httpd_$1_content_t, httpdcontent; # customizable
- typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
- files_type(httpd_$1_content_t)
-
- type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable;
- files_type(httpd_$1_htaccess_t)
-
- type httpd_$1_script_t, httpd_script_domains;
- domain_type(httpd_$1_script_t)
- role system_r types httpd_$1_script_t;
-
- type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
- corecmd_shell_entry_type(httpd_$1_script_t)
- domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
-
- type httpd_$1_rw_content_t, httpdcontent; # customizable
- typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
- files_type(httpd_$1_rw_content_t)
+ #This type is for webpages
+ type $1_content_t; # customizable;
+ typeattribute $1_content_t httpd_user_content_type;
+ typealias $1_content_t alias httpd_$1_script_ro_t;
+ files_type($1_content_t)
+
+ # This type is used for .htaccess files
+ type $1_htaccess_t, httpd_content_type; # customizable;
+ typeattribute $1_htaccess_t httpd_user_content_type;
+ files_type($1_htaccess_t)
+
+ # Type that CGI scripts run as
+ type $1_script_t, httpd_script_type;
+ domain_type($1_script_t)
+ role system_r types $1_script_t;
+
+ kernel_read_system_state($1_script_t)
+
+ # This type is used for executable scripts files
+ type $1_script_exec_t, httpd_script_exec_type; # customizable;
+ typeattribute $1_script_exec_t httpd_user_content_type;
+ domain_entry_file($1_script_t, $1_script_exec_t)
+
+ type $1_rw_content_t; # customizable
+ typeattribute $1_rw_content_t httpd_user_content_type;
+ typealias $1_rw_content_t alias { $1_script_rw_t $1_content_rw_t };
+ files_type($1_rw_content_t)
+
+ type $1_ra_content_t, httpd_content_type; # customizable
+ typeattribute $1_ra_content_t httpd_user_content_type;
+ typealias $1_ra_content_t alias { $1_script_ra_t $1_content_ra_t };
+ files_type($1_ra_content_t)
+
+ # Allow the script process to search the cgi directory, and users directory
+ allow $1_script_t $1_content_t:dir search_dir_perms;
+
+ can_exec($1_script_t, $1_script_exec_t)
+ allow $1_script_t $1_script_exec_t:dir list_dir_perms;
+ allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+ read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+ append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+ create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+ read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+
+ allow $1_script_t $1_content_t:dir list_dir_perms;
+ read_files_pattern($1_script_t, $1_content_t, $1_content_t)
+ read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)
+
+ manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+
+ allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write };
+
+ # Allow the web server to run scripts and serve pages
+ tunable_policy(`httpd_builtin_scripting',`
+ manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+ manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+ manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+ rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
- type httpd_$1_ra_content_t, httpdcontent; # customizable
- typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
- files_type(httpd_$1_ra_content_t)
+ allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
+ read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+ append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+ create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+ read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
- ########################################
- #
- # Policy
- #
+ ')
- can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+ tunable_policy(`httpd_enable_cgi',`
+ allow $1_script_t $1_script_exec_t:file entrypoint;
- allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
- allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
- allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
+ domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms;
- allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms;
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms;
+ # privileged users run the script:
+ domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
- manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
+ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms;
- allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms;
- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms;
+ # apache runs the script:
+ domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
+ allow httpd_t $1_script_t:unix_dgram_socket sendto;
+ ')
+')
- tunable_policy(`allow_httpd_$1_script_anon_write',`
- miscfiles_manage_public_files(httpd_$1_script_t)
+########################################
+## <summary>
+## Create a set of derived types for apache
+## web content.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`apache_content_template',`
+ gen_require(`
+ attribute httpd_exec_scripts, httpd_script_exec_type;
+ type httpd_t, httpd_suexec_t;
+ attribute httpd_script_type, httpd_content_type;
')
+ #This type is for webpages
+ type $1_content_t; # customizable;
+ typeattribute $1_content_t httpd_content_type;
+ typealias $1_content_t alias httpd_$1_script_ro_t;
+ files_type($1_content_t)
+
+ # This type is used for .htaccess files
+ type $1_htaccess_t, httpd_content_type; # customizable;
+ typeattribute $1_htaccess_t httpd_content_type;
+ files_type($1_htaccess_t)
+
+ # Type that CGI scripts run as
+ type $1_script_t, httpd_script_type;
+ domain_type($1_script_t)
+ role system_r types $1_script_t;
+
+ kernel_read_system_state($1_script_t)
+
+ # This type is used for executable scripts files
+ type $1_script_exec_t, httpd_script_exec_type; # customizable;
+ typeattribute $1_script_exec_t httpd_content_type;
+ domain_entry_file($1_script_t, $1_script_exec_t)
+
+ type $1_rw_content_t; # customizable
+ typeattribute $1_rw_content_t httpd_content_type;
+ typealias $1_rw_content_t alias { $1_script_rw_t $1_content_rw_t };
+ files_type($1_rw_content_t)
+
+ type $1_ra_content_t, httpd_content_type; # customizable
+ typeattribute $1_ra_content_t httpd_content_type;
+ typealias $1_ra_content_t alias { $1_script_ra_t $1_content_ra_t };
+ files_type($1_ra_content_t)
+
+ # Allow the script process to search the cgi directory, and users directory
+ allow $1_script_t $1_content_t:dir search_dir_perms;
+
+ can_exec($1_script_t, $1_script_exec_t)
+ allow $1_script_t $1_script_exec_t:dir list_dir_perms;
+ allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+ read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+ append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+ create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+ read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+
+ allow $1_script_t $1_content_t:dir list_dir_perms;
+ read_files_pattern($1_script_t, $1_content_t, $1_content_t)
+ read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)
+
+ manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+
+ allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write shutdown };
+
+ # Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
- manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+ manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+ manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+ rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
- allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
- allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
- allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
- ')
+ allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
+ read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+ append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+ create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+ read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
- tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
- can_exec(httpd_t, httpd_$1_rw_content_t)
')
tunable_policy(`httpd_enable_cgi',`
- allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
- domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t)
- ')
+ allow $1_script_t $1_script_exec_t:file entrypoint;
- tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',`
- can_exec(httpd_$1_script_t, httpd_$1_rw_content_t)
- ')
+ domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint;
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:dir manage_dir_perms;
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms;
- ')
+ # privileged users run the script:
+ domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
+
+ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
- tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
- filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
+ # apache runs the script:
+ domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
+ allow httpd_t $1_script_t:unix_dgram_socket sendto;
')
')
########################################
## <summary>
-## Role access for apache.
+## Create a set of derived types for apache
+## web content.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving new type names.
+## </summary>
+## </param>
+## <param name="oldprefix">
+## <summary>
+## The prefix to be used for deriving old type names.
+## </summary>
+## </param>
+#
+template(`apache_content_alias_template',`
+ typealias $1_htaccess_t alias httpd_$2_htaccess_t;
+ typealias $1_script_t alias httpd_$2_script_t;
+ typealias $1_script_exec_t alias httpd_$2_script_exec_t;
+ typealias $1_content_t alias httpd_$2_content_t;
+ typealias $1_rw_content_t alias httpd_$2_script_rw_content_t;
+ typealias $1_ra_content_t alias httpd_$2_script_ra_content_t;
+')
+
+########################################
+## <summary>
+## Role access for apache
## </summary>
## <param name="role">
## <summary>
@@ -133,47 +246,61 @@ template(`apache_content_template',`
## </param>
## <param name="domain">
## <summary>
-## User domain for the role.
+## User domain for the role
## </summary>
## </param>
#
interface(`apache_role',`
gen_require(`
attribute httpdcontent;
- type httpd_user_content_t, httpd_user_htaccess_t;
- type httpd_user_script_t, httpd_user_script_exec_t;
- type httpd_user_ra_content_t, httpd_user_rw_content_t;
+ type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
+ type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
')
role $1 types httpd_user_script_t;
- allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
-
- allow $2 httpd_user_content_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 httpd_user_content_t:file { manage_file_perms relabel_file_perms };
- allow $2 httpd_user_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
- allow $2 httpd_user_ra_content_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 httpd_user_ra_content_t:file { manage_file_perms relabel_file_perms };
- allow $2 httpd_user_ra_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
- allow $2 httpd_user_rw_content_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 httpd_user_rw_content_t:file { manage_file_perms relabel_file_perms };
- allow $2 httpd_user_rw_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
- allow $2 httpd_user_script_exec_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms };
- allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html")
- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web")
- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www")
-
- filetrans_pattern($2, httpd_user_content_t, httpd_user_htaccess_t, file, ".htaccess")
- filetrans_pattern($2, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
- filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs")
+ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
+
+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
+ manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
+ manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+
+ manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+
+ apache_exec_modules($2)
+ apache_filetrans_home_content($2)
tunable_policy(`httpd_enable_cgi',`
+ # If a user starts a script by hand it gets the proper context
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
')
@@ -184,7 +311,7 @@ interface(`apache_role',`
########################################
## <summary>
-## Read user httpd script executable files.
+## Read httpd user scripts executables.
## </summary>
## <param name="domain">
## <summary>
@@ -204,7 +331,7 @@ interface(`apache_read_user_scripts',`
########################################
## <summary>
-## Read user httpd content.
+## Read user web content.
## </summary>
## <param name="domain">
## <summary>
@@ -224,7 +351,27 @@ interface(`apache_read_user_content',`
########################################
## <summary>
-## Execute httpd with a domain transition.
+## Manage user web content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_manage_user_content',`
+ gen_require(`
+ type httpd_user_content_t;
+ ')
+
+ allow $1 httpd_user_content_t:dir manage_dir_perms;
+ manage_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
+ manage_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
+')
+
+########################################
+## <summary>
+## Transition to apache.
## </summary>
## <param name="domain">
## <summary>
@@ -241,27 +388,47 @@ interface(`apache_domtrans',`
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
-########################################
+######################################
## <summary>
-## Execute httpd server in the httpd domain.
+## Allow the specified domain to execute apache
+## in the caller domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`apache_initrc_domtrans',`
+interface(`apache_exec',`
gen_require(`
- type httpd_initrc_exec_t;
+ type httpd_exec_t;
')
- init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+ can_exec($1, httpd_exec_t)
+')
+
+######################################
+## <summary>
+## Allow the specified domain to execute apache suexec
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_exec_suexec',`
+ gen_require(`
+ type httpd_suexec_exec_t;
+ ')
+
+ can_exec($1, httpd_suexec_exec_t)
')
#######################################
## <summary>
-## Send generic signals to httpd.
+## Send a generic signal to apache.
## </summary>
## <param name="domain">
## <summary>
@@ -279,7 +446,7 @@ interface(`apache_signal',`
########################################
## <summary>
-## Send null signals to httpd.
+## Send a null signal to apache.
## </summary>
## <param name="domain">
## <summary>
@@ -297,7 +464,7 @@ interface(`apache_signull',`
########################################
## <summary>
-## Send child terminated signals to httpd.
+## Send a SIGCHLD signal to apache.
## </summary>
## <param name="domain">
## <summary>
@@ -315,8 +482,7 @@ interface(`apache_sigchld',`
########################################
## <summary>
-## Inherit and use file descriptors
-## from httpd.
+## Inherit and use file descriptors from Apache.
## </summary>
## <param name="domain">
## <summary>
@@ -334,8 +500,8 @@ interface(`apache_use_fds',`
########################################
## <summary>
-## Do not audit attempts to read and
-## write httpd unnamed pipes.
+## Do not audit attempts to read and write Apache
+## unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
@@ -348,13 +514,32 @@ interface(`apache_dontaudit_rw_fifo_file',`
type httpd_t;
')
- dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Allow attempts to read and write Apache
+## unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_rw_stream_sockets',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:unix_stream_socket { getattr read write };
')
########################################
## <summary>
-## Do not audit attempts to read and
-## write httpd unix domain stream sockets.
+## Do not audit attempts to read and write Apache
+## unix domain stream sockets.
## </summary>
## <param name="domain">
## <summary>
@@ -367,13 +552,13 @@ interface(`apache_dontaudit_rw_stream_sockets',`
type httpd_t;
')
- dontaudit $1 httpd_t:unix_stream_socket { read write };
+ dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
')
########################################
## <summary>
-## Do not audit attempts to read and
-## write httpd TCP sockets.
+## Do not audit attempts to read and write Apache
+## TCP sockets.
## </summary>
## <param name="domain">
## <summary>
@@ -391,8 +576,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
########################################
## <summary>
-## Create, read, write, and delete
-## all httpd content.
+## Create, read, write, and delete all web content.
## </summary>
## <param name="domain">
## <summary>
@@ -417,7 +601,8 @@ interface(`apache_manage_all_content',`
########################################
## <summary>
-## Set attributes httpd cache directories.
+## Allow domain to set the attributes
+## of the APACHE cache directory.
## </summary>
## <param name="domain">
## <summary>
@@ -435,7 +620,8 @@ interface(`apache_setattr_cache_dirs',`
########################################
## <summary>
-## List httpd cache directories.
+## Allow the specified domain to list
+## Apache cache.
## </summary>
## <param name="domain">
## <summary>
@@ -453,7 +639,8 @@ interface(`apache_list_cache',`
########################################
## <summary>
-## Read and write httpd cache files.
+## Allow the specified domain to read
+## and write Apache cache files.
## </summary>
## <param name="domain">
## <summary>
@@ -471,7 +658,8 @@ interface(`apache_rw_cache_files',`
########################################
## <summary>
-## Delete httpd cache directories.
+## Allow the specified domain to delete
+## Apache cache dirs.
## </summary>
## <param name="domain">
## <summary>
@@ -489,7 +677,8 @@ interface(`apache_delete_cache_dirs',`
########################################
## <summary>
-## Delete httpd cache files.
+## Allow the specified domain to delete
+## Apache cache.
## </summary>
## <param name="domain">
## <summary>
@@ -507,49 +696,51 @@ interface(`apache_delete_cache_files',`
########################################
## <summary>
-## Read httpd configuration files.
+## Allow the specified domain to search
+## apache configuration dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`apache_read_config',`
+interface(`apache_search_config',`
gen_require(`
type httpd_config_t;
')
files_search_etc($1)
- allow $1 httpd_config_t:dir list_dir_perms;
- read_files_pattern($1, httpd_config_t, httpd_config_t)
- read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
+ allow $1 httpd_config_t:dir search_dir_perms;
')
########################################
## <summary>
-## Search httpd configuration directories.
+## Allow the specified domain to read
+## apache configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
-interface(`apache_search_config',`
+interface(`apache_read_config',`
gen_require(`
type httpd_config_t;
')
files_search_etc($1)
- allow $1 httpd_config_t:dir search_dir_perms;
+ allow $1 httpd_config_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_config_t, httpd_config_t)
+ read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## httpd configuration files.
+## Allow the specified domain to manage
+## apache configuration files.
## </summary>
## <param name="domain">
## <summary>
@@ -570,8 +761,8 @@ interface(`apache_manage_config',`
########################################
## <summary>
-## Execute the Apache helper program
-## with a domain transition.
+## Execute the Apache helper program with
+## a domain transition.
## </summary>
## <param name="domain">
## <summary>
@@ -608,16 +799,38 @@ interface(`apache_domtrans_helper',`
#
interface(`apache_run_helper',`
gen_require(`
- attribute_role httpd_helper_roles;
+ type httpd_helper_t;
')
apache_domtrans_helper($1)
- roleattribute $2 httpd_helper_roles;
+ role $2 types httpd_helper_t;
+')
+
+########################################
+## <summary>
+## dontaudit attempts to read
+## apache log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_dontaudit_read_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ dontaudit $1 httpd_log_t:file read_file_perms;
+ dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
-## Read httpd log files.
+## Allow the specified domain to read
+## apache log files.
## </summary>
## <param name="domain">
## <summary>
@@ -639,7 +852,8 @@ interface(`apache_read_log',`
########################################
## <summary>
-## Append httpd log files.
+## Allow the specified domain to append
+## to apache log files.
## </summary>
## <param name="domain">
## <summary>
@@ -657,10 +871,29 @@ interface(`apache_append_log',`
append_files_pattern($1, httpd_log_t, httpd_log_t)
')
+#######################################
+## <summary>
+## Allow the specified domain to write
+## to apache log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_write_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ allow $1 httpd_log_t:file write;
+')
+
########################################
## <summary>
-## Do not audit attempts to append
-## httpd log files.
+## Do not audit attempts to append to the
+## Apache logs.
## </summary>
## <param name="domain">
## <summary>
@@ -678,8 +911,8 @@ interface(`apache_dontaudit_append_log',`
########################################
## <summary>
-## Create, read, write, and delete
-## httpd log files.
+## Allow the specified domain to manage
+## to apache var lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -687,20 +920,21 @@ interface(`apache_dontaudit_append_log',`
## </summary>
## </param>
#
-interface(`apache_manage_log',`
+interface(`apache_manage_lib',`
gen_require(`
- type httpd_log_t;
+ type httpd_var_lib_t;
')
- logging_search_logs($1)
- manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
- manage_files_pattern($1, httpd_log_t, httpd_log_t)
- read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
+ manage_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
+ read_lnk_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
')
-#######################################
+########################################
## <summary>
-## Write apache log files.
+## Allow the specified domain to manage
+## to apache log files.
## </summary>
## <param name="domain">
## <summary>
@@ -708,19 +942,21 @@ interface(`apache_manage_log',`
## </summary>
## </param>
#
-interface(`apache_write_log',`
+interface(`apache_manage_log',`
gen_require(`
type httpd_log_t;
')
logging_search_logs($1)
- write_files_pattern($1, httpd_log_t, httpd_log_t)
+ manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
+ manage_files_pattern($1, httpd_log_t, httpd_log_t)
+ read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
')
########################################
## <summary>
-## Do not audit attempts to search
-## httpd module directories.
+## Do not audit attempts to search Apache
+## module directories.
## </summary>
## <param name="domain">
## <summary>
@@ -738,7 +974,8 @@ interface(`apache_dontaudit_search_modules',`
########################################
## <summary>
-## List httpd module directories.
+## Allow the specified domain to read
+## the apache module directories.
## </summary>
## <param name="domain">
## <summary>
@@ -746,17 +983,19 @@ interface(`apache_dontaudit_search_modules',`
## </summary>
## </param>
#
-interface(`apache_list_modules',`
+interface(`apache_read_modules',`
gen_require(`
type httpd_modules_t;
')
- allow $1 httpd_modules_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_modules_t, httpd_modules_t)
')
########################################
## <summary>
-## Execute httpd module files.
+## Allow the specified domain to list
+## the contents of the apache modules
+## directory.
## </summary>
## <param name="domain">
## <summary>
@@ -764,19 +1003,19 @@ interface(`apache_list_modules',`
## </summary>
## </param>
#
-interface(`apache_exec_modules',`
+interface(`apache_list_modules',`
gen_require(`
type httpd_modules_t;
')
allow $1 httpd_modules_t:dir list_dir_perms;
- allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
- can_exec($1, httpd_modules_t)
+ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
')
########################################
## <summary>
-## Read httpd module files.
+## Allow the specified domain to execute
+## apache modules.
## </summary>
## <param name="domain">
## <summary>
@@ -784,19 +1023,19 @@ interface(`apache_exec_modules',`
## </summary>
## </param>
#
-interface(`apache_read_module_files',`
+interface(`apache_exec_modules',`
gen_require(`
type httpd_modules_t;
')
- libs_search_lib($1)
- read_files_pattern($1, httpd_modules_t, httpd_modules_t)
+ allow $1 httpd_modules_t:dir list_dir_perms;
+ allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
+ can_exec($1, httpd_modules_t)
')
########################################
## <summary>
-## Execute a domain transition to
-## run httpd_rotatelogs.
+## Execute a domain transition to run httpd_rotatelogs.
## </summary>
## <param name="domain">
## <summary>
@@ -809,13 +1048,50 @@ interface(`apache_domtrans_rotatelogs',`
type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
')
+#######################################
+## <summary>
+## Execute httpd_rotatelogs in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apache_exec_rotatelogs',`
+ gen_require(`
+ type httpd_rotatelogs_exec_t;
+ ')
+
+ can_exec($1, httpd_rotatelogs_exec_t)
+')
+
+#######################################
+## <summary>
+## Execute httpd system scripts in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apache_exec_sys_script',`
+ gen_require(`
+ type httpd_sys_script_exec_t;
+ ')
+
+ allow $1 httpd_sys_script_exec_t:dir search_dir_perms;
+ can_exec($1, httpd_sys_script_exec_t)
+')
+
########################################
## <summary>
-## List httpd system content directories.
+## Allow the specified domain to list
+## apache system content files.
## </summary>
## <param name="domain">
## <summary>
@@ -829,13 +1105,14 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
files_search_var($1)
')
########################################
## <summary>
-## Create, read, write, and delete
-## httpd system content files.
+## Allow the specified domain to manage
+## apache system content files.
## </summary>
## <param name="domain">
## <summary>
@@ -844,6 +1121,7 @@ interface(`apache_list_sys_content',`
## </param>
## <rolecap/>
#
+# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
interface(`apache_manage_sys_content',`
gen_require(`
type httpd_sys_content_t;
@@ -855,32 +1133,98 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
-########################################
+######################################
## <summary>
-## Create, read, write, and delete
-## httpd system rw content.
+## Allow the specified domain to read
+## apache system content rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
-interface(`apache_manage_sys_rw_content',`
+interface(`apache_read_sys_content_rw_files',`
gen_require(`
type httpd_sys_rw_content_t;
')
- apache_search_sys_content($1)
+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
+## <summary>
+## Allow the specified domain to read
+## apache system content rw dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_sys_content_rw_dirs',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
+## <summary>
+## Allow the specified domain to manage
+## apache system content rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_manage_sys_content_rw',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ files_search_var($1)
manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
- manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
')
########################################
## <summary>
-## Execute all httpd scripts in the
-## system script domain.
+## Allow the specified domain to delete
+## apache system content rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_delete_sys_content_rw',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ files_search_tmp($1)
+ delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+########################################
+## <summary>
+## Execute all web scripts in the system
+## script domain.
## </summary>
## <param name="domain">
## <summary>
@@ -888,10 +1232,17 @@ interface(`apache_manage_sys_rw_content',`
## </summary>
## </param>
#
+# cjp: this interface specifically added to allow
+# sysadm_t to run scripts
interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
- type httpd_sys_script_t;
+ type httpd_sys_script_exec_t;
+ type httpd_sys_script_t, httpd_sys_content_t;
+ ')
+
+ tunable_policy(`httpd_enable_cgi',`
+ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
@@ -901,9 +1252,8 @@ interface(`apache_domtrans_sys_script',`
########################################
## <summary>
-## Do not audit attempts to read and
-## write httpd system script unix
-## domain stream sockets.
+## Do not audit attempts to read and write Apache
+## system script unix domain stream sockets.
## </summary>
## <param name="domain">
## <summary>
@@ -916,7 +1266,7 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
type httpd_sys_script_t;
')
- dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
+ dontaudit $1 httpd_sys_script_t:unix_stream_socket { getattr read write };
')
########################################
@@ -941,7 +1291,7 @@ interface(`apache_domtrans_all_scripts',`
########################################
## <summary>
## Execute all user scripts in the user
-## script domain. Add user script domains
+## script domain. Add user script domains
## to the specified role.
## </summary>
## <param name="domain">
@@ -954,6 +1304,7 @@ interface(`apache_domtrans_all_scripts',`
## Role allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`apache_run_all_scripts',`
gen_require(`
@@ -966,7 +1317,8 @@ interface(`apache_run_all_scripts',`
########################################
## <summary>
-## Read httpd squirrelmail data files.
+## Allow the specified domain to read
+## apache squirrelmail data.
## </summary>
## <param name="domain">
## <summary>
@@ -979,12 +1331,13 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
- allow $1 httpd_squirrelmail_t:file read_file_perms;
+ read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
')
########################################
## <summary>
-## Append httpd squirrelmail data files.
+## Allow the specified domain to append
+## apache squirrelmail data.
## </summary>
## <param name="domain">
## <summary>
@@ -1002,7 +1355,7 @@ interface(`apache_append_squirrelmail_data',`
########################################
## <summary>
-## Search httpd system content.
+## Search apache system content.
## </summary>
## <param name="domain">
## <summary>
@@ -1015,13 +1368,12 @@ interface(`apache_search_sys_content',`
type httpd_sys_content_t;
')
- files_search_var($1)
allow $1 httpd_sys_content_t:dir search_dir_perms;
')
########################################
## <summary>
-## Read httpd system content.
+## Read apache system content.
## </summary>
## <param name="domain">
## <summary>
@@ -1041,7 +1393,7 @@ interface(`apache_read_sys_content',`
########################################
## <summary>
-## Search httpd system CGI directories.
+## Search apache system CGI directories.
## </summary>
## <param name="domain">
## <summary>
@@ -1059,8 +1411,7 @@ interface(`apache_search_sys_scripts',`
########################################
## <summary>
-## Create, read, write, and delete all
-## user httpd content.
+## Create, read, write, and delete all user web content.
## </summary>
## <param name="domain">
## <summary>
@@ -1071,18 +1422,21 @@ interface(`apache_search_sys_scripts',`
#
interface(`apache_manage_all_user_content',`
gen_require(`
- type httpd_user_content_t, httpd_user_content_rw_t, httpd_user_content_ra_t;
- type httpd_user_htaccess_t, httpd_user_script_exec_t;
+ attribute httpd_user_content_type, httpd_user_script_exec_type;
')
- manage_dirs_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
- manage_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t })
- manage_lnk_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
+ manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
+ manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+ manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+
+ manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+ manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+ manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
')
########################################
## <summary>
-## Search system script state directories.
+## Search system script state directory.
## </summary>
## <param name="domain">
## <summary>
@@ -1100,7 +1454,8 @@ interface(`apache_search_sys_script_state',`
########################################
## <summary>
-## Read httpd tmp files.
+## Allow the specified domain to read
+## apache tmp files.
## </summary>
## <param name="domain">
## <summary>
@@ -1117,10 +1472,29 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
+######################################
+## <summary>
+## Dontaudit attempts to read and write
+## apache tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_tmp_files',`
+ gen_require(`
+ type httpd_tmp_t;
+ ')
+
+ dontaudit $1 httpd_tmp_t:file { read write };
+')
+
########################################
## <summary>
-## Do not audit attempts to write
-## httpd tmp files.
+## Dontaudit attempts to write
+## apache tmp files.
## </summary>
## <param name="domain">
## <summary>
@@ -1133,7 +1507,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
- dontaudit $1 httpd_tmp_t:file write_file_perms;
+ dontaudit $1 httpd_tmp_t:file write;
')
########################################
@@ -1142,6 +1516,9 @@ interface(`apache_dontaudit_write_tmp_files',`
## </summary>
## <desc>
## <p>
+## Execute CGI in the specified domain.
+## </p>
+## <p>
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
@@ -1171,8 +1548,31 @@ interface(`apache_cgi_domain',`
########################################
## <summary>
-## All of the rules required to
-## administrate an apache environment.
+## Execute httpd server in the httpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apache_systemctl',`
+ gen_require(`
+ type httpd_t;
+ type httpd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 httpd_unit_file_t:file read_file_perms;
+ allow $1 httpd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, httpd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate an apache environment
## </summary>
## <param name="domain">
## <summary>
@@ -1189,18 +1589,19 @@ interface(`apache_cgi_domain',`
interface(`apache_admin',`
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
- attribute httpd_script_domains, httpd_htaccess_type;
type httpd_t, httpd_config_t, httpd_log_t;
- type httpd_modules_t, httpd_lock_t, httpd_helper_t;
- type httpd_var_run_t, httpd_passwd_t, httpd_suexec_t;
- type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
- type httpd_initrc_exec_t, httpd_keytab_t;
+ type httpd_modules_t, httpd_lock_t, httpd_bool_t;
+ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
+ type httpd_suexec_tmp_t, httpd_tmp_t;
+ type httpd_unit_file_t;
')
- allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms };
- allow $1 { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t })
- ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t })
+ allow $1 httpd_t:process signal_perms;
+ ps_process_pattern($1, httpd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 httpd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -1210,10 +1611,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
- files_search_etc($1)
- admin_pattern($1, { httpd_keytab_t httpd_config_t })
+ files_list_etc($1)
+ admin_pattern($1, httpd_config_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
@@ -1224,9 +1625,219 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
- admin_pattern($1, { httpdcontent httpd_script_exec_type httpd_htaccess_type })
- admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t })
+ admin_pattern($1, httpdcontent)
+ admin_pattern($1, httpd_script_exec_type)
+
+ seutil_domtrans_setfiles($1)
+
+ files_list_tmp($1)
+ admin_pattern($1, httpd_tmp_t)
+ admin_pattern($1, httpd_php_tmp_t)
+ admin_pattern($1, httpd_suexec_tmp_t)
+
+ apache_systemctl($1)
+ admin_pattern($1, httpd_unit_file_t)
+ allow $1 httpd_unit_file_t:service all_service_perms;
+
+ apache_filetrans_named_content($1)
+')
+
+########################################
+## <summary>
+## dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_leaks',`
+ gen_require(`
+ type httpd_t;
+ type httpd_tmp_t;
+ ')
+
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit $1 httpd_t:tcp_socket { read write };
+ dontaudit $1 httpd_t:unix_dgram_socket { read write };
+ dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
+ dontaudit $1 httpd_tmp_t:file { read write };
+')
+
+########################################
+## <summary>
+## Transition to apache named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_filetrans_named_content',`
+ gen_require(`
+ type httpd_sys_content_t, httpd_sys_rw_content_t;
+ type httpd_tmp_t;
+ ')
+
+
+ apache_filetrans_home_content($1)
+ files_usr_filetrans($1, httpd_sys_content_t, dir, "gallery2")
+ files_usr_filetrans($1, httpd_sys_content_t, dir, "z-push")
+ files_etc_filetrans($1, httpd_sys_content_t, dir, "z-push")
+ files_etc_filetrans($1, httpd_sys_content_t, dir, "web")
+ files_etc_filetrans($1, httpd_sys_content_t, dir, "WebCalendar")
+ files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig")
+ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde")
+ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud")
+ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "nextcloud")
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty")
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads")
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "wp-content")
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "upgrade")
+ userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
+')
+
+########################################
+## <summary>
+## Allow any httpd_exec_t to be an entrypoint of this domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_entrypoint',`
+ gen_require(`
+ type httpd_exec_t;
+ ')
+ allow $1 httpd_exec_t:file entrypoint;
+')
+
+########################################
+## <summary>
+## Execute a httpd_exec_t in the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`apache_exec_domtrans',`
+ gen_require(`
+ type httpd_exec_t;
+ ')
+
+ domtrans_pattern($1, httpd_exec_t, $2)
+')
+
+########################################
+## <summary>
+## Transition to apache home content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_filetrans_home_content',`
+ gen_require(`
+ type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t;
+ type httpd_user_content_ra_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html")
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www")
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web")
+ filetrans_pattern($1, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
+ filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs")
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
+')
+
+########################################
+## <summary>
+## Read apache pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_pid_files',`
+ gen_require(`
+ type httpd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## httpd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_dbus_chat',`
+ gen_require(`
+ type httpd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 httpd_t:dbus send_msg;
+ allow httpd_t $1:dbus send_msg;
+ ps_process_pattern(httpd_t, $1)
+')
+
+########################################
+## <summary>
+## Delete the httpd tmp.
+## </summary>
+## <param name="file_type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_delete_tmp',`
+ gen_require(`
+ type httpd_tmp_t;
+ ')
+
+ allow $1 httpd_tmp_t:file unlink;
+')
+
+########################################
+## <summary>
+## Allow httpd noatsecure
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_noatsecure',`
+ gen_require(`
+ type httpd_t;
+ ')
- apache_run_all_scripts($1, $2)
- apache_run_helper($1, $2)
+ allow $1 httpd_t:process { noatsecure };
')
diff --git a/apache.te b/apache.te
index 6649962b6..b7ac74501 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
# Declarations
#
+selinux_genbool(httpd_bool_t)
+
## <desc>
-## <p>
-## Determine whether httpd can modify
-## public files used for public file
-## transfer services. Directories/Files must
-## be labeled public_content_rw_t.
-## </p>
+## <p>
+## Allow Apache to modify public files
+## used for public file transfer services. Directories/Files must
+## be labeled public_content_rw_t.
+## </p>
## </desc>
-gen_tunable(allow_httpd_anon_write, false)
+gen_tunable(httpd_anon_write, false)
## <desc>
-## <p>
-## Determine whether httpd can use mod_auth_pam.
-## </p>
+## <p>
+## Dontaudit Apache to search dirs.
+## </p>
## </desc>
-gen_tunable(allow_httpd_mod_auth_pam, false)
+gen_tunable(httpd_dontaudit_search_dirs, false)
## <desc>
-## <p>
-## Determine whether httpd can use built in scripting.
-## </p>
+## <p>
+## Allow Apache to use mod_auth_pam
+## </p>
## </desc>
-gen_tunable(httpd_builtin_scripting, false)
+gen_tunable(httpd_mod_auth_pam, false)
## <desc>
-## <p>
-## Determine whether httpd can check spam.
-## </p>
+## <p>
+## Allow Apache to use mod_auth_ntlm_winbind
+## </p>
## </desc>
-gen_tunable(httpd_can_check_spam, false)
+gen_tunable(httpd_mod_auth_ntlm_winbind, false)
## <desc>
-## <p>
-## Determine whether httpd scripts and modules
-## can connect to the network using TCP.
-## </p>
+## <p>
+## Allow httpd scripts and modules execmem/execstack
+## </p>
+## </desc>
+gen_tunable(httpd_execmem, false)
+
+## <desc>
+## <p>
+## Allow httpd processes to manage IPA content
+## </p>
+## </desc>
+gen_tunable(httpd_manage_ipa, false)
+
+## <desc>
+## <p>
+## Allow httpd processes to run IPA helper.
+## </p>
+## </desc>
+gen_tunable(httpd_run_ipa, false)
+
+## <desc>
+## <p>
+## Allow httpd to use built in scripting (usually php)
+## </p>
+## </desc>
+gen_tunable(httpd_builtin_scripting, false)
+
+## <desc>
+## <p>
+## Allow HTTPD scripts and modules to connect to the network using TCP.
+## </p>
## </desc>
gen_tunable(httpd_can_network_connect, false)
## <desc>
-## <p>
-## Determine whether httpd scripts and modules
-## can connect to cobbler over the network.
-## </p>
+## <p>
+## Allow HTTPD scripts and modules to connect to cobbler over the network.
+## </p>
## </desc>
gen_tunable(httpd_can_network_connect_cobbler, false)
## <desc>
-## <p>
-## Determine whether scripts and modules can
-## connect to databases over the network.
-## </p>
+## <p>
+## Allow HTTPD scripts and modules to server cobbler files.
+## </p>
## </desc>
-gen_tunable(httpd_can_network_connect_db, false)
+gen_tunable(httpd_serve_cobbler_files, false)
## <desc>
-## <p>
-## Determine whether httpd can connect to
-## ldap over the network.
-## </p>
+## <p>
+## Allow HTTPD to connect to port 80 for graceful shutdown
+## </p>
## </desc>
-gen_tunable(httpd_can_network_connect_ldap, false)
+gen_tunable(httpd_graceful_shutdown, false)
## <desc>
-## <p>
-## Determine whether httpd can connect
-## to memcache server over the network.
-## </p>
+## <p>
+## Allow HTTPD scripts and modules to connect to databases over the network.
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect_db, false)
+
+## <desc>
+## <p>
+## Allow httpd to connect to memcache server
+## </p>
## </desc>
-gen_tunable(httpd_can_network_connect_memcache, false)
+gen_tunable(httpd_can_network_memcache, false)
## <desc>
-## <p>
-## Determine whether httpd can act as a relay.
-## </p>
+## <p>
+## Allow httpd to act as a relay
+## </p>
## </desc>
gen_tunable(httpd_can_network_relay, false)
## <desc>
-## <p>
-## Determine whether httpd daemon can
-## connect to zabbix over the network.
-## </p>
+## <p>
+## Allow http daemon to connect to zabbix
+## </p>
## </desc>
-gen_tunable(httpd_can_network_connect_zabbix, false)
+gen_tunable(httpd_can_connect_zabbix, false)
## <desc>
-## <p>
-## Determine whether httpd can send mail.
-## </p>
+## <p>
+## Allow http daemon to connect to mythtv
+## </p>
+## </desc>
+gen_tunable(httpd_can_connect_mythtv, false)
+
+## <desc>
+## <p>
+## Allow http daemon to check spam
+## </p>
+## </desc>
+gen_tunable(httpd_can_check_spam, false)
+
+## <desc>
+## <p>
+## Allow http daemon to send mail
+## </p>
## </desc>
gen_tunable(httpd_can_sendmail, false)
## <desc>
-## <p>
-## Determine whether httpd can communicate
-## with avahi service via dbus.
-## </p>
+## <p>
+## Allow Apache to communicate with avahi service via dbus
+## </p>
## </desc>
gen_tunable(httpd_dbus_avahi, false)
## <desc>
-## <p>
-## Determine wether httpd can use support.
-## </p>
+## <p>
+## Allow Apache to communicate with sssd service via dbus
+## </p>
## </desc>
-gen_tunable(httpd_enable_cgi, false)
+gen_tunable(httpd_dbus_sssd, false)
## <desc>
-## <p>
-## Determine whether httpd can act as a
-## FTP server by listening on the ftp port.
-## </p>
+## <p>
+## Allow httpd cgi support
+## </p>
## </desc>
-gen_tunable(httpd_enable_ftp_server, false)
+gen_tunable(httpd_enable_cgi, false)
## <desc>
-## <p>
-## Determine whether httpd can traverse
-## user home directories.
-## </p>
+## <p>
+## Allow httpd to act as a FTP server by
+## listening on the ftp port.
+## </p>
## </desc>
-gen_tunable(httpd_enable_homedirs, false)
+gen_tunable(httpd_enable_ftp_server, false)
## <desc>
-## <p>
-## Determine whether httpd gpg can modify
-## public files used for public file
-## transfer services. Directories/Files must
-## be labeled public_content_rw_t.
-## </p>
+## <p>
+## Allow httpd to act as a FTP client
+## connecting to the ftp port and ephemeral ports
+## </p>
## </desc>
-gen_tunable(httpd_gpg_anon_write, false)
+gen_tunable(httpd_can_connect_ftp, false)
## <desc>
-## <p>
-## Determine whether httpd can execute
-## its temporary content.
-## </p>
+## <p>
+## Allow httpd to connect to the ldap port
+## </p>
## </desc>
-gen_tunable(httpd_tmp_exec, false)
+gen_tunable(httpd_can_connect_ldap, false)
## <desc>
-## <p>
-## Determine whether httpd scripts and
-## modules can use execmem and execstack.
-## </p>
+## <p>
+## Allow httpd to read home directories
+## </p>
## </desc>
-gen_tunable(httpd_execmem, false)
+gen_tunable(httpd_enable_homedirs, false)
## <desc>
-## <p>
-## Determine whether httpd can connect
-## to port 80 for graceful shutdown.
-## </p>
+## <p>
+## Allow httpd to read user content
+## </p>
## </desc>
-gen_tunable(httpd_graceful_shutdown, false)
+gen_tunable(httpd_read_user_content, false)
## <desc>
-## <p>
-## Determine whether httpd can
-## manage IPA content files.
-## </p>
+## <p>
+## Allow Apache to run in stickshift mode, not transition to passenger
+## </p>
## </desc>
-gen_tunable(httpd_manage_ipa, false)
+gen_tunable(httpd_run_stickshift, false)
+
## <desc>
-## <p>
-## Determine whether httpd can use mod_auth_ntlm_winbind.
-## </p>
+## <p>
+## Allow Apache to run preupgrade
+## </p>
## </desc>
-gen_tunable(httpd_mod_auth_ntlm_winbind, false)
+gen_tunable(httpd_run_preupgrade, false)
## <desc>
-## <p>
-## Determine whether httpd can read
-## generic user home content files.
-## </p>
+## <p>
+## Allow Apache to query NS records
+## </p>
## </desc>
-gen_tunable(httpd_read_user_content, false)
+gen_tunable(httpd_verify_dns, false)
## <desc>
-## <p>
-## Determine whether httpd can change
-## its resource limits.
-## </p>
+## <p>
+## Allow httpd daemon to change its resource limits
+## </p>
## </desc>
gen_tunable(httpd_setrlimit, false)
## <desc>
-## <p>
-## Determine whether httpd can run
-## SSI executables in the same domain
-## as system CGI scripts.
-## </p>
+## <p>
+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+## </p>
## </desc>
gen_tunable(httpd_ssi_exec, false)
## <desc>
-## <p>
-## Determine whether httpd can communicate
-## with the terminal. Needed for entering the
-## passphrase for certificates at the terminal.
-## </p>
+## <p>
+## Allow Apache to execute tmp content.
+## </p>
+## </desc>
+gen_tunable(httpd_tmp_exec, false)
+
+## <desc>
+## <p>
+## Unify HTTPD to communicate with the terminal.
+## Needed for entering the passphrase for certificates at
+## the terminal.
+## </p>
## </desc>
gen_tunable(httpd_tty_comm, false)
## <desc>
-## <p>
-## Determine whether httpd can have full access
-## to its content types.
-## </p>
+## <p>
+## Unify HTTPD handling of all content files.
+## </p>
## </desc>
gen_tunable(httpd_unified, false)
## <desc>
-## <p>
-## Determine whether httpd can use
-## cifs file systems.
-## </p>
+## <p>
+## Allow httpd to access openstack ports
+## </p>
+## </desc>
+gen_tunable(httpd_use_openstack, false)
+
+## <desc>
+## <p>
+## Allow httpd to access cifs file systems
+## </p>
## </desc>
gen_tunable(httpd_use_cifs, false)
## <desc>
## <p>
-## Determine whether httpd can
-## use fuse file systems.
+## Allow httpd to access FUSE file systems
## </p>
## </desc>
gen_tunable(httpd_use_fusefs, false)
## <desc>
-## <p>
-## Determine whether httpd can use gpg.
-## </p>
+## <p>
+## Allow httpd to run gpg
+## </p>
## </desc>
gen_tunable(httpd_use_gpg, false)
## <desc>
-## <p>
-## Determine whether httpd can use
-## nfs file systems.
-## </p>
+## <p>
+## Allow httpd to connect to sasl
+## </p>
+## </desc>
+gen_tunable(httpd_use_sasl, false)
+
+## <desc>
+## <p>
+## Allow httpd to access nfs file systems
+## </p>
## </desc>
gen_tunable(httpd_use_nfs, false)
+## <desc>
+## <p>
+## Allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t.
+## </p>
+## </desc>
+gen_tunable(httpd_sys_script_anon_write, false)
+
attribute httpdcontent;
-attribute httpd_htaccess_type;
+attribute httpd_user_content_type;
+attribute httpd_content_type;
-# domains that can exec all scripts
+# domains that can exec all users scripts
attribute httpd_exec_scripts;
+attribute httpd_script_type;
attribute httpd_script_exec_type;
+attribute httpd_user_script_exec_type;
-# all script domains
+# user script domains
attribute httpd_script_domains;
-attribute_role httpd_helper_roles;
-roleattribute system_r httpd_helper_roles;
-
type httpd_t;
type httpd_exec_t;
+ifdef(`distro_redhat',`
+ typealias httpd_t alias phpfpm_t;
+ typealias httpd_exec_t alias phpfpm_exec_t;
+')
init_daemon_domain(httpd_t, httpd_exec_t)
+role system_r types httpd_t;
+# httpd_cache_t is the type given to the /var/cache/httpd
+# directory and the files under that directory
type httpd_cache_t;
files_type(httpd_cache_t)
+# httpd_config_t is the type given to the configuration files
type httpd_config_t;
files_config_file(httpd_config_t)
type httpd_helper_t;
type httpd_helper_exec_t;
-application_domain(httpd_helper_t, httpd_helper_exec_t)
-role httpd_helper_roles types httpd_helper_t;
+domain_type(httpd_helper_t)
+domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
+role system_r types httpd_helper_t;
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
@@ -286,15 +352,35 @@ init_script_file(httpd_initrc_exec_t)
type httpd_keytab_t;
files_type(httpd_keytab_t)
+type httpd_unit_file_t;
+ifdef(`distro_redhat',`
+ typealias httpd_unit_file_t alias phpfpm_unit_file_t;
+')
+systemd_unit_file(httpd_unit_file_t)
+
type httpd_lock_t;
files_lock_file(httpd_lock_t)
type httpd_log_t;
+ifdef(`distro_redhat',`
+ typealias httpd_log_t alias phpfpm_log_t;
+')
logging_log_file(httpd_log_t)
+# httpd_modules_t is the type given to module files (libraries)
+# that come with Apache /etc/httpd/modules and /usr/lib/apache
type httpd_modules_t;
files_type(httpd_modules_t)
+type httpd_php_t;
+type httpd_php_exec_t;
+domain_type(httpd_php_t)
+domain_entry_file(httpd_php_t, httpd_php_exec_t)
+role system_r types httpd_php_t;
+
+type httpd_php_tmp_t;
+files_tmp_file(httpd_php_tmp_t)
+
type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
@@ -302,10 +388,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)
-type squirrelmail_spool_t;
-files_tmp_file(squirrelmail_spool_t)
-
-type httpd_suexec_t;
+# SUEXEC runs user scripts as their own user ID
+type httpd_suexec_t; #, daemon;
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
@@ -314,9 +398,19 @@ role system_r types httpd_suexec_t;
type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)
-apache_content_template(sys)
-corecmd_shell_entry_type(httpd_sys_script_t)
-typealias httpd_sys_content_t alias ntop_http_content_t;
+# setup the system domain for system CGI scripts
+apache_content_template(httpd_sys)
+
+typeattribute httpd_sys_content_t httpdcontent; # customizable
+typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
+typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
+
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
+typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
+typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
@@ -324,14 +418,16 @@ files_tmp_file(httpd_tmp_t)
type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t)
-apache_content_template(user)
+apache_user_content_template(httpd_user)
ubac_constrained(httpd_user_script_t)
-userdom_user_home_content(httpd_user_content_t)
-userdom_user_home_content(httpd_user_htaccess_t)
-userdom_user_home_content(httpd_user_script_exec_t)
-userdom_user_home_content(httpd_user_ra_content_t)
-userdom_user_home_content(httpd_user_rw_content_t)
+
+typeattribute httpd_user_content_t httpdcontent;
+typeattribute httpd_user_rw_content_t httpdcontent;
+typeattribute httpd_user_ra_content_t httpdcontent;
+
+typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
+typealias httpd_user_content_t alias httpd_unconfined_content_t;
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
@@ -346,33 +442,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
+# for apache2 memory mapped files
type httpd_var_lib_t;
files_type(httpd_var_lib_t)
type httpd_var_run_t;
+ifdef(`distro_redhat',`
+ typealias httpd_var_run_t alias phpfpm_var_run_t;
+')
files_pid_file(httpd_var_run_t)
-type httpd_passwd_t;
-type httpd_passwd_exec_t;
-domain_type(httpd_passwd_t)
-domain_entry_file(httpd_passwd_t, httpd_passwd_exec_t)
-role system_r types httpd_passwd_t;
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
-type httpd_gpg_t;
-domain_type(httpd_gpg_t)
-role system_r types httpd_gpg_t;
+# File Type of squirrelmail attachments
+type squirrelmail_spool_t;
+files_tmp_file(squirrelmail_spool_t)
+files_spool_file(squirrelmail_spool_t)
optional_policy(`
prelink_object_file(httpd_modules_t)
')
+type httpd_passwd_t;
+type httpd_passwd_exec_t;
+application_domain(httpd_passwd_t, httpd_passwd_exec_t)
+role system_r types httpd_passwd_t;
+
########################################
#
-# Local policy
+# Apache server local policy
#
-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
-dontaudit httpd_t self:capability net_admin;
+allow httpd_t self:capability { chown dac_read_search kill setgid setuid sys_nice sys_tty_config sys_chroot };
+dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
@@ -381,30 +484,39 @@ allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
-allow httpd_t self:unix_dgram_socket sendto;
-allow httpd_t self:unix_stream_socket { accept connectto listen };
-allow httpd_t self:tcp_socket { accept listen };
+allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow httpd_t self:tcp_socket create_stream_socket_perms;
+allow httpd_t self:udp_socket create_socket_perms;
+dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
+# Allow httpd_t to put files in /var/cache/httpd etc
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
-files_var_filetrans(httpd_t, httpd_cache_t, dir)
+files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
+# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+can_exec(httpd_t, httpd_exec_t)
+
allow httpd_t httpd_keytab_t:file read_file_perms;
allow httpd_t httpd_lock_t:file manage_file_perms;
files_lock_filetrans(httpd_t, httpd_lock_t, file)
-allow httpd_t httpd_log_t:dir setattr_dir_perms;
+allow httpd_t httpd_log_t:dir setattr;
create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+# cjp: need to refine create interfaces to
+# cut this back to add_name only
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
@@ -412,13 +524,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+apache_domtrans_rotatelogs(httpd_t)
+# Apache-httpd needs to be able to send signals to the log rotate procs.
allow httpd_t httpd_rotatelogs_t:process signal_perms;
manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
-allow httpd_t httpd_suexec_exec_t:file read_file_perms;
+allow httpd_t httpd_suexec_t:process { signal signull };
+allow httpd_t httpd_suexec_t:file read_file_perms;
+
+allow httpd_t httpd_sys_content_t:dir list_dir_perms;
+read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+allow httpd_t httpd_sys_content_t:file map;
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
@@ -428,6 +548,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir)
+allow httpd_t httpd_tmp_t:file map;
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
@@ -438,6 +559,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi
manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
@@ -450,140 +572,179 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
-can_exec(httpd_t, httpd_exec_t)
-
-domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
-domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
-domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
-domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-
kernel_read_kernel_sysctls(httpd_t)
-kernel_read_network_state(httpd_t)
+# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
+kernel_read_network_state(httpd_t)
kernel_search_network_sysctl(httpd_t)
-corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
corenet_tcp_sendrecv_generic_if(httpd_t)
+corenet_udp_sendrecv_generic_if(httpd_t)
corenet_tcp_sendrecv_generic_node(httpd_t)
+corenet_udp_sendrecv_generic_node(httpd_t)
+corenet_tcp_sendrecv_all_ports(httpd_t)
+corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
-
-corenet_sendrecv_http_server_packets(httpd_t)
+corenet_udp_bind_generic_node(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
-corenet_tcp_sendrecv_http_port(httpd_t)
-
-corenet_sendrecv_http_cache_server_packets(httpd_t)
+corenet_udp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
-corenet_tcp_sendrecv_http_cache_port(httpd_t)
-
-corecmd_exec_bin(httpd_t)
-corecmd_exec_shell(httpd_t)
+corenet_tcp_bind_ntop_port(httpd_t)
+corenet_tcp_bind_jboss_management_port(httpd_t)
+corenet_tcp_bind_jboss_messaging_port(httpd_t)
+corenet_sendrecv_http_server_packets(httpd_t)
+corenet_tcp_bind_puppet_port(httpd_t)
+# Signal self for shutdown
+tunable_policy(`httpd_graceful_shutdown',`
+ corenet_tcp_connect_http_port(httpd_t)
+')
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
dev_read_urand(httpd_t)
dev_rw_crypto(httpd_t)
-domain_use_interactive_fds(httpd_t)
+files_dontaudit_write_all_mountpoints(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
-
-fs_getattr_all_fs(httpd_t)
-fs_read_anon_inodefs_files(httpd_t)
fs_read_iso9660_files(httpd_t)
-fs_search_auto_mountpoints(httpd_t)
+fs_rw_anon_inodefs_files(httpd_t)
+fs_rw_hugetlbfs_files(httpd_t)
+fs_exec_hugetlbfs_files(httpd_t)
+fs_list_inotifyfs(httpd_t)
+
+auth_use_nsswitch(httpd_t)
+
+application_exec_all(httpd_t)
+
+# execute perl
+corecmd_exec_bin(httpd_t)
+corecmd_exec_shell(httpd_t)
+
+domain_use_interactive_fds(httpd_t)
+domain_dontaudit_read_all_domains_state(httpd_t)
+files_dontaudit_search_all_pids(httpd_t)
files_dontaudit_getattr_all_pids(httpd_t)
-files_read_usr_files(httpd_t)
+files_exec_usr_files(httpd_t)
files_list_mnt(httpd_t)
+files_read_mnt_symlinks(httpd_t)
+files_search_all(httpd_t)
files_search_spool(httpd_t)
files_read_var_symlinks(httpd_t)
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
+# for modules that want to access /etc/mtab
files_read_etc_runtime_files(httpd_t)
+# Allow httpd_t to have access to files such as nisswitch.conf
+# for tomcat
files_read_var_lib_symlinks(httpd_t)
-auth_use_nsswitch(httpd_t)
+fs_search_auto_mountpoints(httpd_sys_script_t)
+# php uploads a file to /tmp and then execs programs to acton them
+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
libs_read_lib_files(httpd_t)
+ifdef(`hide_broken_symptoms',`
+ libs_exec_lib_files(httpd_t)
+')
+
logging_send_syslog_msg(httpd_t)
-miscfiles_read_localization(httpd_t)
+init_dontaudit_read_utmp(httpd_t)
+
miscfiles_read_fonts(httpd_t)
miscfiles_read_public_files(httpd_t)
miscfiles_read_generic_certs(httpd_t)
+miscfiles_map_generic_certs(httpd_t)
miscfiles_read_tetex_data(httpd_t)
-
-seutil_dontaudit_search_config(httpd_t)
+miscfiles_dontaudit_access_check_cert(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
-ifdef(`TODO',`
- tunable_policy(`allow_httpd_mod_auth_pam',`
- auth_domtrans_chk_passwd(httpd_t)
+tunable_policy(`httpd_setrlimit',`
+ allow httpd_t self:process setrlimit;
+ allow httpd_t self:capability sys_resource;
+')
- logging_send_audit_msgs(httpd_t)
- ')
+tunable_policy(`httpd_anon_write',`
+ miscfiles_manage_public_files(httpd_t)
')
-ifdef(`hide_broken_symptoms',`
- libs_exec_lib_files(httpd_t)
+tunable_policy(`httpd_dontaudit_search_dirs',`
+ files_dontaudit_search_non_security_dirs(httpd_t)
')
-tunable_policy(`allow_httpd_anon_write',`
- miscfiles_manage_public_files(httpd_t)
+#
+# We need optionals to be able to be within booleans to make this work
+#
+tunable_policy(`httpd_mod_auth_pam',`
+ auth_domtrans_chkpwd(httpd_t)
+ logging_send_audit_msgs(httpd_t)
+')
+
+optional_policy(`
+ tunable_policy(`httpd_mod_auth_ntlm_winbind',`
+ samba_domtrans_winbind_helper(httpd_t)
+ ')
')
tunable_policy(`httpd_can_network_connect',`
- corenet_sendrecv_all_client_packets(httpd_t)
corenet_tcp_connect_all_ports(httpd_t)
- corenet_tcp_sendrecv_all_ports(httpd_t)
')
tunable_policy(`httpd_can_network_connect_db',`
- corenet_sendrecv_gds_db_client_packets(httpd_t)
corenet_tcp_connect_gds_db_port(httpd_t)
- corenet_tcp_sendrecv_gds_db_port(httpd_t)
- corenet_sendrecv_mssql_client_packets(httpd_t)
corenet_tcp_connect_mssql_port(httpd_t)
- corenet_tcp_sendrecv_mssql_port(httpd_t)
- corenet_sendrecv_oracledb_client_packets(httpd_t)
- corenet_tcp_connect_oracledb_port(httpd_t)
- corenet_tcp_sendrecv_oracledb_port(httpd_t)
+ corenet_tcp_connect_mongod_port(httpd_t)
+ corenet_sendrecv_mssql_client_packets(httpd_t)
+ corenet_tcp_connect_oracle_port(httpd_t)
+ corenet_sendrecv_oracle_client_packets(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_memcache',`
+ corenet_tcp_connect_memcache_port(httpd_t)
')
tunable_policy(`httpd_can_network_relay',`
- corenet_sendrecv_gopher_client_packets(httpd_t)
+ # allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
- corenet_tcp_sendrecv_gopher_port(httpd_t)
- corenet_sendrecv_ftp_client_packets(httpd_t)
corenet_tcp_connect_ftp_port(httpd_t)
- corenet_tcp_sendrecv_ftp_port(httpd_t)
- corenet_sendrecv_http_client_packets(httpd_t)
corenet_tcp_connect_http_port(httpd_t)
- corenet_tcp_sendrecv_http_port(httpd_t)
- corenet_sendrecv_http_cache_client_packets(httpd_t)
corenet_tcp_connect_http_cache_port(httpd_t)
- corenet_tcp_sendrecv_http_cache_port(httpd_t)
- corenet_sendrecv_squid_client_packets(httpd_t)
corenet_tcp_connect_squid_port(httpd_t)
- corenet_tcp_sendrecv_squid_port(httpd_t)
+ corenet_tcp_connect_memcache_port(httpd_t)
+ corenet_sendrecv_gopher_client_packets(httpd_t)
+ corenet_sendrecv_ftp_client_packets(httpd_t)
+ corenet_sendrecv_http_client_packets(httpd_t)
+ corenet_sendrecv_http_cache_client_packets(httpd_t)
+ corenet_sendrecv_squid_client_packets(httpd_t)
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
')
-tunable_policy(`httpd_builtin_scripting',`
- exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)
+tunable_policy(`httpd_execmem',`
+ allow httpd_t self:process { execmem execstack };
+ allow httpd_sys_script_t self:process { execmem execstack };
+ allow httpd_suexec_t self:process { execmem execstack };
+')
- allow httpd_t httpdcontent:dir list_dir_perms;
- allow httpd_t httpdcontent:file read_file_perms;
- allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
+ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+ can_exec(httpd_sys_script_t, httpd_sys_content_t)
')
-tunable_policy(`httpd_enable_cgi',`
- allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
- allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+tunable_policy(`httpd_sys_script_anon_write',`
+ miscfiles_manage_public_files(httpd_sys_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -594,28 +755,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
-# tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
-# fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
-# ')
+tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
+ fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
+')
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
- manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
- manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
+')
+
+tunable_policy(`httpd_can_connect_ftp',`
+ corenet_tcp_connect_ftp_port(httpd_t)
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
+')
+
+tunable_policy(`httpd_can_connect_ldap',`
+ corenet_tcp_connect_ldap_port(httpd_t)
+')
+
+tunable_policy(`httpd_can_connect_mythtv',`
+ corenet_tcp_connect_mythtv_port(httpd_t)
+')
+
+tunable_policy(`httpd_can_connect_zabbix',`
+ corenet_tcp_connect_zabbix_port(httpd_t)
')
tunable_policy(`httpd_enable_ftp_server',`
- corenet_sendrecv_ftp_server_packets(httpd_t)
corenet_tcp_bind_ftp_port(httpd_t)
- corenet_tcp_sendrecv_ftp_port(httpd_t)
+ corenet_tcp_bind_all_ephemeral_ports(httpd_t)
')
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_t)
+tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
+ can_exec(httpd_t, httpd_tmp_t)
+')
+
+tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
+ can_exec(httpd_sys_script_t, httpd_tmp_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -624,68 +807,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_t)
+tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_t)
+ fs_manage_nfs_dirs(httpd_t)
+ fs_manage_nfs_files(httpd_t)
+ fs_manage_nfs_symlinks(httpd_t)
+')
+
+
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ automount_search_tmp_dirs(httpd_t)
+ ')
')
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_list_auto_mountpoints(httpd_t)
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
')
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_t)
+tunable_policy(`httpd_can_sendmail',`
+ # allow httpd to connect to mail servers
+ corenet_tcp_connect_smtp_port(httpd_t)
+ corenet_sendrecv_smtp_client_packets(httpd_t)
+ corenet_tcp_connect_pop_port(httpd_t)
+ corenet_sendrecv_pop_client_packets(httpd_t)
')
-tunable_policy(`httpd_execmem',`
- allow httpd_t self:process { execmem execstack };
-')
-
-tunable_policy(`httpd_can_sendmail',`
- corenet_sendrecv_smtp_client_packets(httpd_t)
- corenet_tcp_connect_smtp_port(httpd_t)
- corenet_tcp_sendrecv_smtp_port(httpd_t)
- corenet_sendrecv_pop_client_packets(httpd_t)
- corenet_tcp_connect_pop_port(httpd_t)
- corenet_tcp_sendrecv_pop_port(httpd_t)
-
- mta_send_mail(httpd_t)
- mta_signal_system_mail(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_can_sendmail',`
+ mta_send_mail(httpd_t)
+ mta_signal_system_mail(httpd_t)
+ ')
')
optional_policy(`
- tunable_policy(`httpd_can_network_connect_zabbix',`
- zabbix_tcp_connect(httpd_t)
- ')
-')
-
-optional_policy(`
- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
- spamassassin_domtrans_client(httpd_t)
- ')
+ tunable_policy(`httpd_can_sendmail',`
+ postfix_rw_spool_maildrop_files(httpd_t)
+ ')
')
-tunable_policy(`httpd_graceful_shutdown',`
- corenet_sendrecv_http_client_packets(httpd_t)
- corenet_tcp_connect_http_port(httpd_t)
- corenet_tcp_sendrecv_http_port(httpd_t)
-')
-
-optional_policy(`
- tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
- gpg_spec_domtrans(httpd_t, httpd_gpg_t)
- ')
-')
-
-optional_policy(`
- tunable_policy(`httpd_mod_auth_ntlm_winbind',`
- samba_domtrans_winbind_helper(httpd_t)
- ')
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
')
-tunable_policy(`httpd_read_user_content',`
- userdom_read_user_home_content_files(httpd_t)
+tunable_policy(`httpd_use_fusefs',`
+ fs_manage_fusefs_dirs(httpd_t)
+ fs_manage_fusefs_files(httpd_t)
+ fs_manage_fusefs_symlinks(httpd_t)
')
tunable_policy(`httpd_setrlimit',`
@@ -695,49 +866,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
+ allow httpd_sys_script_t httpd_t:fd use;
+ allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
+ allow httpd_sys_script_t httpd_t:process sigchld;
')
-tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
- can_exec(httpd_t, httpd_tmp_t)
-')
-
+# When the admin starts the server, the server wants to access
+# the TTY or PTY associated with the session. The httpd appears
+# to run correctly without this permission, so the permission
+# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_t)
-',`
- userdom_dontaudit_use_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_suexec_t)
')
-tunable_policy(`httpd_use_cifs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_cifs_dirs(httpd_t)
- fs_manage_cifs_files(httpd_t)
- fs_manage_cifs_symlinks(httpd_t)
-')
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_t)
-')
+optional_policy(`
+ cobbler_list_config(httpd_t)
+ cobbler_read_config(httpd_t)
-tunable_policy(`httpd_use_fusefs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_fusefs_dirs(httpd_t)
- fs_manage_fusefs_files(httpd_t)
- fs_read_fusefs_symlinks(httpd_t)
-')
+ tunable_policy(`httpd_serve_cobbler_files',`
+ cobbler_manage_lib_files(httpd_t)
+',`
+ cobbler_read_lib_files(httpd_t)
+ cobbler_search_lib(httpd_t)
+ ')
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
- fs_exec_fusefs_files(httpd_t)
+ tunable_policy(`httpd_can_network_connect_cobbler',`
+ corenet_tcp_connect_cobbler_port(httpd_t)
+ ')
')
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_nfs_dirs(httpd_t)
- fs_manage_nfs_files(httpd_t)
- fs_manage_nfs_symlinks(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_sasl',`
+ sasl_connect(httpd_t)
+ ')
')
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_t)
+optional_policy(`
+ # Support for ABRT retrace server
+ # mod_wsgi
+ abrt_manage_spool_retrace(httpd_t)
+ abrt_domtrans_retrace_worker(httpd_t)
+ abrt_read_config(httpd_t)
')
optional_policy(`
@@ -749,24 +919,32 @@ optional_policy(`
')
optional_policy(`
- clamav_domtrans_clamscan(httpd_t)
+ cron_system_entry(httpd_t, httpd_exec_t)
')
optional_policy(`
- cobbler_read_config(httpd_t)
- cobbler_read_lib_files(httpd_t)
+ cvs_read_data(httpd_t)
')
optional_policy(`
- cron_system_entry(httpd_t, httpd_exec_t)
+ daemontools_service_domain(httpd_t, httpd_exec_t)
')
optional_policy(`
- cvs_read_data(httpd_t)
+ #needed by FreeIPA
+ dirsrv_stream_connect(httpd_t)
')
optional_policy(`
- daemontools_service_domain(httpd_t, httpd_exec_t)
+ dirsrv_manage_config(httpd_t)
+ dirsrv_manage_log(httpd_t)
+ dirsrv_manage_var_run(httpd_t)
+ dirsrv_read_share(httpd_t)
+ dirsrv_signal(httpd_t)
+ dirsrv_signull(httpd_t)
+ dirsrvadmin_manage_config(httpd_t)
+ dirsrvadmin_manage_tmp(httpd_t)
+ dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
')
optional_policy(`
@@ -775,6 +953,10 @@ optional_policy(`
tunable_policy(`httpd_dbus_avahi',`
avahi_dbus_chat(httpd_t)
')
+
+ tunable_policy(`httpd_dbus_sssd',`
+ sssd_dbus_chat(httpd_t)
+ ')
')
optional_policy(`
@@ -786,35 +968,62 @@ optional_policy(`
')
optional_policy(`
- kerberos_manage_host_rcache(httpd_t)
- kerberos_read_keytab(httpd_t)
- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
- kerberos_use(httpd_t)
+ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+ gpg_domtrans_web(httpd_t)
+ ')
')
optional_policy(`
- ldap_stream_connect(httpd_t)
+ gssproxy_stream_connect(httpd_t)
+')
- tunable_policy(`httpd_can_network_connect_ldap',`
- ldap_tcp_connect(httpd_t)
- ')
+optional_policy(`
+ ipa_read_lib(httpd_t)
+ ipa_manage_pid_files(httpd_t)
+')
+
+optional_policy(`
+ mirrormanager_manage_pid_files(httpd_t)
+ mirrormanager_manage_pid_sock_files(httpd_t)
+ mirrormanager_read_lib_files(httpd_t)
+ mirrormanager_read_log(httpd_t)
+')
+
+optional_policy(`
+ jetty_admin(httpd_t)
+')
+
+optional_policy(`
+ kerberos_manage_host_rcache(httpd_t)
+ kerberos_read_keytab(httpd_t)
+ kerberos_read_kdc_config(httpd_t)
+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
+ kerberos_use(httpd_t)
+')
+
+optional_policy(`
+ # needed by FreeIPA
+ ldap_stream_connect(httpd_t)
+ ldap_read_certs(httpd_t)
')
optional_policy(`
mailman_signal_cgi(httpd_t)
mailman_domtrans_cgi(httpd_t)
mailman_read_data_files(httpd_t)
+ # should have separate types for public and private archives
mailman_search_data(httpd_t)
mailman_read_archive(httpd_t)
')
optional_policy(`
- memcached_stream_connect(httpd_t)
+ mediawiki_read_tmp_files(httpd_t)
+ mediawiki_delete_tmp_files(httpd_t)
+')
- tunable_policy(`httpd_can_network_connect_memcache',`
- memcached_tcp_connect(httpd_t)
- ')
+optional_policy(`
+ memcached_stream_connect(httpd_t)
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
@@ -822,8 +1031,31 @@ optional_policy(`
')
optional_policy(`
+ tunable_policy(`httpd_run_ipa',`
+ oddjob_dbus_chat(httpd_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`httpd_run_ipa',`
+ ipa_domtrans_helper(httpd_t)
+ ')
+ ipa_cert_filetrans_named_content(httpd_t)
+')
+
+optional_policy(`
+ munin_read_config(httpd_t)
+')
+
+optional_policy(`
+ # Allow httpd to work with mysql
mysql_read_config(httpd_t)
mysql_stream_connect(httpd_t)
+ mysql_rw_db_sockets(httpd_t)
+
+ optional_policy(`
+ postgresql_stream_connect(httpd_t)
+ ')
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
@@ -832,6 +1064,8 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
+ nagios_read_lib(httpd_t)
+ nagios_read_log(httpd_t)
')
optional_policy(`
@@ -842,20 +1076,48 @@ optional_policy(`
')
optional_policy(`
+ openshift_search_lib(httpd_t)
+ openshift_initrc_signull(httpd_t)
+ openshift_initrc_signal(httpd_t)
+')
+
+optional_policy(`
+ passenger_exec(httpd_t)
+ passenger_kill(httpd_t)
+ passenger_manage_pid_content(httpd_t)
+')
+
+optional_policy(`
pcscd_read_pid_files(httpd_t)
')
optional_policy(`
- postgresql_stream_connect(httpd_t)
- postgresql_unpriv_client(httpd_t)
+ pkcs11proxyd_stream_connect(httpd_t)
+')
- tunable_policy(`httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_t)
- ')
+optional_policy(`
+ pki_apache_domain_signal(httpd_t)
+ pki_manage_apache_config_files(httpd_t)
+ pki_manage_apache_lib(httpd_t)
+ pki_manage_apache_log_files(httpd_t)
+ pki_manage_apache_run(httpd_t)
+ pki_read_tomcat_cert(httpd_t)
')
optional_policy(`
- puppet_read_lib_files(httpd_t)
+ puppet_read_lib(httpd_t)
+')
+
+optional_policy(`
+ pwauth_domtrans(httpd_t)
+')
+
+optional_policy(`
+ realmd_read_var_lib(httpd_t)
+')
+
+optional_policy(`
+ rpm_dontaudit_read_db(httpd_t)
')
optional_policy(`
@@ -863,16 +1125,31 @@ optional_policy(`
')
optional_policy(`
+ # Allow httpd to work with postgresql
+ postgresql_stream_connect(httpd_t)
+ postgresql_unpriv_client(httpd_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_t)
+ ')
+')
+
+optional_policy(`
seutil_sigchld_newrole(httpd_t)
')
optional_policy(`
smokeping_read_lib_files(httpd_t)
+ smokeping_read_pid_files(httpd_t)
+')
+
+optional_policy(`
+ files_dontaudit_rw_usr_dirs(httpd_t)
+ snmp_dontaudit_manage_snmp_var_lib_files(httpd_t)
')
optional_policy(`
- snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
- snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
+ thin_stream_connect(httpd_t)
')
optional_policy(`
@@ -883,65 +1160,189 @@ optional_policy(`
yam_read_content(httpd_t)
')
+optional_policy(`
+ zarafa_manage_lib_files(httpd_t)
+ zarafa_stream_connect_server(httpd_t)
+ zarafa_search_config(httpd_t)
+')
+
+optional_policy(`
+ zoneminder_append_log(httpd_t)
+ zoneminder_manage_lib_dirs(httpd_t)
+ zoneminder_manage_lib_files(httpd_t)
+ zoneminder_stream_connect(httpd_t)
+ zoneminder_exec(httpd_t)
+')
+
########################################
#
-# Helper local policy
+# Apache helper local policy
#
-read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
+domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
-append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
+allow httpd_helper_t httpd_config_t:file read_file_perms;
-files_search_etc(httpd_helper_t)
+allow httpd_helper_t httpd_log_t:file append_file_perms;
-logging_search_logs(httpd_helper_t)
logging_send_syslog_msg(httpd_helper_t)
+tunable_policy(`httpd_verify_dns',`
+ corenet_udp_bind_all_ephemeral_ports(httpd_t)
+')
+
+tunable_policy(`httpd_run_stickshift', `
+ allow httpd_t self:capability { fowner fsetid sys_resource };
+ dontaudit httpd_t self:capability sys_ptrace;
+ allow httpd_t self:process setexec;
+
+ files_dontaudit_getattr_all_files(httpd_t)
+ domain_getpgid_all_domains(httpd_t)
+')
+
+optional_policy(`
+ tunable_policy(`httpd_run_stickshift', `
+ passenger_manage_lib_files(httpd_t)
+ passenger_getattr_log_files(httpd_t)
+ ',`
+ passenger_domtrans(httpd_t)
+ passenger_read_lib_files(httpd_t)
+ passenger_stream_connect(httpd_t)
+ passenger_manage_tmp_files(httpd_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`httpd_run_stickshift', `
+ oddjob_dbus_chat(httpd_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`httpd_run_preupgrade', `
+ anaconda_manage_lib_files_preupgrade(httpd_t)
+ anaconda_domtrans_preupgrade(httpd_t)
+ ',`
+ anaconda_read_lib_files_preupgrade(httpd_t)
+ anaconda_exec_preupgrade(httpd_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`httpd_run_preupgrade', `
+ corenet_tcp_bind_preupgrade_port(httpd_t)
+ ')
+')
+
tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_helper_t)
-',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
')
########################################
#
-# Suexec local policy
+# Apache PHP script local policy
+#
+
+allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow httpd_php_t self:fd use;
+allow httpd_php_t self:fifo_file rw_fifo_file_perms;
+allow httpd_php_t self:sock_file read_sock_file_perms;
+allow httpd_php_t self:unix_dgram_socket create_socket_perms;
+allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
+allow httpd_php_t self:unix_dgram_socket sendto;
+allow httpd_php_t self:unix_stream_socket connectto;
+allow httpd_php_t self:shm create_shm_perms;
+allow httpd_php_t self:sem create_sem_perms;
+allow httpd_php_t self:msgq create_msgq_perms;
+allow httpd_php_t self:msg { send receive };
+
+domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
+
+# allow php to read and append to apache logfiles
+allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
+
+manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
+manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
+files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
+
+fs_search_auto_mountpoints(httpd_php_t)
+
+auth_use_nsswitch(httpd_php_t)
+
+libs_exec_lib_files(httpd_php_t)
+
+userdom_use_unpriv_users_fds(httpd_php_t)
+
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_gds_db_port(httpd_php_t)
+ corenet_tcp_connect_mssql_port(httpd_php_t)
+ corenet_sendrecv_mssql_client_packets(httpd_php_t)
+ corenet_tcp_connect_oracle_port(httpd_php_t)
+ corenet_sendrecv_oracle_client_packets(httpd_php_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(httpd_php_t)
+ mysql_rw_db_sockets(httpd_php_t)
+ mysql_read_config(httpd_php_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_php_t)
+ ')
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_php_t)
+ postgresql_unpriv_client(httpd_php_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
+')
+
+########################################
+#
+# Apache suexec local policy
#
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
-allow httpd_suexec_t self:tcp_socket { accept listen };
-allow httpd_suexec_t self:unix_stream_socket { accept listen };
+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+
+domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+
+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
+
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-corenet_all_recvfrom_unlabeled(httpd_suexec_t)
-corenet_all_recvfrom_netlabel(httpd_suexec_t)
-corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
-corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-
-corecmd_exec_bin(httpd_suexec_t)
-corecmd_exec_shell(httpd_suexec_t)
-
dev_read_urand(httpd_suexec_t)
fs_read_iso9660_files(httpd_suexec_t)
fs_search_auto_mountpoints(httpd_suexec_t)
-files_read_usr_files(httpd_suexec_t)
+application_exec_all(httpd_suexec_t)
+
+# for shell scripts
+corecmd_exec_bin(httpd_suexec_t)
+corecmd_exec_shell(httpd_suexec_t)
+
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
@@ -950,123 +1351,75 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
-miscfiles_read_localization(httpd_suexec_t)
miscfiles_read_public_files(httpd_suexec_t)
-tunable_policy(`httpd_builtin_scripting',`
- exec_files_pattern(httpd_suexec_t, httpd_script_exec_type, httpd_script_exec_type)
-
- allow httpd_suexec_t httpdcontent:dir list_dir_perms;
- allow httpd_suexec_t httpdcontent:file read_file_perms;
- allow httpd_suexec_t httpdcontent:lnk_file read_lnk_file_perms;
-')
+corenet_all_recvfrom_netlabel(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect',`
+ allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_suexec_t self:udp_socket create_socket_perms;
+
+ corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
+ corenet_udp_sendrecv_generic_if(httpd_suexec_t)
+ corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
+ corenet_udp_sendrecv_generic_node(httpd_suexec_t)
+ corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
+ corenet_udp_sendrecv_all_ports(httpd_suexec_t)
corenet_tcp_connect_all_ports(httpd_suexec_t)
corenet_sendrecv_all_client_packets(httpd_suexec_t)
- corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
')
tunable_policy(`httpd_can_network_connect_db',`
- corenet_sendrecv_gds_db_client_packets(httpd_suexec_t)
corenet_tcp_connect_gds_db_port(httpd_suexec_t)
- corenet_tcp_sendrecv_gds_db_port(httpd_suexec_t)
- corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
corenet_tcp_connect_mssql_port(httpd_suexec_t)
- corenet_tcp_sendrecv_mssql_port(httpd_suexec_t)
- corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
- corenet_tcp_connect_oracledb_port(httpd_suexec_t)
- corenet_tcp_sendrecv_oracledb_port(httpd_suexec_t)
+ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+ corenet_tcp_connect_oracle_port(httpd_suexec_t)
+ corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
')
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
+
tunable_policy(`httpd_can_sendmail',`
- corenet_sendrecv_smtp_client_packets(httpd_suexec_t)
- corenet_tcp_connect_smtp_port(httpd_suexec_t)
- corenet_tcp_sendrecv_smtp_port(httpd_suexec_t)
- corenet_sendrecv_pop_client_packets(httpd_suexec_t)
- corenet_tcp_connect_pop_port(httpd_suexec_t)
- corenet_tcp_sendrecv_pop_port(httpd_suexec_t)
mta_send_mail(httpd_suexec_t)
- mta_signal_system_mail(httpd_suexec_t)
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpdcontent:file entrypoint;
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- fs_read_cifs_files(httpd_suexec_t)
- fs_read_cifs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_suexec_t)
+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
+ fs_list_auto_mountpoints(httpd_suexec_t)
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
fs_exec_nfs_files(httpd_suexec_t)
')
-tunable_policy(`httpd_execmem',`
- allow httpd_suexec_t self:process { execmem execstack };
-')
-
-tunable_policy(`httpd_tmp_exec',`
- can_exec(httpd_suexec_t, httpd_suexec_tmp_t)
-')
-
-tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_suexec_t)
-',`
- userdom_dontaudit_use_user_terminals(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_cifs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- fs_manage_cifs_dirs(httpd_suexec_t)
- fs_manage_cifs_files(httpd_suexec_t)
- fs_manage_cifs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_suexec_t)
+ fs_read_cifs_symlinks(httpd_suexec_t)
fs_exec_cifs_files(httpd_suexec_t)
')
-tunable_policy(`httpd_use_fusefs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- fs_manage_fusefs_dirs(httpd_suexec_t)
- fs_manage_fusefs_files(httpd_suexec_t)
- fs_read_fusefs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
- fs_exec_fusefs_files(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- fs_manage_nfs_dirs(httpd_suexec_t)
- fs_manage_nfs_files(httpd_suexec_t)
- fs_manage_nfs_symlinks(httpd_suexec_t)
+optional_policy(`
+ apache_rw_stream_sockets(httpd_suexec_t)
')
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_suexec_t)
+optional_policy(`
+ mailman_domtrans_cgi(httpd_suexec_t)
')
optional_policy(`
- mailman_domtrans_cgi(httpd_suexec_t)
+ mta_stub(httpd_suexec_t)
')
optional_policy(`
mysql_stream_connect(httpd_suexec_t)
+ mysql_rw_db_sockets(httpd_suexec_t)
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -1083,172 +1436,107 @@ optional_policy(`
')
')
-tunable_policy(`httpd_read_user_content',`
- userdom_read_user_home_content_files(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_suexec_t)
-')
-
########################################
#
-# Common script local policy
+# Apache system script local policy
#
-allow httpd_script_domains self:fifo_file rw_file_perms;
-allow httpd_script_domains self:unix_stream_socket connectto;
-
-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
-
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
+allow httpd_sys_script_t self:process getsched;
-corenet_all_recvfrom_unlabeled(httpd_script_domains)
-corenet_all_recvfrom_netlabel(httpd_script_domains)
-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
-corenet_tcp_sendrecv_generic_node(httpd_script_domains)
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-corecmd_exec_all_executables(httpd_script_domains)
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
-dev_read_rand(httpd_script_domains)
-dev_read_urand(httpd_script_domains)
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
-files_exec_etc_files(httpd_script_domains)
-files_read_etc_files(httpd_script_domains)
-files_search_home(httpd_script_domains)
+allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
+read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
+read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
-libs_exec_ld_so(httpd_script_domains)
-libs_exec_lib_files(httpd_script_domains)
+kernel_read_kernel_sysctls(httpd_sys_script_t)
-logging_search_logs(httpd_script_domains)
+dev_list_sysfs(httpd_sys_script_t)
-miscfiles_read_fonts(httpd_script_domains)
-miscfiles_read_public_files(httpd_script_domains)
+files_read_var_symlinks(httpd_sys_script_t)
+files_search_var_lib(httpd_sys_script_t)
+files_search_spool(httpd_sys_script_t)
-seutil_dontaudit_search_config(httpd_script_domains)
+logging_send_syslog_msg(httpd_sys_script_t)
+logging_inherit_append_all_logs(httpd_sys_script_t)
-tunable_policy(`httpd_enable_cgi && httpd_unified',`
- allow httpd_script_domains httpdcontent:file entrypoint;
+# Should we add a boolean?
+apache_domtrans_rotatelogs(httpd_sys_script_t)
- manage_dirs_pattern(httpd_script_domains, httpdcontent, httpdcontent)
- manage_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
- manage_lnk_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
+auth_use_nsswitch(httpd_sys_script_t)
- can_exec(httpd_script_domains, httpdcontent)
+ifdef(`distro_redhat',`
+ allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-tunable_policy(`httpd_enable_cgi',`
- allow httpd_script_domains self:process { setsched signal_perms };
- allow httpd_script_domains self:unix_stream_socket create_stream_socket_perms;
-
- kernel_read_system_state(httpd_script_domains)
-
- fs_getattr_all_fs(httpd_script_domains)
-
- files_read_etc_runtime_files(httpd_script_domains)
- files_read_usr_files(httpd_script_domains)
-
- libs_read_lib_files(httpd_script_domains)
-
- miscfiles_read_localization(httpd_script_domains)
+tunable_policy(`httpd_can_sendmail',`
+ mta_send_mail(httpd_sys_script_t)
')
optional_policy(`
- tunable_policy(`httpd_enable_cgi && allow_ypbind',`
- nis_use_ypbind_uncond(httpd_script_domains)
+ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
+ spamassassin_domtrans_client(httpd_t)
')
')
-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- corenet_sendrecv_gds_db_client_packets(httpd_script_domains)
- corenet_tcp_connect_gds_db_port(httpd_script_domains)
- corenet_tcp_sendrecv_gds_db_port(httpd_script_domains)
- corenet_sendrecv_mssql_client_packets(httpd_script_domains)
- corenet_tcp_connect_mssql_port(httpd_script_domains)
- corenet_tcp_sendrecv_mssql_port(httpd_script_domains)
- corenet_sendrecv_oracledb_client_packets(httpd_script_domains)
- corenet_tcp_connect_oracledb_port(httpd_script_domains)
- corenet_tcp_sendrecv_oracledb_port(httpd_script_domains)
-')
-
-optional_policy(`
- mysql_read_config(httpd_script_domains)
- mysql_stream_connect(httpd_script_domains)
-
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- mysql_tcp_connect(httpd_script_domains)
- ')
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_gds_db_port(httpd_sys_script_t)
+ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_oracle_port(httpd_sys_script_t)
+ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
')
-optional_policy(`
- postgresql_stream_connect(httpd_script_domains)
+fs_cifs_entry_type(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_nfs_entry_type(httpd_sys_script_t)
+fs_rw_anon_inodefs_files(httpd_sys_script_t)
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_script_domains)
- ')
-')
+tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ fs_manage_nfs_dirs(httpd_sys_script_t)
+ fs_manage_nfs_files(httpd_sys_script_t)
+ fs_manage_nfs_symlinks(httpd_sys_script_t)
+ fs_exec_nfs_files(httpd_sys_script_t)
-optional_policy(`
- nscd_use(httpd_script_domains)
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ fs_manage_nfs_dirs(httpd_suexec_t)
+ fs_manage_nfs_files(httpd_suexec_t)
+ fs_manage_nfs_symlinks(httpd_suexec_t)
+ fs_exec_nfs_files(httpd_suexec_t)
')
-########################################
-#
-# System script local policy
-#
-
-allow httpd_sys_script_t self:tcp_socket { accept listen };
-
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
-
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
-
-allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
-
-kernel_read_kernel_sysctls(httpd_sys_script_t)
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-fs_search_auto_mountpoints(httpd_sys_script_t)
-
-files_read_var_symlinks(httpd_sys_script_t)
-files_search_var_lib(httpd_sys_script_t)
-files_search_spool(httpd_sys_script_t)
-
-apache_domtrans_rotatelogs(httpd_sys_script_t)
-
-auth_use_nsswitch(httpd_sys_script_t)
-
-tunable_policy(`httpd_can_sendmail',`
- corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_smtp_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_smtp_port(httpd_sys_script_t)
- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_pop_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-
- mta_send_mail(httpd_sys_script_t)
- mta_signal_system_mail(httpd_sys_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
+ corenet_tcp_bind_generic_node(httpd_sys_script_t)
+ corenet_udp_bind_generic_node(httpd_sys_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
+ corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_tcp_connect_all_ports(httpd_sys_script_t)
+ corenet_sendrecv_all_client_packets(httpd_sys_script_t)
')
tunable_policy(`httpd_enable_homedirs',`
userdom_search_user_home_dirs(httpd_sys_script_t)
')
-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
- corenet_tcp_connect_all_ports(httpd_sys_script_t)
- corenet_sendrecv_all_client_packets(httpd_sys_script_t)
- corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
-')
-
-tunable_policy(`httpd_execmem',`
- allow httpd_sys_script_t self:process { execmem execstack };
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
')
tunable_policy(`httpd_read_user_content',`
@@ -1256,64 +1544,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
fs_manage_cifs_dirs(httpd_sys_script_t)
fs_manage_cifs_files(httpd_sys_script_t)
fs_manage_cifs_symlinks(httpd_sys_script_t)
-')
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_sys_script_t)
+ fs_manage_cifs_dirs(httpd_suexec_t)
+ fs_manage_cifs_files(httpd_suexec_t)
+ fs_manage_cifs_symlinks(httpd_suexec_t)
+ fs_exec_cifs_files(httpd_suexec_t)
')
tunable_policy(`httpd_use_fusefs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
fs_manage_fusefs_dirs(httpd_sys_script_t)
fs_manage_fusefs_files(httpd_sys_script_t)
- fs_read_fusefs_symlinks(httpd_sys_script_t)
+ fs_manage_fusefs_symlinks(httpd_sys_script_t)
+ fs_manage_fusefs_dirs(httpd_suexec_t)
+ fs_manage_fusefs_files(httpd_suexec_t)
+ fs_manage_fusefs_symlinks(httpd_suexec_t)
+ fs_exec_fusefs_files(httpd_suexec_t)
')
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
- fs_exec_fusefs_files(httpd_sys_script_t)
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_sys_script_t)
+ fs_read_cifs_symlinks(httpd_sys_script_t)
')
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
- fs_manage_nfs_dirs(httpd_sys_script_t)
- fs_manage_nfs_files(httpd_sys_script_t)
- fs_manage_nfs_symlinks(httpd_sys_script_t)
+optional_policy(`
+ clamav_domtrans_clamscan(httpd_sys_script_t)
+ clamav_domtrans_clamscan(httpd_t)
')
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_sys_script_t)
+optional_policy(`
+ mysql_stream_connect(httpd_sys_script_t)
+ mysql_rw_db_sockets(httpd_sys_script_t)
+ mysql_read_config(httpd_sys_script_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_sys_script_t)
+ ')
')
optional_policy(`
- clamav_domtrans_clamscan(httpd_sys_script_t)
+ postgresql_stream_connect(httpd_sys_script_t)
+ postgresql_unpriv_client(httpd_sys_script_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_sys_script_t)
+ ')
')
optional_policy(`
- postgresql_unpriv_client(httpd_sys_script_t)
+ snmp_read_snmp_var_lib_files(httpd_sys_script_t)
')
########################################
#
-# Rotatelogs local policy
+# httpd_rotatelogs local policy
#
-allow httpd_rotatelogs_t self:capability dac_override;
+allow httpd_rotatelogs_t self:capability { dac_read_search };
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
+kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
-files_read_etc_files(httpd_rotatelogs_t)
logging_search_logs(httpd_rotatelogs_t)
-miscfiles_read_localization(httpd_rotatelogs_t)
########################################
#
@@ -1321,8 +1619,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
- apache_content_template(unconfined)
+ type httpd_unconfined_script_t;
+ type httpd_unconfined_script_exec_t;
+ domain_type(httpd_unconfined_script_t)
+ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
unconfined_domain(httpd_unconfined_script_t)
+
+ role system_r types httpd_unconfined_script_t;
+ allow httpd_t httpd_unconfined_script_t:process signal_perms;
')
########################################
@@ -1330,49 +1635,43 @@ optional_policy(`
# User content local policy
#
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_user_script_t)
-')
+auth_use_nsswitch(httpd_user_script_t)
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_list_auto_mountpoints(httpd_user_script_t)
- fs_read_cifs_files(httpd_user_script_t)
- fs_read_cifs_symlinks(httpd_user_script_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_user_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_user_script_t httpdcontent:file entrypoint;
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
')
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
- fs_list_auto_mountpoints(httpd_user_script_t)
- fs_read_nfs_files(httpd_user_script_t)
- fs_read_nfs_symlinks(httpd_user_script_t)
-')
+# allow accessing files/dirs below the users home dir
+tunable_policy(`httpd_enable_homedirs',`
+ userdom_search_user_home_content(httpd_t)
+ userdom_search_user_home_content(httpd_suexec_t)
+ userdom_search_user_home_content(httpd_user_script_t)
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_user_script_t)
+ read_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
+ read_lnk_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
+ list_dirs_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
+ allow httpd_t httpd_user_content_type:file map;
')
tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_t)
+ userdom_read_user_home_content_files(httpd_suexec_t)
userdom_read_user_home_content_files(httpd_user_script_t)
')
-optional_policy(`
- postgresql_unpriv_client(httpd_user_script_t)
-')
-
########################################
#
-# Passwd local policy
+# httpd_passwd local policy
#
allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
-dontaudit httpd_passwd_t httpd_config_t:file read_file_perms;
-
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
@@ -1382,38 +1681,110 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
+
auth_use_nsswitch(httpd_passwd_t)
-miscfiles_read_generic_certs(httpd_passwd_t)
-miscfiles_read_localization(httpd_passwd_t)
+miscfiles_read_certs(httpd_passwd_t)
-########################################
-#
-# GPG local policy
-#
+systemd_manage_passwd_run(httpd_passwd_t)
+systemd_manage_passwd_run(httpd_t)
+#systemd_passwd_agent_dev_template(httpd)
-allow httpd_gpg_t self:process setrlimit;
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+dontaudit httpd_passwd_t httpd_config_t:file read;
+
+search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
+corecmd_shell_entry_type(httpd_script_type)
+
+allow httpd_script_type self:fifo_file rw_file_perms;
+allow httpd_script_type self:unix_stream_socket connectto;
+
+allow httpd_script_type httpd_t:fifo_file write;
+# apache should set close-on-exec
+apache_dontaudit_leaks(httpd_script_type)
+
+append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
+logging_search_logs(httpd_script_type)
+
+kernel_dontaudit_search_sysctl(httpd_script_type)
+kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
+
+dev_read_rand(httpd_script_type)
+dev_read_urand(httpd_script_type)
+
+corecmd_exec_all_executables(httpd_script_type)
+application_exec_all(httpd_script_type)
+
+files_exec_etc_files(httpd_script_type)
+files_search_home(httpd_script_type)
+
+libs_exec_ld_so(httpd_script_type)
+libs_exec_lib_files(httpd_script_type)
+
+miscfiles_read_fonts(httpd_script_type)
+miscfiles_read_public_files(httpd_script_type)
+
+allow httpd_t httpd_script_type:unix_stream_socket connectto;
+
+allow httpd_t httpd_script_exec_type:file read_file_perms;
+allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
+allow httpd_t httpd_script_type:process { signal sigkill sigstop signull };
+allow httpd_t httpd_script_exec_type:dir list_dir_perms;
-allow httpd_gpg_t httpd_t:fd use;
-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
-allow httpd_gpg_t httpd_t:process sigchld;
+allow httpd_script_type self:process { setsched signal_perms };
+allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
+allow httpd_script_type self:unix_dgram_socket create_socket_perms;
+allow httpd_script_type httpd_t:unix_stream_socket rw_stream_socket_perms;
-dev_read_rand(httpd_gpg_t)
-dev_read_urand(httpd_gpg_t)
+allow httpd_script_type httpd_t:fd use;
+allow httpd_script_type httpd_t:process sigchld;
-files_read_usr_files(httpd_gpg_t)
+dontaudit httpd_script_type httpd_t:tcp_socket { read write };
+dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };
-miscfiles_read_localization(httpd_gpg_t)
+fs_getattr_xattr_fs(httpd_script_type)
-tunable_policy(`httpd_gpg_anon_write',`
- miscfiles_manage_public_files(httpd_gpg_t)
+files_read_etc_runtime_files(httpd_script_type)
+
+libs_read_lib_files(httpd_script_type)
+
+allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
+
+tunable_policy(`httpd_enable_cgi && nis_enabled',`
+ nis_use_ypbind_uncond(httpd_script_type)
')
optional_policy(`
- apache_manage_sys_rw_content(httpd_gpg_t)
+ nscd_socket_use(httpd_script_type)
+')
+
+read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+allow httpd_t httpd_content_type:file map;
+
+tunable_policy(`httpd_builtin_scripting',`
+ allow httpd_t httpd_content_type:dir search_dir_perms;
+ allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
+
+ allow httpd_t httpd_content_type:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+')
+
+tunable_policy(`httpd_use_openstack',`
+ corenet_tcp_connect_keystone_port(httpd_sys_script_t)
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
+ corenet_tcp_connect_glance_port(httpd_sys_script_t)
+ corenet_tcp_connect_osapi_compute_port(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_use_openstack',`
+ corenet_tcp_connect_osapi_compute_port(httpd_t)
+ corenet_tcp_bind_commplex_main_port(httpd_t)
')
optional_policy(`
- gpg_entry_type(httpd_gpg_t)
- gpg_exec(httpd_gpg_t)
+ tunable_policy(`httpd_use_openstack',`
+ keystone_read_log(httpd_t)
+ ')
')
+
diff --git a/apcupsd.fc b/apcupsd.fc
index 5ec0e13c8..97c204fe5 100644
--- a/apcupsd.fc
+++ b/apcupsd.fc
@@ -1,18 +1,23 @@
+/etc/apcupsd/powerfail -- gen_context(system_u:object_r:apcupsd_power_t,s0)
+
/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
+/usr/lib/systemd/system/apcupsd.* -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
+
/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
/var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
+/var/lock/LCK.. -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
/var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
-/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
+/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
diff --git a/apcupsd.if b/apcupsd.if
index f3c0abac6..f6e25eda4 100644
--- a/apcupsd.if
+++ b/apcupsd.if
@@ -102,7 +102,7 @@ interface(`apcupsd_append_log',`
########################################
## <summary>
## Execute a domain transition to
-## run httpd_apcupsd_cgi_script.
+## run apcupsd_cgi_script.
## </summary>
## <param name="domain">
## <summary>
@@ -112,11 +112,11 @@ interface(`apcupsd_append_log',`
#
interface(`apcupsd_cgi_script_domtrans',`
gen_require(`
- type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
+ type apcupsd_cgi_script_t, apcupsd_cgi_script_exec_t;
')
files_search_var($1)
- domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
+ domtrans_pattern($1, apcupsd_cgi_script_exec_t, apcupsd_cgi_script_t)
optional_policy(`
apache_search_sys_content($1)
@@ -125,6 +125,50 @@ interface(`apcupsd_cgi_script_domtrans',`
########################################
## <summary>
+## Execute apcupsd server in the apcupsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apcupsd_systemctl',`
+ gen_require(`
+ type apcupsd_t;
+ type apcupsd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 apcupsd_unit_file_t:file read_file_perms;
+ allow $1 apcupsd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, apcupsd_t)
+')
+
+########################################
+## <summary>
+## Create configuration files in /var/lock
+## with a named file type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apcupsd_filetrans_named_content',`
+ gen_require(`
+ type apcupsd_lock_t;
+ ')
+
+ files_lock_filetrans($1, apcupsd_lock_t, file, "apcupsd")
+ files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..")
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an apcupsd environment.
## </summary>
@@ -144,11 +188,17 @@ interface(`apcupsd_admin',`
gen_require(`
type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
+ type apcupsd_unit_file_t;
+ type apcupsd_power_t;
')
- allow $1 apcupsd_t:process { ptrace signal_perms };
+ allow $1 apcupsd_t:process signal_perms;
ps_process_pattern($1, apcupsd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 apcupsd_t:process ptrace;
+ ')
+
apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 apcupsd_initrc_exec_t system_r;
@@ -165,4 +215,11 @@ interface(`apcupsd_admin',`
files_list_pids($1)
admin_pattern($1, apcupsd_var_run_t)
+
+ apcupsd_systemctl($1)
+ admin_pattern($1, apcupsd_unit_file_t)
+ allow $1 apcupsd_unit_file_t:service all_service_perms;
+
+ manage_files_pattern($1, apcupsd_power_t, apcupsd_power_t)
+ files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
')
diff --git a/apcupsd.te b/apcupsd.te
index 080bc4ddb..b73cf151d 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,12 +24,18 @@ files_tmp_file(apcupsd_tmp_t)
type apcupsd_var_run_t;
files_pid_file(apcupsd_var_run_t)
+type apcupsd_power_t;
+files_type(apcupsd_power_t)
+
+type apcupsd_unit_file_t;
+systemd_unit_file(apcupsd_unit_file_t)
+
########################################
#
# Local policy
#
-allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
+allow apcupsd_t self:capability { dac_read_search setgid sys_tty_config };
allow apcupsd_t self:process signal;
allow apcupsd_t self:fifo_file rw_file_perms;
allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
@@ -38,9 +44,10 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms;
allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file)
-append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
-create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
-setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
+manage_files_pattern(apcupsd_t, apcupsd_power_t, apcupsd_power_t)
+files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
+
+manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
logging_log_filetrans(apcupsd_t, apcupsd_log_t, file)
manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
@@ -50,11 +57,11 @@ manage_files_pattern(apcupsd_t, apcupsd_var_run_t, apcupsd_var_run_t)
files_pid_filetrans(apcupsd_t, apcupsd_var_run_t, file)
kernel_read_system_state(apcupsd_t)
+kernel_read_network_state(apcupsd_t)
corecmd_exec_bin(apcupsd_t)
corecmd_exec_shell(apcupsd_t)
-corenet_all_recvfrom_unlabeled(apcupsd_t)
corenet_all_recvfrom_netlabel(apcupsd_t)
corenet_tcp_sendrecv_generic_if(apcupsd_t)
corenet_tcp_sendrecv_generic_node(apcupsd_t)
@@ -67,26 +74,41 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
corenet_tcp_connect_apcupsd_port(apcupsd_t)
+corenet_udp_bind_apc_port(apcupsd_t)
+corenet_udp_bind_snmp_port(apcupsd_t)
corenet_udp_bind_snmp_port(apcupsd_t)
corenet_sendrecv_snmp_server_packets(apcupsd_t)
corenet_udp_sendrecv_snmp_port(apcupsd_t)
+corenet_tcp_connect_smtp_port(apcupsd_t)
+
+fs_getattr_xattr_fs(apcupsd_t)
+
+dev_read_sysfs(apcupsd_t)
+dev_read_urand(apcupsd_t)
+
dev_rw_generic_usb_dev(apcupsd_t)
-files_read_etc_files(apcupsd_t)
+domain_signull_all_domains(apcupsd_t)
+
files_manage_etc_runtime_files(apcupsd_t)
files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin")
-term_use_unallocated_ttys(apcupsd_t)
+term_use_all_terms(apcupsd_t)
+term_use_usb_ttys(apcupsd_t)
-logging_send_syslog_msg(apcupsd_t)
+#apcupsd runs shutdown, probably need a shutdown domain
+init_rw_utmp(apcupsd_t)
+init_telinit(apcupsd_t)
+
+auth_use_nsswitch(apcupsd_t)
-miscfiles_read_localization(apcupsd_t)
+logging_send_syslog_msg(apcupsd_t)
sysnet_dns_name_resolve(apcupsd_t)
-userdom_use_user_ttys(apcupsd_t)
+userdom_use_inherited_user_ttys(apcupsd_t)
optional_policy(`
hostname_exec(apcupsd_t)
@@ -101,6 +123,11 @@ optional_policy(`
shutdown_domtrans(apcupsd_t)
')
+optional_policy(`
+ systemd_start_power_services(apcupsd_t)
+ systemd_status_power_services(apcupsd_t)
+')
+
########################################
#
# CGI local policy
@@ -108,20 +135,20 @@ optional_policy(`
optional_policy(`
apache_content_template(apcupsd_cgi)
-
- allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
- allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
-
- corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
- corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
- corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
- corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
- corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
- corenet_sendrecv_apcupsd_client_packets(httpd_apcupsd_cgi_script_t)
- corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)
- corenet_udp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
- corenet_udp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
- corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
-
- sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
+ apache_content_alias_template(apcupsd_cgi, apcupsd_cgi)
+
+ allow apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
+ allow apcupsd_cgi_script_t self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_netlabel(apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_generic_if(apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_generic_node(apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_all_ports(apcupsd_cgi_script_t)
+ corenet_sendrecv_apcupsd_client_packets(apcupsd_cgi_script_t)
+ corenet_tcp_connect_apcupsd_port(apcupsd_cgi_script_t)
+ corenet_udp_sendrecv_generic_if(apcupsd_cgi_script_t)
+ corenet_udp_sendrecv_generic_node(apcupsd_cgi_script_t)
+ corenet_udp_sendrecv_all_ports(apcupsd_cgi_script_t)
+
+ sysnet_dns_name_resolve(apcupsd_cgi_script_t)
')
diff --git a/apm.fc b/apm.fc
index ce27d2fb3..b2ba16a04 100644
--- a/apm.fc
+++ b/apm.fc
@@ -1,3 +1,4 @@
+/usr/lib/systemd/system/apmd.* -- gen_context(system_u:object_r:apmd_unit_file_t,s0)
/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:apmd_initrc_exec_t,s0)
/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0)
@@ -7,6 +8,8 @@
/usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0)
/var/lock/subsys/acpid -- gen_context(system_u:object_r:apmd_lock_t,s0)
+/var/lock/subsys/lmt-req\.lock -- gen_context(system_u:object_r:apmd_lock_t,s0)
+/var/lock/lmt-req\.lock -- gen_context(system_u:object_r:apmd_lock_t,s0)
/var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0)
diff --git a/apm.if b/apm.if
index 1a7a97e5c..2c7252a39 100644
--- a/apm.if
+++ b/apm.if
@@ -141,6 +141,30 @@ interface(`apm_stream_connect',`
########################################
## <summary>
+## Execute apmd server in the apmd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apmd_systemctl',`
+ gen_require(`
+ type apmd_t;
+ type apmd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 apmd_unit_file_t:file read_file_perms;
+ allow $1 apmd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, apmd_t)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an apm environment.
## </summary>
@@ -163,9 +187,13 @@ interface(`apm_admin',`
type apmd_tmp_t;
')
- allow $1 apmd_t:process { ptrace signal_perms };
+ allow $1 apmd_t:process { signal_perms };
ps_process_pattern($1, apmd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 apmd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, apmd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 apmd_initrc_exec_t system_r;
diff --git a/apm.te b/apm.te
index 7fd431bcd..ffb0792b8 100644
--- a/apm.te
+++ b/apm.te
@@ -35,12 +35,15 @@ files_type(apmd_var_lib_t)
type apmd_var_run_t;
files_pid_file(apmd_var_run_t)
+type apmd_unit_file_t;
+systemd_unit_file(apmd_unit_file_t)
+
########################################
#
# Client local policy
#
-allow apm_t self:capability { dac_override sys_admin };
+allow apm_t self:capability { dac_read_search sys_admin sys_resource };
kernel_read_system_state(apm_t)
@@ -48,7 +51,7 @@ dev_rw_apm_bios(apm_t)
fs_getattr_xattr_fs(apm_t)
-term_use_all_terms(apm_t)
+term_use_all_inherited_terms(apm_t)
domain_use_interactive_fds(apm_t)
@@ -59,11 +62,12 @@ logging_send_syslog_msg(apm_t)
# Server local policy
#
-allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
+allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod sys_resource };
+dontaudit apmd_t self:capability { setuid dac_read_search sys_tty_config };
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
allow apmd_t self:netlink_socket create_socket_perms;
+allow apmd_t self:netlink_generic_socket create_socket_perms;
allow apmd_t self:unix_stream_socket { accept listen };
allow apmd_t apmd_lock_t:file manage_file_perms;
@@ -90,6 +94,7 @@ kernel_read_kernel_sysctls(apmd_t)
kernel_rw_all_sysctls(apmd_t)
kernel_read_system_state(apmd_t)
kernel_write_proc_files(apmd_t)
+kernel_request_load_module(apmd_t)
dev_read_input(apmd_t)
dev_read_mouse(apmd_t)
@@ -114,8 +119,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
fs_dontaudit_getattr_all_symlinks(apmd_t)
fs_dontaudit_getattr_all_pipes(apmd_t)
fs_dontaudit_getattr_all_sockets(apmd_t)
-
-selinux_search_fs(apmd_t)
+fs_read_cgroup_files(apmd_t)
corecmd_exec_all_executables(apmd_t)
@@ -129,6 +133,9 @@ domain_dontaudit_list_all_domains_state(apmd_t)
auth_use_nsswitch(apmd_t)
init_domtrans_script(apmd_t)
+init_read_utmp(apmd_t)
+init_telinit(apmd_t)
+init_dbus_chat(apmd_t)
libs_exec_ld_so(apmd_t)
libs_exec_lib_files(apmd_t)
@@ -136,17 +143,16 @@ libs_exec_lib_files(apmd_t)
logging_send_audit_msgs(apmd_t)
logging_send_syslog_msg(apmd_t)
-miscfiles_read_localization(apmd_t)
miscfiles_read_hwdata(apmd_t)
modutils_domtrans_insmod(apmd_t)
modutils_read_module_config(apmd_t)
-seutil_dontaudit_read_config(apmd_t)
+seutil_sigchld_newrole(apmd_t)
userdom_dontaudit_use_unpriv_user_fds(apmd_t)
userdom_dontaudit_search_user_home_dirs(apmd_t)
-userdom_dontaudit_search_user_home_content(apmd_t)
+userdom_dontaudit_search_user_home_content(apmd_t) # Excessive?
optional_policy(`
automount_domtrans(apmd_t)
@@ -206,11 +212,20 @@ optional_policy(`
')
optional_policy(`
- seutil_sigchld_newrole(apmd_t)
+ shutdown_domtrans(apmd_t)
')
optional_policy(`
- shutdown_domtrans(apmd_t)
+ sssd_search_lib(apmd_t)
+')
+
+optional_policy(`
+ systemd_dbus_chat_logind(apmd_t)
+')
+
+optional_policy(`
+ systemd_start_power_services(apmd_t)
+ systemd_status_power_services(apmd_t)
')
optional_policy(`
diff --git a/apt.if b/apt.if
index cde81d248..2fe02018a 100644
--- a/apt.if
+++ b/apt.if
@@ -171,7 +171,7 @@ interface(`apt_read_cache',`
files_search_var($1)
allow $1 apt_var_cache_t:dir list_dir_perms;
- dontaudit $1 apt_var_cache_t:dir write_dir_perms;
+ dontaudit $1 apt_var_cache_t:dir rw_dir_perms;
allow $1 apt_var_cache_t:file read_file_perms;
')
diff --git a/apt.te b/apt.te
index efa853059..68f2e3676 100644
--- a/apt.te
+++ b/apt.te
@@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t)
# Local policy
#
-allow apt_t self:capability { chown dac_override fowner fsetid };
+allow apt_t self:capability { chown dac_read_search fowner fsetid };
allow apt_t self:process { signal setpgid fork };
allow apt_t self:fd use;
allow apt_t self:fifo_file rw_fifo_file_perms;
@@ -85,7 +85,6 @@ kernel_read_kernel_sysctls(apt_t)
corecmd_exec_bin(apt_t)
corecmd_exec_shell(apt_t)
-corenet_all_recvfrom_unlabeled(apt_t)
corenet_all_recvfrom_netlabel(apt_t)
corenet_tcp_sendrecv_generic_if(apt_t)
corenet_tcp_sendrecv_generic_node(apt_t)
@@ -101,27 +100,24 @@ domain_getattr_all_domains(apt_t)
domain_use_interactive_fds(apt_t)
files_exec_usr_files(apt_t)
-files_read_etc_files(apt_t)
files_read_etc_runtime_files(apt_t)
fs_getattr_all_fs(apt_t)
term_create_pty(apt_t, apt_devpts_t)
term_list_ptys(apt_t)
-term_use_all_terms(apt_t)
+term_use_all_inherited_terms(apt_t)
libs_exec_ld_so(apt_t)
libs_exec_lib_files(apt_t)
logging_send_syslog_msg(apt_t)
-miscfiles_read_localization(apt_t)
-
seutil_use_newrole_fds(apt_t)
sysnet_read_config(apt_t)
-userdom_use_user_terminals(apt_t)
+userdom_use_inherited_user_terminals(apt_t)
optional_policy(`
backup_manage_store_files(apt_t)
diff --git a/arpwatch.fc b/arpwatch.fc
index 9ca0d0fb8..9a1a61f82 100644
--- a/arpwatch.fc
+++ b/arpwatch.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
+/usr/lib/systemd/system/arpwatch.* -- gen_context(system_u:object_r:arpwatch_unit_file_t,s0)
+
/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
diff --git a/arpwatch.if b/arpwatch.if
index 50c9b9c87..533a555a2 100644
--- a/arpwatch.if
+++ b/arpwatch.if
@@ -119,6 +119,30 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
########################################
## <summary>
+## Execute arpwatch server in the arpwatch domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`arpwatch_systemctl',`
+ gen_require(`
+ type arpwatch_t;
+ type arpwatch_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 arpwatch_unit_file_t:file read_file_perms;
+ allow $1 arpwatch_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, arpwatch_t)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an arpwatch environment.
## </summary>
@@ -138,11 +162,16 @@ interface(`arpwatch_admin',`
gen_require(`
type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
type arpwatch_data_t, arpwatch_var_run_t;
+ type arpwatch_unit_file_t;
')
- allow $1 arpwatch_t:process { ptrace signal_perms };
+ allow $1 arpwatch_t:process signal_perms;
ps_process_pattern($1, arpwatch_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 arpwatch_t:process ptrace;
+ ')
+
arpwatch_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 arpwatch_initrc_exec_t system_r;
@@ -156,4 +185,8 @@ interface(`arpwatch_admin',`
files_list_pids($1)
admin_pattern($1, arpwatch_var_run_t)
+
+ arpwatch_systemctl($1)
+ admin_pattern($1, arpwatch_unit_file_t)
+ allow $1 arpwatch_unit_file_t:service all_service_perms;
')
diff --git a/arpwatch.te b/arpwatch.te
index 2d7bf345b..766a91a41 100644
--- a/arpwatch.te
+++ b/arpwatch.te
@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
type arpwatch_var_run_t;
files_pid_file(arpwatch_var_run_t)
+type arpwatch_unit_file_t;
+systemd_unit_file(arpwatch_unit_file_t)
+
########################################
#
# Local policy
@@ -33,6 +36,8 @@ allow arpwatch_t self:unix_stream_socket { accept listen };
allow arpwatch_t self:tcp_socket { accept listen };
allow arpwatch_t self:packet_socket create_socket_perms;
allow arpwatch_t self:socket create_socket_perms;
+allow arpwatch_t self:netlink_socket create_socket_perms;
+allow arpwatch_t self:netlink_netfilter_socket create_socket_perms;
manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
@@ -45,11 +50,23 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
-kernel_read_kernel_sysctls(arpwatch_t)
kernel_read_network_state(arpwatch_t)
+# meminfo
kernel_read_system_state(arpwatch_t)
+kernel_read_kernel_sysctls(arpwatch_t)
+kernel_read_proc_symlinks(arpwatch_t)
kernel_request_load_module(arpwatch_t)
+corenet_all_recvfrom_netlabel(arpwatch_t)
+corenet_tcp_sendrecv_generic_if(arpwatch_t)
+corenet_udp_sendrecv_generic_if(arpwatch_t)
+corenet_raw_sendrecv_generic_if(arpwatch_t)
+corenet_tcp_sendrecv_generic_node(arpwatch_t)
+corenet_udp_sendrecv_generic_node(arpwatch_t)
+corenet_raw_sendrecv_generic_node(arpwatch_t)
+corenet_tcp_sendrecv_all_ports(arpwatch_t)
+corenet_udp_sendrecv_all_ports(arpwatch_t)
+
dev_read_sysfs(arpwatch_t)
dev_read_usbmon_dev(arpwatch_t)
dev_rw_generic_usb_dev(arpwatch_t)
@@ -59,15 +76,12 @@ fs_search_auto_mountpoints(arpwatch_t)
domain_use_interactive_fds(arpwatch_t)
-files_read_usr_files(arpwatch_t)
files_search_var_lib(arpwatch_t)
auth_use_nsswitch(arpwatch_t)
logging_send_syslog_msg(arpwatch_t)
-miscfiles_read_localization(arpwatch_t)
-
userdom_dontaudit_search_user_home_dirs(arpwatch_t)
userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
diff --git a/asterisk.if b/asterisk.if
index 2077053ea..198a02ab4 100644
--- a/asterisk.if
+++ b/asterisk.if
@@ -124,9 +124,13 @@ interface(`asterisk_admin',`
type asterisk_var_lib_t, asterisk_initrc_exec_t;
')
- allow $1 asterisk_t:process { ptrace signal_perms };
+ allow $1 asterisk_t:process signal_perms;
ps_process_pattern($1, asterisk_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 asterisk_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 asterisk_initrc_exec_t system_r;
diff --git a/asterisk.te b/asterisk.te
index 7e4135022..a0ff3fc8f 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -19,7 +19,7 @@ type asterisk_log_t;
logging_log_file(asterisk_log_t)
type asterisk_spool_t;
-files_type(asterisk_spool_t)
+files_spool_file(asterisk_spool_t)
type asterisk_tmp_t;
files_tmp_file(asterisk_tmp_t)
@@ -39,7 +39,7 @@ init_daemon_run_dir(asterisk_var_run_t, "asterisk")
# Local policy
#
-allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin };
+allow asterisk_t self:capability { dac_read_search chown setgid setuid sys_nice net_admin };
dontaudit asterisk_t self:capability { sys_module sys_tty_config };
allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
allow asterisk_t self:fifo_file rw_fifo_file_perms;
@@ -73,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
+manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
-
+files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file })
can_exec(asterisk_t, asterisk_exec_t)
kernel_read_kernel_sysctls(asterisk_t)
@@ -88,7 +88,6 @@ kernel_request_load_module(asterisk_t)
corecmd_exec_bin(asterisk_t)
corecmd_exec_shell(asterisk_t)
-corenet_all_recvfrom_unlabeled(asterisk_t)
corenet_all_recvfrom_netlabel(asterisk_t)
corenet_tcp_sendrecv_generic_if(asterisk_t)
corenet_udp_sendrecv_generic_if(asterisk_t)
@@ -126,6 +125,7 @@ corenet_tcp_connect_pktcable_cops_port(asterisk_t)
corenet_sendrecv_sip_client_packets(asterisk_t)
corenet_tcp_connect_sip_port(asterisk_t)
+corenet_tcp_connect_http_port(asterisk_t)
dev_rw_generic_usb_dev(asterisk_t)
dev_read_sysfs(asterisk_t)
@@ -136,7 +136,6 @@ dev_read_urand(asterisk_t)
domain_use_interactive_fds(asterisk_t)
-files_read_usr_files(asterisk_t)
files_search_spool(asterisk_t)
files_dontaudit_search_home(asterisk_t)
@@ -150,8 +149,6 @@ auth_use_nsswitch(asterisk_t)
logging_search_logs(asterisk_t)
logging_send_syslog_msg(asterisk_t)
-miscfiles_read_localization(asterisk_t)
-
userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
userdom_dontaudit_search_user_home_dirs(asterisk_t)
diff --git a/authconfig.fc b/authconfig.fc
new file mode 100644
index 000000000..4579cfe17
--- /dev/null
+++ b/authconfig.fc
@@ -0,0 +1,3 @@
+/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:authconfig_exec_t,s0)
+
+/var/lib/authconfig(/.*)? gen_context(system_u:object_r:authconfig_var_lib_t,s0)
diff --git a/authconfig.if b/authconfig.if
new file mode 100644
index 000000000..316c324f2
--- /dev/null
+++ b/authconfig.if
@@ -0,0 +1,127 @@
+
+## <summary>policy for authconfig</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the authconfig domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`authconfig_domtrans',`
+ gen_require(`
+ type authconfig_t, authconfig_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, authconfig_exec_t, authconfig_t)
+')
+
+########################################
+## <summary>
+## Search authconfig lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`authconfig_search_lib',`
+ gen_require(`
+ type authconfig_var_lib_t;
+ ')
+
+ allow $1 authconfig_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read authconfig lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`authconfig_read_lib_files',`
+ gen_require(`
+ type authconfig_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage authconfig lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`authconfig_manage_lib_files',`
+ gen_require(`
+ type authconfig_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage authconfig lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`authconfig_manage_lib_dirs',`
+ gen_require(`
+ type authconfig_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an authconfig environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`authconfig_admin',`
+ gen_require(`
+ type authconfig_t;
+ type authconfig_var_lib_t;
+ ')
+
+ allow $1 authconfig_t:process { ptrace signal_perms };
+ ps_process_pattern($1, authconfig_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, authconfig_var_lib_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/authconfig.te b/authconfig.te
new file mode 100644
index 000000000..362a049e9
--- /dev/null
+++ b/authconfig.te
@@ -0,0 +1,33 @@
+policy_module(authconfig, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type authconfig_t;
+type authconfig_exec_t;
+application_domain(authconfig_t, authconfig_exec_t)
+role system_r types authconfig_t;
+
+type authconfig_var_lib_t;
+files_type(authconfig_var_lib_t)
+
+########################################
+#
+# authconfig local policy
+#
+allow authconfig_t self:fifo_file rw_fifo_file_perms;
+allow authconfig_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
+manage_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
+manage_lnk_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
+files_var_lib_filetrans(authconfig_t, authconfig_var_lib_t, { dir file lnk_file })
+
+domain_use_interactive_fds(authconfig_t)
+domain_named_filetrans(authconfig_t)
+
+init_domtrans_script(authconfig_t)
+
+unconfined_domain_noaudit(authconfig_t)
diff --git a/automount.fc b/automount.fc
index 92adb37e1..0a2ffc62d 100644
--- a/automount.fc
+++ b/automount.fc
@@ -1,6 +1,8 @@
/etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0)
/etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0)
+/usr/lib/systemd/system/autofs.* -- gen_context(system_u:object_r:automount_unit_file_t,s0)
+
/usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0)
/var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
diff --git a/automount.if b/automount.if
index f24e36960..4484a98da 100644
--- a/automount.if
+++ b/automount.if
@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
## </summary>
## </param>
#
-#
interface(`automount_signal',`
gen_require(`
type automount_t;
@@ -114,6 +113,25 @@ interface(`automount_dontaudit_write_pipes',`
########################################
## <summary>
+## Allow domain to search of automount temporary
+## directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`automount_search_tmp_dirs',`
+ gen_require(`
+ type automount_tmp_t;
+ ')
+
+ search_dirs_pattern($1, automount_tmp_t, automount_tmp_t)
+')
+
+########################################
+## <summary>
## Do not audit attempts to get
## attributes of automount temporary
## directories.
@@ -134,6 +152,30 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
########################################
## <summary>
+## Execute automount server in the automount domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`automount_systemctl',`
+ gen_require(`
+ type automount_t;
+ type automount_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 automount_unit_file_t:file read_file_perms;
+ allow $1 automount_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, automount_t)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an automount environment.
## </summary>
@@ -153,12 +195,16 @@ interface(`automount_admin',`
gen_require(`
type automount_t, automount_lock_t, automount_tmp_t;
type automount_var_run_t, automount_initrc_exec_t;
- type automount_keytab_t;
+ type automount_unit_file_t, automount_keytab_t;
')
- allow $1 automount_t:process { ptrace signal_perms };
+ allow $1 automount_t:process signal_perms;
ps_process_pattern($1, automount_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 automount_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, automount_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 automount_initrc_exec_t system_r;
@@ -175,4 +221,8 @@ interface(`automount_admin',`
files_list_pids($1)
admin_pattern($1, automount_var_run_t)
+
+ automount_systemctl($1)
+ admin_pattern($1, automount_unit_file_t)
+ allow $1 automount_unit_file_t:service all_service_perms;
')
diff --git a/automount.te b/automount.te
index 27d2f400b..bc3619c20 100644
--- a/automount.te
+++ b/automount.te
@@ -22,6 +22,9 @@ type automount_tmp_t;
files_tmp_file(automount_tmp_t)
files_mountpoint(automount_tmp_t)
+type automount_unit_file_t;
+systemd_unit_file(automount_unit_file_t)
+
type automount_var_run_t;
files_pid_file(automount_var_run_t)
@@ -30,7 +33,8 @@ files_pid_file(automount_var_run_t)
# Local policy
#
-allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
+allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_read_search sys_admin };
+allow automount_t self:capability2 block_suspend;
dontaudit automount_t self:capability sys_tty_config;
allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
allow automount_t self:fifo_file rw_fifo_file_perms;
@@ -67,7 +71,6 @@ kernel_dontaudit_search_xen_state(automount_t)
corecmd_exec_bin(automount_t)
corecmd_exec_shell(automount_t)
-corenet_all_recvfrom_unlabeled(automount_t)
corenet_all_recvfrom_netlabel(automount_t)
corenet_tcp_sendrecv_generic_if(automount_t)
corenet_udp_sendrecv_generic_if(automount_t)
@@ -91,6 +94,7 @@ corenet_udp_bind_all_rpc_ports(automount_t)
files_dontaudit_write_var_dirs(automount_t)
files_getattr_all_dirs(automount_t)
+files_getattr_all_files(automount_t)
files_getattr_default_dirs(automount_t)
files_getattr_home_dir(automount_t)
files_getattr_isid_type_dirs(automount_t)
@@ -101,7 +105,6 @@ files_mount_all_file_type_fs(automount_t)
files_mounton_all_mountpoints(automount_t)
files_mounton_mnt(automount_t)
files_read_etc_runtime_files(automount_t)
-files_read_usr_files(automount_t)
files_search_boot(automount_t)
files_search_all(automount_t)
files_unmount_all_file_type_fs(automount_t)
@@ -113,6 +116,7 @@ fs_manage_autofs_symlinks(automount_t)
fs_mount_all_fs(automount_t)
fs_mount_autofs(automount_t)
fs_read_nfs_files(automount_t)
+fs_read_nfs_symlinks(automount_t)
fs_search_all(automount_t)
fs_search_auto_mountpoints(automount_t)
fs_unmount_all_fs(automount_t)
@@ -135,15 +139,19 @@ auth_use_nsswitch(automount_t)
logging_send_syslog_msg(automount_t)
logging_search_logs(automount_t)
-miscfiles_read_localization(automount_t)
miscfiles_read_generic_certs(automount_t)
-mount_domtrans(automount_t)
-mount_signal(automount_t)
-
userdom_dontaudit_use_unpriv_user_fds(automount_t)
optional_policy(`
+ # Run mount in the mount_t domain.
+ mount_domtrans(automount_t)
+ mount_domtrans_showmount(automount_t)
+ mount_signal(automount_t)
+ mount_rw_pid_files(automount_t)
+')
+
+optional_policy(`
fstools_domtrans(automount_t)
')
@@ -166,3 +174,8 @@ optional_policy(`
optional_policy(`
udev_read_db(automount_t)
')
+
+tunable_policy(`mount_anyfile',`
+ files_mounton_non_security(automount_t)
+')
+
diff --git a/avahi.fc b/avahi.fc
index e9fe2cac1..4c2d0769e 100644
--- a/avahi.fc
+++ b/avahi.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
+/usr/lib/systemd/system/avahi.* -- gen_context(system_u:object_r:avahi_unit_file_t,s0)
+
/usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
/usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
diff --git a/avahi.if b/avahi.if
index 9078c3d85..2f6b2503e 100644
--- a/avahi.if
+++ b/avahi.if
@@ -211,6 +211,30 @@ interface(`avahi_dontaudit_search_pid',`
########################################
## <summary>
+## Execute avahi server in the avahi domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`avahi_systemctl',`
+ gen_require(`
+ type avahi_t;
+ type avahi_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 avahi_unit_file_t:file read_file_perms;
+ allow $1 avahi_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, avahi_t)
+')
+
+########################################
+## <summary>
## Create specified objects in generic
## pid directories with the avahi pid file type.
## </summary>
@@ -258,12 +282,17 @@ interface(`avahi_filetrans_pid',`
interface(`avahi_admin',`
gen_require(`
type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
+ type avahi_unit_file_t;
type avahi_var_lib_t;
')
- allow $1 avahi_t:process { ptrace signal_perms };
+ allow $1 avahi_t:process signal_perms;
ps_process_pattern($1, avahi_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 avahi_t:process ptrace;
+ ')
+
avahi_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 avahi_initrc_exec_t system_r;
@@ -274,4 +303,8 @@ interface(`avahi_admin',`
files_search_var_lib($1)
admin_pattern($1, avahi_var_lib_t)
+
+ avahi_systemctl($1)
+ admin_pattern($1, avahi_unit_file_t)
+ allow $1 avahi_unit_file_t:service all_service_perms;
')
diff --git a/avahi.te b/avahi.te
index b8355b32f..51ce1b60f 100644
--- a/avahi.te
+++ b/avahi.te
@@ -13,17 +13,21 @@ type avahi_initrc_exec_t;
init_script_file(avahi_initrc_exec_t)
type avahi_var_lib_t;
-files_pid_file(avahi_var_lib_t)
+files_type(avahi_var_lib_t)
type avahi_var_run_t;
files_pid_file(avahi_var_run_t)
+init_sock_file(avahi_var_run_t)
+
+type avahi_unit_file_t;
+systemd_unit_file(avahi_unit_file_t)
########################################
#
# Local policy
#
-allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot };
+allow avahi_t self:capability { dac_read_search dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot };
dontaudit avahi_t self:capability sys_tty_config;
allow avahi_t self:process { setrlimit signal_perms getcap setcap };
allow avahi_t self:fifo_file rw_fifo_file_perms;
@@ -49,7 +53,6 @@ kernel_request_load_module(avahi_t)
corecmd_exec_bin(avahi_t)
corecmd_exec_shell(avahi_t)
-corenet_all_recvfrom_unlabeled(avahi_t)
corenet_all_recvfrom_netlabel(avahi_t)
corenet_tcp_sendrecv_generic_if(avahi_t)
corenet_udp_sendrecv_generic_if(avahi_t)
@@ -72,9 +75,9 @@ fs_search_auto_mountpoints(avahi_t)
fs_list_inotifyfs(avahi_t)
domain_use_interactive_fds(avahi_t)
+domain_dontaudit_signull_all_domains(avahi_t)
files_read_etc_runtime_files(avahi_t)
-files_read_usr_files(avahi_t)
auth_use_nsswitch(avahi_t)
@@ -83,13 +86,14 @@ init_signull_script(avahi_t)
logging_send_syslog_msg(avahi_t)
-miscfiles_read_localization(avahi_t)
miscfiles_read_generic_certs(avahi_t)
sysnet_domtrans_ifconfig(avahi_t)
sysnet_manage_config(avahi_t)
sysnet_etc_filetrans_config(avahi_t)
+systemd_login_signull(avahi_t)
+
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
userdom_dontaudit_search_user_home_dirs(avahi_t)
diff --git a/awstats.fc b/awstats.fc
index 11e6d5ffe..73b4ea47c 100644
--- a/awstats.fc
+++ b/awstats.fc
@@ -1,5 +1,5 @@
/usr/share/awstats/tools/.+\.pl -- gen_context(system_u:object_r:awstats_exec_t,s0)
-/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:httpd_awstats_content_t,s0)
-/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0)
+/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:awstats_content_t,s0)
+/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:awstats_script_exec_t,s0)
/var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0)
diff --git a/awstats.te b/awstats.te
index c1b16c392..ffbf2cb8f 100644
--- a/awstats.te
+++ b/awstats.te
@@ -26,6 +26,7 @@ type awstats_var_lib_t;
files_type(awstats_var_lib_t)
apache_content_template(awstats)
+apache_content_alias_template(awstats, awstats)
########################################
#
@@ -40,9 +41,9 @@ files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t)
-allow awstats_t { httpd_awstats_content_t httpd_awstats_script_exec_t }:dir search_dir_perms;
+allow awstats_t { awstats_content_t awstats_script_exec_t }:dir search_dir_perms;
-can_exec(awstats_t, { awstats_exec_t httpd_awstats_script_exec_t })
+can_exec(awstats_t, { awstats_exec_t awstats_script_exec_t })
kernel_dontaudit_read_system_state(awstats_t)
@@ -52,8 +53,6 @@ corecmd_exec_shell(awstats_t)
dev_read_urand(awstats_t)
files_dontaudit_search_all_mountpoints(awstats_t)
-files_read_etc_files(awstats_t)
-files_read_usr_files(awstats_t)
fs_list_inotifyfs(awstats_t)
@@ -61,8 +60,6 @@ libs_read_lib_files(awstats_t)
logging_read_generic_logs(awstats_t)
-miscfiles_read_localization(awstats_t)
-
sysnet_dns_name_resolve(awstats_t)
tunable_policy(`awstats_purge_apache_log_files',`
@@ -90,9 +87,13 @@ optional_policy(`
# CGI local policy
#
-allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
+apache_read_log(awstats_script_t)
+
+manage_dirs_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t)
+manage_files_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t)
+files_tmp_filetrans(awstats_script_t, awstats_tmp_t, { dir file })
-read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
-files_search_var_lib(httpd_awstats_script_t)
+allow awstats_script_t awstats_var_lib_t:dir list_dir_perms;
-apache_read_log(httpd_awstats_script_t)
+read_files_pattern(awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
+files_search_var_lib(awstats_script_t)
diff --git a/backup.te b/backup.te
index 7811450b6..c9da8d3d0 100644
--- a/backup.te
+++ b/backup.te
@@ -21,7 +21,7 @@ files_type(backup_store_t)
# Local policy
#
-allow backup_t self:capability dac_override;
+allow backup_t self:capability { dac_read_search };
allow backup_t self:process signal;
allow backup_t self:fifo_file rw_fifo_file_perms;
allow backup_t self:tcp_socket create_socket_perms;
@@ -38,7 +38,6 @@ kernel_read_kernel_sysctls(backup_t)
corecmd_exec_bin(backup_t)
corecmd_exec_shell(backup_t)
-corenet_all_recvfrom_unlabeled(backup_t)
corenet_all_recvfrom_netlabel(backup_t)
corenet_tcp_sendrecv_generic_if(backup_t)
corenet_tcp_sendrecv_generic_node(backup_t)
@@ -67,7 +66,7 @@ logging_send_syslog_msg(backup_t)
sysnet_read_config(backup_t)
-userdom_use_user_terminals(backup_t)
+userdom_use_inherited_user_terminals(backup_t)
optional_policy(`
cron_system_entry(backup_t, backup_exec_t)
diff --git a/bacula.fc b/bacula.fc
index 27ec3d519..65aa71bf6 100644
--- a/bacula.fc
+++ b/bacula.fc
@@ -8,6 +8,8 @@
/usr/sbin/bat -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
/usr/sbin/bconsole -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+/var/bacula(/.*)? gen_context(system_u:object_r:bacula_store_t,s0)
+
/var/lib/bacula.* gen_context(system_u:object_r:bacula_var_lib_t,s0)
/var/log/bacula.* gen_context(system_u:object_r:bacula_log_t,s0)
diff --git a/bacula.if b/bacula.if
index dcd774ee4..c240ffaf6 100644
--- a/bacula.if
+++ b/bacula.if
@@ -69,6 +69,7 @@ interface(`bacula_admin',`
type bacula_t, bacula_etc_t, bacula_log_t;
type bacula_spool_t, bacula_var_lib_t;
type bacula_var_run_t, bacula_initrc_exec_t;
+ attribute_role bacula_admin_roles;
')
allow $1 bacula_t:process { ptrace signal_perms };
diff --git a/bacula.te b/bacula.te
index f16b00008..db82cfb6a 100644
--- a/bacula.te
+++ b/bacula.te
@@ -27,6 +27,9 @@ type bacula_store_t;
files_type(bacula_store_t)
files_mountpoint(bacula_store_t)
+type bacula_tmp_t;
+files_tmp_file(bacula_tmp_t)
+
type bacula_var_lib_t;
files_type(bacula_var_lib_t)
@@ -38,21 +41,30 @@ type bacula_admin_exec_t;
application_domain(bacula_admin_t, bacula_admin_exec_t)
role bacula_admin_roles types bacula_admin_t;
+type bacula_unconfined_script_exec_t;
+application_executable_file(bacula_unconfined_script_exec_t)
+
########################################
#
# Local policy
#
-allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
+allow bacula_t self:capability { dac_read_search chown fowner fsetid setgid setuid};
allow bacula_t self:process signal;
allow bacula_t self:fifo_file rw_fifo_file_perms;
allow bacula_t self:tcp_socket { accept listen };
read_files_pattern(bacula_t, bacula_etc_t, bacula_etc_t)
+manage_files_pattern(bacula_t, bacula_tmp_t, bacula_tmp_t)
+manage_dirs_pattern(bacula_t, bacula_tmp_t, bacula_tmp_t)
+files_tmp_filetrans(bacula_t, bacula_tmp_t, { dir file })
+
+manage_dirs_pattern(bacula_t,bacula_log_t, bacula_log_t)
append_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
create_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
setattr_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
+logging_log_filetrans(bacula_t, bacula_log_t, { file dir })
manage_dirs_pattern(bacula_t, bacula_spool_t, bacula_spool_t)
manage_files_pattern(bacula_t, bacula_spool_t, bacula_spool_t)
@@ -88,6 +100,10 @@ corenet_udp_bind_generic_node(bacula_t)
corenet_sendrecv_generic_server_packets(bacula_t)
corenet_udp_bind_generic_port(bacula_t)
+
+#TODO: check port labels for hplip a bacula
+corenet_tcp_bind_bacula_port(bacula_t)
+
corenet_sendrecv_hplip_server_packets(bacula_t)
corenet_tcp_bind_hplip_port(bacula_t)
corenet_udp_bind_hplip_port(bacula_t)
@@ -98,19 +114,30 @@ corenet_tcp_connect_all_ports(bacula_t)
dev_getattr_all_blk_files(bacula_t)
dev_getattr_all_chr_files(bacula_t)
+files_getattr_all_pipes(bacula_t)
+files_getattr_all_sockets(bacula_t)
+
files_dontaudit_getattr_all_sockets(bacula_t)
+files_dontaudit_getattr_all_pipes(bacula_t)
files_read_all_files(bacula_t)
files_read_all_symlinks(bacula_t)
fs_getattr_xattr_fs(bacula_t)
fs_list_all(bacula_t)
+storage_raw_read_fixed_disk(bacula_t)
+storage_read_tape(bacula_t)
+storage_write_tape(bacula_t)
+
+auth_use_nsswitch(bacula_t)
auth_read_shadow(bacula_t)
logging_send_syslog_msg(bacula_t)
sysnet_dns_name_resolve(bacula_t)
+userdom_home_manager(bacula_t)
+
optional_policy(`
mysql_stream_connect(bacula_t)
mysql_tcp_connect(bacula_t)
@@ -125,6 +152,12 @@ optional_policy(`
ldap_stream_connect(bacula_t)
')
+optional_policy(`
+ postgresql_tcp_connect(bacula_t)
+ postgresql_stream_connect(bacula_t)
+')
+
+
########################################
#
# Client local policy
@@ -148,11 +181,32 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
domain_use_interactive_fds(bacula_admin_t)
-files_read_etc_files(bacula_admin_t)
-
-miscfiles_read_localization(bacula_admin_t)
-
sysnet_dns_name_resolve(bacula_admin_t)
userdom_dontaudit_search_user_home_dirs(bacula_admin_t)
userdom_use_user_ptys(bacula_admin_t)
+
+########################################
+#
+# Unconfined script local policy
+#
+
+optional_policy(`
+ type bacula_unconfined_script_t;
+ domain_type(bacula_unconfined_script_t)
+
+ domain_entry_file(bacula_unconfined_script_t, bacula_unconfined_script_exec_t)
+ role system_r types bacula_unconfined_script_t;
+
+ allow bacula_t bacula_unconfined_script_t:process signal_perms;
+
+ domtrans_pattern(bacula_t, bacula_unconfined_script_exec_t, bacula_unconfined_script_t)
+
+ allow bacula_unconfined_script_t bacula_unconfined_script_exec_t:dir search_dir_perms;
+ allow bacula_unconfined_script_t bacula_unconfined_script_exec_t:dir read_file_perms;
+ allow bacula_unconfined_script_t bacula_unconfined_script_exec_t:file ioctl;
+
+ optional_policy(`
+ unconfined_domain(bacula_unconfined_script_t)
+ ')
+')
diff --git a/bcfg2.fc b/bcfg2.fc
index fb42e352b..8af0e14ce 100644
--- a/bcfg2.fc
+++ b/bcfg2.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/bcfg2-server -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
+/usr/lib/systemd/system/bcfg2-server.* -- gen_context(system_u:object_r:bcfg2_unit_file_t,s0)
+
/usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
/var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
diff --git a/bcfg2.if b/bcfg2.if
index ec95d361e..186271b74 100644
--- a/bcfg2.if
+++ b/bcfg2.if
@@ -117,6 +117,32 @@ interface(`bcfg2_manage_lib_dirs',`
########################################
## <summary>
+## Execute bcfg2 server in the bcfg2 domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bcfg2_systemctl',`
+ gen_require(`
+ type bcfg2_t;
+ type bcfg2_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 bcfg2_unit_file_t:file read_file_perms;
+ allow $1 bcfg2_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, bcfg2_t)
+')
+
+
+########################################
+## <summary>
## All of the rules required to
## administrate an bcfg2 environment.
## </summary>
@@ -136,11 +162,16 @@ interface(`bcfg2_admin',`
gen_require(`
type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t;
type bcfg2_var_run_t;
+ type bcfg2_unit_file_t;
')
- allow $1 bcfg2_t:process { ptrace signal_perms };
+ allow $1 bcfg2_t:process { signal_perms };
ps_process_pattern($1, bcfg2_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 bcfg2_t:process ptrace;
+ ')
+
bcfg2_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 bcfg2_initrc_exec_t system_r;
@@ -151,4 +182,13 @@ interface(`bcfg2_admin',`
files_search_var_lib($1)
admin_pattern($1, bcfg2_var_lib_t)
+
+ bcfg2_systemctl($1)
+ admin_pattern($1, bcfg2_unit_file_t)
+ allow $1 bcfg2_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/bcfg2.te b/bcfg2.te
index c3fd7b148..e18959384 100644
--- a/bcfg2.te
+++ b/bcfg2.te
@@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t)
type bcfg2_var_lib_t;
files_type(bcfg2_var_lib_t)
+type bcfg2_unit_file_t;
+systemd_unit_file(bcfg2_unit_file_t)
+
type bcfg2_var_run_t;
files_pid_file(bcfg2_var_run_t)
@@ -52,10 +55,7 @@ dev_read_urand(bcfg2_t)
domain_use_interactive_fds(bcfg2_t)
-files_read_usr_files(bcfg2_t)
auth_use_nsswitch(bcfg2_t)
logging_send_syslog_msg(bcfg2_t)
-
-miscfiles_read_localization(bcfg2_t)
diff --git a/bind.fc b/bind.fc
index 2b9a3a10d..982ce9b71 100644
--- a/bind.fc
+++ b/bind.fc
@@ -1,54 +1,78 @@
-/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named-sdb -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
-/etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
-/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+
+/usr/lib/systemd/system/unbound.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
+/usr/lib/systemd/system/named.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
+/usr/lib/systemd/system/named-sdb.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
-/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
-/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
-/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-sdb -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-pkcs11 -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-anchor -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-checkconf -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-control -- gen_context(system_u:object_r:named_exec_t,s0)
-/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
-/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
-/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
+ifdef(`distro_debian',`
+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.local -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+')
+
+ifdef(`distro_gentoo',`
+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+')
-/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
-/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+ifdef(`distro_redhat',`
+/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/lib/softhsm(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
/var/named/chroot/proc(/.*)? <<none>>
-/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
-/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
-/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/chroot/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
/var/named/chroot/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
-/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-
-/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+')
diff --git a/bind.if b/bind.if
index 531a8f244..3fcf18722 100644
--- a/bind.if
+++ b/bind.if
@@ -20,6 +20,30 @@ interface(`bind_initrc_domtrans',`
########################################
## <summary>
+## Execute bind server in the bind domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bind_systemctl',`
+ gen_require(`
+ type named_unit_file_t;
+ type named_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 named_unit_file_t:file read_file_perms;
+ allow $1 named_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, named_t)
+')
+
+########################################
+## <summary>
## Execute ndc in the ndc domain.
## </summary>
## <param name="domain">
@@ -169,6 +193,7 @@ interface(`bind_read_config',`
type named_conf_t;
')
+ allow $1 named_conf_t:dir list_dir_perms;
read_files_pattern($1, named_conf_t, named_conf_t)
')
@@ -212,6 +237,25 @@ interface(`bind_manage_config_dirs',`
########################################
## <summary>
+## Create, read, write, and delete
+## BIND configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_manage_config',`
+ gen_require(`
+ type named_conf_t;
+ ')
+
+ manage_files_pattern($1, named_conf_t, named_conf_t)
+')
+
+########################################
+## <summary>
## Search bind cache directories.
## </summary>
## <param name="domain">
@@ -310,6 +354,47 @@ interface(`bind_read_zone',`
########################################
## <summary>
+## Read BIND zone files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_read_log',`
+ gen_require(`
+ type named_zone_t;
+ type named_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 named_zone_t:dir search_dir_perms;
+ read_files_pattern($1, named_log_t, named_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## bind zone files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_manage_zone_dirs',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ files_search_var($1)
+ allow $1 named_zone_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## bind zone files.
## </summary>
@@ -344,6 +429,25 @@ interface(`bind_udp_chat_named',`
########################################
## <summary>
+## Allow the domain to read bind state files in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_read_state',`
+ gen_require(`
+ type named_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, named_t)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an bind environment.
## </summary>
@@ -364,11 +468,17 @@ interface(`bind_admin',`
type named_t, named_tmp_t, named_log_t;
type named_cache_t, named_zone_t, named_initrc_exec_t;
type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
- type named_keytab_t;
+ type named_keytab_t, named_unit_file_t;
')
- allow $1 { named_t ndc_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { named_t ndc_t })
+ allow $1 named_t:process signal_perms;
+ ps_process_pattern($1, named_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 named_t:process ptrace;
+ ')
+
+ bind_run_ndc($1, $2)
init_labeled_script_domtrans($1, named_initrc_exec_t)
domain_system_change_exemption($1)
@@ -384,11 +494,15 @@ interface(`bind_admin',`
files_list_etc($1)
admin_pattern($1, { named_keytab_t named_conf_t })
+ admin_pattern($1, named_keytab_t)
+
files_list_var($1)
admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
files_list_pids($1)
admin_pattern($1, named_var_run_t)
- bind_run_ndc($1, $2)
+ admin_pattern($1, named_unit_file_t)
+ bind_systemctl($1)
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
index 124112346..6a704537e 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
init_system_domain(named_t, named_checkconf_exec_t)
type named_conf_t;
-files_type(named_conf_t)
+files_config_file(named_conf_t)
files_mountpoint(named_conf_t)
# for secondary zone files
@@ -44,6 +44,9 @@ files_type(named_cache_t)
type named_initrc_exec_t;
init_script_file(named_initrc_exec_t)
+type named_unit_file_t;
+systemd_unit_file(named_unit_file_t)
+
type named_keytab_t;
files_type(named_keytab_t)
@@ -71,8 +74,9 @@ role ndc_roles types ndc_t;
# Local policy
#
-allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
+allow named_t self:capability { chown dac_read_search dac_override fowner net_admin net_raw setgid setuid sys_chroot sys_nice sys_resource };
dontaudit named_t self:capability sys_tty_config;
+allow named_t self:capability2 block_suspend;
allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
allow named_t self:fifo_file rw_fifo_file_perms;
allow named_t self:unix_stream_socket { accept listen };
@@ -84,14 +88,13 @@ allow named_t named_conf_t:dir list_dir_perms;
read_files_pattern(named_t, named_conf_t, named_conf_t)
read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
+manage_dirs_pattern(named_t, named_cache_t, named_cache_t)
manage_files_pattern(named_t, named_cache_t, named_cache_t)
manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
allow named_t named_keytab_t:file read_file_perms;
-append_files_pattern(named_t, named_log_t, named_log_t)
-create_files_pattern(named_t, named_log_t, named_log_t)
-setattr_files_pattern(named_t, named_log_t, named_log_t)
+manage_files_pattern(named_t, named_log_t, named_log_t)
logging_log_filetrans(named_t, named_log_t, file)
manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
@@ -112,10 +115,10 @@ read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
kernel_read_kernel_sysctls(named_t)
kernel_read_system_state(named_t)
kernel_read_network_state(named_t)
+kernel_read_net_sysctls(named_t)
corecmd_search_bin(named_t)
-corenet_all_recvfrom_unlabeled(named_t)
corenet_all_recvfrom_netlabel(named_t)
corenet_tcp_sendrecv_generic_if(named_t)
corenet_udp_sendrecv_generic_if(named_t)
@@ -127,9 +130,15 @@ corenet_udp_bind_generic_node(named_t)
corenet_sendrecv_all_server_packets(named_t)
corenet_tcp_bind_dns_port(named_t)
corenet_udp_bind_dns_port(named_t)
+corenet_udp_bind_ipp_port(named_t)
+corenet_udp_bind_rtsp_port(named_t)
+corenet_udp_bind_dhcpc_port(named_t)
+corenet_udp_bind_kerberos_port(named_t)
+corenet_udp_bind_flash_port(named_t)
+corenet_udp_bind_bgp_port(named_t)
corenet_tcp_sendrecv_dns_port(named_t)
corenet_udp_sendrecv_dns_port(named_t)
-
+corenet_udp_bind_whois_port(named_t)
corenet_tcp_bind_rndc_port(named_t)
corenet_tcp_sendrecv_rndc_port(named_t)
@@ -141,13 +150,18 @@ corenet_sendrecv_all_client_packets(named_t)
corenet_tcp_connect_all_ports(named_t)
corenet_tcp_sendrecv_all_ports(named_t)
+corenet_tcp_bind_all_ephemeral_ports(named_t)
+corenet_udp_bind_all_ephemeral_ports(named_t)
+
dev_read_sysfs(named_t)
dev_read_rand(named_t)
dev_read_urand(named_t)
+dev_dontaudit_write_urand(named_t)
domain_use_interactive_fds(named_t)
files_read_etc_runtime_files(named_t)
+files_mmap_usr_files(named_t)
fs_getattr_all_fs(named_t)
fs_search_auto_mountpoints(named_t)
@@ -175,6 +189,19 @@ tunable_policy(`named_write_master_zones',`
')
optional_policy(`
+ cron_system_entry(named_t, named_exec_t)
+')
+
+optional_policy(`
+ # needed by FreeIPA with DNS support
+ dirsrv_stream_connect(named_t)
+')
+
+optional_policy(`
+ dnssec_trigger_manage_pid_files(named_t)
+')
+
+optional_policy(`
dbus_system_domain(named_t, named_exec_t)
init_dbus_chat_script(named_t)
@@ -187,7 +214,17 @@ optional_policy(`
')
optional_policy(`
+ ipa_manage_lib(named_t)
+')
+
+optional_policy(`
+ ipsec_rw_inherited_pipes(named_t)
+')
+
+optional_policy(`
+ kerberos_filetrans_named_content(named_t)
kerberos_read_keytab(named_t)
+ kerberos_read_host_rcache(named_t)
kerberos_use(named_t)
')
@@ -214,8 +251,9 @@ optional_policy(`
# NDC local policy
#
-allow ndc_t self:capability { dac_override net_admin };
-allow ndc_t self:process signal_perms;
+allow ndc_t self:capability { dac_read_search net_admin };
+allow ndc_t self:capability2 block_suspend;
+allow ndc_t self:process { fork signal_perms };
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
@@ -229,10 +267,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
-kernel_read_kernel_sysctls(ndc_t)
kernel_read_system_state(ndc_t)
+kernel_read_kernel_sysctls(ndc_t)
-corenet_all_recvfrom_unlabeled(ndc_t)
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
@@ -242,6 +279,9 @@ corenet_tcp_bind_generic_node(ndc_t)
corenet_tcp_connect_rndc_port(ndc_t)
corenet_sendrecv_rndc_client_packets(ndc_t)
+dev_read_rand(ndc_t)
+dev_read_urand(ndc_t)
+
domain_use_interactive_fds(ndc_t)
files_search_pids(ndc_t)
@@ -257,7 +297,7 @@ init_use_script_ptys(ndc_t)
logging_send_syslog_msg(ndc_t)
-miscfiles_read_localization(ndc_t)
+userdom_use_inherited_user_terminals(ndc_t)
userdom_use_user_terminals(ndc_t)
diff --git a/bird.te b/bird.te
index 1d60c2730..f8bb70055 100644
--- a/bird.te
+++ b/bird.te
@@ -51,7 +51,6 @@ corenet_tcp_connect_bgp_port(bird_t)
corenet_tcp_sendrecv_bgp_port(bird_t)
# /etc/iproute2/rt_realms
-files_read_etc_files(bird_t)
logging_send_syslog_msg(bird_t)
diff --git a/bitlbee.fc b/bitlbee.fc
index e9708d6cc..61362d088 100644
--- a/bitlbee.fc
+++ b/bitlbee.fc
@@ -7,7 +7,7 @@
/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
-/var/log/bip(/.*)? gen_context(system_u:object_r:bitlbee_log_t,s0)
+/var/log/bip.* gen_context(system_u:object_r:bitlbee_log_t,s0)
/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0)
/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0)
diff --git a/bitlbee.if b/bitlbee.if
index e73fb799e..2badfc0d9 100644
--- a/bitlbee.if
+++ b/bitlbee.if
@@ -44,9 +44,13 @@ interface(`bitlbee_admin',`
type bitlbee_log_t, bitlbee_tmp_t;
')
- allow $1 bitlbee_t:process { ptrace signal_perms };
+ allow $1 bitlbee_t:process signal_perms;
ps_process_pattern($1, bitlbee_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 bitlbee_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 bitlbee_initrc_exec_t system_r;
diff --git a/bitlbee.te b/bitlbee.te
index f5c1a48b6..dbc347918 100644
--- a/bitlbee.te
+++ b/bitlbee.te
@@ -33,11 +33,14 @@ files_pid_file(bitlbee_var_run_t)
# Local policy
#
-allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
+allow bitlbee_t self:capability { dac_read_search kill setgid setuid sys_nice };
allow bitlbee_t self:process { setsched signal };
+
allow bitlbee_t self:fifo_file rw_fifo_file_perms;
-allow bitlbee_t self:tcp_socket { accept listen };
-allow bitlbee_t self:unix_stream_socket { accept listen };
+allow bitlbee_t self:udp_socket create_socket_perms;
+allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
+allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;
allow bitlbee_t bitlbee_conf_t:dir list_dir_perms;
allow bitlbee_t bitlbee_conf_t:file read_file_perms;
@@ -45,22 +48,25 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms;
manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+read_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+logging_log_filetrans(bitlbee_t, bitlbee_log_t, { dir file })
manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })
manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
-files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
+manage_dirs_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
+files_var_lib_filetrans(bitlbee_t, bitlbee_var_t,{dir file})
manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
-kernel_read_kernel_sysctls(bitlbee_t)
kernel_read_system_state(bitlbee_t)
+kernel_read_kernel_sysctls(bitlbee_t)
corenet_all_recvfrom_unlabeled(bitlbee_t)
corenet_all_recvfrom_netlabel(bitlbee_t)
@@ -98,7 +104,9 @@ corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
corenet_sendrecv_ircd_server_packets(bitlbee_t)
corenet_tcp_bind_ircd_port(bitlbee_t)
+corenet_tcp_bind_interwise_port(bitlbee_t)
corenet_sendrecv_ircd_client_packets(bitlbee_t)
+corenet_tcp_connect_interwise_port(bitlbee_t)
corenet_tcp_connect_ircd_port(bitlbee_t)
corenet_tcp_sendrecv_ircd_port(bitlbee_t)
@@ -109,16 +117,17 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
dev_read_rand(bitlbee_t)
dev_read_urand(bitlbee_t)
-files_read_usr_files(bitlbee_t)
-
libs_legacy_use_shared_libs(bitlbee_t)
auth_use_nsswitch(bitlbee_t)
logging_send_syslog_msg(bitlbee_t)
-miscfiles_read_localization(bitlbee_t)
+optional_policy(`
+ dbus_system_bus_client(bitlbee_t)
+')
optional_policy(`
tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
')
+
diff --git a/blkmapd.fc b/blkmapd.fc
new file mode 100644
index 000000000..5e59fb414
--- /dev/null
+++ b/blkmapd.fc
@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/blkmapd -- gen_context(system_u:object_r:blkmapd_initrc_exec_t,s0)
+
+/usr/sbin/blkmapd -- gen_context(system_u:object_r:blkmapd_exec_t,s0)
+
+/var/run/blkmapd\.pid -- gen_context(system_u:object_r:blkmapd_var_run_t,s0)
diff --git a/blkmapd.if b/blkmapd.if
new file mode 100644
index 000000000..76663796f
--- /dev/null
+++ b/blkmapd.if
@@ -0,0 +1,121 @@
+
+## <summary>The blkmapd daemon performs device discovery and mapping for pNFS block layout client.</summary>
+
+########################################
+## <summary>
+## Execute blkmapd_exec_t in the blkmapd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`blkmapd_domtrans',`
+ gen_require(`
+ type blkmapd_t, blkmapd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, blkmapd_exec_t, blkmapd_t)
+')
+
+######################################
+## <summary>
+## Execute blkmapd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`blkmapd_exec',`
+ gen_require(`
+ type blkmapd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, blkmapd_exec_t)
+')
+
+########################################
+## <summary>
+## Execute blkmapd server in the blkmapd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`blkmapd_initrc_domtrans',`
+ gen_require(`
+ type blkmapd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, blkmapd_initrc_exec_t)
+')
+########################################
+## <summary>
+## Read blkmapd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`blkmapd_read_pid_files',`
+ gen_require(`
+ type blkmapd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, blkmapd_var_run_t, blkmapd_var_run_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an blkmapd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`blkmapd_admin',`
+ gen_require(`
+ type blkmapd_t;
+ type blkmapd_initrc_exec_t;
+ type blkmapd_var_run_t;
+ ')
+
+ allow $1 blkmapd_t:process { signal_perms };
+ ps_process_pattern($1, blkmapd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 blkmapd_t:process ptrace;
+ ')
+
+ blkmapd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 blkmapd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_pids($1)
+ admin_pattern($1, blkmapd_var_run_t)
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/blkmapd.te b/blkmapd.te
new file mode 100644
index 000000000..6cfb35592
--- /dev/null
+++ b/blkmapd.te
@@ -0,0 +1,44 @@
+policy_module(blkmapd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type blkmapd_t;
+type blkmapd_exec_t;
+init_daemon_domain(blkmapd_t, blkmapd_exec_t)
+
+type blkmapd_initrc_exec_t;
+init_script_file(blkmapd_initrc_exec_t)
+
+type blkmapd_var_run_t;
+files_pid_file(blkmapd_var_run_t)
+
+
+########################################
+#
+# blkmapd local policy
+#
+
+allow blkmapd_t self:capability sys_rawio;
+
+manage_files_pattern(blkmapd_t, blkmapd_var_run_t, blkmapd_var_run_t)
+files_pid_filetrans(blkmapd_t, blkmapd_var_run_t, file)
+
+kernel_read_system_state(blkmapd_t)
+
+dev_list_sysfs(blkmapd_t)
+
+fs_list_rpc(blkmapd_t)
+fs_rw_rpc_named_pipes(blkmapd_t)
+
+storage_raw_read_fixed_disk(blkmapd_t)
+storage_raw_read_removable_device(blkmapd_t)
+
+
+logging_send_syslog_msg(blkmapd_t)
+
+optional_policy(`
+ rpc_read_nfs_state_data(blkmapd_t)
+')
diff --git a/blueman.fc b/blueman.fc
index c295d2e01..4f84e9c14 100644
--- a/blueman.fc
+++ b/blueman.fc
@@ -1,3 +1,4 @@
+
/usr/libexec/blueman-mechanism -- gen_context(system_u:object_r:blueman_exec_t,s0)
/var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0)
diff --git a/blueman.if b/blueman.if
index 16ec52526..1dd40595c 100644
--- a/blueman.if
+++ b/blueman.if
@@ -38,6 +38,7 @@ interface(`blueman_dbus_chat',`
allow $1 blueman_t:dbus send_msg;
allow blueman_t $1:dbus send_msg;
+ ps_process_pattern(blueman_t, $1)
')
########################################
diff --git a/blueman.te b/blueman.te
index 3a5032e06..3facb7156 100644
--- a/blueman.te
+++ b/blueman.te
@@ -7,7 +7,7 @@ policy_module(blueman, 1.1.0)
type blueman_t;
type blueman_exec_t;
-dbus_system_domain(blueman_t, blueman_exec_t)
+init_daemon_domain(blueman_t, blueman_exec_t)
type blueman_var_lib_t;
files_type(blueman_var_lib_t)
@@ -15,13 +15,17 @@ files_type(blueman_var_lib_t)
type blueman_var_run_t;
files_pid_file(blueman_var_run_t)
+type blueman_tmp_t;
+files_tmp_file(blueman_tmp_t)
+
########################################
#
# Local policy
#
allow blueman_t self:capability { net_admin sys_nice };
-allow blueman_t self:process { signal_perms setsched };
+allow blueman_t self:process { execmem signal_perms setsched };
+
allow blueman_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
@@ -32,7 +36,12 @@ manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file })
-kernel_read_net_sysctls(blueman_t)
+manage_dirs_pattern(blueman_t, blueman_tmp_t, blueman_tmp_t)
+manage_files_pattern(blueman_t, blueman_tmp_t, blueman_tmp_t)
+exec_files_pattern(blueman_t, blueman_tmp_t, blueman_tmp_t)
+files_tmp_filetrans(blueman_t, blueman_tmp_t, { file dir })
+
+kernel_rw_net_sysctls(blueman_t)
kernel_read_system_state(blueman_t)
kernel_request_load_module(blueman_t)
@@ -41,29 +50,45 @@ corecmd_exec_bin(blueman_t)
dev_read_rand(blueman_t)
dev_read_urand(blueman_t)
dev_rw_wireless(blueman_t)
+dev_rwx_zero(blueman_t)
domain_use_interactive_fds(blueman_t)
files_list_tmp(blueman_t)
-files_read_usr_files(blueman_t)
+files_dontaudit_write_all_mountpoints(blueman_t)
auth_use_nsswitch(blueman_t)
logging_send_syslog_msg(blueman_t)
-miscfiles_read_localization(blueman_t)
-
sysnet_domtrans_ifconfig(blueman_t)
+sysnet_dns_name_resolve(blueman_t)
optional_policy(`
avahi_domtrans(blueman_t)
')
optional_policy(`
+ bluetooth_read_config(blueman_t)
+')
+
+optional_policy(`
+ dbus_system_domain(blueman_t, blueman_exec_t)
+')
+
+optional_policy(`
dnsmasq_domtrans(blueman_t)
dnsmasq_read_pid_files(blueman_t)
')
optional_policy(`
+ gnome_search_gconf(blueman_t)
+')
+
+optional_policy(`
iptables_domtrans(blueman_t)
')
+
+optional_policy(`
+ xserver_read_state_xdm(blueman_t)
+')
diff --git a/bluetooth.fc b/bluetooth.fc
index 2b9c7f329..6ae8a62c9 100644
--- a/bluetooth.fc
+++ b/bluetooth.fc
@@ -5,10 +5,15 @@
/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+/usr/lib/systemd/system/bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0)
+
/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
/usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/pand -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/libexec/bluetooth/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/libexec/bluetooth/obexd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
diff --git a/bluetooth.if b/bluetooth.if
index c723a0ae0..1c29d21e7 100644
--- a/bluetooth.if
+++ b/bluetooth.if
@@ -37,7 +37,12 @@ interface(`bluetooth_role',`
domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
ps_process_pattern($2, bluetooth_helper_t)
- allow $2 bluetooth_helper_t:process { ptrace signal_perms };
+
+ allow $2 bluetooth_helper_t:process signal_perms;
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 bluetooth_helper_t:process ptrace;
+ ')
allow $2 bluetooth_t:socket rw_socket_perms;
@@ -45,8 +50,10 @@ interface(`bluetooth_role',`
allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms };
allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+ manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+ bluetooth_stream_connect($2)
stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
- files_search_pids($2)
')
#####################################
@@ -63,11 +70,13 @@ interface(`bluetooth_role',`
interface(`bluetooth_stream_connect',`
gen_require(`
type bluetooth_t, bluetooth_var_run_t;
+ type bluetooth_tmp_t;
')
files_search_pids($1)
allow $1 bluetooth_t:socket rw_socket_perms;
stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
+ stream_connect_pattern($1, bluetooth_tmp_t, bluetooth_tmp_t, bluetooth_t)
')
########################################
@@ -130,6 +139,27 @@ interface(`bluetooth_dbus_chat',`
########################################
## <summary>
+## dontaudit Send and receive messages from
+## bluetooth over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`bluetooth_dontaudit_dbus_chat',`
+ gen_require(`
+ type bluetooth_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 bluetooth_t:dbus send_msg;
+ dontaudit bluetooth_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
## </summary>
## <param name="domain">
@@ -190,6 +220,30 @@ interface(`bluetooth_dontaudit_read_helper_state',`
########################################
## <summary>
+## Execute bluetooth server in the bluetooth domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bluetooth_systemctl',`
+ gen_require(`
+ type bluetooth_t;
+ type bluetooth_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 bluetooth_unit_file_t:file read_file_perms;
+ allow $1 bluetooth_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, bluetooth_t)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an bluetooth environment.
## </summary>
@@ -210,12 +264,16 @@ interface(`bluetooth_admin',`
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
type bluetooth_var_lib_t, bluetooth_var_run_t;
type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t;
- type bluetooth_initrc_exec_t;
+ type bluetooth_unit_file_t, bluetooth_initrc_exec_t;
')
- allow $1 bluetooth_t:process { ptrace signal_perms };
+ allow $1 bluetooth_t:process signal_perms;
ps_process_pattern($1, bluetooth_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 bluetooth_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 bluetooth_initrc_exec_t system_r;
@@ -235,4 +293,8 @@ interface(`bluetooth_admin',`
files_list_pids($1)
admin_pattern($1, bluetooth_var_run_t)
+
+ bluetooth_systemctl($1)
+ admin_pattern($1, bluetooth_unit_file_t)
+ allow $1 bluetooth_unit_file_t:service all_service_perms;
')
diff --git a/bluetooth.te b/bluetooth.te
index 851769e55..53e2283cb 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -10,6 +10,7 @@ attribute_role bluetooth_helper_roles;
type bluetooth_t;
type bluetooth_exec_t;
init_daemon_domain(bluetooth_t, bluetooth_exec_t)
+init_nnp_daemon_domain(bluetooth_t)
type bluetooth_conf_t;
files_config_file(bluetooth_conf_t)
@@ -49,12 +50,15 @@ files_type(bluetooth_var_lib_t)
type bluetooth_var_run_t;
files_pid_file(bluetooth_var_run_t)
+type bluetooth_unit_file_t;
+systemd_unit_file(bluetooth_unit_file_t)
+
########################################
#
# Local policy
#
-allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock };
+allow bluetooth_t self:capability { dac_read_search net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock };
dontaudit bluetooth_t self:capability sys_tty_config;
allow bluetooth_t self:process { getcap setcap getsched signal_perms };
allow bluetooth_t self:fifo_file rw_fifo_file_perms;
@@ -78,10 +82,12 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
-files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file })
+manage_fifo_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file fifo_file })
manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
+allow bluetooth_t bluetooth_var_lib_t:file map;
files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } )
manage_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t)
@@ -90,27 +96,37 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
can_exec(bluetooth_t, bluetooth_helper_exec_t)
+corecmd_exec_bin(bluetooth_t)
+corecmd_exec_shell(bluetooth_t)
+
kernel_read_kernel_sysctls(bluetooth_t)
kernel_read_system_state(bluetooth_t)
kernel_read_network_state(bluetooth_t)
kernel_request_load_module(bluetooth_t)
kernel_search_debugfs(bluetooth_t)
-corecmd_exec_bin(bluetooth_t)
-corecmd_exec_shell(bluetooth_t)
-
-dev_read_sysfs(bluetooth_t)
+corenet_all_recvfrom_netlabel(bluetooth_t)
+corenet_tcp_sendrecv_generic_if(bluetooth_t)
+corenet_udp_sendrecv_generic_if(bluetooth_t)
+corenet_raw_sendrecv_generic_if(bluetooth_t)
+corenet_tcp_sendrecv_generic_node(bluetooth_t)
+corenet_udp_sendrecv_generic_node(bluetooth_t)
+corenet_raw_sendrecv_generic_node(bluetooth_t)
+corenet_tcp_sendrecv_all_ports(bluetooth_t)
+corenet_udp_sendrecv_all_ports(bluetooth_t)
+
+dev_rw_sysfs(bluetooth_t)
dev_rw_usbfs(bluetooth_t)
dev_rw_generic_usb_dev(bluetooth_t)
dev_read_urand(bluetooth_t)
dev_rw_input_dev(bluetooth_t)
dev_rw_wireless(bluetooth_t)
+dev_rw_uhid_dev(bluetooth_t)
domain_use_interactive_fds(bluetooth_t)
domain_dontaudit_search_all_domains_state(bluetooth_t)
files_read_etc_runtime_files(bluetooth_t)
-files_read_usr_files(bluetooth_t)
fs_getattr_all_fs(bluetooth_t)
fs_search_auto_mountpoints(bluetooth_t)
@@ -122,7 +138,6 @@ auth_use_nsswitch(bluetooth_t)
logging_send_syslog_msg(bluetooth_t)
-miscfiles_read_localization(bluetooth_t)
miscfiles_read_fonts(bluetooth_t)
miscfiles_read_hwdata(bluetooth_t)
@@ -130,6 +145,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
userdom_dontaudit_use_user_terminals(bluetooth_t)
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+# machine-info
+systemd_hostnamed_read_config(bluetooth_t)
+systemd_dbus_chat_hostnamed(bluetooth_t)
+
optional_policy(`
dbus_system_bus_client(bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
@@ -200,7 +219,6 @@ dev_read_urand(bluetooth_helper_t)
domain_read_all_domains_state(bluetooth_helper_t)
files_read_etc_runtime_files(bluetooth_helper_t)
-files_read_usr_files(bluetooth_helper_t)
files_dontaudit_list_default(bluetooth_helper_t)
term_dontaudit_use_all_ttys(bluetooth_helper_t)
diff --git a/boinc.fc b/boinc.fc
index 6d3ccad60..9c69f28ab 100644
--- a/boinc.fc
+++ b/boinc.fc
@@ -1,9 +1,15 @@
-/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
+/etc/boinc-client/global_prefs_override.xml -- gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
-/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
+/usr/bin/boinc -- gen_context(system_u:object_r:boinc_exec_t,s0)
+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
-/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
-/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
-/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+/usr/lib/systemd/system/boinc-client\.service -- gen_context(system_u:object_r:boinc_unit_file_t,s0)
-/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
+/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/var/lib/boinc-client(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+
+/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
+/var/log/boincerr\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
diff --git a/boinc.if b/boinc.if
index 02fefaaf7..308616e8d 100644
--- a/boinc.if
+++ b/boinc.if
@@ -1,9 +1,166 @@
-## <summary>Platform for computing using volunteered resources.</summary>
+## <summary>policy for boinc</summary>
########################################
## <summary>
-## All of the rules required to
-## administrate an boinc environment.
+## Execute a domain transition to run boinc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`boinc_domtrans',`
+ gen_require(`
+ type boinc_t, boinc_exec_t;
+ ')
+
+ domtrans_pattern($1, boinc_exec_t, boinc_t)
+')
+
+#######################################
+## <summary>
+## Execute boinc server in the boinc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`boinc_initrc_domtrans',`
+ gen_require(`
+ type boinc_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+## Dontaudit getattr on boinc lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`boinc_dontaudit_getattr_lib',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ dontaudit $1 boinc_var_lib_t:file getattr;
+')
+
+########################################
+## <summary>
+## Search boinc lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`boinc_search_lib',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ allow $1 boinc_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read boinc lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`boinc_read_lib_files',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## boinc lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`boinc_manage_lib_files',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage boinc var_lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`boinc_manage_var_lib',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Execute boinc server in the boinc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`boinc_systemctl',`
+ gen_require(`
+ type boinc_t;
+ type boinc_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 boinc_unit_file_t:file read_file_perms;
+ allow $1 boinc_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, boinc_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an boinc environment.
## </summary>
## <param name="domain">
## <summary>
@@ -19,26 +176,32 @@
#
interface(`boinc_admin',`
gen_require(`
-
- type boinc_t, boinc_project_t, boinc_log_t;
- type boinc_var_lib_t, boinc_tmp_t, boinc_initrc_exec_t;
- type boinc_project_var_lib_t, boinc_project_tmp_t;
+ type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
+ type boinc_unit_file_t;
')
- allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { boinc_t boinc_project_t })
+ allow $1 boinc_t:process signal_perms;
+ ps_process_pattern($1, boinc_t)
- init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 boinc_t:process ptrace;
+ ')
+
+ boinc_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 boinc_initrc_exec_t system_r;
allow $2 system_r;
- logging_search_logs($1)
- admin_pattern($1, boinc_log_t)
+ files_list_var_lib($1)
+ admin_pattern($1, boinc_var_lib_t)
- files_search_tmp($1)
- admin_pattern($1, { boinc_project_tmp_t boinc_tmp_t })
+ boinc_systemctl($1)
+ admin_pattern($1, boinc_unit_file_t)
- files_search_var_lib($1)
- admin_pattern($1, { boinc_project_var_lib_t boinc_var_lib_t })
+ allow $1 boinc_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/boinc.te b/boinc.te
index 687d4c48d..7ee6d41fd 100644
--- a/boinc.te
+++ b/boinc.te
@@ -1,4 +1,4 @@
-policy_module(boinc, 1.1.1)
+policy_module(boinc, 1.3.1)
########################################
#
@@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1)
## </desc>
gen_tunable(boinc_execmem, true)
-type boinc_t;
+attribute boinc_domain;
+
+type boinc_t, boinc_domain;
type boinc_exec_t;
init_daemon_domain(boinc_t, boinc_exec_t)
@@ -28,31 +30,71 @@ files_tmpfs_file(boinc_tmpfs_t)
type boinc_var_lib_t;
files_type(boinc_var_lib_t)
-type boinc_project_var_lib_t;
-files_type(boinc_project_var_lib_t)
-
type boinc_log_t;
logging_log_file(boinc_log_t)
+type boinc_unit_file_t;
+systemd_unit_file(boinc_unit_file_t)
+
type boinc_project_t;
domain_type(boinc_project_t)
-domain_entry_file(boinc_project_t, boinc_project_var_lib_t)
role system_r types boinc_project_t;
type boinc_project_tmp_t;
files_tmp_file(boinc_project_tmp_t)
+type boinc_project_var_lib_t;
+files_type(boinc_project_var_lib_t)
+
+#######################################
+#
+# boinc domain local policy
+#
+
+allow boinc_domain self:fifo_file rw_fifo_file_perms;
+allow boinc_domain self:process signal;
+allow boinc_domain self:sem create_sem_perms;
+
+manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+manage_lnk_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+
+corecmd_exec_bin(boinc_domain)
+corecmd_exec_shell(boinc_domain)
+
+dev_read_rand(boinc_domain)
+dev_read_urand(boinc_domain)
+dev_read_sysfs(boinc_domain)
+dev_rw_xserver_misc(boinc_domain)
+
+domain_read_all_domains_state(boinc_domain)
+
+files_read_etc_runtime_files(boinc_domain)
+
+fs_getattr_all_fs(boinc_domain)
+
+miscfiles_read_fonts(boinc_domain)
+
+tunable_policy(`boinc_execmem',`
+ allow boinc_domain self:process { execstack execmem };
+')
+
+optional_policy(`
+ sysnet_dns_name_resolve(boinc_domain)
+')
+
########################################
#
-# Local policy
+# boinc local policy
#
allow boinc_t self:process { setsched setpgid signull sigkill };
-allow boinc_t self:unix_stream_socket { accept listen };
-allow boinc_t self:tcp_socket { accept listen };
+
+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
+allow boinc_t self:tcp_socket create_stream_socket_perms;
allow boinc_t self:shm create_shm_perms;
-allow boinc_t self:fifo_file rw_fifo_file_perms;
-allow boinc_t self:sem create_sem_perms;
+
+can_exec(boinc_t, boinc_exec_t)
manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
@@ -61,84 +103,63 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
-manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-manage_lnk_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-
-# entry files to the boinc_project_t domain
-manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+# this should be created by default by boinc
+# we need this label for transition to boinc_project_t
+# other boinc lib files will end up with boinc_var_lib_t
filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
-append_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-logging_log_filetrans(boinc_t, boinc_log_t, file)
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+allow boinc_t boinc_project_var_lib_t:file map;
-can_exec(boinc_t, boinc_var_lib_t)
-
-domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+logging_log_filetrans(boinc_t, boinc_log_t, { file })
+# needs read /proc/interrupts
kernel_read_system_state(boinc_t)
+kernel_read_network_state(boinc_t)
kernel_search_vm_sysctl(boinc_t)
-corenet_all_recvfrom_unlabeled(boinc_t)
+dev_getattr_mouse_dev(boinc_t)
+dev_rw_dri(boinc_t)
+
+files_getattr_all_dirs(boinc_t)
+files_getattr_all_files(boinc_t)
+
corenet_all_recvfrom_netlabel(boinc_t)
corenet_tcp_sendrecv_generic_if(boinc_t)
+corenet_udp_sendrecv_generic_if(boinc_t)
corenet_tcp_sendrecv_generic_node(boinc_t)
+corenet_udp_sendrecv_generic_node(boinc_t)
+corenet_tcp_sendrecv_all_ports(boinc_t)
+corenet_udp_sendrecv_all_ports(boinc_t)
corenet_tcp_bind_generic_node(boinc_t)
-
-corenet_sendrecv_boinc_client_packets(boinc_t)
-corenet_sendrecv_boinc_server_packets(boinc_t)
+corenet_udp_bind_generic_node(boinc_t)
corenet_tcp_bind_boinc_port(boinc_t)
-corenet_tcp_connect_boinc_port(boinc_t)
-corenet_tcp_sendrecv_boinc_port(boinc_t)
-
-corenet_sendrecv_boinc_client_server_packets(boinc_t)
corenet_tcp_bind_boinc_client_port(boinc_t)
-corenet_tcp_sendrecv_boinc_client_port(boinc_t)
-
-corenet_sendrecv_http_client_packets(boinc_t)
+corenet_tcp_connect_boinc_port(boinc_t)
corenet_tcp_connect_http_port(boinc_t)
-corenet_tcp_sendrecv_http_port(boinc_t)
-
-corenet_sendrecv_http_cache_client_packets(boinc_t)
corenet_tcp_connect_http_cache_port(boinc_t)
-corenet_tcp_sendrecv_http_cache_port(boinc_t)
-
-corenet_sendrecv_squid_client_packets(boinc_t)
corenet_tcp_connect_squid_port(boinc_t)
-corenet_tcp_sendrecv_squid_port(boinc_t)
-
-corecmd_exec_bin(boinc_t)
-corecmd_exec_shell(boinc_t)
-
-dev_read_rand(boinc_t)
-dev_read_urand(boinc_t)
-dev_read_sysfs(boinc_t)
-dev_rw_xserver_misc(boinc_t)
-
-domain_read_all_domains_state(boinc_t)
files_dontaudit_getattr_boot_dirs(boinc_t)
-files_getattr_all_dirs(boinc_t)
-files_getattr_all_files(boinc_t)
-files_read_etc_files(boinc_t)
-files_read_etc_runtime_files(boinc_t)
-files_read_usr_files(boinc_t)
-fs_getattr_all_fs(boinc_t)
+auth_use_nsswitch(boinc_t)
term_getattr_all_ptys(boinc_t)
term_getattr_unallocated_ttys(boinc_t)
init_read_utmp(boinc_t)
+libs_exec_lib_files(boinc_t)
+
logging_send_syslog_msg(boinc_t)
-miscfiles_read_fonts(boinc_t)
-miscfiles_read_localization(boinc_t)
+modutils_dontaudit_exec_insmod(boinc_t)
+
+xserver_stream_connect(boinc_t)
tunable_policy(`boinc_execmem',`
allow boinc_t self:process { execstack execmem };
@@ -148,48 +169,69 @@ optional_policy(`
mta_send_mail(boinc_t)
')
-optional_policy(`
- sysnet_dns_name_resolve(boinc_t)
-')
-
########################################
#
-# Project local policy
+# boinc-projects local policy
#
allow boinc_project_t self:capability { setuid setgid };
-allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
+
+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+allow boinc_t boinc_project_t:process sigkill;
+allow boinc_t boinc_project_t:process noatsecure;
+
+allow boinc_project_t self:process { setcap getcap setpgid setsched signal signull sigkill sigstop };
+tunable_policy(`deny_ptrace',`',`
+ allow boinc_project_t self:process ptrace;
+')
+
+allow boinc_project_t self:process { execstack };
manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file})
+allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "projects")
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "slots" )
allow boinc_project_t boinc_project_var_lib_t:file execmod;
-can_exec(boinc_project_t, boinc_project_var_lib_t)
allow boinc_project_t boinc_t:shm rw_shm_perms;
-allow boinc_project_t boinc_tmpfs_t:file { read write };
+allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
kernel_read_kernel_sysctls(boinc_project_t)
-kernel_read_network_state(boinc_project_t)
kernel_search_vm_sysctl(boinc_project_t)
+kernel_read_network_state(boinc_project_t)
-corenet_all_recvfrom_unlabeled(boinc_project_t)
-corenet_all_recvfrom_netlabel(boinc_project_t)
-corenet_tcp_sendrecv_generic_if(boinc_project_t)
-corenet_tcp_sendrecv_generic_node(boinc_project_t)
-corenet_tcp_bind_generic_node(boinc_project_t)
-
-corenet_sendrecv_boinc_client_packets(boinc_project_t)
corenet_tcp_connect_boinc_port(boinc_project_t)
-corenet_tcp_sendrecv_boinc_port(boinc_project_t)
+
+dev_getattr_input_dev(boinc_t)
+dev_getattr_mouse_dev(boinc_t)
files_dontaudit_search_home(boinc_project_t)
+term_getattr_ptmx(boinc_t)
+term_getattr_generic_ptys(boinc_t)
+
+userdom_getattr_user_ttys(boinc_t)
+
+# needed by java
+fs_read_hugetlbfs_files(boinc_project_t)
+
+optional_policy(`
+ gnome_read_gconf_config(boinc_project_t)
+')
+
optional_policy(`
java_exec(boinc_project_t)
')
+
+# until solution for VirtualBox, java ..
+optional_policy(`
+ unconfined_domain(boinc_project_t)
+')
diff --git a/brctl.te b/brctl.te
index c5a91138c..1919abdd8 100644
--- a/brctl.te
+++ b/brctl.te
@@ -24,6 +24,7 @@ allow brctl_t self:unix_dgram_socket create_socket_perms;
allow brctl_t self:tcp_socket create_socket_perms;
kernel_request_load_module(brctl_t)
+kernel_read_system_state(brctl_t)
kernel_read_network_state(brctl_t)
kernel_read_sysctl(brctl_t)
@@ -34,12 +35,8 @@ dev_write_sysfs_dirs(brctl_t)
domain_use_interactive_fds(brctl_t)
-files_read_etc_files(brctl_t)
-
term_dontaudit_use_console(brctl_t)
-miscfiles_read_localization(brctl_t)
-
optional_policy(`
xen_append_log(brctl_t)
xen_dontaudit_rw_unix_stream_sockets(brctl_t)
diff --git a/brltty.fc b/brltty.fc
new file mode 100644
index 000000000..05e352897
--- /dev/null
+++ b/brltty.fc
@@ -0,0 +1,10 @@
+/tmp/brltty\.log.* -- gen_context(system_u:object_r:brltty_log_t,s0)
+
+/usr/lib/systemd/system/brltty.* -- gen_context(system_u:object_r:brltty_unit_file_t,s0)
+
+/usr/bin/brltty -- gen_context(system_u:object_r:brltty_exec_t,s0)
+
+/var/lib/BrlAPI(/.*)? gen_context(system_u:object_r:brltty_var_lib_t,s0)
+
+/var/run/brltty(/.*)? gen_context(system_u:object_r:brltty_var_run_t,s0)
+
diff --git a/brltty.if b/brltty.if
new file mode 100644
index 000000000..968c957ab
--- /dev/null
+++ b/brltty.if
@@ -0,0 +1,80 @@
+
+## <summary>brltty is refreshable braille display driver for Linux/Unix</summary>
+
+########################################
+## <summary>
+## Execute brltty in the brltty domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`brltty_domtrans',`
+ gen_require(`
+ type brltty_t, brltty_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, brltty_exec_t, brltty_t)
+')
+########################################
+## <summary>
+## Execute brltty server in the brltty domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`brltty_systemctl',`
+ gen_require(`
+ type brltty_t;
+ type brltty_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 brltty_unit_file_t:file read_file_perms;
+ allow $1 brltty_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, brltty_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an brltty environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`brltty_admin',`
+ gen_require(`
+ type brltty_t;
+ type brltty_unit_file_t;
+ ')
+
+ allow $1 brltty_t:process { signal_perms };
+ ps_process_pattern($1, brltty_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 brltty_t:process ptrace;
+ ')
+
+ brltty_systemctl($1)
+ admin_pattern($1, brltty_unit_file_t)
+ allow $1 brltty_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/brltty.te b/brltty.te
new file mode 100644
index 000000000..c167267f8
--- /dev/null
+++ b/brltty.te
@@ -0,0 +1,70 @@
+policy_module(brltty, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type brltty_t;
+type brltty_exec_t;
+init_daemon_domain(brltty_t, brltty_exec_t)
+
+type brltty_var_lib_t;
+files_type(brltty_var_lib_t)
+
+type brltty_var_run_t;
+files_pid_file(brltty_var_run_t)
+
+type brltty_log_t;
+logging_log_file(brltty_log_t)
+
+type brltty_unit_file_t;
+systemd_unit_file(brltty_unit_file_t)
+
+########################################
+#
+# brltty local policy
+#
+allow brltty_t self:capability { sys_admin sys_tty_config mknod };
+allow brltty_t self:process { fork signal_perms };
+
+allow brltty_t self:fifo_file rw_fifo_file_perms;
+allow brltty_t self:unix_stream_socket create_stream_socket_perms;
+allow brltty_t self:tcp_socket listen;
+
+manage_files_pattern(brltty_t, brltty_log_t, brltty_log_t)
+manage_sock_files_pattern(brltty_t, brltty_log_t, brltty_log_t)
+manage_lnk_files_pattern(brltty_t, brltty_log_t, brltty_log_t)
+files_tmp_filetrans(brltty_t, brltty_log_t, { file dir })
+
+manage_dirs_pattern(brltty_t, brltty_var_lib_t, brltty_var_lib_t)
+manage_files_pattern(brltty_t, brltty_var_lib_t, brltty_var_lib_t)
+manage_sock_files_pattern(brltty_t,brltty_var_lib_t, brltty_var_lib_t)
+files_var_lib_filetrans(brltty_t, brltty_var_lib_t, {file sock_file dir})
+
+manage_dirs_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
+manage_files_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
+manage_chr_files_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
+files_pid_filetrans(brltty_t, brltty_var_run_t, { dir file chr_file })
+allow brltty_t brltty_var_run_t:dir mounton;
+
+kernel_read_system_state(brltty_t)
+kernel_read_usermodehelper_state(brltty_t)
+
+auth_use_nsswitch(brltty_t)
+
+corenet_tcp_bind_brlp_port(brltty_t)
+
+dev_read_sysfs(brltty_t)
+dev_rw_generic_usb_dev(brltty_t)
+dev_rw_input_dev(brltty_t)
+
+fs_getattr_all_fs(brltty_t)
+
+logging_send_syslog_msg(brltty_t)
+
+modutils_domtrans_insmod(brltty_t)
+
+sysnet_dns_name_resolve(brltty_t)
+
+term_use_unallocated_ttys(brltty_t)
diff --git a/bugzilla.fc b/bugzilla.fc
index fce0b6ebf..9efceac4e 100644
--- a/bugzilla.fc
+++ b/bugzilla.fc
@@ -1,4 +1,4 @@
-/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
-/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+/usr/share/bugzilla(/.*)? gen_context(system_u:object_r:bugzilla_content_t,s0)
+/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:bugzilla_script_exec_t,s0)
-/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:bugzilla_rw_content_t,s0)
diff --git a/bugzilla.if b/bugzilla.if
index 1b22262d5..d9ea246a1 100644
--- a/bugzilla.if
+++ b/bugzilla.if
@@ -12,10 +12,10 @@
#
interface(`bugzilla_search_content',`
gen_require(`
- type httpd_bugzilla_content_t;
+ type bugzilla_content_t;
')
- allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+ allow $1 bugzilla_content_t:dir search_dir_perms;
')
########################################
@@ -32,10 +32,10 @@ interface(`bugzilla_search_content',`
#
interface(`bugzilla_dontaudit_rw_stream_sockets',`
gen_require(`
- type httpd_bugzilla_script_t;
+ type bugzilla_script_t;
')
- dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
+ dontaudit $1 bugzilla_script_t:unix_stream_socket { read write };
')
########################################
@@ -48,33 +48,37 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
#
interface(`bugzilla_admin',`
gen_require(`
- type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
- type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
- type httpd_bugzilla_htaccess_t;
+ type bugzilla_script_t, bugzilla_content_t, bugzilla_ra_content_t;
+ type bugzilla_rw_content_t, bugzilla_script_exec_t;
+ type bugzilla_htaccess_t, bugzilla_tmp_t;
+ ')
+
+ allow $1 bugzilla_script_t:process signal_perms;
+ ps_process_pattern($1, bugzilla_script_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 bugzilla_script_t:process ptrace;
')
- allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
- ps_process_pattern($1, httpd_bugzilla_script_t)
+ files_list_tmp($1)
+ admin_pattern($1, bugzilla_tmp_t)
- files_search_usr($1)
- admin_pattern($1, httpd_bugzilla_script_exec_t)
- admin_pattern($1, httpd_bugzilla_script_t)
- admin_pattern($1, httpd_bugzilla_content_t)
- admin_pattern($1, httpd_bugzilla_htaccess_t)
- admin_pattern($1, httpd_bugzilla_ra_content_t)
+ files_list_var_lib(bugzilla_script_t)
+
+ admin_pattern($1, bugzilla_script_exec_t)
+ admin_pattern($1, bugzilla_script_t)
+ admin_pattern($1, bugzilla_content_t)
+ admin_pattern($1, bugzilla_htaccess_t)
+ admin_pattern($1, bugzilla_ra_content_t)
files_search_tmp($1)
files_search_var_lib($1)
- admin_pattern($1, httpd_bugzilla_rw_content_t)
+ admin_pattern($1, bugzilla_rw_content_t)
- apache_list_sys_content($1)
+ optional_policy(`
+ apache_list_sys_content($1)
+ ')
')
diff --git a/bugzilla.te b/bugzilla.te
index 18623e39e..c62f617e1 100644
--- a/bugzilla.te
+++ b/bugzilla.te
@@ -6,42 +6,55 @@ policy_module(bugzilla, 1.1.0)
#
apache_content_template(bugzilla)
+apache_content_alias_template(bugzilla, bugzilla)
+
+type bugzilla_tmp_t alias httpd_bugzilla_tmp_t;
+files_tmp_file(bugzilla_tmp_t)
########################################
#
# Local policy
#
-allow httpd_bugzilla_script_t self:tcp_socket { accept listen };
+allow bugzilla_script_t self:tcp_socket { accept listen };
+
+corenet_all_recvfrom_netlabel(bugzilla_script_t)
+corenet_tcp_sendrecv_generic_if(bugzilla_script_t)
+corenet_tcp_sendrecv_generic_node(bugzilla_script_t)
+
+corenet_sendrecv_http_client_packets(bugzilla_script_t)
+corenet_tcp_connect_http_port(bugzilla_script_t)
+corenet_tcp_sendrecv_http_port(bugzilla_script_t)
+
+corenet_sendrecv_smtp_client_packets(bugzilla_script_t)
+corenet_tcp_connect_smtp_port(bugzilla_script_t)
+corenet_tcp_sendrecv_smtp_port(bugzilla_script_t)
+
+manage_dirs_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t)
+manage_files_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t)
+files_tmp_filetrans(bugzilla_script_t, bugzilla_tmp_t, { file dir })
-corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
-corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
-corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
-corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
+files_search_var_lib(bugzilla_script_t)
-corenet_sendrecv_http_client_packets(httpd_bugzilla_script_t)
-corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
-corenet_tcp_sendrecv_http_port(httpd_bugzilla_script_t)
+auth_read_passwd(bugzilla_script_t)
-corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
-corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
-corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
+dev_read_sysfs(bugzilla_script_t)
-files_search_var_lib(httpd_bugzilla_script_t)
+sysnet_read_config(bugzilla_script_t)
+sysnet_use_ldap(bugzilla_script_t)
-sysnet_dns_name_resolve(httpd_bugzilla_script_t)
-sysnet_use_ldap(httpd_bugzilla_script_t)
+miscfiles_read_certs(bugzilla_script_t)
optional_policy(`
- mta_send_mail(httpd_bugzilla_script_t)
+ mta_send_mail(bugzilla_script_t)
')
optional_policy(`
- mysql_stream_connect(httpd_bugzilla_script_t)
- mysql_tcp_connect(httpd_bugzilla_script_t)
+ mysql_stream_connect(bugzilla_script_t)
+ mysql_tcp_connect(bugzilla_script_t)
')
optional_policy(`
- postgresql_stream_connect(httpd_bugzilla_script_t)
- postgresql_tcp_connect(httpd_bugzilla_script_t)
+ postgresql_stream_connect(bugzilla_script_t)
+ postgresql_tcp_connect(bugzilla_script_t)
')
diff --git a/bumblebee.fc b/bumblebee.fc
new file mode 100644
index 000000000..b5ee23be7
--- /dev/null
+++ b/bumblebee.fc
@@ -0,0 +1,7 @@
+/etc/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
+
+/usr/lib/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
+
+/usr/sbin/bumblebeed -- gen_context(system_u:object_r:bumblebee_exec_t,s0)
+
+/var/run/bumblebee.* gen_context(system_u:object_r:bumblebee_var_run_t,s0)
diff --git a/bumblebee.if b/bumblebee.if
new file mode 100644
index 000000000..2d2e60c19
--- /dev/null
+++ b/bumblebee.if
@@ -0,0 +1,122 @@
+## <summary>policy for bumblebee</summary>
+
+########################################
+## <summary>
+## Execute bumblebee in the bumblebee domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bumblebee_domtrans',`
+ gen_require(`
+ type bumblebee_t, bumblebee_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, bumblebee_exec_t, bumblebee_t)
+')
+
+########################################
+## <summary>
+## Read bumblebee PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bumblebee_read_pid_files',`
+ gen_require(`
+ type bumblebee_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute bumblebee server in the bumblebee domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bumblebee_systemctl',`
+ gen_require(`
+ type bumblebee_t;
+ type bumblebee_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 bumblebee_unit_file_t:file read_file_perms;
+ allow $1 bumblebee_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, bumblebee_t)
+')
+
+########################################
+## <summary>
+## Connect to bumblebee over a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bumblebee_stream_connect',`
+ gen_require(`
+ type bumblebee_t, bumblebee_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t, bumblebee_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an bumblebee environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bumblebee_admin',`
+ gen_require(`
+ type bumblebee_t;
+ type bumblebee_var_run_t;
+ type bumblebee_unit_file_t;
+ ')
+
+ allow $1 bumblebee_t:process { signal_perms };
+ ps_process_pattern($1, bumblebee_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 bumblebee_t:process ptrace;
+ ')
+
+ files_search_pids($1)
+ admin_pattern($1, bumblebee_var_run_t)
+
+ bumblebee_systemctl($1)
+ admin_pattern($1, bumblebee_unit_file_t)
+ allow $1 bumblebee_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/bumblebee.te b/bumblebee.te
new file mode 100644
index 000000000..9aee6f327
--- /dev/null
+++ b/bumblebee.te
@@ -0,0 +1,63 @@
+policy_module(bumblebee, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type bumblebee_t;
+type bumblebee_exec_t;
+init_daemon_domain(bumblebee_t, bumblebee_exec_t)
+
+type bumblebee_var_run_t;
+files_pid_file(bumblebee_var_run_t)
+
+type bumblebee_unit_file_t;
+systemd_unit_file(bumblebee_unit_file_t)
+
+########################################
+#
+# bumblebee local policy
+#
+
+allow bumblebee_t self:capability { setgid };
+allow bumblebee_t self:process { fork signal_perms };
+allow bumblebee_t self:fifo_file rw_fifo_file_perms;
+allow bumblebee_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+manage_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+manage_sock_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+manage_lnk_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+files_pid_filetrans(bumblebee_t, bumblebee_var_run_t, { dir file lnk_file sock_file })
+
+kernel_read_system_state(bumblebee_t)
+kernel_read_network_state(bumblebee_t)
+kernel_dontaudit_access_check_proc(bumblebee_t)
+kernel_dontaudit_write_proc_files(bumblebee_t)
+kernel_manage_debugfs(bumblebee_t)
+
+corecmd_exec_shell(bumblebee_t)
+corecmd_exec_bin(bumblebee_t)
+
+dev_read_sysfs(bumblebee_t)
+
+auth_use_nsswitch(bumblebee_t)
+
+logging_send_syslog_msg(bumblebee_t)
+
+modutils_domtrans_insmod(bumblebee_t)
+modutils_signal_insmod(bumblebee_t)
+
+sysnet_dns_name_resolve(bumblebee_t)
+
+xserver_domtrans(bumblebee_t)
+xserver_kill(bumblebee_t)
+xserver_signal(bumblebee_t)
+xserver_stream_connect(bumblebee_t)
+xserver_manage_xkb_libs(bumblebee_t)
+corenet_tcp_connect_xserver_port(bumblebee_t)
+
+optional_policy(`
+ apm_stream_connect(bumblebee_t)
+')
diff --git a/cachefilesd.fc b/cachefilesd.fc
index 648c7902b..aa03fc8ae 100644
--- a/cachefilesd.fc
+++ b/cachefilesd.fc
@@ -1,9 +1,34 @@
-/etc/rc\.d/init\.d/cachefilesd -- gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0)
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the contexts to be assigned to various files and directories of
+# importance to the CacheFiles kernel module and userspace management daemon.
+#
+
+# cachefilesd executable will have:
+# label: system_u:object_r:cachefilesd_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
/usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
-/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefilesd_cache_t,s0)
+/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
-/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
diff --git a/cachefilesd.if b/cachefilesd.if
index 8de2ab9c5..3b419455f 100644
--- a/cachefilesd.if
+++ b/cachefilesd.if
@@ -1,39 +1,35 @@
-## <summary>CacheFiles user-space management daemon.</summary>
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the policy interface for the CacheFiles userspace management daemon.
+#
+## <summary>policy for cachefilesd</summary>
########################################
## <summary>
-## All of the rules required to
-## administrate an cachefilesd environment.
+## Execute a domain transition to run cachefilesd.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
## </summary>
## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
#
-interface(`cachefilesd_admin',`
+interface(`cachefilesd_domtrans',`
gen_require(`
- type cachefilesd_t, cachefilesd_initrc_exec_t, cachefilesd_cache_t;
- type cachefilesd_var_run_t;
+ type cachefilesd_t, cachefilesd_exec_t;
')
- allow $1 cachefilesd_t:process { ptrace signal_perms };
- ps_process_pattern($1, cachefilesd_t)
-
- init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cachefilesd_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_var($1)
- admin_pattern($1, cachefilesd_cache_t)
-
- files_search_pids($1)
- admin_pattern($1, cachefilesd_var_run_t)
+ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
')
diff --git a/cachefilesd.te b/cachefilesd.te
index a3760bc92..f2fc5b2f3 100644
--- a/cachefilesd.te
+++ b/cachefilesd.te
@@ -1,52 +1,125 @@
policy_module(cachefilesd, 1.1.0)
-########################################
+###############################################################################
#
# Declarations
#
+#
+# Files in the cache are created by the cachefiles module with security ID
+# cachefiles_var_t
+#
+type cachefiles_var_t;
+files_type(cachefiles_var_t)
+
+#
+# The /dev/cachefiles character device has security ID cachefiles_dev_t
+#
+type cachefiles_dev_t;
+dev_node(cachefiles_dev_t)
+
+#
+# The cachefilesd daemon normally runs with security ID cachefilesd_t
+#
type cachefilesd_t;
type cachefilesd_exec_t;
init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
-type cachefilesd_initrc_exec_t;
-init_script_file(cachefilesd_initrc_exec_t)
-
-type cachefilesd_cache_t;
-files_type(cachefilesd_cache_t)
-
+#
+# The cachefilesd daemon pid file context
+#
type cachefilesd_var_run_t;
files_pid_file(cachefilesd_var_run_t)
-########################################
#
-# Local policy
+# The CacheFiles kernel module causes processes accessing the cache files to do
+# so acting as security ID cachefiles_kernel_t
+#
+type cachefiles_kernel_t;
+domain_type(cachefiles_kernel_t)
+domain_obj_id_change_exemption(cachefiles_kernel_t)
+role system_r types cachefiles_kernel_t;
+
+###############################################################################
#
+# Permit RPM to deal with files in the cache
+#
+optional_policy(`
+ rpm_use_script_fds(cachefilesd_t)
+')
-allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
+###############################################################################
+#
+# cachefilesd local policy
+#
+# These define what cachefilesd is permitted to do. This doesn't include very
+# much: startup stuff, logging, pid file, scanning the cache superstructure and
+# deleting files from the cache. It is not permitted to read/write files in
+# the cache.
+#
+# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
+# rules.
+#
+allow cachefilesd_t self:capability { setuid setgid sys_admin dac_read_search };
+allow cachefilesd_t self:process signal_perms;
+# Allow manipulation of pid file
+allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
+manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
+files_create_as_is_all_files(cachefilesd_t)
-manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
-manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
-
-dev_rw_cachefiles(cachefilesd_t)
+# Allow access to cachefiles device file
+allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
-files_create_all_files_as(cachefilesd_t)
-files_read_etc_files(cachefilesd_t)
+# Allow access to cache superstructure
+manage_dirs_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
+# Permit statfs on the backing filesystem
fs_getattr_xattr_fs(cachefilesd_t)
+# Basic access
+logging_send_syslog_msg(cachefilesd_t)
+init_dontaudit_use_script_ptys(cachefilesd_t)
term_dontaudit_use_generic_ptys(cachefilesd_t)
term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
-logging_send_syslog_msg(cachefilesd_t)
+###############################################################################
+#
+# When cachefilesd invokes the kernel module to begin caching, it has to tell
+# the kernel module the security context in which it should act, and this
+# policy has to approve that.
+#
+# There are two parts to this:
+#
+# (1) the security context used by the module to access files in the cache,
+# as set by the 'secctx' command in /etc/cachefilesd.conf, and
+#
+allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
-miscfiles_read_localization(cachefilesd_t)
+#
+# (2) the label that will be assigned to new files and directories created in
+# the cache by the module, which will be the same as the label on the
+# directory pointed to by the 'dir' command.
+#
+allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
-init_dontaudit_use_script_ptys(cachefilesd_t)
+###############################################################################
+#
+# cachefiles kernel module local policy
+#
+# This governs what the kernel module is allowed to do the contents of the
+# cache.
+#
+allow cachefiles_kernel_t self:capability { dac_read_search };
-optional_policy(`
- rpm_use_script_fds(cachefilesd_t)
-')
+manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
+
+fs_getattr_xattr_fs(cachefiles_kernel_t)
+
+dev_search_sysfs(cachefiles_kernel_t)
+
+init_sigchld_script(cachefiles_kernel_t)
diff --git a/calamaris.if b/calamaris.if
index cd9c52871..ba793b748 100644
--- a/calamaris.if
+++ b/calamaris.if
@@ -42,7 +42,7 @@ interface(`calamaris_run',`
attribute_role calamaris_roles;
')
- lightsquid_domtrans($1)
+ calamaris_domtrans($1)
roleattribute $2 calamaris_roles;
')
diff --git a/calamaris.te b/calamaris.te
index 7e574604b..66915d96c 100644
--- a/calamaris.te
+++ b/calamaris.te
@@ -23,7 +23,7 @@ files_type(calamaris_www_t)
# Local policy
#
-allow calamaris_t self:capability dac_override;
+allow calamaris_t self:capability { dac_read_search };
allow calamaris_t self:process { signal_perms setsched };
allow calamaris_t self:fifo_file rw_fifo_file_perms;
allow calamaris_t self:unix_stream_socket { accept listen };
@@ -41,19 +41,23 @@ kernel_read_system_state(calamaris_t)
corecmd_exec_bin(calamaris_t)
+corenet_all_recvfrom_netlabel(calamaris_t)
+corenet_tcp_sendrecv_generic_if(calamaris_t)
+corenet_udp_sendrecv_generic_if(calamaris_t)
+corenet_tcp_sendrecv_generic_node(calamaris_t)
+corenet_udp_sendrecv_generic_node(calamaris_t)
+corenet_tcp_sendrecv_all_ports(calamaris_t)
+corenet_udp_sendrecv_all_ports(calamaris_t)
+
dev_read_urand(calamaris_t)
-files_read_usr_files(calamaris_t)
+files_search_pids(calamaris_t)
files_read_etc_runtime_files(calamaris_t)
-libs_read_lib_files(calamaris_t)
-
auth_use_nsswitch(calamaris_t)
logging_send_syslog_msg(calamaris_t)
-miscfiles_read_localization(calamaris_t)
-
userdom_dontaudit_list_user_home_dirs(calamaris_t)
optional_policy(`
diff --git a/callweaver.te b/callweaver.te
index 0e5be4cdf..b9a407f90 100644
--- a/callweaver.te
+++ b/callweaver.te
@@ -84,4 +84,3 @@ term_use_ptmx(callweaver_t)
auth_use_nsswitch(callweaver_t)
-miscfiles_read_localization(callweaver_t)
diff --git a/canna.if b/canna.if
index 400db07a2..f416e22a7 100644
--- a/canna.if
+++ b/canna.if
@@ -43,9 +43,13 @@ interface(`canna_admin',`
type canna_var_run_t, canna_initrc_exec_t;
')
- allow $1 canna_t:process { ptrace signal_perms };
+ allow $1 canna_t:process signal_perms;
ps_process_pattern($1, canna_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 canna_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, canna_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 canna_initrc_exec_t system_r;
diff --git a/canna.te b/canna.te
index 9fe61621f..5c505e7de 100644
--- a/canna.te
+++ b/canna.te
@@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file })
kernel_read_kernel_sysctls(canna_t)
kernel_read_system_state(canna_t)
-corenet_all_recvfrom_unlabeled(canna_t)
corenet_all_recvfrom_netlabel(canna_t)
corenet_tcp_sendrecv_generic_if(canna_t)
corenet_tcp_sendrecv_generic_node(canna_t)
@@ -68,15 +67,13 @@ fs_search_auto_mountpoints(canna_t)
domain_use_interactive_fds(canna_t)
-files_read_etc_files(canna_t)
files_read_etc_runtime_files(canna_t)
-files_read_usr_files(canna_t)
files_search_tmp(canna_t)
files_dontaudit_read_root_files(canna_t)
-logging_send_syslog_msg(canna_t)
+auth_use_nsswitch(canna_t)
-miscfiles_read_localization(canna_t)
+logging_send_syslog_msg(canna_t)
sysnet_read_config(canna_t)
diff --git a/ccs.if b/ccs.if
index 5ded72d37..cb94e5ea7 100644
--- a/ccs.if
+++ b/ccs.if
@@ -98,20 +98,24 @@ interface(`ccs_manage_config',`
interface(`ccs_admin',`
gen_require(`
type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
- type ccs_var_lib_t_t, ccs_var_log_t;
+ type ccs_var_lib_t, ccs_var_log_t;
type ccs_var_run_t, ccs_tmp_t;
')
- allow $1 ccs_t:process { ptrace signal_perms };
+ allow $1 ccs_t:process { signal_perms };
ps_process_pattern($1, ccs_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ccs_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, ccs_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ccs_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
- admin_pattern($1, ccs_conf_t)
+ admin_pattern($1, cluster_conf_t)
files_search_var_lib($1)
admin_pattern($1, ccs_var_lib_t)
diff --git a/ccs.te b/ccs.te
index 658134d8a..58deeceaa 100644
--- a/ccs.te
+++ b/ccs.te
@@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t)
allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
allow ccs_t self:process { signal setrlimit setsched };
-dontaudit ccs_t self:process ptrace;
+
allow ccs_t self:fifo_file rw_fifo_file_perms;
allow ccs_t self:unix_stream_socket { accept connectto listen };
allow ccs_t self:tcp_socket { accept listen };
@@ -75,7 +75,6 @@ kernel_read_kernel_sysctls(ccs_t)
corecmd_list_bin(ccs_t)
corecmd_exec_bin(ccs_t)
-corenet_all_recvfrom_unlabeled(ccs_t)
corenet_all_recvfrom_netlabel(ccs_t)
corenet_tcp_sendrecv_generic_if(ccs_t)
corenet_udp_sendrecv_generic_if(ccs_t)
@@ -95,15 +94,13 @@ corenet_udp_bind_netsupport_port(ccs_t)
dev_read_urand(ccs_t)
-files_read_etc_files(ccs_t)
files_read_etc_runtime_files(ccs_t)
init_rw_script_tmp_files(ccs_t)
+init_signal(ccs_t)
logging_send_syslog_msg(ccs_t)
-miscfiles_read_localization(ccs_t)
-
sysnet_dns_name_resolve(ccs_t)
userdom_manage_unpriv_user_shared_mem(ccs_t)
@@ -115,8 +112,7 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
- aisexec_stream_connect(ccs_t)
- corosync_stream_connect(ccs_t)
+ rhcs_stream_connect_cluster(ccs_t)
')
optional_policy(`
diff --git a/cdrecord.if b/cdrecord.if
index fbc20f694..4de4a005c 100644
--- a/cdrecord.if
+++ b/cdrecord.if
@@ -27,6 +27,9 @@ interface(`cdrecord_role',`
allow cdrecord_t $2:unix_stream_socket rw_socket_perms;
- allow $2 cdrecord_t:process { ptrace signal_perms };
+ allow $2 cdrecord_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 cdrecord_t:process ptrace;
+ ')
ps_process_pattern($2, cdrecord_t)
')
diff --git a/cdrecord.te b/cdrecord.te
index 16883c9c3..96f86d07b 100644
--- a/cdrecord.te
+++ b/cdrecord.te
@@ -29,7 +29,7 @@ role cdrecord_roles types cdrecord_t;
# Local policy
#
-allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
+allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_read_search sys_rawio };
allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill };
allow cdrecord_t self:unix_stream_socket { accept listen };
@@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t)
domain_interactive_fd(cdrecord_t)
domain_use_interactive_fds(cdrecord_t)
-files_read_etc_files(cdrecord_t)
-
term_use_controlling_term(cdrecord_t)
term_list_ptys(cdrecord_t)
@@ -52,10 +50,7 @@ storage_write_scsi_generic(cdrecord_t)
logging_send_syslog_msg(cdrecord_t)
-miscfiles_read_localization(cdrecord_t)
-
-userdom_use_user_terminals(cdrecord_t)
-userdom_read_user_home_content_files(cdrecord_t)
+userdom_use_inherited_user_terminals(cdrecord_t)
tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
fs_list_auto_mountpoints(cdrecord_t)
@@ -104,11 +99,7 @@ tunable_policy(`cdrecord_read_content',`
userdom_dontaudit_read_user_home_content_files(cdrecord_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- files_search_mnt(cdrecord_t)
- fs_read_nfs_files(cdrecord_t)
- fs_read_nfs_symlinks(cdrecord_t)
-')
+userdom_home_manager(cdrecord_t)
optional_policy(`
resmgr_stream_connect(cdrecord_t)
diff --git a/certmaster.if b/certmaster.if
index 0c53b189b..ef29f6e6c 100644
--- a/certmaster.if
+++ b/certmaster.if
@@ -117,13 +117,16 @@ interface(`certmaster_manage_log',`
interface(`certmaster_admin',`
gen_require(`
type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
- type certmaster_etc_rw_t, certmaster_var_log_t;
- type certmaster_initrc_exec_t;
+ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
')
- allow $1 certmaster_t:process { ptrace signal_perms };
+ allow $1 certmaster_t:process signal_perms;
ps_process_pattern($1, certmaster_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 certmaster_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 certmaster_initrc_exec_t system_r;
diff --git a/certmaster.te b/certmaster.te
index 4a878730b..59890995f 100644
--- a/certmaster.te
+++ b/certmaster.te
@@ -29,7 +29,7 @@ files_pid_file(certmaster_var_run_t)
# Local policy
#
-allow certmaster_t self:capability { dac_read_search dac_override sys_tty_config };
+allow certmaster_t self:capability { dac_read_search sys_tty_config };
allow certmaster_t self:tcp_socket { accept listen };
list_dirs_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
@@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
dev_read_urand(certmaster_t)
files_list_var(certmaster_t)
-files_search_etc(certmaster_t)
-files_read_usr_files(certmaster_t)
auth_use_nsswitch(certmaster_t)
-miscfiles_read_localization(certmaster_t)
miscfiles_manage_generic_cert_dirs(certmaster_t)
miscfiles_manage_generic_cert_files(certmaster_t)
+
+mta_send_mail(certmaster_t)
diff --git a/certmonger.fc b/certmonger.fc
index ed298d8b6..c88764838 100644
--- a/certmonger.fc
+++ b/certmonger.fc
@@ -1,7 +1,12 @@
+/etc/systemd/system/dirsrv.target.wants(/.*)? gen_context(system_u:object_r:certmonger_unit_file_t,s0)
+/usr/lib/systemd/system/certmonger.* gen_context(system_u:object_r:certmonger_unit_file_t,s0)
+
/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0)
/usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
+/usr/lib/ipa/certmonger(/.*)? gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0)
+
/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
/var/run/certmonger.* gen_context(system_u:object_r:certmonger_var_run_t,s0)
diff --git a/certmonger.if b/certmonger.if
index 008f8ef26..144c0740a 100644
--- a/certmonger.if
+++ b/certmonger.if
@@ -160,16 +160,20 @@ interface(`certmonger_admin',`
')
ps_process_pattern($1, certmonger_t)
- allow $1 certmonger_t:process { ptrace signal_perms };
+ allow $1 certmonger_t:process signal_perms;
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 certmonger_t:process ptrace;
+ ')
certmonger_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 certmonger_initrc_exec_t system_r;
allow $2 system_r;
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, certmonger_var_lib_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
index 550b287ce..73104ec93 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t)
type certmonger_var_run_t;
files_pid_file(certmonger_var_run_t)
+type certmonger_unconfined_exec_t;
+application_executable_file(certmonger_unconfined_exec_t)
+
+type certmonger_unit_file_t;
+systemd_unit_file(certmonger_unit_file_t)
+
########################################
#
# Local policy
#
-allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
+allow certmonger_t self:capability { chown dac_read_search setgid setuid kill sys_nice };
dontaudit certmonger_t self:capability sys_tty_config;
allow certmonger_t self:capability2 block_suspend;
+
allow certmonger_t self:process { getsched setsched sigkill signal };
-allow certmonger_t self:fifo_file rw_fifo_file_perms;
-allow certmonger_t self:unix_stream_socket { accept listen };
-allow certmonger_t self:tcp_socket { accept listen };
+allow certmonger_t self:fifo_file rw_file_perms;
+allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
+allow certmonger_t self:tcp_socket create_stream_socket_perms;
+allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
@@ -41,6 +49,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
kernel_read_kernel_sysctls(certmonger_t)
kernel_read_system_state(certmonger_t)
+kernel_read_network_state(certmonger_t)
corenet_all_recvfrom_unlabeled(certmonger_t)
corenet_all_recvfrom_netlabel(certmonger_t)
@@ -49,17 +58,26 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
corenet_sendrecv_certmaster_client_packets(certmonger_t)
corenet_tcp_connect_certmaster_port(certmonger_t)
+
+corenet_tcp_connect_http_port(certmonger_t)
+corenet_tcp_connect_http_cache_port(certmonger_t)
+
+corenet_tcp_connect_ldap_port(certmonger_t)
+
+corenet_tcp_connect_pki_ca_port(certmonger_t)
corenet_tcp_sendrecv_certmaster_port(certmonger_t)
corecmd_exec_bin(certmonger_t)
corecmd_exec_shell(certmonger_t)
+dev_read_rand(certmonger_t)
dev_read_urand(certmonger_t)
domain_use_interactive_fds(certmonger_t)
-files_read_usr_files(certmonger_t)
files_list_tmp(certmonger_t)
+files_list_home(certmonger_t)
+files_dontaudit_write_etc_runtime_files(certmonger_t)
fs_search_cgroup_dirs(certmonger_t)
@@ -68,18 +86,24 @@ auth_rw_cache(certmonger_t)
init_getattr_all_script_files(certmonger_t)
+libs_exec_ldconfig(certmonger_t)
+
logging_send_syslog_msg(certmonger_t)
-miscfiles_read_localization(certmonger_t)
-miscfiles_manage_generic_cert_files(certmonger_t)
+miscfiles_manage_all_certs(certmonger_t)
+
+systemd_exec_systemctl(certmonger_t)
+systemd_manage_all_unit_files(certmonger_t)
+systemd_start_systemd_services(certmonger_t)
+systemd_status_all_unit_files(certmonger_t)
userdom_search_user_home_content(certmonger_t)
optional_policy(`
- apache_initrc_domtrans(certmonger_t)
- apache_search_config(certmonger_t)
+ apache_read_config(certmonger_t)
apache_signal(certmonger_t)
apache_signull(certmonger_t)
+ apache_systemctl(certmonger_t)
')
optional_policy(`
@@ -92,11 +116,74 @@ optional_policy(`
')
optional_policy(`
- kerberos_read_keytab(certmonger_t)
+ dirsrv_manage_config(certmonger_t)
+ dirsrv_signal(certmonger_t)
+ dirsrv_signull(certmonger_t)
+ dirsrv_stream_connect(certmonger_t)
+')
+
+optional_policy(`
+ ipa_manage_lib(certmonger_t)
+ ipa_manage_log(certmonger_t)
+ ipa_manage_pid_files(certmonger_t)
+ ipa_filetrans_pid(certmonger_t,"renewal.lock")
+ ipa_named_filetrans_log_dir(certmonger_t)
+')
+
+optional_policy(`
kerberos_use(certmonger_t)
+ kerberos_read_keytab(certmonger_t)
+ kerberos_manage_kdc_config(certmonger_t)
+ kerberos_filetrans_named_content(certmonger_t)
')
optional_policy(`
pcscd_read_pid_files(certmonger_t)
pcscd_stream_connect(certmonger_t)
')
+
+optional_policy(`
+ pki_rw_tomcat_cert(certmonger_t)
+ pki_read_tomcat_lib_files(certmonger_t)
+ pki_tomcat_systemctl(certmonger_t)
+')
+
+optional_policy(`
+ rhcs_start_haproxy_services(certmonger_t)
+')
+
+optional_policy(`
+ sssd_delete_public_files(certmonger_t)
+')
+
+optional_policy(`
+ allow certmonger_t certmonger_unit_file_t:service manage_service_perms;
+ allow certmonger_t certmonger_unit_file_t:file manage_file_perms;
+ allow certmonger_t certmonger_unit_file_t:dir manage_dir_perms;
+ systemd_unit_file_filetrans(certmonger_t, certmonger_unit_file_t, dir)
+')
+
+########################################
+#
+# certmonger_unconfined_script_t local policy
+#
+
+optional_policy(`
+ type certmonger_unconfined_t;
+ domain_type(certmonger_unconfined_t)
+
+ domain_entry_file(certmonger_unconfined_t, certmonger_unconfined_exec_t)
+ role system_r types certmonger_unconfined_t;
+
+ domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)
+
+ allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;
+ allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;
+ allow certmonger_t certmonger_unconfined_exec_t:file ioctl;
+
+ init_domtrans_script(certmonger_unconfined_t)
+
+ optional_policy(`
+ unconfined_domain(certmonger_unconfined_t)
+ ')
+')
diff --git a/certwatch.te b/certwatch.te
index 171fafb99..38614a0e9 100644
--- a/certwatch.te
+++ b/certwatch.te
@@ -18,35 +18,47 @@ role certwatch_roles types certwatch_t;
# Local policy
#
-allow certwatch_t self:capability sys_nice;
+allow certwatch_t self:capability { dac_read_search sys_nice };
allow certwatch_t self:process { setsched getsched };
+allow certwatch_t self:tcp_socket create_stream_socket_perms;
+kernel_read_system_state(certwatch_t)
+
+corecmd_exec_bin(certwatch_t)
+
+dev_read_rand(certwatch_t)
dev_read_urand(certwatch_t)
-files_read_etc_files(certwatch_t)
-files_read_usr_files(certwatch_t)
files_read_usr_symlinks(certwatch_t)
files_list_tmp(certwatch_t)
fs_list_inotifyfs(certwatch_t)
auth_manage_cache(certwatch_t)
+auth_read_passwd(certwatch_t)
auth_var_filetrans_cache(certwatch_t)
logging_send_syslog_msg(certwatch_t)
miscfiles_read_all_certs(certwatch_t)
-miscfiles_read_localization(certwatch_t)
+miscfiles_manage_generic_cert_dirs(certwatch_t)
+
+sysnet_read_config(certwatch_t)
-userdom_use_user_terminals(certwatch_t)
-userdom_dontaudit_list_user_home_dirs(certwatch_t)
+userdom_use_inherited_user_terminals(certwatch_t)
+userdom_dontaudit_list_admin_dir(certwatch_t)
optional_policy(`
+ apache_domtrans(certwatch_t)
apache_exec_modules(certwatch_t)
apache_read_config(certwatch_t)
')
optional_policy(`
+ mta_send_mail(certwatch_t)
+')
+
+optional_policy(`
cron_system_entry(certwatch_t, certwatch_exec_t)
')
diff --git a/cfengine.if b/cfengine.if
index a7311229f..5279d4e3a 100644
--- a/cfengine.if
+++ b/cfengine.if
@@ -13,7 +13,6 @@
template(`cfengine_domain_template',`
gen_require(`
attribute cfengine_domain;
- type cfengine_log_t, cfengine_var_lib_t;
')
########################################
@@ -30,7 +29,29 @@ template(`cfengine_domain_template',`
# Policy
#
+ kernel_read_system_state(cfengine_$1_t)
+
auth_use_nsswitch(cfengine_$1_t)
+
+ logging_send_syslog_msg(cfengine_$1_t)
+')
+
+######################################
+## <summary>
+## Search cfengine lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cfengine_search_lib_files',`
+ gen_require(`
+ type cfengine_var_lib_t;
+ ')
+
+ allow $1 cfengine_var_lib_t:dir search_dir_perms;
')
########################################
@@ -71,6 +92,43 @@ interface(`cfengine_dontaudit_write_log_files',`
dontaudit $1 cfengine_var_log_t:file write_file_perms;
')
+#####################################
+## <summary>
+## Allow the specified domain to append cfengine's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cfengine_append_inherited_log',`
+ gen_require(`
+ type cfengine_var_log_t;
+ ')
+
+ cfengine_search_lib_files($1)
+ allow $1 cfengine_var_log_t:file { getattr append ioctl lock };
+')
+
+####################################
+## <summary>
+## Dontaudit the specified domain to write cfengine's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cfengine_dontaudit_write_log',`
+ gen_require(`
+ type cfengine_var_log_t;
+ ')
+
+ dontaudit $1 cfengine_var_log_t:file write;
+')
+
########################################
## <summary>
## All of the rules required to
@@ -94,7 +152,7 @@ interface(`cfengine_admin',`
type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t;
')
- allow $1 cfengine_domain:process { ptrace signal_perms };
+ allow $1 cfengine_domain:process { signal_perms };
ps_process_pattern($1, cfengine_domain)
init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
@@ -105,3 +163,4 @@ interface(`cfengine_admin',`
files_search_var_lib($1)
admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
')
+
diff --git a/cfengine.te b/cfengine.te
index fbe3ad955..21ab8e176 100644
--- a/cfengine.te
+++ b/cfengine.te
@@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
setattr_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
logging_log_filetrans(cfengine_domain, cfengine_log_t, dir)
-kernel_read_system_state(cfengine_domain)
-
corecmd_exec_bin(cfengine_domain)
corecmd_exec_shell(cfengine_domain)
dev_read_urand(cfengine_domain)
dev_read_sysfs(cfengine_domain)
-logging_send_syslog_msg(cfengine_domain)
-
-miscfiles_read_localization(cfengine_domain)
-
+sysnet_dns_name_resolve(cfengine_domain)
sysnet_domtrans_ifconfig(cfengine_domain)
########################################
@@ -69,7 +64,7 @@ domain_read_all_domains_state(cfengine_execd_t)
# Monitord local policy
#
-kernel_read_hotplug_sysctls(cfengine_monitord_t)
+kernel_read_usermodehelper_state(cfengine_monitord_t)
kernel_read_network_state(cfengine_monitord_t)
domain_read_all_domains_state(cfengine_monitord_t)
diff --git a/cgdcbxd.fc b/cgdcbxd.fc
new file mode 100644
index 000000000..756703813
--- /dev/null
+++ b/cgdcbxd.fc
@@ -0,0 +1,5 @@
+/usr/lib/systemd/system/cgdcbxd\.service -- gen_context(system_u:object_r:cgdcbxd_unit_file_t,s0)
+
+/usr/sbin/cgdcbxd -- gen_context(system_u:object_r:cgdcbxd_exec_t,s0)
+
+/var/run/cgdcbxd\.pid -- gen_context(system_u:object_r:cgdcbxd_var_run_t,s0)
diff --git a/cgdcbxd.if b/cgdcbxd.if
new file mode 100644
index 000000000..1efacf1d1
--- /dev/null
+++ b/cgdcbxd.if
@@ -0,0 +1,99 @@
+
+## <summary>policy for cgdcbxd</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the cgdcbxd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgdcbxd_domtrans',`
+ gen_require(`
+ type cgdcbxd_t, cgdcbxd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cgdcbxd_exec_t, cgdcbxd_t)
+')
+########################################
+## <summary>
+## Read cgdcbxd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgdcbxd_read_pid_files',`
+ gen_require(`
+ type cgdcbxd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, cgdcbxd_var_run_t, cgdcbxd_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute cgdcbxd server in the cgdcbxd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgdcbxd_systemctl',`
+ gen_require(`
+ type cgdcbxd_t;
+ type cgdcbxd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 cgdcbxd_unit_file_t:file read_file_perms;
+ allow $1 cgdcbxd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, cgdcbxd_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an cgdcbxd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cgdcbxd_admin',`
+ gen_require(`
+ type cgdcbxd_t;
+ type cgdcbxd_var_run_t;
+ type cgdcbxd_unit_file_t;
+ ')
+
+ allow $1 cgdcbxd_t:process { signal_perms };
+ ps_process_pattern($1, cgdcbxd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cgdcbxd_t:process ptrace;
+ ')
+
+ files_search_pids($1)
+ admin_pattern($1, cgdcbxd_var_run_t)
+
+ cgdcbxd_systemctl($1)
+ admin_pattern($1, cgdcbxd_unit_file_t)
+ allow $1 cgdcbxd_unit_file_t:service all_service_perms;
+
+')
diff --git a/cgdcbxd.te b/cgdcbxd.te
new file mode 100644
index 000000000..06ff1b01a
--- /dev/null
+++ b/cgdcbxd.te
@@ -0,0 +1,36 @@
+policy_module(cgdcbxd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cgdcbxd_t;
+type cgdcbxd_exec_t;
+init_daemon_domain(cgdcbxd_t, cgdcbxd_exec_t)
+
+type cgdcbxd_var_run_t;
+files_pid_file(cgdcbxd_var_run_t)
+
+type cgdcbxd_unit_file_t;
+systemd_unit_file(cgdcbxd_unit_file_t)
+
+########################################
+#
+# cgdcbxd local policy
+#
+
+allow cgdcbxd_t self:fifo_file rw_fifo_file_perms;
+allow cgdcbxd_t self:unix_stream_socket create_stream_socket_perms;
+
+dontaudit cgdcbxd_t self:capability sys_ptrace;
+allow cgdcbxd_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_files_pattern(cgdcbxd_t, cgdcbxd_var_run_t, cgdcbxd_var_run_t)
+files_pid_filetrans(cgdcbxd_t, cgdcbxd_var_run_t, { file })
+
+kernel_read_system_state(cgdcbxd_t)
+kernel_read_network_state(cgdcbxd_t)
+kernel_search_network_sysctl(cgdcbxd_t)
+
+domain_dontaudit_read_all_domains_state(cgdcbxd_t)
diff --git a/cgroup.if b/cgroup.if
index 85ca63f9a..1d1c99c8f 100644
--- a/cgroup.if
+++ b/cgroup.if
@@ -171,8 +171,26 @@ interface(`cgroup_admin',`
type cgrules_etc_t, cgclear_t;
')
- allow $1 { cgclear_t cgconfig_t cgred_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t })
+ allow $1 cgclear_t:process signal_perms;
+ ps_process_pattern($1, cgclear_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cgclear_t:process ptrace;
+ ')
+
+ allow $1 cgconfig_t:process signal_perms;
+ ps_process_pattern($1, cgconfig_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cgconfig_t:process ptrace;
+ ')
+
+ allow $1 cgred_t:process signal_perms;
+ ps_process_pattern($1, cgred_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cgred_t:process ptrace;
+ ')
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te
index 80a88a27a..9d59bfa0e 100644
--- a/cgroup.te
+++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
type cgrules_etc_t;
files_config_file(cgrules_etc_t)
-type cgconfig_t;
-type cgconfig_exec_t;
+type cgconfig_t alias cgconfigparser_t;
+type cgconfig_exec_t alias cgconfigparser_exec_t;
init_daemon_domain(cgconfig_t, cgconfig_exec_t)
type cgconfig_initrc_exec_t;
@@ -40,12 +40,14 @@ files_config_file(cgconfig_etc_t)
# cgclear local policy
#
-allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
+allow cgclear_t self:capability { dac_read_search sys_admin };
-allow cgclear_t cgconfig_etc_t:file read_file_perms;
+read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t)
kernel_read_system_state(cgclear_t)
+auth_use_nsswitch(cgclear_t)
+
domain_setpriority_all_domains(cgclear_t)
fs_manage_cgroup_dirs(cgclear_t)
@@ -57,30 +59,33 @@ fs_unmount_cgroup(cgclear_t)
# cgconfig local policy
#
-allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config };
+allow cgconfig_t self:capability { dac_read_search fowner fsetid chown sys_admin sys_tty_config };
allow cgconfig_t cgconfig_etc_t:file read_file_perms;
kernel_list_unlabeled(cgconfig_t)
kernel_read_system_state(cgconfig_t)
-files_read_etc_files(cgconfig_t)
-
fs_manage_cgroup_dirs(cgconfig_t)
fs_manage_cgroup_files(cgconfig_t)
fs_mount_cgroup(cgconfig_t)
fs_mounton_cgroup(cgconfig_t)
fs_unmount_cgroup(cgconfig_t)
+auth_use_nsswitch(cgconfig_t)
+
########################################
#
# cgred local policy
#
+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_read_search sys_ptrace };
+allow cgred_t self:process signal_perms;
-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
+allow cgred_t self:netlink_connector_socket create_socket_perms;
+allow cgred_t cgconfig_etc_t:file read_file_perms;
allow cgred_t cgrules_etc_t:file read_file_perms;
allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms };
@@ -99,10 +104,11 @@ domain_setpriority_all_domains(cgred_t)
files_getattr_all_files(cgred_t)
files_getattr_all_sockets(cgred_t)
files_read_all_symlinks(cgred_t)
-files_read_etc_files(cgred_t)
-fs_write_cgroup_files(cgred_t)
+fs_manage_cgroup_dirs(cgred_t)
+fs_manage_cgroup_files(cgred_t)
+fs_list_inotifyfs(cgred_t)
-logging_send_syslog_msg(cgred_t)
+auth_use_nsswitch(cgred_t)
-miscfiles_read_localization(cgred_t)
+logging_send_syslog_msg(cgred_t)
diff --git a/chrome.fc b/chrome.fc
new file mode 100644
index 000000000..5c6bdb68d
--- /dev/null
+++ b/chrome.fc
@@ -0,0 +1,11 @@
+/opt/google/chrome[^/]*/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+/opt/google/chrome[^/]*/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+
+HOME_DIR/\.cache/google-chrome(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
+HOME_DIR/\.cache/google-chrome-unstable(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
+HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
diff --git a/chrome.if b/chrome.if
new file mode 100644
index 000000000..aa308eba6
--- /dev/null
+++ b/chrome.if
@@ -0,0 +1,137 @@
+
+## <summary>policy for chrome</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run chrome_sandbox.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chrome_domtrans_sandbox',`
+ gen_require(`
+ type chrome_sandbox_t, chrome_sandbox_exec_t;
+ ')
+
+ domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)
+ ps_process_pattern(chrome_sandbox_t, $1)
+
+ allow $1 chrome_sandbox_t:fd use;
+
+ dontaudit chrome_sandbox_t $1:socket_class_set getattr;
+ allow chrome_sandbox_t $1:unix_stream_socket rw_socket_perms;
+
+ ifdef(`hide_broken_symptoms',`
+ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
+ ')
+')
+
+
+########################################
+## <summary>
+## Execute chrome_sandbox in the chrome_sandbox domain, and
+## allow the specified role the chrome_sandbox domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the chrome_sandbox domain.
+## </summary>
+## </param>
+#
+interface(`chrome_run_sandbox',`
+ gen_require(`
+ type chrome_sandbox_t;
+ type chrome_sandbox_nacl_t;
+ ')
+
+ chrome_domtrans_sandbox($1)
+ role $2 types chrome_sandbox_t;
+ role $2 types chrome_sandbox_nacl_t;
+')
+
+########################################
+## <summary>
+## Role access for chrome sandbox
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`chrome_role_notrans',`
+ gen_require(`
+ type chrome_sandbox_t;
+ type chrome_sandbox_tmpfs_t;
+ type chrome_sandbox_nacl_t;
+ ')
+
+ role $1 types chrome_sandbox_t;
+ role $1 types chrome_sandbox_nacl_t;
+
+ ps_process_pattern($2, chrome_sandbox_t)
+ allow $2 chrome_sandbox_t:process signal_perms;
+
+ allow chrome_sandbox_t $2:unix_dgram_socket { read write };
+ allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
+ allow chrome_sandbox_t $2:unix_stream_socket rw_socket_perms;
+ allow chrome_sandbox_t $2:udp_socket rw_socket_perms;;
+ allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_socket_perms;
+ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
+ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
+
+ allow $2 chrome_sandbox_t:shm rw_shm_perms;
+
+ allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Role access for chrome sandbox
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`chrome_role',`
+ chrome_role_notrans($1, $2)
+ chrome_domtrans_sandbox($2)
+')
+
+########################################
+## <summary>
+## Dontaudit read/write to a chrome_sandbox leaks
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`chrome_dontaudit_sandbox_leaks',`
+ gen_require(`
+ type chrome_sandbox_t;
+ ')
+
+ dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write };
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
index 000000000..ca526f823
--- /dev/null
+++ b/chrome.te
@@ -0,0 +1,256 @@
+policy_module(chrome,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type chrome_sandbox_t;
+type chrome_sandbox_exec_t;
+application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
+role system_r types chrome_sandbox_t;
+ubac_constrained(chrome_sandbox_t)
+
+type chrome_sandbox_tmp_t;
+files_tmp_file(chrome_sandbox_tmp_t)
+
+type chrome_sandbox_tmpfs_t;
+files_tmpfs_file(chrome_sandbox_tmpfs_t)
+ubac_constrained(chrome_sandbox_tmpfs_t)
+
+type chrome_sandbox_nacl_t;
+type chrome_sandbox_nacl_exec_t;
+application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t)
+role system_r types chrome_sandbox_nacl_t;
+ubac_constrained(chrome_sandbox_nacl_t)
+
+type chrome_sandbox_home_t;
+userdom_user_home_content(chrome_sandbox_home_t)
+
+########################################
+#
+# chrome_sandbox local policy
+#
+allow chrome_sandbox_t self:capability2 block_suspend;
+allow chrome_sandbox_t self:capability { chown dac_read_search fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
+dontaudit chrome_sandbox_t self:capability sys_nice;
+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
+allow chrome_sandbox_t self:process setsched;
+allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms;
+allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
+allow chrome_sandbox_t self:shm create_shm_perms;
+allow chrome_sandbox_t self:sem create_sem_perms;
+allow chrome_sandbox_t self:msgq create_msgq_perms;
+allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
+dontaudit chrome_sandbox_t self:memprotect mmap_zero;
+
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_lnk_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
+userdom_user_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
+
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, { file dir })
+
+kernel_read_system_state(chrome_sandbox_t)
+kernel_read_kernel_sysctls(chrome_sandbox_t)
+
+auth_dontaudit_read_passwd(chrome_sandbox_t)
+
+fs_manage_cgroup_dirs(chrome_sandbox_t)
+fs_manage_cgroup_files(chrome_sandbox_t)
+fs_read_dos_files(chrome_sandbox_t)
+fs_read_hugetlbfs_files(chrome_sandbox_t)
+
+corecmd_exec_bin(chrome_sandbox_t)
+
+corenet_all_recvfrom_netlabel(chrome_sandbox_t)
+corenet_tcp_connect_all_ephemeral_ports(chrome_sandbox_t)
+corenet_tcp_connect_aol_port(chrome_sandbox_t)
+corenet_tcp_connect_asterisk_port(chrome_sandbox_t)
+corenet_tcp_connect_commplex_link_port(chrome_sandbox_t)
+corenet_tcp_connect_couchdb_port(chrome_sandbox_t)
+corenet_tcp_connect_flash_port(chrome_sandbox_t)
+corenet_tcp_connect_ftp_port(chrome_sandbox_t)
+corenet_tcp_connect_gatekeeper_port(chrome_sandbox_t)
+corenet_tcp_connect_generic_port(chrome_sandbox_t)
+corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
+corenet_tcp_connect_http_port(chrome_sandbox_t)
+corenet_tcp_connect_ipp_port(chrome_sandbox_t)
+corenet_tcp_connect_ipsecnat_port(chrome_sandbox_t)
+corenet_tcp_connect_jabber_client_port(chrome_sandbox_t)
+corenet_tcp_connect_jboss_management_port(chrome_sandbox_t)
+corenet_tcp_connect_mmcc_port(chrome_sandbox_t)
+corenet_tcp_connect_monopd_port(chrome_sandbox_t)
+corenet_tcp_connect_msnp_port(chrome_sandbox_t)
+corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t)
+corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
+corenet_tcp_connect_rtsp_port(chrome_sandbox_t)
+corenet_tcp_connect_soundd_port(chrome_sandbox_t)
+corenet_tcp_connect_speech_port(chrome_sandbox_t)
+corenet_tcp_connect_squid_port(chrome_sandbox_t)
+corenet_tcp_connect_tor_port(chrome_sandbox_t)
+corenet_tcp_connect_transproxy_port(chrome_sandbox_t)
+corenet_tcp_connect_vnc_port(chrome_sandbox_t)
+corenet_tcp_connect_whois_port(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
+
+domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
+
+dev_read_urand(chrome_sandbox_t)
+dev_read_sysfs(chrome_sandbox_t)
+dev_rwx_zero(chrome_sandbox_t)
+dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t)
+
+fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
+
+libs_legacy_use_shared_libs(chrome_sandbox_t)
+
+term_dontaudit_use_console(chrome_sandbox_t)
+
+miscfiles_read_fonts(chrome_sandbox_t)
+
+sysnet_dns_name_resolve(chrome_sandbox_t)
+
+userdom_rw_inherited_user_tmp_files(chrome_sandbox_t)
+userdom_execute_user_tmp_files(chrome_sandbox_t)
+
+userdom_use_user_ptys(chrome_sandbox_t)
+userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
+userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
+userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
+userdom_search_user_home_content(chrome_sandbox_t)
+# This one we should figure a way to make it more secure
+userdom_manage_home_certs(chrome_sandbox_t)
+
+optional_policy(`
+ gnome_exec_config_home_files(chrome_sandbox_t)
+ gnome_read_generic_cache_files(chrome_sandbox_t)
+ gnome_rw_inherited_config(chrome_sandbox_t)
+ gnome_read_home_config(chrome_sandbox_t)
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium")
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chrome")
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome")
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome-unstable")
+')
+
+optional_policy(`
+ mozilla_write_user_home_files(chrome_sandbox_t)
+')
+
+optional_policy(`
+ xserver_use_user_fonts(chrome_sandbox_t)
+ xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_nfs(chrome_sandbox_t)
+ fs_exec_nfs_files(chrome_sandbox_t)
+ fs_read_nfs_files(chrome_sandbox_t)
+ fs_rw_inherited_nfs_files(chrome_sandbox_t)
+ fs_read_nfs_symlinks(chrome_sandbox_t)
+ fs_dontaudit_append_nfs_files(chrome_sandbox_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs(chrome_sandbox_t)
+ fs_exec_cifs_files(chrome_sandbox_t)
+ fs_rw_inherited_cifs_files(chrome_sandbox_t)
+ fs_read_cifs_files(chrome_sandbox_t)
+ fs_read_cifs_symlinks(chrome_sandbox_t)
+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_search_fusefs(chrome_sandbox_t)
+ fs_read_fusefs_files(chrome_sandbox_t)
+ fs_exec_fusefs_files(chrome_sandbox_t)
+ fs_read_fusefs_symlinks(chrome_sandbox_t)
+')
+
+tunable_policy(`use_ecryptfs_home_dirs',`
+ fs_read_ecryptfs_files(chrome_sandbox_t)
+ fs_dontaudit_append_ecryptfs_files(chrome_sandbox_t)
+ fs_read_ecryptfs_symlinks(chrome_sandbox_t)
+')
+
+optional_policy(`
+ bumblebee_stream_connect(chrome_sandbox_t)
+')
+
+optional_policy(`
+ cups_stream_connect(chrome_sandbox_t)
+')
+
+optional_policy(`
+ sandbox_use_ptys(chrome_sandbox_t)
+')
+
+optional_policy(`
+ unconfined_dontaudit_write_state(chrome_sandbox_t)
+')
+
+########################################
+#
+# chrome_sandbox_nacl local policy
+#
+
+allow chrome_sandbox_nacl_t self:process { execmem setsched sigkill sigstop signull signal };
+
+allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
+allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_nacl_t self:shm create_shm_perms;
+allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
+allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write };
+
+allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
+allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
+allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal sigchld share };
+
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
+
+domain_use_interactive_fds(chrome_sandbox_nacl_t)
+
+dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
+
+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
+ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
+ps_process_pattern(chrome_sandbox_nacl_t, chrome_sandbox_t)
+
+manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_lnk_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+
+kernel_read_state(chrome_sandbox_nacl_t)
+kernel_read_system_state(chrome_sandbox_nacl_t)
+
+corecmd_bin_entry_type(chrome_sandbox_nacl_t)
+
+dev_read_urand(chrome_sandbox_nacl_t)
+dev_read_sysfs(chrome_sandbox_nacl_t)
+dev_rwx_zero(chrome_sandbox_nacl_t)
+
+init_read_state(chrome_sandbox_nacl_t)
+
+libs_legacy_use_shared_libs(chrome_sandbox_nacl_t)
+
+userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
+userdom_execute_user_tmp_files(chrome_sandbox_nacl_t)
+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
+userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
+userdom_dontaudit_use_user_terminals(chrome_sandbox_nacl_t)
+
+optional_policy(`
+ gnome_dontaudit_append_config_files(chrome_sandbox_nacl_t)
+ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
+')
diff --git a/chronyd.fc b/chronyd.fc
index 4e4143ed8..9c06350c2 100644
--- a/chronyd.fc
+++ b/chronyd.fc
@@ -1,13 +1,20 @@
-/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
+/etc/chrony\.keys.* -- gen_context(system_u:object_r:chronyd_keys_t,s0)
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+/usr/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
+
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+/usr/libexec/chrony-helper -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+
+/usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0)
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
/var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
-/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/var/run/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/var/run/chronyd(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/var/run/chrony-helper(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0)
/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
/var/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0)
diff --git a/chronyd.if b/chronyd.if
index 32e8265c2..508f3b84f 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -57,6 +57,24 @@ interface(`chronyd_exec',`
can_exec($1, chronyd_exec_t)
')
+########################################
+## <summary>
+## Send generic signals to chronyd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_signal',`
+ gen_require(`
+ type chronyd_t;
+ ')
+
+ allow $1 chronyd_t:process signal;
+')
+
#####################################
## <summary>
## Read chronyd log files.
@@ -100,8 +118,25 @@ interface(`chronyd_rw_shm',`
########################################
## <summary>
-## Connect to chronyd using a unix
-## domain stream socket.
+## Read chronyd keys files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_read_keys',`
+ gen_require(`
+ type chronyd_keys_t;
+ ')
+
+ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+')
+
+########################################
+## <summary>
+## Append chronyd keys files.
## </summary>
## <param name="domain">
## <summary>
@@ -109,6 +144,49 @@ interface(`chronyd_rw_shm',`
## </summary>
## </param>
#
+interface(`chronyd_append_keys',`
+ gen_require(`
+ type chronyd_keys_t;
+ ')
+
+ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+')
+
+########################################
+## <summary>
+## Execute chronyd server in the chronyd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chronyd_systemctl',`
+ gen_require(`
+ type chronyd_t;
+ type chronyd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 chronyd_unit_file_t:file read_file_perms;
+ allow $1 chronyd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, chronyd_t)
+')
+
+#######################################
+## <summary>
+## Connect to chronyd using a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
interface(`chronyd_stream_connect',`
gen_require(`
type chronyd_t, chronyd_var_run_t;
@@ -140,7 +218,7 @@ interface(`chronyd_dgram_send',`
########################################
## <summary>
-## Read chronyd key files.
+## Manage pid files used by chronyd
## </summary>
## <param name="domain">
## <summary>
@@ -148,13 +226,14 @@ interface(`chronyd_dgram_send',`
## </summary>
## </param>
#
-interface(`chronyd_read_key_files',`
+interface(`chronyd_manage_pid',`
gen_require(`
- type chronyd_keys_t;
+ type chronyd_var_run_t;
')
- files_search_etc($1)
- read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+ files_search_pids($1)
+ manage_files_pattern($1, chronyd_var_run_t, chronyd_var_run_t)
+ manage_dirs_pattern($1, chronyd_var_run_t, chronyd_var_run_t)
')
####################################
@@ -176,28 +255,81 @@ interface(`chronyd_read_key_files',`
#
interface(`chronyd_admin',`
gen_require(`
- type chronyd_t, chronyd_var_log_t;
- type chronyd_var_run_t, chronyd_var_lib_t;
- type chronyd_initrc_exec_t, chronyd_keys_t;
+ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
+ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
+ type chronyd_keys_t, chronyd_unit_file_t;
')
- allow $1 chronyd_t:process { ptrace signal_perms };
+ allow $1 chronyd_t:process signal_perms;
ps_process_pattern($1, chronyd_t)
- chronyd_initrc_domtrans($1)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 chronyd_t:process ptrace;
+ ')
+
+ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 chronyd_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, chronyd_keys_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, chronyd_var_log_t)
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, chronyd_var_lib_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, chronyd_var_run_t)
+
+ admin_pattern($1, chronyd_tmpfs_t)
+
+ admin_pattern($1, chronyd_unit_file_t)
+ chronyd_systemctl($1)
+ allow $1 chronyd_unit_file_t:service all_service_perms;
+')
+
+########################################
+## <summary>
+## Execute chronyc in the chronyc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chronyd_domtrans_chronyc',`
+ gen_require(`
+ type chronyc_t, chronyc_exec_t;
+ ')
+
+ domtrans_pattern($1, chronyc_exec_t, chronyc_t)
+')
+
+########################################
+## <summary>
+## Execute chronyc in the chronyc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_run_chronyc',`
+ gen_require(`
+ type chronyc_t;
+ attribute_role chronyc_roles;
+ ')
+
+ chronyd_domtrans_chronyc($1)
+ roleattribute $2 chronyc_roles;
')
diff --git a/chronyd.te b/chronyd.te
index e5b621c29..98e3ce0ab 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -5,6 +5,9 @@ policy_module(chronyd, 1.2.0)
# Declarations
#
+attribute_role chronyc_roles;
+roleattribute system_r chronyc_roles;
+
type chronyd_t;
type chronyd_exec_t;
init_daemon_domain(chronyd_t, chronyd_exec_t)
@@ -18,6 +21,9 @@ files_type(chronyd_keys_t)
type chronyd_tmpfs_t;
files_tmpfs_file(chronyd_tmpfs_t)
+type chronyd_unit_file_t;
+systemd_unit_file(chronyd_unit_file_t)
+
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
@@ -27,18 +33,33 @@ logging_log_file(chronyd_var_log_t)
type chronyd_var_run_t;
files_pid_file(chronyd_var_run_t)
+type chronyc_t;
+type chronyc_exec_t;
+domain_type(chronyc_t, chronyc_exec_t)
+init_system_domain(chronyc_t, chronyc_exec_t)
+role chronyc_roles types chronyc_t;
+
########################################
#
# Local policy
#
-allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
-allow chronyd_t self:process { getcap setcap setrlimit signal };
+allow chronyd_t self:capability { dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time chown net_admin };
+allow chronyd_t self:capability2 block_suspend;
+allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal };
allow chronyd_t self:shm create_shm_perms;
+allow chronyd_t self:udp_socket create_socket_perms;
+allow chronyd_t self:unix_dgram_socket { create_socket_perms sendto };
allow chronyd_t self:fifo_file rw_fifo_file_perms;
+allow chronyd_t chronyd_keys_t:file append_file_perms;
+allow chronyd_t chronyd_keys_t:file setattr_file_perms;
allow chronyd_t chronyd_keys_t:file read_file_perms;
+allow chronyd_t chronyc_t:unix_dgram_socket sendto;
+
+allow chronyd_t chronyc_exec_t:file mmap_file_perms;
+
manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file })
@@ -61,6 +82,11 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
kernel_read_system_state(chronyd_t)
kernel_read_network_state(chronyd_t)
+kernel_request_load_module(chronyd_t)
+
+can_exec(chronyd_t,chronyc_exec_t)
+
+clock_read_adjtime(chronyd_t)
corenet_all_recvfrom_unlabeled(chronyd_t)
corenet_all_recvfrom_netlabel(chronyd_t)
@@ -76,18 +102,64 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
corenet_udp_bind_chronyd_port(chronyd_t)
corenet_udp_sendrecv_chronyd_port(chronyd_t)
+domain_dontaudit_getsession_all_domains(chronyd_t)
+
+dev_read_rand(chronyd_t)
+dev_read_urand(chronyd_t)
+dev_read_sysfs(chronyd_t)
+
dev_rw_realtime_clock(chronyd_t)
auth_use_nsswitch(chronyd_t)
+corecmd_exec_bin(chronyd_t)
+
logging_send_syslog_msg(chronyd_t)
-miscfiles_read_localization(chronyd_t)
+mta_send_mail(chronyd_t)
+
+sysnet_read_dhcpc_state(chronyd_t)
+
+systemd_exec_systemctl(chronyd_t)
+
+userdom_dgram_send(chronyd_t)
+
+optional_policy(`
+ dbus_system_bus_client(chronyd_t)
+')
optional_policy(`
gpsd_rw_shm(chronyd_t)
')
optional_policy(`
- mta_send_mail(chronyd_t)
+ timemaster_stream_connect(chronyd_t)
+ timemaster_read_pid_files(chronyd_t)
+ timemaster_rw_shm(chronyd_t)
+')
+
+optional_policy(`
+ ptp4l_rw_shm(chronyd_t)
')
+
+########################################
+#
+# Local policy
+#
+
+allow chronyc_t self:capability { dac_read_search dac_override };
+allow chronyc_t self:udp_socket create_socket_perms;
+allow chronyc_t self:unix_dgram_socket create_socket_perms;
+allow chronyc_t self:netlink_route_socket create_netlink_socket_perms;
+
+allow chronyc_t chronyd_t:unix_dgram_socket sendto;
+
+manage_dirs_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_sock_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+
+corecmd_exec_bin(chronyc_t)
+
+sysnet_read_config(chronyc_t)
+
+userdom_use_user_ptys(chronyc_t)
diff --git a/cinder.fc b/cinder.fc
new file mode 100644
index 000000000..4b318b783
--- /dev/null
+++ b/cinder.fc
@@ -0,0 +1,16 @@
+
+/usr/bin/cinder-api -- gen_context(system_u:object_r:cinder_api_exec_t,s0)
+/usr/bin/cinder-backup -- gen_context(system_u:object_r:cinder_backup_exec_t,s0)
+/usr/bin/cinder-scheduler -- gen_context(system_u:object_r:cinder_scheduler_exec_t,s0)
+/usr/bin/cinder-volume -- gen_context(system_u:object_r:cinder_volume_exec_t,s0)
+
+/usr/lib/systemd/system/openstack-cinder-api.* -- gen_context(system_u:object_r:cinder_api_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-cinder-backup.* -- gen_context(system_u:object_r:cinder_backup_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-cinder-scheduler.* -- gen_context(system_u:object_r:cinder_scheduler_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-cinder-volume.* -- gen_context(system_u:object_r:cinder_volume_unit_file_t,s0)
+
+/var/lib/cinder(/.*)? gen_context(system_u:object_r:cinder_var_lib_t,s0)
+
+/var/log/cinder(/.*)? gen_context(system_u:object_r:cinder_log_t,s0)
+
+/var/run/cinder(/.*)? gen_context(system_u:object_r:cinder_var_run_t,s0)
diff --git a/cinder.if b/cinder.if
new file mode 100644
index 000000000..fc9cae7c7
--- /dev/null
+++ b/cinder.if
@@ -0,0 +1,57 @@
+## <summary>openstack-cinder</summary>
+
+######################################
+## <summary>
+## Manage cinder lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cinder_manage_lib_files',`
+ gen_require(`
+ type cinder_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, cinder_var_lib_t, cinder_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Creates types and rules for a basic
+## openstack-cinder systemd daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`cinder_domain_template',`
+ gen_require(`
+ attribute cinder_domain;
+ ')
+
+ type cinder_$1_t, cinder_domain;
+ type cinder_$1_exec_t;
+ init_daemon_domain(cinder_$1_t, cinder_$1_exec_t)
+
+ type cinder_$1_unit_file_t;
+ systemd_unit_file(cinder_$1_unit_file_t)
+
+ type cinder_$1_tmp_t;
+ files_tmp_file(cinder_$1_tmp_t)
+
+ manage_dirs_pattern(cinder_$1_t, cinder_$1_tmp_t, cinder_$1_tmp_t)
+ manage_files_pattern(cinder_$1_t, cinder_$1_tmp_t, cinder_$1_tmp_t)
+ files_tmp_filetrans(cinder_$1_t, cinder_$1_tmp_t, { file dir })
+ can_exec(cinder_$1_t, cinder_$1_tmp_t)
+
+ kernel_read_system_state(cinder_$1_t)
+
+ logging_send_syslog_msg(cinder_$1_t)
+
+')
diff --git a/cinder.te b/cinder.te
new file mode 100644
index 000000000..488a7a659
--- /dev/null
+++ b/cinder.te
@@ -0,0 +1,169 @@
+policy_module(cinder, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+#
+# cinder-stack daemons contain security issue with using sudo in the code
+# we make this policy as unconfined until this issue is fixed
+#
+
+attribute cinder_domain;
+
+cinder_domain_template(api)
+cinder_domain_template(backup)
+cinder_domain_template(scheduler)
+cinder_domain_template(volume)
+
+type cinder_log_t;
+logging_log_file(cinder_log_t)
+
+type cinder_var_lib_t;
+files_type(cinder_var_lib_t)
+
+type cinder_var_run_t;
+files_pid_file(cinder_var_run_t)
+
+######################################
+#
+# cinder general domain local policy
+#
+
+allow cinder_domain self:process signal_perms;
+allow cinder_domain self:fifo_file rw_fifo_file_perms;
+allow cinder_domain self:tcp_socket create_stream_socket_perms;
+allow cinder_domain self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(cinder_domain, cinder_log_t, cinder_log_t)
+manage_files_pattern(cinder_domain, cinder_log_t, cinder_log_t)
+
+manage_dirs_pattern(cinder_domain, cinder_var_lib_t, cinder_var_lib_t)
+manage_files_pattern(cinder_domain, cinder_var_lib_t, cinder_var_lib_t)
+
+manage_dirs_pattern(cinder_domain, cinder_var_run_t, cinder_var_run_t)
+manage_files_pattern(cinder_domain, cinder_var_run_t, cinder_var_run_t)
+
+corenet_tcp_connect_amqp_port(cinder_domain)
+corenet_tcp_connect_mysqld_port(cinder_domain)
+
+kernel_read_network_state(cinder_domain)
+
+corecmd_exec_bin(cinder_domain)
+corecmd_exec_shell(cinder_domain)
+corenet_tcp_connect_mysqld_port(cinder_domain)
+
+auth_read_passwd(cinder_domain)
+
+dev_read_sysfs(cinder_domain)
+dev_read_urand(cinder_domain)
+
+fs_getattr_xattr_fs(cinder_domain)
+
+init_read_utmp(cinder_domain)
+
+libs_exec_ldconfig(cinder_domain)
+
+optional_policy(`
+ mysql_stream_connect(cinder_domain)
+ mysql_read_db_lnk_files(cinder_domain)
+')
+
+optional_policy(`
+ sysnet_read_config(cinder_domain)
+ sysnet_exec_ifconfig(cinder_domain)
+')
+
+#######################################
+#
+# cinder api local policy
+#
+
+allow cinder_api_t self:process setfscreate;
+allow cinder_api_t self:key write;
+allow cinder_api_t self:netlink_route_socket r_netlink_socket_perms;
+allow cinder_api_t self:udp_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(cinder_api_t)
+
+corenet_tcp_bind_generic_node(cinder_api_t)
+corenet_udp_bind_generic_node(cinder_api_t)
+# should be add to booleans
+corenet_tcp_connect_all_ports(cinder_api_t)
+corenet_tcp_bind_all_unreserved_ports(cinder_api_t)
+
+auth_read_passwd(cinder_api_t)
+
+logging_send_syslog_msg(cinder_api_t)
+
+miscfiles_read_certs(cinder_api_t)
+
+optional_policy(`
+ iptables_domtrans(cinder_api_t)
+')
+
+optional_policy(`
+ ssh_exec_keygen(cinder_api_t)
+')
+
+optional_policy(`
+ gnome_dontaudit_search_config(cinder_api_t)
+')
+
+optional_policy(`
+ unconfined_domain(cinder_api_t)
+')
+
+#######################################
+#
+# cinder backup local policy
+#
+
+allow cinder_backup_t self:udp_socket create_socket_perms;
+
+auth_use_nsswitch(cinder_backup_t)
+
+systemd_dbus_chat_logind(cinder_backup_t)
+
+optional_policy(`
+ unconfined_domain(cinder_backup_t)
+')
+
+#######################################
+#
+# cinder scheduler local policy
+#
+
+allow cinder_scheduler_t self:netlink_route_socket r_netlink_socket_perms;
+allow cinder_scheduler_t self:udp_socket create_socket_perms;
+
+auth_read_passwd(cinder_scheduler_t)
+
+init_read_utmp(cinder_scheduler_t)
+
+optional_policy(`
+ unconfined_domain(cinder_scheduler_t)
+')
+
+#######################################
+#
+# cinder volume local policy
+#
+
+allow cinder_volume_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow cinder_volume_t self:udp_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(cinder_volume_t)
+
+logging_send_syslog_msg(cinder_volume_t)
+
+optional_policy(`
+ lvm_domtrans(cinder_volume_t)
+')
+
+optional_policy(`
+ unconfined_domain(cinder_volume_t)
+')
+
diff --git a/cipe.te b/cipe.te
index a0aa693d1..af571edbb 100644
--- a/cipe.te
+++ b/cipe.te
@@ -29,7 +29,6 @@ kernel_read_system_state(ciped_t)
corecmd_exec_shell(ciped_t)
corecmd_exec_bin(ciped_t)
-corenet_all_recvfrom_unlabeled(ciped_t)
corenet_all_recvfrom_netlabel(ciped_t)
corenet_udp_sendrecv_generic_if(ciped_t)
corenet_udp_sendrecv_generic_node(ciped_t)
@@ -45,7 +44,6 @@ dev_read_urand(ciped_t)
domain_use_interactive_fds(ciped_t)
-files_read_etc_files(ciped_t)
files_read_etc_runtime_files(ciped_t)
files_dontaudit_search_var(ciped_t)
@@ -53,8 +51,6 @@ fs_search_auto_mountpoints(ciped_t)
logging_send_syslog_msg(ciped_t)
-miscfiles_read_localization(ciped_t)
-
sysnet_read_config(ciped_t)
userdom_dontaudit_use_unpriv_user_fds(ciped_t)
diff --git a/clamav.fc b/clamav.fc
index d72afcc31..c53b80dcd 100644
--- a/clamav.fc
+++ b/clamav.fc
@@ -6,6 +6,8 @@
/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
+/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:clamd_unit_file_t,s0)
+
/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
diff --git a/clamav.if b/clamav.if
index 4cc4a5cd0..a6c632290 100644
--- a/clamav.if
+++ b/clamav.if
@@ -1,4 +1,4 @@
-## <summary>ClamAV Virus Scanner.</summary>
+## <summary>ClamAV Virus Scanner</summary>
########################################
## <summary>
@@ -15,14 +15,12 @@ interface(`clamav_domtrans',`
type clamd_t, clamd_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, clamd_exec_t, clamd_t)
')
########################################
## <summary>
-## Connect to clamd using a unix
-## domain stream socket.
+## Connect to run clamd.
## </summary>
## <param name="domain">
## <summary>
@@ -41,7 +39,8 @@ interface(`clamav_stream_connect',`
########################################
## <summary>
-## Append clamav log files.
+## Allow the specified domain to append
+## to clamav log files.
## </summary>
## <param name="domain">
## <summary>
@@ -61,27 +60,6 @@ interface(`clamav_append_log',`
########################################
## <summary>
-## Create, read, write, and delete
-## clamav pid content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`clamav_manage_pid_content',`
- gen_require(`
- type clamd_var_run_t;
- ')
-
- files_search_pids($1)
- manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
- manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
-')
-
-########################################
-## <summary>
## Read clamav configuration files.
## </summary>
## <param name="domain">
@@ -101,7 +79,7 @@ interface(`clamav_read_config',`
########################################
## <summary>
-## Search clamav library directories.
+## Search clamav libraries directories.
## </summary>
## <param name="domain">
## <summary>
@@ -133,13 +111,12 @@ interface(`clamav_domtrans_clamscan',`
type clamscan_t, clamscan_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, clamscan_exec_t, clamscan_t)
')
########################################
## <summary>
-## Execute clamscan in the caller domain.
+## Execute clamscan without a transition.
## </summary>
## <param name="domain">
## <summary>
@@ -152,13 +129,12 @@ interface(`clamav_exec_clamscan',`
type clamscan_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, clamscan_exec_t)
')
-#######################################
+########################################
## <summary>
-## Read clamd process state files.
+## Manage clamd pid content.
## </summary>
## <param name="domain">
## <summary>
@@ -166,21 +142,63 @@ interface(`clamav_exec_clamscan',`
## </summary>
## </param>
#
-interface(`clamav_read_state_clamd',`
+interface(`clamav_manage_clamd_pid',`
gen_require(`
- type clamd_t;
+ type clamd_var_run_t;
')
- kernel_search_proc($1)
- allow $1 clamd_t:dir list_dir_perms;
- read_files_pattern($1, clamd_t, clamd_t)
- read_lnk_files_pattern($1, clamd_t, clamd_t)
+ manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
+ manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
+')
+
+#######################################
+## <summary>
+## Read clamd state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_read_state_clamd',`
+ gen_require(`
+ type clamd_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, clamd_t)
+')
+
+#######################################
+## <summary>
+## Execute clamd server in the clamd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`clamd_systemctl',`
+ gen_require(`
+ type clamd_t;
+ type clamd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 clamd_unit_file_t:file read_file_perms;
+ allow $1 clamd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, clamd_t)
')
########################################
## <summary>
-## All of the rules required to
-## administrate an clamav environment.
+## All of the rules required to administrate
+## an clamav environment
## </summary>
## <param name="domain">
## <summary>
@@ -189,7 +207,7 @@ interface(`clamav_read_state_clamd',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the clamav domain.
## </summary>
## </param>
## <rolecap/>
@@ -197,19 +215,36 @@ interface(`clamav_read_state_clamd',`
interface(`clamav_admin',`
gen_require(`
type clamd_t, clamd_etc_t, clamd_tmp_t;
- type clamd_var_log_t, clamd_var_lib_t, clamd_initrc_exec_t;
- type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
+ type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
+ type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
type freshclam_t, freshclam_var_log_t;
+ type clamd_unit_file_t;
')
- allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })
+ allow $1 clamd_t:process signal_perms;
+ ps_process_pattern($1, clamd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 clamd_t:process ptrace;
+ allow $1 clamscan_t:process ptrace;
+ allow $1 freshclam_t:process ptrace;
+ ')
+
+ allow $1 clamscan_t:process signal_perms;
+ ps_process_pattern($1, clamscan_t)
+
+ allow $1 freshclam_t:process signal_perms;
+ ps_process_pattern($1, freshclam_t)
init_labeled_script_domtrans($1, clamd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 clamd_initrc_exec_t system_r;
allow $2 system_r;
+ clamd_systemctl($1)
+ admin_pattern($1, clamd_unit_file_t)
+ allow $1 clamd_unit_file_t:service all_service_perms;
+
files_list_etc($1)
admin_pattern($1, clamd_etc_t)
@@ -217,11 +252,21 @@ interface(`clamav_admin',`
admin_pattern($1, clamd_var_lib_t)
logging_list_logs($1)
- admin_pattern($1, { clamd_var_log_t freshclam_var_log_t })
+ admin_pattern($1, clamd_var_log_t)
files_list_pids($1)
admin_pattern($1, clamd_var_run_t)
files_list_tmp($1)
- admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
+ admin_pattern($1, clamd_tmp_t)
+
+ admin_pattern($1, clamscan_tmp_t)
+
+ admin_pattern($1, freshclam_var_log_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+
')
diff --git a/clamav.te b/clamav.te
index ce3836acd..237fc8bf0 100644
--- a/clamav.te
+++ b/clamav.te
@@ -18,7 +18,7 @@ gen_tunable(clamav_read_all_non_security_files_clamscan, false)
## <desc>
## <p>
-## Determine whether can clamd use JIT compiler.
+## Determine whether clamd can use JIT compiler.
## </p>
## </desc>
gen_tunable(clamd_use_jit, false)
@@ -38,6 +38,9 @@ files_config_file(clamd_etc_t)
type clamd_initrc_exec_t;
init_script_file(clamd_initrc_exec_t)
+type clamd_unit_file_t;
+systemd_unit_file(clamd_unit_file_t)
+
type clamd_tmp_t;
files_tmp_file(clamd_tmp_t)
@@ -70,9 +73,10 @@ logging_log_file(freshclam_var_log_t)
# Clamd local policy
#
-allow clamd_t self:capability { kill setgid setuid dac_override };
+allow clamd_t self:capability { kill setgid setuid dac_read_search };
dontaudit clamd_t self:capability sys_tty_config;
allow clamd_t self:process signal;
+
allow clamd_t self:fifo_file rw_fifo_file_perms;
allow clamd_t self:unix_stream_socket { accept connectto listen };
allow clamd_t self:tcp_socket { listen accept };
@@ -107,7 +111,6 @@ kernel_read_system_state(clamd_t)
corecmd_exec_shell(clamd_t)
-corenet_all_recvfrom_unlabeled(clamd_t)
corenet_all_recvfrom_netlabel(clamd_t)
corenet_tcp_sendrecv_generic_if(clamd_t)
corenet_tcp_sendrecv_generic_node(clamd_t)
@@ -119,6 +122,7 @@ corenet_tcp_bind_generic_port(clamd_t)
corenet_sendrecv_generic_client_packets(clamd_t)
corenet_tcp_connect_generic_port(clamd_t)
+corenet_tcp_connect_clamd_port(clamd_t)
corenet_sendrecv_clamd_server_packets(clamd_t)
corenet_tcp_bind_clamd_port(clamd_t)
@@ -135,18 +139,10 @@ auth_use_nsswitch(clamd_t)
logging_send_syslog_msg(clamd_t)
-miscfiles_read_localization(clamd_t)
-
-tunable_policy(`clamd_use_jit',`
- allow clamd_t self:process execmem;
-',`
- dontaudit clamd_t self:process execmem;
-')
-
optional_policy(`
amavis_read_lib_files(clamd_t)
amavis_read_spool_files(clamd_t)
- amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
+ amavis_spool_filetrans(clamd_t, clamd_var_run_t, { file dir sock_file })
amavis_create_pid_files(clamd_t)
')
@@ -165,12 +161,37 @@ optional_policy(`
mta_send_mail(clamd_t)
')
+optional_policy(`
+ spamd_stream_connect(clamd_t)
+ spamassassin_read_pid_files(clamd_t)
+')
+
+tunable_policy(`clamd_use_jit',`
+ allow clamd_t self:process execmem;
+ allow clamscan_t self:process execmem;
+',`
+ dontaudit clamd_t self:process execmem;
+ dontaudit clamscan_t self:process execmem;
+')
+
+optional_policy(`
+ antivirus_domain_template(clamd_t)
+')
+
+optional_policy(`
+ antivirus_domain_template(clamscan_t)
+')
+
+optional_policy(`
+ antivirus_domain_template(freshclam_t)
+')
+
########################################
#
# Freshclam local policy
#
-allow freshclam_t self:capability { setgid setuid dac_override };
+allow freshclam_t self:capability { setgid setuid dac_read_search };
allow freshclam_t self:fifo_file rw_fifo_file_perms;
allow freshclam_t self:unix_stream_socket { accept listen };
allow freshclam_t self:tcp_socket { accept listen };
@@ -228,7 +249,6 @@ auth_use_nsswitch(freshclam_t)
logging_send_syslog_msg(freshclam_t)
-miscfiles_read_localization(freshclam_t)
tunable_policy(`clamd_use_jit',`
allow freshclam_t self:process execmem;
@@ -241,6 +261,10 @@ optional_policy(`
')
optional_policy(`
+ clamd_systemctl(freshclam_t)
+')
+
+optional_policy(`
cron_system_entry(freshclam_t, freshclam_exec_t)
')
@@ -249,7 +273,7 @@ optional_policy(`
# Clamscam local policy
#
-allow clamscan_t self:capability { setgid setuid dac_override };
+allow clamscan_t self:capability { setgid setuid dac_read_search };
allow clamscan_t self:fifo_file rw_fifo_file_perms;
allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
allow clamscan_t self:unix_dgram_socket create_socket_perms;
@@ -275,7 +299,6 @@ kernel_dontaudit_list_proc(clamscan_t)
kernel_read_kernel_sysctls(clamscan_t)
kernel_read_system_state(clamscan_t)
-corenet_all_recvfrom_unlabeled(clamscan_t)
corenet_all_recvfrom_netlabel(clamscan_t)
corenet_tcp_sendrecv_generic_if(clamscan_t)
corenet_tcp_sendrecv_generic_node(clamscan_t)
@@ -286,14 +309,12 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
corecmd_read_all_executables(clamscan_t)
-files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
files_search_var_lib(clamscan_t)
init_read_utmp(clamscan_t)
init_dontaudit_write_utmp(clamscan_t)
-miscfiles_read_localization(clamscan_t)
miscfiles_read_public_files(clamscan_t)
sysnet_dns_name_resolve(clamscan_t)
@@ -310,10 +331,6 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',`
')
optional_policy(`
- amavis_read_spool_files(clamscan_t)
-')
-
-optional_policy(`
apache_read_sys_content(clamscan_t)
')
diff --git a/clockspeed.te b/clockspeed.te
index d3e2a67e5..f5b330c08 100644
--- a/clockspeed.te
+++ b/clockspeed.te
@@ -29,7 +29,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms;
read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
-corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
corenet_all_recvfrom_netlabel(clockspeed_cli_t)
corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
@@ -38,11 +37,9 @@ corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
files_list_var_lib(clockspeed_cli_t)
-files_read_etc_files(clockspeed_cli_t)
-miscfiles_read_localization(clockspeed_cli_t)
-userdom_use_user_terminals(clockspeed_cli_t)
+userdom_use_inherited_user_terminals(clockspeed_cli_t)
########################################
#
@@ -57,7 +54,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
-corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
corenet_all_recvfrom_netlabel(clockspeed_srv_t)
corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
@@ -68,9 +64,7 @@ corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
corenet_udp_sendrecv_clockspeed_port(clockspeed_srv_t)
files_list_var_lib(clockspeed_srv_t)
-files_read_etc_files(clockspeed_srv_t)
-miscfiles_read_localization(clockspeed_srv_t)
optional_policy(`
daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
diff --git a/clogd.te b/clogd.te
index 4a5b3d1a5..cd146bd5a 100644
--- a/clogd.te
+++ b/clogd.te
@@ -41,9 +41,6 @@ storage_raw_write_fixed_disk(clogd_t)
logging_send_syslog_msg(clogd_t)
-miscfiles_read_localization(clogd_t)
-
optional_policy(`
- aisexec_stream_connect(clogd_t)
- corosync_stream_connect(clogd_t)
+ rhcs_stream_connect_cluster(clogd_t)
')
diff --git a/cloudform.fc b/cloudform.fc
new file mode 100644
index 000000000..e07f85124
--- /dev/null
+++ b/cloudform.fc
@@ -0,0 +1,22 @@
+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
+
+/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/libexec/min-metadata-service -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/libexec/min-cloud-agent -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0)
+/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0)
+/usr/lib/systemd/system-generators/cloud-init.* gen_context(system_u:object_r:cloud_init_exec_t,s0)
+
+/usr/lib/systemd/system/cloud-config.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
+
+/usr/lib/systemd/system/cloud-init.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
+
+/var/lib/cloud(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0)
+/var/lib/min-cloud-agent(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0)
+/var/log/cloud-init.*\.log.* -- gen_context(system_u:object_r:cloud_log_t,s0)
+/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0)
+
+/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0)
+/var/log/iwhd\.log.* -- gen_context(system_u:object_r:iwhd_log_t,s0)
+
+/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
diff --git a/cloudform.if b/cloudform.if
new file mode 100644
index 000000000..55fe0d668
--- /dev/null
+++ b/cloudform.if
@@ -0,0 +1,116 @@
+## <summary>cloudform policy</summary>
+
+#######################################
+## <summary>
+## Creates types and rules for a basic
+## cloudform daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`cloudform_domain_template',`
+ gen_require(`
+ attribute cloudform_domain;
+ ')
+
+ type $1_t, cloudform_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+ kernel_read_system_state($1_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run cloud_init.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cloudform_init_domtrans',`
+ gen_require(`
+ type cloud_init_t, cloud_init_exec_t;
+ ')
+
+ domtrans_pattern($1, cloud_init_exec_t, cloud_init_t)
+')
+
+######################################
+## <summary>
+## Execute mongod in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cloudform_exec_mongod',`
+ gen_require(`
+ type mongod_exec_t;
+ ')
+
+ can_exec($1, mongod_exec_t)
+')
+
+#######################################
+## <summary>
+## Allow read to cloud lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cloudform_read_lib_files',`
+ gen_require(`
+ type cloud_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, cloud_var_lib_t, cloud_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Allow read to cloud lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cloudform_read_lib_lnk_files',`
+ gen_require(`
+ type cloud_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_lnk_files_pattern($1, cloud_var_lib_t, cloud_var_lib_t)
+')
+
+######################################
+## <summary>
+## Execute mongod in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cloudform_dontaudit_write_cloud_log',`
+ gen_require(`
+ type cloud_log_t;
+ ')
+
+ dontaudit $1 cloud_log_t:file write_inherited_file_perms;
+')
diff --git a/cloudform.te b/cloudform.te
new file mode 100644
index 000000000..2f19544f0
--- /dev/null
+++ b/cloudform.te
@@ -0,0 +1,251 @@
+policy_module(cloudform, 1.0)
+########################################
+#
+# Declarations
+#
+
+attribute cloudform_domain;
+
+cloudform_domain_template(deltacloudd)
+cloudform_domain_template(iwhd)
+cloudform_domain_template(cloud_init)
+
+type cloud_init_tmp_t;
+files_tmp_file(cloud_init_tmp_t)
+
+type cloud_init_unit_file_t;
+systemd_unit_file(cloud_init_unit_file_t)
+
+type cloud_var_lib_t;
+files_type(cloud_var_lib_t)
+
+type cloud_log_t;
+logging_log_file(cloud_log_t)
+
+type deltacloudd_log_t;
+logging_log_file(deltacloudd_log_t)
+
+type deltacloudd_var_run_t;
+files_pid_file(deltacloudd_var_run_t)
+
+type deltacloudd_tmp_t;
+files_tmp_file(deltacloudd_tmp_t)
+
+type iwhd_initrc_exec_t;
+init_script_file(iwhd_initrc_exec_t)
+
+type iwhd_var_lib_t;
+files_type(iwhd_var_lib_t)
+
+type iwhd_var_run_t;
+files_pid_file(iwhd_var_run_t)
+
+type iwhd_log_t;
+logging_log_file(iwhd_log_t)
+
+########################################
+#
+# cloudform_domain local policy
+#
+
+allow cloudform_domain self:fifo_file rw_fifo_file_perms;
+allow cloudform_domain self:tcp_socket create_stream_socket_perms;
+
+dev_read_rand(cloudform_domain)
+dev_read_urand(cloudform_domain)
+dev_read_sysfs(cloudform_domain)
+
+auth_read_passwd(cloudform_domain)
+
+miscfiles_read_certs(cloudform_domain)
+
+#################################
+#
+# cloud-init local policy
+#
+
+allow cloud_init_t self:capability { fowner chown fsetid dac_read_search };
+
+allow cloud_init_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
+manage_dirs_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
+files_tmp_filetrans(cloud_init_t, cloud_init_tmp_t, { file dir })
+
+manage_dirs_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+manage_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+manage_lnk_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+
+manage_files_pattern(cloud_init_t, cloud_log_t, cloud_log_t)
+logging_log_filetrans(cloud_init_t, cloud_log_t, { file })
+
+init_dbus_chat(cloud_init_t)
+
+kernel_read_network_state(cloud_init_t)
+
+corenet_tcp_connect_http_port(cloud_init_t)
+
+corecmd_exec_bin(cloud_init_t)
+corecmd_exec_shell(cloud_init_t)
+
+domain_read_all_domains_state(cloud_init_t)
+
+fs_getattr_all_fs(cloud_init_t)
+
+storage_raw_read_fixed_disk(cloud_init_t)
+
+auth_use_nsswitch(cloud_init_t)
+
+libs_exec_ldconfig(cloud_init_t)
+
+logging_send_syslog_msg(cloud_init_t)
+
+miscfiles_read_localization(cloud_init_t)
+
+selinux_validate_context(cloud_init_t)
+
+systemd_dbus_chat_hostnamed(cloud_init_t)
+systemd_dbus_chat_timedated(cloud_init_t)
+systemd_exec_systemctl(cloud_init_t)
+systemd_start_all_services(cloud_init_t)
+
+usermanage_domtrans_passwd(cloud_init_t)
+
+optional_policy(`
+ certmonger_dbus_chat(cloud_init_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(cloud_init_t)
+')
+
+optional_policy(`
+ rhsmcertd_dbus_chat(cloud_init_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(cloud_init_t)
+')
+
+optional_policy(`
+ dmidecode_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+ fstools_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+ hostname_exec(cloud_init_t)
+')
+
+optional_policy(`
+ mount_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+ # it check file context and run restorecon
+ seutil_read_file_contexts(cloud_init_t)
+ seutil_domtrans_setfiles(cloud_init_t)
+')
+
+optional_policy(`
+ ssh_exec_keygen(cloud_init_t)
+ ssh_read_user_home_files(cloud_init_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(cloud_init_t)
+ sysnet_read_dhcpc_state(cloud_init_t)
+ sysnet_dns_name_resolve(cloud_init_t)
+ sysnet_filetrans_cloud_net_conf(cloud_init_t)
+')
+
+optional_policy(`
+ rpm_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ unconfined_domain(cloud_init_t)
+')
+
+########################################
+#
+# deltacloudd local policy
+#
+
+allow deltacloudd_t self:capability { dac_read_search setuid setgid };
+
+allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
+allow deltacloudd_t self:udp_socket create_socket_perms;
+
+allow deltacloudd_t self:process signal;
+
+allow deltacloudd_t self:fifo_file rw_fifo_file_perms;
+allow deltacloudd_t self:tcp_socket create_stream_socket_perms;
+allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
+manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
+files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })
+
+manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
+manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
+manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
+files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir })
+
+manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
+manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
+logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })
+
+kernel_read_kernel_sysctls(deltacloudd_t)
+kernel_read_system_state(deltacloudd_t)
+kernel_read_network_state(deltacloudd_t)
+
+corecmd_exec_bin(deltacloudd_t)
+
+corenet_tcp_bind_generic_node(deltacloudd_t)
+corenet_tcp_bind_generic_port(deltacloudd_t)
+corenet_tcp_connect_http_port(deltacloudd_t)
+corenet_tcp_connect_keystone_port(deltacloudd_t)
+
+auth_use_nsswitch(deltacloudd_t)
+
+logging_send_syslog_msg(deltacloudd_t)
+
+optional_policy(`
+ sysnet_read_config(deltacloudd_t)
+')
+
+########################################
+#
+# iwhd local policy
+#
+
+allow iwhd_t self:capability { chown kill };
+allow iwhd_t self:process { fork };
+
+allow iwhd_t self:netlink_route_socket r_netlink_socket_perms;
+allow iwhd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
+manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
+
+manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t)
+logging_log_filetrans(iwhd_t, iwhd_log_t, { file })
+
+manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
+manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
+files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file })
+
+kernel_read_system_state(iwhd_t)
+
+corenet_tcp_bind_generic_node(iwhd_t)
+corenet_tcp_bind_websm_port(iwhd_t)
+corenet_tcp_connect_all_ports(iwhd_t)
+
+dev_read_rand(iwhd_t)
+dev_read_urand(iwhd_t)
+
+userdom_home_manager(iwhd_t)
+
diff --git a/cmirrord.if b/cmirrord.if
index cc4e7cb96..f348d2746 100644
--- a/cmirrord.if
+++ b/cmirrord.if
@@ -73,10 +73,11 @@ interface(`cmirrord_rw_shm',`
type cmirrord_t, cmirrord_tmpfs_t;
')
- allow $1 cmirrord_t:shm rw_shm_perms;
+ allow $1 cmirrord_t:shm { rw_shm_perms destroy };
allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
fs_search_tmpfs($1)
')
@@ -103,9 +104,13 @@ interface(`cmirrord_admin',`
type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
')
- allow $1 cmirrord_t:process { ptrace signal_perms };
+ allow $1 cmirrord_t:process signal_perms;
ps_process_pattern($1, cmirrord_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cmirrord_t:process ptrace;
+ ')
+
cmirrord_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 cmirrord_initrc_exec_t system_r;
diff --git a/cmirrord.te b/cmirrord.te
index bbdd3960e..28b176182 100644
--- a/cmirrord.te
+++ b/cmirrord.te
@@ -23,13 +23,14 @@ files_pid_file(cmirrord_var_run_t)
# Local policy
#
-allow cmirrord_t self:capability { net_admin kill };
+allow cmirrord_t self:capability { sys_admin net_admin kill };
dontaudit cmirrord_t self:capability sys_tty_config;
allow cmirrord_t self:process { setfscreate signal };
allow cmirrord_t self:fifo_file rw_fifo_file_perms;
allow cmirrord_t self:sem create_sem_perms;
allow cmirrord_t self:shm create_shm_perms;
allow cmirrord_t self:netlink_socket create_socket_perms;
+allow cmirrord_t self:netlink_connector_socket create_socket_perms;
allow cmirrord_t self:unix_stream_socket { accept listen };
manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
@@ -42,16 +43,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
domain_use_interactive_fds(cmirrord_t)
domain_obj_id_change_exemption(cmirrord_t)
-files_read_etc_files(cmirrord_t)
-
storage_create_fixed_disk_dev(cmirrord_t)
+storage_raw_read_fixed_disk(cmirrord_t)
+storage_rw_inherited_fixed_disk_dev(cmirrord_t)
seutil_read_file_contexts(cmirrord_t)
logging_send_syslog_msg(cmirrord_t)
-miscfiles_read_localization(cmirrord_t)
-
optional_policy(`
corosync_stream_connect(cmirrord_t)
')
+
+optional_policy(`
+ rhcs_rw_cluster_tmpfs(cmirrord_t)
+')
diff --git a/cobbler.fc b/cobbler.fc
index 973d208ff..6ce88039f 100644
--- a/cobbler.fc
+++ b/cobbler.fc
@@ -4,11 +4,15 @@
/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
+/var/cache/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/aarch64(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/boot(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/images2(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
diff --git a/cobbler.if b/cobbler.if
index c223f8132..8b567c191 100644
--- a/cobbler.if
+++ b/cobbler.if
@@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',`
init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
')
+
+
+########################################
+## <summary>
+## Read cobbler configuration dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cobbler_list_config',`
+ gen_require(`
+ type cobbler_etc_t;
+ ')
+
+ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
+ files_search_etc($1)
+')
+
+
########################################
## <summary>
## Read cobbler configuration files.
@@ -112,6 +134,7 @@ interface(`cobbler_read_lib_files',`
files_search_var_lib($1)
read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
')
########################################
@@ -132,6 +155,8 @@ interface(`cobbler_manage_lib_files',`
files_search_var_lib($1)
manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
')
########################################
@@ -176,8 +201,8 @@ interface(`cobblerd_admin',`
interface(`cobbler_admin',`
gen_require(`
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
- type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
- type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, cobbler_tmp_t;
+ type cobbler_etc_t, cobblerd_initrc_exec_t;
+ type cobbler_tmp_t;
')
allow $1 cobblerd_t:process { ptrace signal_perms };
@@ -199,7 +224,4 @@ interface(`cobbler_admin',`
logging_search_logs($1)
admin_pattern($1, cobbler_var_log_t)
-
- apache_search_sys_content($1)
- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
')
diff --git a/cobbler.te b/cobbler.te
index 5f306dd44..0a4711b5d 100644
--- a/cobbler.te
+++ b/cobbler.te
@@ -62,11 +62,12 @@ files_tmp_file(cobbler_tmp_t)
# Local policy
#
-allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
+allow cobblerd_t self:capability { chown dac_read_search fowner fsetid sys_nice };
dontaudit cobblerd_t self:capability sys_tty_config;
allow cobblerd_t self:process { getsched setsched signal };
allow cobblerd_t self:fifo_file rw_fifo_file_perms;
allow cobblerd_t self:tcp_socket { accept listen };
+allow cobblerd_t self:netlink_audit_socket create_socket_perms;
allow cobblerd_t cobbler_etc_t:dir list_dir_perms;
allow cobblerd_t cobbler_etc_t:file read_file_perms;
@@ -81,6 +82,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir)
+files_var_filetrans(cobblerd_t, cobbler_var_lib_t, dir, "cobbler")
append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
@@ -89,7 +91,7 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
kernel_read_system_state(cobblerd_t)
-kernel_dontaudit_search_network_state(cobblerd_t)
+kernel_read_network_state(cobblerd_t)
corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)
@@ -112,14 +114,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t)
corenet_tcp_connect_http_port(cobblerd_t)
corenet_sendrecv_http_client_packets(cobblerd_t)
+dev_read_sysfs(cobblerd_t)
dev_read_urand(cobblerd_t)
files_list_boot(cobblerd_t)
files_list_tmp(cobblerd_t)
files_read_boot_files(cobblerd_t)
-files_read_etc_files(cobblerd_t)
files_read_etc_runtime_files(cobblerd_t)
-files_read_usr_files(cobblerd_t)
fs_getattr_all_fs(cobblerd_t)
fs_read_iso9660_files(cobblerd_t)
@@ -128,6 +129,8 @@ selinux_get_enforce_mode(cobblerd_t)
term_use_console(cobblerd_t)
+auth_use_nsswitch(cobblerd_t)
+
logging_send_syslog_msg(cobblerd_t)
miscfiles_read_localization(cobblerd_t)
@@ -160,6 +163,7 @@ tunable_policy(`cobbler_use_nfs',`
')
optional_policy(`
+ apache_domtrans(cobblerd_t)
apache_search_sys_content(cobblerd_t)
')
@@ -170,6 +174,7 @@ optional_policy(`
bind_domtrans(cobblerd_t)
bind_initrc_domtrans(cobblerd_t)
bind_manage_zone(cobblerd_t)
+ bind_systemctl(cobblerd_t)
')
optional_policy(`
@@ -179,12 +184,22 @@ optional_policy(`
optional_policy(`
dhcpd_domtrans(cobblerd_t)
dhcpd_initrc_domtrans(cobblerd_t)
+ dhcpd_systemctl(cobblerd_t)
')
optional_policy(`
dnsmasq_domtrans(cobblerd_t)
dnsmasq_initrc_domtrans(cobblerd_t)
dnsmasq_write_config(cobblerd_t)
+ dnsmasq_systemctl(cobblerd_t)
+')
+
+optional_policy(`
+ libs_exec_ldconfig(cobblerd_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(cobblerd_t)
')
optional_policy(`
@@ -192,13 +207,14 @@ optional_policy(`
')
optional_policy(`
+ rsync_exec(cobblerd_t)
rsync_read_config(cobblerd_t)
- rsync_manage_config_files(cobblerd_t)
+ rsync_manage_config(cobblerd_t)
rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf")
')
optional_policy(`
- tftp_manage_config_files(cobblerd_t)
- tftp_etc_filetrans_config(cobblerd_t, file, "tftp")
+ tftp_manage_config(cobblerd_t)
+ tftp_delete_content_dirs(cobblerd_t)
tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
')
diff --git a/cockpit.fc b/cockpit.fc
new file mode 100644
index 000000000..bf801737d
--- /dev/null
+++ b/cockpit.fc
@@ -0,0 +1,13 @@
+# cockpit stuff
+
+/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
+/etc/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
+
+/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+
+/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+/usr/libexec/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+
+/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0)
+
+/var/run/cockpit-ws(/.*)? gen_context(system_u:object_r:cockpit_var_run_t,s0)
diff --git a/cockpit.if b/cockpit.if
new file mode 100644
index 000000000..d5920c061
--- /dev/null
+++ b/cockpit.if
@@ -0,0 +1,188 @@
+## <summary>policy for cockpit</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the cockpit domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cockpit_ws_domtrans',`
+ gen_require(`
+ type cockpit_ws_t, cockpit_ws_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cockpit_ws_exec_t, cockpit_ws_t)
+')
+
+########################################
+## <summary>
+## Execute TEMPLATE in the cockpit domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cockpit_session_domtrans',`
+ gen_require(`
+ type cockpit_session_t, cockpit_session_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cockpit_session_exec_t, cockpit_session_t)
+')
+
+########################################
+## <summary>
+## Search cockpit lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cockpit_search_lib',`
+ gen_require(`
+ type cockpit_var_lib_t;
+ ')
+
+ allow $1 cockpit_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read cockpit lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cockpit_read_lib_files',`
+ gen_require(`
+ type cockpit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage cockpit lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cockpit_manage_lib_files',`
+ gen_require(`
+ type cockpit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage cockpit lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cockpit_manage_lib_dirs',`
+ gen_require(`
+ type cockpit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+## <summary>
+## Execute cockpit server in the cockpit domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cockpit_systemctl',`
+ gen_require(`
+ type cockpit_ws_t;
+ type cockpit_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 cockpit_unit_file_t:file read_file_perms;
+ allow $1 cockpit_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, cockpit_ws_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an cockpit environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cockpit_admin',`
+ gen_require(`
+ type cockpit_ws_t;
+ type cockpit_session_t;
+ type cockpit_var_lib_t;
+ type cockpit_var_run_t;
+ type cockpit_unit_file_t;
+ ')
+
+ allow $1 cockpit_ws_t:process { signal_perms };
+ ps_process_pattern($1, cockpit_ws_t)
+
+ allow $1 cockpit_session_t:process { signal_perms };
+ ps_process_pattern($1, cockpit_session_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cockpit_ws_t:process ptrace;
+ allow $1 cockpit_session_t:process ptrace;
+ ')
+
+ files_search_var_lib($1)
+ admin_pattern($1, cockpit_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, cockpit_var_run_t)
+
+ cockpit_systemctl($1)
+ admin_pattern($1, cockpit_unit_file_t)
+ allow $1 cockpit_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/cockpit.te b/cockpit.te
new file mode 100644
index 000000000..a830e90b5
--- /dev/null
+++ b/cockpit.te
@@ -0,0 +1,123 @@
+policy_module(cockpit, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cockpit_ws_t;
+type cockpit_ws_exec_t;
+init_daemon_domain(cockpit_ws_t,cockpit_ws_exec_t)
+
+type cockpit_tmp_t;
+files_tmp_file(cockpit_tmp_t)
+
+type cockpit_var_run_t;
+files_pid_file(cockpit_var_run_t)
+
+type cockpit_unit_file_t;
+systemd_unit_file(cockpit_unit_file_t)
+
+type cockpit_var_lib_t;
+files_type(cockpit_var_lib_t)
+
+type cockpit_session_t;
+type cockpit_session_exec_t;
+domain_type(cockpit_session_t)
+domain_entry_file(cockpit_session_t,cockpit_session_exec_t)
+
+########################################
+#
+# cockpit_ws_t local policy
+#
+
+allow cockpit_ws_t self:capability net_admin;
+allow cockpit_ws_t self:tcp_socket create_stream_socket_perms;
+
+# cockpit-ws can execute cockpit-session
+can_exec(cockpit_ws_t,cockpit_session_exec_t)
+
+# cockpit-ws can read from /dev/urandom
+dev_read_urand(cockpit_ws_t) # for authkey
+dev_read_rand(cockpit_ws_t) # for libssh
+
+corenet_tcp_bind_websm_port(cockpit_ws_t)
+
+# cockpit-ws can connect to other hosts via ssh
+corenet_tcp_connect_ssh_port(cockpit_ws_t)
+
+# cockpit-ws can write to its temp files
+manage_dirs_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
+manage_files_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
+files_tmp_filetrans(cockpit_ws_t, cockpit_tmp_t, { dir file })
+
+manage_dirs_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t)
+manage_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t)
+manage_lnk_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t)
+manage_sock_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t)
+files_pid_filetrans(cockpit_ws_t, cockpit_var_run_t, { file dir sock_file })
+
+manage_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
+manage_dirs_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
+
+auth_use_nsswitch(cockpit_ws_t)
+
+files_mmap_usr_files(cockpit_ws_t)
+
+init_stream_connect(cockpit_ws_t)
+
+logging_send_syslog_msg(cockpit_ws_t)
+
+# cockpit-ws launches cockpit-session
+cockpit_session_domtrans(cockpit_ws_t)
+allow cockpit_ws_t cockpit_session_t:process signal_perms;
+
+# cockpit-session communicates back with cockpit-ws
+allow cockpit_session_t cockpit_ws_t:unix_stream_socket rw_stream_socket_perms;
+
+optional_policy(`
+ kerberos_use(cockpit_ws_t)
+ kerberos_etc_filetrans_keytab(cockpit_ws_t)
+')
+
+optional_policy(`
+ ssh_read_user_home_files(cockpit_ws_t)
+')
+
+#########################################################
+#
+# cockpit-session local policy
+#
+
+# cockpit-session changes to the actual logged in user
+allow cockpit_session_t self:capability { sys_admin dac_read_search setuid setgid sys_resource};
+allow cockpit_session_t self:process { setexec setsched signal_perms setrlimit };
+
+read_files_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t)
+list_dirs_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t)
+
+manage_dirs_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
+manage_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
+files_tmp_filetrans(cockpit_session_t, cockpit_tmp_t, { dir file })
+
+# cockpit-session runs a full pam stack, including pam_selinux.so
+auth_login_pgm_domain(cockpit_session_t)
+# cockpit-session resseting expired passwords
+auth_manage_passwd(cockpit_session_t)
+auth_manage_shadow(cockpit_session_t)
+auth_write_login_records(cockpit_session_t)
+
+corenet_tcp_bind_ssh_port(cockpit_session_t)
+corenet_tcp_connect_ssh_port(cockpit_session_t)
+
+# cockpit-session can execute cockpit-agent as the user
+userdom_spec_domtrans_all_users(cockpit_session_t)
+usermanage_read_crack_db(cockpit_session_t)
+
+optional_policy(`
+ userdom_signal_all_users(cockpit_session_t)
+')
+
+optional_policy(`
+ unconfined_domtrans(cockpit_session_t)
+')
diff --git a/collectd.fc b/collectd.fc
index 79a3abe3a..3ee73d17d 100644
--- a/collectd.fc
+++ b/collectd.fc
@@ -1,9 +1,13 @@
/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
+/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
+
/usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
/var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0)
+/var/run/collectd(/.*)? gen_context(system_u:object_r:collectd_var_run_t,s0)
+/var/run/collectd-unixsock -s gen_context(system_u:object_r:collectd_var_run_t,s0)
-/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
+/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:collectd_script_exec_t,s0)
diff --git a/collectd.if b/collectd.if
index 954309e64..67801421b 100644
--- a/collectd.if
+++ b/collectd.if
@@ -2,8 +2,145 @@
########################################
## <summary>
-## All of the rules required to
-## administrate an collectd environment.
+## Transition to collectd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`collectd_domtrans',`
+ gen_require(`
+ type collectd_t, collectd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, collectd_exec_t, collectd_t)
+')
+
+########################################
+## <summary>
+## Execute collectd server in the collectd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`collectd_initrc_domtrans',`
+ gen_require(`
+ type collectd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, collectd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Search collectd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`collectd_search_lib',`
+ gen_require(`
+ type collectd_var_lib_t;
+ ')
+
+ allow $1 collectd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read collectd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`collectd_read_lib_files',`
+ gen_require(`
+ type collectd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage collectd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`collectd_manage_lib_files',`
+ gen_require(`
+ type collectd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage collectd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`collectd_manage_lib_dirs',`
+ gen_require(`
+ type collectd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Execute collectd server in the collectd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`collectd_systemctl',`
+ gen_require(`
+ type collectd_t;
+ type collectd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 collectd_unit_file_t:file read_file_perms;
+ allow $1 collectd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, collectd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an collectd environment
## </summary>
## <param name="domain">
## <summary>
@@ -20,13 +157,17 @@
interface(`collectd_admin',`
gen_require(`
type collectd_t, collectd_initrc_exec_t, collectd_var_run_t;
- type collectd_var_lib_t;
+ type collectd_var_lib_t, collectd_unit_file_t;
')
- allow $1 collectd_t:process { ptrace signal_perms };
+ allow $1 collectd_t:process signal_perms;
ps_process_pattern($1, collectd_t)
- init_labeled_script_domtrans($1, collectd_initrc_exec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 collectd_t:process ptrace;
+ ')
+
+ collectd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 collectd_initrc_exec_t system_r;
allow $2 system_r;
@@ -36,4 +177,9 @@ interface(`collectd_admin',`
files_search_var_lib($1)
admin_pattern($1, collectd_var_lib_t)
+
+ collectd_systemctl($1)
+ admin_pattern($1, collectd_unit_file_t)
+ allow $1 collectd_unit_file_t:service all_service_perms;
')
+
diff --git a/collectd.te b/collectd.te
index 6471fa8c4..90d2b5324 100644
--- a/collectd.te
+++ b/collectd.te
@@ -26,43 +26,61 @@ files_type(collectd_var_lib_t)
type collectd_var_run_t;
files_pid_file(collectd_var_run_t)
+type collectd_unit_file_t;
+systemd_unit_file(collectd_unit_file_t)
+
apache_content_template(collectd)
+apache_content_alias_template(collectd, collectd)
+
+type collectd_script_tmp_t alias httpd_collectd_script_tmp_t;
+files_tmp_file(collectd_script_tmp_t)
########################################
#
# Local policy
#
-allow collectd_t self:capability { ipc_lock sys_nice };
+allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_read_search setuid setgid };
allow collectd_t self:process { getsched setsched signal };
allow collectd_t self:fifo_file rw_fifo_file_perms;
allow collectd_t self:packet_socket create_socket_perms;
-allow collectd_t self:unix_stream_socket { accept listen };
+allow collectd_t self:rawip_socket create_socket_perms;
+allow collectd_t self:unix_stream_socket { accept listen connectto };
+allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+allow collectd_t self:udp_socket create_socket_perms;
+allow collectd_t self:rawip_socket create_socket_perms;
manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
-files_pid_filetrans(collectd_t, collectd_var_run_t, file)
+manage_dirs_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
+manage_sock_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
+files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file sock_file})
-domain_use_interactive_fds(collectd_t)
+kernel_read_all_sysctls(collectd_t)
+kernel_read_all_proc(collectd_t)
+kernel_list_all_proc(collectd_t)
+
+auth_use_nsswitch(collectd_t)
-kernel_read_network_state(collectd_t)
-kernel_read_net_sysctls(collectd_t)
-kernel_read_system_state(collectd_t)
+corenet_udp_bind_generic_node(collectd_t)
+corenet_udp_bind_collectd_port(collectd_t)
dev_read_rand(collectd_t)
dev_read_sysfs(collectd_t)
dev_read_urand(collectd_t)
+domain_use_interactive_fds(collectd_t)
+domain_read_all_domains_state(collectd_t)
+
files_getattr_all_dirs(collectd_t)
-files_read_etc_files(collectd_t)
-files_read_usr_files(collectd_t)
fs_getattr_all_fs(collectd_t)
+fs_getattr_all_dirs(collectd_t)
-miscfiles_read_localization(collectd_t)
+init_read_utmp(collectd_t)
logging_send_syslog_msg(collectd_t)
@@ -75,16 +93,47 @@ tunable_policy(`collectd_tcp_network_connect',`
')
optional_policy(`
+ lvm_read_config(collectd_t)
+')
+
+optional_policy(`
+ pdns_stream_connect(collectd_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(collectd_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(collectd_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(collectd_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_dirs(collectd_t)
+')
+
+optional_policy(`
virt_read_config(collectd_t)
+ virt_stream_connect(collectd_t)
')
########################################
#
-# Web local policy
+# Web collectd local policy
#
-optional_policy(`
- read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
- list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
- miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
-')
+
+files_search_var_lib(collectd_script_t)
+read_files_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+list_dirs_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+miscfiles_setattr_fonts_cache_dirs(collectd_script_t)
+
+manage_dirs_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
+manage_files_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
+files_tmp_filetrans(collectd_script_t, collectd_script_tmp_t, { file dir })
+
+auth_read_passwd(collectd_script_t)
diff --git a/colord.fc b/colord.fc
index 71639eb54..08ab89171 100644
--- a/colord.fc
+++ b/colord.fc
@@ -7,5 +7,7 @@
/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
/usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
+/usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0)
+
/var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
/var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
diff --git a/colord.if b/colord.if
index 8e27a37c1..c69be28b9 100644
--- a/colord.if
+++ b/colord.if
@@ -1,4 +1,4 @@
-## <summary>GNOME color manager.</summary>
+## <summary>GNOME color manager</summary>
########################################
## <summary>
@@ -15,7 +15,6 @@ interface(`colord_domtrans',`
type colord_t, colord_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, colord_exec_t, colord_t)
')
@@ -38,6 +37,7 @@ interface(`colord_dbus_chat',`
allow $1 colord_t:dbus send_msg;
allow colord_t $1:dbus send_msg;
+ ps_process_pattern(colord_t, $1)
')
######################################
@@ -58,3 +58,27 @@ interface(`colord_read_lib_files',`
files_search_var_lib($1)
read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
')
+
+########################################
+## <summary>
+## Execute colord server in the colord domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`colord_systemctl',`
+ gen_require(`
+ type colord_t;
+ type colord_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 colord_unit_file_t:file read_file_perms;
+ allow $1 colord_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, colord_t)
+')
diff --git a/colord.te b/colord.te
index 9f2dfb233..5f29a909f 100644
--- a/colord.te
+++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.1.0)
type colord_t;
type colord_exec_t;
dbus_system_domain(colord_t, colord_exec_t)
+init_daemon_domain(colord_t, colord_exec_t)
type colord_tmp_t;
files_tmp_file(colord_tmp_t)
@@ -18,18 +19,24 @@ files_tmpfs_file(colord_tmpfs_t)
type colord_var_lib_t;
files_type(colord_var_lib_t)
+type colord_unit_file_t;
+systemd_unit_file(colord_unit_file_t)
+
########################################
#
# Local policy
#
-allow colord_t self:capability { dac_read_search dac_override };
+allow colord_t self:capability { dac_read_search };
dontaudit colord_t self:capability sys_admin;
allow colord_t self:process signal;
+
allow colord_t self:fifo_file rw_fifo_file_perms;
allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow colord_t self:tcp_socket { accept listen };
+allow colord_t self:tcp_socket create_stream_socket_perms;
allow colord_t self:shm create_shm_perms;
+allow colord_t self:udp_socket create_socket_perms;
+allow colord_t self:unix_dgram_socket create_socket_perms;
manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
@@ -74,22 +81,21 @@ dev_read_video_dev(colord_t)
dev_write_video_dev(colord_t)
dev_rw_printer(colord_t)
dev_read_rand(colord_t)
-dev_read_sysfs(colord_t)
dev_read_urand(colord_t)
-dev_list_sysfs(colord_t)
+dev_read_sysfs(colord_t)
dev_rw_generic_usb_dev(colord_t)
domain_use_interactive_fds(colord_t)
files_list_mnt(colord_t)
-files_read_usr_files(colord_t)
-fs_getattr_noxattr_fs(colord_t)
-fs_getattr_tmpfs(colord_t)
+fs_getattr_all_fs(colord_t)
fs_list_noxattr_fs(colord_t)
fs_read_noxattr_fs_files(colord_t)
fs_search_all(colord_t)
fs_dontaudit_getattr_all_fs(colord_t)
+fs_getattr_tmpfs(colord_t)
+fs_read_cgroup_files(colord_t)
storage_getattr_fixed_disk_dev(colord_t)
storage_getattr_removable_dev(colord_t)
@@ -100,19 +106,17 @@ init_read_state(colord_t)
auth_use_nsswitch(colord_t)
-logging_send_syslog_msg(colord_t)
+init_read_state(colord_t)
-miscfiles_read_localization(colord_t)
+logging_send_syslog_msg(colord_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_getattr_nfs(colord_t)
- fs_read_nfs_files(colord_t)
-')
+systemd_read_logind_sessions_files(colord_t)
+systemd_hwdb_manage_config(colord_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_getattr_cifs(colord_t)
- fs_read_cifs_files(colord_t)
-')
+userdom_rw_user_tmp_files(colord_t)
+userdom_home_reader(colord_t)
+userdom_list_user_home_content(colord_t)
+userdom_read_inherited_user_home_content_files(colord_t)
optional_policy(`
cups_read_config(colord_t)
@@ -120,6 +124,13 @@ optional_policy(`
cups_read_state(colord_t)
cups_stream_connect(colord_t)
cups_dbus_chat(colord_t)
+ cups_read_state(colord_t)
+')
+
+optional_policy(`
+ gnome_read_home_icc_data_content(colord_t)
+ # Fixes lots of breakage in F16 on upgrade
+ gnome_read_generic_data_home_files(colord_t)
')
optional_policy(`
@@ -134,6 +145,23 @@ optional_policy(`
')
optional_policy(`
+ systemd_hwdb_read_config(colord_t)
+')
+
+optional_policy(`
udev_read_db(colord_t)
udev_read_pid_files(colord_t)
')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(colord_t)
+ xserver_read_xdm_state(colord_t)
+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
+ xserver_read_inherited_xdm_lib_files(colord_t)
+ # allow to read /run/initial-setup-$username
+ xserver_read_xdm_pid(colord_t)
+')
+
+optional_policy(`
+ zoneminder_rw_tmpfs_files(colord_t)
+')
diff --git a/comsat.te b/comsat.te
index c63cf8556..dc6998b60 100644
--- a/comsat.te
+++ b/comsat.te
@@ -37,6 +37,13 @@ kernel_read_kernel_sysctls(comsat_t)
kernel_read_network_state(comsat_t)
kernel_read_system_state(comsat_t)
+corenet_all_recvfrom_netlabel(comsat_t)
+corenet_tcp_sendrecv_generic_if(comsat_t)
+corenet_udp_sendrecv_generic_if(comsat_t)
+corenet_tcp_sendrecv_generic_node(comsat_t)
+corenet_udp_sendrecv_generic_node(comsat_t)
+corenet_udp_sendrecv_all_ports(comsat_t)
+
dev_read_urand(comsat_t)
fs_getattr_xattr_fs(comsat_t)
@@ -52,8 +59,6 @@ init_dontaudit_write_utmp(comsat_t)
logging_send_syslog_msg(comsat_t)
-miscfiles_read_localization(comsat_t)
-
userdom_dontaudit_getattr_user_ttys(comsat_t)
mta_getattr_spool(comsat_t)
diff --git a/condor.fc b/condor.fc
index ad2b69606..28d1af020 100644
--- a/condor.fc
+++ b/condor.fc
@@ -1,6 +1,7 @@
/etc/condor(/.*)? gen_context(system_u:object_r:condor_conf_t,s0)
/etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0)
+/usr/lib/systemd/system/condor.* -- gen_context(system_u:object_r:condor_unit_file_t,s0)
/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
diff --git a/condor.if b/condor.if
index 881d92f35..a2d588a51 100644
--- a/condor.if
+++ b/condor.if
@@ -1,75 +1,391 @@
-## <summary>High-Throughput Computing System.</summary>
+
+## <summary>policy for condor</summary>
+
+#####################################
+## <summary>
+## Creates types and rules for a basic
+## condor init daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`condor_domain_template',`
+ gen_require(`
+ type condor_master_t;
+ attribute condor_domain;
+ ')
+
+ #############################
+ #
+ # Declarations
+ #
+
+ type condor_$1_t, condor_domain;
+ type condor_$1_exec_t;
+ init_daemon_domain(condor_$1_t, condor_$1_exec_t)
+ role system_r types condor_$1_t;
+
+ domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
+ allow condor_master_t condor_$1_exec_t:file ioctl;
+
+ kernel_read_system_state(condor_$1_t)
+
+ corenet_all_recvfrom_netlabel(condor_$1_t)
+ corenet_all_recvfrom_unlabeled(condor_$1_t)
+
+ auth_use_nsswitch(condor_$1_t)
+
+ logging_send_syslog_msg(condor_$1_t)
+')
+
+########################################
+## <summary>
+## Transition to condor.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`condor_domtrans_master',`
+ gen_require(`
+ type condor_master_t, condor_master_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, condor_master_exec_t, condor_master_t)
+')
+
+#######################################
+## <summary>
+## Allows to start userland processes
+## by transitioning to the specified domain,
+## with a range transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## The process type entered by condor_startd.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The executable type for the entrypoint.
+## </summary>
+## </param>
+## <param name="range">
+## <summary>
+## Range for the domain.
+## </summary>
+## </param>
+#
+interface(`condor_startd_ranged_domtrans_to',`
+ gen_require(`
+ type sshd_t;
+ ')
+ condor_startd_domtrans_to($1, $2)
+
+
+ ifdef(`enable_mcs',`
+ range_transition condor_startd_t $2:process $3;
+ ')
+
+')
#######################################
## <summary>
-## The template to define a condor domain.
+## Allows to start userlandprocesses
+## by transitioning to the specified domain.
## </summary>
-## <param name="domain_prefix">
+## <param name="domain">
+## <summary>
+## The process type entered by condor_startd.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The executable type for the entrypoint.
+## </summary>
+## </param>
+#
+interface(`condor_startd_domtrans_to',`
+ gen_require(`
+ type condor_startd_t;
+ ')
+
+ domtrans_pattern(condor_startd_t, $2, $1)
+')
+
+########################################
+## <summary>
+## Read condor's log files.
+## </summary>
+## <param name="domain">
## <summary>
-## Domain prefix to be used.
+## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
-template(`condor_domain_template',`
+interface(`condor_read_log',`
gen_require(`
- attribute condor_domain;
- type condor_master_t;
+ type condor_log_t;
')
- #############################
- #
- # Declarations
- #
+ logging_search_logs($1)
+ read_files_pattern($1, condor_log_t, condor_log_t)
+')
- type condor_$1_t, condor_domain;
- type condor_$1_exec_t;
- domain_type(condor_$1_t)
- domain_entry_file(condor_$1_t, condor_$1_exec_t)
- role system_r types condor_$1_t;
+########################################
+## <summary>
+## Append to condor log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`condor_append_log',`
+ gen_require(`
+ type condor_log_t;
+ ')
- #############################
- #
- # Policy
- #
+ logging_search_logs($1)
+ append_files_pattern($1, condor_log_t, condor_log_t)
+')
- domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
- allow condor_master_t condor_$1_exec_t:file ioctl;
+########################################
+## <summary>
+## Manage condor log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`condor_manage_log',`
+ gen_require(`
+ type condor_log_t;
+ ')
- auth_use_nsswitch(condor_$1_t)
+ logging_search_logs($1)
+ manage_dirs_pattern($1, condor_log_t, condor_log_t)
+ manage_files_pattern($1, condor_log_t, condor_log_t)
+ manage_lnk_files_pattern($1, condor_log_t, condor_log_t)
')
########################################
## <summary>
-## All of the rules required to
-## administrate an condor environment.
+## Search condor lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+#
+interface(`condor_search_lib',`
+ gen_require(`
+ type condor_var_lib_t;
+ ')
+
+ allow $1 condor_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read condor lib files.
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`condor_admin',`
+interface(`condor_read_lib_files',`
+ gen_require(`
+ type condor_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+######################################
+## <summary>
+## Read and write condor lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`condor_rw_lib_files',`
+ gen_require(`
+ type condor_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage condor lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`condor_manage_lib_files',`
+ gen_require(`
+ type condor_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage condor lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`condor_manage_lib_dirs',`
+ gen_require(`
+ type condor_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read condor PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`condor_read_pid_files',`
gen_require(`
- attribute condor_domain;
- type condor_initrc_exec_config_t, condor_log_t;
- type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
- type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
+ type condor_var_run_t;
')
- allow $1 condor_domain:process { ptrace signal_perms };
+ files_search_pids($1)
+ allow $1 condor_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute condor server in the condor domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`condor_systemctl',`
+ gen_require(`
+ type condor_domain;
+ type condor_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 condor_unit_file_t:file read_file_perms;
+ allow $1 condor_unit_file_t:service manage_service_perms;
+
ps_process_pattern($1, condor_domain)
+')
+
+#######################################
+## <summary>
+## Read and write condor_startd server TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`condor_rw_tcp_sockets_startd',`
+ gen_require(`
+ type condor_startd_t;
+ ')
- init_labeled_script_domtrans($1, condor_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 condor_initrc_exec_t system_r;
- allow $2 system_r;
+ allow $1 condor_startd_t:tcp_socket rw_socket_perms;
+')
+
+######################################
+## <summary>
+## Read and write condor_schedd server TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`condor_rw_tcp_sockets_schedd',`
+ gen_require(`
+ type condor_schedd_t;
+ ')
+
+ allow $1 condor_schedd_t:tcp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an condor environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`condor_admin',`
+ gen_require(`
+ attribute condor_domain;
+ type condor_initrc_exec_t, condor_log_t, condor_conf_t;
+ type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
+ type condor_var_run_t, condor_startd_tmp_t;
+ type condor_unit_file_t;
+ ')
+
+ allow $1 condor_domain:process { signal_perms };
+ ps_process_pattern($1, condor_domain)
+
+ init_labeled_script_domtrans($1, condor_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 condor_initrc_exec_t system_r;
+ allow $2 system_r;
files_search_etc($1)
admin_pattern($1, condor_conf_t)
@@ -77,8 +393,8 @@ interface(`condor_admin',`
logging_search_logs($1)
admin_pattern($1, condor_log_t)
- files_search_locks($1)
- admin_pattern($1, condor_var_lock_t)
+ files_search_locks($1)
+ admin_pattern($1, condor_var_lock_t)
files_search_var_lib($1)
admin_pattern($1, condor_var_lib_t)
@@ -88,4 +404,13 @@ interface(`condor_admin',`
files_search_tmp($1)
admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })
+
+ condor_systemctl($1)
+ admin_pattern($1, condor_unit_file_t)
+ allow $1 condor_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/condor.te b/condor.te
index ce9f040e2..7c90ce13c 100644
--- a/condor.te
+++ b/condor.te
@@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t)
type condor_startd_tmpfs_t;
files_tmpfs_file(condor_startd_tmpfs_t)
-type condor_conf_t;
+type condor_conf_t alias condor_etc_rw_t;
files_config_file(condor_conf_t)
type condor_log_t;
@@ -49,6 +49,9 @@ files_lock_file(condor_var_lock_t)
type condor_var_run_t;
files_pid_file(condor_var_run_t)
+type condor_unit_file_t;
+systemd_unit_file(condor_unit_file_t)
+
condor_domain_template(collector)
condor_domain_template(negotiator)
condor_domain_template(procd)
@@ -60,10 +63,18 @@ condor_domain_template(startd)
# Global local policy
#
+allow condor_domain self:capability { dac_read_search };
+allow condor_domain self:capability2 block_suspend;
+
allow condor_domain self:process signal_perms;
allow condor_domain self:fifo_file rw_fifo_file_perms;
-allow condor_domain self:tcp_socket { accept listen };
-allow condor_domain self:unix_stream_socket { accept listen };
+allow condor_domain self:tcp_socket create_stream_socket_perms;
+allow condor_domain self:udp_socket create_socket_perms;
+allow condor_domain self:unix_stream_socket create_stream_socket_perms;
+allow condor_domain self:netlink_route_socket r_netlink_socket_perms;
+
+allow condor_domain condor_etc_rw_t:dir list_dir_perms;
+rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
@@ -86,16 +97,16 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
allow condor_domain condor_master_t:process signull;
allow condor_domain condor_master_t:tcp_socket getattr;
+allow condor_domain condor_master_t:udp_socket { read write };
-kernel_read_kernel_sysctls(condor_domain)
kernel_read_network_state(condor_domain)
-kernel_read_system_state(condor_domain)
+kernel_rw_kernel_sysctl(condor_domain)
+kernel_search_network_sysctl(condor_domain)
+kernel_read_vm_sysctls(condor_domain)
corecmd_exec_bin(condor_domain)
corecmd_exec_shell(condor_domain)
-corenet_all_recvfrom_netlabel(condor_domain)
-corenet_all_recvfrom_unlabeled(condor_domain)
corenet_tcp_sendrecv_generic_if(condor_domain)
corenet_tcp_sendrecv_generic_node(condor_domain)
@@ -109,9 +120,9 @@ dev_read_rand(condor_domain)
dev_read_sysfs(condor_domain)
dev_read_urand(condor_domain)
-logging_send_syslog_msg(condor_domain)
+auth_read_passwd(condor_domain)
-miscfiles_read_localization(condor_domain)
+sysnet_dns_name_resolve(condor_domain)
sysnet_dns_name_resolve(condor_domain)
@@ -130,7 +141,7 @@ optional_policy(`
# Master local policy
#
-allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
+allow condor_master_t self:capability { chown setuid setgid sys_ptrace net_admin };
allow condor_master_t condor_domain:process { sigkill signal };
@@ -138,6 +149,12 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
+can_exec(condor_master_t, condor_master_exec_t)
+
+kernel_read_system_state(condor_master_t)
+kernel_read_fs_sysctls(condor_master_t)
+kernel_rw_net_sysctls(condor_master_t)
+
corenet_udp_sendrecv_generic_if(condor_master_t)
corenet_udp_sendrecv_generic_node(condor_master_t)
corenet_tcp_bind_generic_node(condor_master_t)
@@ -157,6 +174,8 @@ domain_read_all_domains_state(condor_master_t)
auth_use_nsswitch(condor_master_t)
+logging_send_syslog_msg(condor_master_t)
+
optional_policy(`
mta_send_mail(condor_master_t)
mta_read_config(condor_master_t)
@@ -174,6 +193,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
kernel_read_network_state(condor_collector_t)
+corenet_tcp_bind_http_port(condor_collector_t)
+
#####################################
#
# Negotiator local policy
@@ -183,12 +204,15 @@ allow condor_negotiator_t self:capability { setuid setgid };
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_negotiator_t condor_master_t:udp_socket getattr;
+corenet_tcp_connect_all_ephemeral_ports(condor_negotiator_t)
+
######################################
#
# Procd local policy
#
-allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
+allow condor_procd_t self:capability { fowner chown kill dac_read_search sys_ptrace };
+allow condor_procd_t self:cap_userns { sys_ptrace };
allow condor_procd_t condor_domain:process sigkill;
@@ -199,13 +223,15 @@ domain_read_all_domains_state(condor_procd_t)
# Schedd local policy
#
-allow condor_schedd_t self:capability { setuid chown setgid dac_override };
+allow condor_schedd_t self:capability { setuid chown setgid dac_read_search };
allow condor_schedd_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_schedd_t condor_master_t:udp_socket getattr;
allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
+allow condor_schedd_t condor_master_tmp_t:dir getattr;
+
domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
@@ -214,12 +240,19 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
+corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t)
+
+optional_policy(`
+ mta_send_mail(condor_schedd_t)
+ mta_read_config(condor_schedd_t)
+')
+
#####################################
#
# Startd local policy
#
-allow condor_startd_t self:capability { setuid net_admin setgid dac_override };
+allow condor_startd_t self:capability { setuid net_admin setgid dac_read_search };
allow condor_startd_t self:process execmem;
manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
@@ -238,11 +271,10 @@ domain_read_all_domains_state(condor_startd_t)
mcs_process_set_categories(condor_startd_t)
init_domtrans_script(condor_startd_t)
+init_initrc_domain(condor_startd_t)
libs_exec_lib_files(condor_startd_t)
-files_read_usr_files(condor_startd_t)
-
optional_policy(`
ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
ssh_domtrans(condor_startd_t)
@@ -254,3 +286,7 @@ optional_policy(`
kerberos_use(condor_startd_ssh_t)
')
')
+
+optional_policy(`
+ unconfined_domain(condor_startd_t)
+')
diff --git a/conman.fc b/conman.fc
new file mode 100644
index 000000000..b13a6f6db
--- /dev/null
+++ b/conman.fc
@@ -0,0 +1,10 @@
+/usr/lib/systemd/system/conman.* -- gen_context(system_u:object_r:conman_unit_file_t,s0)
+
+/usr/sbin/conmand -- gen_context(system_u:object_r:conman_exec_t,s0)
+
+/usr/share/conman/exec(/.*)? gen_context(system_u:object_r:conman_unconfined_script_exec_t,s0)
+
+/var/log/conman(/.*)? gen_context(system_u:object_r:conman_log_t,s0)
+/var/log/conman\.old(/.*)? gen_context(system_u:object_r:conman_log_t,s0)
+
+/var/run/conmand.* -- gen_context(system_u:object_r:conman_var_run_t,s0)
diff --git a/conman.if b/conman.if
new file mode 100644
index 000000000..1cc5fa464
--- /dev/null
+++ b/conman.if
@@ -0,0 +1,143 @@
+## <summary>Conman is a program for connecting to remote consoles being managed by conmand</summary>
+
+########################################
+## <summary>
+## Execute conman in the conman domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`conman_domtrans',`
+ gen_require(`
+ type conman_t, conman_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, conman_exec_t, conman_t)
+')
+
+########################################
+## <summary>
+## Read conman's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`conman_read_log',`
+ gen_require(`
+ type conman_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, conman_log_t, conman_log_t)
+')
+
+########################################
+## <summary>
+## Append to conman log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`conman_append_log',`
+ gen_require(`
+ type conman_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, conman_log_t, conman_log_t)
+')
+
+########################################
+## <summary>
+## Manage conman log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`conman_manage_log',`
+ gen_require(`
+ type conman_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, conman_log_t, conman_log_t)
+ manage_files_pattern($1, conman_log_t, conman_log_t)
+')
+
+########################################
+## <summary>
+## Execute conman server in the conman domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`conman_systemctl',`
+ gen_require(`
+ type conman_t;
+ type conman_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 conman_unit_file_t:file read_file_perms;
+ allow $1 conman_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, conman_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an conman environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`conman_admin',`
+ gen_require(`
+ type conman_t;
+ type conman_log_t;
+ type conman_unit_file_t;
+ ')
+
+ allow $1 conman_t:process { signal_perms };
+ ps_process_pattern($1, conman_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 conman_t:process ptrace;
+ ')
+
+ logging_search_logs($1)
+ admin_pattern($1, conman_log_t)
+
+ conman_systemctl($1)
+ admin_pattern($1, conman_unit_file_t)
+ allow $1 conman_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/conman.te b/conman.te
new file mode 100644
index 000000000..246420052
--- /dev/null
+++ b/conman.te
@@ -0,0 +1,114 @@
+policy_module(conman, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether conman can
+## connect to all TCP ports
+## </p>
+## </desc>
+gen_tunable(conman_can_network, false)
+
+## <desc>
+## <p>
+## Allow conman to manage nfs files
+## </p>
+## </desc>
+gen_tunable(conman_use_nfs, false)
+
+type conman_t;
+type conman_exec_t;
+init_daemon_domain(conman_t, conman_exec_t)
+
+type conman_log_t;
+logging_log_file(conman_log_t)
+
+type conman_tmp_t;
+files_tmp_file(conman_tmp_t)
+
+type conman_var_run_t;
+files_pid_file(conman_var_run_t)
+
+type conman_unit_file_t;
+systemd_unit_file(conman_unit_file_t)
+
+type conman_unconfined_script_t;
+type conman_unconfined_script_exec_t;
+application_domain(conman_unconfined_script_t, conman_unconfined_script_exec_t)
+init_system_domain(conman_unconfined_script_t, conman_unconfined_script_exec_t)
+
+########################################
+#
+# conman local policy
+#
+
+allow conman_t self:capability { sys_tty_config };
+allow conman_t self:process { setrlimit signal_perms };
+
+allow conman_t self:fifo_file rw_fifo_file_perms;
+allow conman_t self:unix_stream_socket create_stream_socket_perms;
+allow conman_t self:tcp_socket { accept listen create_socket_perms };
+
+allow conman_t conman_unconfined_script_t:process sigkill;
+allow conman_t conman_unconfined_script_exec_t:dir list_dir_perms;
+
+manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)
+manage_files_pattern(conman_t, conman_log_t, conman_log_t)
+logging_log_filetrans(conman_t, conman_log_t, { dir })
+
+manage_files_pattern(conman_t, conman_tmp_t, conman_tmp_t)
+manage_dirs_pattern(conman_t, conman_tmp_t, conman_tmp_t)
+files_tmp_filetrans(conman_t, conman_tmp_t, { file dir })
+
+manage_files_pattern(conman_t, conman_var_run_t, conman_var_run_t)
+files_pid_filetrans(conman_t, conman_var_run_t, file)
+
+auth_use_nsswitch(conman_t)
+
+corenet_tcp_bind_generic_node(conman_t)
+corenet_tcp_bind_conman_port(conman_t)
+
+corenet_tcp_connect_all_ephemeral_ports(conman_t)
+
+corecmd_exec_bin(conman_t)
+
+dev_read_urand(conman_t)
+
+logging_send_syslog_msg(conman_t)
+
+sysnet_dns_name_resolve(conman_t)
+
+userdom_use_user_ptys(conman_t)
+
+term_use_usb_ttys(conman_t)
+term_use_ptmx(conman_t)
+
+tunable_policy(`conman_can_network',`
+ corenet_sendrecv_all_client_packets(conman_t)
+ corenet_tcp_connect_all_ports(conman_t)
+ corenet_tcp_sendrecv_all_ports(conman_t)
+')
+
+tunable_policy(`conman_use_nfs',`
+ fs_manage_nfs_files(conman_t)
+ fs_read_nfs_symlinks(conman_t)
+')
+
+optional_policy(`
+ freeipmi_stream_connect(conman_t)
+')
+
+########################################
+#
+# conman script local policy
+#
+
+domtrans_pattern(conman_t, conman_unconfined_script_exec_t, conman_unconfined_script_t)
+
+optional_policy(`
+ unconfined_domain(conman_unconfined_script_t)
+')
diff --git a/conntrackd.fc b/conntrackd.fc
new file mode 100644
index 000000000..c743543cc
--- /dev/null
+++ b/conntrackd.fc
@@ -0,0 +1,11 @@
+/usr/lib/systemd/system/conntrackd.* -- gen_context(system_u:object_r:conntrackd_unit_file_t,s0)
+
+/usr/sbin/conntrackd -- gen_context(system_u:object_r:conntrackd_exec_t,s0)
+
+/etc/conntrackd(/.*)? gen_context(system_u:object_r:conntrackd_conf_t,s0)
+
+/var/log/conntrackd.log gen_context(system_u:object_r:conntrackd_log_t,s0)
+
+/var/lock/conntrack.lock gen_context(system_u:object_r:conntrackd_var_lock_t,s0)
+
+/run/conntrackd.ctl -s gen_context(system_u:object_r:conntrackd_var_run_t,s0)
diff --git a/conntrackd.if b/conntrackd.if
new file mode 100644
index 000000000..601b56a46
--- /dev/null
+++ b/conntrackd.if
@@ -0,0 +1,118 @@
+## <summary>Conntrackd connection tracking service</summary>
+
+########################################
+## <summary>
+## Read the configuration files for conntrackd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`conntrackd_read_config',`
+ gen_require(`
+ type conntrackd_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 conntrackd_conf_t:dir list_dir_perms;
+ read_files_pattern($1, conntrackd_conf_t, conntrackd_conf_t)
+ read_lnk_files_pattern($1, conntrackd_conf_t, conntrackd_conf_t)
+')
+
+########################################
+## <summary>
+## Connect to conntrackd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`conntrackd_stream_connect',`
+ gen_require(`
+ type conntrackd_t, conntrackd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, conntrackd_var_run_t, conntrackd_var_run_t, conntrackd_t)
+')
+
+#######################################
+## <summary>
+## Execute conntrackd services in the conntrackd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`conntrackd_systemctl',`
+ gen_require(`
+ type conntrackd_t;
+ type conntrackd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 conntrackd_unit_file_t:file read_file_perms;
+ allow $1 conntrackd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, conntrackd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an conntrackd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the conntrackd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`conntrackd_admin',`
+ gen_require(`
+ type conntrackd_t, conntrackd_tmp_t, conntrackd_log_t;
+ type conntrackd_conf_t, conntrackd_var_run_t, conntrackd_initrc_exec_t;
+ ')
+
+ allow $1 conntrackd_t:process signal_perms;
+ ps_process_pattern($1, conntrackd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 conntrackd_t:process ptrace;
+ ')
+
+ init_labeled_script_domtrans($1, conntrackd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 conntrackd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, conntrackd_conf_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, conntrackd_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, conntrackd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, conntrackd_var_run_t)
+
+ conntrackd_systemctl($1)
+ admin_pattern($1, conntrackd_unit_file_t)
+ allow $1 conntrackd_unit_file_t:service all_service_perms;
+')
diff --git a/conntrackd.te b/conntrackd.te
new file mode 100644
index 000000000..72e0d23db
--- /dev/null
+++ b/conntrackd.te
@@ -0,0 +1,69 @@
+policy_module(conntrackd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type conntrackd_t;
+type conntrackd_exec_t;
+init_daemon_domain(conntrackd_t, conntrackd_exec_t)
+
+type conntrackd_conf_t;
+files_config_file(conntrackd_conf_t)
+
+type conntrackd_initrc_exec_t;
+init_script_file(conntrackd_initrc_exec_t)
+
+type conntrackd_unit_file_t;
+systemd_unit_file(conntrackd_unit_file_t)
+
+type conntrackd_log_t;
+logging_log_file(conntrackd_log_t)
+
+type conntrackd_var_run_t;
+files_pid_file(conntrackd_var_run_t)
+
+type conntrackd_var_lock_t;
+files_lock_file(conntrackd_var_lock_t)
+
+########################################
+#
+# Local policy
+#
+#
+
+allow conntrackd_t self:capability { sys_nice };
+allow conntrackd_t self:netlink_route_socket rw_netlink_socket_perms;
+allow conntrackd_t self:netlink_netfilter_socket create_socket_perms;
+allow conntrackd_t self:udp_socket create_socket_perms;
+allow conntrackd_t self:unix_dgram_socket create_socket_perms;
+allow conntrackd_t self:process { setsched signal };
+
+allow conntrackd_t conntrackd_conf_t:dir list_dir_perms;
+read_files_pattern(conntrackd_t, conntrackd_conf_t, conntrackd_conf_t)
+read_lnk_files_pattern(conntrackd_t, conntrackd_conf_t, conntrackd_conf_t)
+
+allow conntrackd_t conntrackd_log_t:dir setattr_dir_perms;
+manage_files_pattern(conntrackd_t, conntrackd_log_t, conntrackd_log_t)
+manage_sock_files_pattern(conntrackd_t, conntrackd_log_t, conntrackd_log_t)
+logging_log_filetrans(conntrackd_t, conntrackd_log_t, { sock_file file dir })
+
+manage_dirs_pattern(conntrackd_t, conntrackd_var_run_t, conntrackd_var_run_t)
+manage_files_pattern(conntrackd_t, conntrackd_var_run_t, conntrackd_var_run_t)
+manage_sock_files_pattern(conntrackd_t, conntrackd_var_run_t, conntrackd_var_run_t)
+files_pid_filetrans(conntrackd_t, conntrackd_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(conntrackd_t, conntrackd_var_lock_t, conntrackd_var_lock_t)
+manage_files_pattern(conntrackd_t, conntrackd_var_lock_t, conntrackd_var_lock_t)
+
+files_lock_filetrans(conntrackd_t, conntrackd_var_lock_t, { dir file sock_file })
+
+kernel_read_network_state(conntrackd_t)
+corenet_udp_sendrecv_generic_if(conntrackd_t)
+corenet_udp_sendrecv_generic_node(conntrackd_t)
+corenet_udp_sendrecv_all_ports(conntrackd_t)
+corenet_udp_bind_generic_node(conntrackd_t)
+
+corenet_udp_bind_conntrackd_port(conntrackd_t)
+corenet_udp_sendrecv_conntrackd_port(conntrackd_t)
diff --git a/consolekit.fc b/consolekit.fc
index 23c95582f..29e5fd38d 100644
--- a/consolekit.fc
+++ b/consolekit.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
+
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
diff --git a/consolekit.if b/consolekit.if
index 5b830ec9c..78025c5e7 100644
--- a/consolekit.if
+++ b/consolekit.if
@@ -21,6 +21,27 @@ interface(`consolekit_domtrans',`
########################################
## <summary>
+## dontaudit Send and receive messages from
+## consolekit over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`consolekit_dontaudit_dbus_chat',`
+ gen_require(`
+ type consolekit_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 consolekit_t:dbus send_msg;
+ dontaudit consolekit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## consolekit over dbus.
## </summary>
@@ -42,6 +63,24 @@ interface(`consolekit_dbus_chat',`
########################################
## <summary>
+## Dontaudit attempts to read consolekit log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`consolekit_dontaudit_read_log',`
+ gen_require(`
+ type consolekit_log_t;
+ ')
+
+ dontaudit $1 consolekit_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Read consolekit log files.
## </summary>
## <param name="domain">
@@ -98,3 +137,65 @@ interface(`consolekit_read_pid_files',`
allow $1 consolekit_var_run_t:dir list_dir_perms;
read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
')
+
+########################################
+## <summary>
+## List consolekit PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_list_pid_files',`
+ gen_require(`
+ type consolekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
+
+########################################
+## <summary>
+## Allow the domain to read consolekit state files in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_read_state',`
+ gen_require(`
+ type consolekit_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, consolekit_t)
+')
+
+########################################
+## <summary>
+## Execute consolekit server in the consolekit domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`consolekit_systemctl',`
+ gen_require(`
+ type consolekit_t;
+ type consolekit_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 consolekit_unit_file_t:file read_file_perms;
+ allow $1 consolekit_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, consolekit_t)
+')
diff --git a/consolekit.te b/consolekit.te
index bd18063f6..efa99d8f4 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -19,21 +19,23 @@ type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
+type consolekit_unit_file_t;
+systemd_unit_file(consolekit_unit_file_t)
+
########################################
#
# Local policy
#
-allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
+allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_read_search sys_nice sys_ptrace };
+
allow consolekit_t self:process { getsched signal };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket { accept listen };
-create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-logging_log_filetrans(consolekit_t, consolekit_log_t, file)
+manage_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+logging_log_filetrans(consolekit_t, consolekit_log_t, { dir file })
manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
@@ -54,38 +56,37 @@ dev_read_sysfs(consolekit_t)
domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
-domain_dontaudit_ptrace_all_domains(consolekit_t)
-files_read_usr_files(consolekit_t)
+# needs to read /var/lib/dbus/machine-id
files_read_var_lib_files(consolekit_t)
files_search_all_mountpoints(consolekit_t)
fs_list_inotifyfs(consolekit_t)
-mcs_ptrace_all(consolekit_t)
-
term_use_all_terms(consolekit_t)
auth_use_nsswitch(consolekit_t)
auth_manage_pam_console_data(consolekit_t)
auth_write_login_records(consolekit_t)
auth_create_pam_console_data_dirs(consolekit_t)
-auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
+
+init_read_utmp(consolekit_t)
logging_send_syslog_msg(consolekit_t)
logging_send_audit_msgs(consolekit_t)
-miscfiles_read_localization(consolekit_t)
+systemd_exec_systemctl(consolekit_t)
+systemd_start_power_services(consolekit_t)
+userdom_read_all_users_state(consolekit_t)
userdom_dontaudit_read_user_home_content_files(consolekit_t)
+userdom_dontaudit_getattr_admin_home_files(consolekit_t)
userdom_read_user_tmp_files(consolekit_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(consolekit_t)
-')
+userdom_home_reader(consolekit_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(consolekit_t)
+optional_policy(`
+ cron_read_system_job_lib_files(consolekit_t)
')
optional_policy(`
@@ -109,13 +110,6 @@ optional_policy(`
')
')
-optional_policy(`
- hal_ptrace(consolekit_t)
-')
-
-optional_policy(`
- networkmanager_append_log_files(consolekit_t)
-')
optional_policy(`
policykit_domtrans_auth(consolekit_t)
diff --git a/corosync.fc b/corosync.fc
index da39f0fcc..b26d3e0a4 100644
--- a/corosync.fc
+++ b/corosync.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:corosync_unit_file_t,s0)
+
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
@@ -10,3 +12,5 @@
/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
/var/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
+/var/run/corosync-qdevice(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
+/var/run/corosync-qnetd(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
diff --git a/corosync.if b/corosync.if
index 694a037da..d8596812d 100644
--- a/corosync.if
+++ b/corosync.if
@@ -77,6 +77,25 @@ interface(`corosync_read_log',`
read_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
')
+#######################################
+## <summary>
+## Setattr corosync log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corosync_setattr_log',`
+ gen_require(`
+ type corosync_var_log_t;
+ ')
+
+ setattr_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
+')
+
+
#####################################
## <summary>
## Connect to corosync over a unix
@@ -91,29 +110,55 @@ interface(`corosync_read_log',`
interface(`corosync_stream_connect',`
gen_require(`
type corosync_t, corosync_var_run_t;
+ type corosync_var_lib_t;
')
files_search_pids($1)
+ stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t)
stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
')
######################################
## <summary>
-## Read and write corosync tmpfs files.
+## Allow the specified domain to read/write corosync's tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corosync_rw_tmpfs',`
+ gen_require(`
+ type corosync_tmpfs_t;
+ ')
+
+ rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
+
+')
+
+########################################
+## <summary>
+## Execute corosync server in the corosync domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
## </summary>
## </param>
#
-interface(`corosync_rw_tmpfs',`
+interface(`corosync_systemctl',`
gen_require(`
- type corosync_tmpfs_t;
+ type corosync_t;
+ type corosync_unit_file_t;
')
- fs_search_tmpfs($1)
- rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 corosync_unit_file_t:file read_file_perms;
+ allow $1 corosync_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, corosync_t)
')
######################################
@@ -160,12 +205,17 @@ interface(`corosync_admin',`
type corosync_t, corosync_var_lib_t, corosync_var_log_t;
type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
type corosync_initrc_exec_t;
+ type corosync_unit_file_t;
')
- allow $1 corosync_t:process { ptrace signal_perms };
+ allow $1 corosync_t:process signal_perms;
ps_process_pattern($1, corosync_t)
- corosync_initrc_domtrans($1)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 corosync_t:process ptrace;
+ ')
+
+ init_labeled_script_domtrans($1, corosync_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 corosync_initrc_exec_t system_r;
allow $2 system_r;
@@ -183,4 +233,8 @@ interface(`corosync_admin',`
files_list_pids($1)
admin_pattern($1, corosync_var_run_t)
+
+ corosync_systemctl($1)
+ admin_pattern($1, corosync_unit_file_t)
+ allow $1 corosync_unit_file_t:service all_service_perms;
')
diff --git a/corosync.te b/corosync.te
index d5aa1e446..94ca2cd02 100644
--- a/corosync.te
+++ b/corosync.te
@@ -28,12 +28,15 @@ logging_log_file(corosync_var_log_t)
type corosync_var_run_t;
files_pid_file(corosync_var_run_t)
+type corosync_unit_file_t;
+systemd_unit_file(corosync_unit_file_t)
+
########################################
#
# Local policy
#
-allow corosync_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock };
+allow corosync_t self:capability { dac_read_search fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock };
# for hearbeat
allow corosync_t self:capability { net_raw chown };
allow corosync_t self:process { setpgid setrlimit setsched signal signull };
@@ -93,7 +96,6 @@ dev_read_urand(corosync_t)
domain_read_all_domains_state(corosync_t)
files_manage_mounttab(corosync_t)
-files_read_usr_files(corosync_t)
auth_use_nsswitch(corosync_t)
@@ -106,7 +108,13 @@ logging_send_syslog_msg(corosync_t)
miscfiles_read_localization(corosync_t)
userdom_read_user_tmp_files(corosync_t)
-userdom_manage_user_tmpfs_files(corosync_t)
+userdom_delete_user_tmp_files(corosync_t)
+userdom_rw_user_tmp_files(corosync_t)
+
+optional_policy(`
+ fs_manage_tmpfs_files(corosync_t)
+ init_manage_script_status_files(corosync_t)
+')
optional_policy(`
ccs_read_config(corosync_t)
@@ -129,20 +137,29 @@ optional_policy(`
')
optional_policy(`
+ lvm_rw_clvmd_tmpfs_files(corosync_t)
+ lvm_delete_clvmd_tmpfs_files(corosync_t)
+')
+
+optional_policy(`
qpidd_rw_shm(corosync_t)
')
optional_policy(`
- rhcs_getattr_fenced_exec_files(corosync_t)
+ rhcs_getattr_fenced(corosync_t)
+ # to communication with RHCS
rhcs_rw_cluster_shm(corosync_t)
rhcs_rw_cluster_semaphores(corosync_t)
rhcs_stream_connect_cluster(corosync_t)
+ rhcs_read_cluster_lib_files(corosync_t)
+ rhcs_manage_cluster_lib_files(corosync_t)
+ rhcs_relabel_cluster_lib_files(corosync_t)
')
optional_policy(`
- rgmanager_manage_tmpfs_files(corosync_t)
+ rpc_search_nfs_state_data(corosync_t)
')
optional_policy(`
- rpc_search_nfs_state_data(corosync_t)
-')
\ No newline at end of file
+ wdmd_rw_tmpfs(corosync_t)
+')
diff --git a/couchdb.fc b/couchdb.fc
index c0863022d..5380ab641 100644
--- a/couchdb.fc
+++ b/couchdb.fc
@@ -1,8 +1,10 @@
-/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0)
-
/etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
-/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
+/usr/lib/systemd/system/couchdb.* -- gen_context(system_u:object_r:couchdb_unit_file_t,s0)
+
+/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0)
+
+/usr/libexec/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
/var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0)
diff --git a/couchdb.if b/couchdb.if
index 715a826f1..a1cbdb29e 100644
--- a/couchdb.if
+++ b/couchdb.if
@@ -2,7 +2,7 @@
########################################
## <summary>
-## Read couchdb log files.
+## Allow to read couchdb log files.
## </summary>
## <param name="domain">
## <summary>
@@ -15,13 +15,13 @@ interface(`couchdb_read_log_files',`
type couchdb_log_t;
')
- logging_search_logs($1)
+ files_search_var_lib($1)
read_files_pattern($1, couchdb_log_t, couchdb_log_t)
')
########################################
## <summary>
-## Read, write, and create couchdb lib files.
+## Allow to read couchdb lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -29,7 +29,7 @@ interface(`couchdb_read_log_files',`
## </summary>
## </param>
#
-interface(`couchdb_manage_lib_files',`
+interface(`couchdb_read_lib_files',`
gen_require(`
type couchdb_var_lib_t;
')
@@ -40,7 +40,46 @@ interface(`couchdb_manage_lib_files',`
########################################
## <summary>
-## Read couchdb config files.
+## All of the rules required to
+## administrate an couchdb environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`couchdb_manage_lib_files',`
+ gen_require(`
+ type couchdb_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage couchdb lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`couchdb_manage_lib_dirs',`
+ gen_require(`
+ type couchdb_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow to read couchdb conf files.
## </summary>
## <param name="domain">
## <summary>
@@ -53,13 +92,13 @@ interface(`couchdb_read_conf_files',`
type couchdb_conf_t;
')
- files_search_etc($1)
+ files_search_var_lib($1)
read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
')
########################################
## <summary>
-## Read couchdb pid files.
+## Read couchdb PID files.
## </summary>
## <param name="domain">
## <summary>
@@ -73,19 +112,88 @@ interface(`couchdb_read_pid_files',`
')
files_search_pids($1)
- read_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
+ allow $1 couchdb_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Search couchdb PID dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`couchdb_search_pid_dirs',`
+ gen_require(`
+ type couchdb_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 couchdb_var_run_t:dir search_dir_perms;
+')
+
+#######################################
+## <summary>
+## Allow domain to manage couchdb content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`couchdb_manage_files',`
+ gen_require(`
+ type couchdb_var_run_t;
+ type couchdb_log_t;
+ type couchdb_var_lib_t;
+ type couchdb_conf_t;
+ ')
+
+ manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
+ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+ manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
+ manage_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
')
########################################
## <summary>
-## All of the rules required to
-## administrate an couchdb environment.
+## Execute couchdb server in the couchdb domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
## </summary>
## </param>
+#
+interface(`couchdb_systemctl',`
+ gen_require(`
+ type couchdb_t;
+ type couchdb_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 couchdb_unit_file_t:file read_file_perms;
+ allow $1 couchdb_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, couchdb_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an couchdb environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
## <param name="role">
## <summary>
## Role allowed access.
@@ -95,14 +203,19 @@ interface(`couchdb_read_pid_files',`
#
interface(`couchdb_admin',`
gen_require(`
+ type couchdb_unit_file_t;
type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t;
type couchdb_log_t, couchdb_var_lib_t, couchdb_var_run_t;
type couchdb_tmp_t;
')
- allow $1 couchdb_t:process { ptrace signal_perms };
+ allow $1 couchdb_t:process { signal_perms };
ps_process_pattern($1, couchdb_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 couchdb_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 couchdb_initrc_exec_t system_r;
@@ -122,4 +235,13 @@ interface(`couchdb_admin',`
files_search_pids($1)
admin_pattern($1, couchdb_var_run_t)
+
+ admin_pattern($1, couchdb_unit_file_t)
+ couchdb_systemctl($1)
+ allow $1 couchdb_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/couchdb.te b/couchdb.te
index ae1c1b12a..9b3a328c2 100644
--- a/couchdb.te
+++ b/couchdb.te
@@ -27,18 +27,21 @@ files_type(couchdb_var_lib_t)
type couchdb_var_run_t;
files_pid_file(couchdb_var_run_t)
+type couchdb_unit_file_t;
+systemd_unit_file(couchdb_unit_file_t)
+
########################################
#
# Local policy
#
-allow couchdb_t self:process { setsched signal signull sigkill };
+allow couchdb_t self:process { execmem setsched signal signull sigkill };
allow couchdb_t self:fifo_file rw_fifo_file_perms;
allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
+allow couchdb_t self:unix_dgram_socket create_socket_perms;
allow couchdb_t self:tcp_socket { accept listen };
-allow couchdb_t couchdb_conf_t:dir list_dir_perms;
-allow couchdb_t couchdb_conf_t:file read_file_perms;
+manage_files_pattern(couchdb_t, couchdb_conf_t, couchdb_conf_t)
manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
append_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
@@ -56,11 +59,14 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir)
manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
-files_pid_filetrans(couchdb_t, couchdb_var_run_t, dir)
+files_pid_filetrans(couchdb_t, couchdb_var_run_t, {file dir })
can_exec(couchdb_t, couchdb_exec_t)
+kernel_read_network_state(couchdb_t)
kernel_read_system_state(couchdb_t)
+kernel_read_fs_sysctls(couchdb_t)
+kernel_dgram_send(couchdb_t)
corecmd_exec_bin(couchdb_t)
corecmd_exec_shell(couchdb_t)
@@ -75,14 +81,27 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
corenet_tcp_bind_couchdb_port(couchdb_t)
corenet_tcp_sendrecv_couchdb_port(couchdb_t)
+# disksup tries to monitor the local disks
+fs_getattr_all_files(couchdb_t)
+fs_getattr_all_dirs(couchdb_t)
+fs_getattr_all_fs(couchdb_t)
+files_getattr_all_mountpoints(couchdb_t)
+files_search_all_mountpoints(couchdb_t)
+files_getattr_lost_found_dirs(couchdb_t)
+files_dontaudit_list_var(couchdb_t)
+
dev_list_sysfs(couchdb_t)
dev_read_sysfs(couchdb_t)
dev_read_urand(couchdb_t)
-files_read_usr_files(couchdb_t)
+auth_use_nsswitch(couchdb_t)
-fs_getattr_xattr_fs(couchdb_t)
+optional_policy(`
+ gnome_dontaudit_search_config(couchdb_t)
+')
+
+optional_policy(`
+ rpc_read_nfs_state_data(couchdb_t)
+')
-auth_use_nsswitch(couchdb_t)
-miscfiles_read_localization(couchdb_t)
diff --git a/courier.fc b/courier.fc
index 2f017a076..defdc871e 100644
--- a/courier.fc
+++ b/courier.fc
@@ -11,17 +11,18 @@
/usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
-/usr/lib/courier/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
/usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
-/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
-/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
-/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
-/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
+ifdef(`distro_gentoo',`
+/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+')
/var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
/var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
diff --git a/courier.if b/courier.if
index 10f820fc7..acdb179e8 100644
--- a/courier.if
+++ b/courier.if
@@ -1,12 +1,12 @@
-## <summary>Courier IMAP and POP3 email servers.</summary>
+## <summary>Courier IMAP and POP3 email servers</summary>
-#######################################
+########################################
## <summary>
-## The template to define a courier domain.
+## Template for creating courier server processes.
## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
## <summary>
-## Domain prefix to be used.
+## Prefix name of the server process.
## </summary>
## </param>
#
@@ -15,7 +15,7 @@ template(`courier_domain_template',`
attribute courier_domain;
')
- ########################################
+ ##############################
#
# Declarations
#
@@ -24,18 +24,30 @@ template(`courier_domain_template',`
type courier_$1_exec_t;
init_daemon_domain(courier_$1_t, courier_$1_exec_t)
- ########################################
+ ##############################
#
- # Policy
+ # Declarations
#
can_exec(courier_$1_t, courier_$1_exec_t)
+
+ kernel_read_system_state(courier_$1_t)
+
+ corenet_all_recvfrom_netlabel(courier_$1_t)
+ corenet_tcp_sendrecv_generic_if(courier_$1_t)
+ corenet_udp_sendrecv_generic_if(courier_$1_t)
+ corenet_tcp_sendrecv_generic_node(courier_$1_t)
+ corenet_udp_sendrecv_generic_node(courier_$1_t)
+ corenet_tcp_sendrecv_all_ports(courier_$1_t)
+ corenet_udp_sendrecv_all_ports(courier_$1_t)
+
+ logging_send_syslog_msg(courier_$1_t)
')
########################################
## <summary>
-## Execute the courier authentication
-## daemon with a domain transition.
+## Execute the courier authentication daemon with
+## a domain transition.
## </summary>
## <param name="domain">
## <summary>
@@ -48,34 +60,32 @@ interface(`courier_domtrans_authdaemon',`
type courier_authdaemon_t, courier_authdaemon_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
')
#######################################
## <summary>
-## Connect to courier-authdaemon over
-## a unix stream socket.
+## Connect to courier-authdaemon over a unix stream socket.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`courier_stream_connect_authdaemon',`
- gen_require(`
- type courier_authdaemon_t, courier_spool_t;
- ')
+ gen_require(`
+ type courier_authdaemon_t, courier_spool_t;
+ ')
files_search_spool($1)
- stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
+ stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
')
########################################
## <summary>
-## Execute the courier POP3 and IMAP
-## server with a domain transition.
+## Execute the courier POP3 and IMAP server with
+## a domain transition.
## </summary>
## <param name="domain">
## <summary>
@@ -88,13 +98,12 @@ interface(`courier_domtrans_pop',`
type courier_pop_t, courier_pop_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
')
########################################
## <summary>
-## Read courier config files.
+## Read courier config files
## </summary>
## <param name="domain">
## <summary>
@@ -127,7 +136,7 @@ interface(`courier_manage_spool_dirs',`
type courier_spool_t;
')
- files_search_var($1)
+ files_search_spool($1)
manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
')
@@ -136,7 +145,7 @@ interface(`courier_manage_spool_dirs',`
## Create, read, write, and delete courier
## spool files.
## </summary>
-## <param name="domain">
+## <param name="domains">
## <summary>
## Domain allowed access.
## </summary>
@@ -147,7 +156,7 @@ interface(`courier_manage_spool_files',`
type courier_spool_t;
')
- files_search_var($1)
+ files_search_spool($1)
manage_files_pattern($1, courier_spool_t, courier_spool_t)
')
@@ -166,13 +175,13 @@ interface(`courier_read_spool',`
type courier_spool_t;
')
- files_search_var($1)
+ files_search_spool($1)
read_files_pattern($1, courier_spool_t, courier_spool_t)
')
########################################
## <summary>
-## Read and write courier spool pipes.
+## Read and write to courier spool pipes.
## </summary>
## <param name="domain">
## <summary>
@@ -185,6 +194,5 @@ interface(`courier_rw_spool_pipes',`
type courier_spool_t;
')
- files_search_var($1)
allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
')
diff --git a/courier.te b/courier.te
index ae3bc70e9..3fe942539 100644
--- a/courier.te
+++ b/courier.te
@@ -18,7 +18,7 @@ type courier_etc_t;
files_config_file(courier_etc_t)
type courier_spool_t;
-files_type(courier_spool_t)
+files_spool_file(courier_spool_t)
type courier_var_lib_t;
files_type(courier_var_lib_t)
@@ -34,7 +34,7 @@ mta_agent_executable(courier_exec_t)
# Common local policy
#
-allow courier_domain self:capability dac_override;
+allow courier_domain self:capability { dac_read_search };
dontaudit courier_domain self:capability sys_tty_config;
allow courier_domain self:process { setpgid signal_perms };
allow courier_domain self:fifo_file rw_fifo_file_perms;
@@ -51,7 +51,6 @@ manage_sock_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t)
files_pid_filetrans(courier_domain, courier_var_run_t, dir)
kernel_read_kernel_sysctls(courier_domain)
-kernel_read_system_state(courier_domain)
corecmd_exec_bin(courier_domain)
@@ -59,15 +58,11 @@ dev_read_sysfs(courier_domain)
domain_use_interactive_fds(courier_domain)
-files_read_etc_files(courier_domain)
files_read_etc_runtime_files(courier_domain)
-files_read_usr_files(courier_domain)
fs_getattr_xattr_fs(courier_domain)
fs_search_auto_mountpoints(courier_domain)
-logging_send_syslog_msg(courier_domain)
-
sysnet_read_config(courier_domain)
userdom_dontaudit_use_unpriv_user_fds(courier_domain)
@@ -77,6 +72,10 @@ optional_policy(`
')
optional_policy(`
+ mysql_stream_connect(courier_domain)
+')
+
+optional_policy(`
udev_read_db(courier_domain)
')
@@ -91,6 +90,7 @@ allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen };
create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
+manage_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
allow courier_authdaemon_t courier_tcpd_t:process sigchld;
@@ -112,7 +112,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t)
libs_read_lib_files(courier_authdaemon_t)
-miscfiles_read_localization(courier_authdaemon_t)
userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
@@ -135,7 +134,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
-allow courier_pop_t courier_var_lib_t:file { read write };
+allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
@@ -172,7 +171,6 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t)
dev_read_rand(courier_tcpd_t)
dev_read_urand(courier_tcpd_t)
-miscfiles_read_localization(courier_tcpd_t)
########################################
#
diff --git a/cpucontrol.te b/cpucontrol.te
index af72c4e55..afab0367f 100644
--- a/cpucontrol.te
+++ b/cpucontrol.te
@@ -42,8 +42,6 @@ term_dontaudit_use_console(cpucontrol_domain)
init_use_fds(cpucontrol_domain)
init_use_script_ptys(cpucontrol_domain)
-logging_send_syslog_msg(cpucontrol_domain)
-
userdom_dontaudit_use_unpriv_user_fds(cpucontrol_domain)
optional_policy(`
@@ -69,12 +67,13 @@ allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms;
read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
-kernel_list_proc(cpucontrol_t)
kernel_read_proc_symlinks(cpucontrol_t)
dev_read_sysfs(cpucontrol_t)
dev_rw_cpu_microcode(cpucontrol_t)
+logging_send_syslog_msg(cpucontrol_t)
+
optional_policy(`
rhgb_use_ptys(cpucontrol_t)
')
@@ -98,7 +97,6 @@ dev_rw_sysfs(cpuspeed_t)
domain_read_all_domains_state(cpuspeed_t)
-files_read_etc_files(cpuspeed_t)
files_read_etc_runtime_files(cpuspeed_t)
-miscfiles_read_localization(cpuspeed_t)
+logging_send_syslog_msg(cpuspeed_t)
diff --git a/cpufreqselector.te b/cpufreqselector.te
index 6cedb8724..530e250e5 100644
--- a/cpufreqselector.te
+++ b/cpufreqselector.te
@@ -14,21 +14,17 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
# Local policy
#
-allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
+allow cpufreqselector_t self:capability sys_nice;
allow cpufreqselector_t self:process getsched;
allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
+allow cpufreqselector_t self:process getsched;
kernel_read_system_state(cpufreqselector_t)
-files_read_etc_files(cpufreqselector_t)
-files_read_usr_files(cpufreqselector_t)
-
dev_rw_sysfs(cpufreqselector_t)
-miscfiles_read_localization(cpufreqselector_t)
-
userdom_read_all_users_state(cpufreqselector_t)
-userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
+userdom_dontaudit_search_admin_dir(cpufreqselector_t)
optional_policy(`
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
@@ -51,3 +47,7 @@ optional_policy(`
policykit_read_lib(cpufreqselector_t)
policykit_read_reload(cpufreqselector_t)
')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(cpufreqselector_t)
+')
diff --git a/cpuplug.fc b/cpuplug.fc
new file mode 100644
index 000000000..be203ff49
--- /dev/null
+++ b/cpuplug.fc
@@ -0,0 +1,3 @@
+/etc/rc.d/init.d/cpuplugd -- gen_context(system_u:object_r:cpuplug_initrc_exec_t,s0)
+
+/usr/sbin/cpuplugd -- gen_context(system_u:object_r:cpuplug_exec_t,s0)
diff --git a/cpuplug.if b/cpuplug.if
new file mode 100644
index 000000000..c68d1d3cf
--- /dev/null
+++ b/cpuplug.if
@@ -0,0 +1,20 @@
+## <summary>cpuplugd - Linux on System z CPU and memory hotplug daemon</summary>
+
+########################################
+## <summary>
+## Execute cpuplug in the cpuplug domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cpuplug_domtrans',`
+ gen_require(`
+ type cpuplug_t, cpuplug_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cpuplug_exec_t, cpuplug_t)
+')
diff --git a/cpuplug.te b/cpuplug.te
new file mode 100644
index 000000000..074f3e04d
--- /dev/null
+++ b/cpuplug.te
@@ -0,0 +1,40 @@
+policy_module(cpuplug, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cpuplug_t;
+type cpuplug_exec_t;
+init_daemon_domain(cpuplug_t, cpuplug_exec_t)
+
+type cpuplug_initrc_exec_t;
+init_script_file(cpuplug_initrc_exec_t)
+
+type cpuplug_lock_t;
+files_lock_file(cpuplug_lock_t)
+
+type cpuplug_var_run_t;
+files_pid_file(cpuplug_var_run_t)
+
+########################################
+#
+# cpuplug local policy
+#
+allow cpuplug_t self:fifo_file rw_fifo_file_perms;
+allow cpuplug_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(cpuplug_t, cpuplug_lock_t, cpuplug_lock_t)
+files_lock_filetrans(cpuplug_t, cpuplug_lock_t, { file })
+
+manage_files_pattern(cpuplug_t, cpuplug_var_run_t, cpuplug_var_run_t)
+files_pid_filetrans(cpuplug_t, cpuplug_var_run_t, { file })
+
+kernel_read_system_state(cpuplug_t)
+kernel_rw_vm_sysctls(cpuplug_t)
+
+dev_rw_sysfs(cpuplug_t)
+
+logging_send_syslog_msg(cpuplug_t)
+
diff --git a/cron.fc b/cron.fc
index ad0bae948..615a947aa 100644
--- a/cron.fc
+++ b/cron.fc
@@ -1,66 +1,77 @@
-/etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
-/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
-/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
-/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/lib/systemd/system/atd.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
+/usr/lib/systemd/system/crond.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
-/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
-/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
-/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
-/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
+/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
-/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
-/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
-/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/cron(d)?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/cron(d)?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
-/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0)
+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
-/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
-#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-/var/spool/cron/[^/]* -- <<none>>
+/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0)
+#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+/var/spool/cron/[^/]* -- <<none>>
-/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
/var/spool/cron/crontabs/.* -- <<none>>
#/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/fcron/.* <<none>>
+/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/fcron/.* <<none>>
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/fcron/systab\.tmp -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/fcron/rm\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+ifdef(`distro_gentoo',`
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]* -- <<none>>
+')
+
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]* -- <<none>>
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+')
ifdef(`distro_debian',`
-/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0)
+
+/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
/var/spool/cron/atjobs/[^/]* -- <<none>>
-/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
')
ifdef(`distro_gentoo',`
-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <<none>>
')
-ifdef(`distro_suse',`
-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <<none>>
-/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
')
diff --git a/cron.if b/cron.if
index 1303b3036..f5bd4aee8 100644
--- a/cron.if
+++ b/cron.if
@@ -2,11 +2,12 @@
#######################################
## <summary>
-## The template to define a crontab domain.
+## The common rules for a crontab domain.
## </summary>
-## <param name="domain_prefix">
+## <param name="userdomain_prefix">
## <summary>
-## Domain prefix to be used.
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
## </summary>
## </param>
#
@@ -36,22 +37,29 @@ template(`cron_common_crontab_template',`
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
+ kernel_read_system_state($1_t)
+
auth_domtrans_chk_passwd($1_t)
auth_use_nsswitch($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ userdom_home_reader($1_t)
+
')
########################################
## <summary>
-## Role access for cron.
+## Role access for cron
## </summary>
## <param name="role">
## <summary>
-## Role allowed access.
+## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
-## User domain for the role.
+## User domain for the role
## </summary>
## </param>
## <rolecap/>
@@ -60,56 +68,66 @@ interface(`cron_role',`
gen_require(`
type cronjob_t, crontab_t, crontab_exec_t;
type user_cron_spool_t, crond_t;
- bool cron_userdomain_transition;
+ bool cron_userdomain_transition;
')
- ##############################
- #
- # Declarations
- #
+ ##############################
+ #
+ # Declarations
+ #
role $1 types { cronjob_t crontab_t };
- ##############################
- #
- # Local policy
- #
+ ##############################
+ #
+ # Local policy
+ #
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, crontab_t)
dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
allow $2 crond_t:process sigchld;
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
- allow $2 crontab_t:process { ptrace signal_perms };
+ # crontab shows up in user ps
+ allow $2 crontab_t:process signal_perms;
ps_process_pattern($2, crontab_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 crontab_t:process ptrace;
+ ')
+
+ # Run helper programs as the user domain
+ #corecmd_bin_domtrans(crontab_t, $2)
+ #corecmd_shell_domtrans(crontab_t, $2)
corecmd_exec_bin(crontab_t)
corecmd_exec_shell(crontab_t)
- tunable_policy(`cron_userdomain_transition',`
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
+ tunable_policy(`cron_userdomain_transition',`
+ allow crond_t $2:process transition;
+ allow crond_t $2:fd use;
+ allow crond_t $2:key manage_key_perms;
- allow $2 user_cron_spool_t:file entrypoint;
+ # needs to be authorized SELinux context for cron
+ allow $2 user_cron_spool_t:file entrypoint;
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
- allow $2 crond_t:fifo_file rw_fifo_file_perms;
+ allow $2 cronjob_t:process { signal_perms };
- allow $2 cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2, cronjob_t)
- ',`
- dontaudit crond_t $2:process transition;
- dontaudit crond_t $2:fd use;
- dontaudit crond_t $2:key manage_key_perms;
+ ps_process_pattern($2, cronjob_t)
+ ',`
+ dontaudit crond_t $2:process transition;
+ dontaudit crond_t $2:fd use;
+ dontaudit crond_t $2:key manage_key_perms;
- dontaudit $2 user_cron_spool_t:file entrypoint;
+ dontaudit $2 user_cron_spool_t:file entrypoint;
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
- dontaudit $2 cronjob_t:process { ptrace signal_perms };
- ')
+ dontaudit $2 cronjob_t:process { signal_perms };
+ ')
optional_policy(`
gen_require(`
@@ -119,78 +137,75 @@ interface(`cron_role',`
dbus_stub(cronjob_t)
allow cronjob_t $2:dbus send_msg;
- ')
+ ')
')
########################################
## <summary>
-## Role access for unconfined cron.
+## Role access for unconfined cronjobs
## </summary>
## <param name="role">
## <summary>
-## Role allowed access.
+## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
-## User domain for the role.
+## User domain for the role
## </summary>
## </param>
+## <rolecap/>
#
interface(`cron_unconfined_role',`
gen_require(`
type unconfined_cronjob_t, crontab_t, crontab_exec_t;
- type crond_t, user_cron_spool_t;
- bool cron_userdomain_transition;
+ type crond_t, user_cron_spool_t;
+ bool cron_userdomain_transition;
')
- ##############################
- #
- # Declarations
- #
-
- role $1 types { unconfined_cronjob_t crontab_t };
-
- ##############################
- #
- # Local policy
- #
-
- domtrans_pattern($2, crontab_exec_t, crontab_t)
+ ##############################
+ #
+ # Declarations
+ #
+
+ role $1 types unconfined_cronjob_t;
- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- allow $2 crond_t:process sigchld;
+ ##############################
+ #
+ # Local policy
+ #
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- allow $2 crontab_t:process { ptrace signal_perms };
- ps_process_pattern($2, crontab_t)
+ allow $2 crond_t:process sigchld;
- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
- tunable_policy(`cron_userdomain_transition',`
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
+ # cronjob shows up in user ps
+ ps_process_pattern($2, unconfined_cronjob_t)
+ allow $2 unconfined_cronjob_t:process signal_perms;
- allow $2 user_cron_spool_t:file entrypoint;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 unconfined_cronjob_t:process ptrace;
+ ')
- allow $2 crond_t:fifo_file rw_fifo_file_perms;
+ tunable_policy(`cron_userdomain_transition',`
+ allow crond_t $2:process transition;
+ allow crond_t $2:fd use;
+ allow crond_t $2:key manage_key_perms;
- allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2, unconfined_cronjob_t)
- ',`
- dontaudit crond_t $2:process transition;
- dontaudit crond_t $2:fd use;
- dontaudit crond_t $2:key manage_key_perms;
+ allow $2 user_cron_spool_t:file entrypoint;
- dontaudit $2 user_cron_spool_t:file entrypoint;
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
+ ',`
+ dontaudit crond_t $2:process transition;
+ dontaudit crond_t $2:fd use;
+ dontaudit crond_t $2:key manage_key_perms;
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+ dontaudit $2 user_cron_spool_t:file entrypoint;
- dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
-')
+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+ ')
optional_policy(`
gen_require(`
@@ -198,55 +213,60 @@ interface(`cron_unconfined_role',`
')
dbus_stub(unconfined_cronjob_t)
-
allow unconfined_cronjob_t $2:dbus send_msg;
')
')
########################################
## <summary>
-## Role access for admin cron.
+## Role access for cron
## </summary>
## <param name="role">
## <summary>
-## Role allowed access.
+## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
-## User domain for the role.
+## User domain for the role
## </summary>
## </param>
+## <rolecap/>
#
interface(`cron_admin_role',`
gen_require(`
- type cronjob_t, crontab_exec_t, admin_crontab_t;
+ type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
+ type user_cron_spool_t, crond_t;
class passwd crontab;
- type crond_t, user_cron_spool_t;
- bool cron_userdomain_transition;
+ bool cron_userdomain_transition;
')
- ##############################
- #
- # Declarations
- #
+ ##############################
+ #
+ # Declarations
+ #
- role $1 types { cronjob_t admin_crontab_t };
+ role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
- ##############################
- #
- # Local policy
- #
+ ##############################
+ #
+ # Local policy
+ #
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- allow $2 crond_t:process sigchld;
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
+ allow $2 crond_t:process sigchld;
- allow $2 admin_crontab_t:process { ptrace signal_perms };
+ # crontab shows up in user ps
ps_process_pattern($2, admin_crontab_t)
+ allow $2 admin_crontab_t:process signal_perms;
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 admin_crontab_t:process ptrace;
+ ')
# Manipulate other users crontab.
allow $2 self:passwd crontab;
@@ -254,28 +274,26 @@ interface(`cron_admin_role',`
corecmd_exec_bin(admin_crontab_t)
corecmd_exec_shell(admin_crontab_t)
- tunable_policy(`cron_userdomain_transition',`
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
+ tunable_policy(`cron_userdomain_transition',`
+ allow crond_t $2:process transition;
+ allow crond_t $2:fd use;
+ allow crond_t $2:key manage_key_perms;
- allow $2 user_cron_spool_t:file entrypoint;
+ allow $2 user_cron_spool_t:file entrypoint;
- allow $2 crond_t:fifo_file rw_fifo_file_perms;
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
- allow $2 cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2, cronjob_t)
- ',`
- dontaudit crond_t $2:process transition;
- dontaudit crond_t $2:fd use;
- dontaudit crond_t $2:key manage_key_perms;
+ allow $2 cronjob_t:process { signal_perms };
+ ps_process_pattern($2, cronjob_t)
+ ',`
+ dontaudit crond_t $2:process transition;
+ dontaudit crond_t $2:fd use;
+ dontaudit crond_t $2:key manage_key_perms;
- dontaudit $2 user_cron_spool_t:file entrypoint;
-
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-
- dontaudit $2 cronjob_t:process { ptrace signal_perms };
- ')
+ dontaudit $2 user_cron_spool_t:file entrypoint;
+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+ dontaudit $2 cronjob_t:process { signal_perms };
+ ')
optional_policy(`
gen_require(`
@@ -285,13 +303,13 @@ interface(`cron_admin_role',`
dbus_stub(admin_cronjob_t)
allow cronjob_t $2:dbus send_msg;
- ')
+ ')
')
########################################
## <summary>
-## Make the specified program domain
-## accessable from the system cron jobs.
+## Make the specified program domain accessable
+## from the system cron jobs.
## </summary>
## <param name="domain">
## <summary>
@@ -307,15 +325,15 @@ interface(`cron_admin_role',`
interface(`cron_system_entry',`
gen_require(`
type crond_t, system_cronjob_t;
- type user_cron_spool_log_t;
')
- rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t)
-
domtrans_pattern(system_cronjob_t, $2, $1)
domtrans_pattern(crond_t, $2, $1)
role system_r types $1;
+
+ allow $1 crond_t:fifo_file rw_fifo_file_perms;
+ allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
')
########################################
@@ -333,13 +351,12 @@ interface(`cron_domtrans',`
type system_cronjob_t, crond_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, crond_exec_t, system_cronjob_t)
')
########################################
## <summary>
-## Execute crond in the caller domain.
+## Execute crond_exec_t
## </summary>
## <param name="domain">
## <summary>
@@ -352,7 +369,6 @@ interface(`cron_exec',`
type crond_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, crond_exec_t)
')
@@ -376,7 +392,32 @@ interface(`cron_initrc_domtrans',`
########################################
## <summary>
-## Use crond file descriptors.
+## Execute crond server in the crond domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cron_systemctl',`
+ gen_require(`
+ type crond_unit_file_t;
+ type crond_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 crond_unit_file_t:file read_file_perms;
+ allow $1 crond_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, crond_t)
+')
+
+########################################
+## <summary>
+## Inherit and use a file descriptor
+## from the cron daemon.
## </summary>
## <param name="domain">
## <summary>
@@ -394,7 +435,7 @@ interface(`cron_use_fds',`
########################################
## <summary>
-## Send child terminated signals to crond.
+## Send a SIGCHLD signal to the cron daemon.
## </summary>
## <param name="domain">
## <summary>
@@ -412,7 +453,7 @@ interface(`cron_sigchld',`
########################################
## <summary>
-## Set the attributes of cron log files.
+## Send a generic signal to cron daemon.
## </summary>
## <param name="domain">
## <summary>
@@ -420,17 +461,17 @@ interface(`cron_sigchld',`
## </summary>
## </param>
#
-interface(`cron_setattr_log_files',`
+interface(`cron_signal',`
gen_require(`
- type cron_log_t;
+ type crond_t;
')
- allow $1 cron_log_t:file setattr_file_perms;
+ allow $1 crond_t:process signal;
')
########################################
## <summary>
-## Create cron log files.
+## Read a cron daemon unnamed pipe.
## </summary>
## <param name="domain">
## <summary>
@@ -438,17 +479,17 @@ interface(`cron_setattr_log_files',`
## </summary>
## </param>
#
-interface(`cron_create_log_files',`
+interface(`cron_read_pipes',`
gen_require(`
- type cron_log_t;
+ type crond_t;
')
- create_files_pattern($1, cron_log_t, cron_log_t)
+ allow $1 crond_t:fifo_file read_fifo_file_perms;
')
########################################
## <summary>
-## Write to cron log files.
+## Read crond state files.
## </summary>
## <param name="domain">
## <summary>
@@ -456,18 +497,20 @@ interface(`cron_create_log_files',`
## </summary>
## </param>
#
-interface(`cron_write_log_files',`
+interface(`cron_read_state_crond',`
gen_require(`
- type cron_log_t;
+ type crond_t;
')
- allow $1 cron_log_t:file write_file_perms;
+ kernel_search_proc($1)
+ ps_process_pattern($1, crond_t)
')
+
########################################
## <summary>
-## Create, read, write and delete
-## cron log files.
+## Send and receive messages from
+## crond over dbus.
## </summary>
## <param name="domain">
## <summary>
@@ -475,48 +518,37 @@ interface(`cron_write_log_files',`
## </summary>
## </param>
#
-interface(`cron_manage_log_files',`
+interface(`cron_dbus_chat_crond',`
gen_require(`
- type cron_log_t;
+ type crond_t;
+ class dbus send_msg;
')
- manage_files_pattern($1, cron_log_t, cron_log_t)
-
- logging_search_logs($1)
+ allow $1 crond_t:dbus send_msg;
+ allow crond_t $1:dbus send_msg;
')
########################################
## <summary>
-## Create specified objects in generic
-## log directories with the cron log file type.
+## Do not audit attempts to write cron daemon unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`cron_generic_log_filetrans_log',`
+interface(`cron_dontaudit_write_pipes',`
gen_require(`
- type cron_log_t;
+ type crond_t;
')
- logging_log_filetrans($1, cron_log_t, $2, $3)
+ dontaudit $1 crond_t:fifo_file write;
')
########################################
## <summary>
-## Read cron daemon unnamed pipes.
+## Read and write a cron daemon unnamed pipe.
## </summary>
## <param name="domain">
## <summary>
@@ -524,18 +556,17 @@ interface(`cron_generic_log_filetrans_log',`
## </summary>
## </param>
#
-interface(`cron_read_pipes',`
+interface(`cron_rw_pipes',`
gen_require(`
type crond_t;
')
- allow $1 crond_t:fifo_file read_fifo_file_perms;
+ allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
## <summary>
-## Do not audit attempts to write
-## cron daemon unnamed pipes.
+## Do not audit attempts to setattr cron daemon unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
@@ -543,17 +574,17 @@ interface(`cron_read_pipes',`
## </summary>
## </param>
#
-interface(`cron_dontaudit_write_pipes',`
+interface(`cron_dontaudit_setattr_pipes',`
gen_require(`
type crond_t;
')
- dontaudit $1 crond_t:fifo_file write;
+ dontaudit $1 crond_t:fifo_file setattr;
')
########################################
## <summary>
-## Read and write crond unnamed pipes.
+## Read and write inherited user spool files.
## </summary>
## <param name="domain">
## <summary>
@@ -561,17 +592,35 @@ interface(`cron_dontaudit_write_pipes',`
## </summary>
## </param>
#
-interface(`cron_rw_pipes',`
+interface(`cron_rw_inherited_user_spool_files',`
gen_require(`
- type crond_t;
+ type user_cron_spool_t;
')
- allow $1 crond_t:fifo_file rw_fifo_file_perms;
+ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
')
########################################
## <summary>
-## Read and write crond TCP sockets.
+## Read and write inherited spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_inherited_spool_files',`
+ gen_require(`
+ type cron_spool_t;
+ ')
+
+ allow $1 cron_spool_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Read, and write cron daemon TCP sockets.
## </summary>
## <param name="domain">
## <summary>
@@ -589,8 +638,7 @@ interface(`cron_rw_tcp_sockets',`
########################################
## <summary>
-## Do not audit attempts to read and
-## write cron daemon TCP sockets.
+## Dontaudit Read, and write cron daemon TCP sockets.
## </summary>
## <param name="domain">
## <summary>
@@ -608,7 +656,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',`
########################################
## <summary>
-## Search cron spool directories.
+## Search the directory containing user cron tables.
## </summary>
## <param name="domain">
## <summary>
@@ -627,8 +675,7 @@ interface(`cron_search_spool',`
########################################
## <summary>
-## Create, read, write, and delete
-## crond pid files.
+## Search the directory containing user cron tables.
## </summary>
## <param name="domain">
## <summary>
@@ -636,37 +683,37 @@ interface(`cron_search_spool',`
## </summary>
## </param>
#
-interface(`cron_manage_pid_files',`
+interface(`cron_manage_system_spool',`
gen_require(`
- type crond_var_run_t;
+ type cron_system_spool_t;
')
- manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+ files_search_spool($1)
+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
')
########################################
## <summary>
-## Execute anacron in the cron
-## system domain.
+## Manage pid files used by cron
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`cron_anacron_domtrans_system_job',`
+interface(`cron_manage_pid_files',`
gen_require(`
- type system_cronjob_t, anacron_exec_t;
+ type crond_var_run_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
+ files_search_pids($1)
+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
')
########################################
## <summary>
-## Use system cron job file descriptors.
+## Read pid files used by cron
## </summary>
## <param name="domain">
## <summary>
@@ -674,37 +721,37 @@ interface(`cron_anacron_domtrans_system_job',`
## </summary>
## </param>
#
-interface(`cron_use_system_job_fds',`
+interface(`cron_read_pid_files',`
gen_require(`
- type system_cronjob_t;
+ type crond_var_run_t;
')
- allow $1 system_cronjob_t:fd use;
+ files_search_pids($1)
+ read_files_pattern($1, crond_var_run_t, crond_var_run_t)
')
########################################
## <summary>
-## Read system cron job lib files.
+## Execute anacron in the cron system domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
## </summary>
## </param>
#
-interface(`cron_read_system_job_lib_files',`
+interface(`cron_anacron_domtrans_system_job',`
gen_require(`
- type system_cronjob_var_lib_t;
+ type system_cronjob_t, anacron_exec_t;
')
- files_search_var_lib($1)
- read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+ domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## system cron job lib files.
+## Inherit and use a file descriptor
+## from system cron jobs.
## </summary>
## <param name="domain">
## <summary>
@@ -712,18 +759,17 @@ interface(`cron_read_system_job_lib_files',`
## </summary>
## </param>
#
-interface(`cron_manage_system_job_lib_files',`
+interface(`cron_use_system_job_fds',`
gen_require(`
- type system_cronjob_var_lib_t;
+ type system_cronjob_t;
')
- files_search_var_lib($1)
- manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+ allow $1 system_cronjob_t:fd use;
')
########################################
## <summary>
-## Write system cron job unnamed pipes.
+## Write a system cron job unnamed pipe.
## </summary>
## <param name="domain">
## <summary>
@@ -736,13 +782,12 @@ interface(`cron_write_system_job_pipes',`
type system_cronjob_t;
')
- allow $1 system_cronjob_t:file write;
+ allow $1 system_cronjob_t:fifo_file write;
')
########################################
## <summary>
-## Read and write system cron job
-## unnamed pipes.
+## Read and write a system cron job unnamed pipe.
## </summary>
## <param name="domain">
## <summary>
@@ -755,13 +800,12 @@ interface(`cron_rw_system_job_pipes',`
type system_cronjob_t;
')
- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
+ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
## <summary>
-## Read and write inherited system cron
-## job unix domain stream sockets.
+## Allow read/write unix stream sockets from the system cron jobs.
## </summary>
## <param name="domain">
## <summary>
@@ -779,7 +823,7 @@ interface(`cron_rw_system_job_stream_sockets',`
########################################
## <summary>
-## Read system cron job temporary files.
+## Read temporary files from the system cron jobs.
## </summary>
## <param name="domain">
## <summary>
@@ -789,17 +833,20 @@ interface(`cron_rw_system_job_stream_sockets',`
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
- type system_cronjob_tmp_t;
+ type system_cronjob_tmp_t, cron_var_run_t;
')
files_search_tmp($1)
allow $1 system_cronjob_tmp_t:file read_file_perms;
+
+ files_search_pids($1)
+ allow $1 cron_var_run_t:file read_file_perms;
')
########################################
## <summary>
## Do not audit attempts to append temporary
-## system cron job files.
+## files from the system cron jobs.
## </summary>
## <param name="domain">
## <summary>
@@ -818,7 +865,7 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
########################################
## <summary>
## Do not audit attempts to write temporary
-## system cron job files.
+## files from the system cron jobs.
## </summary>
## <param name="domain">
## <summary>
@@ -829,7 +876,126 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
+ type cron_var_run_t;
')
dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+ dontaudit $1 cron_var_run_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Read temporary files from the system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_read_system_job_lib_files',`
+ gen_require(`
+ type system_cronjob_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage files from the system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_system_job_lib_files',`
+ gen_require(`
+ type system_cronjob_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Create, read, write and delete
+## cron log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_log_files',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ manage_files_pattern($1, cron_log_t, cron_log_t)
+
+ logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+## Create specified objects in generic
+## log directories with the cron log file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`cron_generic_log_filetrans_log',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ logging_log_filetrans($1, cron_log_t, $2, $3)
+')
+
+#######################################
+## <summary>
+## Create specified objects in generic
+## log directories with the cron log file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`cron_generic_log_filetrans_log_insights',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log")
')
diff --git a/cron.te b/cron.te
index 7de385956..46400791a 100644
--- a/cron.te
+++ b/cron.te
@@ -11,46 +11,54 @@ gen_require(`
## <desc>
## <p>
-## Determine whether system cron jobs
-## can relabel filesystem for
-## restoring file contexts.
+## Allow system cron jobs to relabel filesystem
+## for restoring file contexts.
## </p>
## </desc>
gen_tunable(cron_can_relabel, false)
## <desc>
-## <p>
-## Determine whether crond can execute jobs
-## in the user domain as opposed to the
-## the generic cronjob domain.
-## </p>
+## <p>
+## Determine whether crond can execute jobs
+## in the user domain as opposed to the
+## the generic cronjob domain.
+## </p>
+## </desc>
+gen_tunable(cron_userdomain_transition, true)
+
+## <desc>
+## <p>
+## Allow system cronjob to be executed on
+## on NFS, CIFS or FUSE filesystem.
+## </p>
## </desc>
-gen_tunable(cron_userdomain_transition, false)
+gen_tunable(cron_system_cronjob_use_shares, false)
## <desc>
## <p>
-## Determine whether extra rules
-## should be enabled to support fcron.
+## Enable extra rules in the cron domain
+## to support fcron.
## </p>
## </desc>
gen_tunable(fcron_crond, false)
-attribute cron_spool_type;
attribute crontab_domain;
+attribute cron_spool_type;
type anacron_exec_t;
application_executable_file(anacron_exec_t)
type cron_spool_t;
-files_type(cron_spool_t)
-mta_system_content(cron_spool_t)
+files_spool_file(cron_spool_t)
+# var/lib files
type cron_var_lib_t;
files_type(cron_var_lib_t)
type cron_var_run_t;
files_pid_file(cron_var_run_t)
+# var/log files
type cron_log_t;
logging_log_file(cron_log_t)
@@ -71,6 +79,9 @@ domain_cron_exemption_source(crond_t)
type crond_initrc_exec_t;
init_script_file(crond_initrc_exec_t)
+type crond_unit_file_t;
+systemd_unit_file(crond_unit_file_t)
+
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
files_poly_parent(crond_tmp_t)
@@ -92,15 +103,17 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+allow admin_crontab_t crond_t:process signal;
type system_cron_spool_t, cron_spool_type;
-files_type(system_cron_spool_t)
-mta_system_content(system_cron_spool_t)
+files_spool_file(system_cron_spool_t)
type system_cronjob_t alias system_crond_t;
init_daemon_domain(system_cronjob_t, anacron_exec_t)
corecmd_shell_entry_type(system_cronjob_t)
-domain_entry_file(system_cronjob_t, system_cron_spool_t)
+corecmd_bin_entry_type(system_cronjob_t)
+role system_r types system_cronjob_t;
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
type system_cronjob_lock_t alias system_crond_lock_t;
files_lock_file(system_cronjob_lock_t)
@@ -108,94 +121,34 @@ files_lock_file(system_cronjob_lock_t)
type system_cronjob_tmp_t alias system_crond_tmp_t;
files_tmp_file(system_cronjob_tmp_t)
-type system_cronjob_var_lib_t;
-files_type(system_cronjob_var_lib_t)
-
-type system_cronjob_var_run_t;
-files_pid_file(system_cronjob_var_run_t)
-
+# Type of user crontabs once moved to cron spool.
type user_cron_spool_t, cron_spool_type;
typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
-files_type(user_cron_spool_t)
+files_spool_file(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
mta_system_content(user_cron_spool_t)
-type user_cron_spool_log_t;
-logging_log_file(user_cron_spool_log_t)
-ubac_constrained(user_cron_spool_log_t)
-mta_system_content(user_cron_spool_log_t)
+type system_cronjob_var_lib_t;
+files_type(system_cronjob_var_lib_t)
+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
+
+type system_cronjob_var_run_t;
+files_pid_file(system_cronjob_var_run_t)
ifdef(`enable_mcs',`
init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
')
-##############################
-#
-# Common crontab local policy
-#
-
-allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
-allow crontab_domain self:process { getcap setsched signal_perms };
-allow crontab_domain self:fifo_file rw_fifo_file_perms;
-
-manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
-
-allow crontab_domain cron_spool_t:dir setattr_dir_perms;
-
-allow crontab_domain crond_t:process signal;
-allow crontab_domain crond_var_run_t:file read_file_perms;
-
-kernel_read_system_state(crontab_domain)
-
-selinux_dontaudit_search_fs(crontab_domain)
-
-files_list_spool(crontab_domain)
-files_read_etc_files(crontab_domain)
-files_read_usr_files(crontab_domain)
-files_search_pids(crontab_domain)
-
-fs_getattr_xattr_fs(crontab_domain)
-fs_manage_cgroup_dirs(crontab_domain)
-fs_rw_cgroup_files(crontab_domain)
-
-domain_use_interactive_fds(crontab_domain)
-
-fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
-
-auth_rw_var_auth(crontab_domain)
-
-logging_send_syslog_msg(crontab_domain)
-logging_send_audit_msgs(crontab_domain)
-logging_set_loginuid(crontab_domain)
-
-init_dontaudit_write_utmp(crontab_domain)
-init_read_utmp(crontab_domain)
-init_read_state(crontab_domain)
-
-miscfiles_read_localization(crontab_domain)
-
-seutil_read_config(crontab_domain)
-
-userdom_manage_user_tmp_dirs(crontab_domain)
-userdom_manage_user_tmp_files(crontab_domain)
-userdom_use_user_terminals(crontab_domain)
-userdom_read_user_home_content_files(crontab_domain)
-userdom_read_user_home_content_symlinks(crontab_domain)
-
-tunable_policy(`fcron_crond',`
- dontaudit crontab_domain crond_t:process signal;
-')
-
########################################
#
-# Admin local policy
+# Admin crontab local policy
#
-allow admin_crontab_t self:capability fsetid;
-allow admin_crontab_t crond_t:process signal;
+# Allow our crontab domain to unlink a user cron spool file.
+allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
+# Manipulate other users crontab.
selinux_get_fs_mount(admin_crontab_t)
selinux_validate_context(admin_crontab_t)
selinux_compute_access_vector(admin_crontab_t)
@@ -204,22 +157,26 @@ selinux_compute_relabel_context(admin_crontab_t)
selinux_compute_user_contexts(admin_crontab_t)
tunable_policy(`fcron_crond',`
+ # fcron wants an instant update of a crontab change for the administrator
+ # also crontab does a security check for crontab -u
allow admin_crontab_t self:process setfscreate;
')
########################################
#
-# Daemon local policy
+# Cron daemon local policy
#
-allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
+allow crond_t self:capability { chown fowner setgid setuid sys_nice dac_read_search };
+dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_fifo_file_perms;
+allow crond_t self:unix_dgram_socket create_socket_perms;
+allow crond_t self:unix_stream_socket create_stream_socket_perms;
allow crond_t self:unix_dgram_socket sendto;
-allow crond_t self:unix_stream_socket { accept connectto listen };
+allow crond_t self:unix_stream_socket connectto;
allow crond_t self:shm create_shm_perms;
allow crond_t self:sem create_sem_perms;
allow crond_t self:msgq create_msgq_perms;
@@ -227,7 +184,7 @@ allow crond_t self:msg { send receive };
allow crond_t self:key { search write link };
dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
-allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(crond_t, cron_log_t, cron_log_t)
logging_log_filetrans(crond_t, cron_log_t, file)
manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
@@ -237,73 +194,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
-files_tmp_filetrans(crond_t, crond_tmp_t, { dir file })
+files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
-rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-
-manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
+kernel_read_kernel_sysctls(crond_t)
+kernel_read_fs_sysctls(crond_t)
+kernel_search_key(crond_t)
-allow crond_t system_cronjob_t:process transition;
-allow crond_t system_cronjob_t:fd use;
-allow crond_t system_cronjob_t:key manage_key_perms;
+dev_read_sysfs(crond_t)
+selinux_get_fs_mount(crond_t)
+selinux_validate_context(crond_t)
+selinux_compute_access_vector(crond_t)
+selinux_compute_create_context(crond_t)
+selinux_compute_relabel_context(crond_t)
+selinux_compute_user_contexts(crond_t)
-dontaudit crond_t { cronjob_t system_cronjob_t }:process { noatsecure siginh rlimitinh };
+dev_read_urand(crond_t)
-domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
+fs_getattr_all_fs(crond_t)
+fs_search_auto_mountpoints(crond_t)
+fs_list_inotifyfs(crond_t)
-kernel_read_kernel_sysctls(crond_t)
-kernel_read_fs_sysctls(crond_t)
-kernel_search_key(crond_t)
+# need auth_chkpwd to check for locked accounts.
+auth_domtrans_chk_passwd(crond_t)
+auth_manage_var_auth(crond_t)
corecmd_exec_shell(crond_t)
-corecmd_exec_bin(crond_t)
corecmd_list_bin(crond_t)
-
-dev_read_sysfs(crond_t)
-dev_read_urand(crond_t)
+corecmd_exec_bin(crond_t)
+corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
domain_subj_id_change_exemption(crond_t)
domain_role_change_exemption(crond_t)
-fs_getattr_all_fs(crond_t)
-fs_list_inotifyfs(crond_t)
-fs_manage_cgroup_dirs(crond_t)
-fs_rw_cgroup_files(crond_t)
-fs_search_auto_mountpoints(crond_t)
-
-files_read_usr_files(crond_t)
files_read_etc_runtime_files(crond_t)
files_read_generic_spool(crond_t)
files_list_usr(crond_t)
+# Read from /var/spool/cron.
files_search_var_lib(crond_t)
files_search_default(crond_t)
files_read_all_locks(crond_t)
-mls_fd_share_all_levels(crond_t)
+fs_manage_cgroup_dirs(crond_t)
+fs_manage_cgroup_files(crond_t)
+
+# needed by "crontab -e"
mls_file_read_all_levels(crond_t)
mls_file_write_all_levels(crond_t)
+
+# needed because of kernel check of transition
mls_process_set_level(crond_t)
-mls_trusted_object(crond_t)
-selinux_get_fs_mount(crond_t)
-selinux_validate_context(crond_t)
-selinux_compute_access_vector(crond_t)
-selinux_compute_create_context(crond_t)
-selinux_compute_relabel_context(crond_t)
-selinux_compute_user_contexts(crond_t)
+# to make cronjob working
+mls_fd_share_all_levels(crond_t)
+mls_trusted_object(crond_t)
init_read_state(crond_t)
init_rw_utmp(crond_t)
init_spec_domtrans_script(crond_t)
-auth_domtrans_chk_passwd(crond_t)
-auth_manage_var_auth(crond_t)
auth_use_nsswitch(crond_t)
logging_send_audit_msgs(crond_t)
@@ -312,41 +264,49 @@ logging_set_loginuid(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
+seutil_sigchld_newrole(crond_t)
-miscfiles_read_localization(crond_t)
+userdom_use_unpriv_users_fds(crond_t)
+# Not sure why this is needed
userdom_list_user_home_dirs(crond_t)
+userdom_list_admin_dir(crond_t)
+userdom_manage_all_users_keys(crond_t)
-tunable_policy(`cron_userdomain_transition',`
- dontaudit crond_t cronjob_t:process transition;
- dontaudit crond_t cronjob_t:fd use;
- dontaudit crond_t cronjob_t:key manage_key_perms;
-',`
- allow crond_t cronjob_t:process transition;
- allow crond_t cronjob_t:fd use;
- allow crond_t cronjob_t:key manage_key_perms;
+optional_policy(`
+ mta_send_mail(crond_t)
+ mta_filetrans_admin_home_content(crond_t)
+ mta_system_content(cron_spool_t)
')
ifdef(`distro_debian',`
+ # pam_limits is used
allow crond_t self:process setrlimit;
- optional_policy(`
- logwatch_search_cache_dir(crond_t)
- ')
+')
+
+optional_policy(`
+ logwatch_search_cache_dir(crond_t)
+')
+
+optional_policy(`
+ bind_read_config(crond_t)
')
ifdef(`distro_redhat',`
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ # via redirection of standard out.
optional_policy(`
rpm_manage_log(crond_t)
')
')
-tunable_policy(`allow_polyinstantiation',`
+tunable_policy(`polyinstantiation_enabled',`
files_polyinstantiate_all(crond_t)
')
-tunable_policy(`fcron_crond',`
- allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms;
+tunable_policy(`fcron_crond', `
+ allow crond_t system_cron_spool_t:file manage_file_perms;
')
optional_policy(`
@@ -354,103 +314,141 @@ optional_policy(`
')
optional_policy(`
- dbus_system_bus_client(crond_t)
-
- optional_policy(`
- hal_dbus_chat(crond_t)
- ')
-
- optional_policy(`
- unconfined_dbus_send(crond_t)
- ')
+ djbdns_search_tinydns_keys(crond_t)
+ djbdns_link_tinydns_keys(crond_t)
')
optional_policy(`
- amanda_search_var_lib(crond_t)
+ locallogin_search_keys(crond_t)
+ locallogin_link_keys(crond_t)
')
optional_policy(`
- amavis_search_lib(crond_t)
+ # these should probably be unconfined_crond_t
+ dbus_system_bus_client(crond_t)
+ init_dbus_send_script(crond_t)
+ init_dbus_chat(crond_t)
')
optional_policy(`
- djbdns_search_tinydns_keys(crond_t)
- djbdns_link_tinydns_keys(crond_t)
+ amanda_search_var_lib(crond_t)
')
optional_policy(`
- hal_write_log(crond_t)
+ antivirus_search_db(crond_t)
')
optional_policy(`
- locallogin_search_keys(crond_t)
- locallogin_link_keys(crond_t)
+ hal_dbus_chat(crond_t)
+ hal_write_log(crond_t)
+ hal_dbus_chat(system_cronjob_t)
')
optional_policy(`
- mta_send_mail(crond_t)
+ # cjp: why?
+ munin_search_lib(crond_t)
')
optional_policy(`
- munin_search_lib(crond_t)
+ rpc_search_nfs_state_data(crond_t)
')
optional_policy(`
- postgresql_search_db(crond_t)
+ # Commonly used from postinst scripts
+ rpm_read_pipes(crond_t)
')
optional_policy(`
- rpc_search_nfs_state_data(crond_t)
+ # allow crond to find /usr/lib/postgresql/bin/do.maintenance
+ postgresql_search_db(crond_t)
')
optional_policy(`
- rpm_read_pipes(crond_t)
+ systemd_use_fds_logind(crond_t)
+ systemd_write_inherited_logind_sessions_pipes(crond_t)
')
optional_policy(`
- seutil_sigchld_newrole(crond_t)
+ udev_read_db(crond_t)
')
optional_policy(`
- udev_read_db(crond_t)
+ vnstatd_search_lib(crond_t)
')
########################################
#
-# System local policy
+# System cron process domain
#
-allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+allow system_cronjob_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fd use;
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+# This is to handle creation of files in /var/log directory.
+# Used currently by rpm script log files
+allow system_cronjob_t cron_log_t:file manage_file_perms;
logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+# This is to handle /var/lib/misc directory. Used currently
+# by prelink var/lib files for cron
allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
allow system_cronjob_t cron_var_run_t:file manage_file_perms;
files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
+allow system_cronjob_t system_cron_spool_t:file read_file_perms;
+
+# anacron forces the following
manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
+# The entrypoint interface is not used as this is not
+# a regular entrypoint. Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job. It
+# performs an entrypoint permission check
+# for this purpose.
+allow system_cronjob_t system_cron_spool_t:file entrypoint;
+
+tunable_policy(`cron_system_cronjob_use_shares',`
+ fs_fusefs_entrypoint(system_cronjob_t)
+ fs_nfs_entrypoint(system_cronjob_t)
+ fs_cifs_entrypoint(system_cronjob_t)
+')
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond
+# via setexeccon. There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t system_cronjob_t:process transition;
+dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t system_cronjob_t:fd use;
+allow system_cronjob_t crond_t:fd use;
+allow system_cronjob_t crond_t:fifo_file rw_file_perms;
+allow system_cronjob_t crond_t:process sigchld;
+allow crond_t system_cronjob_t:key manage_key_perms;
+
+# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
+# write temporary files
+manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
-filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { dir file lnk_file })
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { dir file })
+# var/lib files for system_crond
+files_search_var_lib(system_cronjob_t)
manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
-allow system_cronjob_t crond_t:fd use;
-allow system_cronjob_t crond_t:fifo_file rw_fifo_file_perms;
-allow system_cronjob_t crond_t:process sigchld;
-
+# Read from /var/spool/cron.
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;
@@ -461,11 +459,11 @@ kernel_read_network_state(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
kernel_read_software_raid_state(system_cronjob_t)
+# ps does not need to access /boot when run from cron
files_dontaudit_search_boot(system_cronjob_t)
corecmd_exec_all_executables(system_cronjob_t)
-corenet_all_recvfrom_unlabeled(system_cronjob_t)
corenet_all_recvfrom_netlabel(system_cronjob_t)
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
corenet_udp_sendrecv_generic_if(system_cronjob_t)
@@ -485,6 +483,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
fs_getattr_all_pipes(system_cronjob_t)
fs_getattr_all_sockets(system_cronjob_t)
+# quiet other ps operations
domain_dontaudit_read_all_domains_state(system_cronjob_t)
files_exec_etc_files(system_cronjob_t)
@@ -495,17 +494,22 @@ files_getattr_all_files(system_cronjob_t)
files_getattr_all_symlinks(system_cronjob_t)
files_getattr_all_pipes(system_cronjob_t)
files_getattr_all_sockets(system_cronjob_t)
-files_read_usr_files(system_cronjob_t)
files_read_var_files(system_cronjob_t)
+# for nscd:
files_dontaudit_search_pids(system_cronjob_t)
+# Access other spool directories like
+# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
files_create_boot_flag(system_cronjob_t)
mls_file_read_to_clearance(system_cronjob_t)
init_domtrans_script(system_cronjob_t)
-init_read_utmp(system_cronjob_t)
init_use_script_fds(system_cronjob_t)
+init_read_utmp(system_cronjob_t)
+init_dontaudit_rw_utmp(system_cronjob_t)
+# prelink tells init to restart it self, we either need to allow or dontaudit
+init_telinit(system_cronjob_t)
auth_use_nsswitch(system_cronjob_t)
@@ -516,20 +520,28 @@ logging_read_generic_logs(system_cronjob_t)
logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
-miscfiles_read_localization(system_cronjob_t)
+miscfiles_filetrans_named_content_letsencrypt(system_cronjob_t)
seutil_read_config(system_cronjob_t)
+userdom_manage_tmpfs_files(system_cronjob_t, file)
+userdom_tmpfs_filetrans(system_cronjob_t, file)
+
ifdef(`distro_redhat',`
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ allow crond_t system_cron_spool_t:file manage_file_perms;
+
+ # via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
')
')
+selinux_get_fs_mount(system_cronjob_t)
+
tunable_policy(`cron_can_relabel',`
seutil_domtrans_setfiles(system_cronjob_t)
',`
- selinux_get_fs_mount(system_cronjob_t)
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
@@ -539,10 +551,26 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
+ # Needed for certwatch
apache_exec_modules(system_cronjob_t)
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
+ apache_manage_lib(system_cronjob_t)
+ apache_delete_cache_dirs(system_cronjob_t)
+ apache_delete_cache_files(system_cronjob_t)
+')
+
+optional_policy(`
+ bind_read_config(system_cronjob_t)
+')
+
+optional_policy(`
+ cron_generic_log_filetrans_log_insights(system_cronjob_t)
+')
+
+optional_policy(`
+ chronyd_run_chronyc(system_cronjob_t,system_r)
')
optional_policy(`
@@ -551,10 +579,6 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(system_cronjob_t)
-
- optional_policy(`
- networkmanager_dbus_chat(system_cronjob_t)
- ')
')
optional_policy(`
@@ -567,6 +591,10 @@ optional_policy(`
')
optional_policy(`
+ firewalld_dbus_chat(system_cronjob_t)
+')
+
+optional_policy(`
ftp_read_log(system_cronjob_t)
')
@@ -591,6 +619,8 @@ optional_policy(`
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
+ mta_filetrans_admin_home_content(system_cronjob_t)
+ mta_system_content(system_cron_spool_t)
')
optional_policy(`
@@ -598,7 +628,31 @@ optional_policy(`
')
optional_policy(`
+ networkmanager_dbus_chat(system_cronjob_t)
+')
+
+optional_policy(`
+ pcp_filetrans_named_content(system_cronjob_t)
+')
+
+optional_policy(`
postfix_read_config(system_cronjob_t)
+')
+
+optional_policy(`
+ prelink_delete_cache(system_cronjob_t)
+ prelink_manage_lib(system_cronjob_t)
+ prelink_manage_log(system_cronjob_t)
+ prelink_read_cache(system_cronjob_t)
+ prelink_relabel_lib(system_cronjob_t)
+')
+
+optional_policy(`
+ rkhunter_manage_lib_files(system_cronjob_t)
+')
+
+optional_policy(`
+ rhsmcertd_dbus_chat(system_cronjob_t)
')
optional_policy(`
@@ -607,7 +661,12 @@ optional_policy(`
')
optional_policy(`
+ snapper_dbus_chat(system_cronjob_t)
+')
+
+optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
+ spamassassin_manage_home_client(system_cronjob_t)
')
optional_policy(`
@@ -615,12 +674,27 @@ optional_policy(`
')
optional_policy(`
- userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
+ systemd_dbus_chat_logind(system_cronjob_t)
+ systemd_dbus_chat_timedated(system_cronjob_t)
+ systemd_dbus_chat_hostnamed(system_cronjob_t)
+ systemd_dbus_chat_localed(system_cronjob_t)
+ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+')
+
+optional_policy(`
+ unconfined_domain(crond_t)
+ unconfined_domain(system_cronjob_t)
+')
+
+optional_policy(`
+ unconfined_shell_domtrans(crond_t)
+ unconfined_dbus_send(crond_t)
+ userdom_filetrans_home_content(crond_t)
')
########################################
#
-# Cronjob local policy
+# User cronjobs local policy
#
allow cronjob_t self:process { signal_perms setsched };
@@ -628,12 +702,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
+# The entrypoint interface is not used as this is not
+# a regular entrypoint. Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job. It
+# performs an entrypoint permission check
+# for this purpose.
+allow cronjob_t user_cron_spool_t:file entrypoint;
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond
+# via setexeccon. There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t cronjob_t:process transition;
+dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t cronjob_t:fd use;
+allow cronjob_t crond_t:fd use;
+allow cronjob_t crond_t:fifo_file rw_file_perms;
+allow cronjob_t crond_t:process sigchld;
+
kernel_read_system_state(cronjob_t)
kernel_read_kernel_sysctls(cronjob_t)
+# ps does not need to access /boot when run from cron
files_dontaudit_search_boot(cronjob_t)
-corenet_all_recvfrom_unlabeled(cronjob_t)
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
@@ -641,66 +735,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
-
-corenet_sendrecv_all_client_packets(cronjob_t)
corenet_tcp_connect_all_ports(cronjob_t)
-
-corecmd_exec_all_executables(cronjob_t)
+corenet_sendrecv_all_client_packets(cronjob_t)
dev_read_urand(cronjob_t)
fs_getattr_all_fs(cronjob_t)
+corecmd_exec_all_executables(cronjob_t)
+
+# quiet other ps operations
domain_dontaudit_read_all_domains_state(cronjob_t)
domain_dontaudit_getattr_all_domains(cronjob_t)
files_exec_etc_files(cronjob_t)
-files_read_etc_runtime_files(cronjob_t)
-files_read_var_files(cronjob_t)
-files_read_usr_files(cronjob_t)
-files_search_spool(cronjob_t)
+# for nscd:
files_dontaudit_search_pids(cronjob_t)
libs_exec_lib_files(cronjob_t)
libs_exec_ld_so(cronjob_t)
+files_read_etc_runtime_files(cronjob_t)
+files_read_var_files(cronjob_t)
+files_search_spool(cronjob_t)
+
logging_search_logs(cronjob_t)
seutil_read_config(cronjob_t)
-miscfiles_read_localization(cronjob_t)
userdom_manage_user_tmp_files(cronjob_t)
userdom_manage_user_tmp_symlinks(cronjob_t)
userdom_manage_user_tmp_pipes(cronjob_t)
userdom_manage_user_tmp_sockets(cronjob_t)
+# Run scripts in user home directory and access shared libs.
userdom_exec_user_home_content_files(cronjob_t)
+# Access user files and dirs.
userdom_manage_user_home_content_files(cronjob_t)
userdom_manage_user_home_content_symlinks(cronjob_t)
userdom_manage_user_home_content_pipes(cronjob_t)
userdom_manage_user_home_content_sockets(cronjob_t)
-tunable_policy(`cron_userdomain_transition',`
- dontaudit cronjob_t crond_t:fd use;
- dontaudit cronjob_t crond_t:fifo_file rw_fifo_file_perms;
- dontaudit cronjob_t crond_t:process sigchld;
-
- dontaudit cronjob_t user_cron_spool_t:file entrypoint;
-',`
- allow cronjob_t crond_t:fd use;
- allow cronjob_t crond_t:fifo_file rw_fifo_file_perms;
- allow cronjob_t crond_t:process sigchld;
+list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
- allow cronjob_t user_cron_spool_t:file entrypoint;
+tunable_policy(`fcron_crond',`
+ allow crond_t user_cron_spool_t:file manage_file_perms;
')
+# need a per-role version of this:
+#optional_policy(`
+# mono_domtrans(cronjob_t)
+#')
+
optional_policy(`
nis_use_ypbind(cronjob_t)
')
+##############################
+#
+# crontab common policy
+#
+
+# is to create the file in the directory under /tmp
+allow crontab_domain self:capability { fowner setuid setgid chown dac_read_search };
+allow crontab_domain self:process { getcap setsched signal_perms };
+allow crontab_domain self:fifo_file rw_fifo_file_perms;
+
+allow crontab_domain crond_t:process signal;
+allow crontab_domain crond_var_run_t:file read_file_perms;
+
+corecmd_exec_bin(crontab_domain)
+corecmd_exec_shell(crontab_domain)
+
+# create files in /var/spool/cron
+manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
+filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
+files_list_spool(crontab_domain)
+
+# crontab signals crond by updating the mtime on the spooldir
+allow crontab_domain cron_spool_t:dir setattr_dir_perms;
+
+# for the checks used by crontab -u
+selinux_dontaudit_search_fs(crontab_domain)
+
+fs_getattr_xattr_fs(crontab_domain)
+fs_manage_cgroup_dirs(crontab_domain)
+fs_manage_cgroup_files(crontab_domain)
+
+domain_use_interactive_fds(crontab_domain)
+
+files_dontaudit_search_pids(crontab_domain)
+
+fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
+
+auth_rw_var_auth(crontab_domain)
+
+logging_send_audit_msgs(crontab_domain)
+logging_set_loginuid(crontab_domain)
+
+init_dontaudit_write_utmp(crontab_domain)
+init_read_utmp(crontab_domain)
+init_read_state(crontab_domain)
+
+
+seutil_read_config(crontab_domain)
+
+userdom_manage_user_tmp_dirs(crontab_domain)
+userdom_manage_user_tmp_files(crontab_domain)
+# Access terminals.
+userdom_use_inherited_user_terminals(crontab_domain)
+# Read user crontabs
+userdom_read_user_home_content_files(crontab_domain)
+userdom_read_user_home_content_symlinks(crontab_domain)
+
+tunable_policy(`fcron_crond',`
+ # fcron wants an instant update of a crontab change for the administrator
+ # also crontab does a security check for crontab -u
+ dontaudit crontab_domain crond_t:process signal;
+')
+
+optional_policy(`
+ ssh_dontaudit_use_ptys(crontab_domain)
+')
+
+optional_policy(`
+ openshift_dontaudit_rw_inherited_fifo_files(crontab_domain)
+ openshift_transition(system_cronjob_t)
+')
+
########################################
#
-# Unconfined local policy
+# Unconfined cronjobs local policy
#
type unconfined_cronjob_t;
diff --git a/ctdb.fc b/ctdb.fc
index 8401fe6f3..84ece3e4a 100644
--- a/ctdb.fc
+++ b/ctdb.fc
@@ -1,12 +1,20 @@
/etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0)
+/etc/ctdb/events\.d/.* -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
+
/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
+/usr/sbin/ctdbd_wrapper -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
+
+/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_t,s0)
+/var/lib/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
/var/log/ctdb\.log.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
/var/log/log\.ctdb.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
+
+/var/run/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0)
/var/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0)
/var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0)
diff --git a/ctdb.if b/ctdb.if
index b25b01d12..06895f39a 100644
--- a/ctdb.if
+++ b/ctdb.if
@@ -1,9 +1,178 @@
-## <summary>Clustered Database based on Samba Trivial Database.</summary>
+
+## <summary>policy for ctdbd</summary>
+
+########################################
+## <summary>
+## Transition to ctdbd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ctdbd_domtrans',`
+ gen_require(`
+ type ctdbd_t, ctdbd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ctdbd_exec_t, ctdbd_t)
+')
+
+########################################
+## <summary>
+## Execute ctdbd server in the ctdbd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ctdbd_initrc_domtrans',`
+ gen_require(`
+ type ctdbd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+## Allow domain to signal ctdbd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ctdbd_signal',`
+ gen_require(`
+ type ctdbd_t;
+ ')
+ allow $1 ctdbd_t:process signal;
+')
+
+#######################################
+## <summary>
+## Allow domain to sigchld ctdbd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ctdbd_sigchld',`
+ gen_require(`
+ type ctdbd_t;
+ ')
+ allow $1 ctdbd_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Read ctdbd's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ctdbd_read_log',`
+ gen_require(`
+ type ctdbd_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+## <summary>
+## Append to ctdbd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ctdbd_append_log',`
+ gen_require(`
+ type ctdbd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+## <summary>
+## Manage ctdbd log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`ctdbd_manage_log',`
+ gen_require(`
+ type ctdbd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t)
+ manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+ manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+## <summary>
+## Search ctdbd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ctdbd_search_lib',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ allow $1 ctdbd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read ctdbd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ctdbd_read_lib_files',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
########################################
## <summary>
-## Create, read, write, and delete
-## ctdbd lib files.
+## Manage ctdbd lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -17,13 +186,12 @@ interface(`ctdbd_manage_lib_files',`
')
files_search_var_lib($1)
- manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+ manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
')
-#######################################
+########################################
## <summary>
-## Connect to ctdbd with a unix
-## domain stream socket.
+## Manage ctdbd lib directories.
## </summary>
## <param name="domain">
## <summary>
@@ -31,19 +199,58 @@ interface(`ctdbd_manage_lib_files',`
## </summary>
## </param>
#
-interface(`ctdbd_stream_connect',`
+interface(`ctdbd_manage_lib_dirs',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read ctdbd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ctdbd_read_pid_files',`
gen_require(`
- type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
+ type ctdbd_var_run_t;
')
files_search_pids($1)
- stream_connect_pattern($1, { ctdbd_tmp_t ctdbd_var_run_t }, { ctdbd_tmp_t ctdbd_var_run_t }, ctdbd_t)
+ allow $1 ctdbd_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Connect to ctdbd over a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ctdbd_stream_connect',`
+ gen_require(`
+ type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t)
+ stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t)
')
########################################
## <summary>
-## All of the rules required to
-## administrate an ctdb environment.
+## All of the rules required to administrate
+## an ctdbd environment
## </summary>
## <param name="domain">
## <summary>
@@ -57,16 +264,19 @@ interface(`ctdbd_stream_connect',`
## </param>
## <rolecap/>
#
-interface(`ctdb_admin',`
+interface(`ctdbd_admin',`
gen_require(`
- type ctdbd_t, ctdbd_initrc_exec_t, ctdbd_tmp_t;
+ type ctdbd_t, ctdbd_initrc_exec_t;
type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
')
- allow $1 ctdbd_t:process { ptrace signal_perms };
+ allow $1 ctdbd_t:process signal_perms;
ps_process_pattern($1, ctdbd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ctdbd_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+ ctdbd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 ctdbd_initrc_exec_t system_r;
allow $2 system_r;
@@ -74,12 +284,10 @@ interface(`ctdb_admin',`
logging_search_logs($1)
admin_pattern($1, ctdbd_log_t)
- files_search_tmp($1)
- admin_pattern($1, ctdbd_tmp_t)
-
files_search_var_lib($1)
admin_pattern($1, ctdbd_var_lib_t)
files_search_pids($1)
admin_pattern($1, ctdbd_var_run_t)
')
+
diff --git a/ctdb.te b/ctdb.te
index 001b502e6..8f9d0e50f 100644
--- a/ctdb.te
+++ b/ctdb.te
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
type ctdbd_var_lib_t;
files_type(ctdbd_var_lib_t)
+type ctdbd_var_t;
+files_type(ctdbd_var_t)
+
type ctdbd_var_run_t;
files_pid_file(ctdbd_var_run_t)
@@ -32,13 +35,16 @@ files_pid_file(ctdbd_var_run_t)
# Local policy
#
-allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
-allow ctdbd_t self:process { setpgid signal_perms setsched };
+allow ctdbd_t self:capability { chown dac_read_search ipc_lock net_admin net_raw sys_nice sys_resource };
+allow ctdbd_t self:capability2 block_suspend;
+allow ctdbd_t self:process { setpgid setrlimit signal_perms setsched };
allow ctdbd_t self:fifo_file rw_fifo_file_perms;
allow ctdbd_t self:unix_stream_socket { accept connectto listen };
allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
allow ctdbd_t self:packet_socket create_socket_perms;
allow ctdbd_t self:tcp_socket create_stream_socket_perms;
+allow ctdbd_t self:udp_socket create_socket_perms;
+allow ctdbd_t self:rawip_socket create_socket_perms;
append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
@@ -57,12 +63,23 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir)
exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
-files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)
+files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir, "ctdb")
+
+manage_dirs_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+manage_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+manage_lnk_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdbd")
+files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdb")
manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
+manage_sock_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)
+setattr_files_pattern(ctdbd_t, ctdbd_exec_t, ctdbd_exec_t)
+
+can_exec(ctdbd_t, ctdbd_exec_t)
+
kernel_read_network_state(ctdbd_t)
kernel_read_system_state(ctdbd_t)
kernel_rw_net_sysctls(ctdbd_t)
@@ -72,27 +89,38 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
corenet_tcp_sendrecv_generic_if(ctdbd_t)
corenet_tcp_sendrecv_generic_node(ctdbd_t)
corenet_tcp_bind_generic_node(ctdbd_t)
+corenet_udp_bind_generic_node(ctdbd_t)
corenet_sendrecv_ctdb_server_packets(ctdbd_t)
corenet_tcp_bind_ctdb_port(ctdbd_t)
+corenet_udp_bind_ctdb_port(ctdbd_t)
+corenet_tcp_bind_smbd_port(ctdbd_t)
+corenet_tcp_connect_ctdb_port(ctdbd_t)
corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
+corenet_tcp_connect_gluster_port(ctdbd_t)
+corenet_tcp_connect_nfs_port(ctdbd_t)
corecmd_exec_bin(ctdbd_t)
corecmd_exec_shell(ctdbd_t)
+corecmd_getattr_all_executables(ctdbd_t)
dev_read_sysfs(ctdbd_t)
dev_read_urand(ctdbd_t)
domain_dontaudit_read_all_domains_state(ctdbd_t)
-files_read_etc_files(ctdbd_t)
files_search_all_mountpoints(ctdbd_t)
+fs_getattr_all_fs(ctdbd_t)
+
+auth_use_nsswitch(ctdbd_t)
+
logging_send_syslog_msg(ctdbd_t)
-miscfiles_read_localization(ctdbd_t)
miscfiles_read_public_files(ctdbd_t)
+userdom_home_manager(ctdbd_t)
+
optional_policy(`
consoletype_exec(ctdbd_t)
')
@@ -106,9 +134,22 @@ optional_policy(`
')
optional_policy(`
+ rpc_domtrans_rpcd(ctdbd_t)
+ rpc_manage_nfs_state_data_dir(ctdbd_t)
+ rpc_read_nfs_state_data(ctdbd_t)
+')
+
+optional_policy(`
+ samba_signull_smbd(ctdbd_t)
samba_initrc_domtrans(ctdbd_t)
samba_domtrans_net(ctdbd_t)
samba_rw_var_files(ctdbd_t)
+ samba_systemctl(ctdbd_t)
+')
+
+optional_policy(`
+ samba_signull_winbind(ctdbd_t)
+ samba_signull_unconfined_net(ctdbd_t)
')
optional_policy(`
diff --git a/cups.fc b/cups.fc
index 949011ec8..8f8bc200a 100644
--- a/cups.fc
+++ b/cups.fc
@@ -1,77 +1,92 @@
-/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
-/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0)
-/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
-
-/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/hp(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
-/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/lib/systemd/system/cups.* -- gen_context(system_u:object_r:cupsd_unit_file_t,s0)
-/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
-/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/lib/cups-pk-helper/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
-/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
-/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/hpijs -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/cups-browsed -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hpiod -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
/usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
-/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
+/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
-/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
+/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0)
+/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
-/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+
+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
+/var/run/hplip(/.*) gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/ecblp0 -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/hp.*\.pid -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/hp.*\.port -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
-/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
-/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
+/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
+/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/cups.if b/cups.if
index 3023be7f6..5afde8039 100644
--- a/cups.if
+++ b/cups.if
@@ -70,6 +70,7 @@ interface(`cups_stream_connect',`
files_search_pids($1)
stream_connect_pattern($1, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+ allow $1 cupsd_var_run_t:sock_file read_sock_file_perms;
')
########################################
@@ -200,10 +201,13 @@ interface(`cups_dbus_chat_config',`
interface(`cups_read_config',`
gen_require(`
type cupsd_etc_t, cupsd_rw_etc_t;
+ type hplip_etc_t;
')
files_search_etc($1)
- read_files_pattern($1, cupsd_etc_t, { cupsd_etc_t cupsd_rw_etc_t })
+ read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
+ read_files_pattern($1, hplip_etc_t, hplip_etc_t)
+ read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
')
########################################
@@ -306,6 +310,30 @@ interface(`cups_stream_connect_ptal',`
########################################
## <summary>
+## Execute cupsd server in the cupsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cupsd_systemctl',`
+ gen_require(`
+ type cupsd_t;
+ type cupsd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 cupsd_unit_file_t:file read_file_perms;
+ allow $1 cupsd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, cupsd_t)
+')
+
+########################################
+## <summary>
## Read the process state (/proc/pid) of cupsd.
## </summary>
## <param name="domain">
@@ -344,18 +372,23 @@ interface(`cups_read_state',`
interface(`cups_admin',`
gen_require(`
type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+ type cupsd_etc_t, cupsd_log_t;
type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t;
type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t;
type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
- type hplip_t, ptal_t;
+ type ptal_t;
+ type cupsd_unit_file_t;
')
- allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms };
- allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms };
+ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { signal_perms };
+ allow $1 { cups_pdf_t ptal_t }:process { signal_perms };
ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
- ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
+ ps_process_pattern($1, { cups_pdf_t ptal_t })
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process ptrace;
+ ')
init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -368,13 +401,46 @@ interface(`cups_admin',`
logging_list_logs($1)
admin_pattern($1, cupsd_log_t)
- files_list_spool($1)
- admin_pattern($1, cupsd_spool_t)
-
files_list_tmp($1)
admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t })
-
- files_list_pids($1)
admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t })
admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t })
+
+ cupsd_systemctl($1)
+ admin_pattern($1, cupsd_unit_file_t)
+ allow $1 cupsd_unit_file_t:service all_service_perms;
+')
+
+########################################
+## <summary>
+## Transition to cups named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_filetrans_named_content',`
+ gen_require(`
+ type cupsd_rw_etc_t;
+ type cupsd_etc_t;
+ ')
+
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf.default")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "lpoptions")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat")
+ files_etc_filetrans($1, cupsd_rw_etc_t, file, "printcap")
+ files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat")
+ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+ files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
')
diff --git a/cups.te b/cups.te
index c91813ccb..dd52ab6ad 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
# Declarations
#
-type cupsd_config_t;
+## <desc>
+## <p>
+## Allow cups execmem/execstack
+## </p>
+## </desc>
+gen_tunable(cups_execmem, false)
+
+attribute cups_domain;
+
+type cupsd_config_t, cups_domain;
type cupsd_config_exec_t;
init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
type cupsd_config_var_run_t;
files_pid_file(cupsd_config_var_run_t)
-type cupsd_t;
+type cupsd_t, cups_domain;
type cupsd_exec_t;
+typealias cupsd_t alias hplip_t;
+typealias cupsd_exec_t alias hplip_exec_t;
init_daemon_domain(cupsd_t, cupsd_exec_t)
mls_trusted_object(cupsd_t)
type cupsd_etc_t;
+typealias cupsd_etc_t alias hplip_etc_t;
files_config_file(cupsd_etc_t)
type cupsd_initrc_exec_t;
@@ -33,13 +45,15 @@ type cupsd_lock_t;
files_lock_file(cupsd_lock_t)
type cupsd_log_t;
+typealias cupsd_log_t alias hplip_var_log_t;
logging_log_file(cupsd_log_t)
-type cupsd_lpd_t;
+type cupsd_var_lib_t alias hplip_var_lib_t;
+files_type(cupsd_var_lib_t)
+
+type cupsd_lpd_t, cups_domain;
type cupsd_lpd_exec_t;
-domain_type(cupsd_lpd_t)
-domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
-role system_r types cupsd_lpd_t;
+init_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
type cupsd_lpd_tmp_t;
files_tmp_file(cupsd_lpd_tmp_t)
@@ -47,7 +61,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
type cupsd_lpd_var_run_t;
files_pid_file(cupsd_lpd_var_run_t)
-type cups_pdf_t;
+type cups_pdf_t, cups_domain;
type cups_pdf_exec_t;
cups_backend(cups_pdf_t, cups_pdf_exec_t)
@@ -55,29 +69,17 @@ type cups_pdf_tmp_t;
files_tmp_file(cups_pdf_tmp_t)
type cupsd_tmp_t;
+typealias cupsd_tmp_t alias hplip_tmp_t;
files_tmp_file(cupsd_tmp_t)
type cupsd_var_run_t;
+typealias cupsd_var_run_t alias hplip_var_run_t;
files_pid_file(cupsd_var_run_t)
init_daemon_run_dir(cupsd_var_run_t, "cups")
mls_trusted_object(cupsd_var_run_t)
-type hplip_t;
-type hplip_exec_t;
-init_daemon_domain(hplip_t, hplip_exec_t)
-cups_backend(hplip_t, hplip_exec_t)
-
-type hplip_etc_t;
-files_config_file(hplip_etc_t)
-
-type hplip_tmp_t;
-files_tmp_file(hplip_tmp_t)
-
-type hplip_var_lib_t;
-files_type(hplip_var_lib_t)
-
-type hplip_var_run_t;
-files_pid_file(hplip_var_run_t)
+type cupsd_unit_file_t;
+systemd_unit_file(cupsd_unit_file_t)
type ptal_t;
type ptal_exec_t;
@@ -97,21 +99,50 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
')
+#######################################
+#
+# Cups general local policy
+#
+
+allow cups_domain self:capability { setuid setgid sys_nice };
+allow cups_domain self:process { getsched setsched signal_perms };
+allow cups_domain self:fifo_file rw_fifo_file_perms;
+allow cups_domain self:tcp_socket { accept listen };
+allow cups_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(cups_domain)
+kernel_read_network_state(cups_domain)
+
+corecmd_exec_bin(cups_domain)
+corecmd_exec_shell(cups_domain)
+
+dev_read_urand(cups_domain)
+dev_read_rand(cups_domain)
+dev_read_sysfs(cups_domain)
+
+fs_getattr_all_fs(cups_domain)
+
+miscfiles_read_fonts(cups_domain)
+miscfiles_setattr_fonts_cache_dirs(cups_domain)
+
+optional_policy(`
+ lpd_manage_spool(cups_domain)
+')
+
########################################
#
# Cups local policy
#
-allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
+allow cupsd_t self:capability { ipc_lock sys_admin dac_read_search dac_override kill fsetid fowner chown sys_resource sys_tty_config };
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
-allow cupsd_t self:capability2 block_suspend;
-allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
-allow cupsd_t self:fifo_file rw_fifo_file_perms;
+allow cupsd_t self:capability2 { block_suspend wake_alarm };
+allow cupsd_t self:process { getpgid setpgid setsched };
allow cupsd_t self:unix_stream_socket { accept connectto listen };
allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+allow cupsd_t self:socket connect;
allow cupsd_t self:shm create_shm_perms;
allow cupsd_t self:sem create_sem_perms;
-allow cupsd_t self:tcp_socket { accept listen };
allow cupsd_t self:appletalk_socket create_socket_perms;
allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
@@ -120,11 +151,14 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
+can_exec(cupsd_t, cupsd_interface_t)
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
+cups_filetrans_named_content(cupsd_t)
+can_exec(cupsd_t, cupsd_rw_etc_t)
allow cupsd_t cupsd_exec_t:dir search_dir_perms;
allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
@@ -136,22 +170,24 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
+manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
+manage_lnk_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
+
manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_lnk_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
-files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
+files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file lnk_file })
+allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file })
-allow cupsd_t hplip_t:process { signal sigkill };
+allow cupsd_t cupsd_unit_file_t:file read_file_perms;
-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
-
-allow cupsd_t hplip_var_run_t:file read_file_perms;
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
@@ -159,11 +195,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
kernel_read_system_state(cupsd_t)
-kernel_read_network_state(cupsd_t)
kernel_read_all_sysctls(cupsd_t)
kernel_request_load_module(cupsd_t)
-corenet_all_recvfrom_unlabeled(cupsd_t)
corenet_all_recvfrom_netlabel(cupsd_t)
corenet_tcp_sendrecv_generic_if(cupsd_t)
corenet_udp_sendrecv_generic_if(cupsd_t)
@@ -186,12 +220,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_bind_all_rpc_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
-corecmd_exec_bin(cupsd_t)
-corecmd_exec_shell(cupsd_t)
+corenet_sendrecv_hplip_client_packets(cupsd_t)
+corenet_receive_hplip_server_packets(cupsd_t)
+corenet_tcp_bind_hplip_port(cupsd_t)
+corenet_tcp_connect_hplip_port(cupsd_t)
+corenet_tcp_bind_glance_port(cupsd_t)
+corenet_tcp_connect_glance_port(cupsd_t)
+
+corenet_sendrecv_ipp_client_packets(cupsd_t)
+corenet_tcp_connect_ipp_port(cupsd_t)
+
+corenet_sendrecv_howl_server_packets(cupsd_t)
+corenet_udp_bind_howl_port(cupsd_t)
dev_rw_printer(cupsd_t)
-dev_read_urand(cupsd_t)
-dev_read_sysfs(cupsd_t)
dev_rw_input_dev(cupsd_t)
dev_rw_generic_usb_dev(cupsd_t)
dev_rw_usbfs(cupsd_t)
@@ -203,7 +245,6 @@ domain_use_interactive_fds(cupsd_t)
files_getattr_boot_dirs(cupsd_t)
files_list_spool(cupsd_t)
files_read_etc_runtime_files(cupsd_t)
-files_read_usr_files(cupsd_t)
files_exec_usr_files(cupsd_t)
# for /var/lib/defoma
files_read_var_lib_files(cupsd_t)
@@ -212,17 +253,19 @@ files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
files_read_var_files(cupsd_t)
files_read_var_symlinks(cupsd_t)
-files_write_generic_pid_pipes(cupsd_t)
files_dontaudit_getattr_all_tmp_files(cupsd_t)
files_dontaudit_list_home(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
+files_dontaudit_write_usr_dirs(cupsd_t)
-fs_getattr_all_fs(cupsd_t)
fs_search_auto_mountpoints(cupsd_t)
fs_search_fusefs(cupsd_t)
fs_read_anon_inodefs_files(cupsd_t)
+fs_rw_anon_inodefs_files(cupsd_t)
+fs_rw_inherited_tmpfs_files(cupsd_t)
+mls_dbus_send_all_levels(cupsd_t)
mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
mls_file_write_all_levels(cupsd_t)
@@ -232,6 +275,8 @@ mls_socket_write_all_levels(cupsd_t)
term_search_ptys(cupsd_t)
term_use_unallocated_ttys(cupsd_t)
+term_use_ptmx(cupsd_t)
+term_use_usb_ttys(cupsd_t)
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
@@ -244,23 +289,33 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
-libs_read_lib_files(cupsd_t)
libs_exec_lib_files(cupsd_t)
+libs_exec_ldconfig(cupsd_t)
+libs_exec_ld_so(cupsd_t)
+libs_use_ld_so(cupsd_t)
+libs_legacy_use_ld_so(cupsd_t)
logging_send_audit_msgs(cupsd_t)
logging_send_syslog_msg(cupsd_t)
-miscfiles_read_localization(cupsd_t)
-miscfiles_read_fonts(cupsd_t)
-miscfiles_setattr_fonts_cache_dirs(cupsd_t)
+miscfiles_legacy_read_localization(cupsd_t)
seutil_read_config(cupsd_t)
sysnet_exec_ifconfig(cupsd_t)
+sysnet_dns_name_resolve(cupsd_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+userdom_dontaudit_search_user_home_dirs(cupsd_t)
+userdom_dontaudit_search_user_home_content(cupsd_t)
+userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_user_home_content(cupsd_t)
+tunable_policy(`cups_execmem',`
+ allow cupsd_t self:process { execmem execstack };
+')
+
+
optional_policy(`
apm_domtrans_client(cupsd_t)
')
@@ -272,6 +327,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
+ init_dbus_chat(cupsd_t)
+
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
@@ -279,11 +336,17 @@ optional_policy(`
')
optional_policy(`
+ colord_read_lib_files(cupsd_t)
+ ')
+
+ optional_policy(`
hal_dbus_chat(cupsd_t)
')
+ # talk to processes that do not have policy
optional_policy(`
unconfined_dbus_chat(cupsd_t)
+ files_write_generic_pid_pipes(cupsd_t)
')
')
@@ -296,8 +359,8 @@ optional_policy(`
')
optional_policy(`
+ kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0")
kerberos_manage_host_rcache(cupsd_t)
- kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
')
optional_policy(`
@@ -306,7 +369,6 @@ optional_policy(`
optional_policy(`
lpd_exec_lpr(cupsd_t)
- lpd_manage_spool(cupsd_t)
lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t)
')
@@ -316,6 +378,10 @@ optional_policy(`
')
optional_policy(`
+ networkmanager_dbus_chat(cupsd_t)
+')
+
+optional_policy(`
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
samba_stream_connect_nmbd(cupsd_t)
@@ -326,7 +392,7 @@ optional_policy(`
')
optional_policy(`
- snmp_read_snmp_var_lib_files(cupsd_t)
+ snmp_manage_var_lib_files(cupsd_t)
')
optional_policy(`
@@ -334,7 +400,11 @@ optional_policy(`
')
optional_policy(`
- virt_rw_all_image_chr_files(cupsd_t)
+ virt_rw_chr_files(cupsd_t)
+')
+
+optional_policy(`
+ vmware_read_system_config(cupsd_t)
')
########################################
@@ -342,12 +412,11 @@ optional_policy(`
# Configuration daemon local policy
#
-allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid };
+allow cupsd_config_t self:capability { chown dac_read_search sys_tty_config };
dontaudit cupsd_config_t self:capability sys_tty_config;
-allow cupsd_config_t self:process { getsched signal_perms };
-allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-allow cupsd_config_t self:tcp_socket { accept listen };
+allow cupsd_config_t self:process { getsched };
+domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t)
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
@@ -367,23 +436,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
+allow cupsd_config_t cupsd_var_run_t:sock_file read_file_perms;
manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
+manage_sock_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
-read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
+read_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
can_exec(cupsd_config_t, cupsd_config_exec_t)
-
-domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+can_exec(cupsd_config_t, cupsd_exec_t)
kernel_read_system_state(cupsd_config_t)
kernel_read_all_sysctls(cupsd_config_t)
-corenet_all_recvfrom_unlabeled(cupsd_config_t)
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
@@ -392,20 +461,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
-corecmd_exec_bin(cupsd_config_t)
-corecmd_exec_shell(cupsd_config_t)
-
-dev_read_sysfs(cupsd_config_t)
-dev_read_urand(cupsd_config_t)
-dev_read_rand(cupsd_config_t)
dev_rw_generic_usb_dev(cupsd_config_t)
files_read_etc_runtime_files(cupsd_config_t)
-files_read_usr_files(cupsd_config_t)
files_read_var_symlinks(cupsd_config_t)
files_search_all_mountpoints(cupsd_config_t)
-fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
@@ -417,17 +478,16 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
-miscfiles_read_localization(cupsd_config_t)
-miscfiles_read_hwdata(cupsd_config_t)
-
-seutil_dontaudit_search_config(cupsd_config_t)
-
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
userdom_read_user_tmp_symlinks(cupsd_config_t)
userdom_rw_user_tmp_files(cupsd_config_t)
+tunable_policy(`cups_execmem',`
+ allow cupsd_config_t self:process { execmem execstack };
+')
+
optional_policy(`
term_use_generic_ptys(cupsd_config_t)
')
@@ -449,9 +509,12 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_read_config(cupsd_config_t)
+')
+
+optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
- hal_dontaudit_use_fds(hplip_t)
')
optional_policy(`
@@ -467,6 +530,10 @@ optional_policy(`
')
optional_policy(`
+ libs_exec_ldconfig(cupsd_config_t)
+')
+
+optional_policy(`
rpm_read_db(cupsd_config_t)
')
@@ -487,10 +554,6 @@ optional_policy(`
# Lpd local policy
#
-allow cupsd_lpd_t self:capability { setuid setgid };
-allow cupsd_lpd_t self:process signal_perms;
-allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
-allow cupsd_lpd_t self:tcp_socket { accept listen };
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
@@ -508,15 +571,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
-kernel_read_network_state(cupsd_lpd_t)
-corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
corenet_all_recvfrom_netlabel(cupsd_lpd_t)
corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
corenet_tcp_sendrecv_generic_node(cupsd_lpd_t)
corenet_sendrecv_ipp_client_packets(cupsd_lpd_t)
corenet_tcp_connect_ipp_port(cupsd_lpd_t)
+corenet_tcp_bind_printer_port(cupsd_lpd_t)
+corenet_tcp_connect_printer_port(cupsd_lpd_t)
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
@@ -537,9 +600,6 @@ auth_use_nsswitch(cupsd_lpd_t)
logging_send_syslog_msg(cupsd_lpd_t)
-miscfiles_read_localization(cupsd_lpd_t)
-miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
-
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
@@ -549,9 +609,9 @@ optional_policy(`
# Pdf local policy
#
-allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
-allow cups_pdf_t self:fifo_file rw_fifo_file_perms;
+allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_read_search };
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
+allow cups_pdf_t cupsd_rw_etc_t:dir search;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
create_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
@@ -566,148 +626,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
-files_read_usr_files(cups_pdf_t)
-
-corecmd_exec_bin(cups_pdf_t)
-corecmd_exec_shell(cups_pdf_t)
-
auth_use_nsswitch(cups_pdf_t)
-miscfiles_read_localization(cups_pdf_t)
-miscfiles_read_fonts(cups_pdf_t)
-miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
-
userdom_manage_user_home_content_dirs(cups_pdf_t)
userdom_manage_user_home_content_files(cups_pdf_t)
-userdom_home_filetrans_user_home_dir(cups_pdf_t)
+userdom_filetrans_home_content(cups_pdf_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(cups_pdf_t)
fs_manage_nfs_files(cups_pdf_t)
')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(cups_pdf_t)
- fs_manage_cifs_files(cups_pdf_t)
-')
+userdom_home_manager(cups_pdf_t)
optional_policy(`
- lpd_manage_spool(cups_pdf_t)
+ gnome_read_config(cups_pdf_t)
')
-########################################
-#
-# HPLIP local policy
-#
-
-allow hplip_t self:capability { dac_override dac_read_search net_raw };
-dontaudit hplip_t self:capability sys_tty_config;
-allow hplip_t self:fifo_file rw_fifo_file_perms;
-allow hplip_t self:process signal_perms;
-allow hplip_t self:tcp_socket { accept listen };
-allow hplip_t self:rawip_socket create_socket_perms;
-
-allow hplip_t cupsd_etc_t:dir search_dir_perms;
-
-manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
-manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
-files_tmp_filetrans(hplip_t, cupsd_tmp_t, { dir file })
-
-allow hplip_t hplip_etc_t:dir list_dir_perms;
-allow hplip_t hplip_etc_t:file read_file_perms;
-allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms;
-
-manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
-manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
-
-manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
-
-manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
-files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-
-stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
-
-kernel_read_system_state(hplip_t)
-kernel_read_kernel_sysctls(hplip_t)
-
-corenet_all_recvfrom_unlabeled(hplip_t)
-corenet_all_recvfrom_netlabel(hplip_t)
-corenet_tcp_sendrecv_generic_if(hplip_t)
-corenet_udp_sendrecv_generic_if(hplip_t)
-corenet_raw_sendrecv_generic_if(hplip_t)
-corenet_tcp_sendrecv_generic_node(hplip_t)
-corenet_udp_sendrecv_generic_node(hplip_t)
-corenet_raw_sendrecv_generic_node(hplip_t)
-corenet_tcp_sendrecv_all_ports(hplip_t)
-corenet_udp_sendrecv_all_ports(hplip_t)
-corenet_tcp_bind_generic_node(hplip_t)
-corenet_udp_bind_generic_node(hplip_t)
-
-corenet_sendrecv_hplip_client_packets(hplip_t)
-corenet_receive_hplip_server_packets(hplip_t)
-corenet_tcp_bind_hplip_port(hplip_t)
-corenet_tcp_connect_hplip_port(hplip_t)
-
-corenet_sendrecv_ipp_client_packets(hplip_t)
-corenet_tcp_connect_ipp_port(hplip_t)
-
-corenet_sendrecv_howl_server_packets(hplip_t)
-corenet_udp_bind_howl_port(hplip_t)
-
-corecmd_exec_bin(hplip_t)
-
-dev_read_sysfs(hplip_t)
-dev_rw_printer(hplip_t)
-dev_read_urand(hplip_t)
-dev_read_rand(hplip_t)
-dev_rw_generic_usb_dev(hplip_t)
-dev_rw_usbfs(hplip_t)
-
-domain_use_interactive_fds(hplip_t)
-
-files_read_etc_files(hplip_t)
-files_read_etc_runtime_files(hplip_t)
-files_read_usr_files(hplip_t)
-
-fs_getattr_all_fs(hplip_t)
-fs_search_auto_mountpoints(hplip_t)
-fs_rw_anon_inodefs_files(hplip_t)
-
-logging_send_syslog_msg(hplip_t)
-
-miscfiles_read_localization(hplip_t)
-
-sysnet_dns_name_resolve(hplip_t)
-
-userdom_dontaudit_use_unpriv_user_fds(hplip_t)
-userdom_dontaudit_search_user_home_dirs(hplip_t)
-userdom_dontaudit_search_user_home_content(hplip_t)
-
-optional_policy(`
- dbus_system_bus_client(hplip_t)
-
- optional_policy(`
- userdom_dbus_send_all_users(hplip_t)
- ')
-')
-
-optional_policy(`
- lpd_read_config(hplip_t)
- lpd_manage_spool(hplip_t)
-')
-
-optional_policy(`
- seutil_sigchld_newrole(hplip_t)
-')
-
-optional_policy(`
- snmp_read_snmp_var_lib_files(hplip_t)
-')
-
-optional_policy(`
- udev_read_db(hplip_t)
-')
########################################
#
@@ -735,7 +670,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
-corenet_all_recvfrom_unlabeled(ptal_t)
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
@@ -745,13 +679,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
-dev_read_sysfs(ptal_t)
dev_read_usbfs(ptal_t)
dev_rw_printer(ptal_t)
domain_use_interactive_fds(ptal_t)
-files_read_etc_files(ptal_t)
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
@@ -759,8 +691,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
-miscfiles_read_localization(ptal_t)
-
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
@@ -773,3 +703,4 @@ optional_policy(`
optional_policy(`
udev_read_db(ptal_t)
')
+
diff --git a/cvs.fc b/cvs.fc
index 75c8be90c..4c1a965c0 100644
--- a/cvs.fc
+++ b/cvs.fc
@@ -1,13 +1,16 @@
+HOME_DIR/\.cvsignore -- gen_context(system_u:object_r:cvs_home_t,s0)
+/root/\.cvsignore -- gen_context(system_u:object_r:cvs_home_t,s0)
+
/etc/rc\.d/init\.d/cvs -- gen_context(system_u:object_r:cvs_initrc_exec_t,s0)
/opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
/usr/bin/cvs -- gen_context(system_u:object_r:cvs_exec_t,s0)
-/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
+/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:cvs_script_exec_t,s0)
/var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
/var/run/cvs\.pid -- gen_context(system_u:object_r:cvs_var_run_t,s0)
-/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
+/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:cvs_script_exec_t,s0)
diff --git a/cvs.if b/cvs.if
index 64775fd37..91a60569c 100644
--- a/cvs.if
+++ b/cvs.if
@@ -1,5 +1,23 @@
## <summary>Concurrent versions system.</summary>
+######################################
+## <summary>
+## Dontaudit Attempts to list the CVS data and metadata.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cvs_dontaudit_list_data',`
+ gen_require(`
+ type cvs_data_t;
+ ')
+
+ dontaudit $1 cvs_data_t:dir list_dir_perms;
+')
+
########################################
## <summary>
## Read CVS data and metadata content.
@@ -41,6 +59,24 @@ interface(`cvs_exec',`
########################################
## <summary>
+## Transition to cvs named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cvs_filetrans_home_content',`
+ gen_require(`
+ type cvs_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, cvs_home_t, file, ".cvsignore")
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an cvs environment
## </summary>
@@ -60,11 +96,17 @@ interface(`cvs_admin',`
gen_require(`
type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
+ type cvs_home_t;
')
- allow $1 cvs_t:process { ptrace signal_perms };
+ allow $1 cvs_t:process signal_perms;
ps_process_pattern($1, cvs_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cvs_t:process ptrace;
+ ')
+
+ # Allow cvs_t to restart the apache service
init_labeled_script_domtrans($1, cvs_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 cvs_initrc_exec_t system_r;
@@ -81,4 +123,7 @@ interface(`cvs_admin',`
files_list_pids($1)
admin_pattern($1, cvs_var_run_t)
+
+ userdom_search_user_home_dirs($1)
+ admin_pattern($1, cvs_home_t)
')
diff --git a/cvs.te b/cvs.te
index 0f7755005..3e3f3cd61 100644
--- a/cvs.te
+++ b/cvs.te
@@ -11,7 +11,7 @@ policy_module(cvs, 1.10.2)
## password files.
## </p>
## </desc>
-gen_tunable(allow_cvs_read_shadow, false)
+gen_tunable(cvs_read_shadow, false)
type cvs_t;
type cvs_exec_t;
@@ -34,17 +34,23 @@ files_tmp_file(cvs_tmp_t)
type cvs_var_run_t;
files_pid_file(cvs_var_run_t)
+type cvs_home_t;
+userdom_user_home_content(cvs_home_t)
+
########################################
#
# Local policy
#
-allow cvs_t self:capability { setuid setgid };
+allow cvs_t self:capability { dac_read_search setuid setgid };
allow cvs_t self:process signal_perms;
allow cvs_t self:fifo_file rw_fifo_file_perms;
allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cvs_t self:tcp_socket { accept listen };
+userdom_search_user_home_dirs(cvs_t)
+allow cvs_t cvs_home_t:file read_file_perms;
+
manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
@@ -74,6 +80,15 @@ corenet_tcp_sendrecv_cvs_port(cvs_t)
corecmd_exec_bin(cvs_t)
corecmd_exec_shell(cvs_t)
+corenet_all_recvfrom_netlabel(cvs_t)
+corenet_tcp_sendrecv_generic_if(cvs_t)
+corenet_udp_sendrecv_generic_if(cvs_t)
+corenet_tcp_sendrecv_generic_node(cvs_t)
+corenet_udp_sendrecv_generic_node(cvs_t)
+corenet_tcp_sendrecv_all_ports(cvs_t)
+corenet_udp_sendrecv_all_ports(cvs_t)
+corenet_tcp_bind_cvs_port(cvs_t)
+
dev_read_urand(cvs_t)
files_read_etc_runtime_files(cvs_t)
@@ -86,19 +101,17 @@ auth_use_nsswitch(cvs_t)
init_read_utmp(cvs_t)
+init_dontaudit_read_utmp(cvs_t)
+
logging_send_syslog_msg(cvs_t)
logging_send_audit_msgs(cvs_t)
-miscfiles_read_localization(cvs_t)
-
mta_send_mail(cvs_t)
-userdom_dontaudit_search_user_home_dirs(cvs_t)
-
# cjp: typeattribute doesnt work in conditionals yet
auth_can_read_shadow_passwords(cvs_t)
-tunable_policy(`allow_cvs_read_shadow',`
- allow cvs_t self:capability dac_override;
+tunable_policy(`cvs_read_shadow',`
+ allow cvs_t self:capability { dac_read_search };
auth_tunable_read_shadow(cvs_t)
')
@@ -116,8 +129,10 @@ optional_policy(`
optional_policy(`
apache_content_template(cvs)
+ apache_content_alias_template(cvs, cvs)
- read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
- manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
- manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ read_files_pattern(cvs_script_t, cvs_data_t, cvs_data_t)
+ manage_dirs_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ manage_files_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(cvs_script_t, cvs_tmp_t, { file dir })
')
diff --git a/cyphesis.te b/cyphesis.te
index 77ffc7355..86e11f5e3 100644
--- a/cyphesis.te
+++ b/cyphesis.te
@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t)
corecmd_search_bin(cyphesis_t)
corecmd_getattr_bin_files(cyphesis_t)
-corenet_all_recvfrom_unlabeled(cyphesis_t)
corenet_tcp_sendrecv_generic_if(cyphesis_t)
corenet_tcp_sendrecv_generic_node(cyphesis_t)
corenet_tcp_bind_generic_node(cyphesis_t)
@@ -61,13 +60,9 @@ dev_read_urand(cyphesis_t)
domain_use_interactive_fds(cyphesis_t)
-files_read_etc_files(cyphesis_t)
-files_read_usr_files(cyphesis_t)
logging_send_syslog_msg(cyphesis_t)
-miscfiles_read_localization(cyphesis_t)
-
sysnet_dns_name_resolve(cyphesis_t)
optional_policy(`
diff --git a/cyrus.if b/cyrus.if
index 83bfda6ed..92d9fb2e7 100644
--- a/cyrus.if
+++ b/cyrus.if
@@ -20,6 +20,25 @@ interface(`cyrus_manage_data',`
manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
')
+#######################################
+## <summary>
+## Allow write cyrus data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cyrus_write_data',`
+ gen_require(`
+ type cyrus_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ write_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
+')
+
########################################
## <summary>
## Connect to Cyrus using a unix
@@ -64,9 +83,13 @@ interface(`cyrus_admin',`
type cyrus_keytab_t;
')
- allow $1 cyrus_t:process { ptrace signal_perms };
+ allow $1 cyrus_t:process signal_perms;
ps_process_pattern($1, cyrus_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cyrus_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 cyrus_initrc_exec_t system_r;
diff --git a/cyrus.te b/cyrus.te
index 4283f2de2..c29c47501 100644
--- a/cyrus.te
+++ b/cyrus.te
@@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t)
# Local policy
#
-allow cyrus_t self:capability { dac_override setgid setuid sys_resource };
+allow cyrus_t self:capability { fsetid dac_read_search net_bind_service setgid setuid sys_resource };
dontaudit cyrus_t self:capability sys_tty_config;
allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow cyrus_t self:process setrlimit;
@@ -62,13 +62,14 @@ files_pid_filetrans(cyrus_t, cyrus_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(cyrus_t)
kernel_read_system_state(cyrus_t)
kernel_read_all_sysctls(cyrus_t)
+kernel_read_network_state(cyrus_t)
-corenet_all_recvfrom_unlabeled(cyrus_t)
corenet_all_recvfrom_netlabel(cyrus_t)
corenet_tcp_sendrecv_generic_if(cyrus_t)
corenet_tcp_sendrecv_generic_node(cyrus_t)
corenet_tcp_sendrecv_all_ports(cyrus_t)
corenet_tcp_bind_generic_node(cyrus_t)
+corenet_tcp_bind_cyrus_imapd_port(cyrus_t)
corenet_sendrecv_mail_server_packets(cyrus_t)
corenet_tcp_bind_mail_port(cyrus_t)
@@ -76,6 +77,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
corenet_sendrecv_lmtp_server_packets(cyrus_t)
corenet_tcp_bind_lmtp_port(cyrus_t)
+corenet_sendrecv_innd_server_packets(cyrus_t)
+corenet_tcp_bind_innd_port(cyrus_t)
+
corenet_sendrecv_pop_server_packets(cyrus_t)
corenet_tcp_bind_pop_port(cyrus_t)
@@ -95,8 +99,6 @@ domain_use_interactive_fds(cyrus_t)
files_list_var_lib(cyrus_t)
files_read_etc_runtime_files(cyrus_t)
-files_read_usr_files(cyrus_t)
-files_dontaudit_write_usr_dirs(cyrus_t)
fs_getattr_all_fs(cyrus_t)
fs_search_auto_mountpoints(cyrus_t)
@@ -107,7 +109,6 @@ libs_exec_lib_files(cyrus_t)
logging_send_syslog_msg(cyrus_t)
-miscfiles_read_localization(cyrus_t)
miscfiles_read_generic_certs(cyrus_t)
userdom_use_unpriv_users_fds(cyrus_t)
@@ -121,6 +122,14 @@ optional_policy(`
')
optional_policy(`
+ dirsrv_stream_connect(cyrus_t)
+')
+
+optional_policy(`
+ gssproxy_stream_connect(cyrus_t)
+')
+
+optional_policy(`
kerberos_read_keytab(cyrus_t)
kerberos_use(cyrus_t)
')
@@ -134,8 +143,8 @@ optional_policy(`
')
optional_policy(`
- snmp_read_snmp_var_lib_files(cyrus_t)
- snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
+ files_dontaudit_write_usr_dirs(cyrus_t)
+ snmp_manage_var_lib_files(cyrus_t)
snmp_stream_connect(cyrus_t)
')
diff --git a/daemontools.if b/daemontools.if
index 3b3d9a0b7..6c8106a87 100644
--- a/daemontools.if
+++ b/daemontools.if
@@ -218,3 +218,4 @@ interface(`daemontools_manage_svc',`
allow $1 svc_svc_t:file manage_file_perms;
allow $1 svc_svc_t:lnk_file manage_lnk_file_perms;
')
+
diff --git a/daemontools.te b/daemontools.te
index ee1b4aa8e..2fd746e05 100644
--- a/daemontools.te
+++ b/daemontools.te
@@ -44,7 +44,10 @@ allow svc_multilog_t svc_start_t:process sigchld;
allow svc_multilog_t svc_start_t:fd use;
allow svc_multilog_t svc_start_t:fifo_file rw_fifo_file_perms;
+term_write_console(svc_multilog_t)
+
init_use_fds(svc_multilog_t)
+init_dontaudit_use_script_fds(svc_multilog_t)
logging_manage_generic_logs(svc_multilog_t)
@@ -77,7 +80,8 @@ dev_read_urand(svc_run_t)
corecmd_exec_bin(svc_run_t)
corecmd_exec_shell(svc_run_t)
-files_read_etc_files(svc_run_t)
+term_write_console(svc_run_t)
+
files_read_etc_runtime_files(svc_run_t)
files_search_pids(svc_run_t)
files_search_var_lib(svc_run_t)
@@ -109,6 +113,7 @@ allow svc_start_t svc_run_t:process { signal setrlimit };
can_exec(svc_start_t, svc_start_exec_t)
+mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)
domtrans_pattern(svc_start_t, svc_run_exec_t, svc_run_t)
kernel_read_kernel_sysctls(svc_start_t)
@@ -117,11 +122,13 @@ kernel_read_system_state(svc_start_t)
corecmd_exec_bin(svc_start_t)
corecmd_exec_shell(svc_start_t)
-files_read_etc_files(svc_start_t)
+corenet_tcp_bind_generic_node(svc_start_t)
+corenet_tcp_bind_generic_port(svc_start_t)
+
+term_write_console(svc_start_t)
+
files_read_etc_runtime_files(svc_start_t)
files_search_var(svc_start_t)
files_search_pids(svc_start_t)
logging_send_syslog_msg(svc_start_t)
-
-miscfiles_read_localization(svc_start_t)
diff --git a/dante.te b/dante.te
index 5a5e2902a..6321a1d0a 100644
--- a/dante.te
+++ b/dante.te
@@ -53,7 +53,6 @@ dev_read_sysfs(dante_t)
domain_use_interactive_fds(dante_t)
-files_read_etc_files(dante_t)
files_read_etc_runtime_files(dante_t)
fs_getattr_all_fs(dante_t)
diff --git a/dbadm.te b/dbadm.te
index b60c464f1..51bf02f4a 100644
--- a/dbadm.te
+++ b/dbadm.te
@@ -23,14 +23,14 @@ gen_tunable(dbadm_read_user_files, false)
role dbadm_r;
-userdom_base_user_template(dbadm)
+userdom_confined_admin_template(dbadm)
########################################
#
# Local policy
#
-allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
+allow dbadm_t self:capability { dac_read_search };
files_dontaudit_search_all_dirs(dbadm_t)
files_delete_generic_locks(dbadm_t)
@@ -39,6 +39,7 @@ files_list_var(dbadm_t)
selinux_get_enforce_mode(dbadm_t)
logging_send_syslog_msg(dbadm_t)
+logging_send_audit_msgs(dbadm_t)
userdom_dontaudit_search_user_home_dirs(dbadm_t)
@@ -60,3 +61,7 @@ optional_policy(`
optional_policy(`
postgresql_admin(dbadm_t, dbadm_r)
')
+
+optional_policy(`
+ sudo_role_template(dbadm, dbadm_r, dbadm_t)
+')
diff --git a/dbskk.te b/dbskk.te
index f55c42082..e9d64ab5f 100644
--- a/dbskk.te
+++ b/dbskk.te
@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(dbskkd_t)
kernel_read_system_state(dbskkd_t)
kernel_read_network_state(dbskkd_t)
-corenet_all_recvfrom_unlabeled(dbskkd_t)
corenet_all_recvfrom_netlabel(dbskkd_t)
corenet_tcp_sendrecv_generic_if(dbskkd_t)
corenet_udp_sendrecv_generic_if(dbskkd_t)
@@ -49,10 +48,7 @@ dev_read_urand(dbskkd_t)
fs_getattr_xattr_fs(dbskkd_t)
-files_read_etc_files(dbskkd_t)
auth_use_nsswitch(dbskkd_t)
logging_send_syslog_msg(dbskkd_t)
-
-miscfiles_read_localization(dbskkd_t)
diff --git a/dbus.fc b/dbus.fc
index dda905b9c..60806a524 100644
--- a/dbus.fc
+++ b/dbus.fc
@@ -1,20 +1,31 @@
-HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
+/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
-/etc/dbus-.*(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
+/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+ifdef(`distro_redhat',`
+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/libexec/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
-/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-broker -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-broker-launch -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+ifdef(`distro_debian',`
+/usr/lib/dbus-1.0/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
-/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+ifdef(`distro_gentoo',`
+/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
-/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+/var/cache/ibus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
-/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
-/var/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+ifdef(`distro_redhat',`
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
index 62d22cb46..c0c2ed47d 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
-## <summary>Desktop messaging bus.</summary>
+## <summary>Desktop messaging bus</summary>
########################################
## <summary>
@@ -19,7 +19,24 @@ interface(`dbus_stub',`
########################################
## <summary>
-## Role access for dbus.
+## Execute dbus-daemon in the caller domain.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`dbus_exec_dbusd',`
+ gen_require(`
+ type dbusd_exec_t;
+ ')
+ can_exec($1, dbusd_exec_t)
+')
+
+########################################
+## <summary>
+## Role access for dbus
## </summary>
## <param name="role_prefix">
## <summary>
@@ -41,59 +58,69 @@ interface(`dbus_stub',`
template(`dbus_role_template',`
gen_require(`
class dbus { send_msg acquire_svc };
- attribute session_bus_type;
- type system_dbusd_t, dbusd_exec_t;
- type session_dbusd_tmp_t, session_dbusd_home_t;
+ attribute dbusd_unconfined, session_bus_type;
+ type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
+ type $1_t;
')
##############################
#
- # Declarations
+ # Delcarations
#
type $1_dbusd_t, session_bus_type;
- domain_type($1_dbusd_t)
- domain_entry_file($1_dbusd_t, dbusd_exec_t)
+ application_domain($1_dbusd_t, dbusd_exec_t)
ubac_constrained($1_dbusd_t)
-
role $2 types $1_dbusd_t;
+ kernel_read_system_state($1_dbusd_t)
+
+ selinux_get_fs_mount($1_dbusd_t)
+
+ userdom_home_manager($1_dbusd_t)
+
##############################
#
# Local policy
#
- allow $3 $1_dbusd_t:unix_stream_socket connectto;
- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
- allow $3 $1_dbusd_t:fd use;
-
- allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
+ # For connecting to the bus
+ allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms };
+ allow $1_dbusd_t $3:unix_stream_socket { accept getattr getopt read write };
- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms };
- userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus")
+ # SE-DBus specific permissions
+ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
ps_process_pattern($3, $1_dbusd_t)
- allow $3 $1_dbusd_t:process { ptrace signal_perms };
+ allow $3 $1_dbusd_t:process signal_perms;
- allow $1_dbusd_t $3:process sigkill;
+ tunable_policy(`deny_ptrace',`',`
+ allow $3 $1_dbusd_t:process ptrace;
+ ')
- corecmd_bin_domtrans($1_dbusd_t, $3)
- corecmd_shell_domtrans($1_dbusd_t, $3)
+ # cjp: this seems very broken
+ corecmd_bin_domtrans($1_dbusd_t, $1_t)
+ corecmd_shell_domtrans($1_dbusd_t, $1_t)
+ allow $1_dbusd_t $3:process sigkill;
+ allow $3 $1_dbusd_t:fd use;
+ allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
auth_use_nsswitch($1_dbusd_t)
- ifdef(`hide_broken_symptoms',`
- dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
+ logging_send_syslog_msg($1_dbusd_t)
+
+ optional_policy(`
+ mozilla_domtrans_spec($1_dbusd_t, $1_t)
')
')
#######################################
## <summary>
## Template for creating connections to
-## the system bus.
+## the system DBUS.
## </summary>
## <param name="domain">
## <summary>
@@ -103,91 +130,88 @@ template(`dbus_role_template',`
#
interface(`dbus_system_bus_client',`
gen_require(`
- attribute dbusd_system_bus_client;
- type system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_lib_t;
+ type system_dbusd_t, system_dbusd_t;
+ type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
+ attribute dbusd_unconfined;
')
- typeattribute $1 dbusd_system_bus_client;
-
+ # SE-DBus specific permissions
allow $1 { system_dbusd_t self }:dbus send_msg;
- allow system_dbusd_t $1:dbus send_msg;
+ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
- files_search_var_lib($1)
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ files_search_var_lib($1)
+
+ dev_read_urand($1)
+ # For connecting to the bus
files_search_pids($1)
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
-
dbus_read_config($1)
+
+ optional_policy(`
+ unconfined_server_dbus_chat($1)
+ ')
')
#######################################
## <summary>
-## Acquire service on DBUS
-## session bus.
+## Creating connections to specified
+## DBUS sessions.
## </summary>
-## <param name="domain">
+## <param name="role_prefix">
## <summary>
-## Domain allowed access.
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
## </summary>
## </param>
-#
-interface(`dbus_connect_session_bus',`
- refpolicywarn(`$0($*) has been deprecated, use dbus_connect_all_session_bus() instead.')
- dbus_connect_all_session_bus($1)
-')
-
-#######################################
-## <summary>
-## Acquire service on all DBUS
-## session busses.
-## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-interface(`dbus_connect_all_session_bus',`
+interface(`dbus_session_client',`
gen_require(`
- attribute session_bus_type;
- class dbus acquire_svc;
+ class dbus send_msg;
+ type $1_dbusd_t;
')
- allow $1 session_bus_type:dbus acquire_svc;
+ allow $2 $1_dbusd_t:fd use;
+ allow $2 { $1_dbusd_t self }:dbus send_msg;
+ allow $2 $1_dbusd_t:unix_stream_socket connectto;
')
#######################################
## <summary>
-## Acquire service on specified
-## DBUS session bus.
+## Template for creating connections to
+## a user DBUS.
## </summary>
-## <param name="role_prefix">
-## <summary>
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
-## </summary>
-## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-interface(`dbus_connect_spec_session_bus',`
+interface(`dbus_session_bus_client',`
gen_require(`
- type $1_dbusd_t;
- class dbus acquire_svc;
+ attribute session_bus_type;
+ class dbus send_msg;
')
- allow $2 $1_dbusd_t:dbus acquire_svc;
+ # SE-DBus specific permissions
+ allow $1 { session_bus_type self }:dbus send_msg;
+
+ # For connecting to the bus
+ allow $1 session_bus_type:unix_stream_socket connectto;
+
+ allow session_bus_type $1:process sigkill;
')
-#######################################
+########################################
## <summary>
-## Creating connections to DBUS
-## session bus.
+## Send a message the session DBUS.
## </summary>
## <param name="domain">
## <summary>
@@ -195,15 +219,18 @@ interface(`dbus_connect_spec_session_bus',`
## </summary>
## </param>
#
-interface(`dbus_session_bus_client',`
- refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_bus_client() instead.')
- dbus_all_session_bus_client($1)
+interface(`dbus_send_session_bus',`
+ gen_require(`
+ attribute session_bus_type;
+ class dbus send_msg;
+ ')
+
+ allow $1 session_bus_type:dbus send_msg;
')
-#######################################
+########################################
## <summary>
-## Creating connections to all
-## DBUS session busses.
+## Read dbus configuration.
## </summary>
## <param name="domain">
## <summary>
@@ -211,57 +238,39 @@ interface(`dbus_session_bus_client',`
## </summary>
## </param>
#
-interface(`dbus_all_session_bus_client',`
+interface(`dbus_read_config',`
gen_require(`
- attribute session_bus_type, dbusd_session_bus_client;
- class dbus send_msg;
+ type dbusd_etc_t;
')
- typeattribute $1 dbusd_session_bus_client;
-
- allow $1 { session_bus_type self }:dbus send_msg;
- allow session_bus_type $1:dbus send_msg;
-
- allow $1 session_bus_type:unix_stream_socket connectto;
- allow $1 session_bus_type:fd use;
+ allow $1 dbusd_etc_t:dir list_dir_perms;
+ allow $1 dbusd_etc_t:file read_file_perms;
')
-#######################################
+########################################
## <summary>
-## Creating connections to specified
-## DBUS session bus.
+## Read system dbus lib files.
## </summary>
-## <param name="role_prefix">
-## <summary>
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
-## </summary>
-## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-interface(`dbus_spec_session_bus_client',`
+interface(`dbus_read_lib_files',`
gen_require(`
- attribute dbusd_session_bus_client;
- type $1_dbusd_t;
- class dbus send_msg;
+ type system_dbusd_var_lib_t;
')
- typeattribute $2 dbusd_session_bus_client;
-
- allow $2 { $1_dbusd_t self }:dbus send_msg;
- allow $1_dbusd_t $2:dbus send_msg;
-
- allow $2 $1_dbusd_t:unix_stream_socket connectto;
- allow $2 $1_dbusd_t:fd use;
+ files_search_var_lib($1)
+ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
')
-#######################################
+########################################
## <summary>
-## Send messages to DBUS session bus.
+## Create, read, write, and delete
+## system dbus lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -269,15 +278,19 @@ interface(`dbus_spec_session_bus_client',`
## </summary>
## </param>
#
-interface(`dbus_send_session_bus',`
- refpolicywarn(`$0($*) has been deprecated, use dbus_send_all_session_bus() instead.')
- dbus_send_all_session_bus($1)
+interface(`dbus_manage_lib_files',`
+ gen_require(`
+ type system_dbusd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
')
-#######################################
+########################################
## <summary>
-## Send messages to all DBUS
-## session busses.
+## Connect to the system DBUS
+## for service (acquire_svc).
## </summary>
## <param name="domain">
## <summary>
@@ -285,44 +298,52 @@ interface(`dbus_send_session_bus',`
## </summary>
## </param>
#
-interface(`dbus_send_all_session_bus',`
+interface(`dbus_connect_session_bus',`
gen_require(`
attribute session_bus_type;
- class dbus send_msg;
+ class dbus acquire_svc;
')
- allow $1 dbus_session_bus_type:dbus send_msg;
+ allow $1 session_bus_type:dbus acquire_svc;
')
-#######################################
+########################################
## <summary>
-## Send messages to specified
-## DBUS session busses.
+## Allow a application domain to be started
+## by the session dbus.
## </summary>
-## <param name="role_prefix">
+## <param name="domain_prefix">
## <summary>
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## User domain prefix to be used.
## </summary>
## </param>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an
+## entry point to this domain.
## </summary>
## </param>
#
-interface(`dbus_send_spec_session_bus',`
+interface(`dbus_session_domain',`
gen_require(`
type $1_dbusd_t;
- class dbus send_msg;
')
- allow $2 $1_dbusd_t:dbus send_msg;
+ domtrans_pattern($1_dbusd_t, $2, $3)
+
+ dbus_session_bus_client($3)
+ dbus_connect_session_bus($3)
')
########################################
## <summary>
-## Read dbus configuration content.
+## Connect to the system DBUS
+## for service (acquire_svc).
## </summary>
## <param name="domain">
## <summary>
@@ -330,18 +351,18 @@ interface(`dbus_send_spec_session_bus',`
## </summary>
## </param>
#
-interface(`dbus_read_config',`
+interface(`dbus_connect_system_bus',`
gen_require(`
- type dbusd_etc_t;
+ type system_dbusd_t;
+ class dbus acquire_svc;
')
- allow $1 dbusd_etc_t:dir list_dir_perms;
- allow $1 dbusd_etc_t:file read_file_perms;
+ allow $1 system_dbusd_t:dbus acquire_svc;
')
########################################
## <summary>
-## Read system dbus lib files.
+## Send a message on the system DBUS.
## </summary>
## <param name="domain">
## <summary>
@@ -349,20 +370,18 @@ interface(`dbus_read_config',`
## </summary>
## </param>
#
-interface(`dbus_read_lib_files',`
+interface(`dbus_send_system_bus',`
gen_require(`
- type system_dbusd_var_lib_t;
+ type system_dbusd_t;
+ class dbus send_msg;
')
- files_search_var_lib($1)
- read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
- read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ allow $1 system_dbusd_t:dbus send_msg;
')
########################################
## <summary>
-## Create, read, write, and delete
-## system dbus lib files.
+## Allow unconfined access to the system DBUS.
## </summary>
## <param name="domain">
## <summary>
@@ -370,26 +389,20 @@ interface(`dbus_read_lib_files',`
## </summary>
## </param>
#
-interface(`dbus_manage_lib_files',`
+interface(`dbus_system_bus_unconfined',`
gen_require(`
- type system_dbusd_var_lib_t;
+ type system_dbusd_t;
+ class dbus all_dbus_perms;
')
- files_search_var_lib($1)
- manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ allow $1 system_dbusd_t:dbus *;
')
########################################
## <summary>
-## Allow a application domain to be
-## started by the specified session bus.
+## Create a domain for processes
+## which can be started by the system dbus
## </summary>
-## <param name="role_prefix">
-## <summary>
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
-## </summary>
-## </param>
## <param name="domain">
## <summary>
## Type to be used as a domain.
@@ -397,199 +410,250 @@ interface(`dbus_manage_lib_files',`
## </param>
## <param name="entry_point">
## <summary>
-## Type of the program to be used as an
-## entry point to this domain.
+## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
#
-interface(`dbus_session_domain',`
- refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_domain() instead.')
- dbus_all_session_domain($1, $2)
+interface(`dbus_system_domain',`
+ gen_require(`
+ attribute system_bus_type;
+ type system_dbusd_t;
+ role system_r;
+ ')
+ typeattribute $1 system_bus_type;
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ domtrans_pattern(system_dbusd_t, $2, $1)
+ init_system_domain($1, $2)
+
+ ps_process_pattern($1, system_dbusd_t)
+
')
########################################
## <summary>
-## Allow a application domain to be
-## started by the specified session bus.
+## Use and inherit system DBUS file descriptors.
## </summary>
## <param name="domain">
## <summary>
-## Type to be used as a domain.
+## Domain allowed access.
## </summary>
## </param>
-## <param name="entry_point">
+#
+interface(`dbus_use_system_bus_fds',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ allow $1 system_dbusd_t:fd use;
+')
+
+########################################
+## <summary>
+## Allow unconfined access to the system DBUS.
+## </summary>
+## <param name="domain">
## <summary>
-## Type of the program to be used as an
-## entry point to this domain.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`dbus_all_session_domain',`
+interface(`dbus_unconfined',`
gen_require(`
- type session_bus_type;
+ attribute dbusd_unconfined;
')
- domtrans_pattern(session_bus_type, $2, $1)
-
- dbus_all_session_bus_client($1)
- dbus_connect_all_session_bus($1)
+ typeattribute $1 dbusd_unconfined;
')
########################################
## <summary>
-## Allow a application domain to be
-## started by the specified session bus.
+## Delete all dbus pid files
## </summary>
-## <param name="role_prefix">
+## <param name="domain">
## <summary>
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## Domain allowed access.
## </summary>
## </param>
+#
+interface(`dbus_delete_pid_files',`
+ gen_require(`
+ type system_dbusd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
+
+########################################
+## <summary>
+## Read all dbus pid files
+## </summary>
## <param name="domain">
## <summary>
-## Type to be used as a domain.
+## Domain allowed access.
## </summary>
## </param>
-## <param name="entry_point">
+#
+interface(`dbus_read_pid_files',`
+ gen_require(`
+ type system_dbusd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to connect to
+## session bus types with a unix
+## stream socket.
+## </summary>
+## <param name="domain">
## <summary>
-## Type of the program to be used as an
-## entry point to this domain.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`dbus_spec_session_domain',`
+interface(`dbus_dontaudit_stream_connect_session_bus',`
gen_require(`
- type $1_dbusd_t;
+ attribute session_bus_type;
')
- domtrans_pattern($1_dbusd_t, $2, $3)
-
- dbus_spec_session_bus_client($1, $2)
- dbus_connect_spec_session_bus($1, $2)
+ dontaudit $1 session_bus_type:unix_stream_socket connectto;
')
########################################
## <summary>
-## Acquire service on the DBUS system bus.
+## Allow attempts to connect to
+## session bus types with a unix
+## stream socket.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`dbus_connect_system_bus',`
+interface(`dbus_stream_connect_session_bus',`
gen_require(`
- type system_dbusd_t;
- class dbus acquire_svc;
+ attribute session_bus_type;
')
- allow $1 system_dbusd_t:dbus acquire_svc;
+ allow $1 session_bus_type:unix_stream_socket connectto;
')
########################################
## <summary>
-## Send messages to the DBUS system bus.
+## Do not audit attempts to send dbus
+## messages to session bus types.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`dbus_send_system_bus',`
+interface(`dbus_chat_session_bus',`
gen_require(`
- type system_dbusd_t;
+ attribute session_bus_type;
class dbus send_msg;
')
- allow $1 system_dbusd_t:dbus send_msg;
+ allow $1 session_bus_type:dbus send_msg;
+ allow session_bus_type $1:dbus send_msg;
')
########################################
## <summary>
-## Unconfined access to DBUS system bus.
+## Do not audit attempts to send dbus
+## messages to session bus types.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`dbus_system_bus_unconfined',`
+interface(`dbus_dontaudit_chat_session_bus',`
gen_require(`
- type system_dbusd_t;
- class dbus all_dbus_perms;
+ attribute session_bus_type;
+ class dbus send_msg;
')
- allow $1 system_dbusd_t:dbus *;
+ dontaudit $1 session_bus_type:dbus send_msg;
')
########################################
## <summary>
-## Create a domain for processes which
-## can be started by the DBUS system bus.
+## Do not audit attempts to send dbus
+## messages to system bus types.
## </summary>
## <param name="domain">
## <summary>
-## Type to be used as a domain.
+## Domain to not audit.
## </summary>
## </param>
-## <param name="entry_point">
+#
+interface(`dbus_dontaudit_chat_system_bus',`
+ gen_require(`
+ attribute system_bus_type;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 system_bus_type:dbus send_msg;
+ dontaudit system_bus_type $1:dbus send_msg;
+')
+
+
+########################################
+## <summary>
+## Allow attempts to connect to
+## session bus types with a unix
+## stream socket.
+## </summary>
+## <param name="domain">
## <summary>
-## Type of the program to be used as an entry point to this domain.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`dbus_system_domain',`
+interface(`dbus_stream_connect_system_dbusd',`
gen_require(`
type system_dbusd_t;
- role system_r;
')
- domain_type($1)
- domain_entry_file($1, $2)
-
- role system_r types $1;
-
- domtrans_pattern(system_dbusd_t, $2, $1)
-
- dbus_system_bus_client($1)
- dbus_connect_system_bus($1)
-
- ps_process_pattern(system_dbusd_t, $1)
-
- userdom_read_all_users_state($1)
-
- ifdef(`hide_broken_symptoms', `
- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
- ')
+ allow $1 system_dbusd_t:unix_stream_socket connectto;
')
+
########################################
## <summary>
-## Use and inherit DBUS system bus
-## file descriptors.
+## Do not audit attempts to connect to
+## session bus types with a unix
+## stream socket.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`dbus_use_system_bus_fds',`
+interface(`dbus_dontaudit_stream_connect_system_dbusd',`
gen_require(`
type system_dbusd_t;
')
- allow $1 system_dbusd_t:fd use;
+ dontaudit $1 system_dbusd_t:unix_stream_socket connectto;
')
########################################
## <summary>
-## Do not audit attempts to read and
-## write DBUS system bus TCP sockets.
+## Allow attempts to send dbus
+## messages to system bus types.
## </summary>
## <param name="domain">
## <summary>
@@ -597,28 +661,68 @@ interface(`dbus_use_system_bus_fds',`
## </summary>
## </param>
#
-interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+interface(`dbus_chat_system_bus',`
gen_require(`
- type system_dbusd_t;
+ attribute system_bus_type;
+ class dbus send_msg;
')
- dontaudit $1 system_dbusd_t:tcp_socket { read write };
+ allow $1 system_bus_type:dbus send_msg;
+ allow system_bus_type $1:dbus send_msg;
+')
+
+#######################################
+## <summary>
+## Transition to dbus named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_filetrans_named_content_system',`
+ gen_require(`
+ type system_dbusd_var_lib_t;
+ ')
+ files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")
')
########################################
## <summary>
-## Unconfined access to DBUS.
+## Allow attempts to send dbus
+## messages to system dbusd type.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`dbus_unconfined',`
+interface(`dbus_acquire_svc_system_dbusd',`
gen_require(`
- attribute dbusd_unconfined;
+ type system_dbusd_t;
+ class dbus acquire_svc;
')
- typeattribute $1 dbusd_unconfined;
+ allow $1 system_dbusd_t:dbus acquire_svc;
+
+')
+
+########################################
+## <summary>
+## Manage session_dbusd tmp dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_manage_session_tmp_dirs',`
+ gen_require(`
+ type session_dbusd_tmp_t;
+ ')
+
+ manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
')
diff --git a/dbus.te b/dbus.te
index c9998c80d..328aa81d2 100644
--- a/dbus.te
+++ b/dbus.te
@@ -4,17 +4,15 @@ gen_require(`
class dbus all_dbus_perms;
')
-########################################
+##############################
#
-# Declarations
+# Delcarations
#
attribute dbusd_unconfined;
+attribute system_bus_type;
attribute session_bus_type;
-attribute dbusd_system_bus_client;
-attribute dbusd_session_bus_client;
-
type dbusd_etc_t;
files_config_file(dbusd_etc_t)
@@ -22,9 +20,6 @@ type dbusd_exec_t;
corecmd_executable_file(dbusd_exec_t)
typealias dbusd_exec_t alias system_dbusd_exec_t;
-type session_dbusd_home_t;
-userdom_user_home_content(session_dbusd_home_t)
-
type session_dbusd_tmp_t;
typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
@@ -41,7 +36,8 @@ files_type(system_dbusd_var_lib_t)
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
-init_daemon_run_dir(system_dbusd_var_run_t, "dbus")
+init_sock_file(system_dbusd_var_run_t)
+mls_trusted_object(system_dbusd_var_run_t)
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
@@ -51,59 +47,64 @@ ifdef(`enable_mls',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
')
-########################################
+##############################
#
-# Local policy
+# System bus local policy
#
-allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
+# : /var/run/dbus is owned by messagebus on Debian
+# cjp: should probably go in a distro_debian
+allow system_dbusd_t self:capability2 block_suspend;
+allow system_dbusd_t self:capability { sys_resource dac_read_search setgid setpcap setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
allow system_dbusd_t self:dbus { send_msg acquire_svc };
-allow system_dbusd_t self:unix_stream_socket { accept connectto listen };
+allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
+allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
+# Receive notifications of policy reloads and enforcing status changes.
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
+can_exec(system_dbusd_t, dbusd_exec_t)
+
allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
-files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file })
+files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
-files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file })
-
-can_exec(system_dbusd_t, dbusd_exec_t)
+files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)
-
-corecmd_list_bin(system_dbusd_t)
-corecmd_read_bin_pipes(system_dbusd_t)
-corecmd_read_bin_sockets(system_dbusd_t)
-corecmd_exec_shell(system_dbusd_t)
+kernel_stream_connect(system_dbusd_t)
dev_read_urand(system_dbusd_t)
dev_read_sysfs(system_dbusd_t)
-domain_use_interactive_fds(system_dbusd_t)
-domain_read_all_domains_state(system_dbusd_t)
+dev_rw_inherited_input_dev(system_dbusd_t)
+dev_rw_inherited_dri(system_dbusd_t)
-files_list_home(system_dbusd_t)
-files_read_usr_files(system_dbusd_t)
+dev_rw_nvme(system_dbusd_t)
+
+files_rw_inherited_non_security_files(system_dbusd_t)
fs_getattr_all_fs(system_dbusd_t)
fs_list_inotifyfs(system_dbusd_t)
fs_search_auto_mountpoints(system_dbusd_t)
-fs_search_cgroup_dirs(system_dbusd_t)
fs_dontaudit_list_nfs(system_dbusd_t)
+storage_rw_inherited_fixed_disk_dev(system_dbusd_t)
+storage_rw_inherited_removable_device(system_dbusd_t)
+
+mls_trusted_object(system_dbusd_t)
mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
@@ -123,66 +124,177 @@ term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)
+corecmd_list_bin(system_dbusd_t)
+corecmd_read_bin_pipes(system_dbusd_t)
+corecmd_read_bin_sockets(system_dbusd_t)
+# needed for system-tools-backends
+corecmd_exec_shell(system_dbusd_t)
+corecmd_exec_bin(system_dbusd_t)
+
+domain_use_interactive_fds(system_dbusd_t)
+domain_read_all_domains_state(system_dbusd_t)
+
+files_list_home(system_dbusd_t)
+
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
-init_all_labeled_script_domtrans(system_dbusd_t)
+init_domtrans_script(system_dbusd_t)
+init_rw_stream_sockets(system_dbusd_t)
+init_status(system_dbusd_t)
+init_start(system_dbusd_t) # needed by dbus-broker
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
-miscfiles_read_localization(system_dbusd_t)
miscfiles_read_generic_certs(system_dbusd_t)
seutil_read_config(system_dbusd_t)
seutil_read_default_contexts(system_dbusd_t)
+seutil_sigchld_newrole(system_dbusd_t)
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
+userdom_home_reader(system_dbusd_t)
+
+optional_policy(`
+ bind_domtrans(system_dbusd_t)
+')
+
optional_policy(`
bluetooth_stream_connect(system_dbusd_t)
')
optional_policy(`
- policykit_read_lib(system_dbusd_t)
+ cpufreqselector_dbus_chat(system_dbusd_t)
+')
+
+optional_policy(`
+ getty_start_services(system_dbusd_t)
+')
+
+optional_policy(`
+ gnome_exec_gconf(system_dbusd_t)
+ gnome_read_inherited_home_icc_data_files(system_dbusd_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(system_dbusd_t)
+')
+
+optional_policy(`
+ networkmanager_initrc_domtrans(system_dbusd_t)
+ networkmanager_systemctl(system_dbusd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(system_dbusd_t)
+ policykit_domtrans_auth(system_dbusd_t)
+ policykit_search_lib(system_dbusd_t)
+')
+
+optional_policy(`
+ snapper_read_inherited_pipe(system_dbusd_t)
')
optional_policy(`
- seutil_sigchld_newrole(system_dbusd_t)
+ sysnet_domtrans_dhcpc(system_dbusd_t)
+')
+
+optional_policy(`
+ systemd_use_fds_logind(system_dbusd_t)
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+ systemd_write_inhibit_pipes(system_dbusd_t)
+# These are caused by broken systemd patch
+ systemd_start_power_services(system_dbusd_t)
+ systemd_config_all_services(system_dbusd_t)
+ files_config_all_files(system_dbusd_t)
')
optional_policy(`
udev_read_db(system_dbusd_t)
')
+optional_policy(`
+ virt_list_sandbox_dirs(system_dbusd_t)
+')
+
+optional_policy(`
+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
+ xserver_read_inherited_xdm_lib_files(system_dbusd_t)
+')
+
+optional_policy(`
+ unconfined_server_domtrans(system_dbusd_t)
+')
+
########################################
#
-# Common session bus local policy
+# system_bus_type rules
#
+role system_r types system_bus_type;
+dontaudit system_bus_type self:capability net_admin;
+
+allow system_bus_type system_dbusd_t:unix_stream_socket rw_socket_perms;
+
+fs_search_all(system_bus_type)
+
+dbus_system_bus_client(system_bus_type)
+dbus_connect_system_bus(system_bus_type)
+
+init_status(system_bus_type)
+init_stream_connect(system_bus_type)
+init_dgram_send(system_bus_type)
+init_use_fds(system_bus_type)
+init_rw_stream_sockets(system_bus_type)
+
+ps_process_pattern(system_dbusd_t, system_bus_type)
+
+userdom_dontaudit_search_admin_dir(system_bus_type)
+userdom_read_all_users_state(system_bus_type)
+
+optional_policy(`
+ abrt_stream_connect(system_bus_type)
+')
+
+optional_policy(`
+ rpm_script_dbus_chat(system_bus_type)
+')
+
+optional_policy(`
+ unconfined_dbus_send(system_bus_type)
+')
+
+ifdef(`hide_broken_symptoms',`
+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
+')
+########################################
+#
+# session_bus_type rules
+#
+allow session_bus_type self:capability2 block_suspend;
dontaudit session_bus_type self:capability sys_resource;
allow session_bus_type self:process { getattr sigkill signal };
-dontaudit session_bus_type self:process { ptrace setrlimit };
+dontaudit session_bus_type self:process setrlimit;
allow session_bus_type self:file { getattr read write };
allow session_bus_type self:fifo_file rw_fifo_file_perms;
allow session_bus_type self:dbus { send_msg acquire_svc };
-allow session_bus_type self:unix_stream_socket { accept listen };
-allow session_bus_type self:tcp_socket { accept listen };
+allow session_bus_type self:unix_stream_socket create_stream_socket_perms;
+allow session_bus_type self:unix_dgram_socket create_socket_perms;
+allow session_bus_type self:tcp_socket create_stream_socket_perms;
allow session_bus_type self:netlink_selinux_socket create_socket_perms;
allow session_bus_type dbusd_etc_t:dir list_dir_perms;
read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
-manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
-manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
-userdom_user_home_dir_filetrans(session_bus_type, session_dbusd_home_t, dir, ".dbus")
-
manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
-files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
+manage_sock_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
+files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir sock_file })
+userdom_user_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir sock_file })
-kernel_read_system_state(session_bus_type)
kernel_read_kernel_sysctls(session_bus_type)
corecmd_list_bin(session_bus_type)
@@ -191,23 +303,18 @@ corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type)
-corenet_all_recvfrom_unlabeled(session_bus_type)
-corenet_all_recvfrom_netlabel(session_bus_type)
corenet_tcp_sendrecv_generic_if(session_bus_type)
corenet_tcp_sendrecv_generic_node(session_bus_type)
corenet_tcp_sendrecv_all_ports(session_bus_type)
corenet_tcp_bind_generic_node(session_bus_type)
-
-corenet_sendrecv_all_server_packets(session_bus_type)
corenet_tcp_bind_reserved_port(session_bus_type)
dev_read_urand(session_bus_type)
-domain_read_all_domains_state(session_bus_type)
domain_use_interactive_fds(session_bus_type)
+domain_read_all_domains_state(session_bus_type)
files_list_home(session_bus_type)
-files_read_usr_files(session_bus_type)
files_dontaudit_search_var(session_bus_type)
fs_getattr_romfs(session_bus_type)
@@ -215,7 +322,6 @@ fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type)
-selinux_get_fs_mount(session_bus_type)
selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
@@ -225,18 +331,36 @@ selinux_compute_user_contexts(session_bus_type)
auth_read_pam_console_data(session_bus_type)
logging_send_audit_msgs(session_bus_type)
-logging_send_syslog_msg(session_bus_type)
-
-miscfiles_read_localization(session_bus_type)
seutil_read_config(session_bus_type)
seutil_read_default_contexts(session_bus_type)
-term_use_all_terms(session_bus_type)
+term_use_all_inherited_terms(session_bus_type)
+
+userdom_dontaudit_search_admin_dir(session_bus_type)
+userdom_manage_user_home_content_dirs(session_bus_type)
+userdom_manage_user_home_content_files(session_bus_type)
+userdom_manage_tmpfs_files(session_bus_type, file)
+userdom_tmpfs_filetrans(session_bus_type, file)
optional_policy(`
- xserver_use_xdm_fds(session_bus_type)
+ gnome_read_config(session_bus_type)
+ gnome_read_gconf_home_files(session_bus_type)
+')
+
+optional_policy(`
+ hal_dbus_chat(session_bus_type)
+')
+
+optional_policy(`
+ thumb_domtrans(session_bus_type)
+')
+
+optional_policy(`
+ xserver_search_xdm_lib(session_bus_type)
xserver_rw_xdm_pipes(session_bus_type)
+ xserver_use_xdm_fds(session_bus_type)
+ xserver_append_xdm_home_files(session_bus_type)
')
########################################
@@ -244,5 +368,9 @@ optional_policy(`
# Unconfined access to this module
#
-allow dbusd_unconfined { system_dbusd_t session_bus_type dbusd_session_bus_client dbusd_system_bus_client }:dbus all_dbus_perms;
-allow { dbusd_session_bus_client dbusd_system_bus_client } dbusd_unconfined:dbus send_msg;
+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
+
+kernel_stream_connect(session_bus_type)
+systemd_login_read_pid_files(session_bus_type)
diff --git a/dcc.fc b/dcc.fc
index 62d3c4e66..cef59a752 100644
--- a/dcc.fc
+++ b/dcc.fc
@@ -10,6 +10,8 @@
/usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
/usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
+/usr/libexec/dcc/start-dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
+
/usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
/usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
/usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
diff --git a/dcc.if b/dcc.if
index a5c21e0e8..46394219a 100644
--- a/dcc.if
+++ b/dcc.if
@@ -173,6 +173,6 @@ interface(`dcc_stream_connect_dccifd',`
type dcc_var_t, dccifd_var_run_t, dccifd_t;
')
- files_search_var($1)
+ files_search_pids($1)
stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
')
diff --git a/dcc.te b/dcc.te
index 353fa4a09..a5e912fca 100644
--- a/dcc.te
+++ b/dcc.te
@@ -45,7 +45,7 @@ type dcc_var_t;
files_type(dcc_var_t)
type dcc_var_run_t;
-files_type(dcc_var_run_t)
+files_pid_file(dcc_var_run_t)
type dccd_t;
type dccd_exec_t;
@@ -94,15 +94,18 @@ allow cdcc_t dcc_var_t:dir list_dir_perms;
read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
+corenet_all_recvfrom_netlabel(cdcc_t)
+corenet_udp_sendrecv_generic_if(cdcc_t)
+corenet_udp_sendrecv_generic_node(cdcc_t)
+corenet_udp_sendrecv_all_ports(cdcc_t)
+
files_read_etc_runtime_files(cdcc_t)
auth_use_nsswitch(cdcc_t)
logging_send_syslog_msg(cdcc_t)
-miscfiles_read_localization(cdcc_t)
-
-userdom_use_user_terminals(cdcc_t)
+userdom_use_inherited_user_terminals(cdcc_t)
########################################
#
@@ -113,6 +116,8 @@ allow dcc_client_t self:capability { setuid setgid };
allow dcc_client_t dcc_client_map_t:file rw_file_perms;
+domtrans_pattern(dcc_client_t, dccifd_exec_t, dccifd_t)
+
manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
@@ -123,6 +128,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
kernel_read_system_state(dcc_client_t)
+corenet_all_recvfrom_netlabel(dcc_client_t)
+corenet_udp_sendrecv_generic_if(dcc_client_t)
+corenet_udp_sendrecv_generic_node(dcc_client_t)
+corenet_udp_sendrecv_all_ports(dcc_client_t)
+corenet_udp_bind_generic_node(dcc_client_t)
+
files_read_etc_runtime_files(dcc_client_t)
fs_getattr_all_fs(dcc_client_t)
@@ -131,12 +142,10 @@ auth_use_nsswitch(dcc_client_t)
logging_send_syslog_msg(dcc_client_t)
-miscfiles_read_localization(dcc_client_t)
-
-userdom_use_user_terminals(dcc_client_t)
+userdom_use_inherited_user_terminals(dcc_client_t)
optional_policy(`
- amavis_read_spool_files(dcc_client_t)
+ antivirus_read_db(dcc_client_t)
')
optional_policy(`
@@ -160,15 +169,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
kernel_read_system_state(dcc_dbclean_t)
+corenet_all_recvfrom_netlabel(dcc_dbclean_t)
+corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
+corenet_udp_sendrecv_generic_node(dcc_dbclean_t)
+corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
+
files_read_etc_runtime_files(dcc_dbclean_t)
auth_use_nsswitch(dcc_dbclean_t)
logging_send_syslog_msg(dcc_dbclean_t)
-miscfiles_read_localization(dcc_dbclean_t)
-
-userdom_use_user_terminals(dcc_dbclean_t)
+userdom_use_inherited_user_terminals(dcc_dbclean_t)
########################################
#
@@ -202,7 +214,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
kernel_read_system_state(dccd_t)
kernel_read_kernel_sysctls(dccd_t)
-corenet_all_recvfrom_unlabeled(dccd_t)
corenet_all_recvfrom_netlabel(dccd_t)
corenet_udp_sendrecv_generic_if(dccd_t)
corenet_udp_sendrecv_generic_node(dccd_t)
@@ -227,8 +238,6 @@ auth_use_nsswitch(dccd_t)
logging_send_syslog_msg(dccd_t)
-miscfiles_read_localization(dccd_t)
-
userdom_dontaudit_use_unpriv_user_fds(dccd_t)
userdom_dontaudit_search_user_home_dirs(dccd_t)
@@ -269,6 +278,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
kernel_read_system_state(dccifd_t)
kernel_read_kernel_sysctls(dccifd_t)
+corenet_all_recvfrom_netlabel(dccifd_t)
+corenet_udp_sendrecv_generic_if(dccifd_t)
+corenet_udp_sendrecv_generic_node(dccifd_t)
+corenet_udp_sendrecv_all_ports(dccifd_t)
+
dev_read_sysfs(dccifd_t)
domain_use_interactive_fds(dccifd_t)
@@ -282,8 +296,6 @@ auth_use_nsswitch(dccifd_t)
logging_send_syslog_msg(dccifd_t)
-miscfiles_read_localization(dccifd_t)
-
userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
userdom_dontaudit_search_user_home_dirs(dccifd_t)
@@ -324,6 +336,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file)
kernel_read_system_state(dccm_t)
kernel_read_kernel_sysctls(dccm_t)
+corenet_all_recvfrom_netlabel(dccm_t)
+corenet_udp_sendrecv_generic_if(dccm_t)
+corenet_udp_sendrecv_generic_node(dccm_t)
+corenet_udp_sendrecv_all_ports(dccm_t)
+
dev_read_sysfs(dccm_t)
domain_use_interactive_fds(dccm_t)
@@ -337,8 +354,6 @@ auth_use_nsswitch(dccm_t)
logging_send_syslog_msg(dccm_t)
-miscfiles_read_localization(dccm_t)
-
userdom_dontaudit_use_unpriv_user_fds(dccm_t)
userdom_dontaudit_search_user_home_dirs(dccm_t)
diff --git a/ddclient.if b/ddclient.if
index 5606b4069..cd18cf2a7 100644
--- a/ddclient.if
+++ b/ddclient.if
@@ -70,9 +70,13 @@ interface(`ddclient_admin',`
type ddclient_var_run_t, ddclient_initrc_exec_t;
')
- allow $1 ddclient_t:process { ptrace signal_perms };
+ allow $1 ddclient_t:process signal_perms;
ps_process_pattern($1, ddclient_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ddclient_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ddclient_initrc_exec_t system_r;
diff --git a/ddclient.te b/ddclient.te
index a4caa1b5b..f244f9a63 100644
--- a/ddclient.te
+++ b/ddclient.te
@@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t)
# Declarations
#
+
dontaudit ddclient_t self:capability sys_tty_config;
allow ddclient_t self:process signal_perms;
allow ddclient_t self:fifo_file rw_fifo_file_perms;
+allow ddclient_t self:tcp_socket create_socket_perms;
+allow ddclient_t self:udp_socket create_socket_perms;
+allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
@@ -75,7 +79,6 @@ kernel_search_network_sysctl(ddclient_t)
corecmd_exec_shell(ddclient_t)
corecmd_exec_bin(ddclient_t)
-corenet_all_recvfrom_unlabeled(ddclient_t)
corenet_all_recvfrom_netlabel(ddclient_t)
corenet_tcp_sendrecv_generic_if(ddclient_t)
corenet_udp_sendrecv_generic_if(ddclient_t)
@@ -83,6 +86,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
corenet_udp_sendrecv_generic_node(ddclient_t)
corenet_tcp_sendrecv_all_ports(ddclient_t)
corenet_udp_sendrecv_all_ports(ddclient_t)
+corenet_tcp_bind_generic_node(ddclient_t)
+corenet_udp_bind_generic_node(ddclient_t)
corenet_sendrecv_all_client_packets(ddclient_t)
corenet_tcp_connect_all_ports(ddclient_t)
@@ -92,16 +97,16 @@ dev_read_urand(ddclient_t)
domain_use_interactive_fds(ddclient_t)
-files_read_etc_files(ddclient_t)
files_read_etc_runtime_files(ddclient_t)
-files_read_usr_files(ddclient_t)
fs_getattr_all_fs(ddclient_t)
fs_search_auto_mountpoints(ddclient_t)
+auth_use_nsswitch(ddclient_t)
+
logging_send_syslog_msg(ddclient_t)
-miscfiles_read_localization(ddclient_t)
+mta_send_mail(ddclient_t)
sysnet_exec_ifconfig(ddclient_t)
sysnet_dns_name_resolve(ddclient_t)
diff --git a/ddcprobe.te b/ddcprobe.te
index 8fa4bb994..8f5ffb00a 100644
--- a/ddcprobe.te
+++ b/ddcprobe.te
@@ -34,9 +34,7 @@ dev_read_urand(ddcprobe_t)
dev_read_raw_memory(ddcprobe_t)
dev_wx_raw_memory(ddcprobe_t)
-files_read_etc_files(ddcprobe_t)
files_read_etc_runtime_files(ddcprobe_t)
-files_read_usr_files(ddcprobe_t)
term_use_all_ttys(ddcprobe_t)
term_use_all_ptys(ddcprobe_t)
diff --git a/denyhosts.if b/denyhosts.if
index a7326da62..c87b5b7c6 100644
--- a/denyhosts.if
+++ b/denyhosts.if
@@ -53,6 +53,7 @@ interface(`denyhosts_initrc_domtrans',`
## Role allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`denyhosts_admin',`
gen_require(`
@@ -60,20 +61,24 @@ interface(`denyhosts_admin',`
type denyhosts_var_log_t, denyhosts_initrc_exec_t;
')
- allow $1 denyhosts_t:process { ptrace signal_perms };
+ allow $1 denyhosts_t:process signal_perms;
ps_process_pattern($1, denyhosts_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 denyhosts_t:process ptrace;
+ ')
+
denyhosts_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 denyhosts_initrc_exec_t system_r;
allow $2 system_r;
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, denyhosts_var_lib_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, denyhosts_var_log_t)
- files_search_locks($1)
+ files_list_locks($1)
admin_pattern($1, denyhosts_var_lock_t)
')
diff --git a/denyhosts.te b/denyhosts.te
index 583a52726..91c4104c7 100644
--- a/denyhosts.te
+++ b/denyhosts.te
@@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t)
#
# Local policy
#
+# Bug #588563
+allow denyhosts_t self:capability sys_tty_config;
+allow denyhosts_t self:fifo_file rw_fifo_file_perms;
allow denyhosts_t self:capability sys_tty_config;
allow denyhosts_t self:fifo_file rw_fifo_file_perms;
@@ -48,7 +51,6 @@ kernel_read_system_state(denyhosts_t)
corecmd_exec_bin(denyhosts_t)
corecmd_exec_shell(denyhosts_t)
-corenet_all_recvfrom_unlabeled(denyhosts_t)
corenet_all_recvfrom_netlabel(denyhosts_t)
corenet_tcp_sendrecv_generic_if(denyhosts_t)
corenet_tcp_sendrecv_generic_node(denyhosts_t)
@@ -57,13 +59,19 @@ corenet_sendrecv_smtp_client_packets(denyhosts_t)
corenet_tcp_connect_smtp_port(denyhosts_t)
corenet_tcp_sendrecv_smtp_port(denyhosts_t)
+corenet_sendrecv_sype_transport_client_packets(denyhosts_t)
+corenet_tcp_connect_sype_transport_port(denyhosts_t)
+corenet_tcp_sendrecv_sype_transport_port(denyhosts_t)
+
dev_read_urand(denyhosts_t)
+auth_use_nsswitch(denyhosts_t)
+
+iptables_domtrans(denyhosts_t)
+
logging_read_generic_logs(denyhosts_t)
logging_send_syslog_msg(denyhosts_t)
-miscfiles_read_localization(denyhosts_t)
-
sysnet_dns_name_resolve(denyhosts_t)
sysnet_manage_config(denyhosts_t)
sysnet_etc_filetrans_config(denyhosts_t)
@@ -71,3 +79,7 @@ sysnet_etc_filetrans_config(denyhosts_t)
optional_policy(`
cron_system_entry(denyhosts_t, denyhosts_exec_t)
')
+
+optional_policy(`
+ gnome_dontaudit_search_config(denyhosts_t)
+')
diff --git a/devicekit.fc b/devicekit.fc
index ae49c9d99..99a54eb7f 100644
--- a/devicekit.fc
+++ b/devicekit.fc
@@ -11,6 +11,8 @@
/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+/usr/libexec/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/bin/udisksctl -- gen_context(system_u:object_r:devicekit_exec_t,s0)
/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
@@ -24,3 +26,4 @@
/var/run/pm-utils(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/udisks.* gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+
diff --git a/devicekit.if b/devicekit.if
index 8ce99ff48..1bc5d3aea 100644
--- a/devicekit.if
+++ b/devicekit.if
@@ -1,4 +1,4 @@
-## <summary>Devicekit modular hardware abstraction layer.</summary>
+## <summary>Devicekit modular hardware abstraction layer</summary>
########################################
## <summary>
@@ -15,12 +15,29 @@ interface(`devicekit_domtrans',`
type devicekit_t, devicekit_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, devicekit_exec_t, devicekit_t)
')
########################################
## <summary>
+## Execute a domain transition to run devicekit_disk.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`devicekit_domtrans_disk',`
+ gen_require(`
+ type devicekit_disk_t, devicekit_disk_exec_t;
+ ')
+
+ domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t)
+')
+
+########################################
+## <summary>
## Send to devicekit over a unix domain
## datagram socket.
## </summary>
@@ -32,11 +49,10 @@ interface(`devicekit_domtrans',`
#
interface(`devicekit_dgram_send',`
gen_require(`
- type devicekit_t, devicekit_var_run_t;
+ type devicekit_t;
')
- files_search_pids($1)
- dgram_send_pattern($1, devicekit_var_run_t, devicekit_var_run_t, devicekit_t)
+ allow $1 devicekit_t:unix_dgram_socket sendto;
')
########################################
@@ -83,7 +99,7 @@ interface(`devicekit_dbus_chat_disk',`
########################################
## <summary>
-## Send generic signals to devicekit power.
+## Use file descriptors for devicekit_disk.
## </summary>
## <param name="domain">
## <summary>
@@ -91,39 +107,38 @@ interface(`devicekit_dbus_chat_disk',`
## </summary>
## </param>
#
-interface(`devicekit_signal_power',`
+interface(`devicekit_use_fds_disk',`
gen_require(`
- type devicekit_power_t;
+ type devicekit_disk_t;
')
- allow $1 devicekit_power_t:process signal;
+ allow $1 devicekit_disk_t:fd use;
')
########################################
## <summary>
-## Send and receive messages from
-## devicekit power over dbus.
+## Dontaudit Send and receive messages from
+## devicekit disk over dbus.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`devicekit_dbus_chat_power',`
+interface(`devicekit_dontaudit_dbus_chat_disk',`
gen_require(`
- type devicekit_power_t;
+ type devicekit_disk_t;
class dbus send_msg;
')
- allow $1 devicekit_power_t:dbus send_msg;
- allow devicekit_power_t $1:dbus send_msg;
+ dontaudit $1 devicekit_disk_t:dbus send_msg;
+ dontaudit devicekit_disk_t $1:dbus send_msg;
')
########################################
## <summary>
-## Use and inherit devicekit power
-## file descriptors.
+## Send signal devicekit power
## </summary>
## <param name="domain">
## <summary>
@@ -131,17 +146,18 @@ interface(`devicekit_dbus_chat_power',`
## </summary>
## </param>
#
-interface(`devicekit_use_fds_power',`
+interface(`devicekit_signal_power',`
gen_require(`
type devicekit_power_t;
')
- allow $1 devicekit_power_t:fd use;
+ allow $1 devicekit_power_t:process signal;
')
########################################
## <summary>
-## Append inherited devicekit log files.
+## Send and receive messages from
+## devicekit power over dbus.
## </summary>
## <param name="domain">
## <summary>
@@ -149,40 +165,97 @@ interface(`devicekit_use_fds_power',`
## </summary>
## </param>
#
+interface(`devicekit_dbus_chat_power',`
+ gen_require(`
+ type devicekit_power_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_power_t:dbus send_msg;
+ allow devicekit_power_t $1:dbus send_msg;
+')
+
+#######################################
+## <summary>
+## Use and inherit devicekit power
+## file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_use_fds_power',`
+ gen_require(`
+ type devicekit_power_t;
+ ')
+
+ allow $1 devicekit_power_t:fd use;
+')
+
+#######################################
+## <summary>
+## Append inherited devicekit log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
interface(`devicekit_append_inherited_log_files',`
gen_require(`
type devicekit_var_log_t;
')
logging_search_logs($1)
- allow $1 devicekit_var_log_t:file { getattr_file_perms append };
+ allow $1 devicekit_var_log_t:file append_inherited_file_perms;
devicekit_use_fds_power($1)
')
-########################################
+#######################################
## <summary>
-## Create, read, write, and delete
-## devicekit log files.
+## Allow read devicekit log files.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
-interface(`devicekit_manage_log_files',`
+interface(`devicekit_read_log_files',`
gen_require(`
type devicekit_var_log_t;
')
logging_search_logs($1)
- manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
+ allow $1 devicekit_var_log_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to write the devicekit
+## log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`devicekit_dontaudit_rw_log',`
+ gen_require(`
+ type devicekit_var_log_t;
+ ')
+
+ dontaudit $1 devicekit_var_log_t:file rw_file_perms;
')
########################################
## <summary>
-## Relabel devicekit log files.
+## Allow the domain to read devicekit_power state files in /proc.
## </summary>
## <param name="domain">
## <summary>
@@ -190,13 +263,13 @@ interface(`devicekit_manage_log_files',`
## </summary>
## </param>
#
-interface(`devicekit_relabel_log_files',`
+interface(`devicekit_read_state_power',`
gen_require(`
- type devicekit_var_log_t;
+ type devicekit_power_t;
')
- logging_search_logs($1)
- relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
+ kernel_search_proc($1)
+ ps_process_pattern($1, devicekit_power_t)
')
########################################
@@ -220,11 +293,30 @@ interface(`devicekit_read_pid_files',`
########################################
## <summary>
-## Create, read, write, and delete
+## Do not audit attempts to read
## devicekit PID files.
## </summary>
## <param name="domain">
## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`devicekit_dontaudit_read_pid_files',`
+ gen_require(`
+ type devicekit_var_run_t;
+ ')
+
+ dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
+')
+
+
+########################################
+## <summary>
+## Manage devicekit PID files.
+## </summary>
+## <param name="domain">
+## <summary>
## Domain allowed access.
## </summary>
## </param>
@@ -235,22 +327,59 @@ interface(`devicekit_manage_pid_files',`
')
files_search_pids($1)
+ manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
+')
+
+#######################################
+## <summary>
+## Relabel devicekit LOG files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_relabel_log_files',`
+ gen_require(`
+ type devicekit_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
')
########################################
## <summary>
-## All of the rules required to
-## administrate an devicekit environment.
+## Manage devicekit LOG files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+#
+interface(`devicekit_manage_log_files',`
+ gen_require(`
+ type devicekit_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
+ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
+ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an devicekit environment
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
@@ -259,21 +388,48 @@ interface(`devicekit_admin',`
gen_require(`
type devicekit_t, devicekit_disk_t, devicekit_power_t;
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
- type devicekit_var_log_t;
')
- allow $1 { devicekit_t devicekit_disk_t devicekit_power_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { devicekit_t devicekit_disk_t devicekit_power_t })
+ allow $1 devicekit_t:process signal_perms;
+ ps_process_pattern($1, devicekit_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 devicekit_t:process ptrace;
+ allow $1 devicekit_disk_t:process ptrace;
+ allow $1 devicekit_power_t:process ptrace;
+ ')
+
+ allow $1 devicekit_disk_t:process signal_perms;
+ ps_process_pattern($1, devicekit_disk_t)
+
+ allow $1 devicekit_power_t:process signal_perms;
+ ps_process_pattern($1, devicekit_power_t)
- files_search_tmp($1)
admin_pattern($1, devicekit_tmp_t)
+ files_list_tmp($1)
- files_search_var_lib($1)
admin_pattern($1, devicekit_var_lib_t)
+ files_list_var_lib($1)
- logging_search_logs($1)
- admin_pattern($1, devicekit_var_log_t)
-
- files_search_pids($1)
admin_pattern($1, devicekit_var_run_t)
+ files_list_pids($1)
+')
+
+########################################
+## <summary>
+## Transition to devicekit named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_filetrans_named_content',`
+ gen_require(`
+ type devicekit_var_run_t, devicekit_var_log_t;
+ ')
+
+ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
')
diff --git a/devicekit.te b/devicekit.te
index 77a5003c0..27f168bb1 100644
--- a/devicekit.te
+++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1)
type devicekit_t;
type devicekit_exec_t;
-dbus_system_domain(devicekit_t, devicekit_exec_t)
+init_daemon_domain(devicekit_t, devicekit_exec_t)
type devicekit_power_t;
type devicekit_power_exec_t;
-dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
+init_daemon_domain(devicekit_power_t, devicekit_power_exec_t)
type devicekit_disk_t;
type devicekit_disk_exec_t;
-dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
+init_daemon_domain(devicekit_disk_t, devicekit_disk_exec_t)
type devicekit_tmp_t;
files_tmp_file(devicekit_tmp_t)
@@ -29,6 +29,10 @@ files_type(devicekit_var_lib_t)
type devicekit_var_log_t;
logging_log_file(devicekit_var_log_t)
+typealias devicekit_t alias { udisks2_t };
+typealias devicekit_var_lib_t alias { udisks2_var_lib_t };
+typealias devicekit_var_run_t alias { udisks2_var_run_t };
+
########################################
#
# Local policy
@@ -44,12 +48,10 @@ kernel_read_system_state(devicekit_t)
dev_read_sysfs(devicekit_t)
dev_read_urand(devicekit_t)
-
-files_read_etc_files(devicekit_t)
-
-miscfiles_read_localization(devicekit_t)
+dev_getattr_all(devicekit_t)
optional_policy(`
+ dbus_system_domain(devicekit_t, devicekit_exec_t)
dbus_system_bus_client(devicekit_t)
allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg;
@@ -64,7 +66,8 @@ optional_policy(`
# Disk local policy
#
-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:capability { chown setuid setgid dac_read_search dac_read_search fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio };
+
allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -81,17 +84,18 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
+files_filetrans_named_content(devicekit_disk_t)
+kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
kernel_getattr_message_if(devicekit_disk_t)
kernel_list_unlabeled(devicekit_disk_t)
-kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
kernel_read_fs_sysctls(devicekit_disk_t)
kernel_read_network_state(devicekit_disk_t)
kernel_read_software_raid_state(devicekit_disk_t)
kernel_read_system_state(devicekit_disk_t)
kernel_read_vm_sysctls(devicekit_disk_t)
kernel_request_load_module(devicekit_disk_t)
-kernel_setsched(devicekit_disk_t)
+kernel_dontaudit_setsched(devicekit_disk_t)
corecmd_exec_bin(devicekit_disk_t)
corecmd_exec_shell(devicekit_disk_t)
@@ -99,6 +103,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
dev_getattr_all_chr_files(devicekit_disk_t)
dev_getattr_mtrr_dev(devicekit_disk_t)
+dev_rw_generic_blk_files(devicekit_disk_t)
+dev_rw_loop_control(devicekit_disk_t)
dev_getattr_usbfs_dirs(devicekit_disk_t)
dev_manage_generic_files(devicekit_disk_t)
dev_read_urand(devicekit_disk_t)
@@ -117,8 +123,8 @@ files_getattr_all_pipes(devicekit_disk_t)
files_manage_boot_dirs(devicekit_disk_t)
files_manage_isid_type_dirs(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t)
+files_manage_etc_files(devicekit_disk_t)
files_read_etc_runtime_files(devicekit_disk_t)
-files_read_usr_files(devicekit_disk_t)
fs_getattr_all_fs(devicekit_disk_t)
fs_list_inotifyfs(devicekit_disk_t)
@@ -135,18 +141,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
storage_raw_read_removable_device(devicekit_disk_t)
storage_raw_write_removable_device(devicekit_disk_t)
-term_use_all_terms(devicekit_disk_t)
+term_use_all_inherited_terms(devicekit_disk_t)
auth_use_nsswitch(devicekit_disk_t)
logging_send_syslog_msg(devicekit_disk_t)
-miscfiles_read_localization(devicekit_disk_t)
-
userdom_read_all_users_state(devicekit_disk_t)
userdom_search_user_home_dirs(devicekit_disk_t)
+userdom_manage_user_tmp_dirs(devicekit_disk_t)
optional_policy(`
+ dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
dbus_system_bus_client(devicekit_disk_t)
allow devicekit_disk_t devicekit_t:dbus send_msg;
@@ -170,6 +176,7 @@ optional_policy(`
optional_policy(`
mount_domtrans(devicekit_disk_t)
+ mount_read_pid_files(devicekit_disk_t)
')
optional_policy(`
@@ -183,6 +190,11 @@ optional_policy(`
')
optional_policy(`
+ systemd_read_logind_sessions_files(devicekit_disk_t)
+ systemd_write_inhibit_pipes(devicekit_disk_t)
+')
+
+optional_policy(`
udev_domtrans(devicekit_disk_t)
udev_read_db(devicekit_disk_t)
udev_read_pid_files(devicekit_disk_t)
@@ -192,12 +204,19 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
+optional_policy(`
+ unconfined_domain(devicekit_t)
+ unconfined_domain(devicekit_power_t)
+ unconfined_domain(devicekit_disk_t)
+')
+
########################################
#
# Power local policy
#
-allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
+allow devicekit_power_t self:capability { dac_read_search net_admin sys_admin sys_tty_config sys_nice };
+#allow devicekit_power_t self:capability2 compromise_kernel;
allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
@@ -212,9 +231,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
-allow devicekit_power_t devicekit_var_log_t:file append_file_perms;
-allow devicekit_power_t devicekit_var_log_t:file create_file_perms;
-allow devicekit_power_t devicekit_var_log_t:file setattr_file_perms;
+manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
@@ -224,12 +241,12 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file })
kernel_read_fs_sysctls(devicekit_power_t)
kernel_read_network_state(devicekit_power_t)
kernel_read_system_state(devicekit_power_t)
-kernel_rw_hotplug_sysctls(devicekit_power_t)
+kernel_rw_usermodehelper_state(devicekit_power_t)
kernel_rw_kernel_sysctl(devicekit_power_t)
kernel_rw_vm_sysctls(devicekit_power_t)
kernel_search_debugfs(devicekit_power_t)
kernel_write_proc_files(devicekit_power_t)
-kernel_setsched(devicekit_power_t)
+kernel_dontaudit_setsched(devicekit_power_t)
corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
@@ -248,21 +265,18 @@ domain_read_all_domains_state(devicekit_power_t)
files_read_kernel_img(devicekit_power_t)
files_read_etc_runtime_files(devicekit_power_t)
-files_read_usr_files(devicekit_power_t)
files_dontaudit_list_mnt(devicekit_power_t)
fs_getattr_all_fs(devicekit_power_t)
fs_list_inotifyfs(devicekit_power_t)
-term_use_all_terms(devicekit_power_t)
+term_use_all_inherited_terms(devicekit_power_t)
auth_use_nsswitch(devicekit_power_t)
init_all_labeled_script_domtrans(devicekit_power_t)
init_read_utmp(devicekit_power_t)
-miscfiles_read_localization(devicekit_power_t)
-
sysnet_domtrans_ifconfig(devicekit_power_t)
sysnet_domtrans_dhcpc(devicekit_power_t)
@@ -277,6 +291,12 @@ optional_policy(`
')
optional_policy(`
+ cron_initrc_domtrans(devicekit_power_t)
+ cron_systemctl(devicekit_power_t)
+')
+
+optional_policy(`
+ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
dbus_system_bus_client(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
@@ -307,8 +327,11 @@ optional_policy(`
')
optional_policy(`
+ gnome_manage_home_config(devicekit_power_t)
+')
+
+optional_policy(`
hal_domtrans_mac(devicekit_power_t)
- hal_manage_log(devicekit_power_t)
hal_manage_pid_dirs(devicekit_power_t)
hal_manage_pid_files(devicekit_power_t)
')
@@ -347,3 +370,9 @@ optional_policy(`
optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
+
+optional_policy(`
+ corenet_tcp_connect_xserver_port(devicekit_power_t)
+ xserver_stream_connect(devicekit_power_t)
+')
+
diff --git a/dhcp.fc b/dhcp.fc
index 8182c4806..0b9bb9710 100644
--- a/dhcp.fc
+++ b/dhcp.fc
@@ -1,6 +1,13 @@
/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/dhcrelay(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
-/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
+/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
+/usr/lib/systemd/system/dhcpd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
+/usr/lib/systemd/system/dhcpd6.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
+/usr/lib/systemd/system/dhcrelay.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
+
+/usr/sbin/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
+/usr/sbin/dhcrelay(6)? -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
diff --git a/dhcp.if b/dhcp.if
index c697edbcd..954c090bd 100644
--- a/dhcp.if
+++ b/dhcp.if
@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
')
sysnet_search_dhcp_state($1)
- allow $1 dhcpd_state_t:file setattr;
+ allow $1 dhcpd_state_t:file setattr_file_perms;
')
########################################
@@ -60,6 +60,31 @@ interface(`dhcpd_initrc_domtrans',`
########################################
## <summary>
+## Execute dhcpd server in the dhcpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dhcpd_systemctl',`
+ gen_require(`
+ type dhcpd_unit_file_t;
+ type dhcpd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_search_unit_dirs($1)
+ allow $1 dhcpd_unit_file_t:file read_file_perms;
+ allow $1 dhcpd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, dhcpd_t)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an dhcpd environment.
## </summary>
@@ -79,11 +104,16 @@ interface(`dhcpd_admin',`
gen_require(`
type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
type dhcpd_var_run_t, dhcpd_initrc_exec_t;
+ type dhcpd_unit_file_t;
')
- allow $1 dhcpd_t:process { ptrace signal_perms };
+ allow $1 dhcpd_t:process signal_perms;
ps_process_pattern($1, dhcpd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 dhcpd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dhcpd_initrc_exec_t system_r;
@@ -97,4 +127,8 @@ interface(`dhcpd_admin',`
files_list_pids($1)
admin_pattern($1, dhcpd_var_run_t)
+
+ dhcpd_systemctl($1)
+ admin_pattern($1, dhcpd_unit_file_t)
+ allow $1 dhcpd_unit_file_t:service all_service_perms;
')
diff --git a/dhcp.te b/dhcp.te
index 98a24b989..c9162e646 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
type dhcpd_initrc_exec_t;
init_script_file(dhcpd_initrc_exec_t)
+type dhcpd_unit_file_t;
+systemd_unit_file(dhcpd_unit_file_t)
+
type dhcpd_state_t;
files_type(dhcpd_state_t)
@@ -34,7 +37,7 @@ files_pid_file(dhcpd_var_run_t)
# Local policy
#
-allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource };
+allow dhcpd_t self:capability { chown dac_read_search dac_override fowner sys_chroot net_raw kill setgid setuid setpcap sys_resource };
dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
allow dhcpd_t self:process { getcap setcap signal_perms };
allow dhcpd_t self:fifo_file rw_fifo_file_perms;
@@ -58,7 +61,6 @@ kernel_read_system_state(dhcpd_t)
kernel_read_kernel_sysctls(dhcpd_t)
kernel_read_network_state(dhcpd_t)
-corenet_all_recvfrom_unlabeled(dhcpd_t)
corenet_all_recvfrom_netlabel(dhcpd_t)
corenet_tcp_sendrecv_generic_if(dhcpd_t)
corenet_udp_sendrecv_generic_if(dhcpd_t)
@@ -94,7 +96,6 @@ fs_search_auto_mountpoints(dhcpd_t)
domain_use_interactive_fds(dhcpd_t)
-files_read_usr_files(dhcpd_t)
files_read_etc_runtime_files(dhcpd_t)
files_search_var_lib(dhcpd_t)
@@ -102,22 +103,44 @@ auth_use_nsswitch(dhcpd_t)
logging_send_syslog_msg(dhcpd_t)
-miscfiles_read_localization(dhcpd_t)
-
+sysnet_read_config(dhcpd_t)
sysnet_read_dhcp_config(dhcpd_t)
userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
userdom_dontaudit_search_user_home_dirs(dhcpd_t)
tunable_policy(`dhcpd_use_ldap',`
- sysnet_use_ldap(dhcpd_t)
+ allow dhcpd_t self:tcp_socket create_socket_perms;
+')
+
+tunable_policy(`dhcpd_use_ldap',`
+ corenet_tcp_sendrecv_generic_if(dhcpd_t)
+ corenet_tcp_sendrecv_generic_node(dhcpd_t)
+ corenet_tcp_sendrecv_ldap_port(dhcpd_t)
+ corenet_tcp_connect_ldap_port(dhcpd_t)
+ corenet_sendrecv_ldap_client_packets(dhcpd_t)
')
optional_policy(`
+ tunable_policy(`dhcpd_use_ldap',`
+ ldap_read_certs(dhcpd_t)
+ ')
+')
+
+ifdef(`distro_gentoo',`
+ allow dhcpd_t self:capability { chown dac_read_search setgid setuid sys_chroot };
+')
+
+optional_policy(`
+ # used for dynamic DNS
bind_read_dnssec_keys(dhcpd_t)
')
optional_policy(`
+ cobbler_dontaudit_rw_log(dhcpd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(dhcpd_t)
dbus_connect_system_bus(dhcpd_t)
')
diff --git a/dictd.if b/dictd.if
index 3cc3494bd..cb0a1f4bf 100644
--- a/dictd.if
+++ b/dictd.if
@@ -38,8 +38,11 @@ interface(`dictd_admin',`
type dictd_var_run_t, dictd_initrc_exec_t;
')
- allow $1 dictd_t:process { ptrace signal_perms };
+ allow $1 dictd_t:process signal_perms;
ps_process_pattern($1, dictd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 dictd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, dictd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/dictd.te b/dictd.te
index 433d3c5a0..0dccebfd9 100644
--- a/dictd.te
+++ b/dictd.te
@@ -43,7 +43,6 @@ files_pid_filetrans(dictd_t, dictd_var_run_t, file)
kernel_read_system_state(dictd_t)
kernel_read_kernel_sysctls(dictd_t)
-corenet_all_recvfrom_unlabeled(dictd_t)
corenet_all_recvfrom_netlabel(dictd_t)
corenet_tcp_sendrecv_generic_if(dictd_t)
corenet_tcp_sendrecv_generic_node(dictd_t)
@@ -58,7 +57,6 @@ dev_read_sysfs(dictd_t)
domain_use_interactive_fds(dictd_t)
files_read_etc_runtime_files(dictd_t)
-files_read_usr_files(dictd_t)
files_search_var_lib(dictd_t)
fs_getattr_xattr_fs(dictd_t)
@@ -68,8 +66,6 @@ auth_use_nsswitch(dictd_t)
logging_send_syslog_msg(dictd_t)
-miscfiles_read_localization(dictd_t)
-
userdom_dontaudit_use_unpriv_user_fds(dictd_t)
optional_policy(`
diff --git a/dirmngr.te b/dirmngr.te
index b3b218815..5f917054c 100644
--- a/dirmngr.te
+++ b/dirmngr.te
@@ -53,6 +53,5 @@ files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
kernel_read_crypto_sysctls(dirmngr_t)
-files_read_etc_files(dirmngr_t)
miscfiles_read_localization(dirmngr_t)
diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc
new file mode 100644
index 000000000..38b17f89f
--- /dev/null
+++ b/dirsrv-admin.fc
@@ -0,0 +1,17 @@
+/usr/lib/systemd/system/dirsrv-admin\.service -- gen_context(system_u:object_r:dirsrvadmin_unit_file_t,s0)
+
+/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
+/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
+/usr/sbin/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+/usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+
+/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:dirsrvadmin_script_exec_t,s0)
+/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:dirsrvadmin_script_exec_t,s0)
+
+/usr/lib/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+/usr/lib/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+
+/var/lock/subsys/dirsrv-admin -- gen_context(system_u:object_r:dirsrvadmin_lock_t,s0)
diff --git a/dirsrv-admin.if b/dirsrv-admin.if
new file mode 100644
index 000000000..0d4e70492
--- /dev/null
+++ b/dirsrv-admin.if
@@ -0,0 +1,157 @@
+## <summary>Administration Server for Directory Server, dirsrv-admin.</summary>
+
+########################################
+## <summary>
+## Exec dirsrv-admin programs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrvadmin_run_exec',`
+ gen_require(`
+ type dirsrvadmin_exec_t;
+ ')
+
+ allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
+ can_exec($1, dirsrvadmin_exec_t)
+')
+
+########################################
+## <summary>
+## Exec cgi programs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrvadmin_run_script_exec',`
+ gen_require(`
+ type dirsrvadmin_script_exec_t;
+ ')
+
+ allow $1 dirsrvadmin_script_exec_t:dir search_dir_perms;
+ can_exec($1, dirsrvadmin_script_exec_t)
+')
+
+########################################
+## <summary>
+## Manage dirsrv-adminserver configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrvadmin_read_config',`
+ gen_require(`
+ type dirsrvadmin_config_t;
+ ')
+
+ read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t)
+')
+
+########################################
+## <summary>
+## Manage dirsrv-adminserver configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrvadmin_manage_config',`
+ gen_require(`
+ type dirsrvadmin_config_t;
+ ')
+
+ allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
+ allow $1 dirsrvadmin_config_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+## Read dirsrv-adminserver tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrvadmin_read_tmp',`
+ gen_require(`
+ type dirsrvadmin_tmp_t;
+ ')
+
+ read_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+')
+
+########################################
+## <summary>
+## Manage dirsrv-adminserver tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrvadmin_manage_tmp',`
+ gen_require(`
+ type dirsrvadmin_tmp_t;
+ ')
+
+ manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+ manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+')
+
+########################################
+## <summary>
+## Execute dirsrv-admin server in the dirsrv-admin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dirsrvadmin_systemctl',`
+ gen_require(`
+ type dirsrvadmin_t;
+ type dirsrvadmin_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 dirsrvadmin_unit_file_t:file read_file_perms;
+ allow $1 dirsrvadmin_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, dirsrvadmin_t)
+')
+
+#######################################
+## <summary>
+## Execute admin cgi programs in caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrvadmin_domtrans_unconfined_script_t',`
+ gen_require(`
+ type dirsrvadmin_unconfined_script_t;
+ type dirsrvadmin_unconfined_script_exec_t;
+ ')
+
+ domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t)
+ allow $1 dirsrvadmin_unconfined_script_t:process signal_perms;
+')
diff --git a/dirsrv-admin.te b/dirsrv-admin.te
new file mode 100644
index 000000000..583d849ba
--- /dev/null
+++ b/dirsrv-admin.te
@@ -0,0 +1,167 @@
+policy_module(dirsrv-admin,1.0.0)
+
+########################################
+#
+# Declarations for the daemon
+#
+
+type dirsrvadmin_t;
+type dirsrvadmin_exec_t;
+init_daemon_domain(dirsrvadmin_t, dirsrvadmin_exec_t)
+role system_r types dirsrvadmin_t;
+
+type dirsrvadmin_config_t;
+files_type(dirsrvadmin_config_t)
+
+type dirsrvadmin_lock_t;
+files_lock_file(dirsrvadmin_lock_t)
+
+type dirsrvadmin_tmp_t;
+files_tmp_file(dirsrvadmin_tmp_t)
+
+type dirsrvadmin_unit_file_t;
+systemd_unit_file(dirsrvadmin_unit_file_t)
+
+type dirsrvadmin_unconfined_script_t;
+type dirsrvadmin_unconfined_script_exec_t;
+domain_type(dirsrvadmin_unconfined_script_t)
+domain_entry_file(dirsrvadmin_unconfined_script_t, dirsrvadmin_unconfined_script_exec_t)
+corecmd_shell_entry_type(dirsrvadmin_unconfined_script_t)
+role system_r types dirsrvadmin_unconfined_script_t;
+
+########################################
+#
+# Local policy for the daemon
+#
+
+allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
+allow dirsrvadmin_t self:capability { dac_read_search sys_tty_config sys_resource };
+allow dirsrvadmin_t self:process { setrlimit signal_perms };
+
+manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+files_tmp_filetrans(dirsrvadmin_t, dirsrvadmin_tmp_t, { file dir })
+
+kernel_read_system_state(dirsrvadmin_t)
+
+corecmd_exec_bin(dirsrvadmin_t)
+corecmd_read_bin_symlinks(dirsrvadmin_t)
+corecmd_search_bin(dirsrvadmin_t)
+corecmd_shell_entry_type(dirsrvadmin_t)
+
+files_exec_etc_files(dirsrvadmin_t)
+
+libs_exec_ld_so(dirsrvadmin_t)
+
+logging_search_logs(dirsrvadmin_t)
+
+# Needed for stop and restart scripts
+dirsrv_read_var_run(dirsrvadmin_t)
+
+optional_policy(`
+ apache_domtrans(dirsrvadmin_t)
+ apache_signal(dirsrvadmin_t)
+')
+
+########################################
+#
+# Local policy for the CGIs
+#
+#
+#
+# Create a domain for the CGI scripts
+
+optional_policy(`
+ apache_content_template(dirsrvadmin)
+ apache_content_alias_template(dirsrvadmin, dirsrvadmin)
+
+ allow dirsrvadmin_script_t self:process { getsched getpgid };
+ allow dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search };
+ allow dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
+ allow dirsrvadmin_script_t self:udp_socket create_socket_perms;
+ allow dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
+ allow dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
+ allow dirsrvadmin_script_t self:sem create_sem_perms;
+
+
+ manage_files_pattern(dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t)
+ files_lock_filetrans(dirsrvadmin_script_t, dirsrvadmin_lock_t, { file })
+
+ kernel_read_kernel_sysctls(dirsrvadmin_script_t)
+
+ auth_read_passwd(dirsrvadmin_script_t)
+
+ corenet_tcp_bind_generic_node(dirsrvadmin_script_t)
+ corenet_udp_bind_generic_node(dirsrvadmin_script_t)
+ corenet_all_recvfrom_netlabel(dirsrvadmin_script_t)
+
+ corenet_tcp_bind_http_port(dirsrvadmin_script_t)
+ corenet_tcp_connect_generic_port(dirsrvadmin_script_t)
+ corenet_tcp_connect_ldap_port(dirsrvadmin_script_t)
+ corenet_tcp_connect_http_port(dirsrvadmin_script_t)
+
+ files_search_var_lib(dirsrvadmin_script_t)
+
+ sysnet_read_config(dirsrvadmin_script_t)
+
+ manage_files_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+ manage_dirs_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+ files_tmp_filetrans(dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
+
+ optional_policy(`
+ dirsrvadmin_systemctl(dirsrvadmin_script_t)
+ ')
+
+ optional_policy(`
+ apache_read_modules(dirsrvadmin_script_t)
+ apache_read_config(dirsrvadmin_script_t)
+ apache_read_pid_files(dirsrvadmin_script_t)
+ apache_signal(dirsrvadmin_script_t)
+ apache_signull(dirsrvadmin_script_t)
+ ')
+
+ optional_policy(`
+ # The CGI scripts must be able to manage dirsrv-admin
+ dirsrvadmin_run_exec(dirsrvadmin_script_t)
+ dirsrvadmin_manage_config(dirsrvadmin_script_t)
+ dirsrv_domtrans(dirsrvadmin_script_t)
+ dirsrv_signal(dirsrvadmin_script_t)
+ dirsrv_signull(dirsrvadmin_script_t)
+ dirsrv_manage_log(dirsrvadmin_script_t)
+ dirsrv_manage_var_lib(dirsrvadmin_script_t)
+ dirsrv_pid_filetrans(dirsrvadmin_script_t)
+ dirsrv_manage_var_run(dirsrvadmin_script_t)
+ dirsrv_manage_config(dirsrvadmin_script_t)
+ dirsrv_read_share(dirsrvadmin_script_t)
+ ')
+')
+
+#######################################
+#
+# Local policy for the admin CGIs
+#
+#
+
+
+manage_files_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+manage_dirs_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+files_tmp_filetrans(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, { file dir })
+
+# needed because of filetrans rules
+dirsrvadmin_run_exec(dirsrvadmin_unconfined_script_t)
+dirsrvadmin_manage_config(dirsrvadmin_unconfined_script_t)
+dirsrv_domtrans(dirsrvadmin_unconfined_script_t)
+dirsrv_signal(dirsrvadmin_unconfined_script_t)
+dirsrv_signull(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_log(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_var_lib(dirsrvadmin_unconfined_script_t)
+dirsrv_pid_filetrans(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_var_run(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_config(dirsrvadmin_unconfined_script_t)
+dirsrv_read_share(dirsrvadmin_unconfined_script_t)
+
+optional_policy(`
+ unconfined_domain(dirsrvadmin_unconfined_script_t)
+')
+
+
diff --git a/dirsrv.fc b/dirsrv.fc
new file mode 100644
index 000000000..5d30dab95
--- /dev/null
+++ b/dirsrv.fc
@@ -0,0 +1,23 @@
+/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0)
+
+/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0)
+/usr/sbin/ldap-agent -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/ldap-agent-bin -- gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
+/usr/sbin/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_share_t,s0)
+
+/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
+
+# BZ:
+/var/run/slapd.* -s gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+
+/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
+
+/var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
+
+/var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_log_t,s0)
+
+/var/log/dirsrv/ldap-agent.log.* gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
diff --git a/dirsrv.if b/dirsrv.if
new file mode 100644
index 000000000..b3784d85d
--- /dev/null
+++ b/dirsrv.if
@@ -0,0 +1,232 @@
+## <summary>policy for dirsrv</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run dirsrv.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dirsrv_domtrans',`
+ gen_require(`
+ type dirsrv_t, dirsrv_exec_t;
+ ')
+
+ domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)
+')
+
+########################################
+## <summary>
+## Execute dirsrv in the dirsrv domain, and
+## allow the specified role the dirsrv domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_run',`
+ gen_require(`
+ type dirsrv_t;
+ ')
+
+ dirsrv_domtrans($1)
+ role $2 types dirsrv_t;
+')
+
+########################################
+## <summary>
+## Allow caller to signal dirsrv.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_signal',`
+ gen_require(`
+ type dirsrv_t;
+ ')
+
+ allow $1 dirsrv_t:process signal;
+')
+
+
+########################################
+## <summary>
+## Send a null signal to dirsrv.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_signull',`
+ gen_require(`
+ type dirsrv_t;
+ ')
+
+ allow $1 dirsrv_t:process signull;
+')
+
+#######################################
+## <summary>
+## Allow a domain to manage dirsrv logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_log',`
+ gen_require(`
+ type dirsrv_var_log_t;
+ ')
+
+ allow $1 dirsrv_var_log_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_log_t:file manage_file_perms;
+ allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms;
+')
+
+#######################################
+## <summary>
+## Allow a domain to manage dirsrv /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_var_lib',`
+ gen_require(`
+ type dirsrv_var_lib_t;
+ ')
+ allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_lib_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to dirsrv over a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_stream_connect',`
+ gen_require(`
+ type dirsrv_t, dirsrv_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
+')
+
+#######################################
+## <summary>
+## Allow a domain to manage dirsrv /var/run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_var_run',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ allow $1 dirsrv_var_run_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_run_t:file manage_file_perms;
+ allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
+')
+
+######################################
+## <summary>
+## Allow a domain to create dirsrv pid directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_pid_filetrans',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ # Allow creating a dir in /var/run with this type
+ files_pid_filetrans($1, dirsrv_var_run_t, dir)
+')
+
+#######################################
+## <summary>
+## Allow a domain to read dirsrv /var/run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_read_var_run',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ allow $1 dirsrv_var_run_t:dir list_dir_perms;
+ allow $1 dirsrv_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage dirsrv configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_config',`
+ gen_require(`
+ type dirsrv_config_t;
+ ')
+
+ allow $1 dirsrv_config_t:dir manage_dir_perms;
+ allow $1 dirsrv_config_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Read dirsrv share files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_read_share',`
+ gen_require(`
+ type dirsrv_share_t;
+ ')
+
+ allow $1 dirsrv_share_t:dir list_dir_perms;
+ allow $1 dirsrv_share_t:file read_file_perms;
+ allow $1 dirsrv_share_t:lnk_file read;
+')
diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644
index 000000000..de56c291d
--- /dev/null
+++ b/dirsrv.te
@@ -0,0 +1,210 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# main daemon
+type dirsrv_t;
+type dirsrv_exec_t;
+domain_type(dirsrv_t)
+init_daemon_domain(dirsrv_t, dirsrv_exec_t)
+
+type dirsrv_snmp_t;
+type dirsrv_snmp_exec_t;
+domain_type(dirsrv_snmp_t)
+init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)
+
+type dirsrv_var_lib_t;
+files_type(dirsrv_var_lib_t)
+
+type dirsrv_var_log_t;
+logging_log_file(dirsrv_var_log_t)
+
+type dirsrv_snmp_var_log_t;
+logging_log_file(dirsrv_snmp_var_log_t)
+
+type dirsrv_var_run_t;
+files_pid_file(dirsrv_var_run_t)
+
+type dirsrv_snmp_var_run_t;
+files_pid_file(dirsrv_snmp_var_run_t)
+
+type dirsrv_var_lock_t;
+files_lock_file(dirsrv_var_lock_t)
+
+type dirsrv_config_t;
+files_type(dirsrv_config_t)
+
+type dirsrv_tmp_t;
+files_tmp_file(dirsrv_tmp_t)
+
+type dirsrv_tmpfs_t;
+files_tmpfs_file(dirsrv_tmpfs_t)
+
+type dirsrv_share_t;
+files_type(dirsrv_share_t);
+
+########################################
+#
+# dirsrv local policy
+#
+allow dirsrv_t self:process { getsched setsched setfscreate setrlimit signal_perms};
+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_read_search dac_override fowner };
+allow dirsrv_t self:fifo_file manage_fifo_file_perms;
+allow dirsrv_t self:sem create_sem_perms;
+allow dirsrv_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+manage_lnk_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, { dir file })
+allow dirsrv_t dirsrv_tmpfs_t:file map;
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
+allow dirsrv_t dirsrv_var_lib_t:file map;
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+allow dirsrv_t dirsrv_var_log_t:dir { setattr };
+logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file })
+allow dirsrv_t dirsrv_var_run_t:file map;
+
+manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
+files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, { dir file })
+files_setattr_lock_dirs(dirsrv_t)
+
+manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+
+manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
+allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms;
+
+read_files_pattern(dirsrv_t, dirsrv_share_t, dirsrv_share_t)
+list_dirs_pattern(dirsrv_t, dirsrv_share_t, dirsrv_share_t)
+
+kernel_read_network_state(dirsrv_t)
+kernel_read_system_state(dirsrv_t)
+kernel_read_kernel_sysctls(dirsrv_t)
+
+corecmd_search_bin(dirsrv_t)
+
+corenet_all_recvfrom_netlabel(dirsrv_t)
+corenet_tcp_sendrecv_generic_if(dirsrv_t)
+corenet_tcp_sendrecv_generic_node(dirsrv_t)
+corenet_tcp_sendrecv_all_ports(dirsrv_t)
+corenet_tcp_bind_generic_node(dirsrv_t)
+corenet_tcp_bind_ldap_port(dirsrv_t)
+corenet_tcp_bind_dogtag_port(dirsrv_t)
+corenet_tcp_bind_all_rpc_ports(dirsrv_t)
+corenet_udp_bind_all_rpc_ports(dirsrv_t)
+corenet_tcp_connect_all_ports(dirsrv_t)
+corenet_sendrecv_ldap_server_packets(dirsrv_t)
+corenet_sendrecv_all_client_packets(dirsrv_t)
+
+dev_read_sysfs(dirsrv_t)
+dev_read_urand(dirsrv_t)
+
+files_read_usr_symlinks(dirsrv_t)
+
+fs_getattr_all_fs(dirsrv_t)
+fs_read_cgroup_files(dirsrv_t)
+
+auth_use_pam(dirsrv_t)
+
+logging_send_syslog_msg(dirsrv_t)
+
+sysnet_dns_name_resolve(dirsrv_t)
+
+optional_policy(`
+ apache_dontaudit_leaks(dirsrv_t)
+')
+
+optional_policy(`
+ dirsrvadmin_read_tmp(dirsrv_t)
+')
+
+optional_policy(`
+ kerberos_use(dirsrv_t)
+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_55")
+')
+
+# FIPS mode
+optional_policy(`
+ prelink_exec(dirsrv_t)
+')
+
+optional_policy(`
+ rpcbind_stream_connect(dirsrv_t)
+')
+
+optional_policy(`
+ uuidd_stream_connect_manager(dirsrv_t)
+')
+
+optional_policy(`
+ systemd_manage_passwd_run(dirsrv_t)
+')
+
+########################################
+#
+# dirsrv-snmp local policy
+#
+allow dirsrv_snmp_t self:capability { dac_read_search };
+allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;
+
+rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+
+read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+
+read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
+
+manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
+files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
+search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+
+manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
+filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
+
+kernel_read_system_state(dirsrv_snmp_t)
+
+corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
+
+dev_read_rand(dirsrv_snmp_t)
+dev_read_urand(dirsrv_snmp_t)
+
+domain_use_interactive_fds(dirsrv_snmp_t)
+
+#files_manage_var_files(dirsrv_snmp_t)
+
+fs_getattr_tmpfs(dirsrv_snmp_t)
+fs_search_tmpfs(dirsrv_snmp_t)
+
+sysnet_read_config(dirsrv_snmp_t)
+sysnet_dns_name_resolve(dirsrv_snmp_t)
+
+userdom_use_inherited_user_ptys(dirsrv_snmp_t)
+
+optional_policy(`
+ snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
+ snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
+ snmp_manage_var_lib_dirs(dirsrv_snmp_t)
+ snmp_manage_var_lib_files(dirsrv_snmp_t)
+ snmp_stream_connect(dirsrv_snmp_t)
+')
diff --git a/distcc.if b/distcc.if
index 24d8c740c..1790ec5dc 100644
--- a/distcc.if
+++ b/distcc.if
@@ -19,7 +19,7 @@
#
interface(`distcc_admin',`
gen_require(`
- type distccd_t, distccd_t, distccd_log_t;
+ type distccd_t, distccd_t, distccd_log_t, distccd_var_run_t;
type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
')
diff --git a/distcc.te b/distcc.te
index 898b2f433..8a1725b62 100644
--- a/distcc.te
+++ b/distcc.te
@@ -47,7 +47,6 @@ files_pid_filetrans(distccd_t, distccd_var_run_t, file)
kernel_read_system_state(distccd_t)
kernel_read_kernel_sysctls(distccd_t)
-corenet_all_recvfrom_unlabeled(distccd_t)
corenet_all_recvfrom_netlabel(distccd_t)
corenet_tcp_sendrecv_generic_if(distccd_t)
corenet_tcp_sendrecv_generic_node(distccd_t)
@@ -74,8 +73,6 @@ libs_exec_lib_files(distccd_t)
logging_send_syslog_msg(distccd_t)
-miscfiles_read_localization(distccd_t)
-
userdom_dontaudit_use_unpriv_user_fds(distccd_t)
userdom_dontaudit_search_user_home_dirs(distccd_t)
diff --git a/djbdns.if b/djbdns.if
index 671d3c0a1..6d36c951a 100644
--- a/djbdns.if
+++ b/djbdns.if
@@ -39,6 +39,23 @@ template(`djbdns_daemontools_domain_template',`
allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
+
+ corenet_all_recvfrom_netlabel(djbdns_$1_t)
+ corenet_tcp_sendrecv_generic_if(djbdns_$1_t)
+ corenet_udp_sendrecv_generic_if(djbdns_$1_t)
+ corenet_tcp_sendrecv_generic_node(djbdns_$1_t)
+ corenet_udp_sendrecv_generic_node(djbdns_$1_t)
+ corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
+ corenet_udp_sendrecv_all_ports(djbdns_$1_t)
+ corenet_tcp_bind_generic_node(djbdns_$1_t)
+ corenet_udp_bind_generic_node(djbdns_$1_t)
+ corenet_tcp_bind_dns_port(djbdns_$1_t)
+ corenet_udp_bind_dns_port(djbdns_$1_t)
+ corenet_udp_bind_generic_port(djbdns_$1_t)
+ corenet_sendrecv_dns_server_packets(djbdns_$1_t)
+ corenet_sendrecv_generic_server_packets(djbdns_$1_t)
+
+ files_search_var(djbdns_$1_t)
')
#####################################
diff --git a/djbdns.te b/djbdns.te
index 87ca536ae..ebd327ad1 100644
--- a/djbdns.te
+++ b/djbdns.te
@@ -48,6 +48,10 @@ corenet_udp_bind_generic_port(djbdns_domain)
files_search_var(djbdns_domain)
+daemontools_ipc_domain(djbdns_axfrdns_t)
+daemontools_read_svc(djbdns_axfrdns_t)
+
+
########################################
#
# axfrdns local policy
diff --git a/dkim.fc b/dkim.fc
index 5818418af..674367b3a 100644
--- a/dkim.fc
+++ b/dkim.fc
@@ -9,7 +9,6 @@
/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
-/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/dmidecode.if b/dmidecode.if
index 41c3f6770..653a1ecbb 100644
--- a/dmidecode.if
+++ b/dmidecode.if
@@ -19,6 +19,25 @@ interface(`dmidecode_domtrans',`
domtrans_pattern($1, dmidecode_exec_t, dmidecode_t)
')
+######################################
+## <summary>
+## Execute dmidecode in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dmidecode_exec',`
+ gen_require(`
+ type dmidecode_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, dmidecode_exec_t)
+')
+
########################################
## <summary>
## Execute dmidecode in the dmidecode
diff --git a/dmidecode.te b/dmidecode.te
index aa0ef6e94..d55bbd34c 100644
--- a/dmidecode.te
+++ b/dmidecode.te
@@ -31,4 +31,9 @@ mls_file_read_all_levels(dmidecode_t)
locallogin_use_fds(dmidecode_t)
-userdom_use_user_terminals(dmidecode_t)
+userdom_use_inherited_user_terminals(dmidecode_t)
+
+optional_policy(`
+ rhsmcertd_rw_lock_files(dmidecode_t)
+ rhsmcertd_read_log(dmidecode_t)
+')
diff --git a/dnsmasq.fc b/dnsmasq.fc
index 23ab808d8..84735a8cb 100644
--- a/dnsmasq.fc
+++ b/dnsmasq.fc
@@ -1,13 +1,16 @@
/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t,s0)
+/etc/dnsmasq\.d(/.*)? gen_context(system_u:object_r:dnsmasq_etc_t,s0)
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+/usr/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
+
/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
-/var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+/var/log/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
-/var/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+/var/run/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --git a/dnsmasq.if b/dnsmasq.if
index 19aa0b80b..a79982cd6 100644
--- a/dnsmasq.if
+++ b/dnsmasq.if
@@ -10,7 +10,6 @@
## </summary>
## </param>
#
-#
interface(`dnsmasq_domtrans',`
gen_require(`
type dnsmasq_exec_t, dnsmasq_t;
@@ -20,6 +19,42 @@ interface(`dnsmasq_domtrans',`
domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
')
+#######################################
+## <summary>
+## Execute dnsmasq server in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_exec',`
+ gen_require(`
+ type dnsmasq_exec_t;
+ ')
+
+ can_exec($1, dnsmasq_exec_t)
+')
+
+########################################
+## <summary>
+## Allow read/write dnsmasq pipes
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_rw_inherited_pipes',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
########################################
## <summary>
## Execute the dnsmasq init script in
@@ -42,6 +77,49 @@ interface(`dnsmasq_initrc_domtrans',`
########################################
## <summary>
+## Execute dnsmasq server in the dnsmasq domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_systemctl',`
+ gen_require(`
+ type dnsmasq_unit_file_t;
+ type dnsmasq_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 dnsmasq_unit_file_t:file read_file_perms;
+ allow $1 dnsmasq_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, dnsmasq_t)
+')
+
+########################################
+## <summary>
+## Send sigchld to dnsmasq.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_sigchld',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:process sigchld;
+')
+
+########################################
+## <summary>
## Send generic signals to dnsmasq.
## </summary>
## <param name="domain">
@@ -145,15 +223,16 @@ interface(`dnsmasq_write_config',`
## </summary>
## </param>
#
-#
interface(`dnsmasq_delete_pid_files',`
gen_require(`
type dnsmasq_var_run_t;
')
+ files_search_pids($1)
delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
+
########################################
## <summary>
## Create, read, write, and delete
@@ -176,7 +255,7 @@ interface(`dnsmasq_manage_pid_files',`
########################################
## <summary>
-## Read dnsmasq pid files.
+## Read dnsmasq pid files
## </summary>
## <param name="domain">
## <summary>
@@ -184,12 +263,12 @@ interface(`dnsmasq_manage_pid_files',`
## </summary>
## </param>
#
-#
interface(`dnsmasq_read_pid_files',`
gen_require(`
type dnsmasq_var_run_t;
')
+ files_search_pids($1)
read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
@@ -214,37 +293,66 @@ interface(`dnsmasq_create_pid_dirs',`
########################################
## <summary>
-## Create specified objects in specified
-## directories with a type transition to
-## the dnsmasq pid file type.
+## Create dnsmasq pid directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="file_type">
-## <summary>
-## Directory to transition on.
-## </summary>
-## </param>
-## <param name="object">
+#
+interface(`dnsmasq_read_state',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+ ps_process_pattern($1, dnsmasq_t)
+')
+
+########################################
+## <summary>
+## Transition to dnsmasq named content
+## </summary>
+## <param name="domain">
## <summary>
-## The object class of the object being created.
+## Domain allowed access.
## </summary>
## </param>
-## <param name="name" optional="true">
+## <param name="private type">
## <summary>
-## The name of the object being created.
+## The type of the directory for the object to be created.
## </summary>
## </param>
#
-interface(`dnsmasq_spec_filetrans_pid',`
+interface(`dnsmasq_filetrans_named_content_fromdir',`
gen_require(`
type dnsmasq_var_run_t;
')
- filetrans_pattern($1, $2, dnsmasq_var_run_t, $3, $4)
+ filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network")
+ filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid")
+')
+
+#######################################
+## <summary>
+## Transition to dnsmasq named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_filetrans_named_content',`
+ gen_require(`
+ type dnsmasq_etc_t;
+ type dnsmasq_var_run_t;
+ ')
+
+ files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")
+ files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
+ virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")
+ files_etc_filetrans($1, dnsmasq_etc_t, file, "dnsmasq.conf")
+ files_etc_filetrans($1, dnsmasq_etc_t, dir, "dnsmasq.d")
')
########################################
@@ -267,12 +375,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
interface(`dnsmasq_admin',`
gen_require(`
type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
- type dnsmasq_initrc_exec_t, dnsmasq_var_log_t;
+ type dnsmasq_var_log_t;
+ type dnsmasq_initrc_exec_t;
+ type dnsmasq_unit_file_t;
')
- allow $1 dnsmasq_t:process { ptrace signal_perms };
+ allow $1 dnsmasq_t:process signal_perms;
ps_process_pattern($1, dnsmasq_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 dnsmasq_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dnsmasq_initrc_exec_t system_r;
@@ -281,9 +395,36 @@ interface(`dnsmasq_admin',`
files_list_var_lib($1)
admin_pattern($1, dnsmasq_lease_t)
- logging_seearch_logs($1)
+ logging_search_logs($1)
admin_pattern($1, dnsmasq_var_log_t)
files_list_pids($1)
admin_pattern($1, dnsmasq_var_run_t)
+
+ dnsmasq_systemctl($1)
+ admin_pattern($1, dnsmasq_unit_file_t)
+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## dnsmasq over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_dbus_chat',`
+ gen_require(`
+ type dnsmasq_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 dnsmasq_t:dbus send_msg;
+ allow dnsmasq_t $1:dbus send_msg;
')
+
+
diff --git a/dnsmasq.te b/dnsmasq.te
index 37a3b7b30..59eb2b7cb 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -24,12 +24,15 @@ logging_log_file(dnsmasq_var_log_t)
type dnsmasq_var_run_t;
files_pid_file(dnsmasq_var_run_t)
+type dnsmasq_unit_file_t;
+systemd_unit_file(dnsmasq_unit_file_t)
+
########################################
#
# Local policy
#
-allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_raw };
+allow dnsmasq_t self:capability { chown dac_read_search net_admin setgid setuid net_raw };
dontaudit dnsmasq_t self:capability sys_tty_config;
allow dnsmasq_t self:process { getcap setcap signal_perms };
allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
@@ -38,6 +41,7 @@ allow dnsmasq_t self:packet_socket create_socket_perms;
allow dnsmasq_t self:rawip_socket create_socket_perms;
read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
+list_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
@@ -52,11 +56,14 @@ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
kernel_read_kernel_sysctls(dnsmasq_t)
+kernel_read_net_sysctls(dnsmasq_t)
kernel_read_network_state(dnsmasq_t)
kernel_read_system_state(dnsmasq_t)
kernel_request_load_module(dnsmasq_t)
-corenet_all_recvfrom_unlabeled(dnsmasq_t)
+corecmd_exec_bin(dnsmasq_t)
+corecmd_exec_shell(dnsmasq_t)
+
corenet_all_recvfrom_netlabel(dnsmasq_t)
corenet_tcp_sendrecv_generic_if(dnsmasq_t)
corenet_udp_sendrecv_generic_if(dnsmasq_t)
@@ -86,9 +93,9 @@ fs_search_auto_mountpoints(dnsmasq_t)
auth_use_nsswitch(dnsmasq_t)
-logging_send_syslog_msg(dnsmasq_t)
+libs_exec_ldconfig(dnsmasq_t)
-miscfiles_read_localization(dnsmasq_t)
+logging_send_syslog_msg(dnsmasq_t)
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
@@ -98,12 +105,25 @@ optional_policy(`
')
optional_policy(`
+ cron_manage_pid_files(dnsmasq_t)
+')
+
+optional_policy(`
dbus_connect_system_bus(dnsmasq_t)
dbus_system_bus_client(dnsmasq_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(dnsmasq_t)
+ ')
')
optional_policy(`
- networkmanager_read_pid_files(dnsmasq_t)
+ dnsmasq_domtrans(dnsmasq_t)
+')
+
+optional_policy(`
+ networkmanager_read_conf(dnsmasq_t)
+ networkmanager_manage_pid_files(dnsmasq_t)
')
optional_policy(`
@@ -124,6 +144,18 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
+ virt_read_lib_files(dnsmasq_t)
virt_read_pid_files(dnsmasq_t)
virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
')
+
+optional_policy(`
+ neutron_manage_lib_files(dnsmasq_t)
+ neutron_stream_connect(dnsmasq_t)
+ neutron_rw_fifo_file(dnsmasq_t)
+ neutron_sigchld(dnsmasq_t)
+')
+
+optional_policy(`
+ systemd_resolved_read_pid(dnsmasq_t)
+')
diff --git a/dnssec.fc b/dnssec.fc
new file mode 100644
index 000000000..1714fa661
--- /dev/null
+++ b/dnssec.fc
@@ -0,0 +1,6 @@
+/usr/lib/systemd/system/dnssec-triggerd.* -- gen_context(system_u:object_r:dnssec_trigger_unit_file_t,s0)
+
+/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
+/usr/libexec/dnssec-trigger-script -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
+
+/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
diff --git a/dnssec.if b/dnssec.if
new file mode 100644
index 000000000..d22ed691a
--- /dev/null
+++ b/dnssec.if
@@ -0,0 +1,123 @@
+
+## <summary>policy for dnssec_trigger</summary>
+
+########################################
+## <summary>
+## Transition to dnssec_trigger.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dnssec_trigger_domtrans',`
+ gen_require(`
+ type dnssec_trigger_t, dnssec_trigger_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dnssec_trigger_exec_t, dnssec_trigger_t)
+')
+########################################
+## <summary>
+## Read dnssec_trigger PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dnssec_trigger_read_pid_files',`
+ gen_require(`
+ type dnssec_trigger_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 dnssec_trigger_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage dnssec_trigger PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dnssec_trigger_manage_pid_files',`
+ gen_require(`
+ type dnssec_trigger_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+ manage_files_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+ manage_lnk_files_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+')
+
+
+########################################
+## <summary>
+## Send signull to dnssec_trigger.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`dnssec_trigger_signull',`
+ gen_require(`
+ type dnssec_trigger_t;
+ ')
+
+ allow $1 dnssec_trigger_t:process signull;
+')
+
+########################################
+## <summary>
+## Send sigkill to dnssec_trigger.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`dnssec_trigger_sigkill',`
+ gen_require(`
+ type dnssec_trigger_t;
+ ')
+
+ allow $1 dnssec_trigger_t:process sigkill;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an dnssec_trigger environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dnssec_trigger_admin',`
+ gen_require(`
+ type dnssec_trigger_t;
+ type dnssec_trigger_var_run_t;
+ ')
+
+ allow $1 dnssec_trigger_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dnssec_trigger_t)
+
+ files_search_pids($1)
+ admin_pattern($1, dnssec_trigger_var_run_t)
+')
diff --git a/dnssec.te b/dnssec.te
new file mode 100644
index 000000000..b93540692
--- /dev/null
+++ b/dnssec.te
@@ -0,0 +1,93 @@
+policy_module(dnssec, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type dnssec_trigger_t;
+type dnssec_trigger_exec_t;
+init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t)
+
+type dnssec_trigger_unit_file_t;
+systemd_unit_file(dnssec_trigger_unit_file_t)
+
+type dnssec_trigger_var_run_t;
+files_pid_file(dnssec_trigger_var_run_t)
+
+type dnssec_trigger_tmp_t;
+files_tmp_file(dnssec_trigger_tmp_t)
+
+########################################
+#
+# dnssec_trigger local policy
+#
+allow dnssec_trigger_t self:capability { net_admin linux_immutable sys_ptrace };
+allow dnssec_trigger_t self:process signal;
+allow dnssec_trigger_t self:fifo_file rw_fifo_file_perms;
+allow dnssec_trigger_t self:unix_stream_socket create_stream_socket_perms;
+allow dnssec_trigger_t self:tcp_socket create_stream_socket_perms;
+allow dnssec_trigger_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+manage_lnk_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+allow dnssec_trigger_t dnssec_trigger_var_run_t:file relabelfrom_file_perms;
+files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file lnk_file })
+
+manage_files_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t)
+manage_dirs_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t)
+files_tmp_filetrans(dnssec_trigger_t,dnssec_trigger_tmp_t,{ file dir })
+
+kernel_read_system_state(dnssec_trigger_t)
+
+can_exec(dnssec_trigger_t, dnssec_trigger_exec_t)
+
+corecmd_exec_bin(dnssec_trigger_t)
+corecmd_exec_shell(dnssec_trigger_t)
+corecmd_read_all_executables(dnssec_trigger_t)
+
+corenet_tcp_bind_generic_node(dnssec_trigger_t)
+corenet_tcp_bind_dnssec_port(dnssec_trigger_t)
+corenet_tcp_connect_rndc_port(dnssec_trigger_t)
+corenet_tcp_connect_http_port(dnssec_trigger_t)
+
+dev_read_urand(dnssec_trigger_t)
+
+domain_use_interactive_fds(dnssec_trigger_t)
+domain_read_all_domains_state(dnssec_trigger_t)
+
+files_read_etc_runtime_files(dnssec_trigger_t)
+files_dontaudit_list_tmp(dnssec_trigger_t)
+
+libs_exec_ldconfig(dnssec_trigger_t)
+
+logging_send_syslog_msg(dnssec_trigger_t)
+
+auth_use_nsswitch(dnssec_trigger_t)
+
+sysnet_dns_name_resolve(dnssec_trigger_t)
+sysnet_manage_config(dnssec_trigger_t)
+sysnet_filetrans_named_content(dnssec_trigger_t)
+sysnet_relabelfrom_net_conf(dnssec_trigger_t)
+sysnet_relabelto_net_conf(dnssec_trigger_t)
+
+optional_policy(`
+ dbus_system_bus_client(dnssec_trigger_t)
+')
+
+optional_policy(`
+ bind_domtrans(dnssec_trigger_t)
+ bind_read_config(dnssec_trigger_t)
+ bind_read_dnssec_keys(dnssec_trigger_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(dnssec_trigger_t)
+ networkmanager_stream_connect(dnssec_trigger_t)
+ networkmanager_signal(dnssec_trigger_t)
+ networkmanager_sigchld(dnssec_trigger_t)
+ networkmanager_sigkill(dnssec_trigger_t)
+ networkmanager_signull(dnssec_trigger_t)
+ networkmanager_read_conf(dnssec_trigger_t)
+')
diff --git a/dnssectrigger.te b/dnssectrigger.te
index c7bb4e782..e6fe2f402 100644
--- a/dnssectrigger.te
+++ b/dnssectrigger.te
@@ -67,8 +67,6 @@ files_read_etc_runtime_files(dnssec_triggerd_t)
logging_send_syslog_msg(dnssec_triggerd_t)
-miscfiles_read_localization(dnssec_triggerd_t)
-
sysnet_dns_name_resolve(dnssec_triggerd_t)
sysnet_manage_config(dnssec_triggerd_t)
sysnet_etc_filetrans_config(dnssec_triggerd_t)
diff --git a/dovecot.fc b/dovecot.fc
index c88007004..444805588 100644
--- a/dovecot.fc
+++ b/dovecot.fc
@@ -1,36 +1,48 @@
-/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
-/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
-/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
-/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
-
-/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+#
+# /etc
+#
+/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
+/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
-/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+# Debian uses /etc/dovecot/
+ifdef(`distro_debian',`
+/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
+')
-/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
-/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
+#
+# /usr
+#
+/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
-/etc/ssl/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
-/usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+ifdef(`distro_debian', `
/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-/usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+')
-/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+ifdef(`distro_redhat', `
+/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+')
-/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
-/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+#
+# /var
+#
+/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
-/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
-/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0)
-/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
+/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0)
+/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
-/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
+/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
diff --git a/dovecot.if b/dovecot.if
index d5badb755..c2431fc73 100644
--- a/dovecot.if
+++ b/dovecot.if
@@ -1,29 +1,49 @@
-## <summary>POP and IMAP mail server.</summary>
+## <summary>Dovecot POP and IMAP mail server</summary>
+
+######################################
+## <summary>
+## Creates types and rules for a basic
+## dovecot daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`dovecot_basic_types_template',`
+ gen_require(`
+ attribute dovecot_domain;
+ ')
+
+ type $1_t, dovecot_domain;
+ type $1_exec_t;
+
+ kernel_read_system_state($1_t)
+')
#######################################
## <summary>
-## Connect to dovecot using a unix
-## domain stream socket.
+## Connect to dovecot unix domain stream socket.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`dovecot_stream_connect',`
- gen_require(`
- type dovecot_t, dovecot_var_run_t;
- ')
+ gen_require(`
+ type dovecot_t, dovecot_var_run_t;
+ ')
- files_search_pids($1)
- stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
+ files_search_pids($1)
+ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
')
########################################
## <summary>
-## Connect to dovecot using a unix
-## domain stream socket.
+## Connect to dovecot auth unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -43,8 +63,7 @@ interface(`dovecot_stream_connect_auth',`
########################################
## <summary>
-## Execute dovecot_deliver in the
-## dovecot_deliver domain.
+## Execute dovecot_deliver in the dovecot_deliver domain.
## </summary>
## <param name="domain">
## <summary>
@@ -57,14 +76,12 @@ interface(`dovecot_domtrans_deliver',`
type dovecot_deliver_t, dovecot_deliver_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## dovecot spool files.
+## Create, read, write, and delete the dovecot spool files.
## </summary>
## <param name="domain">
## <summary>
@@ -78,15 +95,13 @@ interface(`dovecot_manage_spool',`
')
files_search_spool($1)
- allow $1 dovecot_spool_t:dir manage_dir_perms;
- allow $1 dovecot_spool_t:file manage_file_perms;
- allow $1 dovecot_spool_t:lnk_file manage_lnk_file_perms;
+ manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+ manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
')
########################################
## <summary>
-## Do not audit attempts to delete
-## dovecot lib files.
+## Do not audit attempts to delete dovecot lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -99,12 +114,13 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
type dovecot_var_lib_t;
')
- dontaudit $1 dovecot_var_lib_t:file delete_file_perms;
+ dontaudit $1 dovecot_var_lib_t:file unlink;
')
######################################
## <summary>
-## Write inherited dovecot tmp files.
+## Allow attempts to write inherited
+## dovecot tmp files.
## </summary>
## <param name="domain">
## <summary>
@@ -120,10 +136,30 @@ interface(`dovecot_write_inherited_tmp_files',`
allow $1 dovecot_tmp_t:file write;
')
+####################################
+## <summary>
+## Read dovecot configuration file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dovecot_read_config',`
+ gen_require(`
+ type dovecot_etc_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, dovecot_etc_t, dovecot_etc_t)
+ read_files_pattern($1, dovecot_etc_t, dovecot_etc_t)
+')
+
########################################
## <summary>
-## All of the rules required to
-## administrate an dovecot environment.
+## All of the rules required to administrate
+## an dovecot environment
## </summary>
## <param name="domain">
## <summary>
@@ -132,7 +168,7 @@ interface(`dovecot_write_inherited_tmp_files',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the dovecot domain.
## </summary>
## </param>
## <rolecap/>
@@ -146,9 +182,13 @@ interface(`dovecot_admin',`
type dovecot_keytab_t;
')
- allow $1 dovecot_t:process { ptrace signal_perms };
+ allow $1 dovecot_t:process signal_perms;
ps_process_pattern($1, dovecot_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 dovecot_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dovecot_initrc_exec_t system_r;
@@ -157,20 +197,25 @@ interface(`dovecot_admin',`
files_list_etc($1)
admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
- logging_list_logs($1)
- admin_pattern($1, dovecot_var_log_t)
+ files_list_tmp($1)
+ admin_pattern($1, dovecot_auth_tmp_t)
+ admin_pattern($1, dovecot_tmp_t)
+
+ admin_pattern($1, dovecot_keytab_t)
files_list_spool($1)
admin_pattern($1, dovecot_spool_t)
- files_search_tmp($1)
- admin_pattern($1, { dovecot_tmp_t dovecot_auth_tmp_t dovecot_deliver_tmp_t })
-
files_list_var_lib($1)
admin_pattern($1, dovecot_var_lib_t)
+ logging_search_logs($1)
+ admin_pattern($1, dovecot_var_log_t)
+
files_list_pids($1)
admin_pattern($1, dovecot_var_run_t)
- admin_pattern($1, { dovecot_cert_t dovecot_passwd_t })
+ admin_pattern($1, dovecot_cert_t)
+
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
index 0aabc7e66..6786b1a40 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1)
attribute dovecot_domain;
-type dovecot_t, dovecot_domain;
-type dovecot_exec_t;
+dovecot_basic_types_template(dovecot)
init_daemon_domain(dovecot_t, dovecot_exec_t)
-type dovecot_auth_t, dovecot_domain;
-type dovecot_auth_exec_t;
+dovecot_basic_types_template(dovecot_auth)
domain_type(dovecot_auth_t)
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
@@ -23,8 +21,7 @@ files_tmp_file(dovecot_auth_tmp_t)
type dovecot_cert_t;
miscfiles_cert_type(dovecot_cert_t)
-type dovecot_deliver_t, dovecot_domain;
-type dovecot_deliver_exec_t;
+dovecot_basic_types_template(dovecot_deliver)
domain_type(dovecot_deliver_t)
domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
role system_r types dovecot_deliver_t;
@@ -45,11 +42,12 @@ type dovecot_passwd_t;
files_type(dovecot_passwd_t)
type dovecot_spool_t;
-files_type(dovecot_spool_t)
+files_spool_file(dovecot_spool_t)
type dovecot_tmp_t;
files_tmp_file(dovecot_tmp_t)
+# /var/lib/dovecot holds SSL parameters file
type dovecot_var_lib_t;
files_type(dovecot_var_lib_t)
@@ -59,20 +57,20 @@ logging_log_file(dovecot_var_log_t)
type dovecot_var_run_t;
files_pid_file(dovecot_var_run_t)
-########################################
+#######################################
#
-# Common local policy
+# dovecot domain local policy
#
-allow dovecot_domain self:capability2 block_suspend;
-allow dovecot_domain self:fifo_file rw_fifo_file_perms;
+allow dovecot_domain self:capability sys_resource;
+dontaudit dovecot_domain self:capability2 block_suspend;
+allow dovecot_domain self:process signal_perms;
-allow dovecot_domain dovecot_etc_t:dir list_dir_perms;
-allow dovecot_domain dovecot_etc_t:file read_file_perms;
-allow dovecot_domain dovecot_etc_t:lnk_file read_lnk_file_perms;
+allow dovecot_domain self:unix_dgram_socket create_socket_perms;
+allow dovecot_domain self:fifo_file rw_fifo_file_perms;
kernel_read_all_sysctls(dovecot_domain)
-kernel_read_system_state(dovecot_domain)
+kernel_read_network_state(dovecot_domain)
corecmd_exec_bin(dovecot_domain)
corecmd_exec_shell(dovecot_domain)
@@ -81,26 +79,36 @@ dev_read_sysfs(dovecot_domain)
dev_read_rand(dovecot_domain)
dev_read_urand(dovecot_domain)
+# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
files_read_etc_runtime_files(dovecot_domain)
-logging_send_syslog_msg(dovecot_domain)
-
-miscfiles_read_localization(dovecot_domain)
-
########################################
#
-# Local policy
+# dovecot local policy
#
-allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot };
+allow dovecot_t self:capability { dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
dontaudit dovecot_t self:capability sys_tty_config;
allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
-allow dovecot_t self:tcp_socket { accept listen };
-allow dovecot_t self:unix_stream_socket { accept connectto listen };
+allow dovecot_t self:tcp_socket create_stream_socket_perms;
+allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+
+allow dovecot_t dovecot_auth_t:process signal;
+
+allow dovecot_t dovecot_deliver_t:process signull;
allow dovecot_t dovecot_cert_t:dir list_dir_perms;
-allow dovecot_t dovecot_cert_t:file read_file_perms;
-allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms;
+read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+
+allow dovecot_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
+files_search_etc(dovecot_t)
+
+can_exec(dovecot_t, dovecot_exec_t)
allow dovecot_t dovecot_keytab_t:file read_file_perms;
@@ -108,12 +116,13 @@ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
+# Allow dovecot to create and read SSL parameters file
manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
+files_search_var_lib(dovecot_t)
+files_read_var_symlinks(dovecot_t)
manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
-append_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
-create_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
-setattr_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
@@ -125,45 +134,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file sock_file })
-can_exec(dovecot_t, dovecot_exec_t)
-
-allow dovecot_t dovecot_auth_t:process signal;
-
-domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
-
-corenet_all_recvfrom_unlabeled(dovecot_t)
corenet_all_recvfrom_netlabel(dovecot_t)
corenet_tcp_sendrecv_generic_if(dovecot_t)
corenet_tcp_sendrecv_generic_node(dovecot_t)
corenet_tcp_sendrecv_all_ports(dovecot_t)
corenet_tcp_bind_generic_node(dovecot_t)
-
-corenet_sendrecv_mail_server_packets(dovecot_t)
corenet_tcp_bind_mail_port(dovecot_t)
-corenet_sendrecv_pop_server_packets(dovecot_t)
corenet_tcp_bind_pop_port(dovecot_t)
-corenet_sendrecv_sieve_server_packets(dovecot_t)
+corenet_tcp_bind_lmtp_port(dovecot_t)
corenet_tcp_bind_sieve_port(dovecot_t)
-
-corenet_sendrecv_all_client_packets(dovecot_t)
corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
+corenet_sendrecv_pop_server_packets(dovecot_t)
+corenet_sendrecv_all_client_packets(dovecot_t)
+
+fs_getattr_all_fs(dovecot_t)
+fs_getattr_all_dirs(dovecot_t)
+fs_search_auto_mountpoints(dovecot_t)
+fs_list_inotifyfs(dovecot_t)
domain_use_interactive_fds(dovecot_t)
-files_read_var_lib_files(dovecot_t)
-files_read_var_symlinks(dovecot_t)
files_search_spool(dovecot_t)
+files_search_tmp(dovecot_t)
files_dontaudit_list_default(dovecot_t)
files_dontaudit_search_all_dirs(dovecot_t)
files_search_all_mountpoints(dovecot_t)
-
-fs_getattr_all_fs(dovecot_t)
-fs_getattr_all_dirs(dovecot_t)
-fs_search_auto_mountpoints(dovecot_t)
-fs_list_inotifyfs(dovecot_t)
+files_read_var_lib_files(dovecot_t)
init_getattr_utmp(dovecot_t)
@@ -171,45 +170,45 @@ auth_use_nsswitch(dovecot_t)
miscfiles_read_generic_certs(dovecot_t)
-userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
-userdom_use_user_terminals(dovecot_t)
+logging_send_syslog_msg(dovecot_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(dovecot_t)
- fs_manage_nfs_files(dovecot_t)
- fs_manage_nfs_symlinks(dovecot_t)
-')
+userdom_home_manager(dovecot_t)
+userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
+userdom_manage_user_home_content_dirs(dovecot_t)
+userdom_manage_user_home_content_files(dovecot_t)
+userdom_manage_user_home_content_symlinks(dovecot_t)
+userdom_manage_user_home_content_pipes(dovecot_t)
+userdom_manage_user_home_content_sockets(dovecot_t)
+userdom_filetrans_home_content(dovecot_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(dovecot_t)
- fs_manage_cifs_files(dovecot_t)
- fs_manage_cifs_symlinks(dovecot_t)
+optional_policy(`
+ mta_manage_home_rw(dovecot_t)
+ mta_mmap_home_rw(dovecot_t)
+ mta_manage_spool(dovecot_t)
')
optional_policy(`
kerberos_manage_host_rcache(dovecot_t)
kerberos_read_keytab(dovecot_t)
- kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")
+ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
kerberos_use(dovecot_t)
')
optional_policy(`
- mta_manage_spool(dovecot_t)
- mta_manage_mail_home_rw_content(dovecot_t)
- mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
- mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
+ gnome_manage_data(dovecot_t)
')
optional_policy(`
- postgresql_stream_connect(dovecot_t)
+ postfix_manage_private_sockets(dovecot_t)
+ postfix_search_spool(dovecot_t)
')
optional_policy(`
- postfix_manage_private_sockets(dovecot_t)
- postfix_search_spool(dovecot_t)
+ postgresql_stream_connect(dovecot_t)
')
optional_policy(`
+ # Handle sieve scripts
sendmail_domtrans(dovecot_t)
')
@@ -227,49 +226,73 @@ optional_policy(`
########################################
#
-# Auth local policy
+# dovecot auth local policy
#
-allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
+allow dovecot_auth_t self:capability { chown dac_read_search ipc_lock setgid setuid sys_nice };
allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
-allow dovecot_auth_t self:unix_stream_socket { accept connectto listen };
+allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
+read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+
+manage_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+manage_fifo_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
-allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
+dovecot_stream_connect_auth(dovecot_auth_t)
-files_search_pids(dovecot_auth_t)
-files_read_usr_files(dovecot_auth_t)
-files_read_var_lib_files(dovecot_auth_t)
+corecmd_exec_bin(dovecot_auth_t)
+
+logging_send_audit_msgs(dovecot_auth_t)
auth_domtrans_chk_passwd(dovecot_auth_t)
auth_use_nsswitch(dovecot_auth_t)
-init_rw_utmp(dovecot_auth_t)
+logging_send_syslog_msg(dovecot_auth_t)
-logging_send_audit_msgs(dovecot_auth_t)
+files_search_pids(dovecot_auth_t)
+files_read_usr_symlinks(dovecot_auth_t)
+files_read_var_lib_files(dovecot_auth_t)
+files_search_tmp(dovecot_auth_t)
-seutil_dontaudit_search_config(dovecot_auth_t)
+fs_getattr_xattr_fs(dovecot_auth_t)
+
+init_rw_utmp(dovecot_auth_t)
sysnet_use_ldap(dovecot_auth_t)
+systemd_login_read_pid_files(dovecot_auth_t)
+systemd_dbus_chat_logind(dovecot_auth_t)
+systemd_write_inherited_logind_sessions_pipes(dovecot_auth_t)
+
+userdom_getattr_user_home_dirs(dovecot_auth_t)
+
optional_policy(`
+ kerberos_use(dovecot_auth_t)
+
+ # for gssapi (kerberos)
userdom_list_user_tmp(dovecot_auth_t)
userdom_read_user_tmp_files(dovecot_auth_t)
userdom_read_user_tmp_symlinks(dovecot_auth_t)
')
optional_policy(`
+ mysql_search_db(dovecot_auth_t)
mysql_stream_connect(dovecot_auth_t)
mysql_read_config(dovecot_auth_t)
mysql_tcp_connect(dovecot_auth_t)
+ mysql_rw_db_sockets(dovecot_auth_t)
')
optional_policy(`
@@ -277,53 +300,79 @@ optional_policy(`
')
optional_policy(`
+ dbus_system_bus_client(dovecot_auth_t)
+ optional_policy(`
+ oddjob_dbus_chat(dovecot_auth_t)
+ oddjob_domtrans_mkhomedir(dovecot_auth_t)
+ ')
+')
+
+optional_policy(`
postfix_manage_private_sockets(dovecot_auth_t)
+ postfix_rw_inherited_master_pipes(dovecot_deliver_t)
postfix_search_spool(dovecot_auth_t)
')
########################################
#
-# Deliver local policy
+# dovecot deliver local policy
#
+allow dovecot_deliver_t dovecot_t:process signull;
+
+allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
-append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+manage_dirs_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+manage_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+logging_log_filetrans(dovecot_deliver_t, dovecot_var_log_t, { file dir })
manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
-allow dovecot_deliver_t dovecot_var_run_t:file read_file_perms;
-allow dovecot_deliver_t dovecot_var_run_t:sock_file read_sock_file_perms;
-
-stream_connect_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t, { dovecot_t dovecot_auth_t })
+read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
+read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
+dovecot_stream_connect(dovecot_deliver_t)
can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
-allow dovecot_deliver_t dovecot_t:process signull;
+auth_use_nsswitch(dovecot_deliver_t)
-fs_getattr_all_fs(dovecot_deliver_t)
+logging_append_all_logs(dovecot_deliver_t)
+logging_send_syslog_msg(dovecot_deliver_t)
-auth_use_nsswitch(dovecot_deliver_t)
+dovecot_stream_connect_auth(dovecot_deliver_t)
-logging_search_logs(dovecot_deliver_t)
+files_search_tmp(dovecot_deliver_t)
+files_dontaudit_getattr_all_dirs(dovecot_deliver_t)
+files_search_all_mountpoints(dovecot_deliver_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(dovecot_deliver_t)
- fs_manage_nfs_files(dovecot_deliver_t)
- fs_manage_nfs_symlinks(dovecot_deliver_t)
-')
+fs_getattr_all_fs(dovecot_deliver_t)
+fs_dontaudit_getattr_all_fs(dovecot_deliver_t)
+fs_dontaudit_getattr_all_dirs(dovecot_deliver_t)
+fs_dontaudit_search_cgroup_dirs(dovecot_deliver_t)
+
+userdom_manage_user_home_content_dirs(dovecot_deliver_t)
+userdom_manage_user_home_content_files(dovecot_deliver_t)
+userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
+userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+userdom_manage_user_home_content_sockets(dovecot_deliver_t)
+userdom_filetrans_home_content(dovecot_deliver_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(dovecot_deliver_t)
- fs_manage_cifs_files(dovecot_deliver_t)
- fs_manage_cifs_symlinks(dovecot_deliver_t)
+userdom_home_manager(dovecot_deliver_t)
+
+optional_policy(`
+ gnome_manage_data(dovecot_deliver_t)
')
optional_policy(`
mta_mailserver_delivery(dovecot_deliver_t)
+ mta_manage_spool(dovecot_deliver_t)
mta_read_queue(dovecot_deliver_t)
')
@@ -332,5 +381,6 @@ optional_policy(`
')
optional_policy(`
+ # Handle sieve scripts
sendmail_domtrans(dovecot_deliver_t)
')
diff --git a/dpkg.te b/dpkg.te
index 50af48c89..bb58612b0 100644
--- a/dpkg.te
+++ b/dpkg.te
@@ -49,7 +49,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t)
# Local policy
#
-allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
+allow dpkg_t self:capability { chown dac_read_search fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
allow dpkg_t self:process { setpgid fork getsched setfscreate };
allow dpkg_t self:fd use;
allow dpkg_t self:fifo_file rw_fifo_file_perms;
@@ -202,7 +202,7 @@ optional_policy(`
# Script Local policy
#
-allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
+allow dpkg_script_t self:capability { chown dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow dpkg_script_t self:fd use;
allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
diff --git a/drbd.fc b/drbd.fc
index 671a3fb6f..47b4958d0 100644
--- a/drbd.fc
+++ b/drbd.fc
@@ -3,7 +3,7 @@
/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
-/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)
+/usr/lib/ocf/resource\.d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)
/usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
/usr/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
@@ -11,3 +11,5 @@
/var/lib/drbd(/.*)? gen_context(system_u:object_r:drbd_var_lib_t,s0)
/var/lock/subsys/drbd -- gen_context(system_u:object_r:drbd_lock_t,s0)
+
+/var/run/drbd(/.*)? gen_context(system_u:object_r:drbd_var_run_t,s0)
diff --git a/drbd.if b/drbd.if
index 9a2163936..26c59868b 100644
--- a/drbd.if
+++ b/drbd.if
@@ -2,12 +2,11 @@
########################################
## <summary>
-## Execute a domain transition to
-## run drbd.
+## Execute a domain transition to run drbd.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed access.
## </summary>
## </param>
#
@@ -16,14 +15,91 @@ interface(`drbd_domtrans',`
type drbd_t, drbd_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, drbd_exec_t, drbd_t)
')
########################################
## <summary>
-## All of the rules required to
-## administrate an drbd environment.
+## Search drbd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`drbd_search_lib',`
+ gen_require(`
+ type drbd_var_lib_t;
+ ')
+
+ allow $1 drbd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read drbd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`drbd_read_lib_files',`
+ gen_require(`
+ type drbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## drbd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`drbd_manage_lib_files',`
+ gen_require(`
+ type drbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage drbd lib dirs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`drbd_manage_lib_dirs',`
+ gen_require(`
+ type drbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an drbd environment
## </summary>
## <param name="domain">
## <summary>
@@ -35,7 +111,6 @@ interface(`drbd_domtrans',`
## Role allowed access.
## </summary>
## </param>
-## <rolecap/>
#
interface(`drbd_admin',`
gen_require(`
@@ -43,9 +118,13 @@ interface(`drbd_admin',`
type drbd_var_lib_t;
')
- allow $1 drbd_t:process { ptrace signal_perms };
+ allow $1 drbd_t:process signal_perms;
ps_process_pattern($1, drbd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 drbd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, drbd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 drbd_initrc_exec_t system_r;
@@ -57,3 +136,4 @@ interface(`drbd_admin',`
files_search_var_lib($1)
admin_pattern($1, drbd_var_lib_t)
')
+
diff --git a/drbd.te b/drbd.te
index f2516cc07..b8c9fe764 100644
--- a/drbd.te
+++ b/drbd.te
@@ -18,38 +18,72 @@ files_type(drbd_var_lib_t)
type drbd_lock_t;
files_lock_file(drbd_lock_t)
+type drbd_var_run_t;
+files_pid_file(drbd_var_run_t)
+
+type drbd_tmp_t;
+files_tmp_file(drbd_tmp_t)
+
########################################
#
# Local policy
#
-allow drbd_t self:capability { kill net_admin };
+allow drbd_t self:capability { dac_read_search kill net_admin sys_admin };
dontaudit drbd_t self:capability sys_tty_config;
allow drbd_t self:fifo_file rw_fifo_file_perms;
allow drbd_t self:unix_stream_socket create_stream_socket_perms;
allow drbd_t self:netlink_socket create_socket_perms;
-allow drbd_t self:netlink_route_socket nlmsg_write;
+allow drbd_t self:netlink_route_socket rw_netlink_socket_perms;
manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
manage_lnk_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir)
+manage_dirs_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t)
+manage_files_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t)
+manage_lnk_files_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t)
+files_pid_filetrans(drbd_t, drbd_var_run_t, { file dir })
+
manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t)
files_lock_filetrans(drbd_t, drbd_lock_t, file)
-can_exec(drbd_t, drbd_exec_t)
+manage_dirs_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t)
+manage_files_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t)
+files_tmp_filetrans(drbd_t, drbd_tmp_t, {file dir})
kernel_read_system_state(drbd_t)
+kernel_load_module(drbd_t)
+
+auth_use_nsswitch(drbd_t)
+
+can_exec(drbd_t, drbd_exec_t)
+
+corecmd_exec_bin(drbd_t)
+
+corenet_tcp_connect_http_port(drbd_t)
dev_read_rand(drbd_t)
dev_read_sysfs(drbd_t)
dev_read_urand(drbd_t)
-files_read_etc_files(drbd_t)
+files_read_kernel_modules(drbd_t)
-storage_raw_read_fixed_disk(drbd_t)
+logging_send_syslog_msg(drbd_t)
+
+fs_getattr_xattr_fs(drbd_t)
-miscfiles_read_localization(drbd_t)
+modutils_read_module_config(drbd_t)
+modutils_exec_insmod(drbd_t)
+
+storage_raw_read_fixed_disk(drbd_t)
+storage_raw_write_fixed_disk(drbd_t)
sysnet_dns_name_resolve(drbd_t)
+
+optional_policy(`
+ rhcs_read_log_cluster(drbd_t)
+ rhcs_rw_cluster_tmpfs(drbd_t)
+ rhcs_manage_cluster_lib_files(drbd_t)
+')
diff --git a/dspam.fc b/dspam.fc
index 5eddac51c..b5fcb7760 100644
--- a/dspam.fc
+++ b/dspam.fc
@@ -2,11 +2,16 @@
/usr/bin/dspam -- gen_context(system_u:object_r:dspam_exec_t,s0)
-/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
+/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:dspam_script_exec_t,s0)
/var/lib/dspam(/.*)? gen_context(system_u:object_r:dspam_var_lib_t,s0)
-/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0)
/var/log/dspam(/.*)? gen_context(system_u:object_r:dspam_log_t,s0)
/var/run/dspam(/.*)? gen_context(system_u:object_r:dspam_var_run_t,s0)
+
+# web
+/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:dspam_script_exec_t,s0)
+/var/www/dspam(/.*?) gen_context(system_u:object_r:dspam_content_t,s0)
+
+/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:dspam_rw_content_t,s0)
diff --git a/dspam.if b/dspam.if
index 18f245250..a446210f0 100644
--- a/dspam.if
+++ b/dspam.if
@@ -1,13 +1,15 @@
-## <summary>Content-based spam filter designed for multi-user enterprise systems.</summary>
+
+## <summary>policy for dspam</summary>
+
########################################
## <summary>
## Execute a domain transition to run dspam.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
interface(`dspam_domtrans',`
@@ -15,35 +17,211 @@ interface(`dspam_domtrans',`
type dspam_t, dspam_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, dspam_exec_t, dspam_t)
')
-#######################################
+
+########################################
## <summary>
-## Connect to dspam using a unix
-## domain stream socket.
+## Execute dspam server in the dspam domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`dspam_initrc_domtrans',`
+ gen_require(`
+ type dspam_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, dspam_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read dspam's log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
-interface(`dspam_stream_connect',`
+interface(`dspam_read_log',`
+ gen_require(`
+ type dspam_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, dspam_log_t, dspam_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## dspam log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dspam_append_log',`
+ gen_require(`
+ type dspam_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, dspam_log_t, dspam_log_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage dspam log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dspam_manage_log',`
+ gen_require(`
+ type dspam_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, dspam_log_t, dspam_log_t)
+ manage_files_pattern($1, dspam_log_t, dspam_log_t)
+ manage_lnk_files_pattern($1, dspam_log_t, dspam_log_t)
+')
+
+########################################
+## <summary>
+## Search dspam lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dspam_search_lib',`
+ gen_require(`
+ type dspam_var_lib_t;
+ ')
+
+ allow $1 dspam_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read dspam lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dspam_read_lib_files',`
+ gen_require(`
+ type dspam_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## dspam lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dspam_manage_lib_files',`
+ gen_require(`
+ type dspam_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage dspam lib dirs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dspam_manage_lib_dirs',`
gen_require(`
- type dspam_t, dspam_var_run_t, dspam_tmp_t;
+ type dspam_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## Read dspam PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dspam_read_pid_files',`
+ gen_require(`
+ type dspam_var_run_t;
')
files_search_pids($1)
+ allow $1 dspam_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Connect to DSPAM using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dspam_stream_connect',`
+ gen_require(`
+ type dspam_t, dspam_var_run_t, dspam_tmp_t;
+ ')
+
+ files_search_pids($1)
files_search_tmp($1)
- stream_connect_pattern($1, { dspam_tmp_t dspam_var_run_t }, { dspam_tmp_t dspam_var_run_t }, dspam_t)
+ stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t)
+ stream_connect_pattern($1, dspam_tmp_t, dspam_tmp_t, dspam_t)
')
########################################
## <summary>
-## All of the rules required to
-## administrate an dspam environment.
+## All of the rules required to administrate
+## an dspam environment
## </summary>
## <param name="domain">
## <summary>
@@ -59,14 +237,20 @@ interface(`dspam_stream_connect',`
#
interface(`dspam_admin',`
gen_require(`
- type dspam_t, dspam_initrc_exec_t, dspam_log_t;
- type dspam_var_lib_t, dspam_var_run_t;
+ type dspam_t;
+ type dspam_initrc_exec_t;
+ type dspam_log_t;
+ type dspam_var_lib_t;
+ type dspam_var_run_t;
')
- allow $1 dspam_t:process { ptrace signal_perms };
+ allow $1 dspam_t:process signal_perms;
ps_process_pattern($1, dspam_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 dspam_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, dspam_initrc_exec_t)
+ dspam_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 dspam_initrc_exec_t system_r;
allow $2 system_r;
@@ -79,4 +263,5 @@ interface(`dspam_admin',`
files_search_pids($1)
admin_pattern($1, dspam_var_run_t)
+
')
diff --git a/dspam.te b/dspam.te
index ef6236335..084171673 100644
--- a/dspam.te
+++ b/dspam.te
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
allow dspam_t self:capability net_admin;
allow dspam_t self:process signal;
+
+allow dspam_t self:tcp_socket { listen accept };
+
allow dspam_t self:fifo_file rw_fifo_file_perms;
allow dspam_t self:unix_stream_socket { accept listen };
@@ -57,6 +60,12 @@ corenet_sendrecv_spamd_server_packets(dspam_t)
corenet_tcp_bind_spamd_port(dspam_t)
corenet_tcp_connect_spamd_port(dspam_t)
corenet_tcp_sendrecv_spamd_port(dspam_t)
+corenet_tcp_bind_lmtp_port(dspam_t)
+corenet_tcp_connect_lmtp_port(dspam_t)
+
+kernel_read_system_state(dspam_t)
+
+corecmd_exec_shell(dspam_t)
files_search_spool(dspam_t)
@@ -64,14 +73,32 @@ auth_use_nsswitch(dspam_t)
logging_send_syslog_msg(dspam_t)
-miscfiles_read_localization(dspam_t)
-
optional_policy(`
apache_content_template(dspam)
+ apache_content_alias_template(dspam, dspam)
+
+ read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
+
+ auth_read_passwd(dspam_script_t)
+
+ files_search_var_lib(dspam_script_t)
+
+ domain_dontaudit_read_all_domains_state(dspam_script_t)
+
+ term_dontaudit_search_ptys(dspam_script_t)
+ term_dontaudit_getattr_all_ttys(dspam_script_t)
+ term_dontaudit_getattr_all_ptys(dspam_script_t)
- list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
- manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
- manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
+ init_read_utmp(dspam_script_t)
+
+ logging_send_syslog_msg(dspam_script_t)
+
+ mta_send_mail(dspam_script_t)
+
+ optional_policy(`
+ mysql_tcp_connect(dspam_script_t)
+ mysql_stream_connect(dspam_script_t)
+ ')
')
optional_policy(`
@@ -87,3 +114,12 @@ optional_policy(`
postgresql_tcp_connect(dspam_t)
')
+
+optional_policy(`
+ postfix_rw_inherited_master_pipes(dspam_t)
+ postfix_list_spool(dspam_t)
+')
+
+optional_policy(`
+ procmail_domtrans(dspam_t)
+')
diff --git a/ejabberd.fc b/ejabberd.fc
new file mode 100644
index 000000000..e797d6209
--- /dev/null
+++ b/ejabberd.fc
@@ -0,0 +1,7 @@
+/usr/bin/ejabberdctl -- gen_context(system_u:object_r:ejabberd_exec_t,s0)
+
+/usr/lib/systemd/system/ejabberd.* -- gen_context(system_u:object_r:ejabberd_unit_t,s0)
+
+/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:ejabberd_var_lib_t,s0)
+
+/var/log/ejabberd(/.*)? gen_context(system_u:object_r:ejabberd_var_log_t,s0)
diff --git a/ejabberd.if b/ejabberd.if
new file mode 100644
index 000000000..91ef4a49b
--- /dev/null
+++ b/ejabberd.if
@@ -0,0 +1,34 @@
+## <summary>ejabberd is a Free and Open Source distributed fault-tolerant: Jabber/XMPP server. </summary>
+########################################
+## <summary>
+## All of the rules required to
+## administrate an ejabberd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ejabberd_admin',`
+ gen_require(`
+ type ejabberd_t, ejabberd_exec_t;
+ type ejabberd_var_lib_t, ejabberd_var_log_t;
+ ')
+
+ admin_process_pattern($1, ejabberd_t)
+
+ init_startstop_service($1, $2, ejabberd_t, ejabberd_initrc_exec_t, ejabberd_unit_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, ejabberd_var_lib_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, ejabberd_var_log_t)
+')
diff --git a/ejabberd.te b/ejabberd.te
new file mode 100644
index 000000000..4498b1110
--- /dev/null
+++ b/ejabberd.te
@@ -0,0 +1,62 @@
+policy_module(ejabberd,0.0)
+
+
+########################################
+#
+# Declarations
+#
+
+# Private type declarations
+type ejabberd_t;
+type ejabberd_exec_t;
+init_daemon_domain(ejabberd_t, ejabberd_exec_t)
+
+type ejabberd_unit_t;
+systemd_unit_file(ejabberd_unit_t)
+
+type ejabberd_var_lib_t;
+files_type(ejabberd_var_lib_t)
+
+type ejabberd_var_log_t;
+logging_log_file(ejabberd_var_log_t)
+
+
+# What will we allow
+allow ejabberd_t self:tcp_socket { accept bind connect create getattr getopt listen read setopt write };
+allow ejabberd_t self:udp_socket { bind connect create getattr getopt read setopt write };
+allow ejabberd_t self:unix_dgram_socket { connect create getopt setopt write };
+
+auth_use_nsswitch(ejabberd_t)
+
+corecmd_exec_bin(ejabberd_t)
+corecmd_exec_shell(ejabberd_t)
+
+corenet_tcp_bind_epmd_port(ejabberd_t)
+corenet_tcp_bind_generic_node(ejabberd_t)
+corenet_tcp_bind_generic_port(ejabberd_t)
+corenet_tcp_bind_jabber_client_port(ejabberd_t)
+corenet_tcp_bind_jabber_interserver_port(ejabberd_t)
+corenet_tcp_connect_epmd_port(ejabberd_t)
+corenet_tcp_connect_generic_port(ejabberd_t)
+corenet_tcp_connect_jabber_interserver_port(ejabberd_t)
+
+corenet_udp_bind_generic_node(ejabberd_t)
+
+dev_read_rand(ejabberd_t)
+dev_read_sysfs(ejabberd_t)
+
+files_search_var_lib(ejabberd_t, ejabberd_var_lib_t, dir)
+
+kernel_dgram_send(ejabberd_t)
+
+logging_create_devlog_dev(ejabberd_t)
+logging_log_filetrans(ejabberd_t, ejabberd_var_log_t, { dir file })
+
+manage_dirs_pattern(ejabberd_t, ejabberd_var_lib_t, ejabberd_var_lib_t)
+manage_dirs_pattern(ejabberd_t, ejabberd_var_log_t, ejabberd_var_log_t)
+manage_files_pattern(ejabberd_t, ejabberd_var_lib_t, ejabberd_var_lib_t)
+manage_files_pattern(ejabberd_t, ejabberd_var_log_t, ejabberd_var_log_t)
+
+miscfiles_read_generic_certs(ejabberd_t)
+
+sysnet_read_config(ejabberd_t)
diff --git a/entropyd.te b/entropyd.te
index b8b8328c0..7e635921e 100644
--- a/entropyd.te
+++ b/entropyd.te
@@ -12,7 +12,7 @@ policy_module(entropyd, 1.8.0)
## the entropy feeds.
## </p>
## </desc>
-gen_tunable(entropyd_use_audio, false)
+gen_tunable(entropyd_use_audio, true)
type entropyd_t;
type entropyd_exec_t;
@@ -29,7 +29,7 @@ files_pid_file(entropyd_var_run_t)
# Local policy
#
-allow entropyd_t self:capability { dac_override ipc_lock sys_admin };
+allow entropyd_t self:capability { dac_read_search ipc_lock sys_admin };
dontaudit entropyd_t self:capability sys_tty_config;
allow entropyd_t self:process signal_perms;
@@ -45,9 +45,6 @@ dev_write_urand(entropyd_t)
dev_read_rand(entropyd_t)
dev_write_rand(entropyd_t)
-files_read_etc_files(entropyd_t)
-files_read_usr_files(entropyd_t)
-
fs_getattr_all_fs(entropyd_t)
fs_search_auto_mountpoints(entropyd_t)
@@ -55,7 +52,7 @@ domain_use_interactive_fds(entropyd_t)
logging_send_syslog_msg(entropyd_t)
-miscfiles_read_localization(entropyd_t)
+auth_use_nsswitch(entropyd_t)
userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
userdom_dontaudit_search_user_home_dirs(entropyd_t)
diff --git a/etcd.fc b/etcd.fc
new file mode 100644
index 000000000..eac30a338
--- /dev/null
+++ b/etcd.fc
@@ -0,0 +1,5 @@
+/usr/lib/systemd/system/etcd.* -- gen_context(system_u:object_r:etcd_unit_file_t,s0)
+
+/usr/bin/etcd -- gen_context(system_u:object_r:etcd_exec_t,s0)
+
+/var/lib/etcd(/.*)? gen_context(system_u:object_r:etcd_var_lib_t,s0)
diff --git a/etcd.if b/etcd.if
new file mode 100644
index 000000000..d1a05a650
--- /dev/null
+++ b/etcd.if
@@ -0,0 +1,161 @@
+## <summary>A highly-available key value store for shared configuration.</summary>
+
+########################################
+## <summary>
+## Execute etcd in the etcd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`etcd_domtrans',`
+ gen_require(`
+ type etcd_t, etcd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, etcd_exec_t, etcd_t)
+')
+
+########################################
+## <summary>
+## Search etcd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`etcd_search_lib',`
+ gen_require(`
+ type etcd_var_lib_t;
+ ')
+
+ allow $1 etcd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read etcd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`etcd_read_lib_files',`
+ gen_require(`
+ type etcd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, etcd_var_lib_t, etcd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage etcd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`etcd_manage_lib_files',`
+ gen_require(`
+ type etcd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, etcd_var_lib_t, etcd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage etcd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`etcd_manage_lib_dirs',`
+ gen_require(`
+ type etcd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, etcd_var_lib_t, etcd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Execute etcd server in the etcd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`etcd_systemctl',`
+ gen_require(`
+ type etcd_t;
+ type etcd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 etcd_unit_file_t:file read_file_perms;
+ allow $1 etcd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, etcd_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an etcd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`etcd_admin',`
+ gen_require(`
+ type etcd_t;
+ type etcd_var_lib_t;
+ type etcd_unit_file_t;
+ ')
+
+ allow $1 etcd_t:process { signal_perms };
+ ps_process_pattern($1, etcd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 etcd_t:process ptrace;
+ ')
+
+ files_search_var_lib($1)
+ admin_pattern($1, etcd_var_lib_t)
+
+ etcd_systemctl($1)
+ admin_pattern($1, etcd_unit_file_t)
+ allow $1 etcd_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/etcd.te b/etcd.te
new file mode 100644
index 000000000..7cee445f6
--- /dev/null
+++ b/etcd.te
@@ -0,0 +1,42 @@
+policy_module(etcd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type etcd_t;
+type etcd_exec_t;
+init_daemon_domain(etcd_t,etcd_exec_t)
+
+permissive etcd_t;
+
+type etcd_unit_file_t;
+systemd_unit_file(etcd_unit_file_t)
+
+type etcd_var_lib_t;
+files_type(etcd_var_lib_t)
+
+########################################
+#
+# ectd local policy
+#
+
+allow etcd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(etcd_t, etcd_var_lib_t, etcd_var_lib_t)
+manage_files_pattern(etcd_t, etcd_var_lib_t, etcd_var_lib_t)
+manage_lnk_files_pattern(etcd_t, etcd_var_lib_t, etcd_var_lib_t)
+files_var_lib_filetrans(etcd_t, etcd_var_lib_t, dir)
+
+kernel_read_unix_sysctls(etcd_t)
+kernel_read_net_sysctls(etcd_t)
+
+corenet_tcp_bind_generic_node(etcd_t)
+
+corenet_tcp_bind_kubernetes_port(etcd_t)
+corenet_tcp_bind_afs3_callback_port(etcd_t)
+
+fs_getattr_xattr_fs(etcd_t)
+
+logging_send_syslog_msg(etcd_t)
diff --git a/evolution.fc b/evolution.fc
index 597f305da..85206539c 100644
--- a/evolution.fc
+++ b/evolution.fc
@@ -1,5 +1,6 @@
HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.cache/evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
diff --git a/evolution.te b/evolution.te
index c99e07c48..ab9dd9f90 100644
--- a/evolution.te
+++ b/evolution.te
@@ -168,7 +168,6 @@ dev_read_urand(evolution_t)
domain_dontaudit_read_all_domains_state(evolution_t)
-files_read_usr_files(evolution_t)
fs_search_auto_mountpoints(evolution_t)
@@ -187,7 +186,7 @@ userdom_manage_user_tmp_files(evolution_t)
userdom_manage_user_home_content_dirs(evolution_t)
userdom_manage_user_home_content_files(evolution_t)
-userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file })
+userdom_filetrans_home_content(evolution_t)
userdom_write_user_tmp_sockets(evolution_t)
@@ -286,7 +285,6 @@ stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolutio
dev_read_urand(evolution_alarm_t)
-files_read_usr_files(evolution_alarm_t)
fs_search_auto_mountpoints(evolution_alarm_t)
@@ -354,7 +352,6 @@ corecmd_exec_bin(evolution_exchange_t)
dev_read_urand(evolution_exchange_t)
-files_read_usr_files(evolution_exchange_t)
fs_search_auto_mountpoints(evolution_exchange_t)
@@ -423,7 +420,6 @@ corenet_tcp_connect_http_port(evolution_server_t)
dev_read_urand(evolution_server_t)
-files_read_usr_files(evolution_server_t)
fs_search_auto_mountpoints(evolution_server_t)
diff --git a/exim.if b/exim.if
index 9bbc6907a..4a8d0536b 100644
--- a/exim.if
+++ b/exim.if
@@ -21,35 +21,51 @@ interface(`exim_domtrans',`
########################################
## <summary>
-## Execute exim in the exim domain,
-## and allow the specified role
-## the exim domain.
+## Execute the mailman program in the mailman domain.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
+## <summary>
+## Domain allowed to transition.
+## </summary>
## </param>
## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
+## <summary>
+## The role to allow the mailman domain.
+## </summary>
## </param>
## <rolecap/>
#
interface(`exim_run',`
+ gen_require(`
+ type exim_t;
+ ')
+
+ exim_domtrans($1)
+ role $2 types exim_t;
+')
+
+########################################
+## <summary>
+## Execute exim in the exim domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`exim_initrc_domtrans',`
gen_require(`
- attribute_role exim_roles;
+ type exim_initrc_exec_t;
')
- exim_domtrans($1)
- roleattribute $2 exim_roles;
+ init_labeled_script_domtrans($1, exim_initrc_exec_t)
')
########################################
## <summary>
-## Do not audit attempts to read exim
-## temporary tmp files.
+## Do not audit attempts to read,
+## exim tmp files
## </summary>
## <param name="domain">
## <summary>
@@ -67,7 +83,7 @@ interface(`exim_dontaudit_read_tmp_files',`
########################################
## <summary>
-## Read exim temporary files.
+## Allow domain to read, exim tmp files
## </summary>
## <param name="domain">
## <summary>
@@ -86,7 +102,7 @@ interface(`exim_read_tmp_files',`
########################################
## <summary>
-## Read exim pid files.
+## Read exim PID files.
## </summary>
## <param name="domain">
## <summary>
@@ -105,7 +121,7 @@ interface(`exim_read_pid_files',`
########################################
## <summary>
-## Read exim log files.
+## Allow the specified domain to read exim's log files.
## </summary>
## <param name="domain">
## <summary>
@@ -125,7 +141,8 @@ interface(`exim_read_log',`
########################################
## <summary>
-## Append exim log files.
+## Allow the specified domain to append
+## exim log files.
## </summary>
## <param name="domain">
## <summary>
@@ -144,8 +161,7 @@ interface(`exim_append_log',`
########################################
## <summary>
-## Create, read, write, and delete
-## exim log files.
+## Allow the specified domain to manage exim's log files.
## </summary>
## <param name="domain">
## <summary>
@@ -166,7 +182,7 @@ interface(`exim_manage_log',`
########################################
## <summary>
## Create, read, write, and delete
-## exim spool directories.
+## exim spool dirs.
## </summary>
## <param name="domain">
## <summary>
@@ -276,7 +292,6 @@ interface(`exim_manage_var_lib_files',`
## Role allowed access.
## </summary>
## </param>
-## <rolecap/>
#
interface(`exim_admin',`
gen_require(`
@@ -285,10 +300,14 @@ interface(`exim_admin',`
type exim_keytab_t;
')
- allow $1 exim_t:process { ptrace signal_perms };
+ allow $1 exim_t:process signal_perms;
ps_process_pattern($1, exim_t)
- init_labeled_script_domtrans($1, exim_initrc_exec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 exim_t:process ptrace;
+ ')
+
+ exim_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 exim_initrc_exec_t system_r;
allow $2 system_r;
diff --git a/exim.te b/exim.te
index 4086c51b9..34c52e39d 100644
--- a/exim.te
+++ b/exim.te
@@ -55,7 +55,7 @@ type exim_log_t;
logging_log_file(exim_log_t)
type exim_spool_t;
-files_type(exim_spool_t)
+files_spool_file(exim_spool_t)
type exim_tmp_t;
files_tmp_file(exim_tmp_t)
@@ -72,7 +72,7 @@ ifdef(`distro_debian',`
# Local policy
#
-allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };
+allow exim_t self:capability { chown dac_read_search fowner setuid setgid sys_resource };
allow exim_t self:process { setrlimit setpgid };
allow exim_t self:fifo_file rw_fifo_file_perms;
allow exim_t self:unix_stream_socket { accept listen };
@@ -105,11 +105,10 @@ can_exec(exim_t, exim_exec_t)
kernel_read_crypto_sysctls(exim_t)
kernel_read_kernel_sysctls(exim_t)
kernel_read_network_state(exim_t)
-kernel_dontaudit_read_system_state(exim_t)
+kernel_read_system_state(exim_t)
corecmd_search_bin(exim_t)
-corenet_all_recvfrom_unlabeled(exim_t)
corenet_all_recvfrom_netlabel(exim_t)
corenet_tcp_sendrecv_generic_if(exim_t)
corenet_udp_sendrecv_generic_if(exim_t)
@@ -151,10 +150,10 @@ fs_getattr_xattr_fs(exim_t)
fs_list_inotifyfs(exim_t)
auth_use_nsswitch(exim_t)
+auth_domtrans_chk_passwd(exim_t)
logging_send_syslog_msg(exim_t)
-miscfiles_read_localization(exim_t)
miscfiles_read_generic_certs(exim_t)
userdom_dontaudit_search_user_home_dirs(exim_t)
@@ -170,9 +169,9 @@ tunable_policy(`exim_can_connect_db',`
corenet_sendrecv_mssql_client_packets(exim_t)
corenet_tcp_connect_mssql_port(exim_t)
corenet_tcp_sendrecv_mssql_port(exim_t)
- corenet_sendrecv_oracledb_client_packets(exim_t)
- corenet_tcp_connect_oracledb_port(exim_t)
- corenet_tcp_sendrecv_oracledb_port(exim_t)
+ corenet_sendrecv_oracle_client_packets(exim_t)
+ corenet_tcp_connect_oracle_port(exim_t)
+ corenet_tcp_sendrecv_oracle_port(exim_t)
')
tunable_policy(`exim_read_user_files',`
@@ -186,8 +185,8 @@ tunable_policy(`exim_manage_user_files',`
')
optional_policy(`
- clamav_domtrans_clamscan(exim_t)
- clamav_stream_connect(exim_t)
+ antivirus_domtrans(exim_t)
+ antivirus_stream_connect(exim_t)
')
optional_policy(`
@@ -210,11 +209,6 @@ optional_policy(`
')
optional_policy(`
- mailman_read_data_files(exim_t)
- mailman_domtrans(exim_t)
-')
-
-optional_policy(`
nagios_search_spool(exim_t)
')
@@ -236,6 +230,7 @@ optional_policy(`
optional_policy(`
procmail_domtrans(exim_t)
+ procmail_read_home_files(exim_t)
')
optional_policy(`
diff --git a/fail2ban.if b/fail2ban.if
index 50d0084d4..94e193606 100644
--- a/fail2ban.if
+++ b/fail2ban.if
@@ -19,57 +19,57 @@ interface(`fail2ban_domtrans',`
domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
')
-########################################
+#######################################
## <summary>
-## Execute the fail2ban client in
-## the fail2ban client domain.
+## Execute the fail2ban client in
+## the fail2ban client domain.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
+## <summary>
+## Domain allowed to transition.
+## </summary>
## </param>
#
interface(`fail2ban_domtrans_client',`
- gen_require(`
- type fail2ban_client_t, fail2ban_client_exec_t;
- ')
+ gen_require(`
+ type fail2ban_client_t, fail2ban_client_exec_t;
+ ')
- corecmd_search_bin($1)
- domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
')
-########################################
+#######################################
## <summary>
-## Execute fail2ban client in the
-## fail2ban client domain, and allow
-## the specified role the fail2ban
-## client domain.
+## Execute fail2ban client in the
+## fail2ban client domain, and allow
+## the specified role the fail2ban
+## client domain.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
+## <summary>
+## Domain allowed to transition.
+## </summary>
## </param>
## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
+## <summary>
+## Role allowed access.
+## </summary>
## </param>
#
interface(`fail2ban_run_client',`
- gen_require(`
- attribute_role fail2ban_client_roles;
- ')
+ gen_require(`
+ attribute_role fail2ban_client_roles;
+ ')
- fail2ban_domtrans_client($1)
- roleattribute $2 fail2ban_client_roles;
+ fail2ban_domtrans_client($1)
+ roleattribute $2 fail2ban_client_roles;
')
#####################################
## <summary>
-## Connect to fail2ban over a
-## unix domain stream socket.
+## Connect to fail2ban over a unix domain
+## stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -102,64 +102,63 @@ interface(`fail2ban_rw_inherited_tmp_files',`
')
files_search_tmp($1)
- allow $1 fail2ban_tmp_t:file { read write };
+ allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
')
########################################
## <summary>
-## Do not audit attempts to use
-## fail2ban file descriptors.
+## Read and write to an fail2ba unix stream socket.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`fail2ban_dontaudit_use_fds',`
+interface(`fail2ban_rw_stream_sockets',`
gen_require(`
type fail2ban_t;
')
- dontaudit $1 fail2ban_t:fd use;
+ allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
')
-########################################
+#######################################
## <summary>
-## Do not audit attempts to read and
-## write fail2ban unix stream sockets
+## Do not audit attempts to use
+## fail2ban file descriptors.
## </summary>
## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
+## <summary>
+## Domain to not audit.
+## </summary>
## </param>
#
-interface(`fail2ban_dontaudit_rw_stream_sockets',`
- gen_require(`
- type fail2ban_t;
- ')
+interface(`fail2ban_dontaudit_use_fds',`
+ gen_require(`
+ type fail2ban_t;
+ ')
- dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+ dontaudit $1 fail2ban_t:fd use;
')
-########################################
+#######################################
## <summary>
-## Read and write fail2ban unix
-## stream sockets.
+## Do not audit attempts to read and
+## write fail2ban unix stream sockets
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain to not audit.
+## </summary>
## </param>
#
-interface(`fail2ban_rw_stream_sockets',`
- gen_require(`
- type fail2ban_t;
- ')
+interface(`fail2ban_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type fail2ban_t;
+ ')
- allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
+ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
')
########################################
@@ -178,12 +177,12 @@ interface(`fail2ban_read_lib_files',`
')
files_search_var_lib($1)
- allow $1 fail2ban_var_lib_t:file read_file_perms;
+ read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
')
########################################
## <summary>
-## Read fail2ban log files.
+## Allow the specified domain to read fail2ban's log files.
## </summary>
## <param name="domain">
## <summary>
@@ -198,12 +197,14 @@ interface(`fail2ban_read_log',`
')
logging_search_logs($1)
+ allow $1 fail2ban_log_t:dir list_dir_perms;
allow $1 fail2ban_log_t:file read_file_perms;
')
########################################
## <summary>
-## Append fail2ban log files.
+## Allow the specified domain to append
+## fail2ban log files.
## </summary>
## <param name="domain">
## <summary>
@@ -217,12 +218,13 @@ interface(`fail2ban_append_log',`
')
logging_search_logs($1)
+ allow $1 fail2ban_log_t:dir list_dir_perms;
allow $1 fail2ban_log_t:file append_file_perms;
')
########################################
## <summary>
-## Read fail2ban pid files.
+## Read fail2ban PID files.
## </summary>
## <param name="domain">
## <summary>
@@ -241,8 +243,28 @@ interface(`fail2ban_read_pid_files',`
########################################
## <summary>
-## All of the rules required to
-## administrate an fail2ban environment.
+## dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_leaks',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ dontaudit $1 fail2ban_t:tcp_socket { read write };
+ dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
+ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an fail2ban environment
## </summary>
## <param name="domain">
## <summary>
@@ -251,21 +273,25 @@ interface(`fail2ban_read_pid_files',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the fail2ban domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`fail2ban_admin',`
gen_require(`
- type fail2ban_t, fail2ban_log_t, fail2ban_tmp_t;
- type fail2ban_var_run_t, fail2ban_initrc_exec_t;
- type fail2ban_var_lib_t, fail2ban_client_t;
+ type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
+ type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
+ type fail2ban_client_t;
')
- allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
+ allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 fail2ban_initrc_exec_t system_r;
@@ -277,10 +303,10 @@ interface(`fail2ban_admin',`
files_list_pids($1)
admin_pattern($1, fail2ban_var_run_t)
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, fail2ban_var_lib_t)
- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, fail2ban_tmp_t)
fail2ban_run_client($1, $2)
diff --git a/fail2ban.te b/fail2ban.te
index cf0e56772..040e11be6 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -36,8 +36,8 @@ role fail2ban_client_roles types fail2ban_client_t;
# Server Local policy
#
-allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
-allow fail2ban_t self:process signal;
+allow fail2ban_t self:capability { dac_read_search sys_tty_config };
+allow fail2ban_t self:process { setsched signal };
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
allow fail2ban_t self:unix_stream_socket { accept connectto listen };
allow fail2ban_t self:tcp_socket { accept listen };
@@ -67,7 +67,6 @@ kernel_read_system_state(fail2ban_t)
corecmd_exec_bin(fail2ban_t)
corecmd_exec_shell(fail2ban_t)
-corenet_all_recvfrom_unlabeled(fail2ban_t)
corenet_all_recvfrom_netlabel(fail2ban_t)
corenet_tcp_sendrecv_generic_if(fail2ban_t)
corenet_tcp_sendrecv_generic_node(fail2ban_t)
@@ -82,7 +81,6 @@ domain_use_interactive_fds(fail2ban_t)
domain_dontaudit_read_all_domains_state(fail2ban_t)
files_read_etc_runtime_files(fail2ban_t)
-files_read_usr_files(fail2ban_t)
files_list_var(fail2ban_t)
files_dontaudit_list_tmp(fail2ban_t)
@@ -92,24 +90,38 @@ fs_getattr_all_fs(fail2ban_t)
auth_use_nsswitch(fail2ban_t)
logging_read_all_logs(fail2ban_t)
+logging_read_audit_log(fail2ban_t)
logging_send_syslog_msg(fail2ban_t)
+logging_read_syslog_pid(fail2ban_t)
+logging_dontaudit_search_audit_logs(fail2ban_t)
+logging_mmap_generic_logs(fail2ban_t)
-miscfiles_read_localization(fail2ban_t)
+mta_send_mail(fail2ban_t)
sysnet_manage_config(fail2ban_t)
-sysnet_etc_filetrans_config(fail2ban_t)
-
-mta_send_mail(fail2ban_t)
optional_policy(`
apache_read_log(fail2ban_t)
')
optional_policy(`
+ dbus_system_bus_client(fail2ban_t)
+ dbus_connect_system_bus(fail2ban_t)
+
+ optional_policy(`
+ firewalld_dbus_chat(fail2ban_t)
+ ')
+')
+
+optional_policy(`
ftp_read_log(fail2ban_t)
')
optional_policy(`
+ gnome_dontaudit_search_config(fail2ban_t)
+')
+
+optional_policy(`
iptables_domtrans(fail2ban_t)
')
@@ -118,6 +130,10 @@ optional_policy(`
')
optional_policy(`
+ rpm_exec(fail2ban_t)
+')
+
+optional_policy(`
shorewall_domtrans(fail2ban_t)
')
@@ -126,27 +142,37 @@ optional_policy(`
# Client Local policy
#
-allow fail2ban_client_t self:capability dac_read_search;
+allow fail2ban_client_t self:capability { dac_read_search };
allow fail2ban_client_t self:unix_stream_socket { create connect write read };
domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
+dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access;
+allow fail2ban_client_t fail2ban_var_run_t:dir write;
stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
kernel_read_system_state(fail2ban_client_t)
corecmd_exec_bin(fail2ban_client_t)
+dev_read_urand(fail2ban_client_t)
+dev_read_rand(fail2ban_client_t)
+
domain_use_interactive_fds(fail2ban_client_t)
-files_read_etc_files(fail2ban_client_t)
-files_read_usr_files(fail2ban_client_t)
files_search_pids(fail2ban_client_t)
+auth_use_nsswitch(fail2ban_client_t)
+
+libs_exec_ldconfig(fail2ban_client_t)
+
logging_getattr_all_logs(fail2ban_client_t)
logging_search_all_logs(fail2ban_client_t)
-
-miscfiles_read_localization(fail2ban_client_t)
+logging_read_audit_log(fail2ban_client_t)
userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
userdom_use_user_terminals(fail2ban_client_t)
+
+optional_policy(`
+ apache_read_log(fail2ban_client_t)
+')
diff --git a/fcoe.te b/fcoe.te
index ce358fb3f..f5316ffcf 100644
--- a/fcoe.te
+++ b/fcoe.te
@@ -20,25 +20,32 @@ files_pid_file(fcoemon_var_run_t)
# Local policy
#
-allow fcoemon_t self:capability { dac_override kill net_admin };
+allow fcoemon_t self:capability { net_admin net_raw dac_read_search };
allow fcoemon_t self:fifo_file rw_fifo_file_perms;
allow fcoemon_t self:unix_stream_socket { accept listen };
allow fcoemon_t self:netlink_socket create_socket_perms;
allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms;
+allow fcoemon_t self:netlink_scsitransport_socket create_socket_perms;
+allow fcoemon_t self:packet_socket create_socket_perms;
+allow fcoemon_t self:udp_socket create_socket_perms;
manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file })
-files_read_etc_files(fcoemon_t)
-
-dev_read_sysfs(fcoemon_t)
+dev_rw_sysfs(fcoemon_t)
logging_send_syslog_msg(fcoemon_t)
miscfiles_read_localization(fcoemon_t)
+userdom_dgram_send(fcoemon_t)
+
optional_policy(`
lldpad_dgram_send(fcoemon_t)
')
+
+optional_policy(`
+ networkmanager_dgram_send(fcoemon_t)
+')
diff --git a/fetchmail.fc b/fetchmail.fc
index 133b8ee67..a47a12fe7 100644
--- a/fetchmail.fc
+++ b/fetchmail.fc
@@ -1,4 +1,5 @@
HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t,s0)
+/root/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0)
/etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0)
diff --git a/fetchmail.if b/fetchmail.if
index c3f791660..cab3954f3 100644
--- a/fetchmail.if
+++ b/fetchmail.if
@@ -23,14 +23,16 @@ interface(`fetchmail_admin',`
type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t;
')
+ ps_process_pattern($1, fetchmail_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 fetchmail_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 fetchmail_initrc_exec_t system_r;
allow $2 system_r;
- allow $1 fetchmail_t:process { ptrace signal_perms };
- ps_process_pattern($1, fetchmail_t)
-
files_list_etc($1)
admin_pattern($1, fetchmail_etc_t)
diff --git a/fetchmail.te b/fetchmail.te
index 742559a54..fa51d09dd 100644
--- a/fetchmail.te
+++ b/fetchmail.te
@@ -32,14 +32,18 @@ files_type(fetchmail_uidl_cache_t)
#
# Local policy
#
-
+allow fetchmail_t self:capability setuid;
dontaudit fetchmail_t self:capability sys_tty_config;
allow fetchmail_t self:process { signal_perms setrlimit };
allow fetchmail_t self:unix_stream_socket { accept listen };
+allow fetchmail_t self:key manage_key_perms;
allow fetchmail_t fetchmail_etc_t:file read_file_perms;
+list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
+userdom_search_user_home_dirs(fetchmail_t)
+userdom_search_admin_dir(fetchmail_t)
manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
@@ -63,7 +67,6 @@ kernel_dontaudit_read_system_state(fetchmail_t)
corecmd_exec_bin(fetchmail_t)
corecmd_exec_shell(fetchmail_t)
-corenet_all_recvfrom_unlabeled(fetchmail_t)
corenet_all_recvfrom_netlabel(fetchmail_t)
corenet_tcp_sendrecv_generic_if(fetchmail_t)
corenet_tcp_sendrecv_generic_node(fetchmail_t)
@@ -84,15 +87,24 @@ fs_search_auto_mountpoints(fetchmail_t)
domain_use_interactive_fds(fetchmail_t)
-auth_use_nsswitch(fetchmail_t)
+auth_read_passwd(fetchmail_t)
logging_send_syslog_msg(fetchmail_t)
-miscfiles_read_localization(fetchmail_t)
miscfiles_read_generic_certs(fetchmail_t)
+sysnet_dns_name_resolve(fetchmail_t)
+
userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
-userdom_search_user_home_dirs(fetchmail_t)
+
+optional_policy(`
+ mta_send_mail(fetchmail_t)
+ mta_read_spool(fetchmail_t)
+')
+
+optional_policy(`
+ kerberos_use(fetchmail_t)
+')
optional_policy(`
procmail_domtrans(fetchmail_t)
diff --git a/finger.te b/finger.te
index 35da09d97..85f1e03d4 100644
--- a/finger.te
+++ b/finger.te
@@ -45,7 +45,6 @@ logging_log_filetrans(fingerd_t, fingerd_log_t, file)
kernel_read_kernel_sysctls(fingerd_t)
kernel_read_system_state(fingerd_t)
-corenet_all_recvfrom_unlabeled(fingerd_t)
corenet_all_recvfrom_netlabel(fingerd_t)
corenet_tcp_sendrecv_generic_if(fingerd_t)
corenet_tcp_sendrecv_generic_node(fingerd_t)
@@ -63,6 +62,7 @@ dev_read_sysfs(fingerd_t)
domain_use_interactive_fds(fingerd_t)
files_read_etc_runtime_files(fingerd_t)
+files_search_home(fingerd_t)
fs_getattr_all_fs(fingerd_t)
fs_search_auto_mountpoints(fingerd_t)
@@ -71,6 +71,7 @@ term_getattr_all_ttys(fingerd_t)
term_getattr_all_ptys(fingerd_t)
auth_read_lastlog(fingerd_t)
+auth_use_nsswitch(fingerd_t)
init_read_utmp(fingerd_t)
init_dontaudit_write_utmp(fingerd_t)
@@ -79,7 +80,7 @@ logging_send_syslog_msg(fingerd_t)
mta_getattr_spool(fingerd_t)
-miscfiles_read_localization(fingerd_t)
+sysnet_read_config(fingerd_t)
userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
diff --git a/firewalld.fc b/firewalld.fc
index 21d7b8442..0e272bd0e 100644
--- a/firewalld.fc
+++ b/firewalld.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/firewalld.* -- gen_context(system_u:object_r:firewalld_unit_file_t,s0)
+
/etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
diff --git a/firewalld.if b/firewalld.if
index c62c5670a..a74f123da 100644
--- a/firewalld.if
+++ b/firewalld.if
@@ -2,7 +2,7 @@
########################################
## <summary>
-## Read firewalld configuration files.
+## Read firewalld config
## </summary>
## <param name="domain">
## <summary>
@@ -10,7 +10,7 @@
## </summary>
## </param>
#
-interface(`firewalld_read_config_files',`
+interface(`firewalld_read_config',`
gen_require(`
type firewalld_etc_rw_t;
')
@@ -21,6 +21,48 @@ interface(`firewalld_read_config_files',`
########################################
## <summary>
+## Execute firewalld server in the firewalld domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`firewalld_initrc_domtrans',`
+ gen_require(`
+ type firewalld_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute firewalld server in the firewalld domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`firewalld_systemctl',`
+ gen_require(`
+ type firewalld_t;
+ type firewalld_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 firewalld_unit_file_t:file read_file_perms;
+ allow $1 firewalld_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, firewalld_t)
+')
+
+########################################
+## <summary>
## Send and receive messages from
## firewalld over dbus.
## </summary>
@@ -42,8 +84,8 @@ interface(`firewalld_dbus_chat',`
########################################
## <summary>
-## Do not audit attempts to read, snd
-## write firewalld temporary files.
+## Dontaudit attempts to write
+## firewalld tmp files.
## </summary>
## <param name="domain">
## <summary>
@@ -51,18 +93,55 @@ interface(`firewalld_dbus_chat',`
## </summary>
## </param>
#
-interface(`firewalld_dontaudit_rw_tmp_files',`
+interface(`firewalld_dontaudit_write_tmp_files',`
gen_require(`
type firewalld_tmp_t;
')
- dontaudit $1 firewalld_tmp_t:file { read write };
+ dontaudit $1 firewalld_tmp_t:file write;
+')
+
+########################################
+## <summary>
+## Read firewalld PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firewalld_read_pid_files',`
+ gen_require(`
+ type firewalld_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 firewalld_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Dontaudit read and write leaked firewalld file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`firewalld_dontaudit_leaks',`
+ gen_require(`
+ type firewalld_tmpfs_t;
+ ')
+
+ dontaudit $1 firewalld_tmpfs_t:file rw_inherited_file_perms;
')
########################################
## <summary>
-## All of the rules required to
-## administrate an firewalld environment.
+## All of the rules required to administrate
+## an firewalld environment
## </summary>
## <param name="domain">
## <summary>
@@ -79,14 +158,18 @@ interface(`firewalld_dontaudit_rw_tmp_files',`
interface(`firewalld_admin',`
gen_require(`
type firewalld_t, firewalld_initrc_exec_t;
- type firewall_etc_rw_t, firewalld_var_run_t;
+ type firewalld_etc_rw_t, firewalld_var_run_t;
type firewalld_var_log_t;
')
- allow $1 firewalld_t:process { ptrace signal_perms };
+ allow $1 firewalld_t:process signal_perms;
ps_process_pattern($1, firewalld_t)
- init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 firewalld_t:process ptrace;
+ ')
+
+ firewalld_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 firewalld_initrc_exec_t system_r;
allow $2 system_r;
@@ -97,6 +180,9 @@ interface(`firewalld_admin',`
logging_search_logs($1)
admin_pattern($1, firewalld_var_log_t)
- files_search_etc($1)
- admin_pattern($1, firewall_etc_rw_t)
+ admin_pattern($1, firewalld_etc_rw_t)
+
+ admin_pattern($1, firewalld_unit_file_t)
+ firewalld_systemctl($1)
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
index 98072a3a1..dc0aeb347 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,15 +21,21 @@ logging_log_file(firewalld_var_log_t)
type firewalld_tmp_t;
files_tmp_file(firewalld_tmp_t)
+type firewalld_tmpfs_t;
+files_tmpfs_file(firewalld_tmpfs_t)
+
type firewalld_var_run_t;
files_pid_file(firewalld_var_run_t)
+type firewalld_unit_file_t;
+systemd_unit_file(firewalld_unit_file_t)
+
########################################
#
# Local policy
#
-allow firewalld_t self:capability { dac_override net_admin };
+allow firewalld_t self:capability { dac_read_search net_admin };
dontaudit firewalld_t self:capability sys_tty_config;
allow firewalld_t self:fifo_file rw_fifo_file_perms;
allow firewalld_t self:unix_stream_socket { accept listen };
@@ -37,6 +43,8 @@ allow firewalld_t self:udp_socket create_socket_perms;
manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+relabel_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+manage_lnk_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
allow firewalld_t firewalld_var_log_t:file append_file_perms;
allow firewalld_t firewalld_var_log_t:file create_file_perms;
@@ -48,13 +56,21 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
allow firewalld_t firewalld_tmp_t:file mmap_file_perms;
+manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, file)
+allow firewalld_t firewalld_tmpfs_t:file mmap_file_perms;
+
manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
-files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
+manage_dirs_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
+files_pid_filetrans(firewalld_t, firewalld_var_run_t, { file dir })
+can_exec(firewalld_t, firewalld_var_run_t)
kernel_read_network_state(firewalld_t)
kernel_read_system_state(firewalld_t)
kernel_rw_net_sysctls(firewalld_t)
+files_list_kernel_modules(firewalld_t)
+
corecmd_exec_bin(firewalld_t)
corecmd_exec_shell(firewalld_t)
@@ -62,21 +78,29 @@ dev_read_urand(firewalld_t)
dev_search_sysfs(firewalld_t)
domain_use_interactive_fds(firewalld_t)
+domain_obj_id_change_exemption(firewalld_t)
-files_read_etc_files(firewalld_t)
-files_read_usr_files(firewalld_t)
+files_dontaudit_access_check_tmp(firewalld_t)
files_dontaudit_list_tmp(firewalld_t)
fs_getattr_xattr_fs(firewalld_t)
+fs_dontaudit_all_access_check(firewalld_t)
-logging_send_syslog_msg(firewalld_t)
+auth_use_nsswitch(firewalld_t)
-miscfiles_read_localization(firewalld_t)
+libs_exec_ldconfig(firewalld_t)
+libs_dontaudit_write_lib_dirs(firewalld_t)
-seutil_exec_setfiles(firewalld_t)
-seutil_read_file_contexts(firewalld_t)
+logging_send_syslog_msg(firewalld_t)
+
+sysnet_dns_name_resolve(firewalld_t)
+sysnet_manage_config_dirs(firewalld_t)
+sysnet_manage_config(firewalld_t)
+sysnet_relabelfrom_net_conf(firewalld_t)
+sysnet_relabelto_net_conf(firewalld_t)
-sysnet_read_config(firewalld_t)
+userdom_dontaudit_create_admin_dir(firewalld_t)
+userdom_dontaudit_manage_admin_dir(firewalld_t)
optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t)
@@ -91,10 +115,15 @@ optional_policy(`
optional_policy(`
networkmanager_dbus_chat(firewalld_t)
+ networkmanager_stream_connect(firewalld_t)
')
')
optional_policy(`
+ gnome_read_generic_data_home_dirs(firewalld_t)
+')
+
+optional_policy(`
iptables_domtrans(firewalld_t)
')
diff --git a/firewallgui.if b/firewallgui.if
index e6866d1fd..941f4ef73 100644
--- a/firewallgui.if
+++ b/firewallgui.if
@@ -37,5 +37,5 @@ interface(`firewallgui_dontaudit_rw_pipes',`
type firewallgui_t;
')
- dontaudit $1 firewallgui_t:fifo_file rw_fifo_file_perms;
+ dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms;
')
diff --git a/firewallgui.te b/firewallgui.te
index 209454664..2481a9704 100644
--- a/firewallgui.te
+++ b/firewallgui.te
@@ -36,8 +36,10 @@ corecmd_exec_shell(firewallgui_t)
dev_read_sysfs(firewallgui_t)
dev_read_urand(firewallgui_t)
+files_manage_system_conf_files(firewallgui_t)
+files_etc_filetrans_system_conf(firewallgui_t)
+files_search_kernel_modules(firewallgui_t)
files_list_kernel_modules(firewallgui_t)
-files_read_usr_files(firewallgui_t)
auth_use_nsswitch(firewallgui_t)
@@ -60,12 +62,13 @@ optional_policy(`
')
optional_policy(`
- gnome_read_generic_gconf_home_content(firewallgui_t)
+ gnome_read_gconf_home_files(firewallgui_t)
')
optional_policy(`
iptables_domtrans(firewallgui_t)
iptables_initrc_domtrans(firewallgui_t)
+ iptables_systemctl(firewallgui_t)
')
optional_policy(`
diff --git a/firstboot.fc b/firstboot.fc
index 12c782c89..ba614e457 100644
--- a/firstboot.fc
+++ b/firstboot.fc
@@ -1,5 +1,3 @@
-/etc/rc\.d/init\.d/firstboot.* -- gen_context(system_u:object_r:firstboot_initrc_exec_t,s0)
+/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
-/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
-
-/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)
+/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)
diff --git a/firstboot.if b/firstboot.if
index 280f875f0..f3a67c911 100644
--- a/firstboot.if
+++ b/firstboot.if
@@ -1,4 +1,7 @@
-## <summary>Initial system configuration utility.</summary>
+## <summary>
+## Final system configuration run during the first boot
+## after installation of Red Hat/Fedora systems.
+## </summary>
########################################
## <summary>
@@ -15,15 +18,13 @@ interface(`firstboot_domtrans',`
type firstboot_t, firstboot_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, firstboot_exec_t, firstboot_t)
')
########################################
## <summary>
-## Execute firstboot in the firstboot
-## domain, and allow the specified role
-## the firstboot domain.
+## Execute firstboot in the firstboot domain, and
+## allow the specified role the firstboot domain.
## </summary>
## <param name="domain">
## <summary>
@@ -38,16 +39,16 @@ interface(`firstboot_domtrans',`
#
interface(`firstboot_run',`
gen_require(`
- attribute_role firstboot_roles;
+ type firstboot_t;
')
firstboot_domtrans($1)
- roleattribute $2 firstboot_roles;
+ role $2 types firstboot_t;
')
########################################
## <summary>
-## Inherit and use firstboot file descriptors.
+## Inherit and use a file descriptor from firstboot.
## </summary>
## <param name="domain">
## <summary>
@@ -65,8 +66,8 @@ interface(`firstboot_use_fds',`
########################################
## <summary>
-## Do not audit attempts to inherit
-## firstboot file descriptors.
+## Do not audit attempts to inherit a
+## file descriptor from firstboot.
## </summary>
## <param name="domain">
## <summary>
@@ -84,7 +85,26 @@ interface(`firstboot_dontaudit_use_fds',`
########################################
## <summary>
-## Write firstboot unnamed pipes.
+## dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`firstboot_dontaudit_leaks',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ dontaudit $1 firstboot_t:socket_class_set { read write };
+ dontaudit $1 firstboot_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Write to a firstboot unnamed pipe.
## </summary>
## <param name="domain">
## <summary>
@@ -97,12 +117,13 @@ interface(`firstboot_write_pipes',`
type firstboot_t;
')
+ allow $1 firstboot_t:fd use;
allow $1 firstboot_t:fifo_file write;
')
########################################
## <summary>
-## Read and Write firstboot unnamed pipes.
+## Read and Write to a firstboot unnamed pipe.
## </summary>
## <param name="domain">
## <summary>
@@ -120,8 +141,7 @@ interface(`firstboot_rw_pipes',`
########################################
## <summary>
-## Do not audit attemps to read and
-## write firstboot unnamed pipes.
+## Do not audit attemps to read and write to a firstboot unnamed pipe.
## </summary>
## <param name="domain">
## <summary>
@@ -139,9 +159,8 @@ interface(`firstboot_dontaudit_rw_pipes',`
########################################
## <summary>
-## Do not audit attemps to read and
-## write firstboot unix domain
-## stream sockets.
+## Do not audit attemps to read and write to a firstboot
+## unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
diff --git a/firstboot.te b/firstboot.te
index 5010f04e1..8d5eae955 100644
--- a/firstboot.te
+++ b/firstboot.te
@@ -1,7 +1,7 @@
policy_module(firstboot, 1.13.0)
gen_require(`
- class passwd { passwd chfn chsh rootok };
+ class passwd { passwd chfn chsh rootok crontab };
')
########################################
@@ -9,17 +9,12 @@ gen_require(`
# Declarations
#
-attribute_role firstboot_roles;
-
type firstboot_t;
type firstboot_exec_t;
init_system_domain(firstboot_t, firstboot_exec_t)
domain_obj_id_change_exemption(firstboot_t)
domain_subj_id_change_exemption(firstboot_t)
-role firstboot_roles types firstboot_t;
-
-type firstboot_initrc_exec_t;
-init_script_file(firstboot_initrc_exec_t)
+role system_r types firstboot_t;
type firstboot_etc_t;
files_config_file(firstboot_etc_t)
@@ -29,31 +24,28 @@ files_config_file(firstboot_etc_t)
# Local policy
#
-allow firstboot_t self:capability { dac_override setgid };
+allow firstboot_t self:capability { dac_read_search setgid };
allow firstboot_t self:process setfscreate;
allow firstboot_t self:fifo_file rw_fifo_file_perms;
-allow firstboot_t self:tcp_socket { accept listen };
+allow firstboot_t self:tcp_socket create_stream_socket_perms;
+allow firstboot_t self:unix_stream_socket { connect create };
allow firstboot_t self:passwd { rootok passwd chfn chsh };
allow firstboot_t firstboot_etc_t:file read_file_perms;
+files_manage_generic_tmp_dirs(firstboot_t)
+files_manage_generic_tmp_files(firstboot_t)
+
kernel_read_system_state(firstboot_t)
kernel_read_kernel_sysctls(firstboot_t)
-corecmd_exec_all_executables(firstboot_t)
+corenet_all_recvfrom_netlabel(firstboot_t)
+corenet_tcp_sendrecv_generic_if(firstboot_t)
+corenet_tcp_sendrecv_generic_node(firstboot_t)
+corenet_tcp_sendrecv_all_ports(firstboot_t)
dev_read_urand(firstboot_t)
-files_exec_etc_files(firstboot_t)
-files_manage_etc_files(firstboot_t)
-files_manage_etc_runtime_files(firstboot_t)
-files_read_usr_files(firstboot_t)
-files_manage_var_dirs(firstboot_t)
-files_manage_var_files(firstboot_t)
-files_manage_var_symlinks(firstboot_t)
-files_create_boot_flag(firstboot_t)
-files_delete_boot_flag(firstboot_t)
-
selinux_get_fs_mount(firstboot_t)
selinux_validate_context(firstboot_t)
selinux_compute_access_vector(firstboot_t)
@@ -63,6 +55,17 @@ selinux_compute_user_contexts(firstboot_t)
auth_dontaudit_getattr_shadow(firstboot_t)
+corecmd_exec_all_executables(firstboot_t)
+
+files_exec_etc_files(firstboot_t)
+files_manage_etc_files(firstboot_t)
+files_manage_etc_runtime_files(firstboot_t)
+files_manage_var_dirs(firstboot_t)
+files_manage_var_files(firstboot_t)
+files_manage_var_symlinks(firstboot_t)
+files_create_boot_flag(firstboot_t)
+files_delete_boot_flag(firstboot_t)
+
init_domtrans_script(firstboot_t)
init_rw_utmp(firstboot_t)
@@ -73,18 +76,18 @@ locallogin_use_fds(firstboot_t)
logging_send_syslog_msg(firstboot_t)
-miscfiles_read_localization(firstboot_t)
-
sysnet_dns_name_resolve(firstboot_t)
-userdom_use_user_terminals(firstboot_t)
+userdom_use_inherited_user_terminals(firstboot_t)
+
+# Add/remove user home directories
userdom_manage_user_home_content_dirs(firstboot_t)
userdom_manage_user_home_content_files(firstboot_t)
userdom_manage_user_home_content_symlinks(firstboot_t)
userdom_manage_user_home_content_pipes(firstboot_t)
userdom_manage_user_home_content_sockets(firstboot_t)
userdom_home_filetrans_user_home_dir(firstboot_t)
-userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
+userdom_filetrans_home_content(firstboot_t)
optional_policy(`
dbus_system_bus_client(firstboot_t)
@@ -102,20 +105,17 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(firstboot_t)
-')
-
-optional_policy(`
samba_rw_config(firstboot_t)
')
optional_policy(`
- unconfined_domtrans(firstboot_t)
- unconfined_domain(firstboot_t)
+ # The big hammer
+ unconfined_domain_noaudit(firstboot_t)
')
optional_policy(`
- gnome_manage_generic_home_content(firstboot_t)
+ gnome_admin_home_gconf_filetrans(firstboot_t, dir)
+ gnome_manage_config(firstboot_t)
')
optional_policy(`
diff --git a/fprintd.if b/fprintd.if
index 8081132cd..4fb5a13bc 100644
--- a/fprintd.if
+++ b/fprintd.if
@@ -19,6 +19,25 @@ interface(`fprintd_domtrans',`
domtrans_pattern($1, fprintd_exec_t, fprintd_t)
')
+######################################
+## <summary>
+## Execute fprintd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fprintd_exec',`
+ gen_require(`
+ type fprintd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, fprintd_exec_t)
+')
+
########################################
## <summary>
## Send and receive messages from
@@ -39,3 +58,22 @@ interface(`fprintd_dbus_chat',`
allow $1 fprintd_t:dbus send_msg;
allow fprintd_t $1:dbus send_msg;
')
+
+########################################
+
+## <summary>
+## Mounton fprintd lib directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fprintd_mounton_var_lib',`
+ gen_require(`
+ type fprintd_var_lib_t;
+ ')
+
+ allow $1 fprintd_var_lib_t:dir mounton;
+')
diff --git a/fprintd.te b/fprintd.te
index 92a6479a2..f0ef28ef4 100644
--- a/fprintd.te
+++ b/fprintd.te
@@ -8,6 +8,7 @@ policy_module(fprintd, 1.2.0)
type fprintd_t;
type fprintd_exec_t;
init_daemon_domain(fprintd_t, fprintd_exec_t)
+init_nnp_daemon_domain(fprintd_t)
type fprintd_var_lib_t;
files_type(fprintd_var_lib_t)
@@ -18,25 +19,29 @@ files_type(fprintd_var_lib_t)
#
allow fprintd_t self:capability sys_nice;
+allow fprintd_t self:capability2 wake_alarm;
allow fprintd_t self:process { getsched setsched signal sigkill };
allow fprintd_t self:fifo_file rw_fifo_file_perms;
+allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow fprintd_t self:unix_dgram_socket { create_socket_perms sendto };
manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
kernel_read_system_state(fprintd_t)
+corecmd_exec_bin(fprintd_t)
+
dev_list_usbfs(fprintd_t)
dev_read_sysfs(fprintd_t)
+dev_read_urand(fprintd_t)
dev_rw_generic_usb_dev(fprintd_t)
-files_read_usr_files(fprintd_t)
-
fs_getattr_all_fs(fprintd_t)
auth_use_nsswitch(fprintd_t)
-miscfiles_read_localization(fprintd_t)
+logging_send_syslog_msg(fprintd_t)
userdom_use_user_ptys(fprintd_t)
userdom_read_all_users_state(fprintd_t)
@@ -54,8 +59,21 @@ optional_policy(`
')
')
+
optional_policy(`
- policykit_domtrans_auth(fprintd_t)
policykit_read_reload(fprintd_t)
policykit_read_lib(fprintd_t)
+ policykit_domtrans_auth(fprintd_t)
+')
+
+optional_policy(`
+ rhcs_dbus_chat_cluster(fprintd_t)
+')
+
+optional_policy(`
+ udev_read_db(fprintd_t)
+')
+
+optional_policy(`
+ xserver_read_state_xdm(fprintd_t)
')
diff --git a/freeipmi.fc b/freeipmi.fc
new file mode 100644
index 000000000..0942a2e39
--- /dev/null
+++ b/freeipmi.fc
@@ -0,0 +1,17 @@
+/usr/lib/systemd/system/bmc-watchdog.* -- gen_context(system_u:object_r:freeipmi_bmc_watchdog_unit_file_t,s0)
+/usr/lib/systemd/system/ipmidetectd.* -- gen_context(system_u:object_r:freeipmi_ipmidetectd_unit_file_t,s0)
+/usr/lib/systemd/system/ipmiseld.* -- gen_context(system_u:object_r:freeipmi_ipmiseld_unit_file_t,s0)
+
+/usr/sbin/bmc-watchdog -- gen_context(system_u:object_r:freeipmi_bmc_watchdog_exec_t,s0)
+/usr/sbin/ipmidetectd -- gen_context(system_u:object_r:freeipmi_ipmidetectd_exec_t,s0)
+/usr/sbin/ipmiseld -- gen_context(system_u:object_r:freeipmi_ipmiseld_exec_t,s0)
+
+/var/cache/ipmiseld(/.*)? gen_context(system_u:object_r:freeipmi_var_cache_t,s0)
+/var/cache/ipmimonitoringsdrcache(/.*)? gen_context(system_u:object_r:freeipmi_var_cache_t,s0)
+
+/var/lib/freeipmi(/.*)? gen_context(system_u:object_r:freeipmi_var_lib_t,s0)
+
+
+/var/run/ipmidetectd\.pid -- gen_context(system_u:object_r:freeipmi_ipmidetectd_var_run_t,s0)
+/var/run/ipmiseld\.pid -- gen_context(system_u:object_r:freeipmi_ipmiseld_var_run_t,s0)
+/var/run/bmc-watchdog\.pid -- gen_context(system_u:object_r:freeipmi_bmc_watchdog_var_run_t,s0)
diff --git a/freeipmi.if b/freeipmi.if
new file mode 100644
index 000000000..dc9485309
--- /dev/null
+++ b/freeipmi.if
@@ -0,0 +1,71 @@
+## <summary>Remote-Console (out-of-band) and System Management Software (in-band) based on Intelligent Platform Management Interface specification</summary>
+
+#####################################
+## <summary>
+## Creates types and rules for a basic
+## freeipmi init daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`freeipmi_domain_template',`
+ gen_require(`
+ attribute freeipmi_domain, freeipmi_pid;
+ ')
+
+ #############################
+ #
+ # Declarations
+ #
+
+ type freeipmi_$1_t, freeipmi_domain;
+ type freeipmi_$1_exec_t;
+ init_daemon_domain(freeipmi_$1_t, freeipmi_$1_exec_t)
+ role system_r types freeipmi_$1_t;
+
+ type freeipmi_$1_unit_file_t;
+ systemd_unit_file(freeipmi_$1_unit_file_t)
+
+ type freeipmi_$1_var_run_t, freeipmi_pid;
+ files_pid_file(freeipmi_$1_var_run_t)
+
+ #############################
+ #
+ # Local policy
+ #
+
+ manage_files_pattern(freeipmi_$1_t, freeipmi_$1_var_run_t, freeipmi_$1_var_run_t)
+
+ kernel_read_system_state(freeipmi_$1_t)
+
+ corenet_all_recvfrom_netlabel(freeipmi_$1_t)
+ corenet_all_recvfrom_unlabeled(freeipmi_$1_t)
+
+ auth_use_nsswitch(freeipmi_$1_t)
+
+ logging_send_syslog_msg(freeipmi_$1_t)
+')
+
+####################################
+## <summary>
+## Connect to cluster domains over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`freeipmi_stream_connect',`
+ gen_require(`
+ attribute freeipmi_domain, freeipmi_pid;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, freeipmi_pid, freeipmi_pid, freeipmi_domain)
+')
+
diff --git a/freeipmi.te b/freeipmi.te
new file mode 100644
index 000000000..0ca4fc3e8
--- /dev/null
+++ b/freeipmi.te
@@ -0,0 +1,79 @@
+policy_module(freeipmi, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute freeipmi_domain;
+attribute freeipmi_pid;
+
+freeipmi_domain_template(ipmidetectd)
+freeipmi_domain_template(ipmiseld)
+freeipmi_domain_template(bmc_watchdog)
+
+type freeipmi_var_lib_t;
+files_type(freeipmi_var_lib_t)
+
+type freeipmi_var_cache_t;
+files_type(freeipmi_var_cache_t)
+
+########################################
+#
+# freeipmi_domain local policy
+#
+
+allow freeipmi_domain self:fifo_file rw_fifo_file_perms;
+allow freeipmi_domain self:unix_stream_socket create_stream_socket_perms;
+allow freeipmi_domain self:sem create_sem_perms;
+
+manage_dirs_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
+manage_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
+manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
+files_var_filetrans(freeipmi_domain, freeipmi_var_cache_t, { dir })
+
+manage_dirs_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
+manage_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
+manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
+files_var_lib_filetrans(freeipmi_domain, freeipmi_var_lib_t, { dir })
+
+dev_read_rand(freeipmi_domain)
+dev_read_urand(freeipmi_domain)
+dev_rw_ipmi_dev(freeipmi_domain)
+
+sysnet_dns_name_resolve(freeipmi_domain)
+
+#######################################
+#
+# bmc-watchdog local policy
+#
+
+allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem rw_sem_perms;
+
+files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid")
+
+dev_read_raw_memory(freeipmi_bmc_watchdog_t)
+
+#######################################
+#
+# ipmidetectd local policy
+#
+
+allow freeipmi_ipmidetectd_t self:tcp_socket listen;
+
+files_pid_filetrans(freeipmi_ipmidetectd_t, freeipmi_ipmidetectd_var_run_t, file, "ipmidetectd.pid")
+
+corenet_tcp_bind_freeipmi_port(freeipmi_ipmidetectd_t)
+
+#######################################
+#
+# ipmiseld local policy
+#
+
+allow freeipmi_ipmiseld_t self:capability sys_rawio;
+
+allow freeipmi_ipmiseld_t freeipmi_bmc_watchdog_t:sem rw_sem_perms;
+
+dev_read_raw_memory(freeipmi_ipmiseld_t)
+
+files_pid_filetrans(freeipmi_ipmiseld_t, freeipmi_ipmiseld_var_run_t, file, "ipmiseld.pid")
diff --git a/freqset.fc b/freqset.fc
new file mode 100644
index 000000000..3cd9c38fd
--- /dev/null
+++ b/freqset.fc
@@ -0,0 +1 @@
+/usr/lib/enlightenment/modules/cpufreq/linux-gnu-[^/]*/freqset -- gen_context(system_u:object_r:freqset_exec_t,s0)
diff --git a/freqset.if b/freqset.if
new file mode 100644
index 000000000..190ccc035
--- /dev/null
+++ b/freqset.if
@@ -0,0 +1,76 @@
+
+## <summary>policy for freqset</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the freqset domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`freqset_domtrans',`
+ gen_require(`
+ type freqset_t, freqset_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, freqset_exec_t, freqset_t)
+')
+
+########################################
+## <summary>
+## Execute freqset in the freqset domain, and
+## allow the specified role the freqset domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the freqset domain.
+## </summary>
+## </param>
+#
+interface(`freqset_run',`
+ gen_require(`
+ type freqset_t;
+ attribute_role freqset_roles;
+ ')
+
+ freqset_domtrans($1)
+ roleattribute $2 freqset_roles;
+')
+
+########################################
+## <summary>
+## Role access for freqset
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`freqset_role',`
+ gen_require(`
+ type freqset_t;
+ attribute_role freqset_roles;
+ ')
+
+ roleattribute $1 freqset_roles;
+
+ freqset_domtrans($2)
+
+ ps_process_pattern($2, freqset_t)
+ allow $2 freqset_t:process { signull signal sigkill };
+')
diff --git a/freqset.te b/freqset.te
new file mode 100644
index 000000000..0d09fbd62
--- /dev/null
+++ b/freqset.te
@@ -0,0 +1,34 @@
+policy_module(freqset, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role freqset_roles;
+roleattribute system_r freqset_roles;
+
+type freqset_t;
+type freqset_exec_t;
+application_domain(freqset_t, freqset_exec_t)
+
+role freqset_roles types freqset_t;
+
+########################################
+#
+# freqset local policy
+#
+allow freqset_t self:capability { setuid };
+
+allow freqset_t self:fifo_file manage_fifo_file_perms;
+allow freqset_t self:unix_stream_socket create_stream_socket_perms;
+
+dev_rw_sysfs(freqset_t)
+
+domain_use_interactive_fds(freqset_t)
+
+files_read_etc_files(freqset_t)
+
+miscfiles_read_localization(freqset_t)
+
+userdom_use_inherited_user_terminals(freqset_t)
diff --git a/ftp.fc b/ftp.fc
index ddb75c12c..f38075ff8 100644
--- a/ftp.fc
+++ b/ftp.fc
@@ -1,5 +1,8 @@
/etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0)
+/usr/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/usr/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
/etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
@@ -23,6 +26,7 @@
/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/proftpd\.log -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/ftp.if b/ftp.if
index 44981434b..84a4858b6 100644
--- a/ftp.if
+++ b/ftp.if
@@ -1,5 +1,67 @@
## <summary>File transfer protocol service.</summary>
+######################################
+## <summary>
+## Execute a domain transition to run ftpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ftp_domtrans',`
+ gen_require(`
+ type ftpd_t, ftpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1,ftpd_exec_t, ftpd_t)
+
+')
+
+#######################################
+## <summary>
+## Execute ftpd server in the ftpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`ftp_initrc_domtrans',`
+ gen_require(`
+ type ftpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute ftpd server in the ftpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ftp_systemctl',`
+ gen_require(`
+ type ftpd_unit_file_t;
+ type ftpd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 ftpd_unit_file_t:file read_file_perms;
+ allow $1 ftpd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ftpd_t)
+')
+
#######################################
## <summary>
## Execute a dyntransition to run anon sftpd.
@@ -179,8 +241,11 @@ interface(`ftp_admin',`
type ftpd_keytab_t;
')
- allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };
+ allow $1 ftpd_t:process signal_perms;
ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process ptrace;
+ ')
init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -204,5 +269,9 @@ interface(`ftp_admin',`
logging_list_logs($1)
admin_pattern($1, xferlog_t)
+ ftp_systemctl($1)
+ admin_pattern($1, ftpd_unit_file_t)
+ allow $1 ftpd_unit_file_t:service all_service_perms;
+
ftp_run_ftpdctl($1, $2)
')
diff --git a/ftp.te b/ftp.te
index 36838c202..952bab750 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
## be labeled public_content_rw_t.
## </p>
## </desc>
-gen_tunable(allow_ftpd_anon_write, false)
+gen_tunable(ftpd_anon_write, false)
## <desc>
## <p>
@@ -22,7 +22,7 @@ gen_tunable(allow_ftpd_anon_write, false)
## all files on the system, governed by DAC.
## </p>
## </desc>
-gen_tunable(allow_ftpd_full_access, false)
+gen_tunable(ftpd_full_access, false)
## <desc>
## <p>
@@ -30,7 +30,14 @@ gen_tunable(allow_ftpd_full_access, false)
## used for public file transfer services.
## </p>
## </desc>
-gen_tunable(allow_ftpd_use_cifs, false)
+gen_tunable(ftpd_use_cifs, false)
+
+## <desc>
+## <p>
+## Allow ftpd to use ntfs/fusefs volumes.
+## </p>
+## </desc>
+gen_tunable(ftpd_use_fusefs, false)
## <desc>
## <p>
@@ -38,7 +45,7 @@ gen_tunable(allow_ftpd_use_cifs, false)
## used for public file transfer services.
## </p>
## </desc>
-gen_tunable(allow_ftpd_use_nfs, false)
+gen_tunable(ftpd_use_nfs, false)
## <desc>
## <p>
@@ -64,49 +71,6 @@ gen_tunable(ftpd_use_passive_mode, false)
## </desc>
gen_tunable(ftpd_connect_all_unreserved, false)
-## <desc>
-## <p>
-## Determine whether ftpd can read and write
-## files in user home directories.
-## </p>
-## </desc>
-gen_tunable(ftp_home_dir, false)
-
-## <desc>
-## <p>
-## Determine whether sftpd can modify
-## public files used for public file
-## transfer services. Directories/Files must
-## be labeled public_content_rw_t.
-## </p>
-## </desc>
-gen_tunable(sftpd_anon_write, false)
-
-## <desc>
-## <p>
-## Determine whether sftpd-can read and write
-## files in user home directories.
-## </p>
-## </desc>
-gen_tunable(sftpd_enable_homedirs, false)
-
-## <desc>
-## <p>
-## Determine whether sftpd-can login to
-## local users and read and write all
-## files on the system, governed by DAC.
-## </p>
-## </desc>
-gen_tunable(sftpd_full_access, false)
-
-## <desc>
-## <p>
-## Determine whether sftpd can read and write
-## files in user ssh home directories.
-## </p>
-## </desc>
-gen_tunable(sftpd_write_ssh_home, false)
-
attribute_role ftpdctl_roles;
type anon_sftpd_t;
@@ -124,6 +88,9 @@ files_config_file(ftpd_etc_t)
type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t)
+type ftpd_unit_file_t;
+systemd_unit_file(ftpd_unit_file_t)
+
type ftpd_keytab_t;
files_type(ftpd_keytab_t)
@@ -184,6 +151,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms;
allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
+manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
+
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
@@ -198,22 +168,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
-allow ftpd_t xferlog_t:dir setattr_dir_perms;
-append_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-create_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-setattr_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-logging_log_filetrans(ftpd_t, xferlog_t, file)
+manage_dirs_pattern(ftpd_t, xferlog_t, xferlog_t)
+manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
+logging_log_filetrans(ftpd_t, xferlog_t, { dir file })
kernel_read_kernel_sysctls(ftpd_t)
kernel_read_system_state(ftpd_t)
-kernel_search_network_state(ftpd_t)
+kernel_read_network_state(ftpd_t)
dev_read_sysfs(ftpd_t)
dev_read_urand(ftpd_t)
corecmd_exec_bin(ftpd_t)
-corenet_all_recvfrom_unlabeled(ftpd_t)
corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_generic_if(ftpd_t)
corenet_udp_sendrecv_generic_if(ftpd_t)
@@ -229,9 +196,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
corenet_sendrecv_ftp_data_server_packets(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
+corenet_tcp_bind_generic_port(ftpd_t)
+corenet_tcp_bind_all_ephemeral_ports(ftpd_t)
+corenet_tcp_connect_all_ephemeral_ports(ftpd_t)
+
domain_use_interactive_fds(ftpd_t)
-files_read_etc_files(ftpd_t)
files_read_etc_runtime_files(ftpd_t)
files_search_var_lib(ftpd_t)
@@ -250,7 +220,6 @@ logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t)
logging_set_loginuid(ftpd_t)
-miscfiles_read_localization(ftpd_t)
miscfiles_read_public_files(ftpd_t)
seutil_dontaudit_search_config(ftpd_t)
@@ -259,32 +228,55 @@ sysnet_use_ldap(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t)
+userdom_filetrans_home_content(ftpd_t)
+userdom_manage_user_home_content_dirs(ftpd_t)
+userdom_manage_user_home_content_files(ftpd_t)
+userdom_manage_user_tmp_dirs(ftpd_t)
+userdom_manage_user_tmp_files(ftpd_t)
-tunable_policy(`allow_ftpd_anon_write',`
+
+tunable_policy(`ftpd_anon_write',`
miscfiles_manage_public_files(ftpd_t)
')
-tunable_policy(`allow_ftpd_use_cifs',`
+tunable_policy(`ftpd_use_cifs',`
fs_read_cifs_files(ftpd_t)
fs_read_cifs_symlinks(ftpd_t)
')
-tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
+tunable_policy(`ftpd_use_cifs && ftpd_anon_write',`
fs_manage_cifs_files(ftpd_t)
')
-tunable_policy(`allow_ftpd_use_nfs',`
+tunable_policy(`ftpd_use_fusefs',`
+ fs_manage_fusefs_dirs(ftpd_t)
+ fs_manage_fusefs_files(ftpd_t)
+ fs_manage_fusefs_symlinks(ftpd_t)
+',`
+ fs_search_fusefs(ftpd_t)
+')
+
+tunable_policy(`ftpd_use_nfs',`
fs_read_nfs_files(ftpd_t)
fs_read_nfs_symlinks(ftpd_t)
')
-tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
+tunable_policy(`ftpd_use_nfs && ftpd_anon_write',`
fs_manage_nfs_files(ftpd_t)
')
-tunable_policy(`allow_ftpd_full_access',`
- allow ftpd_t self:capability { dac_override dac_read_search };
- files_manage_non_auth_files(ftpd_t)
+tunable_policy(`ftpd_full_access',`
+ allow ftpd_t self:capability { dac_read_search };
+ files_manage_non_security_dirs(ftpd_t)
+ files_manage_non_security_files(ftpd_t)
+')
+
+tunable_policy(`ftpd_use_passive_mode',`
+ corenet_tcp_bind_all_unreserved_ports(ftpd_t)
+')
+
+tunable_policy(`ftpd_connect_all_unreserved',`
+ corenet_tcp_connect_all_unreserved_ports(ftpd_t)
')
tunable_policy(`ftpd_use_passive_mode',`
@@ -304,44 +296,24 @@ tunable_policy(`ftpd_connect_db',`
corenet_sendrecv_mssql_client_packets(ftpd_t)
corenet_tcp_connect_mssql_port(ftpd_t)
corenet_tcp_sendrecv_mssql_port(ftpd_t)
- corenet_sendrecv_oracledb_client_packets(ftpd_t)
- corenet_tcp_connect_oracledb_port(ftpd_t)
- corenet_tcp_sendrecv_oracledb_port(ftpd_t)
+ corenet_sendrecv_oracle_client_packets(ftpd_t)
+ corenet_tcp_connect_oracle_port(ftpd_t)
+ corenet_tcp_sendrecv_oracle_port(ftpd_t)
')
-tunable_policy(`ftp_home_dir',`
- allow ftpd_t self:capability { dac_override dac_read_search };
-
- userdom_manage_user_home_content_dirs(ftpd_t)
- userdom_manage_user_home_content_files(ftpd_t)
- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
- userdom_manage_user_tmp_dirs(ftpd_t)
- userdom_manage_user_tmp_files(ftpd_t)
- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
-',`
- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
-')
-
-tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
+tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(ftpd_t)
fs_manage_nfs_files(ftpd_t)
fs_manage_nfs_symlinks(ftpd_t)
')
-tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
+tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(ftpd_t)
fs_manage_cifs_files(ftpd_t)
fs_manage_cifs_symlinks(ftpd_t)
')
optional_policy(`
- tunable_policy(`ftp_home_dir',`
- apache_search_sys_content(ftpd_t)
- ')
-')
-
-optional_policy(`
corecmd_exec_shell(ftpd_t)
files_read_usr_files(ftpd_t)
@@ -363,9 +335,8 @@ optional_policy(`
optional_policy(`
selinux_validate_context(ftpd_t)
-
kerberos_read_keytab(ftpd_t)
- kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0")
kerberos_use(ftpd_t)
')
@@ -410,92 +381,49 @@ optional_policy(`
udev_read_db(ftpd_t)
')
+optional_policy(`
+ apache_manage_user_content(ftpd_t)
+')
+
########################################
#
# Ctl local policy
#
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
+files_search_pids(ftpdctl_t)
allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
-files_read_etc_files(ftpdctl_t)
files_search_pids(ftpdctl_t)
-userdom_use_user_terminals(ftpdctl_t)
+userdom_use_inherited_user_terminals(ftpdctl_t)
########################################
#
# Anon sftpd local policy
#
-files_read_etc_files(anon_sftpd_t)
-
miscfiles_read_public_files(anon_sftpd_t)
-tunable_policy(`sftpd_anon_write',`
- miscfiles_manage_public_files(anon_sftpd_t)
-')
-
########################################
#
# Sftpd local policy
#
-files_read_etc_files(sftpd_t)
userdom_read_user_home_content_files(sftpd_t)
userdom_read_user_home_content_symlinks(sftpd_t)
+userdom_dontaudit_list_admin_dir(sftpd_t)
-tunable_policy(`sftpd_enable_homedirs',`
- allow sftpd_t self:capability { dac_override dac_read_search };
+userdom_filetrans_home_content(sftpd_t)
+userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
userdom_manage_user_home_content_dirs(sftpd_t)
userdom_manage_user_home_content_files(sftpd_t)
- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
userdom_manage_user_tmp_dirs(sftpd_t)
userdom_manage_user_tmp_files(sftpd_t)
- userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
-',`
- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
- userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
-')
-
-tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
- fs_manage_nfs_dirs(sftpd_t)
- fs_manage_nfs_files(sftpd_t)
- fs_manage_nfs_symlinks(sftpd_t)
-')
-
-tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
- fs_manage_cifs_dirs(sftpd_t)
- fs_manage_cifs_files(sftpd_t)
- fs_manage_cifs_symlinks(sftpd_t)
-')
-
-tunable_policy(`sftpd_anon_write',`
- miscfiles_manage_public_files(sftpd_t)
-')
-
-tunable_policy(`sftpd_full_access',`
- allow sftpd_t self:capability { dac_override dac_read_search };
- fs_read_noxattr_fs_files(sftpd_t)
- files_manage_non_auth_files(sftpd_t)
-')
-
-tunable_policy(`sftpd_write_ssh_home',`
- ssh_manage_home_files(sftpd_t)
-')
-tunable_policy(`use_samba_home_dirs',`
- fs_list_cifs(sftpd_t)
- fs_read_cifs_files(sftpd_t)
- fs_read_cifs_symlinks(sftpd_t)
-')
+userdom_home_reader(sftpd_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_list_nfs(sftpd_t)
- fs_read_nfs_files(sftpd_t)
- fs_read_nfs_symlinks(ftpd_t)
-')
diff --git a/fwupd.fc b/fwupd.fc
new file mode 100644
index 000000000..859dc40ed
--- /dev/null
+++ b/fwupd.fc
@@ -0,0 +1,10 @@
+/usr/lib/systemd/system/fwupd-offline-update.* -- gen_context(system_u:object_r:fwupd_unit_file_t,s0)
+/usr/lib/systemd/system/fwupd.* -- gen_context(system_u:object_r:fwupd_unit_file_t,s0)
+
+/etc/pki/(fwupd|fwupd-metadata)(/.*)? gen_context(system_u:object_r:fwupd_cert_t,s0)
+
+/usr/libexec/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0)
+
+/var/cache/app-info(/.*)? gen_context(system_u:object_r:fwupd_cache_t,s0)
+
+/var/lib/fwupd(/.*)? gen_context(system_u:object_r:fwupd_var_lib_t,s0)
diff --git a/fwupd.if b/fwupd.if
new file mode 100644
index 000000000..daef19015
--- /dev/null
+++ b/fwupd.if
@@ -0,0 +1,281 @@
+
+## <summary>fwupd is a daemon to allow session software to update device firmware</summary>
+
+########################################
+## <summary>
+## Execute fwupd_exec_t in the fwupd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fwupd_domtrans',`
+ gen_require(`
+ type fwupd_t, fwupd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, fwupd_exec_t, fwupd_t)
+')
+
+######################################
+## <summary>
+## Execute fwupd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fwupd_exec',`
+ gen_require(`
+ type fwupd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, fwupd_exec_t)
+')
+
+########################################
+## <summary>
+## Search fwupd cache directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fwupd_search_cache',`
+ gen_require(`
+ type fwupd_cache_t;
+ ')
+
+ allow $1 fwupd_cache_t:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+## <summary>
+## Read fwupd cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fwupd_read_cache_files',`
+ gen_require(`
+ type fwupd_cache_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, fwupd_cache_t, fwupd_cache_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## fwupd cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fwupd_manage_cache_files',`
+ gen_require(`
+ type fwupd_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, fwupd_cache_t, fwupd_cache_t)
+')
+
+########################################
+## <summary>
+## Manage fwupd cache dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fwupd_manage_cache_dirs',`
+ gen_require(`
+ type fwupd_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, fwupd_cache_t, fwupd_cache_t)
+')
+
+
+########################################
+## <summary>
+## Search fwupd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fwupd_search_lib',`
+ gen_require(`
+ type fwupd_var_lib_t;
+ ')
+
+ allow $1 fwupd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read fwupd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fwupd_read_lib_files',`
+ gen_require(`
+ type fwupd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, fwupd_var_lib_t, fwupd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage fwupd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fwupd_manage_lib_files',`
+ gen_require(`
+ type fwupd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, fwupd_var_lib_t, fwupd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage fwupd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fwupd_manage_lib_dirs',`
+ gen_require(`
+ type fwupd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, fwupd_var_lib_t, fwupd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Execute fwupd server in the fwupd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fwupd_systemctl',`
+ gen_require(`
+ type fwupd_t;
+ type fwupd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 fwupd_unit_file_t:file read_file_perms;
+ allow $1 fwupd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, fwupd_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an fwupd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fwupd_admin',`
+ gen_require(`
+ type fwupd_t;
+ type fwupd_cache_t;
+ type fwupd_var_lib_t;
+ type fwupd_unit_file_t;
+ ')
+
+ allow $1 fwupd_t:process { signal_perms };
+ ps_process_pattern($1, fwupd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 fwupd_t:process ptrace;
+ ')
+
+ files_search_var($1)
+ admin_pattern($1, fwupd_cache_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, fwupd_var_lib_t)
+
+ fwupd_systemctl($1)
+ admin_pattern($1, fwupd_unit_file_t)
+ allow $1 fwupd_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## fwupd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fwupd_dbus_chat',`
+ gen_require(`
+ type fwupd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 fwupd_t:dbus send_msg;
+ allow fwupd_t $1:dbus send_msg;
+')
diff --git a/fwupd.te b/fwupd.te
new file mode 100644
index 000000000..7bf263a6c
--- /dev/null
+++ b/fwupd.te
@@ -0,0 +1,70 @@
+policy_module(fwupd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type fwupd_t;
+type fwupd_exec_t;
+init_daemon_domain(fwupd_t, fwupd_exec_t)
+
+type fwupd_cache_t;
+files_type(fwupd_cache_t)
+
+type fwupd_cert_t;
+miscfiles_cert_type(fwupd_cert_t)
+
+type fwupd_var_lib_t;
+files_type(fwupd_var_lib_t)
+files_mountpoint(fwupd_var_lib_t)
+
+type fwupd_unit_file_t;
+systemd_unit_file(fwupd_unit_file_t)
+
+########################################
+#
+# fwupd local policy
+#
+allow fwupd_t self:fifo_file rw_fifo_file_perms;
+allow fwupd_t self:unix_stream_socket create_stream_socket_perms;
+allow fwupd_t self:netlink_kobject_uevent_socket create_socket_perms;;
+
+manage_dirs_pattern(fwupd_t, fwupd_cache_t, fwupd_cache_t)
+manage_files_pattern(fwupd_t, fwupd_cache_t, fwupd_cache_t)
+manage_lnk_files_pattern(fwupd_t, fwupd_cache_t, fwupd_cache_t)
+files_var_filetrans(fwupd_t, fwupd_cache_t, { dir })
+
+allow fwupd_t fwupd_cert_t:dir list_dir_perms;
+read_files_pattern(fwupd_t, fwupd_cert_t, fwupd_cert_t)
+read_lnk_files_pattern(fwupd_t, fwupd_cert_t, fwupd_cert_t)
+
+manage_dirs_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t)
+manage_files_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t)
+manage_lnk_files_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t)
+files_var_lib_filetrans(fwupd_t, fwupd_var_lib_t, { dir })
+
+kernel_dgram_send(fwupd_t)
+
+auth_read_passwd(fwupd_t)
+
+dev_rw_sysfs(fwupd_t)
+dev_rw_generic_usb_dev(fwupd_t)
+dev_read_raw_memory(fwupd_t)
+
+fs_getattr_all_fs(fwupd_t)
+
+logging_send_syslog_msg(fwupd_t)
+
+udev_read_pid_files(fwupd_t)
+
+optional_policy(`
+ dbus_system_domain(fwupd_t,fwupd_exec_t)
+ optional_policy(`
+ policykit_dbus_chat(fwupd_t)
+ ')
+')
+
+optional_policy(`
+ unconfined_domain(fwupd_t)
+')
diff --git a/games.if b/games.if
index e2a3e0dba..50ebd4080 100644
--- a/games.if
+++ b/games.if
@@ -58,3 +58,23 @@ interface(`games_rw_data',`
files_search_var_lib($1)
rw_files_pattern($1, games_data_t, games_data_t)
')
+
+########################################
+## <summary>
+## Manage games data files.
+## games data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`games_manage_data_files',`
+ gen_require(`
+ type games_data_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, games_data_t, games_data_t)
+')
diff --git a/games.te b/games.te
index e5b15fb7e..220622e84 100644
--- a/games.te
+++ b/games.te
@@ -76,8 +76,6 @@ init_use_script_ptys(games_srv_t)
logging_send_syslog_msg(games_srv_t)
-miscfiles_read_localization(games_srv_t)
-
userdom_dontaudit_use_unpriv_user_fds(games_srv_t)
userdom_dontaudit_search_user_home_dirs(games_srv_t)
@@ -120,7 +118,6 @@ kernel_read_system_state(games_t)
corecmd_exec_bin(games_t)
-corenet_all_recvfrom_unlabeled(games_t)
corenet_all_recvfrom_netlabel(games_t)
corenet_tcp_sendrecv_generic_if(games_t)
corenet_tcp_sendrecv_generic_node(games_t)
@@ -142,8 +139,6 @@ dev_write_sound(games_t)
files_list_var(games_t)
files_search_var_lib(games_t)
files_dontaudit_search_var(games_t)
-files_read_etc_files(games_t)
-files_read_usr_files(games_t)
files_read_var_files(games_t)
init_dontaudit_rw_utmp(games_t)
@@ -151,7 +146,6 @@ init_dontaudit_rw_utmp(games_t)
logging_dontaudit_search_logs(games_t)
miscfiles_read_man_pages(games_t)
-miscfiles_read_localization(games_t)
sysnet_dns_name_resolve(games_t)
@@ -161,7 +155,7 @@ userdom_manage_user_tmp_symlinks(games_t)
userdom_manage_user_tmp_sockets(games_t)
userdom_dontaudit_read_user_home_content_files(games_t)
-tunable_policy(`allow_execmem',`
+tunable_policy(`deny_execmem',`', `
allow games_t self:process execmem;
')
diff --git a/gatekeeper.te b/gatekeeper.te
index 28203689c..88c98f481 100644
--- a/gatekeeper.te
+++ b/gatekeeper.te
@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(gatekeeper_t)
corecmd_list_bin(gatekeeper_t)
-corenet_all_recvfrom_unlabeled(gatekeeper_t)
corenet_all_recvfrom_netlabel(gatekeeper_t)
corenet_tcp_sendrecv_generic_if(gatekeeper_t)
corenet_udp_sendrecv_generic_if(gatekeeper_t)
@@ -77,15 +76,11 @@ dev_read_urand(gatekeeper_t)
domain_use_interactive_fds(gatekeeper_t)
-files_read_etc_files(gatekeeper_t)
-
fs_getattr_all_fs(gatekeeper_t)
fs_search_auto_mountpoints(gatekeeper_t)
logging_send_syslog_msg(gatekeeper_t)
-miscfiles_read_localization(gatekeeper_t)
-
sysnet_read_config(gatekeeper_t)
userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
diff --git a/gear.fc b/gear.fc
new file mode 100644
index 000000000..98c012c6e
--- /dev/null
+++ b/gear.fc
@@ -0,0 +1,7 @@
+/usr/bin/gear -- gen_context(system_u:object_r:gear_exec_t,s0)
+
+/usr/lib/systemd/system/gear.service -- gen_context(system_u:object_r:gear_unit_file_t,s0)
+
+/var/lib/containers(/.*)? gen_context(system_u:object_r:gear_var_lib_t,s0)
+/var/lib/containers/units(/.*)? gen_context(system_u:object_r:gear_unit_file_t,s0)
+/var/lib/gear(/.*)? gen_context(system_u:object_r:gear_var_lib_t,s0)
diff --git a/gear.if b/gear.if
new file mode 100644
index 000000000..d745c675f
--- /dev/null
+++ b/gear.if
@@ -0,0 +1,289 @@
+
+## <summary>The open-source application container engine.</summary>
+
+########################################
+## <summary>
+## Execute gear in the gear domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gear_domtrans',`
+ gen_require(`
+ type gear_t, gear_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gear_exec_t, gear_t)
+')
+
+########################################
+## <summary>
+## Search gear lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gear_search_lib',`
+ gen_require(`
+ type gear_var_lib_t;
+ ')
+
+ allow $1 gear_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Execute gear lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gear_exec_lib',`
+ gen_require(`
+ type gear_var_lib_t;
+ ')
+
+ allow $1 gear_var_lib_t:dir search_dir_perms;
+ can_exec($1, gear_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read gear lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gear_read_lib_files',`
+ gen_require(`
+ type gear_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gear lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gear_manage_lib_files',`
+ gen_require(`
+ type gear_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
+ manage_lnk_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gear lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gear_manage_lib_dirs',`
+ gen_require(`
+ type gear_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, gear_var_lib_t, gear_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create objects in a gear var lib directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gear_lib_filetrans',`
+ gen_require(`
+ type gear_var_lib_t;
+ ')
+
+ filetrans_pattern($1, gear_var_lib_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Read gear PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gear_read_pid_files',`
+ gen_require(`
+ type gear_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, gear_var_run_t, gear_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute gear server in the gear domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gear_systemctl',`
+ gen_require(`
+ type gear_t;
+ type gear_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 gear_unit_file_t:file read_file_perms;
+ allow $1 gear_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, gear_t)
+')
+
+########################################
+## <summary>
+## Read and write gear shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gear_rw_sem',`
+ gen_require(`
+ type gear_t;
+ ')
+
+ allow $1 gear_t:sem rw_sem_perms;
+')
+
+#######################################
+## <summary>
+## Read and write the gear pty type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gear_use_ptys',`
+ gen_require(`
+ type gear_devpts_t;
+ ')
+
+ allow $1 gear_devpts_t:chr_file rw_term_perms;
+')
+
+#######################################
+## <summary>
+## Allow domain to create gear content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gear_filetrans_named_content',`
+ gen_require(`
+ type gear_var_lib_t;
+ type gear_var_run_t;
+ ')
+
+ files_pid_filetrans($1, gear_var_run_t, file, "gear.pid")
+ files_var_lib_filetrans($1, gear_var_lib_t, dir, "gear")
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an gear environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gear_admin',`
+ gen_require(`
+ type gear_t;
+ type gear_var_lib_t, gear_var_run_t;
+ type gear_unit_file_t;
+ type gear_lock_t;
+ type gear_log_t;
+ ')
+
+ allow $1 gear_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gear_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, gear_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gear_var_run_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, gear_log_t)
+
+ gear_systemctl($1)
+ admin_pattern($1, gear_unit_file_t)
+ allow $1 gear_unit_file_t:service all_service_perms;
+')
diff --git a/gear.te b/gear.te
new file mode 100644
index 000000000..f6bf0a10e
--- /dev/null
+++ b/gear.te
@@ -0,0 +1,136 @@
+policy_module(gear, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gear_t;
+type gear_exec_t;
+init_daemon_domain(gear_t, gear_exec_t)
+
+type gear_var_lib_t;
+files_type(gear_var_lib_t)
+
+type gear_log_t;
+logging_log_file(gear_log_t)
+
+type gear_var_run_t;
+files_pid_file(gear_var_run_t)
+
+type gear_unit_file_t;
+systemd_unit_file(gear_unit_file_t)
+
+########################################
+#
+# gear local policy
+#
+allow gear_t self:capability { chown net_admin fowner dac_read_search };
+dontaudit gear_t self:capability sys_ptrace;
+allow gear_t self:capability2 block_suspend;
+allow gear_t self:process { getattr signal_perms };
+allow gear_t self:fifo_file rw_fifo_file_perms;
+allow gear_t self:unix_stream_socket create_stream_socket_perms;
+allow gear_t self:tcp_socket create_stream_socket_perms;
+
+allow gear_t gear_unit_file_t:file read_file_perms;
+allow gear_t gear_unit_file_t:service manage_service_perms;
+allow gear_t gear_unit_file_t:dir { relabelfrom relabelto };
+manage_dirs_pattern(gear_t, gear_unit_file_t, gear_unit_file_t)
+
+manage_dirs_pattern(gear_t, gear_log_t, gear_log_t)
+manage_files_pattern(gear_t, gear_log_t, gear_log_t)
+manage_lnk_files_pattern(gear_t, gear_log_t, gear_log_t)
+logging_log_filetrans(gear_t, gear_log_t, { dir file lnk_file })
+
+gear_filetrans_named_content(gear_t)
+
+manage_dirs_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+manage_chr_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+manage_blk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+manage_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+manage_lnk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+files_var_lib_filetrans(gear_t, gear_var_lib_t, { dir file lnk_file })
+allow gear_t gear_var_lib_t:dir { relabelfrom relabelto };
+
+manage_dirs_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+manage_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+manage_sock_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+manage_lnk_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+files_pid_filetrans(gear_t, gear_var_run_t, { dir file lnk_file sock_file })
+init_pid_filetrans(gear_t, gear_var_run_t, { dir file lnk_file sock_file })
+
+kernel_read_system_state(gear_t)
+kernel_read_network_state(gear_t)
+kernel_read_all_sysctls(gear_t)
+kernel_rw_net_sysctls(gear_t)
+
+domain_use_interactive_fds(gear_t)
+domain_read_all_domains_state(gear_t)
+
+corecmd_exec_bin(gear_t)
+corecmd_exec_shell(gear_t)
+
+corenet_tcp_bind_generic_node(gear_t)
+corenet_tcp_sendrecv_generic_if(gear_t)
+corenet_tcp_sendrecv_generic_node(gear_t)
+corenet_tcp_sendrecv_generic_port(gear_t)
+corenet_tcp_bind_gear_port(gear_t)
+
+dev_mounton_sysfs(gear_t)
+dev_mount_sysfs_fs(gear_t)
+dev_unmount_sysfs_fs(gear_t)
+
+files_mounton_rootfs(gear_t)
+files_read_etc_files(gear_t)
+
+fs_list_cgroup_dirs(gear_t)
+fs_read_cgroup_files(gear_t)
+fs_read_tmpfs_symlinks(gear_t)
+fs_getattr_all_fs(gear_t)
+
+auth_use_nsswitch(gear_t)
+
+init_read_state(gear_t)
+init_dbus_chat(gear_t)
+init_enable_services(gear_t)
+
+iptables_domtrans(gear_t)
+
+logging_send_audit_msgs(gear_t)
+logging_send_syslog_msg(gear_t)
+logging_read_generic_logs(gear_t)
+
+miscfiles_read_localization(gear_t)
+
+mount_domtrans(gear_t)
+
+selinux_validate_context(gear_t)
+
+seutil_read_default_contexts(gear_t)
+seutil_read_config(gear_t)
+
+sysnet_dns_name_resolve(gear_t)
+
+sysnet_exec_ifconfig(gear_t)
+sysnet_manage_ifconfig_run(gear_t)
+
+systemd_manage_all_unit_files(gear_t)
+systemd_exec_systemctl(gear_t)
+
+usermanage_domtrans_useradd(gear_t)
+usermanage_domtrans_passwd(gear_t)
+
+optional_policy(`
+ hostname_exec(gear_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(gear_t)
+')
+
+optional_policy(`
+ openshift_manage_lib_dirs(gear_t)
+ openshift_manage_lib_files(gear_t)
+ openshift_relabelfrom_lib(gear_t)
+')
diff --git a/geoclue.fc b/geoclue.fc
new file mode 100644
index 000000000..a97f14fd9
--- /dev/null
+++ b/geoclue.fc
@@ -0,0 +1,4 @@
+
+/usr/libexec/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
+
+/var/lib/geoclue(/.*)? gen_context(system_u:object_r:geoclue_var_lib_t,s0)
diff --git a/geoclue.if b/geoclue.if
new file mode 100644
index 000000000..cf9f7bfca
--- /dev/null
+++ b/geoclue.if
@@ -0,0 +1,153 @@
+
+## <summary>Geoclue is a D-Bus service that provides location information</summary>
+
+########################################
+## <summary>
+## Execute geoclue in the geoclue domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`geoclue_domtrans',`
+ gen_require(`
+ type geoclue_t, geoclue_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, geoclue_exec_t, geoclue_t)
+')
+
+########################################
+## <summary>
+## Search geoclue lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`geoclue_search_lib',`
+ gen_require(`
+ type geoclue_var_lib_t;
+ ')
+
+ allow $1 geoclue_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read geoclue lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`geoclue_read_lib_files',`
+ gen_require(`
+ type geoclue_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage geoclue lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`geoclue_manage_lib_files',`
+ gen_require(`
+ type geoclue_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage geoclue lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`geoclue_manage_lib_dirs',`
+ gen_require(`
+ type geoclue_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## geoclue over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`geoclue_dbus_chat',`
+ gen_require(`
+ type geoclue_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 geoclue_t:dbus send_msg;
+ allow geoclue_t $1:dbus send_msg;
+ ps_process_pattern(geoclue_t, $1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an geoclue environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`geoclue_admin',`
+ gen_require(`
+ type geoclue_t;
+ type geoclue_var_lib_t;
+ ')
+
+ allow $1 geoclue_t:process { signal_perms };
+ ps_process_pattern($1, geoclue_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 geoclue_t:process ptrace;
+ ')
+
+ files_search_var_lib($1)
+ admin_pattern($1, geoclue_var_lib_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/geoclue.te b/geoclue.te
new file mode 100644
index 000000000..fb8be0d88
--- /dev/null
+++ b/geoclue.te
@@ -0,0 +1,72 @@
+policy_module(geoclue, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type geoclue_t;
+type geoclue_exec_t;
+application_domain(geoclue_t, geoclue_exec_t)
+role system_r types geoclue_t;
+
+type geoclue_var_lib_t;
+files_type(geoclue_var_lib_t)
+
+type geoclue_tmp_t;
+files_tmp_file(geoclue_tmp_t)
+
+########################################
+#
+# geoclue local policy
+#
+allow geoclue_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
+manage_files_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
+manage_lnk_files_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
+files_var_lib_filetrans(geoclue_t, geoclue_var_lib_t, { dir })
+
+manage_files_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
+manage_dirs_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
+files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file })
+
+kernel_read_system_state(geoclue_t)
+kernel_read_network_state(geoclue_t)
+
+auth_read_passwd(geoclue_t)
+
+corenet_tcp_connect_http_port(geoclue_t)
+corenet_tcp_connect_http_cache_port(geoclue_t)
+
+corecmd_exec_bin(geoclue_t)
+
+dev_read_urand(geoclue_t)
+
+logging_send_syslog_msg(geoclue_t)
+
+miscfiles_read_certs(geoclue_t)
+
+sysnet_dns_name_resolve(geoclue_t)
+
+optional_policy(`
+ kerberos_use(geoclue_t)
+')
+
+optional_policy(`
+ dbus_system_domain(geoclue_t, geoclue_exec_t)
+
+ optional_policy(`
+ avahi_dbus_chat(geoclue_t)
+ ')
+ optional_policy(`
+ modemmanager_dbus_chat(geoclue_t)
+ ')
+ optional_policy(`
+ networkmanager_dbus_chat(geoclue_t)
+ ')
+')
+
+optional_policy(`
+ pcscd_stream_connect(geoclue_t)
+')
diff --git a/gift.te b/gift.te
index 8a820face..996b30c16 100644
--- a/gift.te
+++ b/gift.te
@@ -67,17 +67,7 @@ auth_use_nsswitch(gift_t)
userdom_dontaudit_read_user_home_content_files(gift_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(gift_t)
- fs_manage_nfs_files(gift_t)
- fs_manage_nfs_symlinks(gift_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(gift_t)
- fs_manage_cifs_files(gift_t)
- fs_manage_cifs_symlinks(gift_t)
-')
+userdom_home_manager(gift_t)
optional_policy(`
xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t)
@@ -119,22 +109,8 @@ corenet_sendrecv_all_client_packets(giftd_t)
corenet_tcp_connect_all_ports(giftd_t)
files_read_etc_runtime_files(giftd_t)
-files_read_usr_files(giftd_t)
-
-miscfiles_read_localization(giftd_t)
sysnet_dns_name_resolve(giftd_t)
-userdom_use_user_terminals(giftd_t)
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(giftd_t)
- fs_manage_nfs_files(giftd_t)
- fs_manage_nfs_symlinks(giftd_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(giftd_t)
- fs_manage_cifs_files(giftd_t)
- fs_manage_cifs_symlinks(giftd_t)
-')
+userdom_use_inherited_user_terminals(giftd_t)
+userdom_home_manager(gitd_t)
diff --git a/git.fc b/git.fc
index 24700f84b..6561d568e 100644
--- a/git.fc
+++ b/git.fc
@@ -2,12 +2,12 @@ HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
-/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+/var/cache/cgit(/.*)? gen_context(system_u:object_r:git_rw_content_t,s0)
+/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:git_rw_content_t,s0)
/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
-/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
-/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
-/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
-/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:git_script_exec_t,s0)
+/var/www/git(/.*)? gen_context(system_u:object_r:git_content_t,s0)
+/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:git_script_exec_t,s0)
+/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:git_script_exec_t,s0)
diff --git a/git.if b/git.if
index 1e29af196..6c64f55c3 100644
--- a/git.if
+++ b/git.if
@@ -37,7 +37,10 @@ template(`git_role',`
allow $2 git_user_content_t:file { exec_file_perms manage_file_perms relabel_file_perms };
userdom_user_home_dir_filetrans($2, git_user_content_t, dir, "public_git")
- allow $2 git_session_t:process { ptrace signal_perms };
+ allow $2 git_session_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 git_session_t:process ptrace;
+ ')
ps_process_pattern($2, git_session_t)
tunable_policy(`git_session_users',`
@@ -64,6 +67,7 @@ interface(`git_read_generic_sys_content_files',`
list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
read_files_pattern($1, git_sys_content_t, git_sys_content_t)
+ read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t)
files_search_var_lib($1)
@@ -79,3 +83,21 @@ interface(`git_read_generic_sys_content_files',`
fs_read_nfs_files($1)
')
')
+
+#######################################
+## <summary>
+## Create Git user content with a
+## named file transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_filetrans_user_content',`
+ gen_require(`
+ type git_user_content_t;
+ ')
+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+')
diff --git a/git.te b/git.te
index dc49c715e..54df5e36e 100644
--- a/git.te
+++ b/git.te
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
## <desc>
## <p>
-## Determine whether Git session daemons
-## can send syslog messages.
-## </p>
-## </desc>
-gen_tunable(git_session_send_syslog_msg, false)
-
-## <desc>
-## <p>
## Determine whether Git system daemon
## can search home directories.
## </p>
@@ -83,6 +75,7 @@ attribute git_daemon;
attribute_role git_session_roles;
apache_content_template(git)
+apache_content_alias_template(git, git)
type git_system_t, git_daemon;
type gitd_exec_t;
@@ -93,12 +86,15 @@ type git_session_t, git_daemon;
userdom_user_application_domain(git_session_t, gitd_exec_t)
role git_session_roles types git_session_t;
-type git_sys_content_t;
+type git_sys_content_t alias git_system_content_t;
files_type(git_sys_content_t)
-type git_user_content_t;
+type git_user_content_t alias git_session_content_t;
userdom_user_home_content(git_user_content_t)
+type git_script_tmp_t;
+files_tmp_file(git_script_tmp_t)
+
########################################
#
# Session policy
@@ -110,6 +106,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
userdom_search_user_home_dirs(git_session_t)
+kernel_read_system_state(git_session_t)
+
corenet_all_recvfrom_netlabel(git_session_t)
corenet_all_recvfrom_unlabeled(git_session_t)
corenet_tcp_bind_generic_node(git_session_t)
@@ -130,9 +128,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
corenet_tcp_sendrecv_all_ports(git_session_t)
')
-tunable_policy(`git_session_send_syslog_msg',`
- logging_send_syslog_msg(git_session_t)
-')
+logging_send_syslog_msg(git_session_t)
tunable_policy(`use_nfs_home_dirs',`
fs_getattr_nfs(git_session_t)
@@ -158,6 +154,9 @@ tunable_policy(`use_samba_home_dirs',`
list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
+kernel_read_network_state(git_system_t)
+kernel_read_system_state(git_system_t)
+
corenet_all_recvfrom_unlabeled(git_system_t)
corenet_all_recvfrom_netlabel(git_system_t)
corenet_tcp_sendrecv_generic_if(git_system_t)
@@ -176,6 +175,10 @@ logging_send_syslog_msg(git_system_t)
tunable_policy(`git_system_enable_homedirs',`
userdom_search_user_home_dirs(git_system_t)
+ list_dirs_pattern(git_script_t, git_user_content_t, git_user_content_t)
+ list_dirs_pattern(git_system_t, git_user_content_t, git_user_content_t)
+ read_files_pattern(git_system_t, git_user_content_t, git_user_content_t)
+
')
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
@@ -215,48 +218,52 @@ tunable_policy(`git_system_use_nfs',`
# CGI policy
#
-list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
-read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
-files_search_var_lib(httpd_git_script_t)
+manage_dirs_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t)
+manage_files_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t)
+manage_lnk_files_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t)
+files_tmp_filetrans(git_script_t, git_script_tmp_t, { file dir })
-files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+list_dirs_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+read_files_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+files_search_var_lib(git_script_t)
-auth_use_nsswitch(httpd_git_script_t)
+auth_use_nsswitch(git_script_t)
tunable_policy(`git_cgi_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_git_script_t)
+ userdom_search_user_home_dirs(git_script_t)
')
+fs_getattr_tmpfs(git_script_t)
tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',`
- fs_getattr_nfs(httpd_git_script_t)
- fs_list_nfs(httpd_git_script_t)
- fs_read_nfs_files(httpd_git_script_t)
+ fs_getattr_nfs(git_script_t)
+ fs_list_nfs(git_script_t)
+ fs_read_nfs_files(git_script_t)
',`
- fs_dontaudit_read_nfs_files(httpd_git_script_t)
+ fs_dontaudit_read_nfs_files(git_script_t)
')
tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',`
- fs_getattr_cifs(httpd_git_script_t)
- fs_list_cifs(httpd_git_script_t)
- fs_read_cifs_files(httpd_git_script_t)
+ fs_getattr_cifs(git_script_t)
+ fs_list_cifs(git_script_t)
+ fs_read_cifs_files(git_script_t)
',`
- fs_dontaudit_read_cifs_files(httpd_git_script_t)
+ fs_dontaudit_read_cifs_files(git_script_t)
')
tunable_policy(`git_cgi_use_cifs',`
- fs_getattr_cifs(httpd_git_script_t)
- fs_list_cifs(httpd_git_script_t)
- fs_read_cifs_files(httpd_git_script_t)
+ fs_getattr_cifs(git_script_t)
+ fs_list_cifs(git_script_t)
+ fs_read_cifs_files(git_script_t)
',`
- fs_dontaudit_read_cifs_files(httpd_git_script_t)
+ fs_dontaudit_read_cifs_files(git_script_t)
')
tunable_policy(`git_cgi_use_nfs',`
- fs_getattr_nfs(httpd_git_script_t)
- fs_list_nfs(httpd_git_script_t)
- fs_read_nfs_files(httpd_git_script_t)
+ fs_getattr_nfs(git_script_t)
+ fs_list_nfs(git_script_t)
+ fs_read_nfs_files(git_script_t)
',`
- fs_dontaudit_read_nfs_files(httpd_git_script_t)
+ fs_dontaudit_read_nfs_files(git_script_t)
')
########################################
@@ -266,12 +273,9 @@ tunable_policy(`git_cgi_use_nfs',`
allow git_daemon self:fifo_file rw_fifo_file_perms;
-kernel_read_system_state(git_daemon)
+#kernel_read_system_state(git_daemon)
corecmd_exec_bin(git_daemon)
-files_read_usr_files(git_daemon)
-
fs_search_auto_mountpoints(git_daemon)
-miscfiles_read_localization(git_daemon)
diff --git a/gitosis.te b/gitosis.te
index 582db0a2e..d77a1a549 100644
--- a/gitosis.te
+++ b/gitosis.te
@@ -52,12 +52,8 @@ corecmd_exec_shell(gitosis_t)
dev_read_urand(gitosis_t)
-files_read_etc_files(gitosis_t)
-files_read_usr_files(gitosis_t)
files_search_var_lib(gitosis_t)
-miscfiles_read_localization(gitosis_t)
-
sysnet_read_config(gitosis_t)
tunable_policy(`gitosis_can_sendmail',`
diff --git a/glance.fc b/glance.fc
index c21a528b5..a746a2b16 100644
--- a/glance.fc
+++ b/glance.fc
@@ -1,8 +1,14 @@
/etc/rc\.d/init\.d/openstack-glance-api -- gen_context(system_u:object_r:glance_api_initrc_exec_t,s0)
/etc/rc\.d/init\.d/openstack-glance-registry -- gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/openstack-glance-scrubber -- gen_context(system_u:object_r:glance_scrubber_initrc_exec_t,s0)
-/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0)
+/usr/lib/systemd/system/openstack-glance-api.* -- gen_context(system_u:object_r:glance_api_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-glance-registry.* -- gen_context(system_u:object_r:glance_registry_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-glance-scrubber.* -- gen_context(system_u:object_r:glance_scrubber_unit_file_t,s0)
+
+/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0)
/usr/bin/glance-registry -- gen_context(system_u:object_r:glance_registry_exec_t,s0)
+/usr/bin/glance-scrubber -- gen_context(system_u:object_r:glance_scrubber_exec_t,s0)
/var/lib/glance(/.*)? gen_context(system_u:object_r:glance_var_lib_t,s0)
diff --git a/glance.if b/glance.if
index 9eacb2c9c..7b19ad2db 100644
--- a/glance.if
+++ b/glance.if
@@ -1,5 +1,38 @@
## <summary>OpenStack image registry and delivery service.</summary>
+#######################################
+## <summary>
+## Creates types and rules for a basic
+## glance daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`glance_basic_types_template',`
+ gen_require(`
+ attribute glance_domain;
+ ')
+
+ type $1_t, glance_domain;
+ type $1_exec_t;
+
+ type $1_unit_file_t;
+ systemd_unit_file($1_unit_file_t)
+
+ kernel_read_system_state($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ auth_use_nsswitch($1_t)
+
+')
+
########################################
## <summary>
## Execute a domain transition to
@@ -26,9 +59,9 @@ interface(`glance_domtrans_registry',`
## run glance api.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`glance_domtrans_api',`
@@ -242,8 +275,13 @@ interface(`glance_admin',`
type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
')
- allow $1 { glance_api_t glance_registry_t }:process signal_perms;
- ps_process_pattern($1, { glance_api_t glance_registry_t })
+ allow $1 glance_registry_t:process signal_perms;
+ ps_process_pattern($1, glance_registry_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 glance_registry_t:process ptrace;
+ allow $1 glance_api_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
domain_system_change_exemption($1)
diff --git a/glance.te b/glance.te
index 5cd09096a..bd3c3d21b 100644
--- a/glance.te
+++ b/glance.te
@@ -5,10 +5,31 @@ policy_module(glance, 1.1.0)
# Declarations
#
+## <desc>
+## <p>
+## Determine whether glance-api can
+## connect to all TCP ports
+## </p>
+## </desc>
+gen_tunable(glance_api_can_network, false)
+
+## <desc>
+## <p>
+## Allow glance domain to manage fuse files
+## </p>
+## </desc>
+gen_tunable(glance_use_fusefs, false)
+
+## <desc>
+## <p>
+## Allow glance domain to use executable memory and executable stack
+## </p>
+## </desc>
+gen_tunable(glance_use_execmem, false)
+
attribute glance_domain;
-type glance_registry_t, glance_domain;
-type glance_registry_exec_t;
+glance_basic_types_template(glance_registry)
init_daemon_domain(glance_registry_t, glance_registry_exec_t)
type glance_registry_initrc_exec_t;
@@ -17,13 +38,21 @@ init_script_file(glance_registry_initrc_exec_t)
type glance_registry_tmp_t;
files_tmp_file(glance_registry_tmp_t)
-type glance_api_t, glance_domain;
-type glance_api_exec_t;
+type glance_registry_tmpfs_t;
+files_tmpfs_file(glance_registry_tmpfs_t)
+
+glance_basic_types_template(glance_api)
init_daemon_domain(glance_api_t, glance_api_exec_t)
type glance_api_initrc_exec_t;
init_script_file(glance_api_initrc_exec_t)
+glance_basic_types_template(glance_scrubber)
+init_daemon_domain(glance_scrubber_t, glance_scrubber_exec_t)
+
+type glance_scrubber_initrc_exec_t;
+init_script_file(glance_scrubber_initrc_exec_t)
+
type glance_log_t;
logging_log_file(glance_log_t)
@@ -41,6 +70,7 @@ files_pid_file(glance_var_run_t)
# Common local policy
#
+allow glance_domain self:process signal_perms;
allow glance_domain self:fifo_file rw_fifo_file_perms;
allow glance_domain self:unix_stream_socket create_stream_socket_perms;
allow glance_domain self:tcp_socket { accept listen };
@@ -56,29 +86,40 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
-kernel_read_system_state(glance_domain)
-
-corenet_all_recvfrom_unlabeled(glance_domain)
-corenet_all_recvfrom_netlabel(glance_domain)
corenet_tcp_sendrecv_generic_if(glance_domain)
corenet_tcp_sendrecv_generic_node(glance_domain)
corenet_tcp_sendrecv_all_ports(glance_domain)
corenet_tcp_bind_generic_node(glance_domain)
+corenet_tcp_connect_mysqld_port(glance_domain)
+corenet_tcp_connect_http_port(glance_domain)
corecmd_exec_bin(glance_domain)
corecmd_exec_shell(glance_domain)
dev_read_urand(glance_domain)
+dev_read_sysfs(glance_domain)
-files_read_etc_files(glance_domain)
-files_read_usr_files(glance_domain)
+auth_read_passwd(glance_domain)
libs_exec_ldconfig(glance_domain)
-miscfiles_read_localization(glance_domain)
-
sysnet_dns_name_resolve(glance_domain)
+tunable_policy(`glance_use_fusefs',`
+ fs_manage_fusefs_dirs(glance_domain)
+ fs_manage_fusefs_files(glance_domain)
+ fs_read_fusefs_symlinks(glance_domain)
+ fs_getattr_fusefs(glance_domain)
+')
+
+tunable_policy(`glance_use_execmem',`
+ allow glance_domain self:process { execmem execstack };
+')
+
+optional_policy(`
+ mysql_read_db_lnk_files(glance_domain)
+')
+
########################################
#
# Registry local policy
@@ -88,8 +129,16 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
+manage_dirs_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
+manage_files_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
+fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t,{ dir file })
+
+corenet_tcp_bind_generic_node(glance_registry_t)
corenet_sendrecv_glance_registry_server_packets(glance_registry_t)
corenet_tcp_bind_glance_registry_port(glance_registry_t)
+corenet_tcp_connect_all_ephemeral_ports(glance_registry_t)
+
+corenet_tcp_connect_keystone_port(glance_registry_t)
logging_send_syslog_msg(glance_registry_t)
@@ -108,13 +157,38 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
can_exec(glance_api_t, glance_tmp_t)
-corenet_sendrecv_armtechdaemon_server_packets(glance_api_t)
-corenet_tcp_bind_armtechdaemon_port(glance_api_t)
-
-corenet_sendrecv_hplip_server_packets(glance_api_t)
-corenet_tcp_bind_hplip_port(glance_api_t)
+corenet_tcp_bind_generic_node(glance_api_t)
+corenet_tcp_bind_glance_port(glance_api_t)
corenet_sendrecv_glance_registry_client_packets(glance_api_t)
+corenet_tcp_connect_amqp_port(glance_api_t)
corenet_tcp_connect_glance_registry_port(glance_api_t)
+corenet_tcp_connect_mysqld_port(glance_api_t)
+corenet_tcp_connect_http_port(glance_api_t)
+
+corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
+corenet_tcp_connect_commplex_main_port(glance_api_t)
+corenet_tcp_connect_http_cache_port(glance_api_t)
+
+corenet_sendrecv_hplip_server_packets(glance_api_t)
+corenet_tcp_bind_hplip_port(glance_api_t)
fs_getattr_xattr_fs(glance_api_t)
+
+tunable_policy(`glance_api_can_network',`
+ corenet_sendrecv_all_client_packets(glance_api_t)
+ corenet_tcp_connect_all_ports(glance_api_t)
+ corenet_tcp_sendrecv_all_ports(glance_api_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(glance_api_t)
+')
+
+########################################
+#
+# Scrubber local policy
+#
+
+corenet_tcp_connect_commplex_main_port(glance_scrubber_t)
+corenet_tcp_connect_glance_registry_port(glance_scrubber_t)
diff --git a/glusterd.fc b/glusterd.fc
new file mode 100644
index 000000000..e42e81f5f
--- /dev/null
+++ b/glusterd.fc
@@ -0,0 +1,30 @@
+/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+
+/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+
+/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/usr/sbin/glustereventsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+/usr/sbin/gluster-eventsapi -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+
+/usr/libexec/glusterfs/peer_eventsapi.py -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+/usr/libexec/glusterfs/events/glustereventsd.py -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+
+/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
+
+/var/run/gluster(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0)
+
+/var/log/ganesha(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
+/var/log/ganesha.log -- gen_context(system_u:object_r:glusterd_log_t,s0)
+/var/log/ganesha-gfapi.log -- gen_context(system_u:object_r:glusterd_log_t,s0)
+
diff --git a/glusterd.if b/glusterd.if
new file mode 100644
index 000000000..291191f17
--- /dev/null
+++ b/glusterd.if
@@ -0,0 +1,301 @@
+
+## <summary>policy for glusterd</summary>
+
+
+########################################
+## <summary>
+## Transition to glusterd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`glusterd_domtrans',`
+ gen_require(`
+ type glusterd_t, glusterd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, glusterd_exec_t, glusterd_t)
+')
+
+
+########################################
+## <summary>
+## Execute glusterd server in the glusterd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glusterd_initrc_domtrans',`
+ gen_require(`
+ type glusterd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read glusterd's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`glusterd_read_log',`
+ gen_require(`
+ type glusterd_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, glusterd_log_t, glusterd_log_t)
+')
+
+########################################
+## <summary>
+## Append to glusterd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glusterd_append_log',`
+ gen_require(`
+ type glusterd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, glusterd_log_t, glusterd_log_t)
+')
+
+#######################################
+## <summary>
+## Transition content labels to glusterd named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glusterd_filetrans_named_pid',`
+ gen_require(`
+ type glusterd_var_run_t;
+ ')
+ files_pid_filetrans($1, glusterd_var_run_t , sock_file, "glusterd.socket")
+')
+
+########################################
+## <summary>
+## Manage glusterd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glusterd_manage_pid',`
+ gen_require(`
+ type glusterd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, glusterd_var_run_t, glusterd_var_run_t)
+ manage_files_pattern($1, glusterd_var_run_t, glusterd_var_run_t)
+')
+
+########################################
+## <summary>
+## Manage glusterd log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glusterd_manage_log',`
+ gen_require(`
+ type glusterd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t)
+ manage_files_pattern($1, glusterd_log_t, glusterd_log_t)
+ manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t)
+')
+
+######################################
+## <summary>
+## Allow the specified domain to execute gluster's lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gluster_execute_lib',`
+ gen_require(`
+ type glusterd_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ allow $1 glusterd_var_lib_t:dir search_dir_perms;
+ can_exec($1, glusterd_var_lib_t)
+')
+
+######################################
+## <summary>
+## Read glusterd's config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glusterd_read_conf',`
+ gen_require(`
+ type glusterd_conf_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, glusterd_conf_t, glusterd_conf_t)
+')
+
+######################################
+## <summary>
+## Dontaudit Read /var/lib/glusterd files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glusterd_dontaudit_read_lib_dirs',`
+ gen_require(`
+ type glusterd_var_lib_t;
+ ')
+
+ dontaudit $1 glusterd_var_lib_t:dir list_dir_perms;
+')
+
+######################################
+## <summary>
+## Read and write /var/lib/glusterd files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glusterd_rw_lib',`
+ gen_require(`
+ type glusterd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
+')
+
+######################################
+## <summary>
+## Read /var/lib/glusterd files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glusterd_read_lib_files',`
+ gen_require(`
+ type glusterd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 glusterd_var_lib_t:dir search_dir_perms;
+ read_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
+')
+
+######################################
+## <summary>
+## Read and write /var/lib/glusterd files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glusterd_manage_lib_files',`
+ gen_require(`
+ type glusterd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 glusterd_var_lib_t:dir search_dir_perms;
+ manage_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
+')
+
+######################################
+## <summary>
+## All of the rules required to administrate
+## an glusterd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`glusterd_admin',`
+ gen_require(`
+ type glusterd_t;
+ type glusterd_initrc_exec_t;
+ type glusterd_log_t;
+ type glusterd_tmp_t;
+ type glusterd_conf_t;
+ ')
+
+ allow $1 glusterd_t:process { signal_perms };
+ ps_process_pattern($1, glusterd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 glusterd_t:process ptrace;
+ ')
+
+ glusterd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 glusterd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, glusterd_log_t)
+
+ admin_pattern($1, glusterd_tmp_t)
+
+ admin_pattern($1, glusterd_conf_t)
+
+')
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
index 000000000..ffa5ab9b3
--- /dev/null
+++ b/glusterd.te
@@ -0,0 +1,328 @@
+policy_module(glusterd, 1.1.3)
+
+## <desc>
+## <p>
+## Allow glusterfsd to modify public files used for public file
+## transfer services. Files/Directories must be labeled
+## public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(gluster_anon_write, false)
+
+## <desc>
+## <p>
+## Allow glusterfsd to share any file/directory read only.
+## </p>
+## </desc>
+gen_tunable(gluster_export_all_ro, false)
+
+## <desc>
+## <p>
+## Allow glusterfsd to share any file/directory read/write.
+## </p>
+## </desc>
+gen_tunable(gluster_export_all_rw, true)
+
+## <desc>
+## <p>
+## Allow glusterd_t domain to use executable memory
+## </p>
+## </desc>
+gen_tunable(gluster_use_execmem, false)
+
+########################################
+#
+# Declarations
+#
+
+type glusterd_t;
+type glusterd_exec_t;
+init_daemon_domain(glusterd_t, glusterd_exec_t)
+domain_obj_id_change_exemption(glusterd_t)
+
+type glusterd_conf_t;
+files_type(glusterd_conf_t)
+
+type glusterd_initrc_exec_t;
+init_script_file(glusterd_initrc_exec_t)
+
+type glusterd_tmp_t;
+files_tmp_file(glusterd_tmp_t)
+
+type glusterd_tmpfs_t;
+files_tmpfs_file(glusterd_tmpfs_t)
+
+type glusterd_log_t;
+logging_log_file(glusterd_log_t)
+
+type glusterd_var_run_t;
+files_pid_file(glusterd_var_run_t)
+
+type glusterd_var_lib_t;
+files_type(glusterd_var_lib_t)
+
+type glusterd_brick_t;
+files_type(glusterd_brick_t)
+
+typealias glusterd_log_t alias ganesha_var_log_t;
+
+########################################
+#
+# Local policy
+#
+
+allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace chown dac_read_search fowner fsetid ipc_lock kill setgid setuid net_admin mknod net_raw };
+
+allow glusterd_t self:capability2 block_suspend;
+allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate};
+allow glusterd_t self:sem create_sem_perms;
+allow glusterd_t self:fifo_file rw_fifo_file_perms;
+allow glusterd_t self:tcp_socket { accept listen };
+allow glusterd_t self:unix_stream_socket { accept listen connectto };
+allow glusterd_t self:rawip_socket create_socket_perms;
+allow glusterd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+files_etc_filetrans(glusterd_t, glusterd_conf_t, { dir file }, "glusterfs")
+
+manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
+allow glusterd_t glusterd_tmp_t:dir mounton;
+
+manage_dirs_pattern(glusterd_t, glusterd_tmpfs_t, glusterd_tmpfs_t)
+manage_files_pattern(glusterd_t, glusterd_tmpfs_t, glusterd_tmpfs_t)
+fs_tmpfs_filetrans(glusterd_t, glusterd_tmpfs_t, { dir file })
+
+manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+logging_log_filetrans(glusterd_t, glusterd_log_t, { file dir })
+
+manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
+relabel_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+
+manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_fifo_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_blk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_chr_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_sock_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_chr_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_blk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+
+can_exec(glusterd_t, glusterd_exec_t)
+
+kernel_read_system_state(glusterd_t)
+kernel_read_network_state(glusterd_t)
+kernel_read_net_sysctls(glusterd_t)
+kernel_request_load_module(glusterd_t)
+
+corecmd_exec_bin(glusterd_t)
+corecmd_exec_shell(glusterd_t)
+
+corenet_all_recvfrom_unlabeled(glusterd_t)
+corenet_all_recvfrom_netlabel(glusterd_t)
+corenet_tcp_sendrecv_generic_if(glusterd_t)
+corenet_udp_sendrecv_generic_if(glusterd_t)
+corenet_tcp_sendrecv_generic_node(glusterd_t)
+corenet_udp_sendrecv_generic_node(glusterd_t)
+corenet_tcp_sendrecv_all_ports(glusterd_t)
+corenet_udp_sendrecv_all_ports(glusterd_t)
+corenet_tcp_bind_generic_node(glusterd_t)
+corenet_udp_bind_generic_node(glusterd_t)
+corenet_raw_bind_generic_node(glusterd_t)
+
+corenet_tcp_connect_gluster_port(glusterd_t)
+corenet_tcp_bind_gluster_port(glusterd_t)
+corenet_udp_bind_gluster_port(glusterd_t)
+
+# replacement for rpc.mountd
+corenet_sendrecv_all_server_packets(glusterd_t)
+corenet_tcp_bind_all_reserved_ports(glusterd_t)
+corenet_udp_bind_all_rpc_ports(glusterd_t)
+corenet_tcp_bind_all_rpc_ports(glusterd_t)
+corenet_tcp_bind_nfs_port(glusterd_t)
+corenet_udp_bind_nfs_port(glusterd_t)
+corenet_udp_bind_mountd_port(glusterd_t)
+corenet_tcp_bind_mountd_port(glusterd_t)
+corenet_udp_bind_ipp_port(glusterd_t)
+
+corenet_sendrecv_all_client_packets(glusterd_t)
+corenet_tcp_bind_all_unreserved_ports(glusterd_t)
+corenet_tcp_connect_all_unreserved_ports(glusterd_t)
+corenet_tcp_connect_all_ephemeral_ports(glusterd_t)
+corenet_tcp_connect_ssh_port(glusterd_t)
+corenet_tcp_connect_all_rpc_ports(glusterd_t)
+corenet_tcp_connect_all_ports(glusterd_t)
+
+dev_read_sysfs(glusterd_t)
+dev_read_urand(glusterd_t)
+dev_read_rand(glusterd_t)
+dev_rw_infiniband_dev(glusterd_t)
+
+domain_read_all_domains_state(glusterd_t)
+domain_getattr_all_sockets(glusterd_t)
+
+domain_use_interactive_fds(glusterd_t)
+
+fs_mount_all_fs(glusterd_t)
+fs_unmount_all_fs(glusterd_t)
+fs_getattr_all_fs(glusterd_t)
+fs_getattr_all_dirs(glusterd_t)
+
+files_mounton_non_security(glusterd_t)
+
+files_dontaudit_read_security_files(glusterd_t)
+files_dontaudit_list_security_dirs(glusterd_t)
+
+storage_rw_fuse(glusterd_t)
+#needed by /usr/sbin/xfs_db
+storage_raw_read_fixed_disk(glusterd_t)
+storage_raw_write_fixed_disk(glusterd_t)
+
+auth_use_nsswitch(glusterd_t)
+
+fs_getattr_all_fs(glusterd_t)
+
+init_domtrans_script(glusterd_t)
+init_initrc_domain(glusterd_t)
+init_read_script_state(glusterd_t)
+init_rw_script_tmp_files(glusterd_t)
+init_manage_script_status_files(glusterd_t)
+init_status(glusterd_t)
+init_stop_transient_unit(glusterd_t)
+
+systemd_config_systemd_services(glusterd_t)
+systemd_signal_passwd_agent(glusterd_t)
+
+logging_send_syslog_msg(glusterd_t)
+logging_dontaudit_search_audit_logs(glusterd_t)
+
+libs_exec_ldconfig(glusterd_t)
+
+miscfiles_read_localization(glusterd_t)
+miscfiles_read_public_files(glusterd_t)
+
+userdom_manage_user_home_dirs(glusterd_t)
+userdom_filetrans_home_content(glusterd_t)
+userdom_read_user_tmp_files(glusterd_t)
+userdom_delete_user_tmp_files(glusterd_t)
+userdom_rw_user_tmp_files(glusterd_t)
+userdom_kill_all_users(glusterd_t)
+userdom_signal_unpriv_users(glusterd_t)
+
+mount_domtrans(glusterd_t)
+
+fstools_domtrans(glusterd_t)
+
+tunable_policy(`gluster_anon_write',`
+ miscfiles_manage_public_files(glusterd_t)
+')
+
+tunable_policy(`gluster_export_all_ro',`
+ fs_read_noxattr_fs_files(glusterd_t)
+ files_read_non_security_files(glusterd_t)
+ files_getattr_all_pipes(glusterd_t)
+ files_getattr_all_sockets(glusterd_t)
+')
+
+tunable_policy(`gluster_export_all_rw',`
+ fs_manage_noxattr_fs_files(glusterd_t)
+ files_manage_non_security_dirs(glusterd_t)
+ files_manage_non_security_files(glusterd_t)
+ files_relabel_base_file_types(glusterd_t)
+ files_getattr_all_pipes(glusterd_t)
+ files_getattr_all_sockets(glusterd_t)
+')
+
+tunable_policy(`gluster_use_execmem',`
+ allow glusterd_t self:process { execmem };
+')
+
+optional_policy(`
+ ctdbd_domtrans(glusterd_t)
+ ctdbd_signal(glusterd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(glusterd_t)
+ dbus_connect_system_bus(glusterd_t)
+ unconfined_dbus_chat(glusterd_t)
+
+ optional_policy(`
+ policykit_dbus_chat(glusterd_t)
+ ')
+')
+
+optional_policy(`
+ hostname_exec(glusterd_t)
+')
+
+
+optional_policy(`
+ kerberos_read_keytab(glusterd_t)
+')
+
+optional_policy(`
+ lvm_domtrans(glusterd_t)
+')
+
+optional_policy(`
+ mount_domtrans_showmount(glusterd_t)
+')
+
+optional_policy(`
+ samba_domtrans_smbd(glusterd_t)
+ samba_systemctl(glusterd_t)
+ samba_signal_smbd(glusterd_t)
+ samba_manage_config(glusterd_t)
+')
+
+optional_policy(`
+ ssh_exec_keygen(glusterd_t)
+')
+
+optional_policy(`
+ rpc_domtrans_rpcd(glusterd_t)
+ rpc_kill_rpcd(glusterd_t)
+')
+
+optional_policy(`
+ rsync_exec(glusterd_t)
+')
+
+optional_policy(`
+ rpc_systemctl_nfsd(glusterd_t)
+ rpc_systemctl_rpcd(glusterd_t)
+ rpc_domtrans_nfsd(glusterd_t)
+ rpc_dbus_chat_nfsd(glusterd_t)
+ rpc_domtrans_rpcd(glusterd_t)
+ rpc_manage_nfs_state_data(glusterd_t)
+ rpc_manage_nfs_state_data_dir(glusterd_t)
+ rpcbind_stream_connect(glusterd_t)
+')
+
+optional_policy(`
+ rhcs_dbus_chat_cluster(glusterd_t)
+ rhcs_domtrans_cluster(glusterd_t)
+ rhcs_systemctl_cluster(glusterd_t)
+ rhcs_stream_connect_cluster(glusterd_t)
+')
+
+optional_policy(`
+ ssh_exec(glusterd_t)
+')
diff --git a/glusterfs.fc b/glusterfs.fc
deleted file mode 100644
index 4bd6ade46..000000000
--- a/glusterfs.fc
+++ /dev/null
@@ -1,16 +0,0 @@
-/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
-
-/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
-/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
-
-/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
-/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
-
-/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
-
-/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0)
-
-/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
-
-/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
-/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
diff --git a/glusterfs.if b/glusterfs.if
deleted file mode 100644
index 05233c86e..000000000
--- a/glusterfs.if
+++ /dev/null
@@ -1,71 +0,0 @@
-## <summary>Cluster File System binary, daemon and command line.</summary>
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an glusterfs environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`glusterd_admin',`
- refpolicywarn(`$0($*) has been deprecated, use glusterfs_admin() instead.')
- glusterfs_admin($1, $2)
-')
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an glusterfs environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`glusterfs_admin',`
- gen_require(`
- type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t;
- type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t;
- type glusterd_var_run_t;
- ')
-
- init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 glusterd_initrc_exec_t system_r;
- allow $2 system_r;
-
- allow $1 glusterd_t:process { ptrace signal_perms };
- ps_process_pattern($1, glusterd_t)
-
- files_search_etc($1)
- admin_pattern($1, glusterd_conf_t)
-
- logging_search_logs($1)
- admin_pattern($1, glusterd_log_t)
-
- files_search_tmp($1)
- admin_pattern($1, glusterd_tmp_t)
-
- files_search_var_lib($1)
- admin_pattern($1, glusterd_var_lib_t)
-
- files_search_pids($1)
- admin_pattern($1, glusterd_var_run_t)
-')
diff --git a/glusterfs.te b/glusterfs.te
deleted file mode 100644
index 4e95c7e2f..000000000
--- a/glusterfs.te
+++ /dev/null
@@ -1,105 +0,0 @@
-policy_module(glusterfs, 1.1.2)
-
-########################################
-#
-# Declarations
-#
-
-type glusterd_t;
-type glusterd_exec_t;
-init_daemon_domain(glusterd_t, glusterd_exec_t)
-
-type glusterd_conf_t;
-files_type(glusterd_conf_t)
-
-type glusterd_initrc_exec_t;
-init_script_file(glusterd_initrc_exec_t)
-
-type glusterd_tmp_t;
-files_tmp_file(glusterd_tmp_t)
-
-type glusterd_log_t;
-logging_log_file(glusterd_log_t)
-
-type glusterd_var_run_t;
-files_pid_file(glusterd_var_run_t)
-
-type glusterd_var_lib_t;
-files_type(glusterd_var_lib_t)
-
-########################################
-#
-# Local policy
-#
-
-allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner };
-allow glusterd_t self:process { setrlimit signal };
-allow glusterd_t self:fifo_file rw_fifo_file_perms;
-allow glusterd_t self:tcp_socket { accept listen };
-allow glusterd_t self:unix_stream_socket { accept listen };
-
-manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
-manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
-files_etc_filetrans(glusterd_t, glusterd_conf_t, dir)
-
-manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
-
-manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
-
-manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file })
-
-manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
-
-can_exec(glusterd_t, glusterd_exec_t)
-
-kernel_read_system_state(glusterd_t)
-
-corecmd_exec_bin(glusterd_t)
-corecmd_exec_shell(glusterd_t)
-
-corenet_all_recvfrom_unlabeled(glusterd_t)
-corenet_all_recvfrom_netlabel(glusterd_t)
-corenet_tcp_sendrecv_generic_if(glusterd_t)
-corenet_udp_sendrecv_generic_if(glusterd_t)
-corenet_tcp_sendrecv_generic_node(glusterd_t)
-corenet_udp_sendrecv_generic_node(glusterd_t)
-corenet_tcp_sendrecv_all_ports(glusterd_t)
-corenet_udp_sendrecv_all_ports(glusterd_t)
-corenet_tcp_bind_generic_node(glusterd_t)
-corenet_udp_bind_generic_node(glusterd_t)
-
-# Too coarse?
-corenet_sendrecv_all_server_packets(glusterd_t)
-corenet_tcp_bind_all_reserved_ports(glusterd_t)
-corenet_udp_bind_all_rpc_ports(glusterd_t)
-corenet_udp_bind_ipp_port(glusterd_t)
-
-corenet_sendrecv_all_client_packets(glusterd_t)
-corenet_tcp_connect_all_unreserved_ports(glusterd_t)
-
-dev_read_sysfs(glusterd_t)
-dev_read_urand(glusterd_t)
-
-domain_read_all_domains_state(glusterd_t)
-
-domain_use_interactive_fds(glusterd_t)
-
-files_read_usr_files(glusterd_t)
-
-auth_use_nsswitch(glusterd_t)
-
-logging_send_syslog_msg(glusterd_t)
-
-miscfiles_read_localization(glusterd_t)
diff --git a/gnome.fc b/gnome.fc
index e39de436a..5edcb8330 100644
--- a/gnome.fc
+++ b/gnome.fc
@@ -1,15 +1,60 @@
-HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
-HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
-HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
-HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
+HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.nv(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.nv/GLCache(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+HOME_DIR/\.grl-metadata-store gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.cache/GLCache(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
+HOME_DIR/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
+HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
-/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
+/var/run/user/[^/]*/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
+/var/run/user/[^/]*/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+/var/run/user/[^/]*/keyring.* gen_context(system_u:object_r:gkeyringd_tmp_t,s0)
+
+/root/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+/root/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
+/root/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+/root/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+/root/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
+/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+/root/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
+/root/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
+/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+/root/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
+/root/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
+/root/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
+/root/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+
+/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
+/usr/share/config(/.*)? gen_context(system_u:object_r:config_usr_t,s0)
+
/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+/usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+
+# Don't use because toolchain is broken
+#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
-/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
index ab09d6195..e1ae96179 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,52 +1,76 @@
-## <summary>GNU network object model environment.</summary>
+## <summary>GNU network object model environment (GNOME)</summary>
-########################################
+#######################################
## <summary>
-## Role access for gnome. (Deprecated)
+## Role access for gnome. (Deprecated)
## </summary>
## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
+## <summary>
+## Role allowed access.
+## </summary>
## </param>
## <param name="domain">
-## <summary>
-## User domain for the role.
-## </summary>
+## <summary>
+## User domain for the role.
+## </summary>
## </param>
#
interface(`gnome_role',`
- refpolicywarn(`$0($*) has been deprecated')
+ refpolicywarn(`$0($*) has been deprecated')
+ ')
+
+######################################
+## <summary>
+## The role template for the gnome-keyring-daemon.
+## </summary>
+## <param name="user_prefix">
+## <summary>
+## The user prefix.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The user role.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The user domain associated with the role.
+## </summary>
+## </param>
+#
+interface(`gnome_role_gkeyringd',`
+ refpolicywarn(`$0($*) has been deprecated')
')
-#######################################
+######################################
## <summary>
-## The role template for gnome.
+## The role template for gnome.
## </summary>
## <param name="role_prefix">
-## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-## </summary>
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
## </param>
## <param name="user_role">
-## <summary>
-## The role associated with the user domain.
-## </summary>
+## <summary>
+## The role associated with the user domain.
+## </summary>
## </param>
## <param name="user_domain">
-## <summary>
-## The type of the user domain.
-## </summary>
+## <summary>
+## The type of the user domain.
+## </summary>
## </param>
#
template(`gnome_role_template',`
- gen_require(`
- attribute gnomedomain, gkeyringd_domain;
+ gen_require(`
+ attribute gnomedomain, gkeyringd_domain, gnome_home_type;
attribute_role gconfd_roles;
- type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
+ type gkeyringd_exec_t, gkeyringd_tmp_t;
type gconfd_t, gconfd_exec_t, gconf_tmp_t;
- type gconf_home_t;
+ class dbus send_msg;
')
########################################
@@ -74,52 +98,101 @@ template(`gnome_role_template',`
domtrans_pattern($3, gconfd_exec_t, gconfd_t)
- allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
-
- allow $3 gconfd_t:process { ptrace signal_perms };
+ allow $3 gconfd_t:process { signal_perms };
+ allow $3 gconfd_t:unix_stream_socket connectto;
ps_process_pattern($3, gconfd_t)
+
########################################
#
# Gkeyringd policy
#
+ allow $1_gkeyringd_t $3:unix_stream_socket { connectto create_stream_socket_perms };
+
domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
- allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
- allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms };
+ allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:file { relabel_file_perms manage_file_perms };
- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome")
- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2")
- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private")
-
- gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings")
+ userdom_home_manager($1_gkeyringd_t)
- allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+ allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
ps_process_pattern($3, $1_gkeyringd_t)
- allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
+ allow $3 $1_gkeyringd_t:process signal_perms;
+ dontaudit $3 gkeyringd_exec_t:file entrypoint;
+
+ allow $1_gkeyringd_t $3:process sigkill;
+ allow $3 $1_gkeyringd_t:fd use;
+ allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
+
+ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
+
+ kernel_read_system_state($1_gkeyringd_t)
corecmd_bin_domtrans($1_gkeyringd_t, $3)
corecmd_shell_domtrans($1_gkeyringd_t, $3)
- gnome_stream_connect_gkeyringd($1, $3)
+ gnome_stream_connect_gkeyringd($3)
+
+ ps_process_pattern($1_gkeyringd_t, $3)
+
+ auth_use_nsswitch($1_gkeyringd_t)
+
+ logging_send_syslog_msg($1_gkeyringd_t)
+
+ userdom_rw_user_tmp_sock_files($1_gkeyringd_t)
+
+ allow $1_gkeyringd_t $3:dbus send_msg;
+ allow $3 $1_gkeyringd_t:dbus send_msg;
optional_policy(`
- dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+ dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+ dbus_dontaudit_stream_connect_system_dbusd($1_gkeyringd_t)
+ gnome_manage_generic_home_dirs($1_gkeyringd_t)
+ gnome_read_generic_data_home_files($1_gkeyringd_t)
+ gnome_read_generic_data_home_dirs($1_gkeyringd_t)
optional_policy(`
- gnome_dbus_chat_gkeyringd($1, $3)
+ telepathy_mission_control_read_state($1_gkeyringd_t)
+ telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t)
')
')
')
+#######################################
+## <summary>
+## Allow domain to run gkeyring in the $1_gkeyringd_t domain.
+## </summary>
+## <param name="user_prefix">
+## <summary>
+## The user prefix.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The user role.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_run_gkeyringd',`
+ gen_require(`
+ type $1_gkeyringd_t;
+ type gkeyringd_exec_t;
+ ')
+ role $2 types $1_gkeyringd_t;
+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
+')
+
########################################
## <summary>
-## Execute gconf in the caller domain.
+## gconf connection template.
## </summary>
## <param name="domain">
## <summary>
@@ -127,18 +200,18 @@ template(`gnome_role_template',`
## </summary>
## </param>
#
-interface(`gnome_exec_gconf',`
+interface(`gnome_stream_connect_gconf',`
gen_require(`
- type gconfd_exec_t;
+ type gconfd_t, gconf_tmp_t;
')
- corecmd_search_bin($1)
- can_exec($1, gconfd_exec_t)
+ read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
+ allow $1 gconfd_t:unix_stream_socket connectto;
')
########################################
## <summary>
-## Read gconf configuration content.
+## Connect to gkeyringd with a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -146,119 +219,114 @@ interface(`gnome_exec_gconf',`
## </summary>
## </param>
#
-interface(`gnome_read_gconf_config',`
+interface(`gnome_stream_connect_gkeyringd',`
gen_require(`
- type gconf_etc_t;
+ attribute gkeyringd_domain;
+ type gkeyringd_tmp_t;
+ type gconf_tmp_t;
+ type cache_home_t;
')
- files_search_etc($1)
- allow $1 gconf_etc_t:dir list_dir_perms;
- allow $1 gconf_etc_t:file read_file_perms;
- allow $1 gconf_etc_t:lnk_file read_lnk_file_perms;
+ allow $1 gconf_tmp_t:dir search_dir_perms;
+ userdom_search_user_tmp_dirs($1)
+ stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
+ stream_connect_pattern($1, cache_home_t, cache_home_t, gkeyringd_domain)
')
########################################
## <summary>
-## Do not audit attempts to read
-## inherited gconf configuration files.
+## Run gconfd in gconfd domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
+interface(`gnome_domtrans_gconfd',`
gen_require(`
- type gconf_etc_t;
+ type gconfd_t, gconfd_exec_t;
')
- dontaudit $1 gconf_etc_t:file read;
+ domtrans_pattern($1, gconfd_exec_t, gconfd_t)
')
-#######################################
+########################################
## <summary>
-## Create, read, write, and delete
-## gconf configuration content.
+## Dontaudit read gnome homedir content (.config)
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`gnome_manage_gconf_config',`
+interface(`gnome_dontaudit_read_config',`
gen_require(`
- type gconf_etc_t;
+ attribute gnome_home_type;
')
- files_search_etc($1)
- allow $1 gconf_etc_t:dir manage_dir_perms;
- allow $1 gconf_etc_t:file manage_file_perms;
- allow $1 gconf_etc_t:lnk_file manage_lnk_file_perms;
+ dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
')
########################################
## <summary>
-## Connect to gconf using a unix
-## domain stream socket.
+## Dontaudit search gnome homedir content (.config)
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`gnome_stream_connect_gconf',`
+interface(`gnome_dontaudit_search_config',`
gen_require(`
- type gconfd_t, gconf_tmp_t;
+ attribute gnome_home_type;
')
- files_search_tmp($1)
- stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t)
+ dontaudit $1 gnome_home_type:dir search_dir_perms;
')
########################################
## <summary>
-## Run gconfd in gconfd domain.
+## Dontaudit write gnome homedir content (.config)
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`gnome_domtrans_gconfd',`
+interface(`gnome_dontaudit_append_config_files',`
gen_require(`
- type gconfd_t, gconfd_exec_t;
+ attribute gnome_home_type;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, gconfd_exec_t, gconfd_t)
+ dontaudit $1 gnome_home_type:file append;
')
+
########################################
## <summary>
-## Create generic gnome home directories.
+## Dontaudit write gnome homedir content (.config)
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`gnome_create_generic_home_dirs',`
+interface(`gnome_dontaudit_write_config_files',`
gen_require(`
- type gnome_home_t;
+ attribute gnome_home_type;
')
- allow $1 gnome_home_t:dir create_dir_perms;
+ dontaudit $1 gnome_home_type:file write;
')
########################################
## <summary>
-## Set attributes of generic gnome
-## user home directories. (Deprecated)
+## manage gnome homedir content (.config)
## </summary>
## <param name="domain">
## <summary>
@@ -266,15 +334,21 @@ interface(`gnome_create_generic_home_dirs',`
## </summary>
## </param>
#
-interface(`gnome_setattr_config_dirs',`
- refpolicywarn(`$0($*) has been deprecated, use gnome_setattr_generic_home_dirs() instead.')
- gnome_setattr_generic_home_dirs($1)
+interface(`gnome_manage_config',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ allow $1 gnome_home_type:dir manage_dir_perms;
+ allow $1 gnome_home_type:file { manage_file_perms map };
+ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
+ allow $1 gnome_home_type:sock_file manage_sock_file_perms;
+ userdom_search_user_home_dirs($1)
')
########################################
## <summary>
-## Set attributes of generic gnome
-## user home directories.
+## Send general signals to all gconf domains.
## </summary>
## <param name="domain">
## <summary>
@@ -282,57 +356,89 @@ interface(`gnome_setattr_config_dirs',`
## </summary>
## </param>
#
-interface(`gnome_setattr_generic_home_dirs',`
+interface(`gnome_signal_all',`
gen_require(`
- type gnome_home_t;
+ attribute gnomedomain;
')
- userdom_search_user_home_dirs($1)
- setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+ allow $1 gnomedomain:process signal;
')
########################################
## <summary>
-## Read generic gnome user home content. (Deprecated)
+## Create objects in a Gnome cache home directory
+## with an automatic type transition to
+## a specified private type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
-interface(`gnome_read_config',`
- refpolicywarn(`$0($*) has been deprecated, use gnome_read_generic_home_content() instead.')
- gnome_read_generic_home_content($1)
+interface(`gnome_cache_filetrans',`
+ gen_require(`
+ type cache_home_t;
+ ')
+
+ filetrans_pattern($1, cache_home_t, $2, $3, $4)
+ userdom_search_user_home_dirs($1)
')
########################################
## <summary>
-## Read generic gnome home content.
+## Create objects in a Gnome cache home directory
+## with an automatic type transition to
+## a specified private type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
-interface(`gnome_read_generic_home_content',`
+interface(`gnome_config_filetrans',`
gen_require(`
- type gnome_home_t;
+ type config_home_t;
')
+ filetrans_pattern($1, config_home_t, $2, $3, $4)
userdom_search_user_home_dirs($1)
- allow $1 gnome_home_t:dir list_dir_perms;
- allow $1 gnome_home_t:file read_file_perms;
- allow $1 gnome_home_t:fifo_file read_fifo_file_perms;
- allow $1 gnome_home_t:lnk_file read_lnk_file_perms;
- allow $1 gnome_home_t:sock_file read_sock_file_perms;
')
########################################
## <summary>
-## Create, read, write, and delete
-## generic gnome user home content. (Deprecated)
+## Read generic cache home files (.cache)
## </summary>
## <param name="domain">
## <summary>
@@ -340,15 +446,18 @@ interface(`gnome_read_generic_home_content',`
## </summary>
## </param>
#
-interface(`gnome_manage_config',`
- refpolicywarn(`$0($*) has been deprecated, use gnome_manage_generic_home_content() instead.')
- gnome_manage_generic_home_content($1)
+interface(`gnome_read_generic_cache_files',`
+ gen_require(`
+ type cache_home_t;
+ ')
+
+ read_files_pattern($1, cache_home_t, cache_home_t)
+ userdom_search_user_home_dirs($1)
')
########################################
## <summary>
-## Create, read, write, and delete
-## generic gnome home content.
+## Create generic cache home dir (.cache)
## </summary>
## <param name="domain">
## <summary>
@@ -356,22 +465,18 @@ interface(`gnome_manage_config',`
## </summary>
## </param>
#
-interface(`gnome_manage_generic_home_content',`
+interface(`gnome_create_generic_cache_dir',`
gen_require(`
- type gnome_home_t;
+ type cache_home_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 gnome_home_t:dir manage_dir_perms;
- allow $1 gnome_home_t:file manage_file_perms;
- allow $1 gnome_home_t:fifo_file manage_fifo_file_perms;
- allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
- allow $1 gnome_home_t:sock_file manage_sock_file_perms;
+ allow $1 cache_home_t:dir create_dir_perms;
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
')
########################################
## <summary>
-## Search generic gnome home directories.
+## Set attributes of cache home dir (.cache)
## </summary>
## <param name="domain">
## <summary>
@@ -379,53 +484,37 @@ interface(`gnome_manage_generic_home_content',`
## </summary>
## </param>
#
-interface(`gnome_search_generic_home',`
+interface(`gnome_setattr_cache_home_dir',`
gen_require(`
- type gnome_home_t;
+ type cache_home_t;
')
+ setattr_dirs_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
- allow $1 gnome_home_t:dir search_dir_perms;
')
########################################
## <summary>
-## Create objects in gnome user home
-## directories with a private type.
+## Manage cache home dir (.cache)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="private_type">
-## <summary>
-## Private file type.
-## </summary>
-## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
#
-interface(`gnome_home_filetrans',`
+interface(`gnome_manage_cache_home_dir',`
gen_require(`
- type gnome_home_t;
+ type cache_home_t;
')
+ manage_dirs_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
- filetrans_pattern($1, gnome_home_t, $2, $3, $4)
')
########################################
## <summary>
-## Create generic gconf home directories.
+## append to generic cache home files (.cache)
## </summary>
## <param name="domain">
## <summary>
@@ -433,17 +522,18 @@ interface(`gnome_home_filetrans',`
## </summary>
## </param>
#
-interface(`gnome_create_generic_gconf_home_dirs',`
+interface(`gnome_append_generic_cache_files',`
gen_require(`
- type gconf_home_t;
+ type cache_home_t;
')
- allow $1 gconf_home_t:dir create_dir_perms;
+ append_files_pattern($1, cache_home_t, cache_home_t)
+ userdom_search_user_home_dirs($1)
')
########################################
## <summary>
-## Read generic gconf home content.
+## write to generic cache home files (.cache)
## </summary>
## <param name="domain">
## <summary>
@@ -451,23 +541,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
## </summary>
## </param>
#
-interface(`gnome_read_generic_gconf_home_content',`
+interface(`gnome_write_generic_cache_files',`
gen_require(`
- type gconf_home_t;
+ type cache_home_t;
')
+ write_files_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir list_dir_perms;
- allow $1 gconf_home_t:file read_file_perms;
- allow $1 gconf_home_t:fifo_file read_fifo_file_perms;
- allow $1 gconf_home_t:lnk_file read_lnk_file_perms;
- allow $1 gconf_home_t:sock_file read_sock_file_perms;
')
########################################
## <summary>
-## Create, read, write, and delete
-## generic gconf home content.
+## write to generic cache home files (.cache)
## </summary>
## <param name="domain">
## <summary>
@@ -475,22 +560,18 @@ interface(`gnome_read_generic_gconf_home_content',`
## </summary>
## </param>
#
-interface(`gnome_manage_generic_gconf_home_content',`
+interface(`gnome_manage_generic_cache_files',`
gen_require(`
- type gconf_home_t;
+ type cache_home_t;
')
+ manage_files_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir manage_dir_perms;
- allow $1 gconf_home_t:file manage_file_perms;
- allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;
- allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;
- allow $1 gconf_home_t:sock_file manage_sock_file_perms;
')
########################################
## <summary>
-## Search generic gconf home directories.
+## Manage a sock_file in the generic cache home files (.cache)
## </summary>
## <param name="domain">
## <summary>
@@ -498,79 +579,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
## </summary>
## </param>
#
-interface(`gnome_search_generic_gconf_home',`
+interface(`gnome_manage_generic_cache_sockets',`
gen_require(`
- type gconf_home_t;
+ type cache_home_t;
')
userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir search_dir_perms;
+ manage_sock_files_pattern($1, cache_home_t, cache_home_t)
')
########################################
## <summary>
-## Create objects in user home
-## directories with the generic gconf
-## home type.
+## Dontaudit read/write to generic cache home files (.cache)
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`gnome_home_filetrans_gconf_home',`
+interface(`gnome_dontaudit_rw_generic_cache_files',`
gen_require(`
- type gconf_home_t;
+ type cache_home_t;
')
- userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
+ dontaudit $1 cache_home_t:file rw_inherited_file_perms;
')
########################################
## <summary>
-## Create objects in user home
-## directories with the generic gnome
-## home type.
+## read gnome homedir content (.config)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
#
-interface(`gnome_home_filetrans_gnome_home',`
+interface(`gnome_read_config',`
gen_require(`
- type gnome_home_t;
+ attribute gnome_home_type;
')
- userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
+ list_dirs_pattern($1, gnome_home_type, gnome_home_type)
+ read_files_pattern($1, gnome_home_type, gnome_home_type)
+ read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
+ gnome_read_usr_config($1)
')
########################################
## <summary>
-## Create objects in gnome gconf home
-## directories with a private type.
+## Create objects in a Gnome gconf home directory
+## with an automatic type transition to
+## a specified private type.
## </summary>
## <param name="domain">
## <summary>
@@ -579,12 +640,12 @@ interface(`gnome_home_filetrans_gnome_home',`
## </param>
## <param name="private_type">
## <summary>
-## Private file type.
+## The type of the object to create.
## </summary>
## </param>
## <param name="object_class">
## <summary>
-## Class of the object being created.
+## The class of the object to be created.
## </summary>
## </param>
## <param name="name" optional="true">
@@ -593,18 +654,18 @@ interface(`gnome_home_filetrans_gnome_home',`
## </summary>
## </param>
#
-interface(`gnome_gconf_home_filetrans',`
+interface(`gnome_data_filetrans',`
gen_require(`
- type gconf_home_t;
+ type data_home_t;
')
- userdom_search_user_home_dirs($1)
- filetrans_pattern($1, gconf_home_t, $2, $3, $4)
+ filetrans_pattern($1, data_home_t, $2, $3, $4)
+ gnome_search_gconf($1)
')
-########################################
+#######################################
## <summary>
-## Read generic gnome keyring home files.
+## Read generic data home files.
## </summary>
## <param name="domain">
## <summary>
@@ -612,46 +673,58 @@ interface(`gnome_gconf_home_filetrans',`
## </summary>
## </param>
#
-interface(`gnome_read_keyring_home_files',`
+interface(`gnome_read_generic_data_home_files',`
gen_require(`
- type gnome_home_t, gnome_keyring_home_t;
+ type data_home_t, gconf_home_t;
')
- userdom_search_user_home_dirs($1)
- read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
+ read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
+ read_lnk_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
')
-########################################
+######################################
## <summary>
-## Send and receive messages from
-## gnome keyring daemon over dbus.
+## Read generic data home dirs.
## </summary>
-## <param name="role_prefix">
-## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
+#
+interface(`gnome_read_generic_data_home_dirs',`
+ gen_require(`
+ type data_home_t, gconf_home_t;
+ ')
+
+ list_dirs_pattern($1, { gconf_home_t data_home_t }, data_home_t)
+')
+
+#######################################
+## <summary>
+## Manage gconf data home files
+## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-interface(`gnome_dbus_chat_gkeyringd',`
+interface(`gnome_manage_data',`
gen_require(`
- type $1_gkeyringd_t;
- class dbus send_msg;
+ type data_home_t;
+ type gconf_home_t;
')
- allow $2 $1_gkeyringd_t:dbus send_msg;
- allow $1_gkeyringd_t $2:dbus send_msg;
+ allow $1 gconf_home_t:dir search_dir_perms;
+ manage_dirs_pattern($1, data_home_t, data_home_t)
+ manage_files_pattern($1, data_home_t, data_home_t)
+ manage_lnk_files_pattern($1, data_home_t, data_home_t)
')
########################################
## <summary>
-## Send and receive messages from all
-## gnome keyring daemon over dbus.
+## Read icc data home content.
## </summary>
## <param name="domain">
## <summary>
@@ -659,59 +732,1091 @@ interface(`gnome_dbus_chat_gkeyringd',`
## </summary>
## </param>
#
-interface(`gnome_dbus_chat_all_gkeyringd',`
+interface(`gnome_read_home_icc_data_content',`
gen_require(`
- attribute gkeyringd_domain;
- class dbus send_msg;
+ type icc_data_home_t, gconf_home_t, data_home_t;
')
- allow $1 gkeyringd_domain:dbus send_msg;
- allow gkeyringd_domain $1:dbus send_msg;
+ userdom_search_user_home_dirs($1)
+ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
+ allow $1 icc_data_home_t:file map;
+ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
+ read_files_pattern($1, icc_data_home_t, icc_data_home_t)
+ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
')
########################################
## <summary>
-## Connect to gnome keyring daemon
-## with a unix stream socket.
+## Read inherited icc data home files.
## </summary>
-## <param name="role_prefix">
+## <param name="domain">
## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Domain allowed access.
## </summary>
## </param>
+#
+interface(`gnome_read_inherited_home_icc_data_files',`
+ gen_require(`
+ type icc_data_home_t;
+ ')
+
+ allow $1 icc_data_home_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Create gconf_home_t objects in the /root directory
+## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
-interface(`gnome_stream_connect_gkeyringd',`
+interface(`gnome_admin_home_gconf_filetrans',`
gen_require(`
- type $1_gkeyringd_t, gnome_keyring_tmp_t;
+ type gconf_home_t;
')
- files_search_tmp($2)
- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
')
########################################
## <summary>
-## Connect to all gnome keyring daemon
-## with a unix stream socket.
+## Do not audit attempts to read
+## inherited gconf config files.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`gnome_stream_connect_all_gkeyringd',`
+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
gen_require(`
- attribute gkeyringd_domain;
- type gnome_keyring_tmp_t;
+ type gconf_etc_t;
')
- files_search_tmp($1)
- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
+ dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## read gconf config files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_gconf_config',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+ files_search_etc($1)
+')
+
+#######################################
+## <summary>
+## Manage gconf config files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_gconf_config',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
+')
+
+########################################
+## <summary>
+## Execute gconf programs in
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_exec_gconf',`
+ gen_require(`
+ type gconfd_exec_t;
+ ')
+
+ can_exec($1, gconfd_exec_t)
+')
+
+########################################
+## <summary>
+## Execute gnome keyringd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_exec_keyringd',`
+ gen_require(`
+ type gkeyringd_exec_t;
+ ')
+
+ can_exec($1, gkeyringd_exec_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Search gconf home data dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_search_gconf_data_dir',`
+ gen_require(`
+ type gconf_home_t;
+ type data_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gconf_home_t:dir list_dir_perms;
+ allow $1 data_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read gconf home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_gconf_home_files',`
+ gen_require(`
+ type gconf_home_t;
+ type data_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gconf_home_t:dir list_dir_perms;
+ allow $1 data_home_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_home_t, gconf_home_t)
+ read_files_pattern($1, data_home_t, data_home_t)
+ read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
+ read_lnk_files_pattern($1, data_home_t, data_home_t)
+')
+
+########################################
+## <summary>
+## Search gkeyringd temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_search_gkeyringd_tmp_dirs',`
+ gen_require(`
+ type gkeyringd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 gkeyringd_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List gkeyringd temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_list_gkeyringd_tmp_dirs',`
+ gen_require(`
+ type gkeyringd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 gkeyringd_tmp_t:dir list_dir_perms;
+')
+
+#######################################
+## <summary>
+## Delete gkeyringd temporary
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_delete_gkeyringd_tmp_content',`
+ gen_require(`
+ type gkeyringd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ delete_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
+ delete_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
+ delete_sock_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
+')
+
+#######################################
+## <summary>
+## Manage gkeyringd temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_gkeyringd_tmp_dirs',`
+ gen_require(`
+ type gkeyringd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
+')
+
+########################################
+## <summary>
+## search gconf homedir (.local)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_search_gconf',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ allow $1 gconf_home_t:dir search_dir_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Set attributes of Gnome config dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_setattr_config_dirs',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Manage generic gnome home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_generic_home_files',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, gnome_home_t, gnome_home_t)
+')
+
+########################################
+## <summary>
+## Manage generic gnome home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_generic_home_dirs',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gnome_home_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Append gconf home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_append_gconf_home_files',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ append_files_pattern($1, gconf_home_t, gconf_home_t)
+')
+
+########################################
+## <summary>
+## manage gconf home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_gconf_home_files',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ allow $1 gconf_home_t:dir list_dir_perms;
+ manage_files_pattern($1, gconf_home_t, gconf_home_t)
+')
+
+########################################
+## <summary>
+## Connect to gnome over a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`gnome_stream_connect',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ # Connect to pulseaudit server
+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
+')
+
+########################################
+## <summary>
+## list gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_list_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ allow $1 config_home_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Set attributes of gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_setattr_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ setattr_dirs_pattern($1, config_home_t, config_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## read gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ list_dirs_pattern($1, config_home_t, config_home_t)
+ read_files_pattern($1, config_home_t, config_home_t)
+ read_lnk_files_pattern($1, config_home_t, config_home_t)
+')
+#######################################
+## <summary>
+## append gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_append_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ append_files_pattern($1, config_home_t, config_home_t)
+')
+
+#######################################
+## <summary>
+## delete gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_delete_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ delete_files_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+## <summary>
+## Create gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_create_home_config_dirs',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ allow $1 config_home_t:dir create_dir_perms;
+')
+
+#######################################
+## <summary>
+## setattr gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_setattr_home_config_dirs',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ setattr_dirs_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+## <summary>
+## manage gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ manage_files_pattern($1, config_home_t, config_home_t)
+')
+
+#######################################
+## <summary>
+## delete gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_delete_home_config_dirs',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ delete_dirs_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+## <summary>
+## manage gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_home_config_dirs',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ manage_dirs_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+## <summary>
+## manage gstreamer home content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_gstreamer_home_files',`
+ gen_require(`
+ type gstreamer_home_t;
+ ')
+
+ manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
+ manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
+ gnome_filetrans_gstreamer_home_content($1)
+')
+
+######################################
+## <summary>
+## Allow to execute gstreamer home content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_exec_gstreamer_home_files',`
+ gen_require(`
+ type gstreamer_home_t;
+ ')
+
+ can_exec($1, gstreamer_home_t)
+')
+
+######################################
+## <summary>
+## Allow to execute config home content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_exec_config_home_files',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ can_exec($1, config_home_t)
+')
+
+#######################################
+## <summary>
+## file name transition gstreamer home content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_filetrans_gstreamer_home_content',`
+ gen_require(`
+ type gstreamer_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-bookmarks")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-metadata-store")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-podcasts")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.0")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.2")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
+ userdom_user_tmp_filetrans($1, gstreamer_home_t, dir, ".orc")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.12")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "GLCache")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.10")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.0")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.2")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-10")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-12")
+')
+
+#######################################
+## <summary>
+## manage gstreamer home content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_gstreamer_home_dirs',`
+ gen_require(`
+ type gstreamer_home_t;
+ ')
+
+ manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
+')
+
+########################################
+## <summary>
+## Read/Write all inherited gnome home config
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_rw_inherited_config',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ allow $1 gnome_home_type:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Dontaudit Read/Write all inherited gnome home config
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gnome_dontaudit_rw_inherited_config',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ dontaudit $1 gnome_home_type:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## gconf system service over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gconfdefault',`
+ gen_require(`
+ type gconfdefaultsm_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gconfdefaultsm_t:dbus send_msg;
+ allow gconfdefaultsm_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## gkeyringd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ class dbus send_msg;
+ ')
+
+ allow $1 gkeyringd_domain:dbus send_msg;
+ allow gkeyringd_domain $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send signull signal to gkeyringd processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_signull_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ ')
+
+ allow $1 gkeyringd_domain:process signull;
+')
+
+########################################
+## <summary>
+## Allow the domain to read gkeyringd state files in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_gkeyringd_state',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ ')
+
+ ps_process_pattern($1, gkeyringd_domain)
+')
+
+########################################
+## <summary>
+## Create directories in user home directories
+## with the gnome home file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_home_dir_filetrans',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Check whether sendmail executable
+## files are executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_access_check_usr_config',`
+ gen_require(`
+ type config_usr_t;
+ ')
+
+ allow $1 config_usr_t:dir_file_class_set audit_access;;
+')
+
+######################################
+## <summary>
+## Allow read kde config content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_usr_config',`
+ gen_require(`
+ type config_usr_t;
+ ')
+
+ files_search_usr($1)
+ list_dirs_pattern($1, config_usr_t, config_usr_t)
+ read_files_pattern($1, config_usr_t, config_usr_t)
+ read_lnk_files_pattern($1, config_usr_t, config_usr_t)
+')
+
+#######################################
+## <summary>
+## Allow manage kde config content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_usr_config',`
+ gen_require(`
+ type config_usr_t;
+ ')
+
+ files_search_usr($1)
+ manage_dirs_pattern($1, config_usr_t, config_usr_t)
+ manage_files_pattern($1, config_usr_t, config_usr_t)
+ manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
+')
+
+########################################
+## <summary>
+## Execute gnome-keyring in the user gkeyring domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`gnome_transition_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ ')
+
+ allow $1 gkeyringd_domain:process transition;
+ dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
+ allow gkeyringd_domain $1:process { sigchld signull };
+ allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Create gnome content in the user home directory
+## with an correct label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_filetrans_home_content',`
+
+gen_require(`
+ type config_home_t;
+ type cache_home_t;
+ type dbus_home_t;
+ type gconf_home_t;
+ type gnome_home_t;
+ type data_home_t, icc_data_home_t;
+ type gkeyringd_gnome_home_t;
+')
+
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config")
+ userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
+ userdom_user_home_dir_filetrans($1, dbus_home_t, dir, ".dbus")
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".nv")
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
+ userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
+
+ # ~/.color/icc: legacy
+ userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")
+ filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
+ filetrans_pattern($1, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
+ filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
+ filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
+ filetrans_pattern($1, cache_home_t, cache_home_t, dir, "fontconfig")
+ userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
+ gnome_cache_filetrans($1, config_home_t, dir, "dconf")
+ gnome_filetrans_gstreamer_home_content($1)
+')
+
+########################################
+## <summary>
+## Create gnome dconf dir in the user home directory
+## with an correct label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_filetrans_config_home_content',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ gnome_cache_filetrans($1, config_home_t, dir, "dconf")
+')
+
+######################################
+## <summary>
+## File name transition for generic home content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_filetrans_cert_home_content',`
+ gen_require(`
+ type home_cert_t;
+ ')
+
+ gnome_data_filetrans($1, home_cert_t, dir, "certificates")
+')
+
+########################################
+## <summary>
+## Create gnome directory in the /root directory
+## with an correct label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_filetrans_admin_home_content',`
+
+gen_require(`
+ type config_home_t;
+ type cache_home_t;
+ type dbus_home_t;
+ type gstreamer_home_t;
+ type gconf_home_t;
+ type gnome_home_t;
+ type icc_data_home_t;
+')
+
+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".config")
+ userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine")
+ userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache")
+ userdom_admin_home_dir_filetrans($1, dbus_home_t, dir, ".dbus")
+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".kde")
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
+ userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
+ gnome_filetrans_gstreamer_home_content($1)
+ # /root/.color/icc: legacy
+ userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
+')
+
+#####################################
+## <summary>
+## Execute gnome-keyring executable
+## in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a telepathy executable
+## in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## <p>
+## This interface was added to handle
+## the ssh-agent policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`gnome_command_domtrans_gkeyringd', `
+ gen_require(`
+ type gkeyringd_exec_t;
+ ')
+
+ allow $2 gkeyringd_exec_t:file entrypoint;
+ domain_transition_pattern($1, gkeyringd_exec_t, $2)
+ type_transition $1 gkeyringd_exec_t:process $2;
')
diff --git a/gnome.te b/gnome.te
index 63893eb2d..58b4cb17f 100644
--- a/gnome.te
+++ b/gnome.te
@@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0)
# Declarations
#
-attribute gkeyringd_domain;
attribute gnomedomain;
+attribute gnome_home_type;
+attribute gkeyringd_domain;
attribute_role gconfd_roles;
type gconf_etc_t;
files_config_file(gconf_etc_t)
-type gconf_home_t;
+type data_home_t, gnome_home_type;
+userdom_user_home_content(data_home_t)
+
+type config_home_t, gnome_home_type;
+userdom_user_home_content(config_home_t)
+
+type cache_home_t, gnome_home_type;
+userdom_user_home_content(cache_home_t)
+
+type gstreamer_home_t, gnome_home_type;
+userdom_user_home_content(gstreamer_home_t)
+
+type dbus_home_t, gnome_home_type;
+userdom_user_home_content(dbus_home_t)
+
+type icc_data_home_t, gnome_home_type;
+userdom_user_home_content(icc_data_home_t)
+
+type gconf_home_t, gnome_home_type;
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
typealias gconf_home_t alias unconfined_gconf_home_t;
@@ -31,105 +50,229 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
userdom_user_application_domain(gconfd_t, gconfd_exec_t)
role gconfd_roles types gconfd_t;
-type gnome_home_t;
+type gnome_home_t, gnome_home_type;
typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
typealias gnome_home_t alias unconfined_gnome_home_t;
userdom_user_home_content(gnome_home_t)
+# type KDE /usr/share/config files
+type config_usr_t;
+files_type(config_usr_t)
+
type gkeyringd_exec_t;
-application_executable_file(gkeyringd_exec_t)
+corecmd_executable_file(gkeyringd_exec_t)
-type gnome_keyring_home_t;
-userdom_user_home_content(gnome_keyring_home_t)
+type gkeyringd_gnome_home_t, gnome_home_type;
+userdom_user_home_content(gkeyringd_gnome_home_t)
-type gnome_keyring_tmp_t;
-userdom_user_tmp_file(gnome_keyring_tmp_t)
+type gkeyringd_tmp_t;
+userdom_user_tmp_content(gkeyringd_tmp_t)
+
+type gconfdefaultsm_t;
+type gconfdefaultsm_exec_t;
+init_daemon_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
+
+type gnomesystemmm_t;
+type gnomesystemmm_exec_t;
+init_daemon_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
##############################
#
-# Common local Policy
+# Local Policy
#
-allow gnomedomain self:process { getsched signal };
-allow gnomedomain self:fifo_file rw_fifo_file_perms;
+allow gconfd_t self:process getsched;
+allow gconfd_t self:fifo_file rw_fifo_file_perms;
-dev_read_urand(gnomedomain)
+manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
+
+manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
+
+allow gconfd_t gconf_etc_t:dir list_dir_perms;
+read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
+
+dev_read_urand(gconfd_t)
-domain_use_interactive_fds(gnomedomain)
-files_read_etc_files(gnomedomain)
-miscfiles_read_localization(gnomedomain)
+logging_send_syslog_msg(gconfd_t)
-logging_send_syslog_msg(gnomedomain)
+userdom_manage_user_tmp_sockets(gconfd_t)
+userdom_manage_user_tmp_dirs(gconfd_t)
+userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
-userdom_use_user_terminals(gnomedomain)
+optional_policy(`
+ nscd_dontaudit_search_pid(gconfd_t)
+')
optional_policy(`
- xserver_rw_xdm_pipes(gnomedomain)
- xserver_use_xdm_fds(gnomedomain)
+ xserver_use_xdm_fds(gconfd_t)
+ xserver_rw_xdm_pipes(gconfd_t)
')
-##############################
+#######################################
#
-# Conf daemon local Policy
+# gconf-defaults-mechanisms local policy
#
-allow gconfd_t gconf_etc_t:dir list_dir_perms;
-read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
+allow gconfdefaultsm_t self:capability { dac_read_search sys_nice };
+allow gconfdefaultsm_t self:process getsched;
+allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;
-manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
-manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
-userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
+corecmd_search_bin(gconfdefaultsm_t)
-manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
-manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
-userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
+auth_read_passwd(gconfdefaultsm_t)
-userdom_manage_user_tmp_dirs(gconfd_t)
-userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
+gnome_manage_gconf_home_files(gconfdefaultsm_t)
+gnome_manage_gconf_config(gconfdefaultsm_t)
+
+userdom_read_all_users_state(gconfdefaultsm_t)
+userdom_search_user_home_dirs(gconfdefaultsm_t)
+
+userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)
optional_policy(`
- nscd_dontaudit_search_pid(gconfd_t)
+ consolekit_dbus_chat(gconfdefaultsm_t)
')
-##############################
+optional_policy(`
+ dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(gconfdefaultsm_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(gconfdefaultsm_t)
+ policykit_dbus_chat(gconfdefaultsm_t)
+ policykit_read_lib(gconfdefaultsm_t)
+ policykit_read_reload(gconfdefaultsm_t)
+')
+
+userdom_home_manager(gconfdefaultsm_t)
+
+#######################################
+#
+# gnome-system-monitor-mechanisms local policy
+#
+
+allow gnomesystemmm_t self:capability { sys_admin sys_nice };
+allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
+
+rw_files_pattern(gnomesystemmm_t, config_usr_t, config_usr_t)
+
+kernel_read_system_state(gnomesystemmm_t)
+
+corecmd_search_bin(gnomesystemmm_t)
+
+domain_kill_all_domains(gnomesystemmm_t)
+domain_search_all_domains_state(gnomesystemmm_t)
+domain_setpriority_all_domains(gnomesystemmm_t)
+domain_signal_all_domains(gnomesystemmm_t)
+domain_sigstop_all_domains(gnomesystemmm_t)
+
+fs_getattr_xattr_fs(gnomesystemmm_t)
+
+auth_read_passwd(gnomesystemmm_t)
+
+logging_send_syslog_msg(gnomesystemmm_t)
+
+userdom_read_all_users_state(gnomesystemmm_t)
+userdom_dontaudit_search_admin_dir(gnomesystemmm_t)
+
+optional_policy(`
+ consolekit_dbus_chat(gnomesystemmm_t)
+')
+
+optional_policy(`
+ dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
+')
+
+optional_policy(`
+ gnome_manage_home_config(gnomesystemmm_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(gnomesystemmm_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(gnomesystemmm_t)
+ policykit_domtrans_auth(gnomesystemmm_t)
+ policykit_read_lib(gnomesystemmm_t)
+ policykit_read_reload(gnomesystemmm_t)
+')
+
+######################################
#
-# Keyring-daemon local policy
+# gnome-keyring-daemon local policy
#
allow gkeyringd_domain self:capability ipc_lock;
-allow gkeyringd_domain self:process { getcap setcap };
+allow gkeyringd_domain self:process { getcap getsched setcap signal };
+allow gkeyringd_domain self:fifo_file rw_fifo_file_perms;
allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };
-allow gkeyringd_domain gnome_home_t:dir create_dir_perms;
-gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2")
+manage_files_pattern(gkeyringd_domain, config_home_t, config_home_t)
-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
-manage_files_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
-gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings")
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
+manage_files_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
+allow gkeyringd_domain data_home_t:dir create_dir_perms;
+allow gkeyringd_domain gconf_home_t:dir create_dir_perms;
+filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share")
+filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
+filetrans_pattern(gkeyringd_domain, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
-manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
-files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
+manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
+files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
+fs_tmpfs_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
+userdom_user_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, { sock_file dir })
-kernel_read_system_state(gkeyringd_domain)
kernel_read_crypto_sysctls(gkeyringd_domain)
+corecmd_search_bin(gkeyringd_domain)
+
dev_read_rand(gkeyringd_domain)
+dev_read_urand(gkeyringd_domain)
dev_read_sysfs(gkeyringd_domain)
-files_read_usr_files(gkeyringd_domain)
+# for nscd?
+files_search_pids(gkeyringd_domain)
-fs_getattr_all_fs(gkeyringd_domain)
+fs_getattr_xattr_fs(gkeyringd_domain)
+fs_getattr_tmpfs(gkeyringd_domain)
-selinux_getattr_fs(gkeyringd_domain)
+userdom_user_home_dir_filetrans(gkeyringd_domain, gconf_home_t, dir, ".local")
optional_policy(`
- ssh_read_user_home_files(gkeyringd_domain)
+ xserver_append_xdm_home_files(gkeyringd_domain)
+ xserver_read_xdm_home_files(gkeyringd_domain)
+ xserver_use_xdm_fds(gkeyringd_domain)
+')
+
+optional_policy(`
+ dbus_dontaudit_stream_connect_system_dbusd(gkeyringd_domain)
')
optional_policy(`
- telepathy_mission_control_read_state(gkeyringd_domain)
+ gnome_create_home_config_dirs(gkeyringd_domain)
+ gnome_read_home_config(gkeyringd_domain)
+ gnome_manage_generic_cache_files(gkeyringd_domain)
+ gnome_manage_cache_home_dir(gkeyringd_domain)
+ gnome_manage_generic_cache_sockets(gkeyringd_domain)
')
+
+optional_policy(`
+ ssh_read_user_home_files(gkeyringd_domain)
+')
+
+domain_use_interactive_fds(gnomedomain)
+
+userdom_use_inherited_user_terminals(gnomedomain)
diff --git a/gnomeclock.fc b/gnomeclock.fc
index f9ba8cd99..690630113 100644
--- a/gnomeclock.fc
+++ b/gnomeclock.fc
@@ -1,7 +1,10 @@
+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/kde3/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/kde4/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
/usr/lib/gnome-settings-daemon/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
diff --git a/gnomeclock.if b/gnomeclock.if
index 3f55702fb..25c7ab82c 100644
--- a/gnomeclock.if
+++ b/gnomeclock.if
@@ -2,8 +2,7 @@
########################################
## <summary>
-## Execute a domain transition to
-## run gnomeclock.
+## Execute a domain transition to run gnomeclock.
## </summary>
## <param name="domain">
## <summary>
@@ -16,15 +15,13 @@ interface(`gnomeclock_domtrans',`
type gnomeclock_t, gnomeclock_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t)
')
########################################
## <summary>
-## Execute gnomeclock in the gnomeclock
-## domain, and allow the specified
-## role the gnomeclock domain.
+## Execute gnomeclock in the gnomeclock domain, and
+## allow the specified role the gnomeclock domain.
## </summary>
## <param name="domain">
## <summary>
@@ -39,11 +36,11 @@ interface(`gnomeclock_domtrans',`
#
interface(`gnomeclock_run',`
gen_require(`
- attribute_role gnomeclock_roles;
+ type gnomeclock_t;
')
gnomeclock_domtrans($1)
- roleattribute $2 gnomeclock_roles;
+ role $2 types gnomeclock_t;
')
########################################
@@ -69,9 +66,8 @@ interface(`gnomeclock_dbus_chat',`
########################################
## <summary>
-## Do not audit attempts to send and
-## receive messages from gnomeclock
-## over dbus.
+## Do not audit send and receive messages from
+## gnomeclock over dbus.
## </summary>
## <param name="domain">
## <summary>
diff --git a/gnomeclock.te b/gnomeclock.te
index 7cd7435e6..eb067c236 100644
--- a/gnomeclock.te
+++ b/gnomeclock.te
@@ -5,82 +5,95 @@ policy_module(gnomeclock, 1.1.0)
# Declarations
#
-attribute_role gnomeclock_roles;
-
type gnomeclock_t;
type gnomeclock_exec_t;
-init_system_domain(gnomeclock_t, gnomeclock_exec_t)
-role gnomeclock_roles types gnomeclock_t;
+init_daemon_domain(gnomeclock_t, gnomeclock_exec_t)
+
+type gnomeclock_tmp_t;
+files_tmp_file(gnomeclock_tmp_t)
########################################
#
-# Local policy
+# gnomeclock local policy
#
-allow gnomeclock_t self:capability { sys_nice sys_time };
+allow gnomeclock_t self:capability { sys_nice sys_time dac_read_search };
allow gnomeclock_t self:process { getattr getsched signal };
allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
-allow gnomeclock_t self:unix_stream_socket { accept listen };
+allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
+allow gnomeclock_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t)
+manage_files_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t)
+manage_lnk_files_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t)
+files_tmp_filetrans(gnomeclock_t, gnomeclock_tmp_t, { file dir })
kernel_read_system_state(gnomeclock_t)
corecmd_exec_bin(gnomeclock_t)
corecmd_exec_shell(gnomeclock_t)
+corecmd_dontaudit_access_check_bin(gnomeclock_t)
-corenet_all_recvfrom_unlabeled(gnomeclock_t)
-corenet_all_recvfrom_netlabel(gnomeclock_t)
-corenet_tcp_sendrecv_generic_if(gnomeclock_t)
-corenet_tcp_sendrecv_generic_node(gnomeclock_t)
+corenet_tcp_connect_time_port(gnomeclock_t)
-# tcp:37 (time)
-corenet_sendrecv_inetd_child_client_packets(gnomeclock_t)
-corenet_tcp_connect_inetd_child_port(gnomeclock_t)
-corenet_tcp_sendrecv_inetd_child_port(gnomeclock_t)
-
-dev_read_sysfs(gnomeclock_t)
-dev_read_urand(gnomeclock_t)
dev_rw_realtime_clock(gnomeclock_t)
+dev_read_urand(gnomeclock_t)
+dev_write_kmsg(gnomeclock_t)
+dev_read_sysfs(gnomeclock_t)
-files_read_usr_files(gnomeclock_t)
+files_read_etc_runtime_files(gnomeclock_t)
fs_getattr_xattr_fs(gnomeclock_t)
auth_use_nsswitch(gnomeclock_t)
+init_dbus_chat(gnomeclock_t)
+
+logging_stream_connect_syslog(gnomeclock_t)
logging_send_syslog_msg(gnomeclock_t)
-miscfiles_etc_filetrans_localization(gnomeclock_t)
miscfiles_manage_localization(gnomeclock_t)
-miscfiles_read_localization(gnomeclock_t)
+miscfiles_etc_filetrans_localization(gnomeclock_t)
userdom_read_all_users_state(gnomeclock_t)
optional_policy(`
- chronyd_initrc_domtrans(gnomeclock_t)
+ chronyd_systemctl(gnomeclock_t)
')
optional_policy(`
+ clock_read_adjtime(gnomeclock_t)
clock_domtrans(gnomeclock_t)
')
optional_policy(`
- dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+ consolekit_dbus_chat(gnomeclock_t)
+')
- optional_policy(`
- consolekit_dbus_chat(gnomeclock_t)
- ')
+optional_policy(`
+ consoletype_exec(gnomeclock_t)
+')
- optional_policy(`
- policykit_dbus_chat(gnomeclock_t)
- ')
+optional_policy(`
+dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+')
+
+optional_policy(`
+ gnome_manage_usr_config(gnomeclock_t)
+ gnome_manage_home_config(gnomeclock_t)
+ gnome_filetrans_admin_home_content(gnomeclock_t)
')
optional_policy(`
ntp_domtrans_ntpdate(gnomeclock_t)
ntp_initrc_domtrans(gnomeclock_t)
+ init_dontaudit_getattr_all_script_files(gnomeclock_t)
+ init_dontaudit_getattr_exec(gnomeclock_t)
+ ntp_systemctl(gnomeclock_t)
')
optional_policy(`
+ policykit_dbus_chat(gnomeclock_t)
policykit_domtrans_auth(gnomeclock_t)
policykit_read_lib(gnomeclock_t)
policykit_read_reload(gnomeclock_t)
diff --git a/gpg.fc b/gpg.fc
index 888cd2c68..c02fa5694 100644
--- a/gpg.fc
+++ b/gpg.fc
@@ -1,10 +1,14 @@
-HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
-HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+HOME_DIR/\.gnupg/log-socket gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+
+/etc/mail/spamassassin/sa-update-keys(/.*)? gen_context(system_u:object_r:gpg_secret_t,s0)
+
+/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
diff --git a/gpg.if b/gpg.if
index 180f1b7cc..3c8757e47 100644
--- a/gpg.if
+++ b/gpg.if
@@ -2,57 +2,79 @@
############################################################
## <summary>
-## Role access for gpg.
+## Role access for gpg
## </summary>
## <param name="role">
## <summary>
-## Role allowed access.
+## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
-## User domain for the role.
+## User domain for the role
## </summary>
## </param>
#
interface(`gpg_role',`
gen_require(`
- attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles;
- type gpg_t, gpg_exec_t, gpg_agent_t;
- type gpg_agent_exec_t, gpg_agent_tmp_t, gpg_helper_t;
- type gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_secret_t;
+ attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles;
+ type gpg_t, gpg_exec_t;
+ type gpg_agent_t, gpg_agent_exec_t;
+ type gpg_agent_tmp_t;
+ type gpg_helper_t, gpg_pinentry_t;
+ type gpg_pinentry_tmp_t;
')
- roleattribute $1 gpg_roles;
- roleattribute $1 gpg_agent_roles;
- roleattribute $1 gpg_helper_roles;
- roleattribute $1 gpg_pinentry_roles;
+ roleattribute $1 gpg_roles;
+ roleattribute $1 gpg_agent_roles;
+ roleattribute $1 gpg_helper_roles;
+ roleattribute $1 gpg_pinentry_roles;
+ # transition from the userdomain to the derived domain
domtrans_pattern($2, gpg_exec_t, gpg_t)
- domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
- allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms };
- ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t })
+ # allow ps to show gpg
+ ps_process_pattern($2, gpg_t)
+ allow $2 gpg_t:process { signull sigstop signal sigkill };
- allow gpg_pinentry_t $2:process signull;
+ # communicate with the user
allow gpg_helper_t $2:fd use;
- allow { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write };
+ allow gpg_helper_t $2:fifo_file write;
+
+ # allow ps to show gpg-agent
+ ps_process_pattern($2, gpg_agent_t)
- allow $2 { gpg_agent_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { gpg_agent_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms };
- allow $2 gpg_secret_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- allow $2 { gpg_agent_tmp_t gpg_pinentry_tmp_t gpg_secret_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
- filetrans_pattern($2, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
- userdom_user_home_dir_filetrans($2, gpg_secret_t, dir, ".gnupg")
+ # Allow the user shell to signal the gpg-agent program.
+ allow $2 gpg_agent_t:process { signal sigkill };
+
+ manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
+
+ # Transition from the user domain to the agent domain.
+ domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
+
+ manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+ relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+
+ allow gpg_pinentry_t $2:fifo_file { read write };
optional_policy(`
gpg_pinentry_dbus_chat($2)
')
+
+ allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };
+ ifdef(`hide_broken_symptoms',`
+ #Leaked File Descriptors
+ dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
+ dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms;
+ ')
')
########################################
## <summary>
-## Execute the gpg in the gpg domain.
+## Transition to a user gpg domain.
## </summary>
## <param name="domain">
## <summary>
@@ -65,13 +87,12 @@ interface(`gpg_domtrans',`
type gpg_t, gpg_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, gpg_exec_t, gpg_t)
')
-########################################
+######################################
## <summary>
-## Execute the gpg in the caller domain.
+## Execute gpg in the caller domain.
## </summary>
## <param name="domain">
## <summary>
@@ -88,76 +109,46 @@ interface(`gpg_exec',`
can_exec($1, gpg_exec_t)
')
-########################################
-## <summary>
-## Execute gpg in a specified domain.
-## </summary>
-## <desc>
-## <p>
-## Execute gpg in a specified domain.
-## </p>
-## <p>
-## No interprocess communication (signals, pipes,
-## etc.) is provided by this interface since
-## the domains are not owned by this module.
-## </p>
-## </desc>
-## <param name="source_domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="target_domain">
-## <summary>
-## Domain to transition to.
-## </summary>
-## </param>
-#
-interface(`gpg_spec_domtrans',`
- gen_require(`
- type gpg_exec_t;
- ')
-
- corecmd_search_bin($1)
- domain_auto_trans($1, gpg_exec_t, $2)
-')
-
######################################
## <summary>
-## Execute gpg in the gpg web domain. (Deprecated)
+## Transition to a gpg web domain.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`gpg_domtrans_web',`
- refpolicywarn(`$0($*) has been deprecated.')
+ gen_require(`
+ type gpg_web_t, gpg_exec_t;
+ ')
+
+ domtrans_pattern($1, gpg_exec_t, gpg_web_t)
')
######################################
## <summary>
-## Make gpg executable files an
-## entrypoint for the specified domain.
+## Make gpg an entrypoint for
+## the specified domain.
## </summary>
## <param name="domain">
-## <summary>
-## The domain for which gpg_exec_t is an entrypoint.
-## </summary>
+## <summary>
+## The domain for which cifs_t is an entrypoint.
+## </summary>
## </param>
#
interface(`gpg_entry_type',`
- gen_require(`
- type gpg_exec_t;
- ')
+ gen_require(`
+ type gpg_exec_t;
+ ')
- domain_entry_file($1, gpg_exec_t)
+ domain_entry_file($1, gpg_exec_t)
')
########################################
## <summary>
-## Send generic signals to gpg.
+## Send generic signals to user gpg processes.
## </summary>
## <param name="domain">
## <summary>
@@ -175,7 +166,7 @@ interface(`gpg_signal',`
########################################
## <summary>
-## Read and write gpg agent pipes.
+## Read and write GPG agent pipes.
## </summary>
## <param name="domain">
## <summary>
@@ -184,6 +175,7 @@ interface(`gpg_signal',`
## </param>
#
interface(`gpg_rw_agent_pipes',`
+ # Just wants read/write could this be a leak?
gen_require(`
type gpg_agent_t;
')
@@ -193,8 +185,8 @@ interface(`gpg_rw_agent_pipes',`
########################################
## <summary>
-## Send messages to and from gpg
-## pinentry over DBUS.
+## Send messages to and from GPG
+## Pinentry over DBUS.
## </summary>
## <param name="domain">
## <summary>
@@ -214,7 +206,7 @@ interface(`gpg_pinentry_dbus_chat',`
########################################
## <summary>
-## List gpg user secrets.
+## List Gnu Privacy Guard user secrets.
## </summary>
## <param name="domain">
## <summary>
@@ -230,3 +222,39 @@ interface(`gpg_list_user_secrets',`
list_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
userdom_search_user_home_dirs($1)
')
+###########################
+## <summary>
+## Allow to manage gpg named home content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_manage_home_content',`
+ gen_require(`
+ type gpg_secret_t;
+ ')
+
+ manage_files_pattern($1, gpg_secret_t, gpg_secret_t)
+ manage_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
+########################################
+## <summary>
+## Transition to gpg named home content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_filetrans_home_content',`
+ gen_require(`
+ type gpg_secret_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
diff --git a/gpg.te b/gpg.te
index 0e97e82f1..4bcee621d 100644
--- a/gpg.te
+++ b/gpg.te
@@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0)
#
# Declarations
#
-
-## <desc>
-## <p>
-## Determine whether GPG agent can manage
-## generic user home content files. This is
-## required by the --write-env-file option.
-## </p>
-## </desc>
-gen_tunable(gpg_agent_env_file, false)
+attribute gpgdomain;
attribute_role gpg_roles;
roleattribute system_r gpg_roles;
@@ -24,7 +16,15 @@ roleattribute system_r gpg_helper_roles;
attribute_role gpg_pinentry_roles;
-type gpg_t;
+## <desc>
+## <p>
+## Allow gpg web domain to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(gpg_web_anon_write, false)
+
+type gpg_t, gpgdomain;
type gpg_exec_t;
typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
@@ -69,95 +69,100 @@ type gpg_pinentry_tmpfs_t;
userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t)
optional_policy(`
- pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)
+ pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)
')
+type gpg_web_t;
+domain_type(gpg_web_t)
+gpg_entry_type(gpg_web_t)
+role system_r types gpg_web_t;
+
########################################
#
-# Local policy
+# GPG local policy
#
-allow gpg_t self:capability { ipc_lock setuid };
-allow gpg_t self:process { signal signull setrlimit getcap setcap getsched setsched setpgid };
-dontaudit gpg_t self:netlink_audit_socket r_netlink_socket_perms;
-allow gpg_t self:fifo_file rw_fifo_file_perms;
-allow gpg_t self:tcp_socket { accept listen };
+allow gpgdomain self:capability { ipc_lock setuid };
+allow gpgdomain self:process { getsched setsched };
+#at setrlimit is for ulimit -c 0
+allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
+dontaudit gpgdomain self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
+allow gpgdomain self:netlink_kobject_uevent_socket create_socket_perms;
+
+allow gpgdomain self:fifo_file rw_fifo_file_perms;
+allow gpgdomain self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
-manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+allow gpg_t gpg_secret_t:dir create_dir_perms;
manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
-userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
-
-stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
-
-domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
-domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")
kernel_read_sysctl(gpg_t)
+kernel_read_system_state(gpg_t)
+kernel_getattr_core_if(gpg_t)
corecmd_exec_shell(gpg_t)
corecmd_exec_bin(gpg_t)
-corenet_all_recvfrom_unlabeled(gpg_t)
corenet_all_recvfrom_netlabel(gpg_t)
corenet_tcp_sendrecv_generic_if(gpg_t)
+corenet_udp_sendrecv_generic_if(gpg_t)
corenet_tcp_sendrecv_generic_node(gpg_t)
-
-corenet_sendrecv_all_client_packets(gpg_t)
-corenet_tcp_connect_all_ports(gpg_t)
+corenet_udp_sendrecv_generic_node(gpg_t)
corenet_tcp_sendrecv_all_ports(gpg_t)
+corenet_udp_sendrecv_all_ports(gpg_t)
+corenet_tcp_connect_all_ports(gpg_t)
+corenet_sendrecv_all_client_packets(gpg_t)
-dev_read_generic_usb_dev(gpg_t)
dev_read_rand(gpg_t)
dev_read_urand(gpg_t)
-
-files_read_usr_files(gpg_t)
-files_dontaudit_search_var(gpg_t)
+dev_read_generic_usb_dev(gpg_t)
+dev_dontaudit_getattr_all(gpg_t)
fs_getattr_xattr_fs(gpg_t)
fs_list_inotifyfs(gpg_t)
domain_use_interactive_fds(gpg_t)
-auth_use_nsswitch(gpg_t)
+files_dontaudit_search_var(gpg_t)
-logging_send_syslog_msg(gpg_t)
+auth_use_nsswitch(gpg_t)
-miscfiles_read_localization(gpg_t)
+init_dontaudit_getattr_initctl(gpg_t)
-userdom_use_user_terminals(gpg_t)
+logging_send_syslog_msg(gpg_t)
-userdom_manage_user_tmp_files(gpg_t)
+userdom_use_inherited_user_terminals(gpg_t)
+# sign/encrypt user files
+userdom_manage_all_user_tmp_content(gpg_t)
+#userdom_manage_user_home_content(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
-userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
+userdom_manage_user_home_content_dirs(gpg_t)
+userdom_filetrans_home_content(gpg_t)
+userdom_stream_connect(gpg_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(gpg_t)
- fs_manage_nfs_files(gpg_t)
-')
+mta_manage_config(gpg_t)
+mta_read_spool(gpg_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(gpg_t)
- fs_manage_cifs_files(gpg_t)
-')
+userdom_home_manager(gpg_t)
optional_policy(`
- gnome_read_generic_home_content(gpg_t)
- gnome_stream_connect_all_gkeyringd(gpg_t)
+ gpm_dontaudit_getattr_gpmctl(gpg_t)
')
optional_policy(`
- mozilla_dontaudit_rw_user_home_files(gpg_t)
+ gnome_manage_config(gpg_t)
+ gnome_stream_connect_gkeyringd(gpg_t)
')
optional_policy(`
- mta_read_spool_files(gpg_t)
- mta_write_config(gpg_t)
+ mozilla_read_user_home_files(gpg_t)
+ mozilla_write_user_home_files(gpg_t)
')
optional_policy(`
@@ -165,37 +170,51 @@ optional_policy(`
')
optional_policy(`
- cron_system_entry(gpg_t, gpg_exec_t)
- cron_read_system_job_tmp_files(gpg_t)
-')
-
-optional_policy(`
xserver_use_xdm_fds(gpg_t)
xserver_rw_xdm_pipes(gpg_t)
')
+#optional_policy(`
+# cron_system_entry(gpg_t, gpg_exec_t)
+# cron_read_system_job_tmp_files(gpg_t)
+#')
+
########################################
#
-# Helper local policy
+# GPG helper local policy
#
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+
allow gpg_helper_t self:process { getsched setsched };
+
+# for helper programs (which automatically fetch keys)
+# Note: this is only tested with the hkp interface. If you use eg the
+# mail interface you will likely need additional permissions.
+
allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
+allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
-dontaudit gpg_helper_t gpg_secret_t:file read_file_perms;
+dontaudit gpg_helper_t gpg_secret_t:file read;
-corenet_all_recvfrom_unlabeled(gpg_helper_t)
corenet_all_recvfrom_netlabel(gpg_helper_t)
corenet_tcp_sendrecv_generic_if(gpg_helper_t)
+corenet_raw_sendrecv_generic_if(gpg_helper_t)
+corenet_udp_sendrecv_generic_if(gpg_helper_t)
corenet_tcp_sendrecv_generic_node(gpg_helper_t)
+corenet_udp_sendrecv_generic_node(gpg_helper_t)
+corenet_raw_sendrecv_generic_node(gpg_helper_t)
corenet_tcp_sendrecv_all_ports(gpg_helper_t)
-
-corenet_sendrecv_all_client_packets(gpg_helper_t)
+corenet_udp_sendrecv_all_ports(gpg_helper_t)
+corenet_tcp_bind_generic_node(gpg_helper_t)
+corenet_udp_bind_generic_node(gpg_helper_t)
corenet_tcp_connect_all_ports(gpg_helper_t)
+
auth_use_nsswitch(gpg_helper_t)
-userdom_use_user_terminals(gpg_helper_t)
+userdom_use_inherited_user_terminals(gpg_helper_t)
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files(gpg_helper_t)
@@ -207,29 +226,36 @@ tunable_policy(`use_samba_home_dirs',`
########################################
#
-# Agent local policy
+# GPG agent local policy
#
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+
+# rlimit: gpg-agent wants to prevent coredumps
+allow gpg_agent_t self:process { setrlimit signal_perms };
-allow gpg_agent_t self:process setrlimit;
-allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ;
allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+# Allow the gpg-agent to manage its tmp files (socket)
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
-
-domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
+# allow gpg to connect to the gpg agent
+stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
-kernel_dontaudit_search_sysctl(gpg_agent_t)
+kernel_read_system_state(gpg_agent_t)
+kernel_read_core_if(gpg_agent_t)
+corecmd_read_bin_symlinks(gpg_agent_t)
+corecmd_exec_bin(gpg_agent_t)
corecmd_exec_shell(gpg_agent_t)
dev_read_rand(gpg_agent_t)
@@ -239,35 +265,35 @@ domain_use_interactive_fds(gpg_agent_t)
fs_dontaudit_list_inotifyfs(gpg_agent_t)
-miscfiles_read_localization(gpg_agent_t)
+miscfiles_read_certs(gpg_agent_t)
-userdom_use_user_terminals(gpg_agent_t)
+# Write to the user domain tty.
+userdom_use_inherited_user_terminals(gpg_agent_t)
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
userdom_search_user_home_dirs(gpg_agent_t)
+userdom_filetrans_home_content(gpg_agent_t)
+
+userdom_manage_user_home_content_dirs(gpg_agent_t)
+userdom_manage_user_home_content_files(gpg_agent_t)
+userdom_manage_all_user_tmp_content(gpg_agent_t)
ifdef(`hide_broken_symptoms',`
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
+ userdom_dontaudit_write_user_tmp_files(gpg_agent_t)
')
-tunable_policy(`gpg_agent_env_file',`
- userdom_manage_user_home_content_dirs(gpg_agent_t)
- userdom_manage_user_home_content_files(gpg_agent_t)
- userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
-')
+userdom_home_manager(gpg_agent_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(gpg_agent_t)
- fs_manage_nfs_files(gpg_agent_t)
- fs_manage_nfs_symlinks(gpg_agent_t)
+optional_policy(`
+ gnome_manage_config(gpg_agent_t)
')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(gpg_agent_t)
- fs_manage_cifs_files(gpg_agent_t)
- fs_manage_cifs_symlinks(gpg_agent_t)
+optional_policy(`
+ mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
')
optional_policy(`
- mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
+ pcscd_stream_connect(gpg_agent_t)
')
##############################
@@ -277,8 +303,17 @@ optional_policy(`
allow gpg_pinentry_t self:process { getcap getsched setsched signal };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
+allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
allow gpg_pinentry_t self:shm create_shm_perms;
-allow gpg_pinentry_t self:tcp_socket { accept listen };
+allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
+allow gpg_pinentry_t self:unix_dgram_socket sendto;
+allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+
+can_exec(gpg_pinentry_t, pinentry_exec_t)
+
+# we need to allow gpg-agent to call pinentry so it can get the passphrase
+# from the user.
+domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
@@ -287,53 +322,88 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
-can_exec(gpg_pinentry_t, pinentry_exec_t)
-
+# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)
corecmd_exec_shell(gpg_pinentry_t)
corecmd_exec_bin(gpg_pinentry_t)
corenet_all_recvfrom_netlabel(gpg_pinentry_t)
-corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
+corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
+corenet_tcp_bind_generic_node(gpg_pinentry_t)
+corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)
dev_read_urand(gpg_pinentry_t)
dev_read_rand(gpg_pinentry_t)
-domain_use_interactive_fds(gpg_pinentry_t)
-
-files_read_usr_files(gpg_pinentry_t)
+# read /etc/X11/qtrc
fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
+fs_getattr_all_fs(gpg_pinentry_t)
auth_use_nsswitch(gpg_pinentry_t)
logging_send_syslog_msg(gpg_pinentry_t)
miscfiles_read_fonts(gpg_pinentry_t)
-miscfiles_read_localization(gpg_pinentry_t)
+# for .Xauthority
+userdom_read_user_home_content_files(gpg_pinentry_t)
+userdom_read_user_tmp_files(gpg_pinentry_t)
+# Bug: user pulseaudio files need open,read and unlink:
+allow gpg_pinentry_t user_tmp_t:file unlink;
+userdom_signull_unpriv_users(gpg_pinentry_t)
userdom_use_user_terminals(gpg_pinentry_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(gpg_pinentry_t)
-')
+userdom_home_reader(gpg_pinentry_t)
+userdom_stream_connect(gpg_pinentry_t)
+userdom_map_tmp_files(gpg_pinentry_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(gpg_pinentry_t)
+optional_policy(`
+ gnome_manage_home_config(gpg_pinentry_t)
')
optional_policy(`
- dbus_all_session_bus_client(gpg_pinentry_t)
+ dbus_session_bus_client(gpg_pinentry_t)
dbus_system_bus_client(gpg_pinentry_t)
')
optional_policy(`
- pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles)
+ gnome_write_generic_cache_files(gpg_pinentry_t)
+ gnome_read_generic_cache_files(gpg_pinentry_t)
+ gnome_read_gconf_home_files(gpg_pinentry_t)
+')
+
+optional_policy(`
+ pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles)
+ pulseaudio_stream_connect(gpg_pinentry_t)
')
optional_policy(`
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
+
+')
+
+#############################
+#
+# gpg web local policy
+#
+
+allow gpg_web_t self:process setrlimit;
+
+dev_read_rand(gpg_web_t)
+dev_read_urand(gpg_web_t)
+
+can_exec(gpg_web_t, gpg_exec_t)
+
+
+
+apache_dontaudit_rw_tmp_files(gpg_web_t)
+apache_manage_sys_content_rw(gpg_web_t)
+
+tunable_policy(`gpg_web_anon_write',`
+ miscfiles_manage_public_files(gpg_web_t)
')
diff --git a/gpm.te b/gpm.te
index 69734fd15..8cda8e166 100644
--- a/gpm.te
+++ b/gpm.te
@@ -13,7 +13,7 @@ type gpm_initrc_exec_t;
init_script_file(gpm_initrc_exec_t)
type gpm_conf_t;
-files_type(gpm_conf_t)
+files_config_file(gpm_conf_t)
type gpm_tmp_t;
files_tmp_file(gpm_tmp_t)
@@ -29,7 +29,7 @@ files_type(gpmctl_t)
# Local policy
#
-allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config };
+allow gpm_t self:capability { setpcap setuid dac_read_search sys_admin sys_tty_config };
allow gpm_t self:process { signal signull getcap setcap };
allow gpm_t self:unix_stream_socket { accept listen };
@@ -57,7 +57,6 @@ dev_read_sysfs(gpm_t)
dev_rw_input_dev(gpm_t)
dev_rw_mouse(gpm_t)
-files_read_etc_files(gpm_t)
fs_getattr_all_fs(gpm_t)
fs_search_auto_mountpoints(gpm_t)
@@ -68,11 +67,9 @@ domain_use_interactive_fds(gpm_t)
logging_send_syslog_msg(gpm_t)
-miscfiles_read_localization(gpm_t)
-
-userdom_use_user_terminals(gpm_t)
userdom_dontaudit_use_unpriv_user_fds(gpm_t)
userdom_dontaudit_search_user_home_dirs(gpm_t)
+userdom_use_inherited_user_terminals(gpm_t)
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/gpsd.te b/gpsd.te
index fe3895ece..1a96553d4 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -28,11 +28,12 @@ files_pid_file(gpsd_var_run_t)
#
allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
-dontaudit gpsd_t self:capability { dac_read_search dac_override };
+dontaudit gpsd_t self:capability { sys_ptrace dac_read_search };
allow gpsd_t self:process { setsched signal_perms };
allow gpsd_t self:shm create_shm_perms;
allow gpsd_t self:unix_dgram_socket sendto;
allow gpsd_t self:tcp_socket { accept listen };
+allow gpsd_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
@@ -62,13 +63,13 @@ domain_dontaudit_read_all_domains_state(gpsd_t)
term_use_unallocated_ttys(gpsd_t)
term_setattr_unallocated_ttys(gpsd_t)
+term_use_usb_ttys(gpsd_t)
+term_setattr_usb_ttys(gpsd_t)
auth_use_nsswitch(gpsd_t)
logging_send_syslog_msg(gpsd_t)
-miscfiles_read_localization(gpsd_t)
-
optional_policy(`
chronyd_rw_shm(gpsd_t)
chronyd_stream_connect(gpsd_t)
diff --git a/gssproxy.fc b/gssproxy.fc
new file mode 100644
index 000000000..f4659d125
--- /dev/null
+++ b/gssproxy.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_file_t,s0)
+
+/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
+
+/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
+
+/var/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_var_run_t,s0)
+/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_var_run_t,s0)
diff --git a/gssproxy.if b/gssproxy.if
new file mode 100644
index 000000000..8a2013af9
--- /dev/null
+++ b/gssproxy.if
@@ -0,0 +1,217 @@
+
+## <summary>policy for gssproxy</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the gssproxy domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gssproxy_domtrans',`
+ gen_require(`
+ type gssproxy_t, gssproxy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+## Search gssproxy lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_search_lib',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ allow $1 gssproxy_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read gssproxy lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_read_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gssproxy lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gssproxy lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_dirs',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read gssproxy PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_read_pid_files',`
+ gen_require(`
+ type gssproxy_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute gssproxy server in the gssproxy domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gssproxy_systemctl',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 gssproxy_unit_file_t:file read_file_perms;
+ allow $1 gssproxy_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, gssproxy_t)
+')
+
+########################################
+## <summary>
+## Connect to gssproxy over an unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_stream_connect',`
+ gen_require(`
+ type gssproxy_t, gssproxy_var_run_t, gssproxy_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t, gssproxy_t)
+ stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an gssproxy environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`gssproxy_admin',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_var_lib_t;
+ type gssproxy_var_run_t;
+ type gssproxy_unit_file_t;
+ ')
+
+ allow $1 gssproxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gssproxy_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, gssproxy_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gssproxy_var_run_t)
+
+ gssproxy_systemctl($1)
+ admin_pattern($1, gssproxy_unit_file_t)
+ allow $1 gssproxy_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
+
+########################################
+## <summary>
+## Read and write to svirt_image devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_noatsecure',`
+ gen_require(`
+ type gssproxy_t;
+ ')
+
+ allow $1 gssproxy_t:process { noatsecure rlimitinh };
+')
diff --git a/gssproxy.te b/gssproxy.te
new file mode 100644
index 000000000..800eb43a1
--- /dev/null
+++ b/gssproxy.te
@@ -0,0 +1,75 @@
+policy_module(gssproxy, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gssproxy_t;
+type gssproxy_exec_t;
+init_daemon_domain(gssproxy_t, gssproxy_exec_t)
+
+type gssproxy_var_lib_t;
+files_type(gssproxy_var_lib_t)
+
+type gssproxy_var_run_t;
+files_pid_file(gssproxy_var_run_t)
+
+type gssproxy_unit_file_t;
+systemd_unit_file(gssproxy_unit_file_t)
+
+########################################
+#
+# gssproxy local policy
+#
+allow gssproxy_t self:capability { setuid setgid dac_read_search };
+allow gssproxy_t self:capability2 block_suspend;
+allow gssproxy_t self:fifo_file rw_fifo_file_perms;
+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+manage_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file sock_file })
+
+kernel_rw_rpc_sysctls(gssproxy_t)
+kernel_read_network_state(gssproxy_t)
+
+domain_use_interactive_fds(gssproxy_t)
+
+files_read_etc_files(gssproxy_t)
+
+fs_getattr_all_fs(gssproxy_t)
+
+auth_use_nsswitch(gssproxy_t)
+
+dev_read_urand(gssproxy_t)
+
+logging_send_syslog_msg(gssproxy_t)
+
+miscfiles_read_localization(gssproxy_t)
+
+userdom_read_all_users_keys(gssproxy_t)
+userdom_manage_user_tmp_dirs(gssproxy_t)
+userdom_manage_user_tmp_files(gssproxy_t)
+
+optional_policy(`
+ ipa_read_lib(gssproxy_t)
+')
+
+optional_policy(`
+ kerberos_use(gssproxy_t)
+ kerberos_filetrans_named_content(gssproxy_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(gssproxy, gssproxy_t)
+ kerberos_manage_host_rcache(gssproxy_t)
+')
diff --git a/guest.te b/guest.te
index 19cdbe1d7..060577633 100644
--- a/guest.te
+++ b/guest.te
@@ -20,4 +20,4 @@ optional_policy(`
apache_role(guest_r, guest_t)
')
-#gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(guest_u, user, guest_r, s0, s0)
diff --git a/hadoop.te b/hadoop.te
index e15137840..04d173d1d 100644
--- a/hadoop.te
+++ b/hadoop.te
@@ -155,7 +155,6 @@ dev_read_urand(hadoop_t)
domain_use_interactive_fds(hadoop_t)
files_dontaudit_search_spool(hadoop_t)
-files_read_usr_files(hadoop_t)
fs_getattr_xattr_fs(hadoop_t)
@@ -263,8 +262,6 @@ kernel_read_system_state(hadoop_initrc_domain)
corecmd_exec_bin(hadoop_initrc_domain)
corecmd_exec_shell(hadoop_initrc_domain)
-files_read_etc_files(hadoop_initrc_domain)
-files_read_usr_files(hadoop_initrc_domain)
files_search_locks(hadoop_initrc_domain)
files_search_pids(hadoop_initrc_domain)
@@ -453,7 +450,6 @@ dev_read_urand(zookeeper_t)
domain_use_interactive_fds(zookeeper_t)
-files_read_usr_files(zookeeper_t)
auth_use_nsswitch(zookeeper_t)
@@ -537,7 +533,6 @@ dev_read_rand(zookeeper_server_t)
dev_read_sysfs(zookeeper_server_t)
dev_read_urand(zookeeper_server_t)
-files_read_usr_files(zookeeper_server_t)
fs_getattr_xattr_fs(zookeeper_server_t)
diff --git a/hal.te b/hal.te
index bbccc79f1..ef689e4b8 100644
--- a/hal.te
+++ b/hal.te
@@ -61,7 +61,6 @@ files_type(hald_var_lib_t)
# Common local policy
#
-files_read_usr_files(hald_domain)
miscfiles_read_localization(hald_domain)
@@ -72,7 +71,7 @@ hal_stream_connect(hald_domain)
# Local policy
#
-allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_read_search mknod sys_rawio sys_tty_config };
dontaudit hald_t self:capability { sys_ptrace sys_tty_config };
allow hald_t self:process { getsched getattr signal_perms };
allow hald_t self:fifo_file rw_fifo_file_perms;
@@ -116,7 +115,7 @@ kernel_rw_irq_sysctls(hald_t)
kernel_rw_vm_sysctls(hald_t)
kernel_write_proc_files(hald_t)
kernel_rw_net_sysctls(hald_t)
-kernel_setsched(hald_t)
+kernel_dontaudit_setsched(hald_t)
kernel_request_load_module(hald_t)
corecmd_exec_all_executables(hald_t)
@@ -339,7 +338,7 @@ optional_policy(`
# ACL local policy
#
-allow hald_acl_t self:capability { dac_override fowner sys_resource };
+allow hald_acl_t self:capability { dac_read_search fowner sys_resource };
allow hald_acl_t self:process { getattr signal };
allow hald_acl_t self:fifo_file rw_fifo_file_perms;
@@ -437,7 +436,6 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
dev_rw_input_dev(hald_keymap_t)
-files_read_etc_files(hald_keymap_t)
logging_search_logs(hald_keymap_t)
diff --git a/hddtemp.if b/hddtemp.if
index 1728071d0..6e2d333d9 100644
--- a/hddtemp.if
+++ b/hddtemp.if
@@ -19,6 +19,32 @@ interface(`hddtemp_domtrans',`
domtrans_pattern($1, hddtemp_exec_t, hddtemp_t)
')
+########################################
+## <summary>
+## Execute hddtemp in the hddtemp domain, and
+## allow the specified role the hddtemp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`hddtemp_run',`
+ gen_require(`
+ type hddtemp_t;
+ attribute_role hddtemp_roles;
+ ')
+
+ hddtemp_domtrans($1)
+ roleattribute $2 hddtemp_roles;
+')
+
######################################
## <summary>
## Execute hddtemp in the caller domain.
@@ -60,9 +86,13 @@ interface(`hddtemp_admin',`
type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
')
- allow $1 hddtemp_t:process { ptrace signal_perms };
+ allow $1 hddtemp_t:process signal_perms;
ps_process_pattern($1, hddtemp_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 hddtemp_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 hddtemp_initrc_exec_t system_r;
diff --git a/hddtemp.te b/hddtemp.te
index 9e11b9822..6338ea761 100644
--- a/hddtemp.te
+++ b/hddtemp.te
@@ -4,10 +4,12 @@ policy_module(hddtemp, 1.2.0)
#
# Declarations
#
+attribute_role hddtemp_roles;
type hddtemp_t;
type hddtemp_exec_t;
init_daemon_domain(hddtemp_t, hddtemp_exec_t)
+role hddtemp_roles types hddtemp_t;
type hddtemp_initrc_exec_t;
init_script_file(hddtemp_initrc_exec_t)
@@ -26,7 +28,6 @@ allow hddtemp_t self:tcp_socket { accept listen };
allow hddtemp_t hddtemp_etc_t:file read_file_perms;
-corenet_all_recvfrom_unlabeled(hddtemp_t)
corenet_all_recvfrom_netlabel(hddtemp_t)
corenet_tcp_sendrecv_generic_if(hddtemp_t)
corenet_tcp_sendrecv_generic_node(hddtemp_t)
@@ -36,9 +37,6 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t)
corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
corenet_tcp_sendrecv_hddtemp_port(hddtemp_t)
-files_search_etc(hddtemp_t)
-files_read_usr_files(hddtemp_t)
-
storage_raw_read_fixed_disk(hddtemp_t)
storage_raw_read_removable_device(hddtemp_t)
@@ -46,4 +44,3 @@ auth_use_nsswitch(hddtemp_t)
logging_send_syslog_msg(hddtemp_t)
-miscfiles_read_localization(hddtemp_t)
diff --git a/hostapd.fc b/hostapd.fc
new file mode 100644
index 000000000..0ca97b84b
--- /dev/null
+++ b/hostapd.fc
@@ -0,0 +1,5 @@
+/usr/lib/systemd/system/hostapd.service -- gen_context(system_u:object_r:hostapd_unit_file_t,s0)
+
+/usr/sbin/hostapd -- gen_context(system_u:object_r:hostapd_exec_t,s0)
+
+/var/run/hostapd(/.*)? gen_context(system_u:object_r:hostapd_var_run_t,s0)
\ No newline at end of file
diff --git a/hostapd.if b/hostapd.if
new file mode 100644
index 000000000..d0016da91
--- /dev/null
+++ b/hostapd.if
@@ -0,0 +1,101 @@
+
+## <summary>policy for hostapd</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the hostapd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hostapd_domtrans',`
+ gen_require(`
+ type hostapd_t, hostapd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, hostapd_exec_t, hostapd_t)
+')
+########################################
+## <summary>
+## Execute hostapd server in the hostapd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hostapd_systemctl',`
+ gen_require(`
+ type hostapd_t;
+ type hostapd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 hostapd_unit_file_t:file read_file_perms;
+ allow $1 hostapd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, hostapd_t)
+')
+
+
+########################################
+## <summary>
+## Read hostapd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hostapd_read_pid_files',`
+ gen_require(`
+ type hostapd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, hostapd_var_run_t, hostapd_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an hostapd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`hostapd_admin',`
+ gen_require(`
+ type hostapd_t;
+ type hostapd_unit_file_t;
+ type hostapd_var_run_t;
+ ')
+
+ allow $1 hostapd_t:process { signal_perms };
+ ps_process_pattern($1, hostapd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 hostapd_t:process ptrace;
+ ')
+
+ hostapd_systemctl($1)
+ admin_pattern($1, hostapd_unit_file_t)
+ allow $1 hostapd_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+
+ admin_pattern($1, hostapd_var_run_t)
+')
diff --git a/hostapd.te b/hostapd.te
new file mode 100644
index 000000000..438573dfa
--- /dev/null
+++ b/hostapd.te
@@ -0,0 +1,53 @@
+policy_module(hostapd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type hostapd_t;
+type hostapd_exec_t;
+init_daemon_domain(hostapd_t, hostapd_exec_t)
+
+type hostapd_var_run_t;
+files_pid_file(hostapd_var_run_t)
+
+type hostapd_unit_file_t;
+systemd_unit_file(hostapd_unit_file_t)
+
+########################################
+#
+# hostapd local policy
+#
+allow hostapd_t self:capability { fsetid chown net_admin net_raw };
+allow hostapd_t self:fifo_file rw_fifo_file_perms;
+allow hostapd_t self:unix_stream_socket create_stream_socket_perms;
+allow hostapd_t self:netlink_socket create_socket_perms;
+allow hostapd_t self:netlink_generic_socket create_socket_perms;
+allow hostapd_t self:netlink_route_socket create_netlink_socket_perms;
+allow hostapd_t self:packet_socket create_socket_perms;
+
+manage_dirs_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+manage_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+manage_lnk_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+manage_sock_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+files_pid_filetrans(hostapd_t, hostapd_var_run_t, { dir file lnk_file sock_file })
+
+kernel_read_system_state(hostapd_t)
+kernel_read_network_state(hostapd_t)
+kernel_request_load_module(hostapd_t)
+
+dev_read_rand(hostapd_t)
+dev_read_urand(hostapd_t)
+dev_read_sysfs(hostapd_t)
+dev_rw_wireless(hostapd_t)
+
+domain_use_interactive_fds(hostapd_t)
+
+files_read_etc_files(hostapd_t)
+
+auth_use_nsswitch(hostapd_t)
+
+logging_send_syslog_msg(hostapd_t)
+
+miscfiles_read_localization(hostapd_t)
diff --git a/howl.te b/howl.te
index b9e60ecfb..0477728a0 100644
--- a/howl.te
+++ b/howl.te
@@ -36,7 +36,6 @@ kernel_request_load_module(howl_t)
kernel_list_proc(howl_t)
kernel_read_proc_symlinks(howl_t)
-corenet_all_recvfrom_unlabeled(howl_t)
corenet_all_recvfrom_netlabel(howl_t)
corenet_tcp_sendrecv_generic_if(howl_t)
corenet_udp_sendrecv_generic_if(howl_t)
@@ -65,8 +64,6 @@ init_dontaudit_write_utmp(howl_t)
logging_send_syslog_msg(howl_t)
-miscfiles_read_localization(howl_t)
-
userdom_dontaudit_use_unpriv_user_fds(howl_t)
userdom_dontaudit_search_user_home_dirs(howl_t)
diff --git a/hsqldb.fc b/hsqldb.fc
new file mode 100644
index 000000000..aa92d7118
--- /dev/null
+++ b/hsqldb.fc
@@ -0,0 +1,7 @@
+/usr/lib/hsqldb/hsqldb-post -- gen_context(system_u:object_r:hsqldb_exec_t,s0)
+/usr/lib/hsqldb/hsqldb-stop -- gen_context(system_u:object_r:hsqldb_exec_t,s0)
+/usr/lib/hsqldb/hsqldb-wrapper -- gen_context(system_u:object_r:hsqldb_exec_t,s0)
+
+/usr/lib/systemd/system/hsqldb.* -- gen_context(system_u:object_r:hsqldb_unit_file_t,s0)
+
+/var/lib/hsqldb(/.*)? gen_context(system_u:object_r:hsqldb_var_lib_t,s0)
diff --git a/hsqldb.if b/hsqldb.if
new file mode 100644
index 000000000..f43f7489f
--- /dev/null
+++ b/hsqldb.if
@@ -0,0 +1,241 @@
+
+## <summary>Hsqldb is transactional database engine with in-memory and disk-based tables, supporting embedded and server modes.</summary>
+
+########################################
+## <summary>
+## Execute hsqldb_exec_t in the hsqldb domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hsqldb_domtrans',`
+ gen_require(`
+ type hsqldb_t, hsqldb_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, hsqldb_exec_t, hsqldb_t)
+')
+
+######################################
+## <summary>
+## Execute hsqldb in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hsqldb_exec',`
+ gen_require(`
+ type hsqldb_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, hsqldb_exec_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read,
+## hsqldb tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`hsqldb_dontaudit_read_tmp_files',`
+ gen_require(`
+ type hsqldb_tmp_t;
+ ')
+
+ dontaudit $1 hsqldb_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read hsqldb tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hsqldb_read_tmp_files',`
+ gen_require(`
+ type hsqldb_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t)
+')
+
+########################################
+## <summary>
+## Manage hsqldb tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hsqldb_manage_tmp',`
+ gen_require(`
+ type hsqldb_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_dirs_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t)
+ manage_files_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t)
+ manage_lnk_files_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t)
+')
+
+########################################
+## <summary>
+## Search hsqldb lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hsqldb_search_lib',`
+ gen_require(`
+ type hsqldb_var_lib_t;
+ ')
+
+ allow $1 hsqldb_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read hsqldb lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hsqldb_read_lib_files',`
+ gen_require(`
+ type hsqldb_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, hsqldb_var_lib_t, hsqldb_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage hsqldb lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hsqldb_manage_lib_files',`
+ gen_require(`
+ type hsqldb_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, hsqldb_var_lib_t, hsqldb_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage hsqldb lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hsqldb_manage_lib_dirs',`
+ gen_require(`
+ type hsqldb_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, hsqldb_var_lib_t, hsqldb_var_lib_t)
+')
+
+########################################
+## <summary>
+## Execute hsqldb server in the hsqldb domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hsqldb_systemctl',`
+ gen_require(`
+ type hsqldb_t;
+ type hsqldb_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 hsqldb_unit_file_t:file read_file_perms;
+ allow $1 hsqldb_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, hsqldb_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an hsqldb environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hsqldb_admin',`
+ gen_require(`
+ type hsqldb_t;
+ type hsqldb_tmp_t;
+ type hsqldb_var_lib_t;
+ type hsqldb_unit_file_t;
+ ')
+
+ allow $1 hsqldb_t:process { signal_perms };
+ ps_process_pattern($1, hsqldb_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 hsqldb_t:process ptrace;
+ ')
+
+ files_search_tmp($1)
+ admin_pattern($1, hsqldb_tmp_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, hsqldb_var_lib_t)
+
+ hsqldb_systemctl($1)
+ admin_pattern($1, hsqldb_unit_file_t)
+ allow $1 hsqldb_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/hsqldb.te b/hsqldb.te
new file mode 100644
index 000000000..28816b4fd
--- /dev/null
+++ b/hsqldb.te
@@ -0,0 +1,57 @@
+policy_module(hsqldb, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type hsqldb_t;
+type hsqldb_exec_t;
+init_daemon_domain(hsqldb_t, hsqldb_exec_t)
+
+type hsqldb_tmp_t;
+files_tmp_file(hsqldb_tmp_t)
+
+type hsqldb_var_lib_t;
+files_type(hsqldb_var_lib_t)
+
+type hsqldb_unit_file_t;
+systemd_unit_file(hsqldb_unit_file_t)
+
+########################################
+#
+# hsqldb local policy
+#
+
+allow hsqldb_t self:process execmem;
+
+allow hsqldb_t self:fifo_file rw_fifo_file_perms;
+allow hsqldb_t self:stream_socket_class_set create_stream_socket_perms;
+
+manage_dirs_pattern(hsqldb_t, hsqldb_tmp_t, hsqldb_tmp_t)
+manage_files_pattern(hsqldb_t, hsqldb_tmp_t, hsqldb_tmp_t)
+files_tmp_filetrans(hsqldb_t, hsqldb_tmp_t, { dir file })
+
+manage_dirs_pattern(hsqldb_t, hsqldb_var_lib_t, hsqldb_var_lib_t)
+manage_files_pattern(hsqldb_t, hsqldb_var_lib_t, hsqldb_var_lib_t)
+manage_lnk_files_pattern(hsqldb_t, hsqldb_var_lib_t, hsqldb_var_lib_t)
+manage_sock_files_pattern(hsqldb_t, hsqldb_var_lib_t, hsqldb_var_lib_t)
+files_var_lib_filetrans(hsqldb_t, hsqldb_var_lib_t, { dir })
+
+kernel_read_system_state(hsqldb_t)
+kernel_read_network_state(hsqldb_t)
+
+corecmd_exec_bin(hsqldb_t)
+
+corenet_tcp_bind_generic_node(hsqldb_t)
+corenet_tcp_bind_tor_port(hsqldb_t)
+corenet_tcp_connect_tor_port(hsqldb_t)
+
+dev_list_sysfs(hsqldb_t)
+
+dev_read_urand(hsqldb_t)
+dev_read_rand(hsqldb_t)
+
+auth_use_nsswitch(hsqldb_t)
+
+sysnet_read_config(hsqldb_t)
diff --git a/hwloc.fc b/hwloc.fc
new file mode 100644
index 000000000..d0c5a1502
--- /dev/null
+++ b/hwloc.fc
@@ -0,0 +1,5 @@
+/usr/sbin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
+
+/usr/lib/systemd/system/hwloc-dump-hwdata.* -- gen_context(system_u:object_r:hwloc_dhwd_unit_t,s0)
+
+/var/run/hwloc(/.*)? gen_context(system_u:object_r:hwloc_var_run_t,s0)
diff --git a/hwloc.if b/hwloc.if
new file mode 100644
index 000000000..f98e16612
--- /dev/null
+++ b/hwloc.if
@@ -0,0 +1,110 @@
+## <summary>Dump topology and locality information from hardware tables.</summary>
+
+########################################
+## <summary>
+## Execute hwloc dhwd in the hwloc dhwd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hwloc_domtrans_dhwd',`
+ gen_require(`
+ type hwloc_dhwd_t, hwloc_dhwd_exec_t;
+ ')
+
+ domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t)
+')
+
+########################################
+## <summary>
+## Execute hwloc dhwd in the hwloc dhwd domain, and
+## allow the specified role the hwloc dhwd domain,
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`hwloc_run_dhwd',`
+ gen_require(`
+ attribute_role hwloc_dhwd_roles;
+ ')
+
+ hwloc_domtrans_dhwd($1)
+ roleattribute $2 hwloc_dhwd_roles;
+')
+
+########################################
+## <summary>
+## Execute hwloc dhwd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hwloc_exec_dhwd',`
+ gen_require(`
+ type hwloc_dhwd_exec_t;
+ ')
+
+ can_exec($1, hwloc_dhwd_exec_t)
+')
+
+########################################
+## <summary>
+## Read hwloc runtime files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hwloc_read_runtime_files',`
+ gen_require(`
+ type hwloc_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an hwloc environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`hwloc_admin',`
+ gen_require(`
+ type hwloc_dhwd_t, hwloc_var_run_t;
+ ')
+
+ allow $1 hwloc_dhwd_t:process { signal_perms };
+ ps_process_pattern($1, hwloc_dhwd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 hwloc_dhwd_t:process ptrace;
+ ')
+
+ admin_pattern($1, hwloc_var_run_t)
+ files_pid_filetrans($1, hwloc_var_run_t, dir, "hwloc")
+')
diff --git a/hwloc.te b/hwloc.te
new file mode 100644
index 000000000..0f45fd50e
--- /dev/null
+++ b/hwloc.te
@@ -0,0 +1,31 @@
+policy_module(hwloc, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role hwloc_dhwd_roles;
+roleattribute system_r hwloc_dhwd_roles;
+
+type hwloc_dhwd_t;
+type hwloc_dhwd_exec_t;
+init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t)
+role hwloc_dhwd_roles types hwloc_dhwd_t;
+
+type hwloc_var_run_t;
+files_pid_file(hwloc_var_run_t)
+
+type hwloc_dhwd_unit_t;
+systemd_unit_file(hwloc_dhwd_unit_t)
+
+########################################
+#
+# Local policy
+#
+
+allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms;
+allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms;
+files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)
+
+dev_read_sysfs(hwloc_dhwd_t)
diff --git a/hypervkvp.fc b/hypervkvp.fc
index b46130ef5..e2ae3b22b 100644
--- a/hypervkvp.fc
+++ b/hypervkvp.fc
@@ -1,3 +1,10 @@
-/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0)
-/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+/usr/lib/systemd/system/hypervvssd.* -- gen_context(system_u:object_r:hypervvssd_unit_file_t,s0)
+
+/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
+/usr/sbin/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
+
+/usr/sbin/hypervvssd -- gen_context(system_u:object_r:hypervvssd_exec_t,s0)
+
+/var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)
diff --git a/hypervkvp.if b/hypervkvp.if
index 6517fadbb..f1837481b 100644
--- a/hypervkvp.if
+++ b/hypervkvp.if
@@ -1,32 +1,135 @@
-## <summary>HyperV key value pair (KVP).</summary>
+
+## <summary>policy for hypervkvp</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the hypervkvp domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hypervkvp_domtrans',`
+ gen_require(`
+ type hypervkvp_t, hypervkvp_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, hypervkvp_exec_t, hypervkvp_t)
+')
+
+########################################
+## <summary>
+## Search hypervkvp lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hypervkvp_search_lib',`
+ gen_require(`
+ type hypervkvp_var_lib_t;
+ ')
+
+ allow $1 hypervkvp_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read hypervkvp lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hypervkvp_read_lib_files',`
+ gen_require(`
+ type hypervkvp_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 hypervkvp_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+')
########################################
## <summary>
-## All of the rules required to
-## administrate an hypervkvp environment.
+## Create, read, write, and delete
+## hypervkvp lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+#
+interface(`hypervkvp_manage_lib_files',`
+ gen_require(`
+ type hypervkvp_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Execute hypervkvp server in the hypervkvp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hypervkvp_systemctl',`
+ gen_require(`
+ type hypervkvp_t;
+ type hypervkvp_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 hypervkvp_unit_file_t:file read_file_perms;
+ allow $1 hypervkvp_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, hypervkvp_t)
+ ')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an hypervkvp environment
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
interface(`hypervkvp_admin',`
gen_require(`
- type hypervkvpd_t, hypervkvpd_initrc_exec_t;
+ type hypervkvp_t;
+ type hypervkvp_unit_file_t;
+ ')
+
+ allow $1 hypervkvp_t:process signal_perms;
+ ps_process_pattern($1, hypervkvp_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 hypervkvp_t:process ptrace;
')
- allow $1 hypervkvpd_t:process { ptrace signal_perms };
- ps_process_pattern($1, hypervkvpd_t)
+ hypervkvp_manage_lib_files($1)
- init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 hypervkvpd_initrc_exec_t system_r;
- allow $2 system_r;
+ hypervkvp_systemctl($1)
+ admin_pattern($1, hypervkvp_unit_file_t)
+ allow $1 hypervkvp_unit_file_t:service all_service_perms;
')
diff --git a/hypervkvp.te b/hypervkvp.te
index 4eb7041ef..180e5b799 100644
--- a/hypervkvp.te
+++ b/hypervkvp.te
@@ -5,24 +5,163 @@ policy_module(hypervkvp, 1.0.0)
# Declarations
#
-type hypervkvpd_t;
-type hypervkvpd_exec_t;
-init_daemon_domain(hypervkvpd_t, hypervkvpd_exec_t)
+attribute hyperv_domain;
-type hypervkvpd_initrc_exec_t;
-init_script_file(hypervkvpd_initrc_exec_t)
+type hypervkvp_t, hyperv_domain;
+type hypervkvp_exec_t;
+init_daemon_domain(hypervkvp_t, hypervkvp_exec_t)
+
+type hypervkvp_initrc_exec_t;
+init_script_file(hypervkvp_initrc_exec_t)
+
+type hypervkvp_unit_file_t;
+systemd_unit_file(hypervkvp_unit_file_t)
+
+type hypervkvp_var_lib_t;
+files_type(hypervkvp_var_lib_t)
+
+type hypervkvp_tmp_t;
+files_tmpfs_file(hypervkvp_tmp_t)
+
+type hypervvssd_t, hyperv_domain;
+type hypervvssd_exec_t;
+init_daemon_domain(hypervvssd_t, hypervvssd_exec_t)
+
+type hypervvssd_unit_file_t;
+systemd_unit_file(hypervvssd_unit_file_t)
+
+########################################
+#
+# hyperv domain local policy
+#
+
+allow hyperv_domain self:capability net_admin;
+allow hyperv_domain self:netlink_socket create_socket_perms;
+
+allow hyperv_domain self:fifo_file rw_fifo_file_perms;
+allow hyperv_domain self:unix_stream_socket create_stream_socket_perms;
+
+corecmd_exec_shell(hyperv_domain)
+corecmd_exec_bin(hyperv_domain)
+
+dev_read_sysfs(hyperv_domain)
########################################
#
-# Local policy
+# hypervkvp local policy
+#
+
+allow hypervkvp_t self:capability sys_ptrace;
+allow hypervkvp_t self:process setfscreate;
+allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)
+
+manage_files_pattern(hypervkvp_t, hypervkvp_tmp_t, hypervkvp_tmp_t)
+manage_dirs_pattern(hypervkvp_t, hypervkvp_tmp_t, hypervkvp_tmp_t)
+files_tmp_filetrans(hypervkvp_t, hypervkvp_tmp_t, { file dir })
+
+kernel_read_system_state(hypervkvp_t)
+kernel_read_network_state(hypervkvp_t)
+kernel_rw_net_sysctls(hypervkvp_t)
+
+corecmd_getattr_all_executables(hypervkvp_t)
+
+dev_rw_hypervkvp(hypervkvp_t)
+
+domain_read_all_domains_state(hypervkvp_t)
+
+seutil_exec_setfiles(hypervkvp_t)
+seutil_read_file_contexts(hypervkvp_t)
+
+domain_read_all_domains_state(hypervkvp_t)
+
+dev_read_urand(hypervkvp_t)
+
+files_dontaudit_search_home(hypervkvp_t)
+files_dontaudit_getattr_non_security_files(hypervkvp_t)
+
+fs_getattr_all_fs(hypervkvp_t)
+fs_read_hugetlbfs_files(hypervkvp_t)
+fs_list_hugetlbfs(hypervkvp_t)
+
+auth_use_nsswitch(hypervkvp_t)
+
+logging_send_syslog_msg(hypervkvp_t)
+logging_read_syslog_config(hypervkvp_t)
+
+libs_exec_ldconfig(hypervkvp_t)
+
+modutils_domtrans_insmod(hypervkvp_t)
+
+seutil_domtrans_setfiles(hypervkvp_t)
+
+sysnet_dns_name_resolve(hypervkvp_t)
+sysnet_domtrans_dhcpc(hypervkvp_t)
+sysnet_domtrans_ifconfig(hypervkvp_t)
+
+sysnet_manage_dhcpc_pid(hypervkvp_t)
+sysnet_signal_dhcpc(hypervkvp_t)
+
+sysnet_manage_config(hypervkvp_t)
+sysnet_read_dhcpc_state(hypervkvp_t)
+sysnet_read_dhcp_config(hypervkvp_t)
+sysnet_etc_filetrans_config(hypervkvp_t)
+
+systemd_exec_systemctl(hypervkvp_t)
+
+userdom_dontaudit_search_admin_dir(hypervkvp_t)
+
+optional_policy(`
+ brctl_domtrans(hypervkvp_t)
+')
+
+optional_policy(`
+ dbus_read_pid_files(hypervkvp_t)
+ dbus_system_bus_client(hypervkvp_t)
+')
+
+optional_policy(`
+ hostname_exec(hypervkvp_t)
+')
+
+optional_policy(`
+ firewalld_dbus_chat(hypervkvp_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(hypervkvp_t)
+ netutils_domtrans(hypervkvp_t)
+')
+
+optional_policy(`
+ networkmanager_read_pid_files(hypervkvp_t)
+ networkmanager_dbus_chat(hypervkvp_t)
+')
+
+optional_policy(`
+ sysnet_exec_ifconfig(hypervkvp_t)
+')
+
+optional_policy(`
+ rpm_exec(hypervkvp_t)
+')
+
+########################################
#
+# hypervvssd local policy
#
-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
+allow hypervvssd_t self:capability sys_admin;
+
+dev_rw_hypervvssd(hypervvssd_t)
-logging_send_syslog_msg(hypervkvpd_t)
+files_list_boot(hypervvssd_t)
-miscfiles_read_localization(hypervkvpd_t)
+files_list_all_mountpoints(hypervvssd_t)
+files_write_all_mountpoints(hypervvssd_t)
+files_list_non_auth_dirs(hypervvssd_t)
-sysnet_dns_name_resolve(hypervkvpd_t)
+logging_send_syslog_msg(hypervvssd_t)
diff --git a/i18n_input.te b/i18n_input.te
index 369a0566b..65fde93d9 100644
--- a/i18n_input.te
+++ b/i18n_input.te
@@ -45,7 +45,6 @@ can_exec(i18n_input_t, i18n_input_exec_t)
kernel_read_kernel_sysctls(i18n_input_t)
kernel_read_system_state(i18n_input_t)
-corenet_all_recvfrom_unlabeled(i18n_input_t)
corenet_all_recvfrom_netlabel(i18n_input_t)
corenet_tcp_sendrecv_generic_if(i18n_input_t)
corenet_tcp_sendrecv_generic_node(i18n_input_t)
@@ -68,7 +67,6 @@ fs_getattr_all_fs(i18n_input_t)
fs_search_auto_mountpoints(i18n_input_t)
files_read_etc_runtime_files(i18n_input_t)
-files_read_usr_files(i18n_input_t)
auth_use_nsswitch(i18n_input_t)
@@ -76,20 +74,9 @@ init_stream_connect_script(i18n_input_t)
logging_send_syslog_msg(i18n_input_t)
-miscfiles_read_localization(i18n_input_t)
-
userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
userdom_read_user_home_content_files(i18n_input_t)
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(i18n_input_t)
- fs_read_nfs_symlinks(i18n_input_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(i18n_input_t)
- fs_read_cifs_symlinks(i18n_input_t)
-')
+userdom_home_reader(i18n_input_t)
optional_policy(`
canna_stream_connect(i18n_input_t)
diff --git a/icecast.if b/icecast.if
index 580b533ce..c267cea58 100644
--- a/icecast.if
+++ b/icecast.if
@@ -176,6 +176,14 @@ interface(`icecast_admin',`
type icecast_var_run_t;
')
+ allow $1 icecast_t:process signal_perms;
+ ps_process_pattern($1, icecast_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 icecast_t:process ptrace;
+ ')
+
+ # Allow icecast_t to restart the apache service
icecast_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 icecast_initrc_exec_t system_r;
diff --git a/icecast.te b/icecast.te
index a9e573a50..23f8b5d4c 100644
--- a/icecast.te
+++ b/icecast.te
@@ -32,7 +32,7 @@ files_pid_file(icecast_var_run_t)
# Local policy
#
-allow icecast_t self:capability { dac_override setgid setuid sys_nice };
+allow icecast_t self:capability { dac_read_search setgid setuid sys_nice };
allow icecast_t self:process { getsched setsched signal };
allow icecast_t self:fifo_file rw_fifo_file_perms;
allow icecast_t self:unix_stream_socket create_stream_socket_perms;
@@ -65,11 +65,9 @@ dev_read_sysfs(icecast_t)
dev_read_urand(icecast_t)
dev_read_rand(icecast_t)
-domain_use_interactive_fds(icecast_t)
-
auth_use_nsswitch(icecast_t)
-miscfiles_read_localization(icecast_t)
+files_dontaudit_list_tmp(icecast_t)
tunable_policy(`icecast_use_any_tcp_ports',`
corenet_tcp_connect_all_ports(icecast_t)
diff --git a/ifplugd.if b/ifplugd.if
index 899989996..96909ae6a 100644
--- a/ifplugd.if
+++ b/ifplugd.if
@@ -119,7 +119,7 @@ interface(`ifplugd_admin',`
type ifplugd_initrc_exec_t;
')
- allow $1 ifplugd_t:process { ptrace signal_perms };
+ allow $1 ifplugd_t:process signal_perms;
ps_process_pattern($1, ifplugd_t)
init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
diff --git a/ifplugd.te b/ifplugd.te
index b0546b43b..98d7326a8 100644
--- a/ifplugd.te
+++ b/ifplugd.te
@@ -10,7 +10,7 @@ type ifplugd_exec_t;
init_daemon_domain(ifplugd_t, ifplugd_exec_t)
type ifplugd_etc_t;
-files_type(ifplugd_etc_t)
+files_config_file(ifplugd_etc_t)
type ifplugd_initrc_exec_t;
init_script_file(ifplugd_initrc_exec_t)
@@ -49,14 +49,11 @@ corecmd_exec_shell(ifplugd_t)
dev_read_sysfs(ifplugd_t)
domain_read_confined_domains_state(ifplugd_t)
-domain_dontaudit_read_all_domains_state(ifplugd_t)
auth_use_nsswitch(ifplugd_t)
logging_send_syslog_msg(ifplugd_t)
-miscfiles_read_localization(ifplugd_t)
-
netutils_domtrans(ifplugd_t)
sysnet_domtrans_ifconfig(ifplugd_t)
diff --git a/imaze.te b/imaze.te
index 1eb24d8c8..b320d51ae 100644
--- a/imaze.te
+++ b/imaze.te
@@ -45,7 +45,6 @@ kernel_list_proc(imazesrv_t)
kernel_read_kernel_sysctls(imazesrv_t)
kernel_read_proc_symlinks(imazesrv_t)
-corenet_all_recvfrom_unlabeled(imazesrv_t)
corenet_all_recvfrom_netlabel(imazesrv_t)
corenet_tcp_sendrecv_generic_if(imazesrv_t)
corenet_udp_sendrecv_generic_if(imazesrv_t)
@@ -71,8 +70,6 @@ auth_use_nsswitch(imazesrv_t)
logging_send_syslog_msg(imazesrv_t)
-miscfiles_read_localization(imazesrv_t)
-
userdom_use_unpriv_users_fds(imazesrv_t)
userdom_dontaudit_search_user_home_dirs(imazesrv_t)
diff --git a/inetd.if b/inetd.if
index fbb54e7d8..05c377768 100644
--- a/inetd.if
+++ b/inetd.if
@@ -37,6 +37,12 @@ interface(`inetd_core_service_domain',`
domtrans_pattern(inetd_t, $2, $1)
allow inetd_t $1:process { siginh sigkill };
+
+ init_domain($1, $2)
+
+ optional_policy(`
+ abrt_stream_connect($1)
+ ')
')
########################################
diff --git a/inetd.te b/inetd.te
index c6450df8a..94760a2ec 100644
--- a/inetd.te
+++ b/inetd.te
@@ -21,6 +21,7 @@ files_pid_file(inetd_var_run_t)
type inetd_child_t;
type inetd_child_exec_t;
inetd_service_domain(inetd_child_t, inetd_child_exec_t)
+init_daemon_domain(inetd_child_t, inetd_child_exec_t)
type inetd_child_tmp_t;
files_tmp_file(inetd_child_tmp_t)
@@ -37,9 +38,9 @@ ifdef(`enable_mcs',`
# Local policy
#
-allow inetd_t self:capability { setuid setgid sys_resource };
+allow inetd_t self:capability { setuid setgid };
dontaudit inetd_t self:capability sys_tty_config;
-allow inetd_t self:process { setsched setexec setrlimit };
+allow inetd_t self:process { setsched setexec };
allow inetd_t self:fifo_file rw_fifo_file_perms;
allow inetd_t self:tcp_socket { accept listen };
allow inetd_t self:fd use;
@@ -61,6 +62,7 @@ kernel_read_system_state(inetd_t)
kernel_tcp_recvfrom_unlabeled(inetd_t)
corecmd_bin_domtrans(inetd_t, inetd_child_t)
+corecmd_exec_shell(inetd_t)
corenet_all_recvfrom_unlabeled(inetd_t)
corenet_all_recvfrom_netlabel(inetd_t)
@@ -98,6 +100,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t)
corenet_tcp_bind_inetd_child_port(inetd_t)
corenet_udp_bind_inetd_child_port(inetd_t)
+corenet_tcp_bind_echo_port(inetd_t)
+corenet_udp_bind_echo_port(inetd_t)
+corenet_tcp_bind_time_port(inetd_t)
+corenet_udp_bind_time_port(inetd_t)
+
corenet_sendrecv_ircd_server_packets(inetd_t)
corenet_tcp_bind_ircd_port(inetd_t)
@@ -141,6 +148,9 @@ corenet_sendrecv_git_server_packets(inetd_t)
corenet_tcp_bind_git_port(inetd_t)
corenet_udp_bind_git_port(inetd_t)
+dev_read_urand(inetd_t)
+dev_read_rand(inetd_t)
+
dev_read_sysfs(inetd_t)
domain_use_interactive_fds(inetd_t)
@@ -157,8 +167,6 @@ auth_use_nsswitch(inetd_t)
logging_send_syslog_msg(inetd_t)
-miscfiles_read_localization(inetd_t)
-
mls_fd_share_all_levels(inetd_t)
mls_socket_read_to_clearance(inetd_t)
mls_socket_write_to_clearance(inetd_t)
@@ -188,17 +196,13 @@ optional_policy(`
')
optional_policy(`
- tftp_read_config_files(inetd_t)
+ tftp_read_config(inetd_t)
')
optional_policy(`
udev_read_db(inetd_t)
')
-optional_policy(`
- unconfined_domtrans(inetd_t)
-')
-
########################################
#
# Child local policy
@@ -220,6 +224,16 @@ kernel_read_kernel_sysctls(inetd_child_t)
kernel_read_network_state(inetd_child_t)
kernel_read_system_state(inetd_child_t)
+corenet_all_recvfrom_netlabel(inetd_child_t)
+corenet_tcp_sendrecv_generic_if(inetd_child_t)
+corenet_udp_sendrecv_generic_if(inetd_child_t)
+corenet_tcp_sendrecv_generic_node(inetd_child_t)
+corenet_udp_sendrecv_generic_node(inetd_child_t)
+corenet_tcp_sendrecv_all_ports(inetd_child_t)
+corenet_udp_sendrecv_all_ports(inetd_child_t)
+
+corecmd_bin_entry_type(inetd_child_t)
+
dev_read_urand(inetd_child_t)
fs_getattr_xattr_fs(inetd_child_t)
@@ -230,7 +244,19 @@ auth_use_nsswitch(inetd_child_t)
logging_send_syslog_msg(inetd_child_t)
-miscfiles_read_localization(inetd_child_t)
+sysnet_read_config(inetd_child_t)
+
+optional_policy(`
+ chronyd_run_chronyc(inetd_child_t,system_r)
+')
+
+optional_policy(`
+ kerberos_use(inetd_child_t)
+')
+
+optional_policy(`
+ systemd_dbus_chat_logind(inetd_child_t)
+')
optional_policy(`
unconfined_domain(inetd_child_t)
diff --git a/inn.fc b/inn.fc
index 8c0a48b1d..b9eabf145 100644
--- a/inn.fc
+++ b/inn.fc
@@ -3,6 +3,8 @@
/etc/rc\.d/init\.d/innd -- gen_context(system_u:object_r:innd_initrc_exec_t,s0)
+/usr/lib/systemd/system/innd.* -- gen_context(system_u:object_r:innd_unit_file_t,s0)
+
/usr/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0)
/usr/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0)
/usr/bin/rpost -- gen_context(system_u:object_r:innd_exec_t,s0)
@@ -13,42 +15,43 @@
/var/lib/news(/.*)? gen_context(system_u:object_r:innd_var_lib_t,s0)
-/usr/lib/news/bin/actsync -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/archive -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/batcher -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/buffchan -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/convdate -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/ctlinnd -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/cvtbatch -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/expire -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/expireover -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/fastrm -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/filechan -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/getlist -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/grephistory -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/innconfval -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/innd -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/inndf -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/inndstart -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/innfeed -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/innxbatch -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/innxmit -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/makedbz -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/makehistory -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/newsrequeue -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/nntpget -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/ovdb_recover -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/overchan -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/prunehistory -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/shlock -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/shrinkfile -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/sm -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/startinnfeed -- gen_context(system_u:object_r:innd_exec_t,s0)
-
-/var/log/news.* -- gen_context(system_u:object_r:innd_log_t,s0)
+/usr/libexec/news/actsync -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/archive -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/batcher -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/buffchan -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/convdate -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/ctlinnd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/cvtbatch -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/expire -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/expireover -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/fastrm -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/filechan -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/getlist -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/grephistory -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/inews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/newsinnconfval -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/innd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/inndf -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/inndstart -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/innfeed -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/innxbatch -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/innxmit -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/makedbz -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/makehistory -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/newsrequeue -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/nntpget -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/ovdb_recover -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/overchan -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/prunehistory -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/rnews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/shlock -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/shrinkfile -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/sm -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/startinnfeed -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/rc.news -- gen_context(system_u:object_r:innd_exec_t,s0)
+
+/var/log/news(/.*)? gen_context(system_u:object_r:innd_log_t,s0)
/var/run/innd(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0)
/var/run/innd\.pid -- gen_context(system_u:object_r:innd_var_run_t,s0)
diff --git a/inn.if b/inn.if
index eb87f2341..d3d32c3ad 100644
--- a/inn.if
+++ b/inn.if
@@ -124,6 +124,7 @@ interface(`inn_read_config',`
type innd_etc_t;
')
+ files_search_etc($1)
allow $1 innd_etc_t:dir list_dir_perms;
allow $1 innd_etc_t:file read_file_perms;
allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
@@ -144,12 +145,31 @@ interface(`inn_read_news_lib',`
type innd_var_lib_t;
')
+ files_search_var_lib($1)
allow $1 innd_var_lib_t:dir list_dir_perms;
allow $1 innd_var_lib_t:file read_file_perms;
')
########################################
## <summary>
+## Write innd inherited news library content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_write_inherited_news_lib',`
+ gen_require(`
+ type innd_var_lib_t;
+ ')
+
+ allow $1 innd_var_lib_t:file write_inherited_file_perms;
+')
+
+########################################
+## <summary>
## Read innd news spool content.
## </summary>
## <param name="domain">
@@ -163,6 +183,7 @@ interface(`inn_read_news_spool',`
type news_spool_t;
')
+ files_search_spool($1)
allow $1 news_spool_t:dir list_dir_perms;
allow $1 news_spool_t:file read_file_perms;
allow $1 news_spool_t:lnk_file read_lnk_file_perms;
@@ -226,8 +247,15 @@ interface(`inn_domtrans',`
interface(`inn_admin',`
gen_require(`
type innd_t, innd_etc_t, innd_log_t;
- type news_spool_t, innd_var_lib_t;
- type innd_var_run_t, innd_initrc_exec_t;
+ type news_spool_t, innd_var_lib_t, innd_var_run_t;
+ type innd_initrc_exec_t;
+ ')
+
+ allow $1 innd_t:process signal_perms;
+ ps_process_pattern($1, innd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 innd_t:process ptrace;
')
init_labeled_script_domtrans($1, innd_initrc_exec_t)
diff --git a/inn.te b/inn.te
index d39f0cc51..81789dd86 100644
--- a/inn.te
+++ b/inn.te
@@ -15,6 +15,9 @@ files_config_file(innd_etc_t)
type innd_initrc_exec_t;
init_script_file(innd_initrc_exec_t)
+type innd_unit_file_t;
+systemd_unit_file(innd_unit_file_t)
+
type innd_log_t;
logging_log_file(innd_log_t)
@@ -26,13 +29,14 @@ files_pid_file(innd_var_run_t)
type news_spool_t;
files_mountpoint(news_spool_t)
+files_spool_file(news_spool_t)
########################################
#
# Local policy
#
-allow innd_t self:capability { dac_override kill setgid setuid };
+allow innd_t self:capability { dac_read_search kill setgid setuid };
dontaudit innd_t self:capability sys_tty_config;
allow innd_t self:process { setsched signal_perms };
allow innd_t self:fifo_file rw_fifo_file_perms;
@@ -43,10 +47,9 @@ allow innd_t self:tcp_socket { accept listen };
read_files_pattern(innd_t, innd_etc_t, innd_etc_t)
read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
-allow innd_t innd_log_t:dir setattr_dir_perms;
-append_files_pattern(innd_t, innd_log_t, innd_log_t)
-create_files_pattern(innd_t, innd_log_t, innd_log_t)
-setattr_files_pattern(innd_t, innd_log_t, innd_log_t)
+manage_files_pattern(innd_t, innd_log_t, innd_log_t)
+manage_dirs_pattern(innd_t, innd_log_t, innd_log_t)
+logging_log_filetrans(innd_t, innd_log_t, { dir file })
manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
@@ -54,7 +57,7 @@ manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t)
manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
-files_pid_filetrans(innd_t, innd_var_run_t, file)
+files_pid_filetrans(innd_t, innd_var_run_t, { dir file })
manage_dirs_pattern(innd_t, news_spool_t, news_spool_t)
manage_files_pattern(innd_t, news_spool_t, news_spool_t)
@@ -65,7 +68,6 @@ can_exec(innd_t, innd_exec_t)
kernel_read_kernel_sysctls(innd_t)
kernel_read_system_state(innd_t)
-corenet_all_recvfrom_unlabeled(innd_t)
corenet_all_recvfrom_netlabel(innd_t)
corenet_tcp_sendrecv_generic_if(innd_t)
corenet_tcp_sendrecv_generic_node(innd_t)
@@ -91,18 +93,18 @@ fs_search_auto_mountpoints(innd_t)
files_list_spool(innd_t)
files_read_etc_runtime_files(innd_t)
-files_read_usr_files(innd_t)
+
+inn_exec_config(innd_t)
auth_use_nsswitch(innd_t)
logging_send_syslog_msg(innd_t)
-miscfiles_read_localization(innd_t)
-
seutil_dontaudit_search_config(innd_t)
userdom_dontaudit_use_unpriv_user_fds(innd_t)
userdom_dontaudit_search_user_home_dirs(innd_t)
+userdom_dgram_send(innd_t)
mta_send_mail(innd_t)
diff --git a/iodine.fc b/iodine.fc
index ca07a8744..6ea129cf6 100644
--- a/iodine.fc
+++ b/iodine.fc
@@ -1,3 +1,5 @@
/etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0)
+/usr/lib/systemd/system/iodine-server.* -- gen_context(system_u:object_r:iodined_unit_file_t,s0)
+
/usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
diff --git a/iodine.if b/iodine.if
index a0bfbd04f..8dc7c3e31 100644
--- a/iodine.if
+++ b/iodine.if
@@ -2,6 +2,50 @@
########################################
## <summary>
+## Execute NetworkManager with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`iodined_domtrans',`
+ gen_require(`
+ type iodined_t, iodined_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, iodined_exec_t, iodined_t)
+')
+
+########################################
+## <summary>
+## Execute iodined server in the iodined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`iodined_systemctl',`
+ gen_require(`
+ type iodined_t;
+ type iodined_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 iodined_unit_file_t:file read_file_perms;
+ allow $1 iodined_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, iodined_t)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an iodined environment
## </summary>
diff --git a/iodine.te b/iodine.te
index d443feee4..6cbbf7d84 100644
--- a/iodine.te
+++ b/iodine.te
@@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t)
type iodined_initrc_exec_t;
init_script_file(iodined_initrc_exec_t)
+type iodined_unit_file_t;
+systemd_unit_file(iodined_unit_file_t)
+
########################################
#
# Local policy
@@ -43,7 +46,7 @@ corenet_udp_sendrecv_dns_port(iodined_t)
corecmd_exec_shell(iodined_t)
-files_read_etc_files(iodined_t)
+auth_use_nsswitch(iodined_t)
logging_send_syslog_msg(iodined_t)
diff --git a/iotop.fc b/iotop.fc
new file mode 100644
index 000000000..c8d2deac2
--- /dev/null
+++ b/iotop.fc
@@ -0,0 +1 @@
+/usr/sbin/iotop -- gen_context(system_u:object_r:iotop_exec_t,s0)
diff --git a/iotop.if b/iotop.if
new file mode 100644
index 000000000..7fc3464e6
--- /dev/null
+++ b/iotop.if
@@ -0,0 +1,46 @@
+## <summary>Simple top-like I/O monitor</summary>
+
+########################################
+## <summary>
+## Allow execution of iotop in the iotop domain from the target domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition to iotop.
+## </summary>
+## </param>
+#
+interface(`iotop_domtrans',`
+ gen_require(`
+ type iotop_t, iotop_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, iotop_exec_t, iotop_t)
+')
+
+########################################
+## <summary>
+## Execute iotop in the iotop domain, and
+## allow the specified role to access the iotop domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed into the iotop domain.
+## </summary>
+## </param>
+#
+interface(`iotop_run',`
+ gen_require(`
+ type iotop_t;
+ attribute_role iotop_roles;
+ ')
+
+ iotop_domtrans($1)
+ roleattribute $2 iotop_roles;
+')
diff --git a/iotop.te b/iotop.te
new file mode 100644
index 000000000..61f2003c8
--- /dev/null
+++ b/iotop.te
@@ -0,0 +1,39 @@
+policy_module(iotop, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role iotop_roles;
+roleattribute system_r iotop_roles;
+
+type iotop_t;
+type iotop_exec_t;
+application_domain(iotop_t, iotop_exec_t)
+
+role iotop_roles types iotop_t;
+
+########################################
+#
+# iotop local policy
+#
+
+allow iotop_t self:capability net_admin;
+allow iotop_t self:netlink_route_socket r_netlink_socket_perms;
+allow iotop_t self:netlink_socket create_socket_perms;
+
+kernel_read_system_state(iotop_t)
+
+auth_use_nsswitch(iotop_t)
+
+dev_read_urand(iotop_t)
+
+domain_getsched_all_domains(iotop_t)
+domain_read_all_domains_state(iotop_t)
+
+corecmd_exec_bin(iotop_t)
+
+miscfiles_read_localization(iotop_t)
+
+userdom_use_user_terminals(iotop_t)
diff --git a/ipa.fc b/ipa.fc
new file mode 100644
index 000000000..61fd84f00
--- /dev/null
+++ b/ipa.fc
@@ -0,0 +1,29 @@
+/etc/httpd/alias/ipasession.key -- gen_context(system_u:object_r:ipa_cert_t,s0)
+
+/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
+
+/usr/lib/systemd/system/ipa-dnskeysyncd.* -- gen_context(system_u:object_r:ipa_dnskey_unit_file_t,s0)
+
+/usr/lib/systemd/system/ipa-ods-exporter.* -- gen_context(system_u:object_r:ipa_ods_exporter_unit_file_t,s0)
+
+/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
+/usr/libexec/ipa/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
+
+
+/usr/libexec/ipa/ipa-ods-exporter -- gen_context(system_u:object_r:ipa_ods_exporter_exec_t,s0)
+
+/usr/libexec/ipa/ipa-dnskeysyncd -- gen_context(system_u:object_r:ipa_dnskey_exec_t,s0)
+/usr/libexec/ipa/ipa-dnskeysync-replica -- gen_context(system_u:object_r:ipa_dnskey_exec_t,s0)
+
+/usr/libexec/ipa/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+/usr/libexec/ipa/oddjob/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+/usr/libexec/ipa/oddjob/org\.freeipa\.server\.conncheck -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+
+/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0)
+
+/var/log/ipa(/.*)? gen_context(system_u:object_r:ipa_log_t,s0)
+
+/var/log/ipareplica-conncheck.log.* -- gen_context(system_u:object_r:ipa_log_t,s0)
+
+/var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0)
+
diff --git a/ipa.if b/ipa.if
new file mode 100644
index 000000000..72a6b78ba
--- /dev/null
+++ b/ipa.if
@@ -0,0 +1,310 @@
+## <summary>Policy for IPA services.</summary>
+
+########################################
+## <summary>
+## Execute rtas_errd in the rtas_errd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ipa_domtrans_otpd',`
+ gen_require(`
+ type ipa_otpd_t, ipa_otpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ipa_otpd_exec_t, ipa_otpd_t)
+')
+
+########################################
+## <summary>
+## Connect to ipa-otpd over a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipa_stream_connect_otpd',`
+ gen_require(`
+ type ipa_otpd_t;
+ ')
+ allow $1 ipa_otpd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Connect to ipa-ods-exporter over a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipa_stream_connect_ods_exporter',`
+ gen_require(`
+ type ipa_ods_exporter_t;
+ ')
+ allow $1 ipa_ods_exporter_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Execute ipa-helper in the ipa_helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ipa_domtrans_helper',`
+ gen_require(`
+ type ipa_helper_t, ipa_helper_exec_t;
+ ')
+
+ domtrans_pattern($1, ipa_helper_exec_t, ipa_helper_t)
+')
+
+########################################
+## <summary>
+## Execute ipa-helper in the ipa_helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`ipa_run_helper',`
+ gen_require(`
+ type ipa_helper_t;
+ attribute_role ipa_helper_roles;
+ ')
+
+ ipa_domtrans_helper($1)
+ roleattribute $2 ipa_helper_roles;
+')
+
+########################################
+## <summary>
+## Allow domain to manage ipa lib files/dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipa_search_lib',`
+ gen_require(`
+ type ipa_var_lib_t;
+ ')
+
+ search_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage ipa lib files/dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipa_manage_lib',`
+ gen_require(`
+ type ipa_var_lib_t;
+ ')
+
+ manage_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+ manage_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage ipa log files/dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipa_manage_log',`
+ gen_require(`
+ type ipa_log_t;
+ ')
+
+ manage_files_pattern($1, ipa_log_t, ipa_log_t)
+ manage_dirs_pattern($1, ipa_log_t, ipa_log_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage ipa lib files/dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipa_read_lib',`
+ gen_require(`
+ type ipa_var_lib_t;
+ ')
+
+ read_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+ list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage ipa run files/dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipa_manage_pid_files',`
+ gen_require(`
+ type ipa_var_run_t;
+ ')
+ manage_files_pattern($1, ipa_var_run_t, ipa_var_run_t)
+ manage_dirs_pattern($1, ipa_var_run_t, ipa_var_run_t)
+')
+
+########################################
+## <summary>
+## Create specified objects in generic
+## pid directories with the ipa pid file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`ipa_filetrans_pid',`
+ gen_require(`
+ type ipa_var_run_t;
+ ')
+
+ files_pid_filetrans($1, ipa_var_run_t, file, $2)
+')
+
+########################################
+## <summary>
+## Allow domain to manage ipa tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipa_delete_tmp',`
+ gen_require(`
+ type ipa_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 ipa_tmp_t:file unlink;
+')
+
+########################################
+## <summary>
+## Create log files with a named file
+## type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipa_named_filetrans_log_dir',`
+ gen_require(`
+ type ipa_log_t;
+ ')
+
+ logging_log_named_filetrans($1, ipa_log_t, dir, "ipa")
+')
+
+#######################################
+## <summary>
+## Allow domain to create /tmp/ca.p12
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipa_filetrans_named_content',`
+
+ gen_require(`
+ type ipa_tmp_t;
+ ')
+
+ files_tmp_filetrans($1, ipa_tmp_t, file, "ca.p12")
+')
+
+########################################
+## <summary>
+## Create file ipasession.key in cert_t dir
+## with ipa_cert_t type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipa_cert_filetrans_named_content',`
+ gen_require(`
+ type ipa_cert_t;
+ type cert_t;
+ ')
+
+ filetrans_pattern($1, cert_t, ipa_cert_t, file ,"ipasession.key")
+ manage_files_pattern($1, ipa_cert_t, ipa_cert_t)
+')
+
+########################################
+## <summary>
+## Allow domain to read ipa tmp files/dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipa_read_tmp',`
+ gen_require(`
+ type ipa_tmp_t;
+ ')
+
+ read_files_pattern($1, ipa_tmp_t, ipa_tmp_t)
+')
diff --git a/ipa.te b/ipa.te
new file mode 100644
index 000000000..653c11fb3
--- /dev/null
+++ b/ipa.te
@@ -0,0 +1,276 @@
+policy_module(ipa, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute ipa_domain;
+
+attribute_role ipa_helper_roles;
+roleattribute system_r ipa_helper_roles;
+
+type ipa_otpd_t, ipa_domain;
+type ipa_otpd_exec_t;
+init_daemon_domain(ipa_otpd_t, ipa_otpd_exec_t)
+
+type ipa_dnskey_t, ipa_domain;
+type ipa_dnskey_exec_t;
+init_daemon_domain(ipa_dnskey_t, ipa_dnskey_exec_t)
+
+type ipa_ods_exporter_t, ipa_domain;
+type ipa_ods_exporter_exec_t;
+init_daemon_domain(ipa_ods_exporter_t, ipa_ods_exporter_exec_t)
+
+type ipa_otpd_unit_file_t;
+systemd_unit_file(ipa_otpd_unit_file_t)
+
+type ipa_dnskey_unit_file_t;
+systemd_unit_file(ipa_dnskey_unit_file_t)
+
+type ipa_ods_exporter_unit_file_t;
+systemd_unit_file(ipa_ods_exporter_unit_file_t)
+
+type ipa_log_t;
+logging_log_file(ipa_log_t)
+
+type ipa_var_lib_t;
+files_type(ipa_var_lib_t)
+
+type ipa_var_run_t;
+files_pid_file(ipa_var_run_t)
+
+type ipa_helper_t;
+type ipa_helper_exec_t;
+domain_type(ipa_helper_t)
+domain_obj_id_change_exemption(ipa_helper_t)
+init_system_domain(ipa_helper_t, ipa_helper_exec_t)
+role ipa_helper_roles types ipa_helper_t;
+
+type ipa_cert_t;
+miscfiles_cert_type(ipa_cert_t)
+
+type ipa_tmp_t;
+files_tmp_file(ipa_tmp_t)
+
+########################################
+#
+# ipa_otpd local policy
+#
+
+allow ipa_otpd_t self:capability2 block_suspend;
+
+allow ipa_otpd_t self:fifo_file rw_fifo_file_perms;
+allow ipa_otpd_t self:unix_stream_socket create_stream_socket_perms;
+
+read_files_pattern(ipa_otpd_t, ipa_cert_t, ipa_cert_t)
+read_lnk_files_pattern(ipa_otpd_t, ipa_cert_t, ipa_cert_t)
+
+manage_dirs_pattern(ipa_otpd_t, ipa_var_run_t, ipa_var_run_t)
+manage_files_pattern(ipa_otpd_t, ipa_var_run_t, ipa_var_run_t)
+files_pid_filetrans(ipa_otpd_t, ipa_var_run_t, file)
+
+corenet_tcp_connect_radius_port(ipa_otpd_t)
+
+dev_read_urand(ipa_otpd_t)
+dev_read_rand(ipa_otpd_t)
+
+sysnet_dns_name_resolve(ipa_otpd_t)
+
+optional_policy(`
+ dirsrv_stream_connect(ipa_otpd_t)
+')
+
+optional_policy(`
+ kerberos_use(ipa_otpd_t)
+')
+
+########################################
+#
+# ipa-helper local policy
+#
+
+
+allow ipa_helper_t self:capability { net_admin dac_read_search chown };
+
+#kernel bug
+dontaudit ipa_helper_t self:capability2 block_suspend;
+
+allow ipa_helper_t self:process setfscreate;
+allow ipa_helper_t self:fifo_file rw_fifo_file_perms;
+allow ipa_helper_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_files_pattern(ipa_helper_t, ipa_log_t, ipa_log_t)
+logging_log_filetrans(ipa_helper_t, ipa_log_t, file)
+
+manage_dirs_pattern(ipa_helper_t, ipa_var_run_t, ipa_var_run_t)
+manage_files_pattern(ipa_helper_t, ipa_var_run_t, ipa_var_run_t)
+files_pid_filetrans(ipa_helper_t, ipa_var_run_t, { dir file })
+
+kernel_read_system_state(ipa_helper_t)
+kernel_read_network_state(ipa_helper_t)
+
+corenet_tcp_connect_ldap_port(ipa_helper_t)
+corenet_tcp_connect_smbd_port(ipa_helper_t)
+corenet_tcp_connect_http_port(ipa_helper_t)
+corenet_tcp_connect_kerberos_password_port(ipa_helper_t)
+
+corecmd_exec_bin(ipa_helper_t)
+corecmd_exec_shell(ipa_helper_t)
+
+dev_read_urand(ipa_helper_t)
+
+auth_use_nsswitch(ipa_helper_t)
+
+files_list_tmp(ipa_helper_t)
+
+ipa_manage_pid_files(ipa_helper_t)
+ipa_read_lib(ipa_helper_t)
+
+logging_send_syslog_msg(ipa_helper_t)
+
+optional_policy(`
+ dirsrv_stream_connect(ipa_helper_t)
+')
+
+optional_policy(`
+ ldap_stream_connect(ipa_helper_t)
+')
+
+optional_policy(`
+ libs_exec_ldconfig(ipa_helper_t)
+')
+
+optional_policy(`
+ memcached_stream_connect(ipa_helper_t)
+')
+
+optional_policy(`
+ oddjob_system_entry(ipa_helper_t, ipa_helper_exec_t)
+')
+
+optional_policy(`
+ rpm_read_db(ipa_helper_t)
+')
+
+optional_policy(`
+ samba_read_config(ipa_helper_t)
+')
+
+optional_policy(`
+ sssd_manage_lib_files(ipa_helper_t)
+')
+
+########################################
+#
+# ipa-dnskey local policy
+#
+allow ipa_dnskey_t self:tcp_socket create_stream_socket_perms;
+allow ipa_dnskey_t self:udp_socket create_socket_perms;
+allow ipa_dnskey_t self:unix_dgram_socket create_socket_perms;
+allow ipa_dnskey_t self:netlink_route_socket { create_netlink_socket_perms nlmsg_read };
+
+read_files_pattern(ipa_dnskey_t, ipa_cert_t, ipa_cert_t)
+read_lnk_files_pattern(ipa_dnskey_t, ipa_cert_t, ipa_cert_t)
+
+manage_files_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t)
+setattr_dirs_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t)
+list_dirs_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t)
+
+manage_files_pattern(ipa_dnskey_t, ipa_tmp_t, ipa_tmp_t)
+files_tmp_filetrans(ipa_dnskey_t, ipa_tmp_t, { file })
+
+kernel_dgram_send(ipa_dnskey_t)
+kernel_read_system_state(ipa_dnskey_t)
+kernel_read_network_state(ipa_dnskey_t)
+
+auth_use_nsswitch(ipa_dnskey_t)
+
+corecmd_exec_bin(ipa_dnskey_t)
+corecmd_exec_shell(ipa_dnskey_t)
+
+corenet_tcp_bind_generic_node(ipa_dnskey_t)
+corenet_tcp_connect_kerberos_port(ipa_dnskey_t)
+corenet_tcp_connect_rndc_port(ipa_dnskey_t)
+
+dev_read_rand(ipa_dnskey_t)
+
+can_exec(ipa_dnskey_t,ipa_dnskey_exec_t)
+
+libs_exec_ldconfig(ipa_dnskey_t)
+
+logging_send_syslog_msg(ipa_dnskey_t)
+
+miscfiles_read_certs(ipa_dnskey_t)
+
+sysnet_read_config(ipa_dnskey_t)
+
+optional_policy(`
+ apache_search_config(ipa_dnskey_t)
+')
+
+optional_policy(`
+ bind_domtrans_ndc(ipa_dnskey_t)
+ bind_read_dnssec_keys(ipa_dnskey_t)
+ bind_manage_zone(ipa_dnskey_t)
+ bind_manage_zone_dirs(ipa_dnskey_t)
+ bind_search_cache(ipa_dnskey_t)
+')
+
+optional_policy(`
+ dirsrv_stream_connect(ipa_dnskey_t)
+')
+
+optional_policy(`
+ opendnssec_domtrans(ipa_dnskey_t)
+ opendnssec_manage_config(ipa_dnskey_t)
+ opendnssec_manage_var_files(ipa_dnskey_t)
+ opendnssec_filetrans_etc_content(ipa_dnskey_t)
+')
+
+########################################
+#
+# ipa-ods-exporter local policy
+#
+allow ipa_ods_exporter_t self:netlink_route_socket { bind create getattr nlmsg_read };
+allow ipa_ods_exporter_t self:udp_socket { connect create getattr };
+allow ipa_ods_exporter_t self:unix_dgram_socket { create getopt setopt };
+
+manage_files_pattern(ipa_ods_exporter_t, ipa_var_lib_t, ipa_var_lib_t)
+list_dirs_pattern(ipa_ods_exporter_t, ipa_var_lib_t, ipa_var_lib_t)
+
+manage_files_pattern(ipa_ods_exporter_t, ipa_tmp_t, ipa_tmp_t)
+manage_dirs_pattern(ipa_ods_exporter_t, ipa_tmp_t, ipa_tmp_t)
+files_tmp_filetrans(ipa_ods_exporter_t, ipa_tmp_t, { dir file })
+
+kernel_dgram_send(ipa_ods_exporter_t)
+
+auth_use_nsswitch(ipa_ods_exporter_t)
+
+corecmd_exec_bin(ipa_ods_exporter_t)
+corecmd_exec_shell(ipa_ods_exporter_t)
+
+libs_exec_ldconfig(ipa_ods_exporter_t)
+
+logging_send_syslog_msg(ipa_ods_exporter_t)
+
+miscfiles_read_certs(ipa_ods_exporter_t)
+
+sysnet_read_config(ipa_ods_exporter_t)
+
+optional_policy(`
+ bind_search_cache(ipa_ods_exporter_t)
+')
+
+optional_policy(`
+ dirsrv_stream_connect(ipa_ods_exporter_t)
+')
+
+optional_policy(`
+ opendnssec_manage_var_files(ipa_ods_exporter_t)
+ opendnssec_stream_connect(ipa_ods_exporter_t)
+')
+
+optional_policy(`
+ ldap_stream_connect(ipa_ods_exporter_t)
+')
diff --git a/ipmievd.fc b/ipmievd.fc
new file mode 100644
index 000000000..0f598ca9f
--- /dev/null
+++ b/ipmievd.fc
@@ -0,0 +1,9 @@
+/usr/lib/systemd/system/ipmievd\.service -- gen_context(system_u:object_r:ipmievd_unit_file_t,s0)
+
+/usr/sbin/ipmievd -- gen_context(system_u:object_r:ipmievd_exec_t,s0)
+
+/usr/libexec/openipmi-helper -- gen_context(system_u:object_r:ipmievd_exec_t,s0)
+
+/var/run/ipmievd\.pid -- gen_context(system_u:object_r:ipmievd_var_run_t,s0)
+
+/var/lock/subsys/ipmi -- gen_context(system_u:object_r:ipmievd_lock_t,s0)
diff --git a/ipmievd.if b/ipmievd.if
new file mode 100644
index 000000000..e86db5418
--- /dev/null
+++ b/ipmievd.if
@@ -0,0 +1,120 @@
+## <summary>IPMI event daemon for sending events to syslog.</summary>
+
+########################################
+## <summary>
+## Execute ipmievd_exec_t in the ipmievd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ipmievd_domtrans',`
+ gen_require(`
+ type ipmievd_t, ipmievd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ipmievd_exec_t, ipmievd_t)
+')
+
+######################################
+## <summary>
+## Execute ipmievd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipmievd_exec',`
+ gen_require(`
+ type ipmievd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, ipmievd_exec_t)
+')
+
+########################################
+## <summary>
+## Read ipmievd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipmievd_read_pid_files',`
+ gen_require(`
+ type ipmievd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, ipmievd_var_run_t, ipmievd_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute ipmievd server in the ipmievd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ipmievd_systemctl',`
+ gen_require(`
+ type ipmievd_t;
+ type ipmievd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 ipmievd_unit_file_t:file read_file_perms;
+ allow $1 ipmievd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ipmievd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ipmievd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipmievd_admin',`
+ gen_require(`
+ type ipmievd_t;
+ type ipmievd_var_run_t;
+ type ipmievd_unit_file_t;
+ ')
+
+ allow $1 ipmievd_t:process { signal_perms };
+ ps_process_pattern($1, ipmievd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ipmievd_t:process ptrace;
+ ')
+
+ files_search_pids($1)
+ admin_pattern($1, ipmievd_var_run_t)
+
+ ipmievd_systemctl($1)
+ admin_pattern($1, ipmievd_unit_file_t)
+ allow $1 ipmievd_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/ipmievd.te b/ipmievd.te
new file mode 100644
index 000000000..3990b66b2
--- /dev/null
+++ b/ipmievd.te
@@ -0,0 +1,52 @@
+policy_module(ipmievd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ipmievd_t;
+type ipmievd_exec_t;
+init_daemon_domain(ipmievd_t, ipmievd_exec_t)
+
+type ipmievd_var_run_t;
+files_pid_file(ipmievd_var_run_t)
+
+type ipmievd_lock_t;
+files_lock_file(ipmievd_lock_t)
+
+type ipmievd_unit_file_t;
+systemd_unit_file(ipmievd_unit_file_t)
+
+########################################
+#
+# ipmievd local policy
+#
+
+allow ipmievd_t self:process { fork setpgid };
+allow ipmievd_t self:fifo_file rw_fifo_file_perms;
+
+manage_files_pattern(ipmievd_t, ipmievd_var_run_t, ipmievd_var_run_t)
+files_pid_filetrans(ipmievd_t, ipmievd_var_run_t, { file })
+
+manage_files_pattern(ipmievd_t, ipmievd_lock_t, ipmievd_lock_t)
+files_lock_filetrans(ipmievd_t, ipmievd_lock_t, file)
+
+kernel_read_system_state(ipmievd_t)
+kernel_load_module(ipmievd_t)
+
+auth_use_nsswitch(ipmievd_t)
+
+corecmd_exec_bin(ipmievd_t)
+
+dev_manage_ipmi_dev(ipmievd_t)
+dev_filetrans_ipmi(ipmievd_t)
+dev_read_sysfs(ipmievd_t)
+
+files_read_kernel_modules(ipmievd_t)
+
+logging_send_syslog_msg(ipmievd_t)
+
+modutils_exec_insmod(ipmievd_t)
+modutils_read_module_config(ipmievd_t)
+
diff --git a/irc.fc b/irc.fc
index 48e7739f9..1bf0326cd 100644
--- a/irc.fc
+++ b/irc.fc
@@ -1,6 +1,6 @@
HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
-HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irc_log_home_t,s0)
+HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
/etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0)
diff --git a/irc.if b/irc.if
index ac00fb0fb..36ef2e59c 100644
--- a/irc.if
+++ b/irc.if
@@ -20,6 +20,7 @@ interface(`irc_role',`
attribute_role irc_roles;
type irc_t, irc_exec_t, irc_home_t;
type irc_tmp_t, irc_log_home_t;
+ type irssi_t, irssi_exec_t, irssi_home_t;
')
########################################
@@ -37,12 +38,42 @@ interface(`irc_role',`
domtrans_pattern($2, irc_exec_t, irc_t)
ps_process_pattern($2, irc_t)
- allow $2 irc_t:process { ptrace signal_perms };
-
- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:file { manage_file_perms relabel_file_perms };
- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- userdom_user_home_dir_filetrans($2, irc_home_t, dir, ".irssi")
- userdom_user_home_dir_filetrans($2, irc_home_t, file, ".ircmotd")
- userdom_user_home_dir_filetrans($2, irc_log_home_t, dir, "irclogs")
+ allow $2 irc_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 irc_t:process ptrace;
+ ')
+
+ domtrans_pattern($2, irssi_exec_t, irssi_t)
+
+ allow $2 irssi_t:process signal_perms;
+ ps_process_pattern($2, irssi_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 irssi_t:process ptrace;
+ ')
+
+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+
+ irc_filetrans_home_content($2)
+')
+
+#######################################
+## <summary>
+## Transition to alsa named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`irc_filetrans_home_content',`
+ gen_require(`
+ type irc_home_t;
+ type irssi_home_t;
+ ')
+ userdom_user_home_dir_filetrans($1, irc_home_t, file, ".ircmotd")
+ userdom_user_home_dir_filetrans($1, irc_home_t, dir, ".irssi")
+ userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs")
')
diff --git a/irc.te b/irc.te
index 263650367..5910c5931 100644
--- a/irc.te
+++ b/irc.te
@@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t
typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
userdom_user_home_content(irc_home_t)
-type irc_log_home_t;
-userdom_user_home_content(irc_log_home_t)
-
type irc_tmp_t;
typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
-userdom_user_tmp_file(irc_tmp_t)
+userdom_user_home_content(irc_tmp_t)
+
+########################################
+#
+# Irssi personal declarations.
+#
+
+## <desc>
+## <p>
+## Allow the Irssi IRC Client to connect to any port,
+## and to bind to any unreserved port.
+## </p>
+## </desc>
+gen_tunable(irssi_use_full_network, false)
+
+type irssi_t;
+type irssi_exec_t;
+application_domain(irssi_t, irssi_exec_t)
+ubac_constrained(irssi_t)
+role irc_roles types irssi_t;
+
+type irssi_etc_t;
+files_config_file(irssi_etc_t)
+
+type irssi_home_t alias irc_log_home_t;
+userdom_user_home_content(irssi_home_t)
########################################
#
@@ -53,13 +75,7 @@ allow irc_t irc_conf_t:file read_file_perms;
manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
manage_files_pattern(irc_t, irc_home_t, irc_home_t)
manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
-userdom_user_home_dir_filetrans(irc_t, irc_home_t, dir, ".irssi")
-userdom_user_home_dir_filetrans(irc_t, irc_home_t, file, ".ircmotd")
-
-manage_dirs_pattern(irc_t, irc_log_home_t, irc_log_home_t)
-create_files_pattern(irc_t, irc_log_home_t, irc_log_home_t)
-append_files_pattern(irc_t, irc_log_home_t, irc_log_home_t)
-userdom_user_home_dir_filetrans(irc_t, irc_log_home_t, dir, "irclogs")
+irc_filetrans_home_content(irc_t)
manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
@@ -70,7 +86,9 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
kernel_read_system_state(irc_t)
-corenet_all_recvfrom_unlabeled(irc_t)
+corecmd_exec_shell(irc_t)
+corecmd_exec_bin(irc_t)
+
corenet_all_recvfrom_netlabel(irc_t)
corenet_tcp_sendrecv_generic_if(irc_t)
corenet_tcp_sendrecv_generic_node(irc_t)
@@ -93,8 +111,6 @@ dev_read_rand(irc_t)
domain_use_interactive_fds(irc_t)
-files_read_usr_files(irc_t)
-
fs_getattr_all_fs(irc_t)
fs_search_auto_mountpoints(irc_t)
@@ -106,14 +122,16 @@ auth_use_nsswitch(irc_t)
init_read_utmp(irc_t)
init_dontaudit_lock_utmp(irc_t)
-miscfiles_read_generic_certs(irc_t)
-miscfiles_read_localization(irc_t)
-
-userdom_use_user_terminals(irc_t)
+userdom_use_inherited_user_terminals(irc_t)
userdom_manage_user_home_content_dirs(irc_t)
userdom_manage_user_home_content_files(irc_t)
-userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file })
+userdom_filetrans_home_content(irc_t)
+
+# Write to the user domain tty.
+userdom_use_inherited_user_terminals(irc_t)
+
+userdom_home_manager(irc_t)
tunable_policy(`irc_use_any_tcp_ports',`
allow irc_t self:tcp_socket { accept listen };
@@ -124,18 +142,69 @@ tunable_policy(`irc_use_any_tcp_ports',`
corenet_tcp_sendrecv_all_ports(irc_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(irc_t)
- fs_manage_nfs_files(irc_t)
- fs_manage_nfs_symlinks(irc_t)
+optional_policy(`
+ nis_use_ypbind(irc_t)
')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(irc_t)
- fs_manage_cifs_files(irc_t)
- fs_manage_cifs_symlinks(irc_t)
+########################################
+#
+# Irssi personal declarations.
+#
+
+allow irssi_t self:process { signal sigkill };
+allow irssi_t self:fifo_file rw_fifo_file_perms;
+allow irssi_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(irssi_t, irssi_etc_t, irssi_etc_t)
+
+manage_dirs_pattern(irssi_t, irssi_home_t, irssi_home_t)
+manage_files_pattern(irssi_t, irssi_home_t, irssi_home_t)
+manage_lnk_files_pattern(irssi_t, irssi_home_t, irssi_home_t)
+irc_filetrans_home_content(irssi_t)
+userdom_search_user_home_dirs(irssi_t)
+
+kernel_read_system_state(irssi_t)
+
+corecmd_exec_shell(irssi_t)
+corecmd_read_bin_symlinks(irssi_t)
+
+corenet_tcp_connect_ircd_port(irssi_t)
+corenet_tcp_sendrecv_ircd_port(irssi_t)
+corenet_sendrecv_ircd_client_packets(irssi_t)
+
+# tcp:7000 is often used for SSL irc
+corenet_tcp_connect_gatekeeper_port(irssi_t)
+corenet_tcp_sendrecv_gatekeeper_port(irssi_t)
+corenet_sendrecv_gatekeeper_client_packets(irssi_t)
+
+# Privoxy
+corenet_tcp_connect_http_cache_port(irssi_t)
+corenet_tcp_sendrecv_http_cache_port(irssi_t)
+corenet_sendrecv_http_cache_client_packets(irssi_t)
+
+corenet_tcp_bind_generic_node(irssi_t)
+
+dev_read_urand(irssi_t)
+# irssi-otr genkey.
+dev_read_rand(irssi_t)
+
+
+fs_search_auto_mountpoints(irssi_t)
+
+auth_use_nsswitch(irssi_t)
+
+
+userdom_use_inherited_user_terminals(irssi_t)
+
+tunable_policy(`irssi_use_full_network', `
+ corenet_tcp_bind_all_unreserved_ports(irssi_t)
+ corenet_tcp_connect_all_ports(irssi_t)
+ corenet_sendrecv_generic_server_packets(irssi_t)
+ corenet_sendrecv_all_client_packets(irssi_t)
')
+userdom_home_manager(irssi_t)
+
optional_policy(`
seutil_use_newrole_fds(irc_t)
')
diff --git a/ircd.if b/ircd.if
index ade980323..3620c9a67 100644
--- a/ircd.if
+++ b/ircd.if
@@ -33,8 +33,8 @@ interface(`ircd_admin',`
files_search_etc($1)
admin_pattern($1, ircd_etc_t)
-
- logging_search_log($1)
+
+ logging_search_logs($1)
admin_pattern($1, ircd_log_t)
files_search_var_lib($1)
diff --git a/ircd.te b/ircd.te
index efaf4b10a..bd1a132ac 100644
--- a/ircd.te
+++ b/ircd.te
@@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(ircd_t)
corecmd_exec_bin(ircd_t)
-corenet_all_recvfrom_unlabeled(ircd_t)
corenet_all_recvfrom_netlabel(ircd_t)
corenet_tcp_sendrecv_generic_if(ircd_t)
corenet_tcp_sendrecv_generic_node(ircd_t)
@@ -75,8 +74,6 @@ auth_use_nsswitch(ircd_t)
logging_send_syslog_msg(ircd_t)
-miscfiles_read_localization(ircd_t)
-
userdom_dontaudit_use_unpriv_user_fds(ircd_t)
userdom_dontaudit_search_user_home_dirs(ircd_t)
diff --git a/irqbalance.te b/irqbalance.te
index e1f302ddb..1e5418a2e 100644
--- a/irqbalance.te
+++ b/irqbalance.te
@@ -35,7 +35,6 @@ kernel_rw_irq_sysctls(irqbalance_t)
dev_read_sysfs(irqbalance_t)
-files_read_etc_files(irqbalance_t)
files_read_etc_runtime_files(irqbalance_t)
fs_getattr_all_fs(irqbalance_t)
@@ -45,8 +44,6 @@ domain_use_interactive_fds(irqbalance_t)
logging_send_syslog_msg(irqbalance_t)
-miscfiles_read_localization(irqbalance_t)
-
userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
userdom_dontaudit_search_user_home_dirs(irqbalance_t)
diff --git a/iscsi.fc b/iscsi.fc
index 08b756047..417e63004 100644
--- a/iscsi.fc
+++ b/iscsi.fc
@@ -1,19 +1,18 @@
-/etc/rc\.d/init\.d/((iscsi)|(iscsid)) -- gen_context(system_u:object_r:iscsi_initrc_exec_t,s0)
-
/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+/usr/sbin/iscsiadm -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
-/var/log/brcm-iscsi\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
/var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
/var/run/iscsiuio\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
+
+/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service -- gen_context(system_u:object_r:iscsi_unit_file_t,s0)
+/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket -- gen_context(system_u:object_r:iscsi_unit_file_t,s0)
diff --git a/iscsi.if b/iscsi.if
index 1a354203e..8101022be 100644
--- a/iscsi.if
+++ b/iscsi.if
@@ -21,6 +21,52 @@ interface(`iscsid_domtrans',`
########################################
## <summary>
+## Execute iscsid programs in the iscsid domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the iscsid domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`iscsid_run',`
+ gen_require(`
+ attribute_role iscsid_roles;
+ ')
+
+ iscsid_domtrans($1)
+ roleattribute $2 iscsid_roles;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## iscsid lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`iscsi_manage_lock',`
+ gen_require(`
+ type iscsi_lock_t;
+ ')
+
+ files_search_locks($1)
+ manage_files_pattern($1, iscsi_lock_t, iscsi_lock_t)
+ manage_dirs_pattern($1, iscsi_lock_t, iscsi_lock_t)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## iscsid sempaphores.
## </summary>
@@ -80,17 +126,54 @@ interface(`iscsi_read_lib_files',`
########################################
## <summary>
-## All of the rules required to
-## administrate an iscsi environment.
+## Transition to iscsi named content
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+#
+interface(`iscsi_filetrans_named_content',`
+ gen_require(`
+ type iscsi_lock_t;
+ ')
+
+ files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi")
+')
+
+########################################
+## <summary>
+## Execute iscsi server in the iscsi domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`iscsi_systemctl',`
+ gen_require(`
+ type iscsid_t;
+ type iscsi_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 iscsi_unit_file_t:file read_file_perms;
+ allow $1 iscsi_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, iscsid_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an iscsi environment.
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
@@ -99,16 +182,16 @@ interface(`iscsi_admin',`
gen_require(`
type iscsid_t, iscsi_lock_t, iscsi_log_t;
type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t;
- type iscsi_initrc_exec_t;
+ type iscsi_unit_file_t;
')
allow $1 iscsid_t:process { ptrace signal_perms };
ps_process_pattern($1, iscsid_t)
- init_labeled_script_domtrans($1, iscsi_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 iscsi_initrc_exec_t system_r;
- allow $2 system_r;
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 iscsi_unit_file_t:file manage_file_perms;
+ allow $1 iscsi_unit_file_t:service manage_service_perms;
logging_search_logs($1)
admin_pattern($1, iscsi_log_t)
diff --git a/iscsi.te b/iscsi.te
index ca020faa9..4afdcc8f9 100644
--- a/iscsi.te
+++ b/iscsi.te
@@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0)
# Declarations
#
+attribute_role iscsid_roles;
+
type iscsid_t;
type iscsid_exec_t;
init_daemon_domain(iscsid_t, iscsid_exec_t)
+role iscsid_roles types iscsid_t;
-type iscsi_initrc_exec_t;
-init_script_file(iscsi_initrc_exec_t)
+type iscsi_unit_file_t;
+systemd_unit_file(iscsi_unit_file_t)
type iscsi_lock_t;
files_lock_file(iscsi_lock_t)
@@ -32,13 +35,13 @@ files_pid_file(iscsi_var_run_t)
# Local policy
#
-allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
-dontaudit iscsid_t self:capability sys_ptrace;
+allow iscsid_t self:capability { dac_read_search ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource };
allow iscsid_t self:process { setrlimit setsched signal };
allow iscsid_t self:fifo_file rw_fifo_file_perms;
allow iscsid_t self:unix_stream_socket { accept connectto listen };
allow iscsid_t self:sem create_sem_perms;
allow iscsid_t self:shm create_shm_perms;
+allow iscsid_t self:netlink_iscsi_socket create_socket_perms;
allow iscsid_t self:netlink_socket create_socket_perms;
allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
allow iscsid_t self:netlink_route_socket nlmsg_write;
@@ -55,20 +58,23 @@ manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file })
-allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
-read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
-read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+manage_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+manage_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+manage_dirs_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+files_var_lib_filetrans(iscsid_t, iscsi_var_lib_t, dir)
manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
can_exec(iscsid_t, iscsid_exec_t)
+kernel_load_module(iscsid_t)
+kernel_request_load_module(iscsid_t)
kernel_read_network_state(iscsid_t)
kernel_read_system_state(iscsid_t)
-kernel_setsched(iscsid_t)
+kernel_dontaudit_setsched(iscsid_t)
+kernel_request_load_module(iscsid_t)
-corenet_all_recvfrom_unlabeled(iscsid_t)
corenet_all_recvfrom_netlabel(iscsid_t)
corenet_tcp_sendrecv_generic_if(iscsid_t)
corenet_tcp_sendrecv_generic_node(iscsid_t)
@@ -85,22 +91,40 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
corenet_tcp_connect_isns_port(iscsid_t)
corenet_tcp_sendrecv_isns_port(iscsid_t)
-dev_read_raw_memory(iscsid_t)
+corenet_sendrecv_winshadow_client_packets(iscsid_t)
+corenet_tcp_connect_winshadow_port(iscsid_t)
+corenet_tcp_sendrecv_winshadow_port(iscsid_t)
+
+corecmd_exec_bin(iscsid_t)
+corecmd_exec_shell(iscsid_t)
+
+dev_read_urand(iscsid_t)
dev_rw_sysfs(iscsid_t)
dev_rw_userio_dev(iscsid_t)
-dev_write_raw_memory(iscsid_t)
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
+files_read_kernel_modules(iscsid_t)
+
auth_use_nsswitch(iscsid_t)
init_stream_connect_script(iscsid_t)
logging_send_syslog_msg(iscsid_t)
-miscfiles_read_localization(iscsid_t)
+modutils_read_module_config(iscsid_t)
+
+mount_read_pid_files(iscsid_t)
+
+optional_policy(`
+ iscsi_systemctl(iscsid_t)
+')
optional_policy(`
tgtd_manage_semaphores(iscsid_t)
')
+
+optional_policy(`
+ kdump_rw_inherited_kdumpctl_tmp_pipes(iscsid_t)
+')
diff --git a/isns.te b/isns.te
index bc1103493..3cda6e9bd 100644
--- a/isns.te
+++ b/isns.te
@@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t)
allow isnsd_t self:capability kill;
allow isnsd_t self:process signal;
allow isnsd_t self:fifo_file rw_fifo_file_perms;
+allow isnsd_t self:tcp_socket { listen accept };
allow isnsd_t self:udp_socket { accept listen };
allow isnsd_t self:unix_stream_socket { accept listen };
@@ -37,6 +38,9 @@ manage_sock_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
manage_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
files_pid_filetrans(isnsd_t, isnsd_var_run_t, { file sock_file })
+kernel_read_system_state(isnsd_t)
+kernel_read_network_state(isnsd_t)
+
corenet_all_recvfrom_unlabeled(isnsd_t)
corenet_all_recvfrom_netlabel(isnsd_t)
corenet_tcp_sendrecv_generic_if(isnsd_t)
@@ -45,11 +49,8 @@ corenet_tcp_sendrecv_isns_port(isnsd_t)
corenet_tcp_bind_generic_node(isnsd_t)
corenet_sendrecv_isns_server_packets(isnsd_t)
corenet_tcp_bind_isns_port(isnsd_t)
+corenet_tcp_connect_isns_port(isnsd_t)
-files_read_etc_files(isnsd_t)
+auth_use_nsswitch(isnsd_t)
logging_send_syslog_msg(isnsd_t)
-
-miscfiles_read_localization(isnsd_t)
-
-sysnet_dns_name_resolve(isnsd_t)
diff --git a/jabber.fc b/jabber.fc
index 59ad3b3c4..bd02cc87d 100644
--- a/jabber.fc
+++ b/jabber.fc
@@ -1,25 +1,18 @@
-/etc/rc\.d/init\.d/((jabber)|(ejabberd)|(jabberd)) -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/jabberd -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
-/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
-/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
-/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/sbin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
-/var/lock/ejabberdctl(/.*) gen_context(system_u:object_r:jabberd_lock_t,s0)
+# pyicq-t
-/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
-/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0)
-/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
-/var/lib/ejabberd/spool(/.*)? gen_context(system_u:object_r:jabberd_spool_t,s0)
-/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
-/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
-/var/lib/jabberd/log(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
-/var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0)
+/var/log/pyicq-t\.log.* gen_context(system_u:object_r:pyicqt_log_t,s0)
-/var/run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
-/var/run/jabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
+/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)
+
+/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_spool_t,s0)
diff --git a/jabber.if b/jabber.if
index 7eb381121..8075ba5f0 100644
--- a/jabber.if
+++ b/jabber.if
@@ -1,29 +1,76 @@
-## <summary>Jabber instant messaging servers.</summary>
+## <summary>Jabber instant messaging server</summary>
+
+#####################################
+## <summary>
+## Creates types and rules for a basic
+## jabber init daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`jabber_domain_template',`
+ gen_require(`
+ attribute jabberd_domain;
+ ')
+
+ ##############################
+ #
+ # $1_t declarations
+ #
+
+ type $1_t, jabberd_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+ kernel_read_system_state($1_t)
+
+ corenet_all_recvfrom_netlabel($1_t)
+
+ logging_send_syslog_msg($1_t)
+')
#######################################
## <summary>
-## The template to define a jabber domain.
+## Execute a domain transition to run jabberd services
## </summary>
-## <param name="domain_prefix">
+## <param name="domain">
## <summary>
-## Domain prefix to be used.
+## Domain allowed to transition.
## </summary>
## </param>
#
-template(`jabber_domain_template',`
+interface(`jabber_domtrans_jabberd',`
gen_require(`
- attribute jabberd_domain;
+ type jabberd_t, jabberd_exec_t;
')
- type $1_t, jabberd_domain;
- type $1_exec_t;
- init_daemon_domain($1_t, $1_exec_t)
+ domtrans_pattern($1, jabberd_exec_t, jabberd_t)
')
-########################################
+######################################
## <summary>
-## Create, read, write, and delete
-## jabber lib files.
+## Execute a domain transition to run jabberd router service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`jabber_domtrans_jabberd_router',`
+ gen_require(`
+ type jabberd_router_t, jabberd_router_exec_t;
+ ')
+
+ domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t)
+')
+
+#######################################
+## <summary>
+## Read jabberd lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -31,18 +78,37 @@ template(`jabber_domain_template',`
## </summary>
## </param>
#
-interface(`jabber_manage_lib_files',`
+interface(`jabberd_read_lib_files',`
gen_require(`
type jabberd_var_lib_t;
')
files_search_var_lib($1)
- manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
+ read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
')
-########################################
+#######################################
+## <summary>
+## Dontaudit inherited read jabberd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`jabberd_dontaudit_read_lib_files',`
+ gen_require(`
+ type jabberd_var_lib_t;
+ ')
+
+ dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms;
+')
+
+#######################################
## <summary>
-## Connect to jabber over a TCP socket (Deprecated)
+## Create, read, write, and delete
+## jabberd lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -50,14 +116,19 @@ interface(`jabber_manage_lib_files',`
## </summary>
## </param>
#
-interface(`jabber_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+interface(`jabberd_manage_lib_files',`
+ gen_require(`
+ type jabberd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
')
########################################
## <summary>
-## All of the rules required to
-## administrate an jabber environment.
+## All of the rules required to administrate
+## an jabber environment
## </summary>
## <param name="domain">
## <summary>
@@ -66,20 +137,28 @@ interface(`jabber_tcp_connect',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the jabber domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`jabber_admin',`
gen_require(`
- attribute jabberd_domain;
- type jabberd_lock_t, jabberd_log_t, jabberd_spool_t;
- type jabberd_var_lib_t, jabberd_var_run_t, jabberd_initrc_exec_t;
+ type jabberd_t, jabberd_var_lib_t;
+ type jabberd_initrc_exec_t, jabberd_router_t;
+ type jabberd_lock_t;
+ type jabberd_var_spool_t;
')
- allow $1 jabberd_domain:process { ptrace signal_perms };
- ps_process_pattern($1, jabberd_domain)
+ allow $1 jabberd_t:process signal_perms;
+ ps_process_pattern($1, jabberd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 jabberd_t:process ptrace;
+ allow $1 jabberd_router_t:process ptrace;
+ ')
+
+ allow $1 jabberd_router_t:process signal_perms;
+ ps_process_pattern($1, jabberd_router_t)
init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -89,15 +168,9 @@ interface(`jabber_admin',`
files_search_locks($1)
admin_pattern($1, jabberd_lock_t)
- logging_search_logs($1)
- admin_pattern($1, jabberd_log_t)
-
files_search_spool($1)
- admin_pattern($1, jabberd_spool_t)
+ admin_pattern($1, jabberd_var_spool_t)
files_search_var_lib($1)
admin_pattern($1, jabberd_var_lib_t)
-
- files_search_pids($1)
- admin_pattern($1, jabberd_var_run_t)
')
diff --git a/jabber.te b/jabber.te
index af67c36ee..4755e0af8 100644
--- a/jabber.te
+++ b/jabber.te
@@ -9,129 +9,137 @@ attribute jabberd_domain;
jabber_domain_template(jabberd)
jabber_domain_template(jabberd_router)
+jabber_domain_template(pyicqt)
type jabberd_initrc_exec_t;
init_script_file(jabberd_initrc_exec_t)
-type jabberd_lock_t;
-files_lock_file(jabberd_lock_t)
-
-type jabberd_log_t;
-logging_log_file(jabberd_log_t)
-
-type jabberd_spool_t;
-files_type(jabberd_spool_t)
-
+# type which includes log/pid files pro jabberd components
type jabberd_var_lib_t;
files_type(jabberd_var_lib_t)
-type jabberd_var_run_t;
-files_pid_file(jabberd_var_run_t)
+# pyicq-t types
+type pyicqt_log_t;
+logging_log_file(pyicqt_log_t);
-########################################
-#
-# Common local policy
-#
+type pyicqt_var_spool_t;
+files_spool_file(pyicqt_var_spool_t)
-allow jabberd_domain self:process signal_perms;
-allow jabberd_domain self:fifo_file rw_fifo_file_perms;
-allow jabberd_domain self:tcp_socket { accept listen };
+type pyicqt_var_run_t;
+files_pid_file(pyicqt_var_run_t)
-manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
+######################################
+#
+# Local policy for jabberd-router and c2s components
+#
-kernel_read_system_state(jabberd_domain)
+allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
-corenet_all_recvfrom_unlabeled(jabberd_domain)
-corenet_all_recvfrom_netlabel(jabberd_domain)
-corenet_tcp_sendrecv_generic_if(jabberd_domain)
-corenet_tcp_sendrecv_generic_node(jabberd_domain)
-corenet_tcp_bind_generic_node(jabberd_domain)
+manage_files_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
+manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
-dev_read_urand(jabberd_domain)
-dev_read_sysfs(jabberd_domain)
+kernel_read_network_state(jabberd_router_t)
-fs_getattr_all_fs(jabberd_domain)
+corenet_tcp_bind_jabber_client_port(jabberd_router_t)
+corenet_tcp_bind_jabber_router_port(jabberd_router_t)
+corenet_tcp_connect_jabber_router_port(jabberd_router_t)
+corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
+corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
+corenet_tcp_connect_postgresql_port(jabberd_router_t)
-logging_send_syslog_msg(jabberd_domain)
+fs_getattr_all_fs(jabberd_router_t)
-miscfiles_read_localization(jabberd_domain)
+miscfiles_read_generic_certs(jabberd_router_t)
optional_policy(`
- nis_use_ypbind(jabberd_domain)
+ kerberos_use(jabberd_router_t)
')
optional_policy(`
- seutil_sigchld_newrole(jabberd_domain)
+ nis_use_ypbind(jabberd_router_t)
')
-########################################
+#####################################
#
-# Local policy
+# Local policy for other jabberd components
#
-allow jabberd_t self:capability dac_override;
-dontaudit jabberd_t self:capability sys_tty_config;
-allow jabberd_t self:tcp_socket create_socket_perms;
-allow jabberd_t self:udp_socket create_socket_perms;
+allow jabberd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+
+manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
+manage_dirs_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
+
+corenet_tcp_bind_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_router_port(jabberd_t)
+corenet_tcp_connect_postgresql_port(jabberd_t)
-manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t)
+userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
+userdom_dontaudit_search_user_home_dirs(jabberd_t)
-allow jabberd_t jabberd_log_t:dir setattr_dir_perms;
-append_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-create_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-setattr_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
+miscfiles_read_certs(jabberd_t)
-manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
+optional_policy(`
+ seutil_sigchld_newrole(jabberd_t)
+')
-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
+optional_policy(`
+ udev_read_db(jabberd_t)
+')
-kernel_read_kernel_sysctls(jabberd_t)
+######################################
+#
+# Local policy for pyicq-t
+#
-corenet_sendrecv_jabber_client_server_packets(jabberd_t)
-corenet_tcp_bind_jabber_client_port(jabberd_t)
-corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
+# need for /var/log/pyicq-t.log
+manage_files_pattern(pyicqt_t, pyicqt_log_t, pyicqt_log_t)
+logging_log_filetrans(pyicqt_t, pyicqt_log_t, file)
-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
-corenet_tcp_bind_jabber_interserver_port(jabberd_t)
-corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
+manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t);
-dev_read_rand(jabberd_t)
+files_search_spool(pyicqt_t)
+manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t);
-domain_use_interactive_fds(jabberd_t)
+corenet_tcp_bind_jabber_router_port(pyicqt_t)
+corenet_tcp_connect_jabber_router_port(pyicqt_t)
-files_read_etc_files(jabberd_t)
-files_read_etc_runtime_files(jabberd_t)
+corecmd_exec_bin(pyicqt_t)
-fs_search_auto_mountpoints(jabberd_t)
+dev_read_urand(pyicqt_t)
-sysnet_read_config(jabberd_t)
+auth_use_nsswitch(pyicqt_t)
-userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
-userdom_dontaudit_search_user_home_dirs(jabberd_t)
+# needed for pyicq-t-mysql
+optional_policy(`
+ corenet_tcp_connect_mysqld_port(pyicqt_t)
+')
optional_policy(`
- udev_read_db(jabberd_t)
+ sysnet_use_ldap(pyicqt_t)
')
-########################################
+#######################################
#
-# Router local policy
+# Local policy for jabberd domains
#
-manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
+allow jabberd_domain self:process signal_perms;
+allow jabberd_domain self:fifo_file rw_fifo_file_perms;
+allow jabberd_domain self:tcp_socket create_stream_socket_perms;
+allow jabberd_domain self:udp_socket create_socket_perms;
-kernel_read_network_state(jabberd_router_t)
+corenet_tcp_sendrecv_generic_if(jabberd_domain)
+corenet_udp_sendrecv_generic_if(jabberd_domain)
+corenet_tcp_sendrecv_generic_node(jabberd_domain)
+corenet_udp_sendrecv_generic_node(jabberd_domain)
+corenet_tcp_sendrecv_all_ports(jabberd_domain)
+corenet_udp_sendrecv_all_ports(jabberd_domain)
+corenet_tcp_bind_generic_node(jabberd_domain)
-corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
-corenet_tcp_bind_jabber_client_port(jabberd_router_t)
-corenet_tcp_sendrecv_jabber_client_port(jabberd_router_t)
+dev_read_sysfs(jabberd_domain)
+dev_read_urand(jabberd_domain)
-# corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
-# corenet_tcp_bind_jabber_router_port(jabberd_router_t)
-# corenet_sendrecv_jabber_router_client_packets(jabberd_router_t)
-# corenet_tcp_connect_jabber_router_port(jabberd_router_t)
-# corenet_tcp_sendrecv_jabber_router_port(jabberd_router_t)
+files_read_etc_runtime_files(jabberd_domain)
-auth_use_nsswitch(jabberd_router_t)
+sysnet_read_config(jabberd_domain)
diff --git a/java.te b/java.te
index a7ae1531b..6341e3119 100644
--- a/java.te
+++ b/java.te
@@ -11,7 +11,7 @@ policy_module(java, 2.7.0)
## its stack executable.
## </p>
## </desc>
-gen_tunable(allow_java_execstack, false)
+gen_tunable(java_execstack, false)
attribute java_domain;
@@ -90,7 +90,6 @@ dev_read_urand(java_domain)
dev_read_rand(java_domain)
dev_dontaudit_append_rand(java_domain)
-files_read_usr_files(java_domain)
files_read_etc_runtime_files(java_domain)
fs_getattr_all_fs(java_domain)
@@ -108,11 +107,11 @@ userdom_manage_user_home_content_files(java_domain)
userdom_manage_user_home_content_symlinks(java_domain)
userdom_manage_user_home_content_pipes(java_domain)
userdom_manage_user_home_content_sockets(java_domain)
-userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file })
+userdom_filetrans_home_content(java_domain_t)
userdom_write_user_tmp_sockets(java_domain)
-tunable_policy(`allow_java_execstack',`
+tunable_policy(`java_execstack',`
allow java_domain self:process { execmem execstack };
libs_legacy_use_shared_libs(java_domain)
diff --git a/jetty.fc b/jetty.fc
new file mode 100644
index 000000000..c7c4fba01
--- /dev/null
+++ b/jetty.fc
@@ -0,0 +1,12 @@
+
+/usr/lib/systemd/system/jetty\.service -- gen_context(system_u:object_r:jetty_unit_file_t,s0)
+
+/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:jetty_exec_t,s0)
+
+/var/cache/jetty(/.*)? gen_context(system_u:object_r:jetty_cache_t,s0)
+
+/var/lib/jetty(/.*)? gen_context(system_u:object_r:jetty_var_lib_t,s0)
+
+/var/log/jetty(/.*)? gen_context(system_u:object_r:jetty_log_t,s0)
+
+/var/run/jetty(/.*)? gen_context(system_u:object_r:jetty_var_run_t,s0)
diff --git a/jetty.if b/jetty.if
new file mode 100644
index 000000000..6679a02aa
--- /dev/null
+++ b/jetty.if
@@ -0,0 +1,415 @@
+
+## <summary>Jetty - HTTP server and Servlet container</summary>
+
+########################################
+## <summary>
+## Execute jetty_exec_t in the jetty domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`jetty_domtrans',`
+ gen_require(`
+ type jetty_t, jetty_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, jetty_exec_t, jetty_t)
+')
+
+######################################
+## <summary>
+## Execute jetty in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jetty_exec',`
+ gen_require(`
+ type jetty_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, jetty_exec_t)
+')
+
+########################################
+## <summary>
+## Search jetty cache directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jetty_search_cache',`
+ gen_require(`
+ type jetty_cache_t;
+ ')
+
+ allow $1 jetty_cache_t:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+## <summary>
+## Read jetty cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jetty_read_cache_files',`
+ gen_require(`
+ type jetty_cache_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, jetty_cache_t, jetty_cache_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## jetty cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jetty_manage_cache_files',`
+ gen_require(`
+ type jetty_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, jetty_cache_t, jetty_cache_t)
+')
+
+########################################
+## <summary>
+## Manage jetty cache dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jetty_manage_cache_dirs',`
+ gen_require(`
+ type jetty_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, jetty_cache_t, jetty_cache_t)
+')
+
+########################################
+## <summary>
+## Read jetty's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`jetty_read_log',`
+ gen_require(`
+ type jetty_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, jetty_log_t, jetty_log_t)
+')
+
+########################################
+## <summary>
+## Append to jetty log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jetty_append_log',`
+ gen_require(`
+ type jetty_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, jetty_log_t, jetty_log_t)
+')
+
+########################################
+## <summary>
+## Manage jetty log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jetty_manage_log',`
+ gen_require(`
+ type jetty_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, jetty_log_t, jetty_log_t)
+ manage_files_pattern($1, jetty_log_t, jetty_log_t)
+ manage_lnk_files_pattern($1, jetty_log_t, jetty_log_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read,
+## jetty tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`jetty_dontaudit_read_tmp_files',`
+ gen_require(`
+ type jetty_tmp_t;
+ ')
+
+ dontaudit $1 jetty_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read jetty tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jetty_read_tmp_files',`
+ gen_require(`
+ type jetty_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, jetty_tmp_t, jetty_tmp_t)
+')
+
+########################################
+## <summary>
+## Manage jetty tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jetty_manage_tmp',`
+ gen_require(`
+ type jetty_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_dirs_pattern($1, jetty_tmp_t, jetty_tmp_t)
+ manage_files_pattern($1, jetty_tmp_t, jetty_tmp_t)
+ manage_lnk_files_pattern($1, jetty_tmp_t, jetty_tmp_t)
+')
+
+########################################
+## <summary>
+## Search jetty lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jetty_search_lib',`
+ gen_require(`
+ type jetty_var_lib_t;
+ ')
+
+ allow $1 jetty_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read jetty lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jetty_read_lib_files',`
+ gen_require(`
+ type jetty_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage jetty lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jetty_manage_lib_files',`
+ gen_require(`
+ type jetty_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage jetty lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jetty_manage_lib_dirs',`
+ gen_require(`
+ type jetty_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read jetty PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jetty_read_pid_files',`
+ gen_require(`
+ type jetty_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, jetty_var_run_t, jetty_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute jetty server in the jetty domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`jetty_systemctl',`
+ gen_require(`
+ type jetty_t;
+ type jetty_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 jetty_unit_file_t:file read_file_perms;
+ allow $1 jetty_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, jetty_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an jetty environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`jetty_admin',`
+ gen_require(`
+ type jetty_t;
+ type jetty_cache_t;
+ type jetty_log_t;
+ type jetty_tmp_t;
+ type jetty_var_lib_t;
+ type jetty_var_run_t;
+ type jetty_unit_file_t;
+ ')
+
+ allow $1 jetty_t:process { signal_perms };
+ ps_process_pattern($1, jetty_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 jetty_t:process ptrace;
+ ')
+
+ files_search_var($1)
+ admin_pattern($1, jetty_cache_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, jetty_log_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, jetty_tmp_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, jetty_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, jetty_var_run_t)
+
+ jetty_systemctl($1)
+ admin_pattern($1, jetty_unit_file_t)
+ allow $1 jetty_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/jetty.te b/jetty.te
new file mode 100644
index 000000000..71325e5e6
--- /dev/null
+++ b/jetty.te
@@ -0,0 +1,78 @@
+policy_module(jetty, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type jetty_t;
+type jetty_exec_t;
+init_daemon_domain(jetty_t, jetty_exec_t)
+
+type jetty_cache_t;
+files_type(jetty_cache_t)
+
+type jetty_log_t;
+logging_log_file(jetty_log_t)
+
+type jetty_tmp_t;
+files_tmp_file(jetty_tmp_t)
+
+type jetty_var_lib_t;
+files_type(jetty_var_lib_t)
+
+type jetty_var_run_t;
+files_pid_file(jetty_var_run_t)
+
+type jetty_unit_file_t;
+systemd_unit_file(jetty_unit_file_t)
+
+########################################
+#
+# jetty local policy
+#
+
+allow jetty_t self:process execmem;
+allow jetty_t self:process { signal signull };
+
+allow jetty_t self:fifo_file rw_fifo_file_perms;
+allow jetty_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(jetty_t, jetty_cache_t, jetty_cache_t)
+manage_files_pattern(jetty_t, jetty_cache_t, jetty_cache_t)
+files_var_filetrans(jetty_t, jetty_cache_t, dir)
+
+manage_dirs_pattern(jetty_t, jetty_log_t, jetty_log_t)
+manage_files_pattern(jetty_t, jetty_log_t, jetty_log_t)
+logging_log_filetrans(jetty_t, jetty_log_t, dir)
+
+manage_dirs_pattern(jetty_t, jetty_tmp_t, jetty_tmp_t)
+manage_files_pattern(jetty_t, jetty_tmp_t, jetty_tmp_t)
+files_tmp_filetrans(jetty_t, jetty_tmp_t, { dir file })
+
+manage_dirs_pattern(jetty_t, jetty_var_lib_t, jetty_var_lib_t)
+manage_files_pattern(jetty_t, jetty_var_lib_t, jetty_var_lib_t)
+files_var_lib_filetrans(jetty_t, jetty_var_lib_t, dir)
+
+manage_dirs_pattern(jetty_t, jetty_var_run_t, jetty_var_run_t)
+manage_files_pattern(jetty_t, jetty_var_run_t, jetty_var_run_t)
+files_pid_filetrans(jetty_t, jetty_var_run_t, dir)
+
+kernel_read_system_state(jetty_t)
+kernel_read_network_state(jetty_t)
+
+corecmd_exec_bin(jetty_t)
+corecmd_exec_shell(jetty_t)
+
+corenet_tcp_bind_http_cache_port(jetty_t)
+
+dev_read_rand(jetty_t)
+dev_read_sysfs(jetty_t)
+dev_read_urand(jetty_t)
+
+auth_use_nsswitch(jetty_t)
+
+optional_policy(`
+ #allow access to /etc/abrt/plugins/java.conf
+ abrt_read_config(jetty_t)
+')
diff --git a/jockey.if b/jockey.if
index 2fb7a20fa..c6ba00798 100644
--- a/jockey.if
+++ b/jockey.if
@@ -1 +1,131 @@
-## <summary>Jockey driver manager.</summary>
+
+## <summary>policy for jockey</summary>
+
+########################################
+## <summary>
+## Transition to jockey.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`jockey_domtrans',`
+ gen_require(`
+ type jockey_t, jockey_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, jockey_exec_t, jockey_t)
+')
+
+########################################
+## <summary>
+## Search jockey cache directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jockey_search_cache',`
+ gen_require(`
+ type jockey_cache_t;
+ ')
+
+ allow $1 jockey_cache_t:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+## <summary>
+## Read jockey cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jockey_read_cache_files',`
+ gen_require(`
+ type jockey_cache_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, jockey_cache_t, jockey_cache_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## jockey cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jockey_manage_cache_files',`
+ gen_require(`
+ type jockey_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, jockey_cache_t, jockey_cache_t)
+')
+
+########################################
+## <summary>
+## Manage jockey cache dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jockey_manage_cache_dirs',`
+ gen_require(`
+ type jockey_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, jockey_cache_t, jockey_cache_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an jockey environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jockey_admin',`
+ gen_require(`
+ type jockey_t;
+ type jockey_cache_t;
+ type jockey_var_log_t;
+ ')
+
+ allow $1 jockey_t:process { ptrace signal_perms };
+ ps_process_pattern($1, jockey_t)
+
+ files_search_var($1)
+ admin_pattern($1, jockey_cache_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, jockey_var_log_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/jockey.te b/jockey.te
index d59ec10a2..a46018d04 100644
--- a/jockey.te
+++ b/jockey.te
@@ -15,6 +15,9 @@ files_type(jockey_cache_t)
type jockey_var_log_t;
logging_log_file(jockey_var_log_t)
+type jockey_tmpfs_t;
+files_tmpfs_file(jockey_tmpfs_t)
+
########################################
#
# Local policy
@@ -33,6 +36,10 @@ create_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
setattr_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir })
+manage_dirs_pattern(jockey_t, jockey_tmpfs_t, jockey_tmpfs_t)
+manage_files_pattern(jockey_t, jockey_tmpfs_t, jockey_tmpfs_t)
+fs_tmpfs_filetrans(jockey_t, jockey_tmpfs_t, { dir file })
+
kernel_read_system_state(jockey_t)
corecmd_exec_bin(jockey_t)
@@ -44,16 +51,19 @@ dev_read_urand(jockey_t)
domain_use_interactive_fds(jockey_t)
-files_read_etc_files(jockey_t)
-files_read_usr_files(jockey_t)
-miscfiles_read_localization(jockey_t)
+auth_read_passwd(jockey_t)
optional_policy(`
dbus_system_domain(jockey_t, jockey_exec_t)
')
optional_policy(`
+ gnome_dontaudit_search_config(jockey_t)
+')
+
+optional_policy(`
modutils_domtrans_insmod(jockey_t)
modutils_read_module_config(jockey_t)
+ modutils_list_module_config(jockey_t)
')
diff --git a/journalctl.fc b/journalctl.fc
new file mode 100644
index 000000000..f27065286
--- /dev/null
+++ b/journalctl.fc
@@ -0,0 +1 @@
+/usr/bin/journalctl -- gen_context(system_u:object_r:journalctl_exec_t,s0)
diff --git a/journalctl.if b/journalctl.if
new file mode 100644
index 000000000..17126b64c
--- /dev/null
+++ b/journalctl.if
@@ -0,0 +1,95 @@
+
+## <summary>policy for journalctl</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the journalctl domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`journalctl_domtrans',`
+ gen_require(`
+ type journalctl_t, journalctl_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, journalctl_exec_t, journalctl_t)
+')
+
+######################################
+## <summary>
+## Execute journalctl in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`journalctl_exec',`
+ gen_require(`
+ type journalctl_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, journalctl_exec_t)
+')
+
+########################################
+## <summary>
+## Execute journalctl in the journalctl domain, and
+## allow the specified role the journalctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the journalctl domain.
+## </summary>
+## </param>
+#
+interface(`journalctl_run',`
+ gen_require(`
+ type journalctl_t;
+ attribute_role journalctl_roles;
+ ')
+
+ journalctl_domtrans($1)
+ roleattribute $2 journalctl_roles;
+')
+
+########################################
+## <summary>
+## Role access for journalctl
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`journalctl_role',`
+ gen_require(`
+ type journalctl_t;
+ attribute_role journalctl_roles;
+ ')
+
+ roleattribute $1 journalctl_roles;
+
+ journalctl_domtrans($2)
+
+ ps_process_pattern($2, journalctl_t)
+ allow $2 journalctl_t:process { signull signal sigkill };
+')
diff --git a/journalctl.te b/journalctl.te
new file mode 100644
index 000000000..68dd2b7d6
--- /dev/null
+++ b/journalctl.te
@@ -0,0 +1,47 @@
+policy_module(journalctl, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role journalctl_roles;
+roleattribute system_r journalctl_roles;
+
+type journalctl_t;
+type journalctl_exec_t;
+application_domain(journalctl_t, journalctl_exec_t)
+
+role journalctl_roles types journalctl_t;
+
+########################################
+#
+# journalctl local policy
+#
+allow journalctl_t self:process { fork signal_perms };
+
+allow journalctl_t self:fifo_file manage_fifo_file_perms;
+allow journalctl_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(journalctl_t)
+
+corecmd_exec_bin(journalctl_t)
+
+domain_use_interactive_fds(journalctl_t)
+
+files_read_etc_files(journalctl_t)
+
+fs_getattr_all_fs(journalctl_t)
+
+auth_use_nsswitch(journalctl_t)
+
+miscfiles_read_localization(journalctl_t)
+
+logging_read_generic_logs(journalctl_t)
+logging_read_syslog_pid(journalctl_t)
+
+userdom_list_user_home_dirs(journalctl_t)
+userdom_read_user_home_content_files(journalctl_t)
+userdom_use_inherited_user_ptys(journalctl_t)
+userdom_rw_inherited_user_tmp_files(journalctl_t)
+userdom_rw_inherited_user_home_content_files(journalctl_t)
diff --git a/kde.fc b/kde.fc
new file mode 100644
index 000000000..25e4b6817
--- /dev/null
+++ b/kde.fc
@@ -0,0 +1 @@
+#/usr/libexec/kde(3|4)/backlighthelper -- gen_context(system_u:object_r:kdebacklighthelper_exec_t,s0)
diff --git a/kde.if b/kde.if
new file mode 100644
index 000000000..cf6557769
--- /dev/null
+++ b/kde.if
@@ -0,0 +1,22 @@
+## <summary> Policy for KDE components </summary>
+
+#######################################
+## <summary>
+## Send and receive messages from
+## firewallgui over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kde_dbus_chat_backlighthelper',`
+ gen_require(`
+ type kdebacklighthelper_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 kdebacklighthelper_t:dbus send_msg;
+ allow kdebacklighthelper_t $1:dbus send_msg;
+')
diff --git a/kde.te b/kde.te
new file mode 100644
index 000000000..dbe3f038d
--- /dev/null
+++ b/kde.te
@@ -0,0 +1,41 @@
+policy_module(kde,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type kdebacklighthelper_t;
+type kdebacklighthelper_exec_t;
+init_daemon_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
+
+########################################
+#
+# backlighthelper local policy
+#
+
+allow kdebacklighthelper_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(kdebacklighthelper_t)
+
+# r/w brightness values
+dev_rw_sysfs(kdebacklighthelper_t)
+
+files_read_etc_runtime_files(kdebacklighthelper_t)
+
+fs_getattr_all_fs(kdebacklighthelper_t)
+
+logging_send_syslog_msg(kdebacklighthelper_t)
+
+optional_policy(`
+ dbus_system_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
+')
+
+optional_policy(`
+ consolekit_dbus_chat(kdebacklighthelper_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(kdebacklighthelper_t)
+')
+
diff --git a/kdump.fc b/kdump.fc
index a49ae4e91..0c0e987a8 100644
--- a/kdump.fc
+++ b/kdump.fc
@@ -1,13 +1,16 @@
/etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0)
+/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
+/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
+/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
-/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
-/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
+/usr/lib/systemd/system/kdump\.service -- gen_context(system_u:object_r:kdump_unit_file_t,s0)
-/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
-/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
+/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
+/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
+/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
-/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
-/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
+/var/crash(/.*)? gen_context(system_u:object_r:kdump_crash_t,s0)
+
+/var/lock/kdump(/.*)? gen_context(system_u:object_r:kdump_lock_t,s0)
diff --git a/kdump.if b/kdump.if
index 3a00b3a13..92f125fdf 100644
--- a/kdump.if
+++ b/kdump.if
@@ -1,4 +1,4 @@
-## <summary>Kernel crash dumping mechanism.</summary>
+## <summary>Kernel crash dumping mechanism</summary>
######################################
## <summary>
@@ -19,6 +19,26 @@ interface(`kdump_domtrans',`
domtrans_pattern($1, kdump_exec_t, kdump_t)
')
+######################################
+## <summary>
+## Execute kdumpctl in the kdumpctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kdumpctl_domtrans',`
+ gen_require(`
+ type kdumpctl_t, kdumpctl_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, kdumpctl_exec_t, kdumpctl_t)
+')
+
+
#######################################
## <summary>
## Execute kdump in the kdump domain.
@@ -37,9 +57,34 @@ interface(`kdump_initrc_domtrans',`
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
')
+########################################
+## <summary>
+## Execute kdump server in the kdump domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kdump_systemctl',`
+ gen_require(`
+ type kdump_unit_file_t;
+ type kdump_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_search_unit_dirs($1)
+ allow $1 kdump_unit_file_t:file read_file_perms;
+ allow $1 kdump_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, kdump_t)
+')
+
#####################################
## <summary>
-## Read kdump configuration files.
+## Read kdump configuration file.
## </summary>
## <param name="domain">
## <summary>
@@ -56,10 +101,67 @@ interface(`kdump_read_config',`
allow $1 kdump_etc_t:file read_file_perms;
')
+#####################################
+## <summary>
+## Read kdump crash files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kdump_read_crash',`
+ gen_require(`
+ type kdump_crash_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, kdump_crash_t, kdump_crash_t)
+ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
+')
+
+#####################################
+## <summary>
+## Read kdump crash files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kdump_manage_crash',`
+ gen_require(`
+ type kdump_crash_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, kdump_crash_t, kdump_crash_t)
+ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
+')
+
+#####################################
+## <summary>
+## Dontaudit read kdump configuration file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kdump_dontaudit_read_config',`
+ gen_require(`
+ type kdump_etc_t;
+ ')
+
+ dontaudit $1 kdump_etc_t:file read_inherited_file_perms;
+')
+
####################################
## <summary>
-## Create, read, write, and delete
-## kdmup configuration files.
+## Manage kdump configuration file.
## </summary>
## <param name="domain">
## <summary>
@@ -76,10 +178,88 @@ interface(`kdump_manage_config',`
allow $1 kdump_etc_t:file manage_file_perms;
')
+#####################################
+## <summary>
+## Read and write kdump lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kdump_rw_lock',`
+ gen_require(`
+ type kdump_lock_t;
+ ')
+
+ files_search_locks($1)
+ rw_files_pattern($1, kdump_lock_t, kdump_lock_t)
+')
+
+###################################
+## <summary>
+## Read/write inherited kdump /var/tmp named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kdump_rw_inherited_kdumpctl_tmp_pipes',`
+ gen_require(`
+ type kdumpctl_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 kdumpctl_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+###################################
+## <summary>
+## Manage kdump /var/tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kdump_manage_kdumpctl_tmp_files',`
+ gen_require(`
+ type kdumpctl_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
+ manage_dirs_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
+ manage_fifo_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
+ manage_lnk_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
+')
+
+#######################################
+## <summary>
+## Transition content labels to kdump named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kdump_filetrans_named_content',`
+ gen_require(`
+ type kdump_lock_t;
+ ')
+
+ files_lock_filetrans($1, kdump_lock_t, file, "kdump")
+')
+
######################################
## <summary>
-## All of the rules required to
-## administrate an kdump environment.
+## All of the rules required to administrate
+## an kdump environment
## </summary>
## <param name="domain">
## <summary>
@@ -88,19 +268,24 @@ interface(`kdump_manage_config',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the kdump domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`kdump_admin',`
gen_require(`
- type kdump_t, kdump_etc_t, kdumpctl_tmp_t;
- type kdump_initrc_exec_t, kdumpctl_t;
+ type kdump_t, kdump_etc_t;
+ type kdump_initrc_exec_t;
+ type kdump_unit_file_t;
+ type kdump_crash_t;
')
- allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { kdump_t kdumpctl_t })
+ allow $1 kdump_t:process signal_perms;
+ ps_process_pattern($1, kdump_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 kdump_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
domain_system_change_exemption($1)
@@ -110,6 +295,29 @@ interface(`kdump_admin',`
files_search_etc($1)
admin_pattern($1, kdump_etc_t)
- files_search_tmp($1)
- admin_pattern($1, kdumpctl_tmp_t)
+ files_search_var($1)
+ admin_pattern($1, kdump_crash_t)
+
+ kdump_systemctl($1)
+ admin_pattern($1, kdump_unit_file_t)
+ allow $1 kdump_unit_file_t:service all_service_perms;
')
+
+###################################
+## <summary>
+## Dontaudit Read/write inherited kdump /var/tmp named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`kdump_dontaudit_inherited_kdumpctl_tmp_pipes',`
+ gen_require(`
+ type kdumpctl_tmp_t;
+ ')
+
+ dontaudit $1 kdumpctl_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
diff --git a/kdump.te b/kdump.te
index 715fc211c..e506a7f5d 100644
--- a/kdump.te
+++ b/kdump.te
@@ -12,35 +12,58 @@ init_system_domain(kdump_t, kdump_exec_t)
type kdump_etc_t;
files_config_file(kdump_etc_t)
+type kdump_crash_t;
+files_type(kdump_crash_t)
+
type kdump_initrc_exec_t;
init_script_file(kdump_initrc_exec_t)
+type kdump_unit_file_t alias kdumpctl_unit_file_t;
+systemd_unit_file(kdump_unit_file_t)
+
+type kdump_lock_t;
+files_lock_file(kdump_lock_t)
+
type kdumpctl_t;
type kdumpctl_exec_t;
init_daemon_domain(kdumpctl_t, kdumpctl_exec_t)
-application_executable_file(kdumpctl_exec_t)
+init_initrc_domain(kdumpctl_t)
type kdumpctl_tmp_t;
files_tmp_file(kdumpctl_tmp_t)
#####################################
#
-# Local policy
+# kdump local policy
#
-allow kdump_t self:capability { sys_boot dac_override };
+allow kdump_t self:capability { sys_admin sys_boot dac_read_search };
+#allow kdump_t self:capability2 compromise_kernel;
+
+manage_dirs_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
+manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
+manage_lnk_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
+files_var_filetrans(kdump_t, kdump_crash_t, dir, "crash")
+
+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
-allow kdump_t kdump_etc_t:file read_file_perms;
+manage_dirs_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
+manage_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
+manage_lnk_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
+files_lock_filetrans(kdump_t, kdump_lock_t, { dir file lnk_file })
-files_read_etc_files(kdump_t)
files_read_etc_runtime_files(kdump_t)
+files_read_kernel_symbol_table(kdump_t)
+files_read_kernel_modules(kdump_t)
files_read_kernel_img(kdump_t)
+kernel_read_system_state(kdump_t)
kernel_read_core_if(kdump_t)
kernel_read_debugfs(kdump_t)
-kernel_read_system_state(kdump_t)
kernel_request_load_module(kdump_t)
+mls_file_read_all_levels(kdump_t)
+
dev_read_framebuffer(kdump_t)
dev_read_sysfs(kdump_t)
@@ -48,22 +71,35 @@ term_use_console(kdump_t)
#######################################
#
-# Ctl local policy
+# kdumpctl local policy
#
-allow kdumpctl_t self:capability { dac_override sys_chroot };
+#cjp:almost all rules are needed by dracut
+
+kdump_domtrans(kdumpctl_t)
+
+allow kdumpctl_t self:capability { dac_read_search sys_chroot };
allow kdumpctl_t self:process setfscreate;
+
allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
-allow kdumpctl_t self:unix_stream_socket { accept listen };
+allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms;
-allow kdumpctl_t kdump_etc_t:file read_file_perms;
+manage_files_pattern(kdumpctl_t, kdump_lock_t, kdump_lock_t)
+files_lock_filetrans(kdumpctl_t, kdump_lock_t, file, "kdump")
manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
+manage_chr_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
manage_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
manage_lnk_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file })
+can_exec(kdumpctl_t, kdumpctl_tmp_t)
+
+manage_dirs_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t)
+manage_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t)
+manage_lnk_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t)
+files_var_filetrans(kdumpctl_t, kdump_crash_t, dir, "crash")
-domtrans_pattern(kdumpctl_t, kdump_exec_t, kdump_t)
+read_files_pattern(kdumpctl_t, kdump_etc_t, kdump_etc_t)
kernel_read_system_state(kdumpctl_t)
@@ -71,46 +107,62 @@ corecmd_exec_bin(kdumpctl_t)
corecmd_exec_shell(kdumpctl_t)
dev_read_sysfs(kdumpctl_t)
+# dracut
dev_manage_all_dev_nodes(kdumpctl_t)
domain_use_interactive_fds(kdumpctl_t)
files_create_kernel_img(kdumpctl_t)
-files_read_etc_files(kdumpctl_t)
files_read_etc_runtime_files(kdumpctl_t)
-files_read_usr_files(kdumpctl_t)
files_read_kernel_modules(kdumpctl_t)
files_getattr_all_dirs(kdumpctl_t)
+files_delete_kernel(kdumpctl_t)
fs_getattr_all_fs(kdumpctl_t)
fs_search_all(kdumpctl_t)
-init_domtrans_script(kdumpctl_t)
+application_executable_ioctl(kdumpctl_t)
+
+auth_read_passwd(kdumpctl_t)
+
init_exec(kdumpctl_t)
+systemd_exec_systemctl(kdumpctl_t)
+systemd_read_unit_files(kdumpctl_t)
libs_exec_ld_so(kdumpctl_t)
logging_send_syslog_msg(kdumpctl_t)
+# Need log file from /var/log/dracut.log
+logging_write_generic_logs(kdumpctl_t)
+
+selinux_get_enforce_mode(kdumpctl_t)
-miscfiles_read_localization(kdumpctl_t)
+optional_policy(`
+ networkmanager_dbus_chat(kdumpctl_t)
+')
+
+optional_policy(`
+ gpg_exec(kdumpctl_t)
+')
optional_policy(`
- gpg_exec(kdumpctl_t)
+ lvm_read_config(kdumpctl_t)
')
optional_policy(`
- lvm_read_config(kdumpctl_t)
+ modutils_domtrans_insmod(kdumpctl_t)
+ modutils_list_module_config(kdumpctl_t)
+ modutils_read_module_config(kdumpctl_t)
')
optional_policy(`
- modutils_domtrans_insmod(kdumpctl_t)
- modutils_read_module_config(kdumpctl_t)
+ plymouthd_domtrans_plymouth(kdumpctl_t)
')
optional_policy(`
- plymouthd_domtrans_plymouth(kdumpctl_t)
+ ssh_exec(kdumpctl_t)
')
optional_policy(`
- ssh_exec(kdumpctl_t)
+ unconfined_domain(kdumpctl_t)
')
diff --git a/kdumpgui.if b/kdumpgui.if
index 182ab8b58..8b1d9c23c 100644
--- a/kdumpgui.if
+++ b/kdumpgui.if
@@ -1 +1,23 @@
-## <summary>System-config-kdump GUI.</summary>
+## <summary>system-config-kdump GUI</summary>
+
+########################################
+## <summary>
+## Send and receive messages from
+## kdumpgui over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kdumpgui_dbus_chat',`
+ gen_require(`
+ type kdumpgui_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 kdumpgui_t:dbus send_msg;
+ allow kdumpgui_t $1:dbus send_msg;
+')
+
diff --git a/kdumpgui.te b/kdumpgui.te
index 2990962b6..6629aaf27 100644
--- a/kdumpgui.te
+++ b/kdumpgui.te
@@ -5,79 +5,90 @@ policy_module(kdumpgui, 1.2.0)
# Declarations
#
+## <desc>
+## <p>
+## Allow s-c-kdump to run bootloader in bootloader_t.
+## </p>
+## </desc>
+gen_tunable(kdumpgui_run_bootloader, false)
+
type kdumpgui_t;
type kdumpgui_exec_t;
-init_system_domain(kdumpgui_t, kdumpgui_exec_t)
+init_daemon_domain(kdumpgui_t, kdumpgui_exec_t)
type kdumpgui_tmp_t;
files_tmp_file(kdumpgui_tmp_t)
######################################
#
-# Local policy
+# system-config-kdump local policy
#
allow kdumpgui_t self:capability { net_admin sys_admin sys_nice sys_rawio };
-allow kdumpgui_t self:process { setsched sigkill };
allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow kdumpgui_t self:process { setsched sigkill };
manage_dirs_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
manage_files_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
files_tmp_filetrans(kdumpgui_t, kdumpgui_tmp_t, { dir file })
-kernel_getattr_core_if(kdumpgui_t)
kernel_read_system_state(kdumpgui_t)
kernel_read_network_state(kdumpgui_t)
+kernel_getattr_core_if(kdumpgui_t)
corecmd_exec_bin(kdumpgui_t)
corecmd_exec_shell(kdumpgui_t)
-dev_getattr_all_blk_files(kdumpgui_t)
dev_dontaudit_getattr_all_chr_files(kdumpgui_t)
dev_read_sysfs(kdumpgui_t)
+dev_read_urand(kdumpgui_t)
+dev_getattr_all_blk_files(kdumpgui_t)
+dev_read_nvme(kdumpgui_t)
files_manage_boot_files(kdumpgui_t)
files_manage_boot_symlinks(kdumpgui_t)
+# Needed for running chkconfig
files_manage_etc_symlinks(kdumpgui_t)
+# for blkid.tab
files_manage_etc_runtime_files(kdumpgui_t)
files_etc_filetrans_etc_runtime(kdumpgui_t, file)
-files_read_usr_files(kdumpgui_t)
+fs_manage_dos_files(kdumpgui_t)
fs_getattr_all_fs(kdumpgui_t)
fs_list_hugetlbfs(kdumpgui_t)
-fs_read_dos_files(kdumpgui_t)
-storage_raw_read_fixed_disk(kdumpgui_t)
storage_raw_write_fixed_disk(kdumpgui_t)
+storage_raw_read_removable_device(kdumpgui_t)
+storage_raw_read_fixed_disk(kdumpgui_t)
+storage_getattr_removable_dev(kdumpgui_t)
auth_use_nsswitch(kdumpgui_t)
+logging_send_syslog_msg(kdumpgui_t)
logging_list_logs(kdumpgui_t)
logging_read_generic_logs(kdumpgui_t)
-logging_send_syslog_msg(kdumpgui_t)
-
-miscfiles_read_localization(kdumpgui_t)
mount_exec(kdumpgui_t)
init_dontaudit_read_all_script_files(kdumpgui_t)
+init_access_check(kdumpgui_t)
-optional_policy(`
- bootloader_exec(kdumpgui_t)
- bootloader_rw_config(kdumpgui_t)
-')
+userdom_dontaudit_search_admin_dir(kdumpgui_t)
optional_policy(`
- consoletype_exec(kdumpgui_t)
+ tunable_policy(`kdumpgui_run_bootloader',`
+ bootloader_domtrans(kdumpgui_t)
+ #if s-c-kdump is involved
+ bootloader_manage_config(kdumpgui_t)
+ ',`
+ bootloader_exec(kdumpgui_t)
+ bootloader_manage_config(kdumpgui_t)
+ ')
')
optional_policy(`
dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
-
- optional_policy(`
- policykit_dbus_chat(kdumpgui_t)
- ')
')
optional_policy(`
@@ -87,4 +98,10 @@ optional_policy(`
optional_policy(`
kdump_manage_config(kdumpgui_t)
kdump_initrc_domtrans(kdumpgui_t)
+ kdump_systemctl(kdumpgui_t)
+ kdumpctl_domtrans(kdumpgui_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(kdumpgui_t)
')
diff --git a/keepalived.fc b/keepalived.fc
new file mode 100644
index 000000000..9a19f91f3
--- /dev/null
+++ b/keepalived.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/keepalived.* -- gen_context(system_u:object_r:keepalived_unit_file_t,s0)
+
+/usr/sbin/keepalived -- gen_context(system_u:object_r:keepalived_exec_t,s0)
+
+/usr/libexec/keepalived(/.*)? gen_context(system_u:object_r:keepalived_unconfined_script_exec_t,s0)
+
+/var/run/keepalived.* -- gen_context(system_u:object_r:keepalived_var_run_t,s0)
diff --git a/keepalived.if b/keepalived.if
new file mode 100644
index 000000000..bd7e7fa17
--- /dev/null
+++ b/keepalived.if
@@ -0,0 +1,80 @@
+
+## <summary> keepalived - load-balancing and high-availability service</summary>
+
+########################################
+## <summary>
+## Execute keepalived in the keepalived domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`keepalived_domtrans',`
+ gen_require(`
+ type keepalived_t, keepalived_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, keepalived_exec_t, keepalived_t)
+')
+########################################
+## <summary>
+## Execute keepalived server in the keepalived domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`keepalived_systemctl',`
+ gen_require(`
+ type keepalived_t;
+ type keepalived_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 keepalived_unit_file_t:file read_file_perms;
+ allow $1 keepalived_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, keepalived_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an keepalived environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`keepalived_admin',`
+ gen_require(`
+ type keepalived_t;
+ type keepalived_unit_file_t;
+ ')
+
+ allow $1 keepalived_t:process { signal_perms };
+ ps_process_pattern($1, keepalived_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 keepalived_t:process ptrace;
+ ')
+
+ keepalived_systemctl($1)
+ admin_pattern($1, keepalived_unit_file_t)
+ allow $1 keepalived_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/keepalived.te b/keepalived.te
new file mode 100644
index 000000000..d7cf7c7c3
--- /dev/null
+++ b/keepalived.te
@@ -0,0 +1,102 @@
+policy_module(keepalived, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type keepalived_t;
+type keepalived_exec_t;
+init_daemon_domain(keepalived_t, keepalived_exec_t)
+
+type keepalived_unit_file_t;
+systemd_unit_file(keepalived_unit_file_t)
+
+type keepalived_var_run_t;
+files_pid_file(keepalived_var_run_t)
+
+type keepalived_unconfined_script_exec_t;
+application_executable_file(keepalived_unconfined_script_exec_t)
+
+########################################
+#
+# keepalived local policy
+#
+
+allow keepalived_t self:capability { net_admin net_raw kill dac_read_search sys_ptrace };
+allow keepalived_t self:process { signal_perms setpgid };
+allow keepalived_t self:netlink_socket create_socket_perms;
+allow keepalived_t self:netlink_generic_socket create_socket_perms;
+allow keepalived_t self:netlink_netfilter_socket create_socket_perms;
+allow keepalived_t self:netlink_route_socket nlmsg_write;
+allow keepalived_t self:packet_socket create_socket_perms;
+allow keepalived_t self:rawip_socket create_socket_perms;
+
+manage_files_pattern(keepalived_t, keepalived_var_run_t, keepalived_var_run_t)
+files_pid_filetrans(keepalived_t, keepalived_var_run_t, { file })
+
+kernel_read_system_state(keepalived_t)
+kernel_read_network_state(keepalived_t)
+kernel_request_load_module(keepalived_t)
+kernel_rw_usermodehelper_state(keepalived_t)
+kernel_search_network_sysctl(keepalived_t)
+
+auth_use_nsswitch(keepalived_t)
+
+corecmd_exec_bin(keepalived_t)
+corecmd_exec_shell(keepalived_t)
+
+corenet_tcp_connect_connlcli_port(keepalived_t)
+corenet_tcp_connect_http_port(keepalived_t)
+corenet_tcp_connect_mysqld_port(keepalived_t)
+corenet_tcp_connect_smtp_port(keepalived_t)
+corenet_tcp_connect_snmp_port(keepalived_t)
+corenet_tcp_connect_agentx_port(keepalived_t)
+corenet_tcp_connect_squid_port(keepalived_t)
+
+domain_read_all_domains_state(keepalived_t)
+domain_getattr_all_domains(keepalived_t)
+
+dev_read_urand(keepalived_t)
+
+modutils_domtrans_insmod(keepalived_t)
+
+logging_send_syslog_msg(keepalived_t)
+
+optional_policy(`
+ iptables_domtrans(keepalived_t)
+')
+
+optional_policy(`
+ rhcs_signull_haproxy(keepalived_t)
+')
+
+optional_policy(`
+ snmp_manage_var_lib_files(keepalived_t)
+ snmp_manage_var_lib_sock_files(keepalived_t)
+ snmp_manage_var_lib_dirs(keepalived_t)
+ snmp_stream_connect(keepalived_t)
+')
+
+########################################
+#
+# keepalived_unconfined_script_script_t local policy
+#
+
+optional_policy(`
+ type keepalived_unconfined_script_t;
+ domain_type(keepalived_unconfined_script_t)
+
+ domain_entry_file(keepalived_unconfined_script_t, keepalived_unconfined_script_exec_t)
+ role system_r types keepalived_unconfined_script_t;
+
+ domtrans_pattern(keepalived_t, keepalived_unconfined_script_exec_t, keepalived_unconfined_script_t)
+
+ allow keepalived_t keepalived_unconfined_script_exec_t:dir search_dir_perms;
+ allow keepalived_t keepalived_unconfined_script_exec_t:dir read_file_perms;
+ allow keepalived_t keepalived_unconfined_script_exec_t:file ioctl;
+
+ optional_policy(`
+ unconfined_domain(keepalived_unconfined_script_t)
+ ')
+')
diff --git a/kerberos.fc b/kerberos.fc
index 4fe75fd63..3504a9bf7 100644
--- a/kerberos.fc
+++ b/kerberos.fc
@@ -1,52 +1,54 @@
-HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
-/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+HOME_DIR/\.k5users -- gen_context(system_u:object_r:krb5_home_t,s0)
+/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+/root/\.k5users -- gen_context(system_u:object_r:krb5_home_t,s0)
-/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0)
-/etc/krb5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
+/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0)
+/etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0)
-/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
-/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
+/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
/etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
-/usr/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
-/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/(kerberos/)?sbin/\_kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
/usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
+/usr/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
+/usr/sbin/\_kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
-/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
+/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/var/lib/kdcproxy(/.*)? gen_context(system_u:object_r:krb5kdc_var_lib_t,s0)
-/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0)
+/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0)
-/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
-/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-/var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-
-/var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0)
-/var/log/kadmin\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
-/var/log/kadmind\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
-
-/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/imap_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/nfs_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/run/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_var_run_t,s0)
+
+/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/kadmin_0 -- gen_context(system_u:object_r:kadmind_tmp_t,s0)
+/var/tmp/kiprop_0 -- gen_context(system_u:object_r:kadmind_tmp_t,s0)
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/imap_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/nfs_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/kerberos.if b/kerberos.if
index f6c00d8e6..1233a5ba2 100644
--- a/kerberos.if
+++ b/kerberos.if
@@ -1,27 +1,29 @@
-## <summary>MIT Kerberos admin and KDC.</summary>
+## <summary>MIT Kerberos admin and KDC</summary>
+## <desc>
+## <p>
+## This policy supports:
+## </p>
+## <p>
+## Servers:
+## <ul>
+## <li>kadmind</li>
+## <li>krb5kdc</li>
+## </ul>
+## </p>
+## <p>
+## Clients:
+## <ul>
+## <li>kinit</li>
+## <li>kdestroy</li>
+## <li>klist</li>
+## <li>ksu (incomplete)</li>
+## </ul>
+## </p>
+## </desc>
########################################
## <summary>
-## Role access for kerberos.
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role.
-## </summary>
-## </param>
-#
-template(`kerberos_role',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
-## <summary>
-## Execute kadmind in the caller domain.
+## Execute kadmind in the current domain
## </summary>
## <param name="domain">
## <summary>
@@ -34,7 +36,6 @@ interface(`kerberos_exec_kadmind',`
type kadmind_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, kadmind_exec_t)
')
@@ -53,13 +54,12 @@ interface(`kerberos_domtrans_kpropd',`
type kpropd_t, kpropd_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, kpropd_exec_t, kpropd_t)
')
########################################
## <summary>
-## Support kerberos services.
+## Use kerberos services
## </summary>
## <param name="domain">
## <summary>
@@ -69,45 +69,45 @@ interface(`kerberos_domtrans_kpropd',`
#
interface(`kerberos_use',`
gen_require(`
- type krb5kdc_conf_t, krb5_host_rcache_t;
+ type krb5_conf_t, krb5kdc_conf_t;
+ type krb5_host_rcache_t;
')
- kerberos_read_config($1)
-
- dontaudit $1 krb5_conf_t:file write_file_perms;
+ files_search_etc($1)
+ read_files_pattern($1, krb5_conf_t, krb5_conf_t)
+ list_dirs_pattern($1, krb5_conf_t, krb5_conf_t)
+ dontaudit $1 krb5_conf_t:file write;
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
+ #kerberos libraries are attempting to set the correct file context
dontaudit $1 self:process setfscreate;
-
selinux_dontaudit_validate_context($1)
- seutil_dontaudit_read_file_contexts($1)
+ seutil_read_file_contexts($1)
- tunable_policy(`allow_kerberos',`
+ tunable_policy(`kerberos_enabled',`
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
- corenet_all_recvfrom_unlabeled($1)
- corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_udp_sendrecv_generic_node($1)
-
- corenet_sendrecv_kerberos_client_packets($1)
- corenet_tcp_connect_kerberos_port($1)
corenet_tcp_sendrecv_kerberos_port($1)
corenet_udp_sendrecv_kerberos_port($1)
-
- corenet_sendrecv_ocsp_client_packets($1)
+ corenet_tcp_bind_generic_node($1)
+ corenet_udp_bind_generic_node($1)
+ corenet_tcp_connect_kerberos_port($1)
corenet_tcp_connect_ocsp_port($1)
- corenet_tcp_sendrecv_ocsp_port($1)
+ corenet_sendrecv_kerberos_client_packets($1)
+ corenet_sendrecv_ocsp_client_packets($1)
+ allow $1 krb5_host_rcache_t:dir search_dir_perms;
allow $1 krb5_host_rcache_t:file getattr_file_perms;
')
optional_policy(`
- tunable_policy(`allow_kerberos',`
+ tunable_policy(`kerberos_enabled',`
pcscd_stream_connect($1)
')
')
@@ -115,11 +115,16 @@ interface(`kerberos_use',`
optional_policy(`
sssd_read_public_files($1)
')
+
+ # Allow to use kerberos KCM daemon (sssd-kcm)
+ optional_policy(`
+ sssd_run_stream_connect($1)
+ ')
')
########################################
## <summary>
-## Read kerberos configuration files.
+## Read the kerberos configuration file (/etc/krb5.conf).
## </summary>
## <param name="domain">
## <summary>
@@ -135,15 +140,13 @@ interface(`kerberos_read_config',`
files_search_etc($1)
allow $1 krb5_conf_t:file read_file_perms;
-
- userdom_search_user_home_dirs($1)
allow $1 krb5_home_t:file read_file_perms;
')
########################################
## <summary>
-## Do not audit attempts to write
-## kerberos configuration files.
+## Do not audit attempts to write the kerberos
+## configuration file (/etc/krb5.conf).
## </summary>
## <param name="domain">
## <summary>
@@ -156,13 +159,12 @@ interface(`kerberos_dontaudit_write_config',`
type krb5_conf_t;
')
- dontaudit $1 krb5_conf_t:file write_file_perms;
+ dontaudit $1 krb5_conf_t:file write;
')
########################################
## <summary>
-## Read and write kerberos
-## configuration files.
+## Read and write the kerberos configuration file (/etc/krb5.conf).
## </summary>
## <param name="domain">
## <summary>
@@ -182,27 +184,27 @@ interface(`kerberos_rw_config',`
########################################
## <summary>
-## Create, read, write, and delete
-## kerberos home files.
+## Read the kerberos key table.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
-interface(`kerberos_manage_krb5_home_files',`
+interface(`kerberos_read_keytab',`
gen_require(`
- type krb5_home_t;
+ type krb5_keytab_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 krb5_home_t:file manage_file_perms;
+ files_search_etc($1)
+ allow $1 krb5_keytab_t:file read_file_perms;
')
########################################
## <summary>
-## Relabel kerberos home files.
+## Read/Write the kerberos key table.
## </summary>
## <param name="domain">
## <summary>
@@ -210,220 +212,252 @@ interface(`kerberos_manage_krb5_home_files',`
## </summary>
## </param>
#
-interface(`kerberos_relabel_krb5_home_files',`
+interface(`kerberos_rw_keytab',`
gen_require(`
- type krb5_home_t;
+ type krb5_keytab_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 krb5_home_t:file relabel_file_perms;
+ files_search_etc($1)
+ allow $1 krb5_keytab_t:file rw_file_perms;
')
########################################
## <summary>
-## Create objects in user home
-## directories with the krb5 home type.
+## Create keytab file in /etc
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
-interface(`kerberos_home_filetrans_krb5_home',`
+interface(`kerberos_etc_filetrans_keytab',`
gen_require(`
- type krb5_home_t;
+ type krb5_keytab_t;
')
- userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3)
+ allow $1 krb5_keytab_t:file manage_file_perms;
+ files_etc_filetrans($1, krb5_keytab_t, file, $2)
')
########################################
## <summary>
-## Read kerberos key table files.
+## Create a derived type for kerberos keytab
## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`kerberos_read_keytab',`
- gen_require(`
- type krb5_keytab_t;
- ')
-
- files_search_etc($1)
- allow $1 krb5_keytab_t:file read_file_perms;
+template(`kerberos_keytab_template',`
+ refpolicywarn(`$0($*) has been deprecated.')
+ kerberos_read_keytab($2)
+ kerberos_use($2)
')
########################################
## <summary>
-## Read and write kerberos key table files.
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
-interface(`kerberos_rw_keytab',`
+interface(`kerberos_read_kdc_config',`
gen_require(`
- type krb5_keytab_t;
+ type krb5kdc_conf_t;
')
files_search_etc($1)
- allow $1 krb5_keytab_t:file rw_file_perms;
+ read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## kerberos key table files.
+## Manage the kerberos kdc configuration file (/etc/krb5kdc.conf).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
-interface(`kerberos_manage_keytab_files',`
+interface(`kerberos_manage_kdc_config',`
gen_require(`
- type krb5_keytab_t;
+ type krb5kdc_conf_t;
')
files_search_etc($1)
- allow $1 krb5_keytab_t:file manage_file_perms;
+ manage_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
+ manage_dirs_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
')
########################################
## <summary>
-## Create specified objects in generic
-## etc directories with the kerberos
-## keytab file type.
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
#
-interface(`kerberos_etc_filetrans_keytab',`
+interface(`kerberos_read_host_rcache',`
gen_require(`
- type krb5_keytab_t;
+ type krb5_host_rcache_t;
')
-
- files_etc_filetrans($1, krb5_keytab_t, $2, $3)
+ read_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
')
########################################
## <summary>
-## Create a derived type for kerberos
-## keytab files.
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
## </summary>
-## <param name="prefix">
-## <summary>
-## The prefix to be used for deriving type names.
-## </summary>
-## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
-template(`kerberos_keytab_template',`
- refpolicywarn(`$0($*) has been deprecated.')
- kerberos_read_keytab($2)
- kerberos_use($2)
+interface(`kerberos_manage_host_rcache',`
+ gen_require(`
+ type krb5_host_rcache_t;
+ ')
+
+ # creates files as system_u no matter what the selinux user
+ # cjp: should be in the below tunable but typeattribute
+ # does not work in conditionals
+ domain_obj_id_change_exemption($1)
+
+ tunable_policy(`kerberos_enabled',`
+ allow $1 self:process setfscreate;
+
+ selinux_validate_context($1)
+
+ seutil_read_file_contexts($1)
+
+ files_rw_generic_tmp_dir($1)
+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
+ files_search_tmp($1)
+ ')
')
########################################
## <summary>
-## Read kerberos kdc configuration files.
+## All of the rules required to administrate
+## an kerberos environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the kerberos domain.
+## </summary>
+## </param>
## <rolecap/>
#
-interface(`kerberos_read_kdc_config',`
+interface(`kerberos_admin',`
gen_require(`
- type krb5kdc_conf_t;
+ type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
+ type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
+ type krb5kdc_var_run_t, krb5_host_rcache_t;
')
- files_search_etc($1)
- read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
+ allow $1 kadmind_t:process signal_perms;
+ ps_process_pattern($1, kadmind_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 kadmind_t:process ptrace;
+ allow $1 krb5kdc_t:process ptrace;
+ allow $1 kpropd_t:process ptrace;
+ ')
+
+ allow $1 krb5kdc_t:process signal_perms;
+ ps_process_pattern($1, krb5kdc_t)
+
+ allow $1 kpropd_t:process signal_perms;
+ ps_process_pattern($1, kpropd_t)
+
+ init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 kerberos_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, kadmind_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, kadmind_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, kadmind_var_run_t)
+
+ admin_pattern($1, krb5_conf_t)
+
+ admin_pattern($1, krb5_host_rcache_t)
+
+ admin_pattern($1, krb5_keytab_t)
+
+ admin_pattern($1, krb5kdc_principal_t)
+
+ admin_pattern($1, krb5kdc_tmp_t)
+
+ admin_pattern($1, krb5kdc_var_run_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## kerberos host rcache files.
+## Type transition files created in /tmp
+## to the krb5_host_rcache type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
-interface(`kerberos_manage_host_rcache',`
+interface(`kerberos_tmp_filetrans_host_rcache',`
gen_require(`
type krb5_host_rcache_t;
')
- domain_obj_id_change_exemption($1)
-
- tunable_policy(`allow_kerberos',`
- allow $1 self:process setfscreate;
-
- selinux_validate_context($1)
-
- seutil_read_file_contexts($1)
-
- files_search_tmp($1)
- allow $1 krb5_host_rcache_t:file manage_file_perms;
- ')
+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
')
########################################
## <summary>
-## Create objects in generic temporary
-## directories with the kerberos host
-## rcache type.
+## Type transition files created in /tmp
+## to the kadmind_tmp type.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
+## Domain allowed access.
## </summary>
## </param>
## <param name="name" optional="true">
@@ -432,17 +466,18 @@ interface(`kerberos_manage_host_rcache',`
## </summary>
## </param>
#
-interface(`kerberos_tmp_filetrans_host_rcache',`
+interface(`kerberos_tmp_filetrans_kadmin',`
gen_require(`
- type krb5_host_rcache_t;
+ type kadmind_tmp_t;
')
- files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3)
+ manage_files_pattern($1, kadmind_tmp_t, kadmind_tmp_t)
+ files_tmp_filetrans($1, kadmind_tmp_t, file, $2)
')
########################################
## <summary>
-## Connect to krb524 service.
+## read kerberos homedir content (.k5login)
## </summary>
## <param name="domain">
## <summary>
@@ -450,82 +485,109 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
## </summary>
## </param>
#
-interface(`kerberos_connect_524',`
- tunable_policy(`allow_kerberos',`
- allow $1 self:udp_socket create_socket_perms;
-
- corenet_all_recvfrom_unlabeled($1)
- corenet_all_recvfrom_netlabel($1)
- corenet_udp_sendrecv_generic_if($1)
- corenet_udp_sendrecv_generic_node($1)
-
- corenet_sendrecv_kerberos_master_client_packets($1)
- corenet_udp_sendrecv_kerberos_master_port($1)
+interface(`kerberos_read_home_content',`
+ gen_require(`
+ type krb5_home_t;
')
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, krb5_home_t, krb5_home_t)
')
########################################
## <summary>
-## All of the rules required to
-## administrate an kerberos environment.
+## Manage the kerberos kdc /var/lib files
+## and directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
## <rolecap/>
#
-interface(`kerberos_admin',`
+interface(`kerberos_manage_kdc_var_lib',`
gen_require(`
- type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
- type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
- type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
- type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
- type krb5kdc_var_run_t, krb5_host_rcache_t;
+ type krb5kdc_var_lib_t;
')
- allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms };
- ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd })
-
- init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kerberos_initrc_exec_t system_r;
- allow $2 system_r;
+ files_search_etc($1)
+ manage_files_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
+ manage_dirs_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
+')
- logging_list_logs($1)
- admin_pattern($1, kadmind_log_t)
+########################################
+## <summary>
+## create kerberos content in the in the /root directory
+## with an correct label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_filetrans_admin_home_content',`
+ gen_require(`
+ type krb5_home_t;
+ ')
- files_list_tmp($1)
- admin_pattern($1, { kadmind_tmp_t krb5_host_rcache_t krb5kdc_tmp_t })
+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
+')
- kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
- kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
- kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
- kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
- kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
- kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
- kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
- kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+########################################
+## <summary>
+## Transition to kerberos named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_filetrans_home_content',`
+ gen_require(`
+ type krb5_home_t;
+ ')
- files_list_pids($1)
- admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t })
+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
+')
- files_list_etc($1)
- admin_pattern($1, krb5_conf_t)
+########################################
+## <summary>
+## Transition to kerberos named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_filetrans_named_content',`
+ gen_require(`
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t;
+ ')
files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
-
- admin_pattern($1, { krb5_keytab_t krb5kdc_principal_t })
-
+ filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
-
- kerberos_etc_filetrans_keytab($1, file, "kadm5.keytab")
+ #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+
+ kerberos_etc_filetrans_keytab($1, "krb5.keytab")
+ kerberos_filetrans_admin_home_content($1)
+
+ kerberos_tmp_filetrans_host_rcache($1, "DNS_25")
+ kerberos_tmp_filetrans_host_rcache($1, "host_0")
+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_48")
+ kerberos_tmp_filetrans_host_rcache($1, "imap_0")
+ kerberos_tmp_filetrans_host_rcache($1, "nfs_0")
+ kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
')
diff --git a/kerberos.te b/kerberos.te
index 8833d596d..3030f9b78 100644
--- a/kerberos.te
+++ b/kerberos.te
@@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
#
## <desc>
-## <p>
-## Determine whether kerberos is supported.
-## </p>
+## <p>
+## Allow confined applications to run with kerberos.
+## </p>
## </desc>
-gen_tunable(allow_kerberos, false)
+gen_tunable(kerberos_enabled, false)
type kadmind_t;
type kadmind_exec_t;
@@ -35,23 +35,29 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
domain_obj_id_change_exemption(kpropd_t)
type krb5_conf_t;
-files_type(krb5_conf_t)
+files_config_file(krb5_conf_t)
type krb5_home_t;
userdom_user_home_content(krb5_home_t)
-type krb5_host_rcache_t;
+type krb5_host_rcache_t alias saslauthd_tmp_t;
files_tmp_file(krb5_host_rcache_t)
+# types for general configuration files in /etc
type krb5_keytab_t;
files_security_file(krb5_keytab_t)
+# types for KDC configs and principal file(s)
type krb5kdc_conf_t;
-files_type(krb5kdc_conf_t)
+files_config_file(krb5kdc_conf_t)
type krb5kdc_lock_t;
-files_type(krb5kdc_lock_t)
+files_lock_file(krb5kdc_lock_t)
+type krb5kdc_var_lib_t;
+files_type(krb5kdc_var_lib_t)
+
+# types for KDC principal file(s)
type krb5kdc_principal_t;
files_type(krb5kdc_principal_t)
@@ -74,28 +80,33 @@ files_pid_file(krb5kdc_var_run_t)
# kadmind local policy
#
-allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
-dontaudit kadmind_t self:capability sys_tty_config;
+# Use capabilities. Surplus capabilities may be allowed.
+allow kadmind_t self:capability { setuid setgid chown fowner dac_read_search sys_nice };
allow kadmind_t self:capability2 block_suspend;
+dontaudit kadmind_t self:capability sys_tty_config;
allow kadmind_t self:process { setfscreate setsched getsched signal_perms };
allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
-allow kadmind_t self:tcp_socket { accept listen };
+allow kadmind_t self:unix_dgram_socket { connect create write };
+allow kadmind_t self:tcp_socket connected_stream_socket_perms;
allow kadmind_t self:udp_socket create_socket_perms;
-allow kadmind_t kadmind_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow kadmind_t kadmind_log_t:file manage_file_perms;
logging_log_filetrans(kadmind_t, kadmind_log_t, file)
allow kadmind_t krb5_conf_t:file read_file_perms;
-dontaudit kadmind_t krb5_conf_t:file write_file_perms;
+dontaudit kadmind_t krb5_conf_t:file write;
-read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
-dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms };
+manage_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
+allow kadmind_t krb5_keytab_t:file read_file_perms;
+
+can_exec(kadmind_t, kadmind_exec_t)
+
manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
@@ -103,13 +114,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t)
files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
-can_exec(kadmind_t, kadmind_exec_t)
-
kernel_read_kernel_sysctls(kadmind_t)
+kernel_list_proc(kadmind_t)
kernel_read_network_state(kadmind_t)
+kernel_read_proc_symlinks(kadmind_t)
kernel_read_system_state(kadmind_t)
-corenet_all_recvfrom_unlabeled(kadmind_t)
+corecmd_exec_bin(kadmind_t)
+corecmd_exec_shell(kadmind_t)
+
corenet_all_recvfrom_netlabel(kadmind_t)
corenet_tcp_sendrecv_generic_if(kadmind_t)
corenet_udp_sendrecv_generic_if(kadmind_t)
@@ -119,31 +132,44 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
corenet_udp_sendrecv_all_ports(kadmind_t)
corenet_tcp_bind_generic_node(kadmind_t)
corenet_udp_bind_generic_node(kadmind_t)
-
-corenet_sendrecv_all_server_packets(kadmind_t)
corenet_tcp_bind_kerberos_admin_port(kadmind_t)
+corenet_tcp_bind_kerberos_password_port(kadmind_t)
corenet_udp_bind_kerberos_admin_port(kadmind_t)
+corenet_udp_bind_kerberos_password_port(kadmind_t)
corenet_tcp_bind_reserved_port(kadmind_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
+corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
+corenet_sendrecv_kerberos_password_server_packets(kadmind_t)
+corenet_tcp_bind_kprop_port(kadmind_t)
+corenet_tcp_connect_kprop_port(kadmind_t)
dev_read_sysfs(kadmind_t)
+dev_read_rand(kadmind_t)
+dev_read_urand(kadmind_t)
fs_getattr_all_fs(kadmind_t)
fs_search_auto_mountpoints(kadmind_t)
+fs_rw_anon_inodefs_files(kadmind_t)
domain_use_interactive_fds(kadmind_t)
files_read_etc_files(kadmind_t)
-files_read_usr_files(kadmind_t)
+files_read_usr_symlinks(kadmind_t)
files_read_var_files(kadmind_t)
selinux_validate_context(kadmind_t)
+auth_read_passwd(kadmind_t)
+
logging_send_syslog_msg(kadmind_t)
+miscfiles_read_generic_certs(kadmind_t)
miscfiles_read_localization(kadmind_t)
+seutil_read_config(kadmind_t)
seutil_read_file_contexts(kadmind_t)
+sysnet_read_config(kadmind_t)
sysnet_use_ldap(kadmind_t)
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
@@ -154,11 +180,16 @@ optional_policy(`
')
optional_policy(`
+ dirsrv_stream_connect(kadmind_t)
+')
+
+optional_policy(`
nis_use_ypbind(kadmind_t)
')
optional_policy(`
sssd_read_public_files(kadmind_t)
+ sssd_stream_connect(kadmind_t)
')
optional_policy(`
@@ -174,24 +205,28 @@ optional_policy(`
# Krb5kdc local policy
#
-allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
-dontaudit krb5kdc_t self:capability sys_tty_config;
+# Use capabilities. Surplus capabilities may be allowed.
+allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_read_search sys_nice };
allow krb5kdc_t self:capability2 block_suspend;
+dontaudit krb5kdc_t self:capability sys_tty_config;
allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
-allow krb5kdc_t self:tcp_socket { accept listen };
+allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
allow krb5kdc_t self:udp_socket create_socket_perms;
allow krb5kdc_t self:fifo_file rw_fifo_file_perms;
allow krb5kdc_t krb5_conf_t:file read_file_perms;
dontaudit krb5kdc_t krb5_conf_t:file write;
+can_exec(krb5kdc_t, krb5kdc_exec_t)
+
+list_dirs_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
-dontaudit krb5kdc_t krb5kdc_conf_t:file write_file_perms;
+dontaudit krb5kdc_t krb5kdc_conf_t:file write;
allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
-allow krb5kdc_t krb5kdc_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
@@ -201,71 +236,83 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
-files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
+manage_sock_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
+manage_dirs_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
+files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, { dir file sock_file })
-can_exec(krb5kdc_t, krb5kdc_exec_t)
+manage_files_pattern(krb5kdc_t, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
+manage_dirs_pattern(krb5kdc_t, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
kernel_read_system_state(krb5kdc_t)
kernel_read_kernel_sysctls(krb5kdc_t)
+kernel_list_proc(krb5kdc_t)
+kernel_read_proc_symlinks(krb5kdc_t)
kernel_read_network_state(krb5kdc_t)
kernel_search_network_sysctl(krb5kdc_t)
corecmd_exec_bin(krb5kdc_t)
-corenet_all_recvfrom_unlabeled(krb5kdc_t)
corenet_all_recvfrom_netlabel(krb5kdc_t)
corenet_tcp_sendrecv_generic_if(krb5kdc_t)
corenet_udp_sendrecv_generic_if(krb5kdc_t)
corenet_tcp_sendrecv_generic_node(krb5kdc_t)
corenet_udp_sendrecv_generic_node(krb5kdc_t)
+corenet_tcp_sendrecv_all_ports(krb5kdc_t)
+corenet_udp_sendrecv_all_ports(krb5kdc_t)
corenet_tcp_bind_generic_node(krb5kdc_t)
corenet_udp_bind_generic_node(krb5kdc_t)
-
-corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
corenet_tcp_bind_kerberos_port(krb5kdc_t)
corenet_udp_bind_kerberos_port(krb5kdc_t)
-corenet_tcp_sendrecv_kerberos_port(krb5kdc_t)
-corenet_udp_sendrecv_kerberos_port(krb5kdc_t)
-
-corenet_sendrecv_ocsp_client_packets(krb5kdc_t)
corenet_tcp_connect_ocsp_port(krb5kdc_t)
-corenet_tcp_sendrecv_ocsp_port(krb5kdc_t)
+corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
+corenet_sendrecv_ocsp_client_packets(krb5kdc_t)
dev_read_sysfs(krb5kdc_t)
+dev_read_urand(krb5kdc_t)
fs_getattr_all_fs(krb5kdc_t)
fs_search_auto_mountpoints(krb5kdc_t)
+fs_rw_anon_inodefs_files(krb5kdc_t)
domain_use_interactive_fds(krb5kdc_t)
-files_read_etc_files(krb5kdc_t)
files_read_usr_symlinks(krb5kdc_t)
files_read_var_files(krb5kdc_t)
selinux_validate_context(krb5kdc_t)
+auth_use_nsswitch(krb5kdc_t)
+
logging_send_syslog_msg(krb5kdc_t)
miscfiles_read_generic_certs(krb5kdc_t)
-miscfiles_read_localization(krb5kdc_t)
seutil_read_file_contexts(krb5kdc_t)
+sysnet_read_config(krb5kdc_t)
sysnet_use_ldap(krb5kdc_t)
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
optional_policy(`
+ ipa_stream_connect_otpd(krb5kdc_t)
+')
+
+optional_policy(`
ldap_stream_connect(krb5kdc_t)
')
optional_policy(`
+ dirsrv_stream_connect(krb5kdc_t)
+')
+
+optional_policy(`
nis_use_ypbind(krb5kdc_t)
')
optional_policy(`
- sssd_read_public_files(krb5kdc_t)
+ realmd_read_var_lib(krb5kdc_t)
')
optional_policy(`
@@ -273,6 +320,10 @@ optional_policy(`
')
optional_policy(`
+ sssd_read_public_files(krb5kdc_t)
+')
+
+optional_policy(`
udev_read_db(krb5kdc_t)
')
@@ -281,10 +332,12 @@ optional_policy(`
# kpropd local policy
#
+allow kpropd_t self:capability net_bind_service;
allow kpropd_t self:process setfscreate;
-allow kpropd_t self:fifo_file rw_fifo_file_perms;
-allow kpropd_t self:unix_stream_socket { accept listen };
-allow kpropd_t self:tcp_socket { accept listen };
+
+allow kpropd_t self:fifo_file rw_file_perms;
+allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
+allow kpropd_t self:tcp_socket create_stream_socket_perms;
allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
@@ -301,27 +354,26 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+kernel_read_system_state(kpropd_t)
+
corecmd_exec_bin(kpropd_t)
-corenet_all_recvfrom_unlabeled(kpropd_t)
corenet_tcp_sendrecv_generic_if(kpropd_t)
corenet_tcp_sendrecv_generic_node(kpropd_t)
+corenet_tcp_sendrecv_all_ports(kpropd_t)
corenet_tcp_bind_generic_node(kpropd_t)
-
-corenet_sendrecv_kprop_server_packets(kpropd_t)
corenet_tcp_bind_kprop_port(kpropd_t)
-corenet_tcp_sendrecv_kprop_port(kpropd_t)
+corenet_tcp_connect_kprop_port(kpropd_t)
dev_read_urand(kpropd_t)
-files_read_etc_files(kpropd_t)
files_search_tmp(kpropd_t)
selinux_validate_context(kpropd_t)
-logging_send_syslog_msg(kpropd_t)
+auth_use_nsswitch(kpropd_t)
-miscfiles_read_localization(kpropd_t)
+logging_send_syslog_msg(kpropd_t)
seutil_read_file_contexts(kpropd_t)
diff --git a/kerneloops.if b/kerneloops.if
index 714448f8d..fa0c994e5 100644
--- a/kerneloops.if
+++ b/kerneloops.if
@@ -101,13 +101,16 @@ interface(`kerneloops_manage_tmp_files',`
#
interface(`kerneloops_admin',`
gen_require(`
- type kerneloops_t, kerneloops_initrc_exec_t;
- type kerneloops_tmp_t;
+ type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;
')
- allow $1 kerneloops_t:process { ptrace signal_perms };
+ allow $1 kerneloops_t:process signal_perms;
ps_process_pattern($1, kerneloops_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 kerneloops_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 kerneloops_initrc_exec_t system_r;
diff --git a/kerneloops.te b/kerneloops.te
index bcdb29599..f6e3736dd 100644
--- a/kerneloops.te
+++ b/kerneloops.te
@@ -31,7 +31,6 @@ kernel_read_ring_buffer(kerneloops_t)
domain_use_interactive_fds(kerneloops_t)
-corenet_all_recvfrom_unlabeled(kerneloops_t)
corenet_all_recvfrom_netlabel(kerneloops_t)
corenet_tcp_sendrecv_generic_if(kerneloops_t)
corenet_tcp_sendrecv_generic_node(kerneloops_t)
@@ -45,8 +44,6 @@ auth_use_nsswitch(kerneloops_t)
logging_send_syslog_msg(kerneloops_t)
logging_read_generic_logs(kerneloops_t)
-miscfiles_read_localization(kerneloops_t)
-
optional_policy(`
dbus_system_domain(kerneloops_t, kerneloops_exec_t)
')
diff --git a/keyboardd.if b/keyboardd.if
index 8982b9106..6134ef258 100644
--- a/keyboardd.if
+++ b/keyboardd.if
@@ -1,19 +1,39 @@
-## <summary>Xorg.conf keyboard layout callout.</summary>
-######################################
+## <summary>policy for system-setup-keyboard daemon</summary>
+
+########################################
## <summary>
-## Read keyboardd unnamed pipes.
+## Execute a domain transition to run keyboard setup daemon.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
-interface(`keyboardd_read_pipes',`
+interface(`keyboardd_domtrans',`
gen_require(`
- type keyboardd_t;
+ type keyboardd_t, keyboardd_exec_t;
+ ')
+
+ domtrans_pattern($1, keyboardd_exec_t, keyboardd_t)
+')
+
+######################################
+## <summary>
+## Allow attempts to read to
+## keyboardd unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`keyboardd_read_pipes',`
+ gen_require(`
+ type keyboardd_t;
')
- allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
+ allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
')
diff --git a/keyboardd.te b/keyboardd.te
index 628b78b4b..fe656175e 100644
--- a/keyboardd.te
+++ b/keyboardd.te
@@ -19,6 +19,3 @@ allow keyboardd_t self:unix_stream_socket create_stream_socket_perms;
files_manage_etc_runtime_files(keyboardd_t)
files_etc_filetrans_etc_runtime(keyboardd_t, file)
-files_read_etc_files(keyboardd_t)
-
-miscfiles_read_localization(keyboardd_t)
diff --git a/keystone.fc b/keystone.fc
index b273d803c..6b2b50d69 100644
--- a/keystone.fc
+++ b/keystone.fc
@@ -1,7 +1,13 @@
+/usr/lib/systemd/system/openstack-keystone.* -- gen_context(system_u:object_r:keystone_unit_file_t,s0)
+
/etc/rc\.d/init\.d/openstack-keystone -- gen_context(system_u:object_r:keystone_initrc_exec_t,s0)
/usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0)
+/var/www/cgi-bin/keystone(/.*)? gen_context(system_u:object_r:keystone_cgi_script_exec_t,s0)
+
/var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0)
/var/log/keystone(/.*)? gen_context(system_u:object_r:keystone_log_t,s0)
+
+/var/run/keystone(/.*)? gen_context(system_u:object_r:keystone_var_run_t,s0)
diff --git a/keystone.if b/keystone.if
index e88fb16e0..ec6121a5c 100644
--- a/keystone.if
+++ b/keystone.if
@@ -1,42 +1,219 @@
-## <summary>Python implementation of the OpenStack identity service API.</summary>
+
+## <summary>policy for keystone</summary>
########################################
## <summary>
-## All of the rules required to
-## administrate an keystone environment.
+## Transition to keystone.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`keystone_domtrans',`
+ gen_require(`
+ type keystone_t, keystone_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, keystone_exec_t, keystone_t)
+')
+########################################
+## <summary>
+## Read keystone's log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+## <rolecap/>
+#
+interface(`keystone_read_log',`
+ gen_require(`
+ type keystone_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, keystone_log_t, keystone_log_t)
+')
+
+########################################
+## <summary>
+## Append to keystone log files.
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`keystone_append_log',`
+ gen_require(`
+ type keystone_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, keystone_log_t, keystone_log_t)
+')
+
+########################################
+## <summary>
+## Manage keystone log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`keystone_manage_log',`
+ gen_require(`
+ type keystone_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, keystone_log_t, keystone_log_t)
+ manage_files_pattern($1, keystone_log_t, keystone_log_t)
+ manage_lnk_files_pattern($1, keystone_log_t, keystone_log_t)
+')
+
+########################################
+## <summary>
+## Search keystone lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`keystone_search_lib',`
+ gen_require(`
+ type keystone_var_lib_t;
+ ')
+
+ allow $1 keystone_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read keystone lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`keystone_read_lib_files',`
+ gen_require(`
+ type keystone_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage keystone lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`keystone_manage_lib_files',`
+ gen_require(`
+ type keystone_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage keystone lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`keystone_manage_lib_dirs',`
+ gen_require(`
+ type keystone_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
+')
+
+########################################
+## <summary>
+## Execute keystone server in the keystone domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`keystone_systemctl',`
+ gen_require(`
+ type keystone_t;
+ type keystone_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 keystone_unit_file_t:file read_file_perms;
+ allow $1 keystone_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, keystone_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an keystone environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
interface(`keystone_admin',`
gen_require(`
- type keystone_t, keystone_initrc_exec_t, keystone_log_t;
- type keystone_var_lib_t, keystone_tmp_t;
+ type keystone_t;
+ type keystone_log_t;
+ type keystone_var_lib_t;
+ type keystone_unit_file_t;
')
allow $1 keystone_t:process { ptrace signal_perms };
ps_process_pattern($1, keystone_t)
- init_labeled_script_domtrans($1, keystone_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 keystone_initrc_exec_t system_r;
- allow $2 system_r;
-
logging_search_logs($1)
admin_pattern($1, keystone_log_t)
files_search_var_lib($1)
admin_pattern($1, keystone_var_lib_t)
- files_search_tmp($1)
- admin_pattern($1, keystone_tmp_t)
+ keystone_systemctl($1)
+ admin_pattern($1, keystone_unit_file_t)
+ allow $1 keystone_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/keystone.te b/keystone.te
index 992964774..c573d0ed5 100644
--- a/keystone.te
+++ b/keystone.te
@@ -18,13 +18,20 @@ logging_log_file(keystone_log_t)
type keystone_var_lib_t;
files_type(keystone_var_lib_t)
+type keystone_var_run_t;
+files_pid_file(keystone_var_run_t)
+
type keystone_tmp_t;
files_tmp_file(keystone_tmp_t)
+type keystone_unit_file_t;
+systemd_unit_file(keystone_unit_file_t)
+
########################################
#
# Local policy
#
+allow keystone_t self:process { getsched setsched signal };
allow keystone_t self:fifo_file rw_fifo_file_perms;
allow keystone_t self:unix_stream_socket { accept listen };
@@ -45,6 +52,10 @@ manage_dirs_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
manage_files_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
files_var_lib_filetrans(keystone_t, keystone_var_lib_t, dir)
+manage_dirs_pattern(keystone_t, keystone_var_run_t, keystone_var_run_t)
+manage_files_pattern(keystone_t, keystone_var_run_t, keystone_var_run_t)
+files_pid_filetrans(keystone_t, keystone_var_run_t, { dir })
+
can_exec(keystone_t, keystone_tmp_t)
kernel_read_system_state(keystone_t)
@@ -57,20 +68,53 @@ corenet_all_recvfrom_netlabel(keystone_t)
corenet_tcp_sendrecv_generic_if(keystone_t)
corenet_tcp_sendrecv_generic_node(keystone_t)
corenet_tcp_bind_generic_node(keystone_t)
+corenet_tcp_connect_mysqld_port(keystone_t)
+corenet_tcp_connect_ldap_port(keystone_t)
+corenet_tcp_connect_keystone_port(keystone_t)
+corenet_tcp_connect_amqp_port(keystone_t)
+corenet_tcp_connect_osapi_compute_port(keystone_t)
corenet_sendrecv_commplex_main_server_packets(keystone_t)
corenet_tcp_bind_commplex_main_port(keystone_t)
corenet_tcp_sendrecv_commplex_main_port(keystone_t)
-files_read_usr_files(keystone_t)
+corenet_tcp_bind_keystone_port(keystone_t)
auth_use_pam(keystone_t)
libs_exec_ldconfig(keystone_t)
-miscfiles_read_localization(keystone_t)
+optional_policy(`
+ ldap_stream_connect(keystone_t)
+')
optional_policy(`
mysql_stream_connect(keystone_t)
mysql_tcp_connect(keystone_t)
+ mysql_read_db_lnk_files(keystone_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(keystone_t)
+')
+
+optional_policy(`
+ rpm_exec(keystone_t)
+')
+
+#######################################
+#
+# Cgi local policy
+#
+
+optional_policy(`
+ apache_content_template(keystone_cgi)
+ apache_content_alias_template(keystone_cgi, keystone_cgi)
+
+ getattr_dirs_pattern(keystone_cgi_script_t, keystone_var_lib_t, keystone_var_lib_t)
+
+ read_files_pattern(keystone_cgi_script_t, keystone_log_t, keystone_log_t)
+
+ corenet_tcp_bind_commplex_main_port(keystone_cgi_script_t)
+ corenet_tcp_sendrecv_commplex_main_port(keystone_cgi_script_t)
')
diff --git a/kismet.if b/kismet.if
index aa2a3379b..7ff229f32 100644
--- a/kismet.if
+++ b/kismet.if
@@ -283,7 +283,7 @@ interface(`kismet_manage_log',`
interface(`kismet_admin',`
gen_require(`
type kismet_t, kismet_var_lib_t, kismet_var_run_t;
- type kismet_log_t, kismet_tmp_t;
+ type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
')
init_labeled_script_domtrans($1, kismet_initrc_exec_t)
@@ -292,7 +292,11 @@ interface(`kismet_admin',`
allow $2 system_r;
ps_process_pattern($1, kismet_t)
- allow $1 kismet_t:process { ptrace signal_perms };
+ allow $1 kismet_t:process signal_perms;
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 kismet_t:process ptrace;
+ ')
files_search_var_lib($1)
admin_pattern($1, kismet_var_lib_t)
diff --git a/kismet.te b/kismet.te
index 8ad0d4d50..e4916885b 100644
--- a/kismet.te
+++ b/kismet.te
@@ -38,7 +38,7 @@ files_pid_file(kismet_var_run_t)
# Local policy
#
-allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid };
+allow kismet_t self:capability { dac_read_search kill net_admin net_raw setuid setgid };
allow kismet_t self:process signal_perms;
allow kismet_t self:fifo_file rw_fifo_file_perms;
allow kismet_t self:packet_socket create_socket_perms;
@@ -81,25 +81,22 @@ kernel_read_network_state(kismet_t)
corecmd_exec_bin(kismet_t)
-corenet_all_recvfrom_unlabeled(kismet_t)
corenet_all_recvfrom_netlabel(kismet_t)
corenet_tcp_sendrecv_generic_if(kismet_t)
corenet_tcp_sendrecv_generic_node(kismet_t)
corenet_tcp_bind_generic_node(kismet_t)
-corenet_sendrecv_kismet_server_packets(kismet_t)
-corenet_tcp_bind_kismet_port(kismet_t)
-corenet_sendrecv_kismet_client_packets(kismet_t)
-corenet_tcp_connect_kismet_port(kismet_t)
-corenet_tcp_sendrecv_kismet_port(kismet_t)
+corenet_tcp_connect_pulseaudio_port(kismet_t)
-auth_use_nsswitch(kismet_t)
-
-files_read_usr_files(kismet_t)
+corenet_sendrecv_rtsclient_server_packets(kismet_t)
+corenet_tcp_bind_rtsclient_port(kismet_t)
+corenet_sendrecv_rtsclient_client_packets(kismet_t)
+corenet_tcp_connect_rtsclient_port(kismet_t)
-miscfiles_read_localization(kismet_t)
+auth_use_nsswitch(kismet_t)
-userdom_use_user_terminals(kismet_t)
+userdom_use_inherited_user_terminals(kismet_t)
+userdom_read_user_tmp_files(kismet_t)
optional_policy(`
dbus_system_bus_client(kismet_t)
diff --git a/kmscon.fc b/kmscon.fc
new file mode 100644
index 000000000..ccd29c079
--- /dev/null
+++ b/kmscon.fc
@@ -0,0 +1,3 @@
+/usr/bin/kmscon -- gen_context(system_u:object_r:kmscon_exec_t,s0)
+/usr/lib/systemd/system/kmscon.*\.* -- gen_context(system_u:object_r:kmscon_unit_file_t,s0)
+/etc/kmscon(/.*)? gen_context(system_u:object_r:kmscon_conf_t,s0)
diff --git a/kmscon.if b/kmscon.if
new file mode 100644
index 000000000..b9347faa9
--- /dev/null
+++ b/kmscon.if
@@ -0,0 +1,25 @@
+## <summary>Terminal emulator for Linux graphical console</summary>
+
+########################################
+## <summary>
+## Execute kmscon in the kmscon domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kmscon_systemctl',`
+ gen_require(`
+ type kmscon_unit_file_t;
+ type kmscon_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 kmscon_unit_file_t:file read_file_perms;
+ allow $1 kmscon_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, kmscon_t)
+')
diff --git a/kmscon.te b/kmscon.te
new file mode 100644
index 000000000..32a9e1356
--- /dev/null
+++ b/kmscon.te
@@ -0,0 +1,88 @@
+# KMSCon SELinux policy module
+# Contributed by Lubomir Rintel <lkundrak@v3.sk>
+
+########################################
+#
+# Declarations
+#
+policy_module(kmscon, 1.0)
+
+type kmscon_t;
+type kmscon_exec_t;
+init_daemon_domain(kmscon_t, kmscon_exec_t)
+
+type kmscon_conf_t;
+files_config_file(kmscon_conf_t)
+
+type kmscon_unit_file_t;
+systemd_unit_file(kmscon_unit_file_t)
+
+type kmscon_devpts_t;
+term_pty(kmscon_devpts_t)
+# Label this as t, so that login_t can read our terminal with use_all_ttys()
+term_tty(kmscon_devpts_t)
+
+########################################
+#
+# zoneminder local policy
+#
+
+# Switch the VT into a graphics mode ; Set DRM master
+allow kmscon_t self:capability {sys_admin sys_tty_config};
+
+dontaudit kmscon_t self:capability2 block_suspend;
+
+# Create an udev monitor
+allow kmscon_t self:netlink_kobject_uevent_socket { bind create setopt getattr };
+
+allow kmscon_t kmscon_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+term_create_pty(kmscon_t, kmscon_devpts_t)
+
+list_dirs_pattern(kmscon_t, kmscon_conf_t, kmscon_conf_t)
+read_files_pattern(kmscon_t, kmscon_conf_t, kmscon_conf_t)
+
+kernel_read_system_state(kmscon_t)
+
+auth_read_passwd(kmscon_t)
+
+dev_rw_dri(kmscon_t)
+dev_read_sysfs(kmscon_t)
+dev_read_framebuffer(kmscon_t)
+dev_write_framebuffer(kmscon_t)
+dev_rw_input_dev(kmscon_t)
+
+# Get allowed path length for directory with modules
+fs_getattr_xattr_fs(kmscon_t)
+
+locallogin_domtrans(kmscon_t)
+
+miscfiles_read_fonts(kmscon_t)
+miscfiles_manage_fonts_cache(kmscon_t)
+
+# Open the tty, so that it can be handed over to the seat manager
+term_use_unallocated_ttys(kmscon_t)
+
+optional_policy(`
+ # Learn about the input devices
+ udev_read_db(kmscon_t)
+')
+
+optional_policy(`
+ # Fontconfig and Pango configuration
+ gnome_read_home_config(kmscon_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(kmscon_t)
+ init_dbus_chat(kmscon_t)
+
+ optional_policy(`
+ systemd_dbus_chat_logind(kmscon_t)
+
+ # List seats
+ systemd_login_list_pid_dirs(kmscon_t)
+ systemd_login_read_pid_files(kmscon_t)
+
+ kmscon_systemctl(systemd_logind_t)
+ ')
+')
diff --git a/ksmtuned.fc b/ksmtuned.fc
index e736c450c..4b1e1e453 100644
--- a/ksmtuned.fc
+++ b/ksmtuned.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
+/usr/lib/systemd/system/ksmtuned.* -- gen_context(system_u:object_r:ksmtuned_unit_file_t,s0)
+
/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)
diff --git a/ksmtuned.if b/ksmtuned.if
index 93a64bc50..af6d741d6 100644
--- a/ksmtuned.if
+++ b/ksmtuned.if
@@ -38,6 +38,30 @@ interface(`ksmtuned_initrc_domtrans',`
init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t)
')
+#######################################
+## <summary>
+## Execute ksmtuned server in the ksmtunedd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ksmtuned_systemctl',`
+ gen_require(`
+ type ksmtuned_unit_file_t;
+ type ksmtuned_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 ksmtuned_unit_file_t:file read_file_perms;
+ allow $1 ksmtuned_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ksmtuned_t)
+')
+
########################################
## <summary>
## All of the rules required to
@@ -48,30 +72,28 @@ interface(`ksmtuned_initrc_domtrans',`
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
## <rolecap/>
#
interface(`ksmtuned_admin',`
gen_require(`
- type ksmtuned_t, ksmtuned_var_run_t;
- type ksmtuned_initrc_exec_t, ksmtuned_log_t;
+ type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t, ksmtuned_unit_file_t;
+ type ksmtuned_log_t;
')
- ksmtuned_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 ksmtuned_initrc_exec_t system_r;
- allow $2 system_r;
-
- allow $1 ksmtuned_t:process { ptrace signal_perms };
+ allow $1 ksmtuned_t:process signal_perms;
ps_process_pattern($1, ksmtuned_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ksmtuned_t:process ptrace;
+ ')
+
files_list_pids($1)
admin_pattern($1, ksmtuned_var_run_t)
logging_search_logs($1)
admin_pattern($1, ksmtuned_log_t)
+
+ ksmtuned_systemctl($1)
+ admin_pattern($1, ksmtuned_unit_file_t)
+ allow $1 ksmtuned_unit_file_t:service all_service_perms;
')
diff --git a/ksmtuned.te b/ksmtuned.te
index 8eef134ac..9636a5343 100644
--- a/ksmtuned.te
+++ b/ksmtuned.te
@@ -5,10 +5,27 @@ policy_module(ksmtuned, 1.1.1)
# Declarations
#
+## <desc>
+## <p>
+## Allow ksmtuned to use nfs file systems
+## </p>
+## </desc>
+gen_tunable(ksmtuned_use_nfs, false)
+
+## <desc>
+## <p>
+## Allow ksmtuned to use cifs/Samba file systems
+## </p>
+## </desc>
+gen_tunable(ksmtuned_use_cifs, false)
+
type ksmtuned_t;
type ksmtuned_exec_t;
init_daemon_domain(ksmtuned_t, ksmtuned_exec_t)
+type ksmtuned_unit_file_t;
+systemd_unit_file(ksmtuned_unit_file_t)
+
type ksmtuned_initrc_exec_t;
init_script_file(ksmtuned_initrc_exec_t)
@@ -40,9 +57,10 @@ kernel_read_system_state(ksmtuned_t)
corecmd_exec_bin(ksmtuned_t)
corecmd_exec_shell(ksmtuned_t)
-dev_rw_sysfs(ksmtuned_t)
+dev_manage_sysfs(ksmtuned_t)
domain_read_all_domains_state(ksmtuned_t)
+domain_dontaudit_read_all_domains_state(ksmtuned_t)
mls_file_read_to_clearance(ksmtuned_t)
@@ -52,4 +70,11 @@ auth_use_nsswitch(ksmtuned_t)
logging_send_syslog_msg(ksmtuned_t)
-miscfiles_read_localization(ksmtuned_t)
+tunable_policy(`ksmtuned_use_nfs',`
+ fs_read_nfs_files(ksmtuned_t)
+')
+
+tunable_policy(`ksmtuned_use_cifs',`
+ fs_read_cifs_files(ksmtuned_t)
+ samba_read_share_files(ksmtuned_t)
+')
diff --git a/ktalk.fc b/ktalk.fc
index 38ecb07d1..451067ebd 100644
--- a/ktalk.fc
+++ b/ktalk.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/ntalk.* -- gen_context(system_u:object_r:ktalkd_unit_file_t,s0)
+
/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
/usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
diff --git a/ktalk.if b/ktalk.if
index 19777b806..cd721fd6b 100644
--- a/ktalk.if
+++ b/ktalk.if
@@ -1 +1,77 @@
-## <summary>KDE Talk daemon.</summary>
+
+## <summary>talk-server - daemon programs for the Internet talk </summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the ktalkd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ktalk_domtrans',`
+ gen_require(`
+ type ktalkd_t, ktalkd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ktalkd_exec_t, ktalkd_t)
+')
+########################################
+## <summary>
+## Execute ktalkd server in the ktalkd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ktalk_systemctl',`
+ gen_require(`
+ type ktalkd_t;
+ type ktalkd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 ktalkd_unit_file_t:file read_file_perms;
+ allow $1 ktalkd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ktalkd_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ktalkd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ktalk_admin',`
+ gen_require(`
+ type ktalkd_t;
+ type ktalkd_unit_file_t;
+ ')
+
+ allow $1 ktalkd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ktalkd_t)
+
+ ktalk_systemctl($1)
+ admin_pattern($1, ktalkd_unit_file_t)
+ allow $1 ktalkd_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/ktalk.te b/ktalk.te
index c5548c5ed..1356fcbd2 100644
--- a/ktalk.te
+++ b/ktalk.te
@@ -13,6 +13,9 @@ inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t)
type ktalkd_log_t;
logging_log_file(ktalkd_log_t)
+type ktalkd_unit_file_t;
+systemd_unit_file(ktalkd_unit_file_t)
+
type ktalkd_tmp_t;
files_tmp_file(ktalkd_tmp_t)
@@ -50,7 +53,8 @@ dev_read_urand(ktalkd_t)
fs_getattr_xattr_fs(ktalkd_t)
-term_use_all_terms(ktalkd_t)
+term_search_ptys(ktalkd_t)
+term_use_all_inherited_terms(ktalkd_t)
auth_use_nsswitch(ktalkd_t)
@@ -58,4 +62,5 @@ init_read_utmp(ktalkd_t)
logging_send_syslog_msg(ktalkd_t)
-miscfiles_read_localization(ktalkd_t)
+userdom_use_user_ptys(ktalkd_t)
+userdom_use_user_ttys(ktalkd_t)
diff --git a/kubernetes.fc b/kubernetes.fc
new file mode 100644
index 000000000..deda99ed6
--- /dev/null
+++ b/kubernetes.fc
@@ -0,0 +1,11 @@
+/usr/lib/systemd/system/kubelet.* -- gen_context(system_u:object_r:kubelet_unit_file_t,s0)
+/usr/lib/systemd/system/kube-apiserver.* -- gen_context(system_u:object_r:kube_apiserver_unit_file_t,s0)
+/usr/lib/systemd/system/kube-controller-manager.* -- gen_context(system_u:object_r:kube_controller_manager_unit_file_t,s0)
+/usr/lib/systemd/system/kube-proxy.* -- gen_context(system_u:object_r:kube_proxy_unit_file_t,s0)
+
+/usr/bin/kubelet -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/bin/kube-apiserver -- gen_context(system_u:object_r:kube_apiserver_exec_t,s0)
+/usr/bin/kube-controller-manager -- gen_context(system_u:object_r:kube_controller_manager_exec_t,s0)
+/usr/bin/kube-proxy -- gen_context(system_u:object_r:kube_proxy_exec_t,s0)
+
+
diff --git a/kubernetes.if b/kubernetes.if
new file mode 100644
index 000000000..b2841e526
--- /dev/null
+++ b/kubernetes.if
@@ -0,0 +1,87 @@
+## <summary>SELinux policy for Kubernetes container management</summary>
+
+######################################
+## <summary>
+## Creates types and rules for a basic
+## kube init daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`kubernetes_domain_template',`
+ gen_require(`
+ attribute kubernetes_domain;
+ ')
+
+ ##############################
+ #
+ # $1_t declarations
+ #
+
+ type $1_t, kubernetes_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+ type $1_unit_file_t;
+ systemd_unit_file($1_unit_file_t)
+')
+
+########################################
+## <summary>
+## Search kubernetes lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kubernetes_search_lib_kubelet',`
+ gen_require(`
+ type kubelet_var_lib_t;
+ ')
+
+ allow $1 kubelet_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read kubernetes lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kubernetes_read_lib_files_kubelet',`
+ gen_require(`
+ type kubelet_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, kubelet_var_lib_t, kubelet_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage kubernetes lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kubernetes_manage_lib_files_kubelet',`
+ gen_require(`
+ type kubelet_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, kubelet_var_lib_t, kubelet_var_lib_t)
+')
diff --git a/kubernetes.te b/kubernetes.te
new file mode 100644
index 000000000..b625b5343
--- /dev/null
+++ b/kubernetes.te
@@ -0,0 +1,76 @@
+policy_module(kubernetes, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute kubernetes_domain;
+
+kubernetes_domain_template(kube_apiserver)
+kubernetes_domain_template(kube_controller_manager)
+kubernetes_domain_template(kube_proxy)
+kubernetes_domain_template(kubelet)
+
+permissive kube_apiserver_t;
+permissive kube_controller_manager_t;
+permissive kube_proxy_t;
+permissive kubelet_t;
+
+type kubelet_var_lib_t;
+files_type(kubelet_var_lib_t)
+
+########################################
+#
+# kubernetes domain local policy
+#
+
+# this is kernel bug which is going to be fixed
+# needs to be removed then
+dontaudit kubernetes_domain self:capability2 block_suspend;
+
+allow kubernetes_domain self:tcp_socket create_stream_socket_perms;
+
+kernel_read_unix_sysctls(kubernetes_domain)
+kernel_read_net_sysctls(kubernetes_domain)
+
+auth_read_passwd(kubernetes_domain)
+
+corenet_tcp_bind_generic_node(kubernetes_domain)
+
+corenet_tcp_connect_http_cache_port(kubernetes_domain)
+corenet_tcp_connect_kubernetes_port(kubernetes_domain)
+
+########################################
+#
+# kubelet local policy
+#
+
+allow kubelet_t self:capability net_admin;
+
+manage_dirs_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_lnk_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir)
+
+corenet_tcp_bind_kubernetes_port(kubelet_t)
+
+########################################
+#
+# kube_controller local policy
+#
+
+
+########################################
+#
+# kube_apiserver local policy
+#
+
+corenet_tcp_bind_http_cache_port(kube_apiserver_t)
+
+########################################
+#
+# kube_proxy local policy
+#
+
+allow kube_proxy_t self:capability net_admin;
diff --git a/kudzu.if b/kudzu.if
index 52970645f..6ba810834 100644
--- a/kudzu.if
+++ b/kudzu.if
@@ -86,9 +86,13 @@ interface(`kudzu_admin',`
type kudzu_tmp_t;
')
- allow $1 kudzu_t:process { ptrace signal_perms };
+ allow $1 kudzu_t:process { signal_perms };
ps_process_pattern($1, kudzu_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 kudzu_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, kudzu_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 kudzu_initrc_exec_t system_r;
diff --git a/kudzu.te b/kudzu.te
index 16640364b..a31b9ba5f 100644
--- a/kudzu.te
+++ b/kudzu.te
@@ -26,7 +26,7 @@ files_pid_file(kudzu_var_run_t)
# Local policy
#
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
+allow kudzu_t self:capability { dac_read_search sys_admin sys_rawio net_admin sys_tty_config mknod };
dontaudit kudzu_t self:capability sys_tty_config;
allow kudzu_t self:process { signal_perms execmem };
allow kudzu_t self:fifo_file rw_fifo_file_perms;
@@ -47,7 +47,7 @@ kernel_read_device_sysctls(kudzu_t)
kernel_read_kernel_sysctls(kudzu_t)
kernel_read_network_state(kudzu_t)
kernel_read_system_state(kudzu_t)
-kernel_rw_hotplug_sysctls(kudzu_t)
+kernel_rw_usermodehelper_state(kudzu_t)
kernel_rw_kernel_sysctl(kudzu_t)
corecmd_exec_all_executables(kudzu_t)
@@ -63,7 +63,6 @@ dev_rwx_zero(kudzu_t)
domain_use_interactive_fds(kudzu_t)
files_read_kernel_modules(kudzu_t)
-files_read_usr_files(kudzu_t)
files_search_locks(kudzu_t)
files_manage_etc_files(kudzu_t)
files_manage_etc_runtime_files(kudzu_t)
@@ -101,11 +100,10 @@ libs_read_lib_files(kudzu_t)
logging_send_syslog_msg(kudzu_t)
miscfiles_read_hwdata(kudzu_t)
-miscfiles_read_localization(kudzu_t)
sysnet_read_config(kudzu_t)
-userdom_use_user_terminals(kudzu_t)
+userdom_use_inherited_user_terminals(kudzu_t)
userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
userdom_search_user_home_dirs(kudzu_t)
@@ -122,17 +120,9 @@ optional_policy(`
')
optional_policy(`
- nscd_use(kudzu_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(kudzu_t)
')
optional_policy(`
udev_read_db(kudzu_t)
')
-
-optional_policy(`
- unconfined_domtrans(kudzu_t)
-')
diff --git a/l2tp.fc b/l2tp.fc
index d5d1572b1..ddc6ef210 100644
--- a/l2tp.fc
+++ b/l2tp.fc
@@ -5,7 +5,9 @@
/etc/sysconfig/.*l2tpd -- gen_context(system_u:object_r:l2tp_conf_t,s0)
/usr/sbin/.*l2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
+/usr/libexec/nm-l2tp-service -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
/var/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
/var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0)
/var/run/.*l2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
+/var/run/*.xl2tpd.* -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
diff --git a/l2tp.if b/l2tp.if
index 73e2803ee..34ca3aa22 100644
--- a/l2tp.if
+++ b/l2tp.if
@@ -1,9 +1,45 @@
-## <summary>Layer 2 Tunneling Protocol.</summary>
+## <summary>Layer 2 Tunneling Protocol daemons.</summary>
########################################
## <summary>
-## Send to l2tpd with a unix
-## domain dgram socket.
+## Transition to l2tpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`l2tpd_domtrans',`
+ gen_require(`
+ type l2tpd_t, l2tpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, l2tpd_exec_t, l2tpd_t)
+')
+
+########################################
+## <summary>
+## Execute l2tpd server in the l2tpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`l2tpd_initrc_domtrans',`
+ gen_require(`
+ type l2tpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Send to l2tpd via a unix dgram socket.
## </summary>
## <param name="domain">
## <summary>
@@ -16,7 +52,6 @@ interface(`l2tpd_dgram_send',`
type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t;
')
- files_search_pids($1)
files_search_tmp($1)
dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
')
@@ -39,10 +74,29 @@ interface(`l2tpd_rw_socket',`
allow $1 l2tpd_t:socket rw_socket_perms;
')
+########################################
+## <summary>
+## Read l2tpd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`l2tpd_read_pid_files',`
+ gen_require(`
+ type l2tpd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 l2tpd_var_run_t:file read_file_perms;
+')
+
#####################################
## <summary>
-## Connect to l2tpd with a unix
-## domain stream socket.
+## Connect to l2tpd over a unix domain
+## stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -56,14 +110,107 @@ interface(`l2tpd_stream_connect',`
')
files_search_pids($1)
- files_search_tmp($1)
- stream_connect_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
+ stream_connect_pattern($1, l2tpd_tmp_t, l2tpd_tmp_t, l2tpd_t)
+ stream_connect_pattern($1, l2tpd_var_run_t, l2tpd_var_run_t, l2tpd_t)
')
########################################
## <summary>
-## All of the rules required to
-## administrate an l2tp environment.
+## Read and write l2tpd unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`l2tpd_rw_pipes',`
+ gen_require(`
+ type l2tpd_t;
+ ')
+
+ allow $1 l2tpd_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Allow send a signal to l2tpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`l2tpd_signal',`
+ gen_require(`
+ type l2tpd_t;
+ ')
+
+ allow $1 l2tpd_t:process signal;
+')
+
+########################################
+## <summary>
+## Allow send signull to l2tpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`l2tpd_signull',`
+ gen_require(`
+ type l2tpd_t;
+ ')
+
+ allow $1 l2tpd_t:process signull;
+')
+
+########################################
+## <summary>
+## Allow send sigkill to l2tpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`l2tpd_sigkill',`
+ gen_require(`
+ type l2tpd_t;
+ ')
+
+ allow $1 l2tpd_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## l2tpd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`l2tpd_dbus_chat',`
+ gen_require(`
+ type l2tpd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 l2tpd_t:dbus send_msg;
+ allow l2tpd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an l2tpd environment
## </summary>
## <param name="domain">
## <summary>
@@ -77,16 +224,20 @@ interface(`l2tpd_stream_connect',`
## </param>
## <rolecap/>
#
-interface(`l2tp_admin',`
+interface(`l2tpd_admin',`
gen_require(`
type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t;
type l2tp_conf_t, l2tpd_tmp_t;
')
- allow $1 l2tpd_t:process { ptrace signal_perms };
+ allow $1 l2tpd_t:process signal_perms;
ps_process_pattern($1, l2tpd_t)
- init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 l2tpd_t:process ptrace;
+ ')
+
+ l2tpd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 l2tpd_initrc_exec_t system_r;
allow $2 system_r;
diff --git a/l2tp.te b/l2tp.te
index bb06a7fee..3339bd85c 100644
--- a/l2tp.te
+++ b/l2tp.te
@@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t)
#
allow l2tpd_t self:capability net_admin;
-allow l2tpd_t self:process signal;
+allow l2tpd_t self:process signal_perms;
allow l2tpd_t self:fifo_file rw_fifo_file_perms;
allow l2tpd_t self:netlink_socket create_socket_perms;
allow l2tpd_t self:rawip_socket create_socket_perms;
@@ -42,11 +42,13 @@ manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
manage_sock_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
-files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file })
+files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file fifo_file })
manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
+can_exec(l2tpd_t, l2tpd_exec_t)
+
corenet_all_recvfrom_unlabeled(l2tpd_t)
corenet_all_recvfrom_netlabel(l2tpd_t)
corenet_raw_sendrecv_generic_if(l2tpd_t)
@@ -75,19 +77,38 @@ corecmd_exec_bin(l2tpd_t)
dev_read_urand(l2tpd_t)
-files_read_etc_files(l2tpd_t)
-
term_setattr_generic_ptys(l2tpd_t)
term_use_generic_ptys(l2tpd_t)
term_use_ptmx(l2tpd_t)
-logging_send_syslog_msg(l2tpd_t)
+auth_read_passwd(l2tpd_t)
-miscfiles_read_localization(l2tpd_t)
+logging_send_syslog_msg(l2tpd_t)
sysnet_dns_name_resolve(l2tpd_t)
optional_policy(`
+ dbus_system_bus_client(l2tpd_t)
+ dbus_connect_system_bus(l2tpd_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(l2tpd_t)
+ ')
+')
+
+optional_policy(`
+ ipsec_domtrans_mgmt(l2tpd_t)
+ ipsec_mgmt_read_pid(l2tpd_t)
+ ipsec_filetrans_key_file(l2tpd_t)
+ ipsec_manage_key_file(l2tpd_t)
+ ipsec_kill_mgmt(l2tpd_t)
+')
+
+optional_policy(`
+ networkmanager_manage_pid_files(l2tpd_t)
+')
+
+optional_policy(`
ppp_domtrans(l2tpd_t)
ppp_signal(l2tpd_t)
ppp_kill(l2tpd_t)
diff --git a/ldap.fc b/ldap.fc
index b7e567916..c93db3316 100644
--- a/ldap.fc
+++ b/ldap.fc
@@ -1,8 +1,11 @@
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
-/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0)
+
+/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0)
/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
-/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:slapd_unit_file_t,s0)
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
@@ -22,8 +25,7 @@
/var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0)
/var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0)
-/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
-/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
-/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
-/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
-/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/ldap.if b/ldap.if
index 3602712d0..af83a5b6b 100644
--- a/ldap.if
+++ b/ldap.if
@@ -1,8 +1,69 @@
-## <summary>OpenLDAP directory server.</summary>
+## <summary>OpenLDAP directory server</summary>
+
+#######################################
+## <summary>
+## Execute OpenLDAP in the ldap domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_domtrans',`
+ gen_require(`
+ type slapd_t, slapd_exec_t;
+ ')
+
+ domtrans_pattern($1, slapd_exec_t, slapd_t)
+')
+
+#######################################
+## <summary>
+## Execute OpenLDAP server in the ldap domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_initrc_domtrans',`
+ gen_require(`
+ type slapd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, slapd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute slapd server in the slapd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ldap_systemctl',`
+ gen_require(`
+ type slapd_unit_file_t;
+ type slapd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 slapd_unit_file_t:file read_file_perms;
+ allow $1 slapd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, slapd_t)
+')
########################################
## <summary>
-## List ldap database directories.
+## Read the contents of the OpenLDAP
+## database directories.
## </summary>
## <param name="domain">
## <summary>
@@ -15,13 +76,31 @@ interface(`ldap_list_db',`
type slapd_db_t;
')
- files_search_etc($1)
allow $1 slapd_db_t:dir list_dir_perms;
')
########################################
## <summary>
-## Read ldap configuration files.
+## Read the contents of the OpenLDAP
+## database files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_read_db_files',`
+ gen_require(`
+ type slapd_db_t;
+ ')
+
+ read_files_pattern($1, slapd_db_t, slapd_db_t)
+')
+
+########################################
+## <summary>
+## Read the OpenLDAP configuration files.
## </summary>
## <param name="domain">
## <summary>
@@ -41,22 +120,29 @@ interface(`ldap_read_config',`
########################################
## <summary>
-## Use LDAP over TCP connection. (Deprecated)
+## Read the OpenLDAP cert files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
-interface(`ldap_use',`
- refpolicywarn(`$0($*) has been deprecated.')
+interface(`ldap_read_certs',`
+ gen_require(`
+ type slapd_cert_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 slapd_cert_t:dir list_dir_perms;
+ read_files_pattern($1, slapd_cert_t, slapd_cert_t)
+ read_lnk_files_pattern($1, slapd_cert_t, slapd_cert_t)
')
########################################
## <summary>
-## Connect to slapd over an unix
-## stream socket.
+## Use LDAP over TCP connection. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -64,18 +150,13 @@ interface(`ldap_use',`
## </summary>
## </param>
#
-interface(`ldap_stream_connect',`
- gen_require(`
- type slapd_t, slapd_var_run_t;
- ')
-
- files_search_pids($1)
- stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
+interface(`ldap_use',`
+ refpolicywarn(`$0($*) has been deprecated.')
')
########################################
## <summary>
-## Connect to ldap over the network.
+## Connect to slapd over an unix stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -83,21 +164,19 @@ interface(`ldap_stream_connect',`
## </summary>
## </param>
#
-interface(`ldap_tcp_connect',`
+interface(`ldap_stream_connect',`
gen_require(`
- type slapd_t;
+ type slapd_t, slapd_var_run_t;
')
- corenet_sendrecv_ldap_client_packets($1)
- corenet_tcp_connect_ldap_port($1)
- corenet_tcp_recvfrom_labeled($1, slapd_t)
- corenet_tcp_sendrecv_ldap_port($1)
+ files_search_pids($1)
+ stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
')
########################################
## <summary>
-## All of the rules required to
-## administrate an ldap environment.
+## All of the rules required to administrate
+## an ldap environment
## </summary>
## <param name="domain">
## <summary>
@@ -106,7 +185,7 @@ interface(`ldap_tcp_connect',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the ldap domain.
## </summary>
## </param>
## <rolecap/>
@@ -117,11 +196,16 @@ interface(`ldap_admin',`
type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
type slapd_db_t, slapd_keytab_t;
+ type slapd_unit_file_t;
')
- allow $1 slapd_t:process { ptrace signal_perms };
+ allow $1 slapd_t:process signal_perms;
ps_process_pattern($1, slapd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 slapd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, slapd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 slapd_initrc_exec_t system_r;
@@ -130,13 +214,9 @@ interface(`ldap_admin',`
files_list_etc($1)
admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
- files_list_locks($1)
admin_pattern($1, slapd_lock_t)
- logging_list_logs($1)
- admin_pattern($1, slapd_log_t)
-
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, slapd_replog_t)
files_list_tmp($1)
@@ -144,4 +224,8 @@ interface(`ldap_admin',`
files_list_pids($1)
admin_pattern($1, slapd_var_run_t)
+
+ ldap_systemctl($1)
+ admin_pattern($1, slapd_unit_file_t)
+ allow $1 slapd_unit_file_t:service all_service_perms;
')
diff --git a/ldap.te b/ldap.te
index 4c2b1110e..a9444566a 100644
--- a/ldap.te
+++ b/ldap.te
@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
type slapd_initrc_exec_t;
init_script_file(slapd_initrc_exec_t)
+type slapd_unit_file_t;
+systemd_unit_file(slapd_unit_file_t)
+
type slapd_keytab_t;
files_type(slapd_keytab_t)
@@ -47,9 +50,10 @@ files_pid_file(slapd_var_run_t)
# Local policy
#
-allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
+allow slapd_t self:capability { kill setgid setuid net_raw dac_read_search };
dontaudit slapd_t self:capability sys_tty_config;
-allow slapd_t self:process setsched;
+dontaudit slapd_t self:capability2 block_suspend;
+allow slapd_t self:process { setsched signal } ;
allow slapd_t self:fifo_file rw_fifo_file_perms;
allow slapd_t self:tcp_socket { accept listen };
@@ -60,6 +64,7 @@ read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t)
manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
+allow slapd_t slapd_db_t:file map;
allow slapd_t slapd_etc_t:file read_file_perms;
@@ -69,9 +74,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms;
files_lock_filetrans(slapd_t, slapd_lock_t, file)
manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
-append_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
-create_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
-setattr_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
@@ -80,7 +83,8 @@ manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
-files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
+manage_lnk_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
+files_tmp_filetrans(slapd_t, slapd_tmp_t, { file lnk_file dir })
manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t)
fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file)
@@ -93,7 +97,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
-corenet_all_recvfrom_unlabeled(slapd_t)
corenet_all_recvfrom_netlabel(slapd_t)
corenet_tcp_sendrecv_generic_if(slapd_t)
corenet_tcp_sendrecv_generic_node(slapd_t)
@@ -115,25 +118,26 @@ fs_getattr_all_fs(slapd_t)
fs_search_auto_mountpoints(slapd_t)
files_read_etc_runtime_files(slapd_t)
-files_read_usr_files(slapd_t)
files_list_var_lib(slapd_t)
auth_use_nsswitch(slapd_t)
+auth_rw_cache(slapd_t)
logging_send_syslog_msg(slapd_t)
miscfiles_read_generic_certs(slapd_t)
-miscfiles_read_localization(slapd_t)
userdom_dontaudit_use_unpriv_user_fds(slapd_t)
userdom_dontaudit_search_user_home_dirs(slapd_t)
+usermanage_read_crack_db(slapd_t)
+
optional_policy(`
kerberos_manage_host_rcache(slapd_t)
kerberos_read_keytab(slapd_t)
- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldapmap1_0")
- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_487")
- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_55")
+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_55")
kerberos_use(slapd_t)
')
diff --git a/lightsquid.fc b/lightsquid.fc
index 044390c6e..63e205863 100644
--- a/lightsquid.fc
+++ b/lightsquid.fc
@@ -1,11 +1,11 @@
/etc/cron\.daily/lightsquid -- gen_context(system_u:object_r:lightsquid_exec_t,s0)
-/usr/lib/cgi-bin/lightsquid/.*\.cfg -- gen_context(system_u:object_r:httpd_lightsquid_content_t,s0)
-/usr/lib/cgi-bin/lightsquid/.*\.cgi -- gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0)
+/usr/lib/cgi-bin/lightsquid/.*\.cfg -- gen_context(system_u:object_r:lightsquid_content_t,s0)
+/usr/lib/cgi-bin/lightsquid/.*\.cgi -- gen_context(system_u:object_r:lightsquid_script_exec_t,s0)
-/usr/share/lightsquid/cgi/.*\.cgi -- gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0)
+/usr/share/lightsquid/cgi/.*\.cgi -- gen_context(system_u:object_r:lightsquid_script_exec_t,s0)
/var/lightsquid(/.*)? gen_context(system_u:object_r:lightsquid_rw_content_t,s0)
-/var/www/html/lightsquid(/.*)? gen_context(system_u:object_r:httpd_lightsquid_content_t,s0)
-/var/www/html/lightsquid/report(/.*)? gen_context(system_u:object_r:lightsquid_rw_content_t,s0)
+/var/www/html/lightsquid(/.*)? gen_context(system_u:object_r:lightsquid_content_t,s0)
+/var/www/html/lightsquid/report(/.*)? gen_context(system_u:object_r:lightsquid_report_content_t,s0)
diff --git a/lightsquid.if b/lightsquid.if
index 33a28b9ad..33ffe2484 100644
--- a/lightsquid.if
+++ b/lightsquid.if
@@ -76,5 +76,7 @@ interface(`lightsquid_admin',`
files_search_var_lib($1)
admin_pattern($1, lightsquid_rw_content_t)
- apache_list_sys_content($1)
+ optional_policy(`
+ apache_list_sys_content($1)
+ ')
')
diff --git a/lightsquid.te b/lightsquid.te
index 09c4f27ba..6c7855e4e 100644
--- a/lightsquid.te
+++ b/lightsquid.te
@@ -13,38 +13,34 @@ type lightsquid_exec_t;
application_domain(lightsquid_t, lightsquid_exec_t)
role lightsquid_roles types lightsquid_t;
-type lightsquid_rw_content_t;
-files_type(lightsquid_rw_content_t)
+type lightsquid_report_content_t;
+files_type(lightsquid_report_content_t)
########################################
#
# Local policy
#
-manage_dirs_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
-manage_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
-manage_lnk_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
-files_var_filetrans(lightsquid_t, lightsquid_rw_content_t, dir)
+manage_dirs_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t)
+manage_files_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t)
+manage_lnk_files_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t)
+files_var_filetrans(lightsquid_t, lightsquid_report_content_t, dir)
corecmd_exec_bin(lightsquid_t)
corecmd_exec_shell(lightsquid_t)
dev_read_urand(lightsquid_t)
-files_read_etc_files(lightsquid_t)
-files_read_usr_files(lightsquid_t)
-
-miscfiles_read_localization(lightsquid_t)
-
squid_read_config(lightsquid_t)
squid_read_log(lightsquid_t)
optional_policy(`
apache_content_template(lightsquid)
+ apache_content_alias_template(lightsquid, lightsquid)
- list_dirs_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
- read_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
- read_lnk_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+ list_dirs_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t)
+ read_files_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t)
+ read_lnk_files_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t)
')
optional_policy(`
diff --git a/likewise.if b/likewise.if
index bd20e8cc9..3393a01e6 100644
--- a/likewise.if
+++ b/likewise.if
@@ -1,9 +1,22 @@
## <summary>Likewise Active Directory support for UNIX.</summary>
+## <desc>
+## <p>
+## Likewise Open is a free, open source application that joins Linux, Unix,
+## and Mac machines to Microsoft Active Directory to securely authenticate
+## users with their domain credentials.
+## </p>
+## </desc>
#######################################
## <summary>
## The template to define a likewise domain.
## </summary>
+## <desc>
+## <p>
+## This template creates a domain to be used for
+## a new likewise daemon.
+## </p>
+## </desc>
## <param name="userdomain_prefix">
## <summary>
## The type of daemon to be used.
@@ -11,6 +24,7 @@
## </param>
#
template(`likewise_domain_template',`
+
gen_require(`
attribute likewise_domains;
type likewise_var_lib_t;
@@ -24,6 +38,7 @@ template(`likewise_domain_template',`
type $1_t;
type $1_exec_t;
init_daemon_domain($1_t, $1_exec_t)
+ domain_use_interactive_fds($1_t)
typeattribute $1_t likewise_domains;
@@ -38,15 +53,18 @@ template(`likewise_domain_template',`
####################################
#
- # Policy
+ # Local Policy
#
allow $1_t self:process { signal_perms getsched setsched };
allow $1_t self:fifo_file rw_fifo_file_perms;
- allow $1_t self:unix_stream_socket { accept listen };
+ allow $1_t self:unix_dgram_socket create_socket_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
+ allow $1_t likewise_var_lib_t:dir setattr_dir_perms;
+
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
files_pid_filetrans($1_t, $1_var_run_t, file)
@@ -55,12 +73,15 @@ template(`likewise_domain_template',`
manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t)
filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file)
+
+ kernel_read_system_state($1_t)
+
+ logging_send_syslog_msg($1_t)
')
########################################
## <summary>
-## Connect to lsassd with a unix domain
-## stream socket.
+## Connect to lsassd.
## </summary>
## <param name="domain">
## <summary>
@@ -76,59 +97,3 @@ interface(`likewise_stream_connect_lsassd',`
files_search_pids($1)
stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
')
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an likewise environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`likewise_admin',`
- gen_require(`
- attribute likewise_domains;
- type likewise_initrc_exec_t, likewise_etc_t, likewise_pstore_lock_t;
- type likewise_krb5_ad_t, likewise_var_lib_t, eventlogd_var_socket_t;
- type lsassd_var_socket_t, lwiod_var_socket_t, lwregd_var_socket_t;
- type lwsmd_var_socket_t, lwsmd_var_lib_t, netlogond_var_socket_t;
- type netlogond_var_lib_t, lsassd_var_lib_t, lwregd_var_lib_t;
- type eventlogd_var_lib_t, dcerpcd_var_lib_t, lsassd_tmp_t;
- type eventlogd_var_run_t, lsassd_var_run_t, lwiod_var_run_t;
- type lwregd_var_run_t, netlogond_var_run_t, srvsvcd_var_run_t;
- ')
-
- allow $1 likewise_domains:process { ptrace signal_perms };
- ps_process_pattern($1, likewise_domains)
-
- init_labeled_script_domtrans($1, likewise_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 likewise_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_list_etc($1)
- admin_pattern($1, { likewise_etc_t likewise_pstore_lock_t likewise_krb5_ad_t })
-
- files_search_var_lib($1)
- admin_pattern($1, { likewise_var_lib_t eventlogd_var_socket_t lsassd_var_socket_t })
- admin_pattern($1, { lwiod_var_socket_t lwregd_var_socket_t lwsmd_var_socket_t })
- admin_pattern($1, { lwsmd_var_lib_t netlogond_var_socket_t netlogond_var_lib_t })
- admin_pattern($1, { lsassd_var_lib_t lwregd_var_lib_t eventlogd_var_lib_t })
- admin_pattern($1, dcerpcd_var_lib_t)
-
- files_list_tmp($1)
- admin_pattern($1, lsassd_tmp_t)
-
- files_list_pids($1)
- admin_pattern($1, { eventlogd_var_run_t lsassd_var_run_t lwiod_var_run_t })
- admin_pattern($1, { lwregd_var_run_t netlogond_var_run_t srvsvcd_var_run_t })
-')
diff --git a/likewise.te b/likewise.te
index d8c2442a8..0bd8a29a9 100644
--- a/likewise.te
+++ b/likewise.te
@@ -26,7 +26,7 @@ type likewise_var_lib_t;
files_type(likewise_var_lib_t)
type likewise_pstore_lock_t;
-files_type(likewise_pstore_lock_t)
+files_lock_file(likewise_pstore_lock_t)
type likewise_krb5_ad_t;
files_type(likewise_krb5_ad_t)
@@ -41,20 +41,13 @@ files_tmp_file(lsassd_tmp_t)
allow likewise_domains likewise_var_lib_t:dir setattr_dir_perms;
-kernel_read_system_state(likewise_domains)
-
dev_read_rand(likewise_domains)
dev_read_urand(likewise_domains)
domain_use_interactive_fds(likewise_domains)
-files_read_etc_files(likewise_domains)
files_search_var_lib(likewise_domains)
-logging_send_syslog_msg(likewise_domains)
-
-miscfiles_read_localization(likewise_domains)
-
#################################
#
# dcerpcd local policy
@@ -102,7 +95,7 @@ corenet_tcp_sendrecv_epmap_port(eventlogd_t)
# lsassd local policy
#
-allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time };
+allow lsassd_t self:capability { fowner chown fsetid dac_read_search sys_time };
allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -126,7 +119,6 @@ corecmd_exec_bin(lsassd_t)
corecmd_exec_shell(lsassd_t)
corenet_all_recvfrom_netlabel(lsassd_t)
-corenet_all_recvfrom_unlabeled(lsassd_t)
corenet_tcp_sendrecv_generic_if(lsassd_t)
corenet_tcp_sendrecv_generic_node(lsassd_t)
@@ -165,7 +157,7 @@ optional_policy(`
# lwiod local policy
#
-allow lwiod_t self:capability { fowner chown fsetid dac_override sys_resource };
+allow lwiod_t self:capability { fowner chown fsetid dac_read_search sys_resource };
allow lwiod_t self:process setrlimit;
allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -221,7 +213,7 @@ stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_
# netlogond local policy
#
-allow netlogond_t self:capability dac_override;
+allow netlogond_t self:capability { dac_read_search };
manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
@@ -242,7 +234,6 @@ stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_
stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
corenet_all_recvfrom_netlabel(srvsvcd_t)
-corenet_all_recvfrom_unlabeled(srvsvcd_t)
corenet_sendrecv_generic_server_packets(srvsvcd_t)
corenet_tcp_sendrecv_generic_if(srvsvcd_t)
corenet_tcp_sendrecv_generic_node(srvsvcd_t)
diff --git a/linuxptp.fc b/linuxptp.fc
new file mode 100644
index 000000000..d2061a9e4
--- /dev/null
+++ b/linuxptp.fc
@@ -0,0 +1,11 @@
+/usr/lib/systemd/system/phc2sys.* -- gen_context(system_u:object_r:phc2sys_unit_file_t,s0)
+
+/usr/lib/systemd/system/ptp4l.* -- gen_context(system_u:object_r:ptp4l_unit_file_t,s0)
+
+/usr/lib/systemd/system/timemaster.* -- gen_context(system_u:object_r:timemaster_unit_file_t,s0)
+
+/usr/sbin/ptp4l -- gen_context(system_u:object_r:ptp4l_exec_t,s0)
+/usr/sbin/phc2sys -- gen_context(system_u:object_r:phc2sys_exec_t,s0)
+/usr/sbin/timemaster -- gen_context(system_u:object_r:timemaster_exec_t,s0)
+
+/var/run/timemaster(/.*)? gen_context(system_u:object_r:timemaster_var_run_t,s0)
diff --git a/linuxptp.if b/linuxptp.if
new file mode 100644
index 000000000..7ba50607c
--- /dev/null
+++ b/linuxptp.if
@@ -0,0 +1,121 @@
+## <summary>implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux.</summary>
+
+########################################
+## <summary>
+## Execute domain in the phc2sys domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`linuxptp_domtrans_phc2sys',`
+ gen_require(`
+ type phc2sys_t, phc2sys_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, phc2sys_exec_t, phc2sys_t)
+')
+
+########################################
+## <summary>
+## Execute domain in the phc2sys domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`linuxptp_domtrans_ptp4l',`
+ gen_require(`
+ type ptp4l_t, ptp4l_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ptp4l_exec_t, ptp4l_t)
+')
+######################################
+## <summary>
+## Connect to timemaster using a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`timemaster_stream_connect',`
+ gen_require(`
+ type timemaster_t, timemaster_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, timemaster_var_run_t, timemaster_var_run_t, timemaster_t)
+')
+
+########################################
+## <summary>
+## Read timemaster conf files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`timemaster_read_pid_files',`
+ gen_require(`
+ type timemaster_var_run_t;
+ ')
+
+ read_files_pattern($1, timemaster_var_run_t, timemaster_var_run_t)
+')
+
+########################################
+## <summary>
+## Read and write timemaster shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`timemaster_rw_shm',`
+ gen_require(`
+ type timemaster_t, timemaster_tmpfs_t;
+ ')
+
+ allow $1 timemaster_t:shm rw_shm_perms;
+ list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## Read and write ptp4l_t shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ptp4l_rw_shm',`
+ gen_require(`
+ type ptp4l_t, timemaster_tmpfs_t;
+ ')
+
+ allow $1 ptp4l_t:shm rw_shm_perms;
+ list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
diff --git a/linuxptp.te b/linuxptp.te
new file mode 100644
index 000000000..37414ae0d
--- /dev/null
+++ b/linuxptp.te
@@ -0,0 +1,184 @@
+policy_module(linuxptp, 1.0.0)
+
+
+########################################
+#
+# Declarations
+#
+
+type timemaster_t;
+type timemaster_exec_t;
+init_daemon_domain(timemaster_t, timemaster_exec_t)
+
+type timemaster_var_run_t;
+files_pid_file(timemaster_var_run_t)
+
+type timemaster_tmpfs_t;
+files_tmpfs_file(timemaster_tmpfs_t)
+
+type timemaster_unit_file_t;
+systemd_unit_file(timemaster_unit_file_t)
+
+type phc2sys_t;
+type phc2sys_exec_t;
+init_daemon_domain(phc2sys_t, phc2sys_exec_t)
+
+type phc2sys_unit_file_t;
+systemd_unit_file(phc2sys_unit_file_t)
+
+type ptp4l_t;
+type ptp4l_exec_t;
+init_daemon_domain(ptp4l_t, ptp4l_exec_t)
+
+type ptp4l_unit_file_t;
+systemd_unit_file(ptp4l_unit_file_t)
+
+########################################
+#
+# timemaster local policy
+#
+
+allow timemaster_t self:process { signal_perms setcap};
+allow timemaster_t self:fifo_file rw_fifo_file_perms;
+allow timemaster_t self:capability { setuid sys_time kill setgid };
+allow timemaster_t self:unix_stream_socket create_stream_socket_perms;
+allow timemaster_t self:shm create_shm_perms;
+allow timemaster_t self:udp_socket create_socket_perms;
+
+allow timemaster_t ptp4l_t:process signal;
+allow timemaster_t phc2sys_t:process signal;
+
+allow timemaster_t ptp4l_t:shm rw_shm_perms;
+
+manage_dirs_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_sock_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
+files_pid_filetrans(timemaster_t, timemaster_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+manage_files_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+fs_tmpfs_filetrans(timemaster_t, timemaster_tmpfs_t, { dir file })
+
+kernel_read_network_state(timemaster_t)
+
+auth_use_nsswitch(timemaster_t)
+
+corenet_udp_bind_generic_node(timemaster_t)
+corenet_udp_bind_ntp_port(timemaster_t)
+
+dev_read_urand(timemaster_t)
+
+logging_send_syslog_msg(timemaster_t)
+
+sysnet_read_config(timemaster_t)
+
+optional_policy(`
+ ntp_domtrans(timemaster_t)
+ ntp_signal(timemaster_t)
+')
+
+optional_policy(`
+ chronyd_domtrans(timemaster_t)
+ chronyd_rw_shm(timemaster_t)
+')
+
+optional_policy(`
+ gpsd_rw_shm(timemaster_t)
+')
+
+
+optional_policy(`
+ chronyd_signal(timemaster_t)
+')
+
+
+optional_policy(`
+ linuxptp_domtrans_ptp4l(timemaster_t)
+')
+
+optional_policy(`
+ linuxptp_domtrans_phc2sys(timemaster_t)
+')
+
+########################################
+#
+# phc2sys local policy
+#
+
+allow phc2sys_t self:capability sys_time;
+allow phc2sys_t self:fifo_file rw_fifo_file_perms;
+allow phc2sys_t self:unix_stream_socket create_stream_socket_perms;
+allow phc2sys_t self:shm create_shm_perms;
+allow phc2sys_t self:udp_socket create_socket_perms;
+
+allow phc2sys_t ptp4l_t:unix_dgram_socket sendto;
+
+allow phc2sys_t timemaster_t:shm rw_shm_perms;
+
+manage_dirs_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_sock_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
+files_pid_filetrans(phc2sys_t, timemaster_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+manage_files_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+fs_tmpfs_filetrans(phc2sys_t, timemaster_tmpfs_t, { dir file })
+
+dev_rw_realtime_clock(phc2sys_t)
+
+logging_send_syslog_msg(phc2sys_t)
+
+optional_policy(`
+ chronyd_rw_shm(phc2sys_t)
+')
+
+optional_policy(`
+ gpsd_rw_shm(phc2sys_t)
+')
+
+optional_policy(`
+ ntp_rw_shm(phc2sys_t)
+')
+
+########################################
+#
+# ptp4l local policy
+#
+
+allow ptp4l_t self:fifo_file rw_fifo_file_perms;
+allow ptp4l_t self:unix_stream_socket create_stream_socket_perms;
+allow ptp4l_t self:shm create_shm_perms;
+allow ptp4l_t self:udp_socket create_socket_perms;
+allow ptp4l_t self:capability { net_admin net_raw sys_time };
+allow ptp4l_t self:capability2 { wake_alarm };
+allow ptp4l_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow ptp4l_t phc2sys_t:unix_dgram_socket sendto;
+
+manage_dirs_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_sock_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
+files_pid_filetrans(ptp4l_t, timemaster_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+manage_files_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+fs_tmpfs_filetrans(ptp4l_t, timemaster_tmpfs_t, { dir file })
+
+corenet_udp_bind_generic_node(ptp4l_t)
+corenet_udp_bind_reserved_port(ptp4l_t)
+
+kernel_read_network_state(ptp4l_t)
+
+dev_rw_realtime_clock(ptp4l_t)
+
+logging_send_syslog_msg(ptp4l_t)
+
+userdom_dgram_send(ptp4l_t)
+
+optional_policy(`
+ chronyd_rw_shm(ptp4l_t)
+')
+
+optional_policy(`
+ gpsd_rw_shm(ptp4l_t)
+')
diff --git a/lircd.if b/lircd.if
index dff21a7c4..b6981c846 100644
--- a/lircd.if
+++ b/lircd.if
@@ -81,8 +81,11 @@ interface(`lircd_admin',`
type lircd_initrc_exec_t, lircd_etc_t;
')
- allow $1 lircd_t:process { ptrace signal_perms };
+ allow $1 lircd_t:process signal_perms;
ps_process_pattern($1, lircd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 lircd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, lircd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/lircd.te b/lircd.te
index 483c87bb6..1bfb75c34 100644
--- a/lircd.te
+++ b/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
init_script_file(lircd_initrc_exec_t)
type lircd_etc_t;
-files_type(lircd_etc_t)
+files_config_file(lircd_etc_t)
type lircd_var_run_t alias lircd_sock_t;
files_pid_file(lircd_var_run_t)
@@ -23,10 +23,11 @@ files_pid_file(lircd_var_run_t)
# Local policy
#
-allow lircd_t self:capability { chown kill sys_admin };
+allow lircd_t self:capability { setuid setgid dac_read_search chown kill sys_admin };
allow lircd_t self:process signal;
allow lircd_t self:fifo_file rw_fifo_file_perms;
allow lircd_t self:tcp_socket { accept listen };
+allow lircd_t self:netlink_kobject_uevent_socket create_socket_perms;
read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
@@ -39,6 +40,8 @@ dev_filetrans(lircd_t, lircd_var_run_t, sock_file)
kernel_request_load_module(lircd_t)
+corecmd_exec_shell(lircd_t)
+
corenet_all_recvfrom_unlabeled(lircd_t)
corenet_all_recvfrom_netlabel(lircd_t)
corenet_tcp_sendrecv_generic_if(lircd_t)
@@ -56,7 +59,7 @@ dev_read_mouse(lircd_t)
dev_filetrans_lirc(lircd_t)
dev_rw_lirc(lircd_t)
dev_rw_input_dev(lircd_t)
-dev_read_sysfs(lircd_t)
+dev_rw_sysfs(lircd_t)
files_read_config_files(lircd_t)
files_list_var(lircd_t)
@@ -64,9 +67,11 @@ files_manage_generic_locks(lircd_t)
files_read_all_locks(lircd_t)
term_use_ptmx(lircd_t)
+term_use_usb_ttys(lircd_t)
+term_use_unallocated_ttys(lircd_t)
-logging_send_syslog_msg(lircd_t)
+auth_use_nsswitch(lircd_t)
-miscfiles_read_localization(lircd_t)
+logging_send_syslog_msg(lircd_t)
sysnet_dns_name_resolve(lircd_t)
diff --git a/livecd.if b/livecd.if
index e3541811a..fc614bac2 100644
--- a/livecd.if
+++ b/livecd.if
@@ -38,11 +38,36 @@ interface(`livecd_domtrans',`
#
interface(`livecd_run',`
gen_require(`
+ type livecd_t;
+ type livecd_exec_t;
attribute_role livecd_roles;
')
livecd_domtrans($1)
roleattribute $2 livecd_roles;
+ role_transition $2 livecd_exec_t system_r;
+
+ optional_policy(`
+ rpm_transition_script(livecd_t, $2)
+ ')
+')
+
+########################################
+## <summary>
+## Dontaudit read/write to a livecd leaks
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`livecd_dontaudit_leaks',`
+ gen_require(`
+ type livecd_t;
+ ')
+
+ dontaudit $1 livecd_t:unix_dgram_socket { read write };
')
########################################
diff --git a/livecd.te b/livecd.te
index 2f974bf83..f6e97faaf 100644
--- a/livecd.te
+++ b/livecd.te
@@ -21,9 +21,11 @@ files_tmp_file(livecd_tmp_t)
# Local policy
#
-dontaudit livecd_t self:capability2 mac_admin;
+allow livecd_t self:capability2 mac_admin;
-domain_ptrace_all_domains(livecd_t)
+tunable_policy(`deny_ptrace',`',`
+ domain_ptrace_all_domains(livecd_t)
+')
manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
@@ -35,12 +37,13 @@ sysnet_etc_filetrans_config(livecd_t)
optional_policy(`
hal_dbus_chat(livecd_t)
')
+
optional_policy(`
- mount_run(livecd_t, livecd_roles)
+ mount_run(livecd_t, livecd_roles)
')
optional_policy(`
- rpm_domtrans(livecd_t)
+ seutil_run_setfiles_mac(livecd_t, livecd_roles)
')
optional_policy(`
diff --git a/lldpad.fc b/lldpad.fc
index 8031a78eb..72e56acc3 100644
--- a/lldpad.fc
+++ b/lldpad.fc
@@ -5,3 +5,5 @@
/var/lib/lldpad(/.*)? gen_context(system_u:object_r:lldpad_var_lib_t,s0)
/var/run/lldpad.* gen_context(system_u:object_r:lldpad_var_run_t,s0)
+
+/dev/shm/lldpad.* -- gen_context(system_u:object_r:lldpad_tmpfs_t,s0)
diff --git a/lldpad.if b/lldpad.if
index d18c96023..b7bd75245 100644
--- a/lldpad.if
+++ b/lldpad.if
@@ -2,6 +2,25 @@
#######################################
## <summary>
+## Transition to lldpad.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lldpad_domtrans',`
+ gen_require(`
+ type lldpad_t, lldpad_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, lldpad_exec_t, lldpad_t)
+')
+
+#######################################
+## <summary>
## Send to lldpad with a unix dgram socket.
## </summary>
## <param name="domain">
@@ -42,9 +61,13 @@ interface(`lldpad_admin',`
type lldpad_var_run_t;
')
- allow $1 lldpad_t:process { ptrace signal_perms };
+ allow $1 lldpad_t:process { signal_perms };
ps_process_pattern($1, lldpad_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 lldpad_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 lldpad_initrc_exec_t system_r;
@@ -56,3 +79,22 @@ interface(`lldpad_admin',`
files_search_pids($1)
admin_pattern($1, lldpad_var_run_t)
')
+
+########################################
+## <summary>
+## Allow relabel lldpad_tmpfs_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lldpad_relabel_tmpfs',`
+ gen_require(`
+ type lldpad_tmpfs_t;
+ ')
+
+ allow $1 lldpad_tmpfs_t:file relabelfrom;
+ allow $1 lldpad_tmpfs_t:file relabelto;
+')
diff --git a/lldpad.te b/lldpad.te
index 2a491d96c..3399d597a 100644
--- a/lldpad.te
+++ b/lldpad.te
@@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t)
# Local policy
#
-allow lldpad_t self:capability { net_admin net_raw };
+allow lldpad_t self:capability { net_admin net_raw sys_resource };
allow lldpad_t self:shm create_shm_perms;
allow lldpad_t self:fifo_file rw_fifo_file_perms;
allow lldpad_t self:unix_stream_socket { accept listen };
@@ -51,12 +51,20 @@ kernel_request_load_module(lldpad_t)
dev_read_sysfs(lldpad_t)
-files_read_etc_files(lldpad_t)
+fs_getattr_tmpfs(lldpad_t)
logging_send_syslog_msg(lldpad_t)
-miscfiles_read_localization(lldpad_t)
+userdom_dgram_send(lldpad_t)
optional_policy(`
fcoe_dgram_send_fcoemon(lldpad_t)
')
+
+optional_policy(`
+ networkmanager_dgram_send(lldpad_t)
+')
+
+optional_policy(`
+ virt_dgram_send(lldpad_t)
+')
diff --git a/loadkeys.te b/loadkeys.te
index d2f464375..5bacffd37 100644
--- a/loadkeys.te
+++ b/loadkeys.te
@@ -17,7 +17,7 @@ role loadkeys_roles types loadkeys_t;
# Local policy
#
-allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config };
+allow loadkeys_t self:capability { dac_read_search setuid sys_tty_config };
allow loadkeys_t self:fifo_file rw_fifo_file_perms;
kernel_read_system_state(loadkeys_t)
@@ -25,20 +25,19 @@ kernel_read_system_state(loadkeys_t)
corecmd_exec_bin(loadkeys_t)
corecmd_exec_shell(loadkeys_t)
-files_read_etc_files(loadkeys_t)
files_read_etc_runtime_files(loadkeys_t)
term_dontaudit_use_console(loadkeys_t)
term_use_unallocated_ttys(loadkeys_t)
+auth_read_passwd(loadkeys_t)
+
init_dontaudit_use_fds(loadkeys_t)
init_dontaudit_use_script_ptys(loadkeys_t)
locallogin_use_fds(loadkeys_t)
-miscfiles_read_localization(loadkeys_t)
-
-userdom_use_user_ttys(loadkeys_t)
+userdom_use_inherited_user_ttys(loadkeys_t)
userdom_list_user_home_content(loadkeys_t)
ifdef(`hide_broken_symptoms',`
@@ -52,3 +51,8 @@ optional_policy(`
optional_policy(`
nscd_dontaudit_search_pid(loadkeys_t)
')
+
+optional_policy(`
+ sssd_read_public_files(loadkeys_t)
+ sssd_stream_connect(loadkeys_t)
+')
diff --git a/lockdev.if b/lockdev.if
index 4313b8bc0..cd1435cdf 100644
--- a/lockdev.if
+++ b/lockdev.if
@@ -1,5 +1,25 @@
## <summary>Library for locking devices.</summary>
+#######################################
+## <summary>
+## Create, read, write, and delete
+## lockdev lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lockdev_manage_files',`
+ gen_require(`
+ type lockdev_lock_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, lockdev_lock_t, lockdev_lock_t)
+')
+
########################################
## <summary>
## Role access for lockdev.
diff --git a/lockdev.te b/lockdev.te
index 61db5a0a7..9d5d25524 100644
--- a/lockdev.te
+++ b/lockdev.te
@@ -36,4 +36,5 @@ fs_getattr_xattr_fs(lockdev_t)
logging_send_syslog_msg(lockdev_t)
-userdom_use_user_terminals(lockdev_t)
+userdom_use_inherited_user_terminals(lockdev_t)
+
diff --git a/logrotate.fc b/logrotate.fc
index a11d5be99..60f83c5db 100644
--- a/logrotate.fc
+++ b/logrotate.fc
@@ -1,6 +1,6 @@
-/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0)
-/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+/var/lib/logrotate\.status.* -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
diff --git a/logrotate.if b/logrotate.if
index dd8e01af3..9cd6b0b8e 100644
--- a/logrotate.if
+++ b/logrotate.if
@@ -1,4 +1,4 @@
-## <summary>Rotates, compresses, removes and mails system log files.</summary>
+## <summary>Rotate and archive system logs</summary>
########################################
## <summary>
@@ -21,9 +21,8 @@ interface(`logrotate_domtrans',`
########################################
## <summary>
-## Execute logrotate in the logrotate
-## domain, and allow the specified
-## role the logrotate domain.
+## Execute logrotate in the logrotate domain, and
+## allow the specified role the logrotate domain.
## </summary>
## <param name="domain">
## <summary>
@@ -39,11 +38,11 @@ interface(`logrotate_domtrans',`
#
interface(`logrotate_run',`
gen_require(`
- attribute_role logrotate_roles;
+ type logrotate_t;
')
logrotate_domtrans($1)
- roleattribute $2 logrotate_roles;
+ role $2 types logrotate_t;
')
########################################
@@ -85,8 +84,7 @@ interface(`logrotate_use_fds',`
########################################
## <summary>
-## Do not audit attempts to inherit
-## logrotate file descriptors.
+## Do not audit attempts to inherit logrotate file descriptors.
## </summary>
## <param name="domain">
## <summary>
@@ -104,7 +102,7 @@ interface(`logrotate_dontaudit_use_fds',`
########################################
## <summary>
-## Read logrotate temporary files.
+## Read a logrotate temporary files.
## </summary>
## <param name="domain">
## <summary>
diff --git a/logrotate.te b/logrotate.te
index be0ab84b3..af94fb163 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -5,16 +5,33 @@ policy_module(logrotate, 1.15.0)
# Declarations
#
-attribute_role logrotate_roles;
-roleattribute system_r logrotate_roles;
+gen_require(`
+ class passwd passwd;
+')
+
+## <desc>
+## <p>
+## Allow logrotate to manage nfs files
+## </p>
+## </desc>
+gen_tunable(logrotate_use_nfs, false)
+
+## <desc>
+## <p>
+## Allow logrotate to read logs inside
+## </p>
+## </desc>
+gen_tunable(logrotate_read_inside_containers, false)
+
type logrotate_t;
-type logrotate_exec_t;
domain_type(logrotate_t)
domain_obj_id_change_exemption(logrotate_t)
domain_system_change_exemption(logrotate_t)
+role system_r types logrotate_t;
+
+type logrotate_exec_t;
domain_entry_file(logrotate_t, logrotate_exec_t)
-role logrotate_roles types logrotate_t;
type logrotate_lock_t;
files_lock_file(logrotate_lock_t)
@@ -25,21 +42,33 @@ files_tmp_file(logrotate_tmp_t)
type logrotate_var_lib_t;
files_type(logrotate_var_lib_t)
-mta_base_mail_template(logrotate)
-role system_r types logrotate_mail_t;
-
########################################
#
# Local policy
#
-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
-allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+# Change ownership on log files.
+allow logrotate_t self:capability { chown dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace };
+dontaudit logrotate_t self:capability { sys_resource net_admin };
+
+# dontaudited due to systemctl command.
+dontaudit logrotate_t self:process setrlimit;
+
+allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+
+allow logrotate_t self:passwd { passwd };
+
+# Set a context other than the default one for newly created files.
+allow logrotate_t self:process setfscreate;
+
allow logrotate_t self:fd use;
allow logrotate_t self:key manage_key_perms;
allow logrotate_t self:fifo_file rw_fifo_file_perms;
+allow logrotate_t self:unix_dgram_socket create_socket_perms;
+allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
allow logrotate_t self:unix_dgram_socket sendto;
-allow logrotate_t self:unix_stream_socket { accept connectto listen };
+allow logrotate_t self:unix_stream_socket connectto;
+allow logrotate_t self:netlink_selinux_socket create_socket_perms;
allow logrotate_t self:shm create_shm_perms;
allow logrotate_t self:sem create_sem_perms;
allow logrotate_t self:msgq create_msgq_perms;
@@ -48,36 +77,54 @@ allow logrotate_t self:msg { send receive };
allow logrotate_t logrotate_lock_t:file manage_file_perms;
files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
+can_exec(logrotate_t, logrotate_tmp_t)
+
manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
+# for /var/lib/logrotate.status and /var/lib/logcheck
create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
-can_exec(logrotate_t, logrotate_tmp_t)
-
kernel_read_system_state(logrotate_t)
kernel_read_kernel_sysctls(logrotate_t)
+dev_read_urand(logrotate_t)
+dev_read_sysfs(logrotate_t)
+dev_write_kmsg(logrotate_t)
+
+fs_search_auto_mountpoints(logrotate_t)
+fs_getattr_all_fs(logrotate_t)
+fs_list_inotifyfs(logrotate_t)
+fs_dontaudit_getattr_nsfs_files(logrotate_t)
+
+mls_file_read_all_levels(logrotate_t)
+mls_file_write_all_levels(logrotate_t)
+mls_file_upgrade(logrotate_t)
+mls_process_write_to_clearance(logrotate_t)
+
+selinux_get_fs_mount(logrotate_t)
+selinux_get_enforce_mode(logrotate_t)
+
+# Run helper programs.
corecmd_exec_bin(logrotate_t)
corecmd_exec_shell(logrotate_t)
corecmd_getattr_all_executables(logrotate_t)
-dev_read_urand(logrotate_t)
-
domain_signal_all_domains(logrotate_t)
domain_use_interactive_fds(logrotate_t)
domain_getattr_all_entry_files(logrotate_t)
+# Read /proc/PID directories for all domains.
domain_read_all_domains_state(logrotate_t)
-files_read_usr_files(logrotate_t)
files_read_etc_runtime_files(logrotate_t)
files_read_all_pids(logrotate_t)
files_search_all(logrotate_t)
files_read_var_lib_files(logrotate_t)
+# Write to /var/spool/slrnpull - should be moved into its own type.
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
@@ -95,32 +142,58 @@ mls_process_write_to_clearance(logrotate_t)
selinux_get_fs_mount(logrotate_t)
selinux_get_enforce_mode(logrotate_t)
+application_exec_all(logrotate_t)
+
+auth_domtrans_chk_passwd(logrotate_t)
auth_manage_login_records(logrotate_t)
auth_use_nsswitch(logrotate_t)
init_all_labeled_script_domtrans(logrotate_t)
+init_reload_services(logrotate_t)
+init_reload_transient_unit(logrotate_t)
logging_manage_all_logs(logrotate_t)
logging_send_syslog_msg(logrotate_t)
logging_send_audit_msgs(logrotate_t)
+# cjp: why is this needed?
logging_exec_all_logs(logrotate_t)
+logging_systemctl_syslogd(logrotate_t)
+
+systemd_exec_systemctl(logrotate_t)
+systemd_getattr_unit_files(logrotate_t)
+systemd_start_all_unit_files(logrotate_t)
+systemd_reload_all_services(logrotate_t)
+systemd_status_all_unit_files(logrotate_t)
+systemd_dbus_chat_logind(logrotate_t)
+init_stream_connect(logrotate_t)
+init_reload_transient_unit(logrotate_t)
-miscfiles_read_localization(logrotate_t)
+miscfiles_read_hwdata(logrotate_t)
-seutil_dontaudit_read_config(logrotate_t)
+term_dontaudit_use_unallocated_ttys(logrotate_t)
-userdom_use_user_terminals(logrotate_t)
+userdom_use_inherited_user_terminals(logrotate_t)
userdom_list_user_home_dirs(logrotate_t)
userdom_use_unpriv_users_fds(logrotate_t)
+userdom_list_admin_dir(logrotate_t)
+userdom_dontaudit_getattr_user_home_content(logrotate_t)
-mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
+tunable_policy(`logrotate_use_nfs',`
+ fs_manage_nfs_files(logrotate_t)
+ fs_manage_nfs_dirs(logrotate_t)
+ fs_manage_nfs_symlinks(logrotate_t)
+')
-ifdef(`distro_debian',`
+ifdef(`distro_debian', `
allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
+ # for savelog
can_exec(logrotate_t, logrotate_exec_t)
- logging_check_exec_syslog(logrotate_t)
+ # for syslogd-listfiles
logging_read_syslog_config(logrotate_t)
+
+ # for "test -x /sbin/syslogd"
+ logging_check_exec_syslog(logrotate_t)
')
optional_policy(`
@@ -135,16 +208,17 @@ optional_policy(`
optional_policy(`
apache_read_config(logrotate_t)
+ apache_read_sys_content_rw_dirs(logrotate_t)
apache_domtrans(logrotate_t)
apache_signull(logrotate_t)
')
optional_policy(`
- asterisk_domtrans(logrotate_t)
+ awstats_domtrans(logrotate_t)
')
optional_policy(`
- awstats_domtrans(logrotate_t)
+ asterisk_domtrans(logrotate_t)
')
optional_policy(`
@@ -170,6 +244,11 @@ optional_policy(`
')
optional_policy(`
+ dbus_system_bus_client(logrotate_t)
+')
+
+optional_policy(`
+ fail2ban_domtrans_client(logrotate_t)
fail2ban_stream_connect(logrotate_t)
')
@@ -178,7 +257,8 @@ optional_policy(`
')
optional_policy(`
- chronyd_read_key_files(logrotate_t)
+ chronyd_read_keys(logrotate_t)
+ chronyd_manage_pid(logrotate_t)
')
optional_policy(`
@@ -198,17 +278,18 @@ optional_policy(`
')
optional_policy(`
+ mysql_read_home_content(logrotate_t)
mysql_read_config(logrotate_t)
+ mysql_search_db(logrotate_t)
mysql_stream_connect(logrotate_t)
')
optional_policy(`
- openvswitch_read_pid_files(logrotate_t)
- openvswitch_domtrans(logrotate_t)
+ polipo_named_filetrans_log_files(logrotate_t)
')
optional_policy(`
- polipo_log_filetrans_log(logrotate_t, file, "polipo")
+ prosody_stream_connect(logrotate_t)
')
optional_policy(`
@@ -216,6 +297,14 @@ optional_policy(`
')
optional_policy(`
+ rabbitmq_domtrans(logrotate_t)
+')
+
+optional_policy(`
+ raid_domtrans_mdadm(logrotate_t)
+')
+
+optional_policy(`
samba_exec_log(logrotate_t)
')
@@ -228,26 +317,50 @@ optional_policy(`
')
optional_policy(`
+ openshift_manage_lib_files(logrotate_t)
+')
+
+optional_policy(`
+ openvswitch_read_pid_files(logrotate_t)
+ openvswitch_domtrans(logrotate_t)
+')
+
+optional_policy(`
squid_domtrans(logrotate_t)
+ squid_read_config(logrotate_t)
')
optional_policy(`
+ #Red Hat bug 564565
su_exec(logrotate_t)
')
optional_policy(`
+ rpm_read_cache(logrotate_t)
+')
+
+optional_policy(`
varnishd_manage_log(logrotate_t)
')
+optional_policy(`
+ virt_manage_cache(logrotate_t)
+')
+
+
+optional_policy(`
+ tunable_policy(`logrotate_read_inside_containers',`
+ virt_read_sandbox_files(logrotate_t)
+ ')
+')
+
#######################################
#
-# Mail local policy
+# logrotate_mail local policy
#
-allow logrotate_mail_t logrotate_t:fd use;
-allow logrotate_mail_t logrotate_t:fifo_file rw_fifo_file_perms;
-allow logrotate_mail_t logrotate_t:process sigchld;
-
-manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
-
+mta_base_mail_template(logrotate)
+mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
+role system_r types logrotate_mail_t;
logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
diff --git a/logwatch.if b/logwatch.if
index 06c3d36ca..2bb771f02 100644
--- a/logwatch.if
+++ b/logwatch.if
@@ -37,3 +37,21 @@ interface(`logwatch_search_cache_dir',`
files_search_var($1)
allow $1 logwatch_cache_t:dir search_dir_perms;
')
+
+#######################################
+## <summary>
+## Dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`logwatch_dontaudit_leaks',`
+ gen_require(`
+ type logwatch_t;
+ ')
+
+ dontaudit $1 logwatch_t:fifo_file { read write };
+')
diff --git a/logwatch.te b/logwatch.te
index ab650340c..433d37810 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -15,7 +15,8 @@ gen_tunable(logwatch_can_network_connect_mail, false)
type logwatch_t;
type logwatch_exec_t;
-init_system_domain(logwatch_t, logwatch_exec_t)
+init_daemon_domain(logwatch_t, logwatch_exec_t)
+application_domain(logwatch_t, logwatch_exec_t)
type logwatch_cache_t;
files_type(logwatch_cache_t)
@@ -37,7 +38,7 @@ role system_r types logwatch_mail_t;
# Local policy
#
-allow logwatch_t self:capability { dac_override dac_read_search setgid };
+allow logwatch_t self:capability { dac_read_search setgid };
allow logwatch_t self:process signal;
allow logwatch_t self:fifo_file rw_fifo_file_perms;
allow logwatch_t self:unix_stream_socket { accept listen };
@@ -45,7 +46,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
-allow logwatch_t logwatch_lock_t:file manage_file_perms;
+manage_files_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t)
+manage_dirs_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t)
files_lock_filetrans(logwatch_t, logwatch_lock_t, file)
manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
@@ -61,6 +63,11 @@ kernel_read_system_state(logwatch_t)
kernel_read_net_sysctls(logwatch_t)
kernel_read_network_state(logwatch_t)
+corenet_all_recvfrom_unlabeled(logwatch_t)
+corenet_all_recvfrom_netlabel(logwatch_t)
+corenet_tcp_sendrecv_generic_if(logwatch_t)
+corenet_tcp_sendrecv_generic_node(logwatch_t)
+
corecmd_exec_bin(logwatch_t)
corecmd_exec_shell(logwatch_t)
@@ -75,10 +82,11 @@ files_list_var(logwatch_t)
files_search_all(logwatch_t)
files_read_var_symlinks(logwatch_t)
files_read_etc_runtime_files(logwatch_t)
-files_read_usr_files(logwatch_t)
+files_read_system_conf_files(logwatch_t)
fs_getattr_all_dirs(logwatch_t)
fs_getattr_all_fs(logwatch_t)
+fs_getattr_all_dirs(logwatch_t)
fs_dontaudit_list_auto_mountpoints(logwatch_t)
fs_list_inotifyfs(logwatch_t)
@@ -100,23 +108,16 @@ libs_read_lib_files(logwatch_t)
logging_read_all_logs(logwatch_t)
logging_send_syslog_msg(logwatch_t)
-miscfiles_read_localization(logwatch_t)
+miscfiles_read_hwdata(logwatch_t)
selinux_dontaudit_getattr_dir(logwatch_t)
sysnet_exec_ifconfig(logwatch_t)
-userdom_dontaudit_search_user_home_dirs(logwatch_t)
-
mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
mta_getattr_spool(logwatch_t)
tunable_policy(`logwatch_can_network_connect_mail',`
- corenet_all_recvfrom_unlabeled(logwatch_t)
- corenet_all_recvfrom_netlabel(logwatch_t)
- corenet_tcp_sendrecv_generic_if(logwatch_t)
- corenet_tcp_sendrecv_generic_node(logwatch_t)
-
corenet_sendrecv_smtp_client_packets(logwatch_t)
corenet_tcp_connect_smtp_port(logwatch_t)
corenet_tcp_sendrecv_smtp_port(logwatch_t)
@@ -160,6 +161,12 @@ optional_policy(`
')
optional_policy(`
+ raid_domtrans_mdadm(logwatch_t)
+ raid_access_check_mdadm(logwatch_t)
+ raid_read_conf_files(logwatch_t)
+')
+
+optional_policy(`
rpc_search_nfs_state_data(logwatch_t)
')
@@ -173,7 +180,7 @@ optional_policy(`
# Mail local policy
#
-allow logwatch_mail_t self:capability { dac_read_search dac_override };
+allow logwatch_mail_t self:capability { dac_read_search };
allow logwatch_mail_t logwatch_t:fd use;
allow logwatch_mail_t logwatch_t:fifo_file rw_fifo_file_perms;
@@ -187,6 +194,19 @@ dev_read_sysfs(logwatch_mail_t)
logging_read_all_logs(logwatch_mail_t)
+mta_read_home(logwatch_mail_t)
+mta_filetrans_home_content(logwatch_mail_t)
+mta_filetrans_admin_home_content(logwatch_mail_t)
+
optional_policy(`
cron_use_system_job_fds(logwatch_mail_t)
')
+
+optional_policy(`
+ courier_stream_connect_authdaemon(logwatch_mail_t)
+')
+
+optional_policy(`
+ qmail_domtrans_inject(logwatch_mail_t)
+ qmail_domtrans_queue(logwatch_mail_t)
+')
diff --git a/lpd.fc b/lpd.fc
index 2fb9b2ec2..08974e376 100644
--- a/lpd.fc
+++ b/lpd.fc
@@ -19,6 +19,7 @@
/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
diff --git a/lpd.if b/lpd.if
index 62563717b..ce2acb881 100644
--- a/lpd.if
+++ b/lpd.if
@@ -1,44 +1,49 @@
-## <summary>Line printer daemon.</summary>
+## <summary>Line printer daemon</summary>
########################################
## <summary>
-## Role access for lpd.
+## Role access for lpd
## </summary>
## <param name="role">
## <summary>
-## Role allowed access.
+## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
-## User domain for the role.
+## User domain for the role
## </summary>
## </param>
+## <rolecap/>
#
interface(`lpd_role',`
gen_require(`
attribute_role lpr_roles;
- type lpr_t, lpr_exec_t;
+ type lpr_t, lpr_exec_t, print_spool_t;
')
- ########################################
- #
- # Declarations
- #
+ ########################################
+ #
+ # Declarations
+ #
roleattribute $1 lpr_roles;
- ########################################
- #
- # Policy
- #
+ ########################################
+ #
+ # Policy
+ #
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, lpr_exec_t, lpr_t)
+ dontaudit lpr_t $2:unix_stream_socket { read write };
- allow $2 lpr_t:process { ptrace signal_perms };
ps_process_pattern($2, lpr_t)
+ allow $2 lpr_t:process signal_perms;
- dontaudit lpr_t $2:unix_stream_socket { read write };
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 lpr_t:process ptrace;
+ ')
optional_policy(`
cups_read_config($2)
@@ -60,15 +65,13 @@ interface(`lpd_domtrans_checkpc',`
type checkpc_t, checkpc_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, checkpc_exec_t, checkpc_t)
')
########################################
## <summary>
-## Execute amrecover in the lpd
-## domain, and allow the specified
-## role the lpd domain.
+## Execute amrecover in the lpd domain, and
+## allow the specified role the lpd domain.
## </summary>
## <param name="domain">
## <summary>
@@ -84,16 +87,16 @@ interface(`lpd_domtrans_checkpc',`
#
interface(`lpd_run_checkpc',`
gen_require(`
- attribute_role checkpc_roles;
+ type checkpc_t;
')
lpd_domtrans_checkpc($1)
- roleattribute $2 checkpc_roles;
+ role $2 types checkpc_t;
')
########################################
## <summary>
-## List printer spool directories.
+## List the contents of the printer spool directories.
## </summary>
## <param name="domain">
## <summary>
@@ -112,7 +115,7 @@ interface(`lpd_list_spool',`
########################################
## <summary>
-## Read printer spool files.
+## Read the printer spool files.
## </summary>
## <param name="domain">
## <summary>
@@ -131,8 +134,7 @@ interface(`lpd_read_spool',`
########################################
## <summary>
-## Create, read, write, and delete
-## printer spool content.
+## Create, read, write, and delete printer spool files.
## </summary>
## <param name="domain">
## <summary>
@@ -149,11 +151,12 @@ interface(`lpd_manage_spool',`
manage_dirs_pattern($1, print_spool_t, print_spool_t)
manage_files_pattern($1, print_spool_t, print_spool_t)
manage_lnk_files_pattern($1, print_spool_t, print_spool_t)
+ manage_fifo_files_pattern($1, print_spool_t, print_spool_t)
')
########################################
## <summary>
-## Relabel spool files.
+## Relabel from and to the spool files.
## </summary>
## <param name="domain">
## <summary>
@@ -172,7 +175,7 @@ interface(`lpd_relabel_spool',`
########################################
## <summary>
-## Read printer configuration files.
+## List the contents of the printer spool directories.
## </summary>
## <param name="domain">
## <summary>
@@ -200,12 +203,11 @@ interface(`lpd_read_config',`
## </summary>
## </param>
#
-template(`lpd_domtrans_lpr',`
+interface(`lpd_domtrans_lpr',`
gen_require(`
type lpr_t, lpr_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, lpr_exec_t, lpr_t)
')
@@ -237,7 +239,8 @@ interface(`lpd_run_lpr',`
########################################
## <summary>
-## Execute lpr in the caller domain.
+## Allow the specified domain to execute lpr
+## in the caller domain.
## </summary>
## <param name="domain">
## <summary>
@@ -250,6 +253,5 @@ interface(`lpd_exec_lpr',`
type lpr_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, lpr_exec_t)
')
diff --git a/lpd.te b/lpd.te
index 39d31640e..1648ef3c7 100644
--- a/lpd.te
+++ b/lpd.te
@@ -48,7 +48,7 @@ userdom_user_tmp_file(lpr_tmp_t)
type print_spool_t;
typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t };
typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t };
-files_type(print_spool_t)
+files_spool_file(print_spool_t)
ubac_constrained(print_spool_t)
type printer_t;
@@ -62,7 +62,7 @@ files_config_file(printconf_t)
# Checkpc local policy
#
-allow checkpc_t self:capability { setgid setuid dac_override };
+allow checkpc_t self:capability { setgid setuid dac_read_search };
allow checkpc_t self:process signal_perms;
allow checkpc_t self:unix_stream_socket create_socket_perms;
allow checkpc_t self:tcp_socket create_socket_perms;
@@ -81,7 +81,6 @@ allow checkpc_t printconf_t:dir list_dir_perms;
kernel_read_system_state(checkpc_t)
-corenet_all_recvfrom_unlabeled(checkpc_t)
corenet_all_recvfrom_netlabel(checkpc_t)
corenet_tcp_sendrecv_generic_if(checkpc_t)
corenet_tcp_sendrecv_generic_node(checkpc_t)
@@ -97,7 +96,6 @@ dev_append_printer(checkpc_t)
domain_use_interactive_fds(checkpc_t)
-files_read_etc_files(checkpc_t)
files_read_etc_runtime_files(checkpc_t)
files_search_pids(checkpc_t)
files_search_spool(checkpc_t)
@@ -107,7 +105,7 @@ init_use_fds(checkpc_t)
sysnet_read_config(checkpc_t)
-userdom_use_user_terminals(checkpc_t)
+userdom_use_inherited_user_terminals(checkpc_t)
optional_policy(`
cron_system_entry(checkpc_t, checkpc_exec_t)
@@ -126,7 +124,7 @@ optional_policy(`
# Lpd local policy
#
-allow lpd_t self:capability { setgid setuid dac_read_search dac_override chown fowner };
+allow lpd_t self:capability { setgid setuid dac_read_search chown fowner };
dontaudit lpd_t self:capability sys_tty_config;
allow lpd_t self:process signal_perms;
allow lpd_t self:fifo_file rw_fifo_file_perms;
@@ -155,7 +153,6 @@ can_exec(lpd_t, printconf_t)
kernel_read_kernel_sysctls(lpd_t)
kernel_read_system_state(lpd_t)
-corenet_all_recvfrom_unlabeled(lpd_t)
corenet_all_recvfrom_netlabel(lpd_t)
corenet_tcp_sendrecv_generic_if(lpd_t)
corenet_tcp_sendrecv_generic_node(lpd_t)
@@ -174,14 +171,12 @@ dev_rw_printer(lpd_t)
domain_use_interactive_fds(lpd_t)
files_read_etc_runtime_files(lpd_t)
-files_read_usr_files(lpd_t)
files_list_world_readable(lpd_t)
files_read_world_readable_files(lpd_t)
files_read_world_readable_symlinks(lpd_t)
files_list_var_lib(lpd_t)
files_read_var_lib_files(lpd_t)
files_read_var_lib_symlinks(lpd_t)
-files_read_etc_files(lpd_t)
files_search_spool(lpd_t)
fs_getattr_all_fs(lpd_t)
@@ -190,7 +185,6 @@ fs_search_auto_mountpoints(lpd_t)
logging_send_syslog_msg(lpd_t)
miscfiles_read_fonts(lpd_t)
-miscfiles_read_localization(lpd_t)
sysnet_read_config(lpd_t)
@@ -214,7 +208,7 @@ optional_policy(`
# Lpr local policy
#
-allow lpr_t self:capability { setuid dac_override net_bind_service chown };
+allow lpr_t self:capability { setuid dac_read_search net_bind_service chown };
allow lpr_t self:unix_stream_socket { accept listen };
allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
@@ -224,7 +218,6 @@ can_exec(lpr_t, lpr_exec_t)
kernel_read_crypto_sysctls(lpr_t)
kernel_read_kernel_sysctls(lpr_t)
-corenet_all_recvfrom_unlabeled(lpr_t)
corenet_all_recvfrom_netlabel(lpr_t)
corenet_tcp_sendrecv_generic_if(lpr_t)
corenet_tcp_sendrecv_generic_node(lpr_t)
@@ -239,7 +232,6 @@ dev_read_urand(lpr_t)
domain_use_interactive_fds(lpr_t)
files_search_spool(lpr_t)
-files_read_usr_files(lpr_t)
files_list_home(lpr_t)
fs_getattr_all_fs(lpr_t)
@@ -249,23 +241,27 @@ term_use_generic_ptys(lpr_t)
auth_use_nsswitch(lpr_t)
-logging_send_syslog_msg(lpr_t)
-
miscfiles_read_fonts(lpr_t)
-miscfiles_read_localization(lpr_t)
userdom_read_user_tmp_symlinks(lpr_t)
-userdom_use_user_terminals(lpr_t)
+# Write to the user domain tty.
+userdom_use_inherited_user_terminals(lpr_t)
userdom_read_user_home_content_files(lpr_t)
userdom_read_user_tmp_files(lpr_t)
+userdom_write_user_tmp_sockets(lpr_t)
+userdom_stream_connect(lpr_t)
tunable_policy(`use_lpd_server',`
- allow lpr_t lpd_t:process signal;
-
- write_sock_files_pattern(lpr_t, lpd_var_run_t, lpd_var_run_t)
+ # lpr can run in lightweight mode, without a local print spooler.
+ allow lpr_t lpd_var_run_t:dir search_dir_perms;
+ allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms;
files_read_var_files(lpr_t)
+ # Connect to lpd via a Unix domain socket.
+ allow lpr_t printer_t:sock_file read_sock_file_perms;
stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t)
+ # Send SIGHUP to lpd.
+ allow lpr_t lpd_t:process signal;
manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
@@ -279,17 +275,7 @@ tunable_policy(`use_lpd_server',`
allow lpr_t printconf_t:lnk_file read_lnk_file_perms;
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_list_auto_mountpoints(lpr_t)
- fs_read_nfs_files(lpr_t)
- fs_read_nfs_symlinks(lpr_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_list_auto_mountpoints(lpr_t)
- fs_read_cifs_files(lpr_t)
- fs_read_cifs_symlinks(lpr_t)
-')
+userdom_home_reader(lpr_t)
optional_policy(`
cups_read_config(lpr_t)
@@ -298,5 +284,13 @@ optional_policy(`
')
optional_policy(`
- gnome_stream_connect_all_gkeyringd(lpr_t)
+ gnome_stream_connect_gkeyringd(lpr_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(lpr_t)
+')
+
+optional_policy(`
+ mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
')
diff --git a/lsm.fc b/lsm.fc
index c45573053..6e1466794 100644
--- a/lsm.fc
+++ b/lsm.fc
@@ -1,3 +1,7 @@
/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
+/usr/bin/.*_lsmplugin -- gen_context(system_u:object_r:lsmd_plugin_exec_t,s0)
+
+/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0)
+
/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0)
diff --git a/lsm.if b/lsm.if
index d3143334d..27ede090c 100644
--- a/lsm.if
+++ b/lsm.if
@@ -1,25 +1,86 @@
-## <summary>Storage array management library.</summary>
+
+## <summary>libStorageMgmt plug-in daemon </summary>
########################################
## <summary>
-## All of the rules required to administrate
-## an lsmd environment.
+## Execute TEMPLATE in the lsmd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lsmd_domtrans',`
+ gen_require(`
+ type lsmd_t, lsmd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, lsmd_exec_t, lsmd_t)
+')
+########################################
+## <summary>
+## Read lsmd PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+#
+interface(`lsmd_read_pid_files',`
+ gen_require(`
+ type lsmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute lsmd server in the lsmd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lsmd_systemctl',`
+ gen_require(`
+ type lsmd_t;
+ type lsmd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 lsmd_unit_file_t:file read_file_perms;
+ allow $1 lsmd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, lsmd_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an lsmd environment
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`lsmd_admin',`
gen_require(`
- type lsmd_t, type lsmd_var_run_t;
+ type lsmd_t;
+ type lsmd_var_run_t;
+ type lsmd_unit_file_t;
')
allow $1 lsmd_t:process { ptrace signal_perms };
@@ -27,4 +88,13 @@ interface(`lsmd_admin',`
files_search_pids($1)
admin_pattern($1, lsmd_var_run_t)
+
+ lsmd_systemctl($1)
+ admin_pattern($1, lsmd_unit_file_t)
+ allow $1 lsmd_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/lsm.te b/lsm.te
index 4ec0eea30..1400ca864 100644
--- a/lsm.te
+++ b/lsm.te
@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
#
# Declarations
#
+## <desc>
+## <p>
+## Determine whether lsmd_plugin can
+## connect to all TCP ports.
+## </p>
+## </desc>
+gen_tunable(lsmd_plugin_connect_any, false)
type lsmd_t;
type lsmd_exec_t;
@@ -12,12 +19,23 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
type lsmd_var_run_t;
files_pid_file(lsmd_var_run_t)
+type lsmd_unit_file_t;
+systemd_unit_file(lsmd_unit_file_t)
+
+type lsmd_plugin_t;
+type lsmd_plugin_exec_t;
+application_domain(lsmd_plugin_t, lsmd_plugin_exec_t)
+role system_r types lsmd_plugin_t;
+
+type lsmd_plugin_tmp_t;
+files_tmp_file(lsmd_plugin_tmp_t)
+
########################################
#
# Local policy
#
-allow lsmd_t self:capability setgid;
+allow lsmd_t self:capability { setuid setgid };
allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
@@ -26,4 +44,72 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
+auth_use_nsswitch(lsmd_t)
+
+corecmd_exec_bin(lsmd_t)
+corecmd_getattr_all_executables(lsmd_t)
+
logging_send_syslog_msg(lsmd_t)
+
+########################################
+#
+# Local lsmd plugin policy
+#
+
+allow lsmd_plugin_t self:udp_socket create_socket_perms;
+allow lsmd_plugin_t self:tcp_socket create_stream_socket_perms;
+allow lsmd_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow lsmd_plugin_t self:capability { sys_admin sys_rawio } ;
+
+domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)
+allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write };
+
+allow lsmd_t lsmd_plugin_exec_t:file read_file_perms;
+stream_connect_pattern(lsmd_plugin_t, lsmd_var_run_t, lsmd_var_run_t, lsmd_t)
+
+manage_files_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
+manage_dirs_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
+files_tmp_filetrans(lsmd_plugin_t, lsmd_plugin_tmp_t, { file dir })
+
+tunable_policy(`lsmd_plugin_connect_any',`
+ corenet_tcp_connect_all_ports(lsmd_plugin_t)
+ corenet_sendrecv_all_packets(lsmd_plugin_t)
+ corenet_tcp_sendrecv_all_ports(lsmd_plugin_t)
+')
+
+kernel_read_system_state(lsmd_plugin_t)
+
+auth_read_passwd(lsmd_plugin_t)
+
+dev_read_urand(lsmd_plugin_t)
+dev_read_sysfs(lsmd_plugin_t)
+dev_getattr_sysfs_fs(lsmd_plugin_t)
+
+corecmd_exec_bin(lsmd_plugin_t)
+
+corenet_tcp_connect_http_port(lsmd_plugin_t)
+corenet_tcp_connect_http_cache_port(lsmd_plugin_t)
+corenet_tcp_connect_lsm_plugin_port(lsmd_plugin_t)
+corenet_tcp_connect_pegasus_https_port(lsmd_plugin_t)
+corenet_tcp_connect_pegasus_http_port(lsmd_plugin_t)
+corenet_tcp_connect_ssh_port(lsmd_plugin_t)
+
+auth_use_nsswitch(lsmd_plugin_t)
+
+init_stream_connect(lsmd_plugin_t)
+init_dontaudit_rw_stream_socket(lsmd_plugin_t)
+
+libs_exec_ldconfig(lsmd_plugin_t)
+
+logging_send_syslog_msg(lsmd_plugin_t)
+
+miscfiles_read_certs(lsmd_plugin_t)
+miscfiles_read_hwdata(lsmd_plugin_t)
+
+sysnet_read_config(lsmd_plugin_t)
+
+storage_raw_rw_fixed_disk(lsmd_plugin_t)
+storage_create_fixed_disk_dev(lsmd_plugin_t)
+storage_read_scsi_generic(lsmd_plugin_t)
+storage_write_scsi_generic(lsmd_plugin_t)
+storage_dev_filetrans_named_fixed_disk(lsmd_plugin_t)
diff --git a/lttng-tools.fc b/lttng-tools.fc
new file mode 100644
index 000000000..bdd17ca85
--- /dev/null
+++ b/lttng-tools.fc
@@ -0,0 +1,5 @@
+/usr/bin/lttng-sessiond -- gen_context(system_u:object_r:lttng_sessiond_exec_t,s0)
+
+/usr/lib/systemd/system/lttng-sessiond.service -- gen_context(system_u:object_r:lttng_sessiond_unit_file_t,s0)
+
+/var/run/lttng(/.*)? gen_context(system_u:object_r:lttng_sessiond_var_run_t,s0)
diff --git a/lttng-tools.if b/lttng-tools.if
new file mode 100644
index 000000000..e86897d29
--- /dev/null
+++ b/lttng-tools.if
@@ -0,0 +1,117 @@
+
+## <summary>LTTng 2.x central tracing registry session daemon.</summary>
+
+########################################
+## <summary>
+## Execute lttng_sessiond_exec_t in the lttng_sessiond domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lttng_sessiond_domtrans',`
+ gen_require(`
+ type lttng_sessiond_t, lttng_sessiond_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, lttng_sessiond_exec_t, lttng_sessiond_t)
+')
+
+######################################
+## <summary>
+## Execute lttng_sessiond in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lttng_sessiond_exec',`
+ gen_require(`
+ type lttng_sessiond_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, lttng_sessiond_exec_t)
+')
+
+########################################
+## <summary>
+## Execute lttng_sessiond server in the lttng_sessiond domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lttng_sessiond_systemctl',`
+ gen_require(`
+ type lttng_sessiond_t;
+ type lttng_sessiond_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 lttng_sessiond_unit_file_t:file read_file_perms;
+ allow $1 lttng_sessiond_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, lttng_sessiond_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an lttng_sessiond environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lttng_sessiond_admin',`
+ gen_require(`
+ type lttng_sessiond_t;
+ type lttng_sessiond_unit_file_t;
+ ')
+
+ allow $1 lttng_sessiond_t:process { signal_perms };
+ ps_process_pattern($1, lttng_sessiond_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 lttng_sessiond_t:process ptrace;
+ ')
+
+ lttng_sessiond_systemctl($1)
+ admin_pattern($1, lttng_sessiond_unit_file_t)
+ allow $1 lttng_sessiond_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
+
+########################################
+## <summary>
+## Read and write lttng-tools shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lttng_read_shm',`
+ gen_require(`
+ type lttng_sessiond_tmpfs_t;
+ ')
+
+ read_files_pattern($1, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t)
+ fs_search_tmpfs($1)
+')
diff --git a/lttng-tools.te b/lttng-tools.te
new file mode 100644
index 000000000..1d2ca2224
--- /dev/null
+++ b/lttng-tools.te
@@ -0,0 +1,60 @@
+policy_module(lttng-tools, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type lttng_sessiond_t;
+type lttng_sessiond_exec_t;
+init_daemon_domain(lttng_sessiond_t, lttng_sessiond_exec_t)
+
+type lttng_sessiond_tmpfs_t;
+files_tmpfs_file(lttng_sessiond_tmpfs_t)
+
+type lttng_sessiond_var_run_t;
+files_pid_file(lttng_sessiond_var_run_t)
+
+type lttng_sessiond_unit_file_t;
+systemd_unit_file(lttng_sessiond_unit_file_t)
+
+########################################
+#
+# lttng_sessiond local policy
+#
+
+allow lttng_sessiond_t self:capability { chown setgid setuid fsetid net_admin sys_resource };
+allow lttng_sessiond_t self:capability2 block_suspend;
+allow lttng_sessiond_t self:process { setrlimit signal_perms };
+allow lttng_sessiond_t self:fifo_file rw_fifo_file_perms;
+allow lttng_sessiond_t self:tcp_socket listen;
+allow lttng_sessiond_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t)
+manage_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t)
+manage_lnk_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t)
+manage_sock_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t)
+files_pid_filetrans(lttng_sessiond_t, lttng_sessiond_var_run_t, { dir })
+
+manage_dirs_pattern(lttng_sessiond_t, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t)
+manage_files_pattern(lttng_sessiond_t, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t)
+fs_tmpfs_filetrans(lttng_sessiond_t, lttng_sessiond_tmpfs_t, { dir file })
+
+kernel_read_system_state(lttng_sessiond_t)
+kernel_read_net_sysctls(lttng_sessiond_t)
+kernel_read_fs_sysctls(lttng_sessiond_t)
+
+corecmd_exec_shell(lttng_sessiond_t)
+
+corenet_tcp_bind_generic_node(lttng_sessiond_t)
+corenet_tcp_bind_lltng_port(lttng_sessiond_t)
+
+dev_read_sysfs(lttng_sessiond_t)
+
+fs_getattr_tmpfs(lttng_sessiond_t)
+
+auth_use_nsswitch(lttng_sessiond_t)
+
+modutils_exec_insmod(lttng_sessiond_t)
+modutils_read_module_config(lttng_sessiond_t)
+files_read_kernel_modules(lttng_sessiond_t)
diff --git a/mailman.fc b/mailman.fc
index 995d0a5d3..3d40d59d2 100644
--- a/mailman.fc
+++ b/mailman.fc
@@ -2,10 +2,12 @@
/etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
+/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-/var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
+/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
/var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
/var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0)
diff --git a/mailman.if b/mailman.if
index 108c0f1f5..a2485018e 100644
--- a/mailman.if
+++ b/mailman.if
@@ -1,44 +1,70 @@
-## <summary>Manage electronic mail discussion and e-newsletter lists.</summary>
+## <summary>Mailman is for managing electronic mail discussion and e-newsletter lists</summary>
#######################################
## <summary>
-## The template to define a mailman domain.
+## The template to define a mailmain domain.
## </summary>
-## <param name="domain_prefix">
+## <desc>
+## <p>
+## This template creates a domain to be used for
+## a new mailman daemon.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
## <summary>
-## Domain prefix to be used.
+## The type of daemon to be used eg, cgi would give mailman_cgi_
## </summary>
## </param>
#
-template(`mailman_domain_template',`
- gen_require(`
- attribute mailman_domain;
- ')
+template(`mailman_domain_template', `
- ########################################
- #
- # Declarations
- #
+ ########################################
+ #
+ # Declarations
+ #
- type mailman_$1_t;
- type mailman_$1_exec_t;
+ gen_require(`
+ attribute mailman_domain;
+ ')
+
+ type mailman_$1_t, mailman_domain;
domain_type(mailman_$1_t)
+ type mailman_$1_exec_t;
domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
role system_r types mailman_$1_t;
type mailman_$1_tmp_t;
files_tmp_file(mailman_$1_tmp_t)
- ####################################
- #
- # Policy
- #
+ ####################################
+ #
+ # Policy
+ #
manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
+ kernel_read_system_state(mailman_$1_t)
+
+ corenet_all_recvfrom_unlabeled(mailman_$1_t)
+ corenet_all_recvfrom_netlabel(mailman_$1_t)
+ corenet_tcp_sendrecv_generic_if(mailman_$1_t)
+ corenet_udp_sendrecv_generic_if(mailman_$1_t)
+ corenet_raw_sendrecv_generic_if(mailman_$1_t)
+ corenet_tcp_sendrecv_generic_node(mailman_$1_t)
+ corenet_udp_sendrecv_generic_node(mailman_$1_t)
+ corenet_raw_sendrecv_generic_node(mailman_$1_t)
+ corenet_tcp_sendrecv_all_ports(mailman_$1_t)
+ corenet_udp_sendrecv_all_ports(mailman_$1_t)
+ corenet_tcp_bind_generic_node(mailman_$1_t)
+ corenet_udp_bind_generic_node(mailman_$1_t)
+ corenet_tcp_connect_smtp_port(mailman_$1_t)
+ corenet_sendrecv_smtp_client_packets(mailman_$1_t)
+
auth_use_nsswitch(mailman_$1_t)
+
+ logging_send_syslog_msg(mailman_$1_t)
')
#######################################
@@ -56,15 +82,12 @@ interface(`mailman_domtrans',`
type mailman_mail_exec_t, mailman_mail_t;
')
- libs_search_lib($1)
domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t)
')
########################################
## <summary>
-## Execute the mailman program in the
-## mailman domain and allow the
-## specified role the mailman domain.
+## Execute the mailman program in the mailman domain.
## </summary>
## <param name="domain">
## <summary>
@@ -73,18 +96,18 @@ interface(`mailman_domtrans',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to allow the mailman domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`mailman_run',`
gen_require(`
- attribute_role mailman_roles;
+ type mailman_mail_t;
')
mailman_domtrans($1)
- roleattribute $2 mailman_roles;
+ role $2 types mailman_mail_t;
')
#######################################
@@ -103,7 +126,6 @@ interface(`mailman_domtrans_cgi',`
type mailman_cgi_exec_t, mailman_cgi_t;
')
- libs_search_lib($1)
domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t)
')
@@ -122,13 +144,12 @@ interface(`mailman_exec',`
type mailman_mail_exec_t;
')
- libs_search_lib($1)
can_exec($1, mailman_mail_exec_t)
')
#######################################
## <summary>
-## Send generic signals to mailman cgi.
+## Send generic signals to the mailman cgi domain.
## </summary>
## <param name="domain">
## <summary>
@@ -146,7 +167,7 @@ interface(`mailman_signal_cgi',`
#######################################
## <summary>
-## Search mailman data directories.
+## Allow domain to search data directories.
## </summary>
## <param name="domain">
## <summary>
@@ -159,13 +180,12 @@ interface(`mailman_search_data',`
type mailman_data_t;
')
- files_search_spool($1)
allow $1 mailman_data_t:dir search_dir_perms;
')
#######################################
## <summary>
-## Read mailman data content.
+## Allow domain to to read mailman data files.
## </summary>
## <param name="domain">
## <summary>
@@ -178,7 +198,6 @@ interface(`mailman_read_data_files',`
type mailman_data_t;
')
- files_search_spool($1)
list_dirs_pattern($1, mailman_data_t, mailman_data_t)
read_files_pattern($1, mailman_data_t, mailman_data_t)
read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
@@ -186,8 +205,8 @@ interface(`mailman_read_data_files',`
#######################################
## <summary>
-## Create, read, write, and delete
-## mailman data files.
+## Allow domain to to create mailman data files
+## and write the directory.
## </summary>
## <param name="domain">
## <summary>
@@ -200,14 +219,13 @@ interface(`mailman_manage_data_files',`
type mailman_data_t;
')
- files_search_spool($1)
manage_dirs_pattern($1, mailman_data_t, mailman_data_t)
manage_files_pattern($1, mailman_data_t, mailman_data_t)
')
#######################################
## <summary>
-## List mailman data directories.
+## List the contents of mailman data directories.
## </summary>
## <param name="domain">
## <summary>
@@ -220,13 +238,12 @@ interface(`mailman_list_data',`
type mailman_data_t;
')
- files_search_spool($1)
allow $1 mailman_data_t:dir list_dir_perms;
')
#######################################
## <summary>
-## Read mailman data symbolic links.
+## Allow read acces to mailman data symbolic links.
## </summary>
## <param name="domain">
## <summary>
@@ -244,7 +261,7 @@ interface(`mailman_read_data_symlinks',`
#######################################
## <summary>
-## Read mailman log files.
+## Read mailman logs.
## </summary>
## <param name="domain">
## <summary>
@@ -257,13 +274,12 @@ interface(`mailman_read_log',`
type mailman_log_t;
')
- logging_search_logs($1)
read_files_pattern($1, mailman_log_t, mailman_log_t)
')
#######################################
## <summary>
-## Append mailman log files.
+## Append to mailman logs.
## </summary>
## <param name="domain">
## <summary>
@@ -276,14 +292,13 @@ interface(`mailman_append_log',`
type mailman_log_t;
')
- logging_search_logs($1)
append_files_pattern($1, mailman_log_t, mailman_log_t)
')
#######################################
## <summary>
## Create, read, write, and delete
-## mailman log content.
+## mailman logs.
## </summary>
## <param name="domain">
## <summary>
@@ -296,14 +311,13 @@ interface(`mailman_manage_log',`
type mailman_log_t;
')
- logging_search_logs($1)
manage_files_pattern($1, mailman_log_t, mailman_log_t)
manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t)
')
#######################################
## <summary>
-## Read mailman archive content.
+## Allow domain to read mailman archive files.
## </summary>
## <param name="domain">
## <summary>
@@ -316,7 +330,6 @@ interface(`mailman_read_archive',`
type mailman_archive_t;
')
- files_search_var_lib($1)
allow $1 mailman_archive_t:dir list_dir_perms;
read_files_pattern($1, mailman_archive_t, mailman_archive_t)
read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t)
@@ -324,8 +337,7 @@ interface(`mailman_read_archive',`
#######################################
## <summary>
-## Execute mailman_queue in the
-## mailman_queue domain.
+## Execute mailman_queue in the mailman_queue domain.
## </summary>
## <param name="domain">
## <summary>
@@ -338,6 +350,5 @@ interface(`mailman_domtrans_queue',`
type mailman_queue_exec_t, mailman_queue_t;
')
- libs_search_lib($1)
domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
')
diff --git a/mailman.te b/mailman.te
index ac81c7fa9..b01b07ac3 100644
--- a/mailman.te
+++ b/mailman.te
@@ -4,6 +4,12 @@ policy_module(mailman, 1.10.0)
#
# Declarations
#
+## <desc>
+## <p>
+## Allow mailman to access FUSE file systems
+## </p>
+## </desc>
+gen_tunable(mailman_use_fusefs, false)
attribute mailman_domain;
@@ -50,16 +56,11 @@ manage_lnk_files_pattern(mailman_domain, mailman_data_t, mailman_data_t)
manage_files_pattern(mailman_domain, mailman_lock_t, mailman_lock_t)
files_lock_filetrans(mailman_domain, mailman_lock_t, file)
-append_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
-create_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
-setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
+manage_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
logging_log_filetrans(mailman_domain, mailman_log_t, file)
kernel_read_kernel_sysctls(mailman_domain)
-kernel_read_system_state(mailman_domain)
-corenet_all_recvfrom_unlabeled(mailman_domain)
-corenet_all_recvfrom_netlabel(mailman_domain)
corenet_tcp_sendrecv_generic_if(mailman_domain)
corenet_tcp_sendrecv_generic_node(mailman_domain)
@@ -82,10 +83,6 @@ fs_getattr_all_fs(mailman_domain)
libs_exec_ld_so(mailman_domain)
libs_exec_lib_files(mailman_domain)
-logging_send_syslog_msg(mailman_domain)
-
-miscfiles_read_localization(mailman_domain)
-
########################################
#
# CGI local policy
@@ -103,7 +100,7 @@ optional_policy(`
apache_dontaudit_append_log(mailman_cgi_t)
apache_search_sys_script_state(mailman_cgi_t)
apache_read_config(mailman_cgi_t)
- apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
+ apache_rw_stream_sockets(mailman_cgi_t)
')
optional_policy(`
@@ -115,20 +112,23 @@ optional_policy(`
# Mail local policy
#
-allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
-allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:capability { kill dac_read_search setuid setgid sys_nice sys_tty_config };
+allow mailman_mail_t self:process { setsched signal signull };
+allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
+can_exec(mailman_mail_t, mailman_mail_exec_t)
+
corenet_sendrecv_innd_client_packets(mailman_mail_t)
corenet_tcp_connect_innd_port(mailman_mail_t)
corenet_tcp_sendrecv_innd_port(mailman_mail_t)
corenet_sendrecv_spamd_client_packets(mailman_mail_t)
-corenet_tcp_connect_spamd_port(mailman_mail_t)
corenet_tcp_sendrecv_spamd_port(mailman_mail_t)
+corenet_tcp_connect_spamd_port(mailman_mail_t)
dev_read_urand(mailman_mail_t)
@@ -142,6 +142,10 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_search_config(mailman_mail_t)
+')
+
+optional_policy(`
cron_read_pipes(mailman_mail_t)
')
@@ -182,3 +186,9 @@ optional_policy(`
optional_policy(`
su_exec(mailman_queue_t)
')
+
+tunable_policy(`mailman_use_fusefs',`
+ fs_manage_fusefs_dirs(mailman_domain)
+ fs_manage_fusefs_files(mailman_domain)
+ fs_manage_fusefs_symlinks(mailman_domain)
+')
diff --git a/mailscanner.if b/mailscanner.if
index 214cb4498..bd1d48e4f 100644
--- a/mailscanner.if
+++ b/mailscanner.if
@@ -2,29 +2,27 @@
########################################
## <summary>
-## Create, read, write, and delete
-## mscan spool content.
+## Execute a domain transition to run
+## MailScanner.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
## </summary>
## </param>
#
-interface(`mscan_manage_spool_content',`
+interface(`mailscanner_initrc_domtrans',`
gen_require(`
- type mscan_spool_t;
+ type mscan_initrc_exec_t;
')
- files_search_spool($1)
- manage_dirs_pattern($1, mscan_spool_t, mscan_spool_t)
- manage_files_pattern($1, mscan_spool_t, mscan_spool_t)
+ init_labeled_script_domtrans($1, mscan_initrc_exec_t)
')
########################################
## <summary>
-## All of the rules required to
-## administrate an mscan environment
+## All of the rules required to administrate
+## an mailscanner environment.
## </summary>
## <param name="domain">
## <summary>
@@ -38,26 +36,26 @@ interface(`mscan_manage_spool_content',`
## </param>
## <rolecap/>
#
-interface(`mscan_admin',`
+interface(`mailscanner_admin',`
gen_require(`
- type mscan_t, mscan_etc_t, mscan_initrc_exec_t;
- type mscan_var_run_t, mscan_spool_t;
+ type mscan_t, mscan_var_run_t, mscan_etc_t;
+ type mscan_initrc_exec_t;
')
- allow $1 mscan_t:process { ptrace signal_perms };
- ps_process_pattern($1, mscan_t)
-
- init_labeled_script_domtrans($1, mscan_initrc_exec_t)
+ mailscanner_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 mscan_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
+ allow $1 mscan_t:process signal_perms;
+ ps_process_pattern($1, mscan_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mscan_t:process ptrace;
+ ')
+
admin_pattern($1, mscan_etc_t)
+ files_list_etc($1)
- files_search_pids($1)
admin_pattern($1, mscan_var_run_t)
-
- files_search_spool($1)
- admin_pattern($1, mscan_spool_t)
+ files_list_pids($1)
')
diff --git a/mailscanner.te b/mailscanner.te
index 6b6e2e130..df90ba417 100644
--- a/mailscanner.te
+++ b/mailscanner.te
@@ -29,11 +29,12 @@ files_pid_file(mscan_var_run_t)
# Local policy
#
-allow mscan_t self:capability { setuid chown setgid dac_override };
+allow mscan_t self:capability { setuid chown setgid dac_read_search };
allow mscan_t self:process signal;
allow mscan_t self:fifo_file rw_fifo_file_perms;
read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
+list_dirs_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t)
files_pid_filetrans(mscan_t, mscan_var_run_t, file)
@@ -72,7 +73,6 @@ corenet_udp_sendrecv_all_ports(mscan_t)
dev_read_urand(mscan_t)
-files_read_usr_files(mscan_t)
fs_getattr_xattr_fs(mscan_t)
@@ -81,10 +81,9 @@ auth_use_nsswitch(mscan_t)
logging_send_syslog_msg(mscan_t)
-miscfiles_read_localization(mscan_t)
-
optional_policy(`
- clamav_domtrans_clamscan(mscan_t)
+ antivirus_domtrans(mscan_t)
+ antivirus_manage_pid(mscan_t)
')
optional_policy(`
@@ -97,5 +96,6 @@ optional_policy(`
')
optional_policy(`
+ spamassassin_read_home_client(mscan_t)
spamassassin_read_lib_files(mscan_t)
')
diff --git a/man2html.fc b/man2html.fc
index 82f625551..368673237 100644
--- a/man2html.fc
+++ b/man2html.fc
@@ -1,5 +1,5 @@
-/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
-/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
-/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
+/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:man2html_script_exec_t,s0)
+/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:man2html_script_exec_t,s0)
+/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:man2html_script_exec_t,s0)
-/var/cache/man2html(/.*)? gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0)
+/var/cache/man2html(/.*)? gen_context(system_u:object_r:man2html_rw_content_t,s0)
diff --git a/man2html.if b/man2html.if
index 54ec04d3b..53eaf61d6 100644
--- a/man2html.if
+++ b/man2html.if
@@ -1 +1,137 @@
## <summary>A Unix manpage-to-HTML converter.</summary>
+
+########################################
+## <summary>
+## Transition to man2html_script.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`man2html_script_domtrans',`
+ gen_require(`
+ type man2html_script_t, man2html_script_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, man2html_script_exec_t, man2html_script_t)
+')
+
+########################################
+## <summary>
+## Search man2html_script content directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`man2html_search_content',`
+ gen_require(`
+ type man2html_content_t;
+ type man2html_rw_content_t;
+ ')
+
+ allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+## <summary>
+## Read man2html cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`man2html_read_content_files',`
+ gen_require(`
+ type man2html_content_t;
+ type man2html_rw_content_t;
+ ')
+
+ files_search_var($1)
+ allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms;
+ read_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
+ read_files_pattern($1, man2html_content_t, man2html_content_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## man2html content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`man2html_manage_content_files',`
+ gen_require(`
+ type man2html_content_t;
+ type man2html_rw_content_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
+ manage_files_pattern($1, man2html_content_t, man2html_content_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## man2html content dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`man2html_manage_content_dirs',`
+ gen_require(`
+ type man2html_content_t;
+ type man2html_rw_content_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
+ manage_dirs_pattern($1, man2html_content_t, man2html_content_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an man2html environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`man2html_admin',`
+ gen_require(`
+ type man2html_script_t;
+ type man2html_rw_content_t;
+ type man2html_content_t;
+ ')
+
+ allow $1 man2html_script_t:process { ptrace signal_perms };
+ ps_process_pattern($1, man2html_script_t)
+
+ files_search_var($1)
+ admin_pattern($1, man2html_content_t)
+ admin_pattern($1, man2html_rw_content_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/man2html.te b/man2html.te
index e08c55d43..24b56e9ee 100644
--- a/man2html.te
+++ b/man2html.te
@@ -5,22 +5,18 @@ policy_module(man2html, 1.0.0)
# Declarations
#
-apache_content_template(man2html)
-
-type httpd_man2html_script_cache_t;
-files_type(httpd_man2html_script_cache_t)
########################################
#
-# Local policy
+# man2html_script local policy
#
-manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, dir)
+optional_policy(`
+ apache_content_template(man2html)
+ apache_content_alias_template(man2html, man2html)
-files_read_etc_files(httpd_man2html_script_t)
+ allow man2html_script_t self:process fork;
-miscfiles_read_localization(httpd_man2html_script_t)
-miscfiles_read_man_pages(httpd_man2html_script_t)
+ typealias man2html_rw_content_t alias man2html_script_cache_t;
+ files_var_filetrans(man2html_script_t, man2html_rw_content_t, { dir file })
+')
diff --git a/mandb.fc b/mandb.fc
index 8ae78b5bf..b365cddec 100644
--- a/mandb.fc
+++ b/mandb.fc
@@ -1 +1,12 @@
+HOME_DIR/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0)
+
/etc/cron\.(daily|weekly)/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
+/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
+/var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0)
+/opt/local/share/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0)
+
+/var/lock/man-db\.lock -- gen_context(system_u:object_r:mandb_lock_t,s0)
+
+/root/.manpath -- gen_context(system_u:object_r:mandb_home_t,s0)
diff --git a/mandb.if b/mandb.if
index 327f3f726..d6ae4eab6 100644
--- a/mandb.if
+++ b/mandb.if
@@ -1,14 +1,14 @@
-## <summary>On-line manual database.</summary>
+
+## <summary>policy for mandb</summary>
########################################
## <summary>
-## Execute the mandb program in
-## the mandb domain.
+## Transition to mandb.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`mandb_domtrans',`
@@ -22,33 +22,45 @@ interface(`mandb_domtrans',`
########################################
## <summary>
-## Execute mandb in the mandb
-## domain, and allow the specified
-## role the mandb domain.
+## Search mandb cache directories.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+#
+interface(`mandb_search_cache',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ allow $1 mandb_cache_t:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+## <summary>
+## Read mandb cache files.
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`mandb_run',`
+interface(`mandb_read_cache_files',`
gen_require(`
- attribute_role mandb_roles;
+ type mandb_cache_t;
')
- lightsquid_domtrans($1)
- roleattribute $2 mandb_roles;
+ files_search_var($1)
+ read_files_pattern($1, mandb_cache_t, mandb_cache_t)
')
########################################
## <summary>
-## Search mandb cache directories.
+## Mmap mandb cache files.
## </summary>
## <param name="domain">
## <summary>
@@ -56,13 +68,17 @@ interface(`mandb_run',`
## </summary>
## </param>
#
-interface(`mandb_search_cache',`
- refpolicywarn(`$0($*) has been deprecated')
+interface(`mandb_map_cache_files',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ allow $1 mandb_cache_t:file map;
')
########################################
## <summary>
-## Delete mandb cache content.
+## Relabel mandb cache files/directories
## </summary>
## <param name="domain">
## <summary>
@@ -70,13 +86,18 @@ interface(`mandb_search_cache',`
## </summary>
## </param>
#
-interface(`mandb_delete_cache_content',`
- refpolicywarn(`$0($*) has been deprecated')
+interface(`mandb_relabel_cache',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ allow $1 mandb_cache_t:dir relabel_dir_perms;
+ allow $1 mandb_cache_t:file relabel_file_perms;
')
########################################
## <summary>
-## Read mandb cache content.
+## Set attributes on mandb cache files.
## </summary>
## <param name="domain">
## <summary>
@@ -84,8 +105,35 @@ interface(`mandb_delete_cache_content',`
## </summary>
## </param>
#
-interface(`mandb_read_cache_content',`
- refpolicywarn(`$0($*) has been deprecated')
+interface(`mandb_setattr_cache_dirs',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 mandb_cache_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Delete mandb cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mandb_delete_cache',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 mandb_cache_t:dir list_dir_perms;
+ delete_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
+ delete_files_pattern($1, mandb_cache_t, mandb_cache_t)
+ delete_lnk_files_pattern($1, mandb_cache_t, mandb_cache_t)
')
########################################
@@ -99,37 +147,82 @@ interface(`mandb_read_cache_content',`
## </summary>
## </param>
#
-interface(`mandb_manage_cache_content',`
- refpolicywarn(`$0($*) has been deprecated')
+interface(`mandb_manage_cache_files',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, mandb_cache_t, mandb_cache_t)
')
########################################
## <summary>
-## All of the rules required to
-## administrate an mandb environment.
+## Manage mandb cache dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+#
+interface(`mandb_manage_cache_dirs',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
+')
+
+########################################
+## <summary>
+## Create configuration files in user
+## home directories with a named file
+## type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mandb_filetrans_named_home_content',`
+ gen_require(`
+ type mandb_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, mandb_home_t, file, ".manpath")
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an mandb environment
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
interface(`mandb_admin',`
gen_require(`
- type mandb_t, mandb_cache_t;
+ type mandb_t;
+ type mandb_cache_t, mandb_lock_t;
')
allow $1 mandb_t:process { ptrace signal_perms };
ps_process_pattern($1, mandb_t)
- mandb_run($1, $2)
+ files_search_var($1)
+ admin_pattern($1, mandb_cache_t)
- # pending
- # miscfiles_manage_man_cache_content(mandb_t)
+ files_search_locks($1)
+ admin_pattern($1, mandb_lock_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/mandb.te b/mandb.te
index e6136fd37..afaa79b11 100644
--- a/mandb.te
+++ b/mandb.te
@@ -10,22 +10,46 @@ roleattribute system_r mandb_roles;
type mandb_t;
type mandb_exec_t;
-application_domain(mandb_t, mandb_exec_t)
+init_daemon_domain(mandb_t, mandb_exec_t)
role mandb_roles types mandb_t;
+type mandb_cache_t;
+files_type(mandb_cache_t)
+
+type mandb_home_t;
+userdom_user_home_content(mandb_home_t)
+
+type mandb_lock_t;
+files_lock_file(mandb_lock_t)
+
########################################
#
# Local policy
#
-allow mandb_t self:capability { setuid setgid };
+allow mandb_t self:capability { setuid setgid fsetid };
allow mandb_t self:process { setsched signal };
allow mandb_t self:fifo_file rw_fifo_file_perms;
allow mandb_t self:unix_stream_socket create_stream_socket_perms;
+manage_dirs_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file })
+can_exec(mandb_t, mandb_exec_t)
+allow mandb_t mandb_cache_t:file map;
+
+userdom_search_user_home_dirs(mandb_t)
+allow mandb_t mandb_home_t:file read_file_perms;
+
+allow mandb_t mandb_lock_t:file manage_file_perms;
+files_lock_filetrans(mandb_t, mandb_lock_t, file)
+
kernel_read_kernel_sysctls(mandb_t)
kernel_read_system_state(mandb_t)
+auth_read_passwd(mandb_t)
+
corecmd_exec_bin(mandb_t)
corecmd_exec_shell(mandb_t)
@@ -33,11 +57,14 @@ dev_search_sysfs(mandb_t)
domain_use_interactive_fds(mandb_t)
-files_read_etc_files(mandb_t)
+files_search_locks(mandb_t)
+files_dontaudit_search_all_mountpoints(mandb_t)
+
+fs_getattr_all_fs(mandb_t)
miscfiles_manage_man_cache(mandb_t)
+miscfiles_setattr_man_pages(mandb_t)
miscfiles_read_man_pages(mandb_t)
-miscfiles_read_localization(mandb_t)
ifdef(`distro_debian',`
optional_policy(`
diff --git a/mcelog.if b/mcelog.if
index f89651e75..c73214d81 100644
--- a/mcelog.if
+++ b/mcelog.if
@@ -19,6 +19,25 @@ interface(`mcelog_domtrans',`
domtrans_pattern($1, mcelog_exec_t, mcelog_t)
')
+######################################
+## <summary>
+## Read mcelog logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mcelog_read_log',`
+ gen_require(`
+ type mcelog_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, mcelog_log_t, mcelog_log_t)
+')
+
########################################
## <summary>
## All of the rules required to
diff --git a/mcelog.te b/mcelog.te
index 59b3b3dd6..494c4f3a4 100644
--- a/mcelog.te
+++ b/mcelog.te
@@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false)
## </desc>
gen_tunable(mcelog_server, false)
-## <desc>
-## <p>
-## Determine whether mcelog can use syslog.
-## </p>
-## </desc>
-gen_tunable(mcelog_syslog, false)
-
type mcelog_t;
type mcelog_exec_t;
init_daemon_domain(mcelog_t, mcelog_exec_t)
@@ -84,17 +77,21 @@ files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file })
kernel_read_system_state(mcelog_t)
+corecmd_exec_shell(mcelog_t)
+corecmd_exec_bin(mcelog_t)
+
dev_read_raw_memory(mcelog_t)
dev_read_kmsg(mcelog_t)
dev_rw_sysfs(mcelog_t)
-
-files_read_etc_files(mcelog_t)
+dev_rw_cpu_microcode(mcelog_t)
mls_file_read_all_levels(mcelog_t)
+auth_use_nsswitch(mcelog_t)
+
locallogin_use_fds(mcelog_t)
-miscfiles_read_localization(mcelog_t)
+logging_send_syslog_msg(mcelog_t)
tunable_policy(`mcelog_client',`
allow mcelog_t self:unix_stream_socket connectto;
@@ -114,9 +111,6 @@ tunable_policy(`mcelog_server',`
allow mcelog_t self:unix_stream_socket { listen accept };
')
-tunable_policy(`mcelog_syslog',`
- logging_send_syslog_msg(mcelog_t)
-')
optional_policy(`
cron_system_entry(mcelog_t, mcelog_exec_t)
diff --git a/mcollective.fc b/mcollective.fc
new file mode 100644
index 000000000..821bf8822
--- /dev/null
+++ b/mcollective.fc
@@ -0,0 +1,3 @@
+/etc/mcollective/facts\.yaml -- gen_context(system_u:object_r:mcollective_etc_rw_t,s0)
+
+/usr/libexec/mcollective/update_yaml\.rb -- gen_context(system_u:object_r:mcollective_exec_t,s0)
diff --git a/mcollective.if b/mcollective.if
new file mode 100644
index 000000000..3f433f1e2
--- /dev/null
+++ b/mcollective.if
@@ -0,0 +1,109 @@
+
+## <summary>policy for mcollective</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the mcollective domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mcollective_domtrans',`
+ gen_require(`
+ type mcollective_t, mcollective_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mcollective_exec_t, mcollective_t)
+')
+
+########################################
+## <summary>
+## Search mcollective conf directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mcollective_search_conf',`
+ gen_require(`
+ type mcollective_etc_rw_t;
+ ')
+
+ allow $1 mcollective_etc_rw_t:dir search_dir_perms;
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Read mcollective conf files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mcollective_read_conf_files',`
+ gen_require(`
+ type mcollective_etc_rw_t;
+ ')
+
+ allow $1 mcollective_etc_rw_t:dir list_dir_perms;
+ read_files_pattern($1, mcollective_etc_rw_t, mcollective_etc_rw_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Manage mcollective conf files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mcollective_manage_conf_files',`
+ gen_require(`
+ type mcollective_etc_rw_t;
+ ')
+
+ manage_files_pattern($1, mcollective_etc_rw_t, mcollective_etc_rw_t)
+ files_search_etc($1)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an mcollective environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mcollective_admin',`
+ gen_require(`
+ type mcollective_t;
+ type mcollective_etc_rw_t;
+ ')
+
+ allow $1 mcollective_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mcollective_t)
+
+ files_search_etc($1)
+ admin_pattern($1, mcollective_etc_rw_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/mcollective.te b/mcollective.te
new file mode 100644
index 000000000..8bc27f4c5
--- /dev/null
+++ b/mcollective.te
@@ -0,0 +1,27 @@
+policy_module(mcollective, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mcollective_t;
+type mcollective_exec_t;
+init_daemon_domain(mcollective_t, mcollective_exec_t)
+cron_system_entry(mcollective_t, mcollective_exec_t)
+
+type mcollective_etc_rw_t;
+files_type(mcollective_etc_rw_t)
+
+########################################
+#
+# mcollective local policy
+#
+allow mcollective_t self:fifo_file rw_fifo_file_perms;
+allow mcollective_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(mcollective_t, mcollective_etc_rw_t, mcollective_etc_rw_t)
+files_etc_filetrans(mcollective_t, mcollective_etc_rw_t, file, "facts.yaml")
+
+domain_use_interactive_fds(mcollective_t)
+
diff --git a/mediawiki.fc b/mediawiki.fc
index 99f7c4187..174560318 100644
--- a/mediawiki.fc
+++ b/mediawiki.fc
@@ -1,8 +1,8 @@
-/usr/lib/mediawiki/math/texvc -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
-/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
-/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+/usr/lib/mediawiki/math/texvc -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
+/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
+/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
-/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
+/usr/share/mediawiki[0-9]?(/.*)? gen_context(system_u:object_r:mediawiki_content_t,s0)
-/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
-/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
+/var/www/wiki[0-9]?(/.*)? gen_context(system_u:object_r:mediawiki_rw_content_t,s0)
+/var/www/wiki[0-9]?\.php -- gen_context(system_u:object_r:mediawiki_content_t,s0)
diff --git a/mediawiki.if b/mediawiki.if
index 9771b4ba3..9b183e62b 100644
--- a/mediawiki.if
+++ b/mediawiki.if
@@ -1 +1,40 @@
-## <summary>Open source wiki package written in PHP.</summary>
+## <summary>Mediawiki policy</summary>
+
+#######################################
+## <summary>
+## Allow the specified domain to read
+## mediawiki tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mediawiki_read_tmp_files',`
+ gen_require(`
+ type mediawiki_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
+ read_lnk_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
+')
+
+#######################################
+## <summary>
+## Delete mediawiki tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mediawiki_delete_tmp_files',`
+ gen_require(`
+ type mediawiki_tmp_t;
+ ')
+
+ delete_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
+')
diff --git a/mediawiki.te b/mediawiki.te
index c528b9fa7..fcbc1911c 100644
--- a/mediawiki.te
+++ b/mediawiki.te
@@ -5,13 +5,26 @@ policy_module(mediawiki, 1.0.0)
# Declarations
#
-apache_content_template(mediawiki)
+type mediawiki_tmp_t;
+files_tmp_file(mediawiki_tmp_t)
########################################
#
# Local policy
#
-files_search_var_lib(httpd_mediawiki_script_t)
+optional_policy(`
-miscfiles_read_tetex_data(httpd_mediawiki_script_t)
+ apache_content_template(mediawiki)
+ apache_content_alias_template(mediawiki, mediawiki)
+
+ manage_dirs_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
+ manage_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
+ manage_sock_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
+ manage_lnk_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
+ files_tmp_filetrans(mediawiki_script_t, mediawiki_tmp_t, { file dir lnk_file })
+
+ files_search_var_lib(mediawiki_script_t)
+
+ miscfiles_read_tetex_data(mediawiki_script_t)
+')
diff --git a/memcached.if b/memcached.if
index 1d4eb19b8..650014e0f 100644
--- a/memcached.if
+++ b/memcached.if
@@ -1,4 +1,4 @@
-## <summary>High-performance memory object caching system.</summary>
+## <summary>high-performance memory object caching system</summary>
########################################
## <summary>
@@ -12,17 +12,16 @@
#
interface(`memcached_domtrans',`
gen_require(`
- type memcached_t,memcached_exec_t;
+ type memcached_t;
+ type memcached_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, memcached_exec_t, memcached_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## memcached pid files.
+## Read memcached PID files.
## </summary>
## <param name="domain">
## <summary>
@@ -30,18 +29,18 @@ interface(`memcached_domtrans',`
## </summary>
## </param>
#
-interface(`memcached_manage_pid_files',`
+interface(`memcached_read_pid_files',`
gen_require(`
type memcached_var_run_t;
')
files_search_pids($1)
- manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)
+ allow $1 memcached_var_run_t:file read_file_perms;
')
########################################
## <summary>
-## Read memcached pid files.
+## Manage memcached PID files
## </summary>
## <param name="domain">
## <summary>
@@ -49,19 +48,18 @@ interface(`memcached_manage_pid_files',`
## </summary>
## </param>
#
-interface(`memcached_read_pid_files',`
+interface(`memcached_manage_pid_files',`
gen_require(`
type memcached_var_run_t;
')
files_search_pids($1)
- allow $1 memcached_var_run_t:file read_file_perms;
+ manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)
')
########################################
## <summary>
-## Connect to memcached using a unix
-## domain stream socket.
+## Connect to memcached over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -80,29 +78,8 @@ interface(`memcached_stream_connect',`
########################################
## <summary>
-## Connect to memcache over the network.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`memcached_tcp_connect',`
- gen_require(`
- type memcached_t;
- ')
-
- corenet_sendrecv_memcache_client_packets($1)
- corenet_tcp_connect_memcache_port($1)
- corenet_tcp_recvfrom_labeled($1, memcached_t)
- corenet_tcp_sendrecv_memcache_port($1)
-')
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an memcached environment.
+## All of the rules required to administrate
+## an memcached environment
## </summary>
## <param name="domain">
## <summary>
@@ -111,7 +88,7 @@ interface(`memcached_tcp_connect',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the memcached domain.
## </summary>
## </param>
## <rolecap/>
@@ -121,14 +98,17 @@ interface(`memcached_admin',`
type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;
')
- allow $1 memcached_t:process { ptrace signal_perms };
+ allow $1 memcached_t:process signal_perms;
ps_process_pattern($1, memcached_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 memcached_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, memcached_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 memcached_initrc_exec_t system_r;
allow $2 system_r;
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, memcached_var_run_t)
')
diff --git a/memcached.te b/memcached.te
index 29b752160..8c41e59db 100644
--- a/memcached.te
+++ b/memcached.te
@@ -8,6 +8,7 @@ policy_module(memcached, 1.3.1)
type memcached_t;
type memcached_exec_t;
init_daemon_domain(memcached_t, memcached_exec_t)
+init_nnp_daemon_domain(memcached_t)
type memcached_initrc_exec_t;
init_script_file(memcached_initrc_exec_t)
@@ -20,7 +21,7 @@ files_pid_file(memcached_var_run_t)
# Local policy
#
-allow memcached_t self:capability { setuid setgid };
+allow memcached_t self:capability { setuid setgid sys_resource };
dontaudit memcached_t self:capability sys_tty_config;
allow memcached_t self:process { setrlimit signal_perms };
allow memcached_t self:tcp_socket { accept listen };
@@ -59,4 +60,3 @@ term_dontaudit_use_console(memcached_t)
auth_use_nsswitch(memcached_t)
-miscfiles_read_localization(memcached_t)
diff --git a/milter.fc b/milter.fc
index 89409ebbc..67e42f6a9 100644
--- a/milter.fc
+++ b/milter.fc
@@ -1,18 +1,29 @@
+/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/opendmarc -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
-/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
-/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
-/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
-/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
+/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
-/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/run/opendmarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
-/var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
-/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
-/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
-/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
/var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/spool/opendmarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/milter.if b/milter.if
index cba62db12..562833a81 100644
--- a/milter.if
+++ b/milter.if
@@ -1,47 +1,43 @@
-## <summary>Milter mail filters.</summary>
+## <summary>Milter mail filters</summary>
-#######################################
+########################################
## <summary>
-## The template to define a milter domain.
+## Create a set of derived types for various
+## mail filter applications using the milter interface.
## </summary>
-## <param name="domain_prefix">
+## <param name="milter_name">
## <summary>
-## Domain prefix to be used.
+## The name to be used for deriving type names.
## </summary>
## </param>
#
template(`milter_template',`
+ # attributes common to all milters
gen_require(`
attribute milter_data_type, milter_domains;
')
- ########################################
- #
- # Declarations
- #
-
type $1_milter_t, milter_domains;
type $1_milter_exec_t;
init_daemon_domain($1_milter_t, $1_milter_exec_t)
+ role system_r types $1_milter_t;
+ # Type for the milter data (e.g. the socket used to communicate with the MTA)
type $1_milter_data_t, milter_data_type;
files_pid_file($1_milter_data_t)
- ########################################
- #
- # Policy
- #
+ # Allow communication with MTA over a unix-domain socket
+ manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+ # Create other data files and directories in the data directory
manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
- manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
- auth_use_nsswitch($1_milter_t)
+ logging_send_syslog_msg($1_milter_t)
')
########################################
## <summary>
-## connect to all milter domains using
-## a unix domain stream socket.
+## MTA communication with milter sockets
## </summary>
## <param name="domain">
## <summary>
@@ -55,12 +51,13 @@ interface(`milter_stream_connect_all',`
')
files_search_pids($1)
+ getattr_dirs_pattern($1, milter_data_type, milter_data_type)
stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
')
########################################
## <summary>
-## Get attributes of all milter sock files.
+## Allow getattr of milter sockets
## </summary>
## <param name="domain">
## <summary>
@@ -73,13 +70,31 @@ interface(`milter_getattr_all_sockets',`
attribute milter_data_type;
')
+ getattr_dirs_pattern($1, milter_data_type, milter_data_type)
getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
')
########################################
## <summary>
-## Create, read, write, and delete
-## spamassissin milter data content.
+## Allow setattr of milter dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_setattr_all_dirs',`
+ gen_require(`
+ attribute milter_data_type;
+ ')
+
+ setattr_dirs_pattern($1, milter_data_type, milter_data_type)
+')
+
+########################################
+## <summary>
+## Manage spamassassin milter state
## </summary>
## <param name="domain">
## <summary>
@@ -97,3 +112,22 @@ interface(`milter_manage_spamass_state',`
manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
')
+
+#######################################
+## <summary>
+## Delete dkim-milter PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_delete_dkim_pid_files',`
+ gen_require(`
+ type dkim_milter_data_t;
+ ')
+
+ files_search_pids($1)
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+')
diff --git a/milter.te b/milter.te
index 4dc99f464..51867ef79 100644
--- a/milter.te
+++ b/milter.te
@@ -5,73 +5,117 @@ policy_module(milter, 1.5.0)
# Declarations
#
+# attributes common to all milters
attribute milter_domains;
attribute milter_data_type;
+# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter
+milter_template(dkim)
+
+# type for the private key of dkim-milter
+type dkim_milter_private_key_t;
+files_type(dkim_milter_private_key_t)
+
+type dkim_milter_tmp_t;
+files_tmp_file(dkim_milter_tmp_t)
+
+# currently-supported milters are milter-greylist, milter-regex and spamass-milter
milter_template(greylist)
milter_template(regex)
milter_template(spamass)
+# Type for the spamass-milter home directory, under which spamassassin will
+# store system-wide preferences, bayes databases etc. if not configured to
+# use per-user configuration
type spamass_milter_state_t;
files_type(spamass_milter_state_t)
+
#######################################
#
-# Common local policy
+# milter domains local policy
#
+# Allow communication with MTA over a unix-domain socket
+# Note: usage with TCP sockets requires additional policy
+
allow milter_domains self:fifo_file rw_fifo_file_perms;
-allow milter_domains self:tcp_socket { accept listen };
+
+allow milter_domains self:process signull;
+
+# Allow communication with MTA over a TCP socket
+allow milter_domains self:tcp_socket create_stream_socket_perms;
kernel_dontaudit_read_system_state(milter_domains)
-corenet_all_recvfrom_unlabeled(milter_domains)
-corenet_all_recvfrom_netlabel(milter_domains)
-corenet_tcp_sendrecv_generic_if(milter_domains)
-corenet_tcp_sendrecv_generic_node(milter_domains)
corenet_tcp_bind_generic_node(milter_domains)
-
corenet_tcp_bind_milter_port(milter_domains)
-corenet_tcp_sendrecv_all_ports(milter_domains)
-miscfiles_read_localization(milter_domains)
+dev_read_rand(milter_domains)
+dev_read_urand(milter_domains)
+
+mta_read_config(milter_domains)
+
+sysnet_read_config(greylist_milter_t)
+
+#######################################
+#
+# dkim-milter local policy
+#
+
+allow dkim_milter_t self:capability { kill setgid setuid };
+allow dkim_milter_t self:process signal;
+allow dkim_milter_t self:tcp_socket create_stream_socket_perms;
+allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
-logging_send_syslog_msg(milter_domains)
+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
+
+manage_files_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t)
+manage_dirs_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t)
+files_tmp_filetrans(dkim_milter_t, dkim_milter_tmp_t, { dir file })
+
+kernel_read_kernel_sysctls(dkim_milter_t)
+
+corenet_udp_bind_all_ports(dkim_milter_t)
+
+auth_use_nsswitch(dkim_milter_t)
+
+sysnet_dns_name_resolve(dkim_milter_t)
########################################
#
-# greylist local policy
+# milter-greylist local policy
+# ensure smtp clients retry mail like real MTAs and not spamware
+# http://hcpnet.free.fr/milter-greylist/
#
-allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
+# It removes any existing socket (not owned by root) whilst running as root,
+# fixes permissions, renices itself and then calls setgid() and setuid() to
+# drop privileges
+allow greylist_milter_t self:capability { chown dac_read_search setgid setuid sys_nice };
allow greylist_milter_t self:process { setsched getsched };
+allow greylist_milter_t self:tcp_socket create_stream_socket_perms;
+
+# It creates a pid file /var/run/milter-greylist.pid
files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
kernel_read_kernel_sysctls(greylist_milter_t)
-corenet_sendrecv_movaz_ssc_server_packets(greylist_milter_t)
-corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
-corenet_sendrecv_movaz_ssc_client_packets(greylist_milter_t)
-corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
-corenet_tcp_sendrecv_movaz_ssc_port(greylist_milter_t)
-
-corenet_sendrecv_kismet_server_packets(greylist_milter_t)
-corenet_tcp_bind_kismet_port(greylist_milter_t)
-corenet_tcp_sendrecv_kismet_port(greylist_milter_t)
-
corecmd_exec_bin(greylist_milter_t)
corecmd_exec_shell(greylist_milter_t)
-dev_read_rand(greylist_milter_t)
-dev_read_urand(greylist_milter_t)
+corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
+corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
+corenet_tcp_bind_rtsclient_port(greylist_milter_t)
-files_read_usr_files(greylist_milter_t)
+# perl getgroups() reads a bunch of files in /etc
+# Allow the milter to read a GeoIP database in /usr/share
+# The milter runs from /var/lib/milter-greylist and maintains files there
files_search_var_lib(greylist_milter_t)
-mta_read_config(greylist_milter_t)
-
-miscfiles_read_localization(greylist_milter_t)
+# Look up username for dropping privs
+auth_use_nsswitch(greylist_milter_t)
optional_policy(`
mysql_stream_connect(greylist_milter_t)
@@ -79,30 +123,45 @@ optional_policy(`
########################################
#
-# regex local policy
+# milter-regex local policy
+# filter emails using regular expressions
+# http://www.benzedrine.cx/milter-regex.html
#
-allow regex_milter_t self:capability { setuid setgid dac_override };
+# It removes any existing socket (not owned by root) whilst running as root
+# and then calls setgid() and setuid() to drop privileges
+allow regex_milter_t self:capability { setuid setgid dac_read_search };
+# The milter's socket directory lives under /var/spool
files_search_spool(regex_milter_t)
-mta_read_config(regex_milter_t)
+# Look up username for dropping privs
+auth_use_nsswitch(regex_milter_t)
########################################
#
-# spamass local policy
+# spamass-milter local policy
+# pipe emails through SpamAssassin
+# http://savannah.nongnu.org/projects/spamass-milt/
#
+# The milter runs from /var/lib/spamass-milter
allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+files_search_var_lib(spamass_milter_t)
kernel_read_system_state(spamass_milter_t)
+# When used with -b or -B options, the milter invokes sendmail to send mail
+# to a spamtrap address, using popen()
corecmd_exec_shell(spamass_milter_t)
+corecmd_read_bin_symlinks(spamass_milter_t)
+corecmd_search_bin(spamass_milter_t)
-files_search_var_lib(spamass_milter_t)
+auth_use_nsswitch(spamass_milter_t)
mta_send_mail(spamass_milter_t)
+# The main job of the milter is to pipe spam through spamc and act on the result
optional_policy(`
spamassassin_domtrans_client(spamass_milter_t)
')
diff --git a/minissdpd.if b/minissdpd.if
index b3301610f..54509375e 100644
--- a/minissdpd.if
+++ b/minissdpd.if
@@ -39,10 +39,10 @@ interface(`minissdpd_read_config',`
interface(`minissdpd_admin',`
gen_require(`
type minissdpd_t, minissdpd_initrc_exec_t, minissdpd_conf_t;
- type minissdpd_var_run_t
+ type minissdpd_var_run_t;
')
- allow $1 minissdpd_t:process { ptrace signal_perms };
+ allow $1 minissdpd_t:process { signal_perms };
ps_process_pattern($1, minissdpd_t)
init_labeled_script_domtrans($1, minissdpd_initrc_exec_t)
diff --git a/mip6d.fc b/mip6d.fc
new file mode 100644
index 000000000..767bbad7b
--- /dev/null
+++ b/mip6d.fc
@@ -0,0 +1,3 @@
+/usr/lib/systemd/system/mip6d.* -- gen_context(system_u:object_r:mip6d_unit_file_t,s0)
+
+/usr/sbin/mip6d -- gen_context(system_u:object_r:mip6d_exec_t,s0)
diff --git a/mip6d.if b/mip6d.if
new file mode 100644
index 000000000..861b486dc
--- /dev/null
+++ b/mip6d.if
@@ -0,0 +1,80 @@
+
+## <summary>Mobile IPv6 and NEMO Basic Support implementation</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the mip6d domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mip6d_domtrans',`
+ gen_require(`
+ type mip6d_t, mip6d_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mip6d_exec_t, mip6d_t)
+')
+########################################
+## <summary>
+## Execute mip6d server in the mip6d domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mip6d_systemctl',`
+ gen_require(`
+ type mip6d_t;
+ type mip6d_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 mip6d_unit_file_t:file read_file_perms;
+ allow $1 mip6d_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, mip6d_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an mip6d environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mip6d_admin',`
+ gen_require(`
+ type mip6d_t;
+ type mip6d_unit_file_t;
+ ')
+
+ allow $1 mip6d_t:process { signal_perms };
+ ps_process_pattern($1, mip6d_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mip6d_t:process ptrace;
+ ')
+
+ mip6d_systemctl($1)
+ admin_pattern($1, mip6d_unit_file_t)
+ allow $1 mip6d_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/mip6d.te b/mip6d.te
new file mode 100644
index 000000000..0f290e9d4
--- /dev/null
+++ b/mip6d.te
@@ -0,0 +1,33 @@
+policy_module(mip6d, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mip6d_t;
+type mip6d_exec_t;
+init_daemon_domain(mip6d_t, mip6d_exec_t)
+
+type mip6d_unit_file_t;
+systemd_unit_file(mip6d_unit_file_t)
+
+########################################
+#
+# mip6d local policy
+#
+allow mip6d_t self:capability { net_admin net_raw };
+allow mip6d_t self:process { setpgid fork signal };
+allow mip6d_t self:netlink_route_socket create_netlink_socket_perms;
+allow mip6d_t self:netlink_xfrm_socket create_netlink_socket_perms;
+allow mip6d_t self:rawip_socket create_socket_perms;
+allow mip6d_t self:udp_socket create_socket_perms;
+allow mip6d_t self:fifo_file rw_fifo_file_perms;
+allow mip6d_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_rw_net_sysctls(mip6d_t)
+kernel_read_network_state(mip6d_t)
+kernel_request_load_module(mip6d_t)
+
+logging_send_syslog_msg(mip6d_t)
+
diff --git a/mirrormanager.fc b/mirrormanager.fc
new file mode 100644
index 000000000..abd53a4c7
--- /dev/null
+++ b/mirrormanager.fc
@@ -0,0 +1,7 @@
+/usr/share/mirrormanager/server/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_exec_t,s0)
+
+/var/lib/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_lib_t,s0)
+
+/var/log/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_log_t,s0)
+
+/var/run/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_run_t,s0)
diff --git a/mirrormanager.if b/mirrormanager.if
new file mode 100644
index 000000000..86467cffb
--- /dev/null
+++ b/mirrormanager.if
@@ -0,0 +1,256 @@
+
+## <summary>policy for mirrormanager</summary>
+
+########################################
+## <summary>
+## Execute mirrormanager in the mirrormanager domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mirrormanager_domtrans',`
+ gen_require(`
+ type mirrormanager_t, mirrormanager_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mirrormanager_exec_t, mirrormanager_t)
+')
+
+########################################
+## <summary>
+## Read mirrormanager's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mirrormanager_read_log',`
+ gen_require(`
+ type mirrormanager_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
+')
+
+########################################
+## <summary>
+## Append to mirrormanager log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mirrormanager_append_log',`
+ gen_require(`
+ type mirrormanager_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
+')
+
+########################################
+## <summary>
+## Manage mirrormanager log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mirrormanager_manage_log',`
+ gen_require(`
+ type mirrormanager_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
+ manage_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
+ manage_lnk_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
+')
+
+########################################
+## <summary>
+## Search mirrormanager lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mirrormanager_search_lib',`
+ gen_require(`
+ type mirrormanager_var_lib_t;
+ ')
+
+ allow $1 mirrormanager_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read mirrormanager lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mirrormanager_read_lib_files',`
+ gen_require(`
+ type mirrormanager_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ list_dirs_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+ read_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage mirrormanager lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mirrormanager_manage_lib_files',`
+ gen_require(`
+ type mirrormanager_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage mirrormanager lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mirrormanager_manage_lib_dirs',`
+ gen_require(`
+ type mirrormanager_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read mirrormanager PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mirrormanager_read_pid_files',`
+ gen_require(`
+ type mirrormanager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
+')
+
+########################################
+## <summary>
+## Manage mirrormanager PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mirrormanager_manage_pid_files',`
+ gen_require(`
+ type mirrormanager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
+')
+
+########################################
+## <summary>
+## Manage mirrormanager PID sock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mirrormanager_manage_pid_sock_files',`
+ gen_require(`
+ type mirrormanager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_sock_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an mirrormanager environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mirrormanager_admin',`
+ gen_require(`
+ type mirrormanager_t;
+ type mirrormanager_log_t;
+ type mirrormanager_var_lib_t;
+ type mirrormanager_var_run_t;
+ ')
+
+ allow $1 mirrormanager_t:process { signal_perms };
+ ps_process_pattern($1, mirrormanager_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mirrormanager_t:process ptrace;
+ ')
+
+ logging_search_logs($1)
+ admin_pattern($1, mirrormanager_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, mirrormanager_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, mirrormanager_var_run_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/mirrormanager.te b/mirrormanager.te
new file mode 100644
index 000000000..f59af1b98
--- /dev/null
+++ b/mirrormanager.te
@@ -0,0 +1,46 @@
+policy_module(mirrormanager, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mirrormanager_t;
+type mirrormanager_exec_t;
+application_domain(mirrormanager_t, mirrormanager_exec_t)
+
+type mirrormanager_log_t;
+logging_log_file(mirrormanager_log_t)
+
+type mirrormanager_var_lib_t;
+files_type(mirrormanager_var_lib_t)
+
+type mirrormanager_var_run_t;
+files_pid_file(mirrormanager_var_run_t)
+
+########################################
+#
+# mirrormanager local policy
+#
+
+allow mirrormanager_t self:fifo_file rw_fifo_file_perms;
+allow mirrormanager_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t)
+manage_files_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t)
+manage_lnk_files_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t)
+logging_log_filetrans(mirrormanager_t, mirrormanager_log_t, { dir })
+
+manage_dirs_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+manage_files_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+files_var_lib_filetrans(mirrormanager_t, mirrormanager_var_lib_t, { dir })
+
+manage_dirs_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
+manage_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
+manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
+files_pid_filetrans(mirrormanager_t, mirrormanager_var_run_t, { dir })
+
+optional_policy(`
+ cron_system_entry(mirrormanager_t, mirrormanager_exec_t)
+')
diff --git a/mock.fc b/mock.fc
new file mode 100644
index 000000000..394bc4658
--- /dev/null
+++ b/mock.fc
@@ -0,0 +1,7 @@
+
+/usr/sbin/mock -- gen_context(system_u:object_r:mock_exec_t,s0)
+
+/usr/libexec/mock/mock -- gen_context(system_u:object_r:mock_exec_t,s0)
+
+/var/lib/mock(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0)
+/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
diff --git a/mock.if b/mock.if
new file mode 100644
index 000000000..f5b98e6de
--- /dev/null
+++ b/mock.if
@@ -0,0 +1,311 @@
+## <summary>policy for mock</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run mock.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mock_domtrans',`
+ gen_require(`
+ type mock_t, mock_exec_t;
+ ')
+
+ domtrans_pattern($1, mock_exec_t, mock_t)
+')
+
+########################################
+## <summary>
+## Search mock lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_search_lib',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ allow $1 mock_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read mock lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_read_lib_files',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ list_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
+ read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+## <summary>
+## Getattr on mock lib file,dir,sock_file ...
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_getattr_lib',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ allow $1 mock_var_lib_t:dir_file_class_set getattr;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mock lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_manage_lib_files',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage mock lib dirs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_manage_lib_dirs',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+#########################################
+## <summary>
+## Manage mock lib symlinks.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_manage_lib_symlinks',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage mock lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_manage_lib_chr_files',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage mock lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_dontaudit_write_lib_chr_files',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ dontaudit $1 mock_var_lib_t:chr_file write;
+')
+
+#######################################
+## <summary>
+## Dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mock_dontaudit_leaks',`
+ gen_require(`
+ type mock_tmp_t;
+ ')
+
+ dontaudit $1 mock_tmp_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Execute mock in the mock domain, and
+## allow the specified role the mock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the mock domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mock_run',`
+ gen_require(`
+ type mock_t;
+ type mock_build_t;
+ ')
+
+ mock_domtrans($1)
+ role $2 types mock_t;
+ role $2 types mock_build_t;
+
+ mount_run(mock_t, $2)
+')
+
+########################################
+## <summary>
+## Role access for mock
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mock_role',`
+ gen_require(`
+ type mock_t;
+ ')
+
+ role $1 types mock_t;
+
+ mock_run($2, $1)
+
+ ps_process_pattern($2, mock_t)
+ allow $2 mock_t:process signal_perms;
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 mock_t:process ptrace;
+ ')
+
+ optional_policy(`
+ mock_read_lib_files($2)
+ ')
+')
+
+#######################################
+## <summary>
+## Send a generic signal to mock.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_signal',`
+ gen_require(`
+ type mock_t;
+ ')
+
+ allow $1 mock_t:process signal;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an mock environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_admin',`
+ gen_require(`
+ type mock_t, mock_var_lib_t;
+ type mock_build_t, mock_etc_t, mock_tmp_t;
+ ')
+
+ allow $1 mock_t:process signal_perms;
+ ps_process_pattern($1, mock_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mock_t:process ptrace;
+ allow $1 mock_build_t:process ptrace;
+ ')
+
+ allow $1 mock_build_t:process signal_perms;
+ ps_process_pattern($1, mock_build_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, mock_var_lib_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, mock_tmp_t)
+
+ files_search_etc($1)
+ admin_pattern($1, mock_etc_t)
+')
diff --git a/mock.te b/mock.te
new file mode 100644
index 000000000..4ba88ac4b
--- /dev/null
+++ b/mock.te
@@ -0,0 +1,288 @@
+policy_module(mock,1.0.0)
+
+## <desc>
+## <p>
+## Allow mock to read files in home directories.
+## </p>
+## </desc>
+gen_tunable(mock_enable_homedirs, false)
+
+########################################
+#
+# Declarations
+#
+
+type mock_t;
+type mock_exec_t;
+application_domain(mock_t, mock_exec_t)
+domain_role_change_exemption(mock_t)
+domain_system_change_exemption(mock_t)
+role system_r types mock_t;
+
+type mock_build_t;
+type mock_build_exec_t;
+application_domain(mock_build_t, mock_build_exec_t)
+role system_r types mock_build_t;
+
+type mock_cache_t;
+files_type(mock_cache_t)
+
+type mock_tmp_t;
+files_tmp_file(mock_tmp_t)
+
+type mock_var_lib_t;
+files_type(mock_var_lib_t)
+
+type mock_var_run_t;
+files_pid_file(mock_var_run_t)
+
+type mock_etc_t;
+files_config_file(mock_etc_t)
+
+########################################
+#
+# mock local policy
+#
+
+allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_read_search sys_nice mknod fsetid setgid fowner };
+allow mock_t self:capability2 block_suspend;
+allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid };
+# Needed because mock can run java and mono withing build environment
+allow mock_t self:process { execmem execstack };
+dontaudit mock_t self:process { siginh noatsecure rlimitinh };
+allow mock_t self:fifo_file manage_fifo_file_perms;
+allow mock_t self:unix_stream_socket create_stream_socket_perms;
+allow mock_t self:unix_dgram_socket create_socket_perms;
+
+allow mock_t mock_build_t:process { siginh noatsecure rlimitinh };
+
+manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t)
+manage_files_pattern(mock_t, mock_cache_t, mock_cache_t)
+manage_lnk_files_pattern(mock_t, mock_cache_t, mock_cache_t)
+files_var_filetrans(mock_t, mock_cache_t, { dir file } )
+
+read_files_pattern(mock_t, mock_etc_t, mock_etc_t)
+read_lnk_files_pattern(mock_t, mock_etc_t, mock_etc_t)
+
+manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t)
+manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
+manage_lnk_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
+files_tmp_filetrans(mock_t, mock_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_blk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file })
+allow mock_t mock_var_lib_t:dir mounton;
+allow mock_t mock_var_lib_t:dir relabel_dir_perms;
+allow mock_t mock_var_lib_t:file relabel_file_perms;
+
+manage_files_pattern(mock_t, mock_var_run_t, mock_var_run_t)
+manage_dirs_pattern(mock_t, mock_var_run_t, mock_var_run_t)
+manage_sock_files_pattern(mock_t, mock_var_run_t, mock_var_run_t)
+manage_lnk_files_pattern(mock_t, mock_var_run_t, mock_var_run_t)
+files_pid_filetrans(mock_t, mock_var_run_t, { file dir sock_file })
+
+kernel_read_irq_sysctls(mock_t)
+kernel_read_system_state(mock_t)
+kernel_read_network_state(mock_t)
+kernel_read_kernel_sysctls(mock_t)
+kernel_request_load_module(mock_t)
+kernel_dontaudit_setattr_proc_dirs(mock_t)
+kernel_read_fs_sysctls(mock_t)
+# we run mount in mock_t
+kernel_mount_proc(mock_t)
+kernel_unmount_proc(mock_t)
+
+fs_mount_tmpfs(mock_t)
+fs_unmount_tmpfs(mock_t)
+fs_unmount_xattr_fs(mock_t)
+
+corecmd_exec_bin(mock_t)
+corecmd_exec_shell(mock_t)
+corecmd_dontaudit_exec_all_executables(mock_t)
+
+corenet_tcp_connect_git_port(mock_t)
+corenet_tcp_connect_http_port(mock_t)
+corenet_tcp_connect_ftp_port(mock_t)
+corenet_tcp_connect_all_ephemeral_ports(mock_t)
+
+dev_read_urand(mock_t)
+dev_rw_sysfs(mock_t)
+dev_setattr_sysfs_dirs(mock_t)
+dev_mount_sysfs_fs(mock_t)
+dev_unmount_sysfs_fs(mock_t)
+
+domain_read_all_domains_state(mock_t)
+domain_use_interactive_fds(mock_t)
+
+files_read_etc_runtime_files(mock_t)
+files_dontaudit_list_boot(mock_t)
+files_list_isid_type_dirs(mock_t)
+
+fs_getattr_all_fs(mock_t)
+fs_manage_cgroup_dirs(mock_t)
+fs_search_all(mock_t)
+fs_setattr_tmpfs_dirs(mock_t)
+
+selinux_get_enforce_mode(mock_t)
+
+term_search_ptys(mock_t)
+term_use_generic_ptys(mock_t)
+term_mount_pty_fs(mock_t)
+term_unmount_pty_fs(mock_t)
+term_use_ptmx(mock_t)
+
+auth_use_nsswitch(mock_t)
+
+init_exec(mock_t)
+init_dontaudit_stream_connect(mock_t)
+
+libs_exec_ldconfig(mock_t)
+
+logging_send_audit_msgs(mock_t)
+logging_send_syslog_msg(mock_t)
+
+lvm_manage_lock(mock_t)
+lvm_read_config(mock_t)
+lvm_read_metadata(mock_t)
+lvm_getattr_exec_files(mock_t)
+
+miscfiles_dontaudit_write_generic_cert_files(mock_t)
+
+userdom_use_user_ptys(mock_t)
+userdom_use_user_ttys(mock_t)
+
+files_search_home(mock_t)
+
+tunable_policy(`mock_enable_homedirs',`
+ userdom_manage_user_home_content_dirs(mock_t)
+ userdom_manage_user_home_content_files(mock_t)
+')
+
+tunable_policy(`mock_enable_homedirs && use_nfs_home_dirs',`
+ rpc_search_nfs_state_data(mock_t)
+ fs_list_auto_mountpoints(mock_t)
+ fs_manage_nfs_files(mock_t)
+')
+
+tunable_policy(`mock_enable_homedirs && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(mock_t)
+ fs_read_cifs_files(mock_t)
+ fs_manage_cifs_files(mock_t)
+')
+
+optional_policy(`
+ abrt_read_spool_retrace(mock_t)
+ abrt_read_cache_retrace(mock_t)
+ abrt_stream_connect(mock_t)
+')
+
+optional_policy(`
+ apache_read_sys_content_rw_files(mock_t)
+')
+
+optional_policy(`
+ rpm_exec(mock_t)
+ rpm_manage_cache(mock_t)
+ rpm_manage_db(mock_t)
+ rpm_manage_tmp_files(mock_t)
+ rpm_read_log(mock_t)
+')
+
+optional_policy(`
+ mount_exec(mock_t)
+ mount_rw_pid_files(mock_t)
+')
+
+
+########################################
+#
+# mock_build local policy
+#
+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_read_search sys_nice mknod fsetid setgid fowner sys_ptrace };
+dontaudit mock_build_t self:capability audit_write;
+allow mock_build_t self:process { fork setsched setpgid signal_perms };
+allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
+# Needed because mock can run java and mono withing build environment
+allow mock_build_t self:process { execmem execstack };
+dontaudit mock_build_t self:process { siginh noatsecure rlimitinh };
+allow mock_build_t self:fifo_file manage_fifo_file_perms;
+allow mock_build_t self:unix_stream_socket create_stream_socket_perms;
+allow mock_build_t self:unix_dgram_socket create_socket_perms;
+allow mock_build_t self:dir list_dir_perms;
+allow mock_build_t self:dir read_file_perms;
+
+ps_process_pattern(mock_t, mock_build_t)
+allow mock_t mock_build_t:process signal_perms;
+domtrans_pattern(mock_t, mock_build_exec_t, mock_build_t)
+domtrans_pattern(mock_t, mock_tmp_t, mock_build_t)
+domain_entry_file(mock_build_t, mock_tmp_t)
+domtrans_pattern(mock_t, mock_var_lib_t, mock_build_t)
+domain_entry_file(mock_build_t, mock_var_lib_t)
+
+manage_dirs_pattern(mock_build_t, mock_cache_t, mock_cache_t)
+manage_files_pattern(mock_build_t, mock_cache_t, mock_cache_t)
+manage_lnk_files_pattern(mock_build_t, mock_cache_t, mock_cache_t)
+files_var_filetrans(mock_build_t, mock_cache_t, { dir file } )
+
+manage_dirs_pattern(mock_build_t, mock_tmp_t, mock_tmp_t)
+manage_files_pattern(mock_build_t, mock_tmp_t, mock_tmp_t)
+files_tmp_filetrans(mock_build_t, mock_tmp_t, { dir file })
+can_exec(mock_build_t, mock_tmp_t)
+
+manage_dirs_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+manage_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+manage_lnk_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+manage_blk_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+manage_chr_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+files_var_lib_filetrans(mock_build_t, mock_var_lib_t, { dir file })
+can_exec(mock_build_t, mock_var_lib_t)
+allow mock_build_t mock_var_lib_t:dir mounton;
+allow mock_build_t mock_var_lib_t:dir relabel_dir_perms;
+allow mock_build_t mock_var_lib_t:file relabel_file_perms;
+
+kernel_list_proc(mock_build_t)
+kernel_read_irq_sysctls(mock_build_t)
+kernel_read_system_state(mock_build_t)
+kernel_read_network_state(mock_build_t)
+kernel_read_kernel_sysctls(mock_build_t)
+kernel_request_load_module(mock_build_t)
+kernel_dontaudit_setattr_proc_dirs(mock_build_t)
+
+corecmd_exec_bin(mock_build_t)
+corecmd_exec_shell(mock_build_t)
+corecmd_dontaudit_exec_all_executables(mock_build_t)
+
+dev_getattr_all_chr_files(mock_build_t)
+dev_dontaudit_list_all_dev_nodes(mock_build_t)
+dev_dontaudit_getattr_all(mock_build_t)
+fs_getattr_all_dirs(mock_build_t)
+dev_read_sysfs(mock_build_t)
+
+domain_dontaudit_read_all_domains_state(mock_build_t)
+domain_use_interactive_fds(mock_build_t)
+
+files_dontaudit_list_boot(mock_build_t)
+
+fs_getattr_all_fs(mock_build_t)
+fs_manage_cgroup_dirs(mock_build_t)
+
+selinux_get_enforce_mode(mock_build_t)
+
+auth_use_nsswitch(mock_build_t)
+
+init_exec(mock_build_t)
+init_dontaudit_stream_connect(mock_build_t)
+
+libs_exec_ldconfig(mock_build_t)
+
+term_use_all_inherited_terms(mock_build_t)
+userdom_use_inherited_user_ptys(mock_build_t)
+term_dontaudit_manage_pty_dirs(mock_build_t)
+
+tunable_policy(`mock_enable_homedirs',`
+ userdom_read_user_home_content_files(mock_build_t)
+')
diff --git a/modemmanager.fc b/modemmanager.fc
index a83894c6e..481dca3ff 100644
--- a/modemmanager.fc
+++ b/modemmanager.fc
@@ -1 +1,4 @@
/usr/sbin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
+/usr/sbin/ModemManager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
+
+/usr/lib/systemd/system/ModemManager.service -- gen_context(system_u:object_r:modemmanager_unit_file_t,s0)
diff --git a/modemmanager.if b/modemmanager.if
index b1ac8b5d8..24782b35f 100644
--- a/modemmanager.if
+++ b/modemmanager.if
@@ -21,6 +21,31 @@ interface(`modemmanager_domtrans',`
########################################
## <summary>
+## Execute modemmanager server in the modemmanager domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modemmanager_systemctl',`
+ gen_require(`
+ type modemmanager_t;
+ type modemmanager_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 modemmanager_unit_file_t:file read_file_perms;
+ allow $1 modemmanager_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, modemmanager_t)
+')
+
+########################################
+## <summary>
## Send and receive messages from
## modemmanager over dbus.
## </summary>
@@ -39,3 +64,33 @@ interface(`modemmanager_dbus_chat',`
allow $1 modemmanager_t:dbus send_msg;
allow modemmanager_t $1:dbus send_msg;
')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an modemmanager environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`modemmanager_admin',`
+ gen_require(`
+ type modemmanager_t;
+ type modemmanager_unit_file_t;
+ ')
+
+ allow $1 modemmanager_t:process { ptrace signal_perms };
+ ps_process_pattern($1, modemmanager_t)
+
+ modemmanager_systemctl($1)
+ admin_pattern($1, modemmanager_unit_file_t)
+ allow $1 modemmanager_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/modemmanager.te b/modemmanager.te
index d15eb5b64..ad481cee4 100644
--- a/modemmanager.te
+++ b/modemmanager.te
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
typealias modemmanager_t alias ModemManager_t;
typealias modemmanager_exec_t alias ModemManager_exec_t;
+type modemmanager_unit_file_t;
+systemd_unit_file(modemmanager_unit_file_t)
+
########################################
#
# Local policy
@@ -19,20 +22,24 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
allow modemmanager_t self:process { getsched signal };
allow modemmanager_t self:fifo_file rw_fifo_file_perms;
-allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
+allow modemmanager_t self:unix_stream_socket {connectto create_stream_socket_perms};
allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
kernel_read_system_state(modemmanager_t)
-dev_read_sysfs(modemmanager_t)
-dev_rw_modem(modemmanager_t)
+auth_read_passwd(modemmanager_t)
-files_read_etc_files(modemmanager_t)
+corecmd_exec_bin(modemmanager_t)
+
+dev_rw_sysfs(modemmanager_t)
+dev_read_urand(modemmanager_t)
+dev_rw_modem(modemmanager_t)
term_use_generic_ptys(modemmanager_t)
term_use_unallocated_ttys(modemmanager_t)
+term_use_usb_ttys(modemmanager_t)
-miscfiles_read_localization(modemmanager_t)
+xserver_read_state_xdm(modemmanager_t)
logging_send_syslog_msg(modemmanager_t)
@@ -50,6 +57,11 @@ optional_policy(`
optional_policy(`
policykit_dbus_chat(modemmanager_t)
')
+
+ optional_policy(`
+ systemd_dbus_chat_logind(modemmanager_t)
+ systemd_write_inhibit_pipes(modemmanager_t)
+ ')
')
optional_policy(`
diff --git a/mojomojo.fc b/mojomojo.fc
index 7b827ca7f..5ee8a0f2b 100644
--- a/mojomojo.fc
+++ b/mojomojo.fc
@@ -1,5 +1,5 @@
-/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0)
+/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:mojomojo_script_exec_t,s0)
-/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:httpd_mojomojo_content_t,s0)
+/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:mojomojo_content_t,s0)
-/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0)
+/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:mojomojo_rw_content_t,s0)
diff --git a/mojomojo.if b/mojomojo.if
index 73952f4c9..b19a6ee2d 100644
--- a/mojomojo.if
+++ b/mojomojo.if
@@ -15,7 +15,6 @@
## Role allowed access.
## </summary>
## </param>
-## <rolecap/>
#
interface(`mojomojo_admin',`
refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.')
diff --git a/mojomojo.te b/mojomojo.te
index b94102efd..25d1d33a1 100644
--- a/mojomojo.te
+++ b/mojomojo.te
@@ -5,21 +5,40 @@ policy_module(mojomojo, 1.1.0)
# Declarations
#
-apache_content_template(mojomojo)
+type mojomojo_tmp_t alias httpd_mojomojo_tmp_t;
+files_tmp_file(mojomojo_tmp_t)
########################################
#
# Local policy
#
-allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+optional_policy(`
+ apache_content_template(mojomojo)
+ apache_content_alias_template(mojomojo, mojomojo)
-corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
-corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
-corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
+ manage_dirs_pattern(mojomojo_script_t, mojomojo_tmp_t, mojomojo_tmp_t)
+ manage_files_pattern(mojomojo_script_t, mojomojo_tmp_t, mojomojo_tmp_t)
+ files_tmp_filetrans(mojomojo_script_t, mojomojo_tmp_t, { file dir })
-files_search_var_lib(httpd_mojomojo_script_t)
+ corenet_tcp_connect_postgresql_port(mojomojo_script_t)
+ corenet_tcp_connect_mysqld_port(mojomojo_script_t)
+ corenet_tcp_connect_smtp_port(mojomojo_script_t)
+ corenet_sendrecv_postgresql_client_packets(mojomojo_script_t)
+ corenet_sendrecv_mysqld_client_packets(mojomojo_script_t)
+ corenet_sendrecv_smtp_client_packets(mojomojo_script_t)
-sysnet_dns_name_resolve(httpd_mojomojo_script_t)
+ files_search_var_lib(mojomojo_script_t)
-mta_send_mail(httpd_mojomojo_script_t)
+ sysnet_dns_name_resolve(mojomojo_script_t)
+
+ mta_send_mail(mojomojo_script_t)
+
+ optional_policy(`
+ mysql_stream_connect(mojomojo_script_t)
+ ')
+
+ optional_policy(`
+ postgresql_stream_connect(mojomojo_script_t)
+ ')
+')
diff --git a/mon_statd.fc b/mon_statd.fc
new file mode 100644
index 000000000..60c11c060
--- /dev/null
+++ b/mon_statd.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/mon_statd -- gen_context(system_u:object_r:mon_statd_initrc_exec_t,s0)
+
+/usr/sbin/mon_fsstatd -- gen_context(system_u:object_r:mon_statd_exec_t,s0)
+/usr/sbin/mon_procd -- gen_context(system_u:object_r:mon_procd_exec_t,s0)
+
+/var/run/procd.* -- gen_context(system_u:object_r:mon_statd_var_run_t,s0)
+/var/run/fstatd.* -- gen_context(system_u:object_r:mon_statd_var_run_t,s0)
diff --git a/mon_statd.if b/mon_statd.if
new file mode 100644
index 000000000..1ce3e4428
--- /dev/null
+++ b/mon_statd.if
@@ -0,0 +1,39 @@
+## <summary>policy for mon_statd</summary>
+
+########################################
+## <summary>
+## Execute mon_statd in the mon_statd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mon_statd_domtrans',`
+ gen_require(`
+ type mon_statd_t, mon_statd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mon_statd_exec_t, mon_statd_t)
+')
+
+########################################
+## <summary>
+## Execute mon_procd in the mon_procd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mon_procd_domtrans',`
+ gen_require(`
+ type mon_procd_t, mon_procd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mon_procd_exec_t, mon_procd_t)
+')
diff --git a/mon_statd.te b/mon_statd.te
new file mode 100644
index 000000000..e7220a5a8
--- /dev/null
+++ b/mon_statd.te
@@ -0,0 +1,76 @@
+policy_module(mon_statd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute mon_statd_domain;
+
+type mon_statd_t, mon_statd_domain;
+type mon_statd_exec_t;
+init_daemon_domain(mon_statd_t, mon_statd_exec_t)
+
+type mon_procd_t, mon_statd_domain;
+type mon_procd_exec_t;
+init_daemon_domain(mon_procd_t, mon_procd_exec_t)
+
+type mon_statd_initrc_exec_t;
+init_script_file(mon_statd_initrc_exec_t)
+
+type mon_statd_var_run_t;
+files_pid_file(mon_statd_var_run_t)
+
+########################################
+#
+# mon_statd domain policy
+#
+
+manage_files_pattern(mon_statd_domain, mon_statd_var_run_t, mon_statd_var_run_t)
+files_pid_filetrans(mon_statd_domain, mon_statd_var_run_t, file)
+
+domain_read_all_domains_state(mon_statd_domain)
+
+dev_rw_monitor_dev(mon_statd_domain)
+
+########################################
+#
+# mon_fstatd local policy
+#
+allow mon_statd_t self:process { fork signal };
+allow mon_statd_t self:fifo_file rw_fifo_file_perms;
+
+allow mon_statd_t self:unix_stream_socket create_stream_socket_perms;
+allow mon_statd_t self:unix_dgram_socket create_socket_perms;
+
+kernel_dgram_send(mon_statd_t)
+kernel_read_fs_sysctls(mon_statd_t)
+
+fs_getattr_all_fs(mon_statd_t)
+fs_getattr_all_dirs(mon_statd_t)
+
+fs_search_cgroup_dirs(mon_statd_t)
+
+logging_send_syslog_msg(mon_statd_t)
+
+optional_policy(`
+ rpc_read_nfs_state_data(mon_statd_t)
+')
+
+########################################
+#
+# mon_procd local policy
+#
+allow mon_procd_t self:capability sys_ptrace;
+
+allow mon_procd_t self:unix_dgram_socket { create connect };
+
+auth_read_passwd(mon_procd_t)
+
+kernel_dgram_send(mon_procd_t)
+kernel_read_system_state(mon_procd_t)
+
+init_read_utmp(mon_procd_t)
+
+logging_send_syslog_msg(mon_procd_t)
+
diff --git a/mongodb.fc b/mongodb.fc
index 6fcfc31b4..e9e6bc51c 100644
--- a/mongodb.fc
+++ b/mongodb.fc
@@ -1,9 +1,19 @@
/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mongos -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
-/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/lib/systemd/system/mongod.* -- gen_context(system_u:object_r:mongod_unit_file_t,s0)
+/usr/lib/systemd/system/mongos.* -- gen_context(system_u:object_r:mongod_unit_file_t,s0)
+
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/bin/mongos -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
+
+/usr/libexec/mongodb-scl-helper -- gen_context(system_u:object_r:mongod_exec_t,s0)
/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
-/var/log/mongo.* gen_context(system_u:object_r:mongod_log_t,s0)
+/var/log/mongo.* gen_context(system_u:object_r:mongod_log_t,s0)
+/var/log/aeolus-conductor/dbomatic\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0)
-/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
diff --git a/mongodb.te b/mongodb.te
index 169f236e8..eaaeb0d8b 100644
--- a/mongodb.te
+++ b/mongodb.te
@@ -12,6 +12,9 @@ init_daemon_domain(mongod_t, mongod_exec_t)
type mongod_initrc_exec_t;
init_script_file(mongod_initrc_exec_t)
+type mongod_unit_file_t;
+systemd_unit_file(mongod_unit_file_t)
+
type mongod_log_t;
logging_log_file(mongod_log_t)
@@ -21,19 +24,26 @@ files_type(mongod_var_lib_t)
type mongod_var_run_t;
files_pid_file(mongod_var_run_t)
+type mongod_tmp_t;
+files_tmp_file(mongod_tmp_t)
+
########################################
#
# Local policy
#
-allow mongod_t self:process signal;
+
+allow mongod_t self:process { setsched signal execmem };
allow mongod_t self:fifo_file rw_fifo_file_perms;
-manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
-append_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
-create_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
-setattr_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
-logging_log_filetrans(mongod_t, mongod_log_t, dir)
+allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
+allow mongod_t self:unix_stream_socket create_stream_socket_perms;
+allow mongod_t self:unix_dgram_socket create_socket_perms;
+allow mongod_t self:udp_socket create_socket_perms;
+allow mongod_t self:tcp_socket { accept listen };
+
+manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
+logging_log_filetrans(mongod_t, mongod_log_t, { dir file })
manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
@@ -41,21 +51,46 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
-files_pid_filetrans(mongod_t, mongod_var_run_t, dir)
+manage_sock_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
+files_pid_filetrans(mongod_t, mongod_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
+manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
+manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
+files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })
kernel_read_system_state(mongod_t)
+kernel_read_vm_sysctls(mongod_t)
+
+corecmd_exec_bin(mongod_t)
+corecmd_exec_shell(mongod_t)
corenet_all_recvfrom_unlabeled(mongod_t)
corenet_all_recvfrom_netlabel(mongod_t)
corenet_tcp_sendrecv_generic_if(mongod_t)
corenet_tcp_sendrecv_generic_node(mongod_t)
+corenet_tcp_connect_mongod_port(mongod_t)
+corenet_tcp_bind_mongod_port(mongod_t)
corenet_tcp_bind_generic_node(mongod_t)
dev_read_sysfs(mongod_t)
dev_read_urand(mongod_t)
-files_read_etc_files(mongod_t)
-
fs_getattr_all_fs(mongod_t)
-miscfiles_read_localization(mongod_t)
+auth_use_nsswitch(mongod_t)
+
+logging_send_syslog_msg(mongod_t)
+
+optional_policy(`
+ mysql_stream_connect(mongod_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(mongod_t)
+')
+
+optional_policy(`
+ sysnet_dns_name_resolve(mongod_t)
+')
+
diff --git a/mono.te b/mono.te
index a6a86439f..c0f6cf503 100644
--- a/mono.te
+++ b/mono.te
@@ -28,7 +28,7 @@ allow mono_domain self:process { signal getsched execheap execmem execstack };
# local policy
#
-userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file })
+userdom_filetrans_home_content(mono_t)
init_dbus_chat_script(mono_t)
diff --git a/monop.if b/monop.if
index 8fdaecea2..544075765 100644
--- a/monop.if
+++ b/monop.if
@@ -31,7 +31,7 @@ interface(`monop_admin',`
role_transition $2 monopd_initrc_exec_t system_r;
allow $2 system_r;
- logging_search_etc($1)
+ logging_search_logs($1)
admin_pattern($1, monopd_etc_t)
files_search_pids($1)
diff --git a/monop.te b/monop.te
index 5f9376384..8596763e7 100644
--- a/monop.te
+++ b/monop.te
@@ -43,7 +43,6 @@ kernel_read_kernel_sysctls(monopd_t)
kernel_list_proc(monopd_t)
kernel_read_proc_symlinks(monopd_t)
-corenet_all_recvfrom_unlabeled(monopd_t)
corenet_all_recvfrom_netlabel(monopd_t)
corenet_tcp_sendrecv_generic_if(monopd_t)
corenet_tcp_sendrecv_generic_node(monopd_t)
@@ -57,15 +56,11 @@ dev_read_sysfs(monopd_t)
domain_use_interactive_fds(monopd_t)
-files_read_etc_files(monopd_t)
-
fs_getattr_all_fs(monopd_t)
fs_search_auto_mountpoints(monopd_t)
logging_send_syslog_msg(monopd_t)
-miscfiles_read_localization(monopd_t)
-
sysnet_dns_name_resolve(monopd_t)
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
diff --git a/motion.fc b/motion.fc
new file mode 100644
index 000000000..74151069b
--- /dev/null
+++ b/motion.fc
@@ -0,0 +1,9 @@
+/usr/bin/motion -- gen_context(system_u:object_r:motion_exec_t,s0)
+
+/usr/lib/systemd/system/motion.* -- gen_context(system_u:object_r:motion_unit_file_t,s0)
+
+/var/log/motion\.log.* -- gen_context(system_u:object_r:motion_log_t,s0)
+
+/var/run/motion\.pid -- gen_context(system_u:object_r:motion_var_run_t,s0)
+
+/var/motion(/.*)? gen_context(system_u:object_r:motion_data_t,s0)
diff --git a/motion.if b/motion.if
new file mode 100644
index 000000000..edfd26777
--- /dev/null
+++ b/motion.if
@@ -0,0 +1,198 @@
+
+## <summary>Detect motion using a video4linux device</summary>
+
+########################################
+## <summary>
+## Execute motion in the motion domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`motion_domtrans',`
+ gen_require(`
+ type motion_t, motion_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, motion_exec_t, motion_t)
+')
+########################################
+## <summary>
+## Read motion's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`motion_read_log',`
+ gen_require(`
+ type motion_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, motion_log_t, motion_log_t)
+')
+
+########################################
+## <summary>
+## Append to motion log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`motion_append_log',`
+ gen_require(`
+ type motion_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, motion_log_t, motion_log_t)
+')
+
+########################################
+## <summary>
+## Manage motion log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`motion_manage_log',`
+ gen_require(`
+ type motion_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, motion_log_t, motion_log_t)
+ manage_files_pattern($1, motion_log_t, motion_log_t)
+ manage_lnk_files_pattern($1, motion_log_t, motion_log_t)
+')
+
+########################################
+## <summary>
+## Manage motion pid files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`motion_manage_pid',`
+ gen_require(`
+ type motion_var_run_t;
+ ')
+
+ manage_dirs_pattern($1, motion_var_run_t, motion_var_run_t)
+ manage_files_pattern($1, motion_var_run_t, motion_var_run_t)
+')
+
+########################################
+## <summary>
+## Manage motion data files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`motion_manage_data',`
+ gen_require(`
+ type motion_data_t;
+ ')
+
+ manage_dirs_pattern($1, motion_data_t, motion_data_t)
+ manage_files_pattern($1, motion_data_t, motion_data_t)
+')
+
+########################################
+## <summary>
+## Execute motion server in the motion domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`motion_systemctl',`
+ gen_require(`
+ type motion_t;
+ type motion_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 motion_unit_file_t:file read_file_perms;
+ allow $1 motion_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, motion_t)
+')
+
+########################################
+## <summary>
+## Manage all motion files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`motion_manage_all_files',`
+
+ motion_manage_log($1)
+ motion_manage_pid($1)
+ motion_manage_data($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an motion environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`motion_admin',`
+ gen_require(`
+ type motion_t;
+ type motion_log_t;
+ type motion_unit_file_t;
+ ')
+
+ allow $1 motion_t:process { signal_perms };
+ ps_process_pattern($1, motion_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 motion_t:process ptrace;
+ ')
+
+ logging_search_logs($1)
+ admin_pattern($1, motion_log_t)
+
+ motion_systemctl($1)
+ admin_pattern($1, motion_unit_file_t)
+ allow $1 motion_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/motion.te b/motion.te
new file mode 100644
index 000000000..c7f4eb583
--- /dev/null
+++ b/motion.te
@@ -0,0 +1,65 @@
+policy_module(motion, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type motion_t;
+type motion_exec_t;
+init_daemon_domain(motion_t, motion_exec_t)
+
+type motion_log_t;
+logging_log_file(motion_log_t)
+
+type motion_unit_file_t;
+systemd_unit_file(motion_unit_file_t)
+
+type motion_var_run_t;
+files_pid_file(motion_var_run_t)
+
+type motion_data_t;
+files_type(motion_data_t)
+
+########################################
+#
+# motion local policy
+#
+allow motion_t self:udp_socket { create connect getattr };
+allow motion_t self:tcp_socket create_stream_socket_perms;
+allow motion_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_dirs_pattern(motion_t, motion_log_t, motion_log_t)
+manage_files_pattern(motion_t, motion_log_t, motion_log_t)
+logging_log_filetrans(motion_t, motion_log_t, { dir file })
+
+manage_dirs_pattern(motion_t, motion_var_run_t, motion_var_run_t)
+manage_files_pattern(motion_t, motion_var_run_t, motion_var_run_t)
+files_pid_filetrans(motion_t, motion_var_run_t, { dir file })
+
+manage_dirs_pattern(motion_t, motion_data_t, motion_data_t)
+manage_files_pattern(motion_t, motion_data_t, motion_data_t)
+files_var_filetrans(motion_t, motion_data_t, { dir file })
+
+corenet_tcp_bind_http_cache_port(motion_t)
+corenet_tcp_bind_transproxy_port(motion_t)
+corenet_tcp_bind_us_cli_port(motion_t)
+corenet_tcp_connect_http_port(motion_t)
+corenet_tcp_bind_generic_node(motion_t)
+
+dev_read_video_dev(motion_t)
+dev_write_video_dev(motion_t)
+
+domain_use_interactive_fds(motion_t)
+
+logging_send_syslog_msg(motion_t)
+
+sysnet_read_config(motion_t)
+
+userdom_home_manager(motion_t)
+
+optional_policy(`
+ zoneminder_domtrans(motion_t)
+ zoneminder_manage_lib_files(motion_t)
+')
+
diff --git a/mozilla.fc b/mozilla.fc
index 6ffaba2e4..549fb8cdd 100644
--- a/mozilla.fc
+++ b/mozilla.fc
@@ -1,38 +1,72 @@
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-
-HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-
-/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.cache/icedtea-web(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/POkemon.*(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.webex(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.gnashpluginrc gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/abc -- gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.grl-podcasts(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.icedtea(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.juniper_networks(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.lyx(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.IBMERS(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+#
+# /bin
+#
+/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-
-/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
-/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
-/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+')
+
+ifdef(`distro_debian',`
+/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+')
+
+#
+# /lib
+#
+
+/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+
+/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+
+/usr/lib/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+
+/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
+
+/usr/libexec/WebKitPluginProcess -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
index 6194b806b..e27c53d6e 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
-## <summary>Policy for Mozilla and related web browsers.</summary>
+## <summary>Policy for Mozilla and related web browsers</summary>
########################################
## <summary>
-## Role access for mozilla.
+## Role access for mozilla
## </summary>
## <param name="role">
## <summary>
-## Role allowed access.
+## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
-## User domain for the role.
+## User domain for the role
## </summary>
## </param>
#
interface(`mozilla_role',`
gen_require(`
type mozilla_t, mozilla_exec_t, mozilla_home_t;
- type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t;
- type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t;
attribute_role mozilla_roles;
')
- ########################################
- #
- # Declarations
- #
-
roleattribute $1 mozilla_roles;
- ########################################
- #
- # Policy
- #
-
- domtrans_pattern($2, mozilla_exec_t, mozilla_t)
+ domain_auto_trans($2, mozilla_exec_t, mozilla_t)
+ # Unrestricted inheritance from the caller.
+ allow $2 mozilla_t:process { noatsecure siginh rlimitinh };
+ allow mozilla_t $2:fd use;
+ allow mozilla_t $2:process { sigchld signull };
+ allow mozilla_t $2:unix_stream_socket connectto;
- allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms };
+ # Allow the user domain to signal/ps.
ps_process_pattern($2, mozilla_t)
-
- allow mozilla_t $2:process signull;
- allow mozilla_t $2:unix_stream_socket connectto;
+ allow $2 mozilla_t:process signal_perms;
allow $2 mozilla_t:fd use;
- allow $2 mozilla_t:shm rw_shm_perms;
-
- stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t)
-
- allow $2 { mozilla_home_t mozilla_plugin_home_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms relabel_file_perms };
- allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix")
+ allow $2 mozilla_t:shm { associate getattr };
+ allow $2 mozilla_t:shm { unix_read unix_write };
+ allow $2 mozilla_t:unix_stream_socket connectto;
- filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+ # X access, Home files
+ manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+ manage_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
- allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:file { manage_file_perms relabel_file_perms };
- allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ #should be remove then with adding of roleattribute
+ mozilla_run_plugin(mozilla_t, $1)
+ mozilla_dbus_chat($2)
- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:file { manage_file_perms relabel_file_perms };
- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ userdom_manage_tmp_role($1, mozilla_t)
optional_policy(`
- mozilla_dbus_chat($2)
+ nsplugin_role($1, mozilla_t)
')
-')
-########################################
-## <summary>
-## Role access for mozilla plugin.
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role.
-## </summary>
-## </param>
-#
-interface(`mozilla_role_plugin',`
- gen_require(`
- type mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_plugin_rw_t;
- type mozilla_home_t;
+ optional_policy(`
+ pulseaudio_role($1, mozilla_t)
+ pulseaudio_filetrans_admin_home_content(mozilla_t)
+ pulseaudio_filetrans_home_content(mozilla_t)
')
- mozilla_run_plugin($2, $1)
- mozilla_run_plugin_config($2, $1)
-
- allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms };
- ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t })
+ mozilla_filetrans_home_content($2)
- allow $2 mozilla_plugin_t:unix_stream_socket rw_socket_perms;
- allow $2 mozilla_plugin_t:fd use;
-
- stream_connect_pattern($2, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
-
- allow mozilla_plugin_t $2:process signull;
- allow mozilla_plugin_t $2:unix_stream_socket { connectto rw_socket_perms };
- allow mozilla_plugin_t $2:unix_dgram_socket { sendto rw_socket_perms };
- allow mozilla_plugin_t $2:shm { rw_shm_perms destroy };
- allow mozilla_plugin_t $2:sem create_sem_perms;
-
- allow $2 mozilla_home_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 mozilla_home_t:file { manage_file_perms relabel_file_perms };
- allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix")
-
- allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms };
- allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-
- allow $2 mozilla_plugin_tmpfs_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 mozilla_plugin_tmpfs_t:file { manage_file_perms relabel_file_perms };
- allow $2 mozilla_plugin_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
- allow $2 mozilla_plugin_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-
- allow $2 mozilla_plugin_rw_t:dir list_dir_perms;
- allow $2 mozilla_plugin_rw_t:file read_file_perms;
- allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
-
- can_exec($2, mozilla_plugin_rw_t)
-
- optional_policy(`
- mozilla_dbus_chat_plugin($2)
- ')
')
########################################
## <summary>
-## Read mozilla home directory content.
+## Read mozilla home directory content
## </summary>
## <param name="domain">
## <summary>
@@ -153,15 +82,15 @@ interface(`mozilla_read_user_home_files',`
type mozilla_home_t;
')
- userdom_search_user_home_dirs($1)
allow $1 mozilla_home_t:dir list_dir_perms;
allow $1 mozilla_home_t:file read_file_perms;
allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
+ userdom_search_user_home_dirs($1)
')
########################################
## <summary>
-## Write mozilla home directory files.
+## Write mozilla home directory content
## </summary>
## <param name="domain">
## <summary>
@@ -174,14 +103,13 @@ interface(`mozilla_write_user_home_files',`
type mozilla_home_t;
')
- userdom_search_user_home_dirs($1)
write_files_pattern($1, mozilla_home_t, mozilla_home_t)
+ userdom_search_user_home_dirs($1)
')
########################################
## <summary>
-## Do not audit attempts to read and
-## write mozilla home directory files.
+## Dontaudit attempts to read/write mozilla home directory content
## </summary>
## <param name="domain">
## <summary>
@@ -194,14 +122,12 @@ interface(`mozilla_dontaudit_rw_user_home_files',`
type mozilla_home_t;
')
- dontaudit $1 mozilla_home_t:file rw_file_perms;
+ dontaudit $1 mozilla_home_t:file rw_inherited_file_perms;
')
########################################
## <summary>
-## Do not audit attempt to Create,
-## read, write, and delete mozilla
-## home directory content.
+## Dontaudit attempts to write mozilla home directory content
## </summary>
## <param name="domain">
## <summary>
@@ -216,12 +142,11 @@ interface(`mozilla_dontaudit_manage_user_home_files',`
dontaudit $1 mozilla_home_t:dir manage_dir_perms;
dontaudit $1 mozilla_home_t:file manage_file_perms;
- dontaudit $1 mozilla_home_t:lnk_file manage_lnk_file_perms;
')
########################################
## <summary>
-## Execute mozilla home directory files. (Deprecated)
+## Execute mozilla home directory content.
## </summary>
## <param name="domain">
## <summary>
@@ -230,33 +155,16 @@ interface(`mozilla_dontaudit_manage_user_home_files',`
## </param>
#
interface(`mozilla_exec_user_home_files',`
- refpolicywarn(`$0($*) has been deprecated, use mozilla_exec_user_plugin_home_files() instead.')
- mozilla_exec_user_plugin_home_files($1)
-')
-
-########################################
-## <summary>
-## Execute mozilla plugin home directory files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mozilla_exec_user_plugin_home_files',`
gen_require(`
- type mozilla_home_t, mozilla_plugin_home_t;
+ type mozilla_home_t;
')
- userdom_search_user_home_dirs($1)
- exec_files_pattern($1, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
+ can_exec($1, mozilla_home_t)
')
########################################
## <summary>
-## Mozilla home directory file
-## text relocation. (Deprecated)
+## Execmod mozilla home directory content.
## </summary>
## <param name="domain">
## <summary>
@@ -265,140 +173,157 @@ interface(`mozilla_exec_user_plugin_home_files',`
## </param>
#
interface(`mozilla_execmod_user_home_files',`
- refpolicywarn(`$0($*) has been deprecated, use mozilla_execmod_user_plugin_home_files() instead.')
- mozilla_execmod_user_plugin_home_files($1)
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ allow $1 mozilla_home_t:file execmod;
')
########################################
## <summary>
-## Mozilla plugin home directory file
-## text relocation.
+## Run mozilla in the mozilla domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
## </summary>
## </param>
#
-interface(`mozilla_execmod_user_plugin_home_files',`
+interface(`mozilla_domtrans',`
gen_require(`
- type mozilla_plugin_home_t;
+ type mozilla_t, mozilla_exec_t;
')
- allow $1 mozilla_plugin_home_t:file execmod;
+ domtrans_pattern($1, mozilla_exec_t, mozilla_t)
')
########################################
## <summary>
-## Run mozilla in the mozilla domain.
+## Execute a mozilla_exec_t in the specified domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
#
-interface(`mozilla_domtrans',`
+interface(`mozilla_domtrans_spec',`
gen_require(`
- type mozilla_t, mozilla_exec_t;
+ type mozilla_exec_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, mozilla_exec_t, mozilla_t)
+ domain_entry_file($2, mozilla_exec_t)
+ domtrans_pattern($1, mozilla_exec_t, $2)
')
########################################
## <summary>
-## Execute a domain transition to
-## run mozilla plugin.
+## Execute a domain transition to run mozilla_plugin.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed access.
## </summary>
## </param>
#
interface(`mozilla_domtrans_plugin',`
gen_require(`
type mozilla_plugin_t, mozilla_plugin_exec_t;
+ type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
+ type mozilla_plugin_rw_t;
+ class dbus send_msg;
')
- corecmd_search_bin($1)
domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
+ domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
+ allow mozilla_plugin_t $1:process signull;
+ dontaudit mozilla_plugin_config_t $1:file read_inherited_file_perms;
+ dontaudit mozilla_plugin_t $1:process signal;
+ allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
+ allow $1 mozilla_plugin_t:fd use;
+
+ allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;
+ allow mozilla_plugin_t $1:unix_dgram_socket { sendto rw_socket_perms };
+ allow mozilla_plugin_t $1:shm { rw_shm_perms destroy };
+ allow mozilla_plugin_t $1:sem create_sem_perms;
+ allow $1 mozilla_plugin_t:sem rw_sem_perms;
+ allow $1 mozilla_plugin_t:shm rw_shm_perms;
+ allow $1 mozilla_plugin_t:fifo_file rw_fifo_file_perms;
+
+ ps_process_pattern($1, mozilla_plugin_t)
+ ps_process_pattern(mozilla_plugin_t, $1)
+ allow $1 mozilla_plugin_t:process { signal_perms noatsecure };
+
+ list_dirs_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+ read_lnk_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+ can_exec($1, mozilla_plugin_rw_t)
+
+ allow $1 mozilla_plugin_t:dbus send_msg;
+ allow mozilla_plugin_t $1:dbus send_msg;
+
+ allow mozilla_plugin_t $1:process signull;
')
########################################
## <summary>
-## Execute mozilla plugin in the
-## mozilla plugin domain, and allow
-## the specified role the mozilla
-## plugin domain.
+## Execute mozilla_plugin in the mozilla_plugin domain, and
+## allow the specified role the mozilla_plugin domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed access
## </summary>
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed the mozilla_plugin domain.
## </summary>
## </param>
#
interface(`mozilla_run_plugin',`
gen_require(`
- attribute_role mozilla_plugin_roles;
+ type mozilla_plugin_t;
+ attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles;
')
mozilla_domtrans_plugin($1)
roleattribute $2 mozilla_plugin_roles;
-')
+ roleattribute $2 mozilla_plugin_config_roles;
-########################################
-## <summary>
-## Execute a domain transition to
-## run mozilla plugin config.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`mozilla_domtrans_plugin_config',`
- gen_require(`
- type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mozilla_plugin_t:process ptrace;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
+ optional_policy(`
+ lpd_run_lpr(mozilla_plugin_t, $2)
+ ')
')
-########################################
+#######################################
## <summary>
-## Execute mozilla plugin config in
-## the mozilla plugin config domain,
-## and allow the specified role the
-## mozilla plugin config domain.
+## Execute qemu unconfined programs in the role.
## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
+## <summary>
+## The role to allow the mozilla_plugin domain.
+## </summary>
## </param>
+## <rolecap/>
#
-interface(`mozilla_run_plugin_config',`
- gen_require(`
- attribute_role mozilla_plugin_config_roles;
- ')
+interface(`mozilla_role_plugin',`
+ gen_require(`
+ attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles;
+ ')
- mozilla_domtrans_plugin_config($1)
- roleattribute $2 mozilla_plugin_config_roles;
+ roleattribute $1 mozilla_plugin_roles;
+ roleattribute $1 mozilla_plugin_config_roles;
')
########################################
@@ -424,8 +349,7 @@ interface(`mozilla_dbus_chat',`
########################################
## <summary>
-## Send and receive messages from
-## mozilla plugin over dbus.
+## read/write mozilla per user tcp_socket
## </summary>
## <param name="domain">
## <summary>
@@ -433,57 +357,162 @@ interface(`mozilla_dbus_chat',`
## </summary>
## </param>
#
-interface(`mozilla_dbus_chat_plugin',`
+interface(`mozilla_rw_tcp_sockets',`
gen_require(`
- type mozilla_plugin_t;
- class dbus send_msg;
+ type mozilla_t;
')
- allow $1 mozilla_plugin_t:dbus send_msg;
- allow mozilla_plugin_t $1:dbus send_msg;
+ allow $1 mozilla_t:tcp_socket rw_socket_perms;
+')
+
+#######################################
+## <summary>
+## Read mozilla_plugin tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mozilla_plugin_read_tmpfs_files',`
+ gen_require(`
+ type mozilla_plugin_tmpfs_t;
+ ')
+
+ allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Read/Write mozilla_plugin tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mozilla_plugin_rw_tmpfs_files',`
+ gen_require(`
+ type mozilla_plugin_tmpfs_t;
+ ')
+
+ rw_files_pattern($1, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
')
########################################
## <summary>
-## Read and write mozilla TCP sockets.
+## Delete mozilla_plugin tmpfs files
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed access
## </summary>
## </param>
#
-interface(`mozilla_rw_tcp_sockets',`
+interface(`mozilla_plugin_delete_tmpfs_files',`
gen_require(`
- type mozilla_t;
+ type mozilla_plugin_tmpfs_t;
')
- allow $1 mozilla_t:tcp_socket rw_socket_perms;
+ allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
+')
+
+#######################################
+## <summary>
+## Dontaudit generict ipc read/write to a mozilla_plugin
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mozilla_plugin_dontaudit_rw_sem',`
+ gen_require(`
+ type mozilla_plugin_t;
+ ')
+
+ dontaudit $1 mozilla_plugin_t:sem { associate unix_read unix_write };
+')
+
+#######################################
+## <summary>
+## Allow generict ipc read/write to a mozilla_plugin
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mozilla_plugin_rw_sem',`
+ gen_require(`
+ type mozilla_plugin_t;
+ ')
+
+ allow $1 mozilla_plugin_t:sem { associate unix_read unix_write };
')
########################################
## <summary>
-## Create, read, write, and delete
-## mozilla plugin rw files.
+## Dontaudit read/write to a mozilla_plugin leaks
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`mozilla_manage_plugin_rw_files',`
+interface(`mozilla_plugin_dontaudit_leaks',`
gen_require(`
- type mozilla_plugin_rw_t;
+ type mozilla_plugin_t;
')
- libs_search_lib($1)
- manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
+')
+
+#######################################
+## <summary>
+## Dontaudit read/write to a mozilla_plugin tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mozilla_plugin_dontaudit_rw_tmp_files',`
+ gen_require(`
+ type mozilla_plugin_tmp_t;
+ ')
+
+ dontaudit $1 mozilla_plugin_tmp_t:file { read write };
+')
+
+#######################################
+## <summary>
+## Allow read/write to a mozilla_plugin tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_plugin_rw_tmp_files',`
+ gen_require(`
+ type mozilla_plugin_tmp_t;
+ ')
+
+ dontaudit $1 mozilla_plugin_tmp_t:file { read write };
')
########################################
## <summary>
-## Read mozilla_plugin tmpfs files.
+## Create, read, write, and delete
+## mozilla_plugin rw files.
## </summary>
## <param name="domain">
## <summary>
@@ -491,18 +520,18 @@ interface(`mozilla_manage_plugin_rw_files',`
## </summary>
## </param>
#
-interface(`mozilla_plugin_read_tmpfs_files',`
+interface(`mozilla_plugin_manage_rw_files',`
gen_require(`
- type mozilla_plugin_tmpfs_t;
+ type mozilla_plugin_rw_t;
')
- fs_search_tmpfs($1)
- allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
+ allow $1 mozilla_plugin_rw_t:file manage_file_perms;
+ allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;
')
########################################
## <summary>
-## Delete mozilla_plugin tmpfs files.
+## read mozilla_plugin rw files.
## </summary>
## <param name="domain">
## <summary>
@@ -510,19 +539,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
## </summary>
## </param>
#
-interface(`mozilla_plugin_delete_tmpfs_files',`
+interface(`mozilla_plugin_read_rw_files',`
gen_require(`
- type mozilla_plugin_tmpfs_t;
+ type mozilla_plugin_rw_t;
')
- fs_search_tmpfs($1)
- allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
+ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## generic mozilla plugin home content.
+## Create mozilla content in the user home directory
+## with an correct label.
## </summary>
## <param name="domain">
## <summary>
@@ -530,45 +558,58 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
## </summary>
## </param>
#
-interface(`mozilla_manage_generic_plugin_home_content',`
+interface(`mozilla_filetrans_home_content',`
+
gen_require(`
- type mozilla_plugin_home_t;
+ type mozilla_home_t, mozilla_plugin_rw_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 mozilla_plugin_home_t:dir manage_dir_perms;
- allow $1 mozilla_plugin_home_t:file manage_file_perms;
- allow $1 mozilla_plugin_home_t:fifo_file manage_fifo_file_perms;
- allow $1 mozilla_plugin_home_t:lnk_file manage_lnk_file_perms;
- allow $1 mozilla_plugin_home_t:sock_file manage_sock_file_perms;
+ files_filetrans_lib($1, mozilla_plugin_rw_t, file, "nswrapper_32_64.nppdf.so")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".thunderbird")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".netscape")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".phoenix")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".adobe")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".macromedia")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".grl-podcasts")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedtea")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".juniper_networks")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".IBMERS")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, ".gnashpluginrc")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".webex")
+ optional_policy(`
+ gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
+ gnome_cache_filetrans($1, mozilla_home_t, dir, "icedtea-web")
+ ')
')
########################################
## <summary>
-## Create objects in user home
-## directories with the generic mozilla
-## plugin home type.
+## Allow the domain to read mozilla_plugin state files in /proc.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
#
-interface(`mozilla_home_filetrans_plugin_home',`
+interface(`mozilla_plugin_read_state',`
gen_require(`
- type mozilla_plugin_home_t;
+ type mozilla_plugin_t;
')
- userdom_user_home_dir_filetrans($1, mozilla_plugin_home_t, $2, $3)
+ kernel_search_proc($1)
+ ps_process_pattern($1, mozilla_plugin_t)
')
+
diff --git a/mozilla.te b/mozilla.te
index 11ac8e4fc..bb6533dae 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
#
## <desc>
-## <p>
-## Determine whether mozilla can
-## make its stack executable.
-## </p>
+## <p>
+## Allow mozilla plugin domain to connect to the network using TCP.
+## </p>
## </desc>
-gen_tunable(mozilla_execstack, false)
+gen_tunable(mozilla_plugin_can_network_connect, true)
+
+## <desc>
+## <p>
+## Allow mozilla plugin domain to bind unreserved tcp/udp ports.
+## </p>
+## </desc>
+
+gen_tunable(mozilla_plugin_bind_unreserved_ports, false)
+
+## <desc>
+## <p>
+## Allow mozilla plugin to support spice protocols.
+## </p>
+## </desc>
+gen_tunable(mozilla_plugin_use_spice, false)
+
+## <desc>
+## <p>
+## Allow mozilla plugin to support GPS.
+## </p>
+## </desc>
+gen_tunable(mozilla_plugin_use_gps, false)
+
+## <desc>
+## <p>
+## Allow mozilla plugin to use Bluejeans.
+## </p>
+## </desc>
+gen_tunable(mozilla_plugin_use_bluejeans, false)
+
+## <desc>
+## <p>
+## Allow confined web browsers to read home directory content
+## </p>
+## </desc>
+gen_tunable(mozilla_read_content, false)
attribute_role mozilla_roles;
attribute_role mozilla_plugin_roles;
attribute_role mozilla_plugin_config_roles;
+roleattribute system_r mozilla_roles;
+roleattribute system_r mozilla_plugin_roles;
+roleattribute system_r mozilla_plugin_config_roles;
+
type mozilla_t;
type mozilla_exec_t;
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
@@ -24,6 +63,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
role mozilla_roles types mozilla_t;
+type mozilla_conf_t;
+files_config_file(mozilla_conf_t)
+
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
@@ -31,28 +73,24 @@ userdom_user_home_content(mozilla_home_t)
type mozilla_plugin_t;
type mozilla_plugin_exec_t;
-userdom_user_application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
+application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
role mozilla_plugin_roles types mozilla_plugin_t;
-type mozilla_plugin_home_t;
-userdom_user_home_content(mozilla_plugin_home_t)
-
type mozilla_plugin_tmp_t;
+userdom_user_tmp_content(mozilla_plugin_tmp_t)
userdom_user_tmp_file(mozilla_plugin_tmp_t)
type mozilla_plugin_tmpfs_t;
+userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t)
userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t)
-optional_policy(`
- pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t)
-')
-
type mozilla_plugin_rw_t;
files_type(mozilla_plugin_rw_t)
type mozilla_plugin_config_t;
type mozilla_plugin_config_exec_t;
-userdom_user_application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
+application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
+role mozilla_roles types mozilla_plugin_config_t;
role mozilla_plugin_config_roles types mozilla_plugin_config_t;
type mozilla_tmp_t;
@@ -63,10 +101,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
userdom_user_tmpfs_file(mozilla_tmpfs_t)
-optional_policy(`
- pulseaudio_tmpfs_content(mozilla_tmpfs_t)
-')
-
########################################
#
# Local policy
@@ -75,104 +109,101 @@ optional_policy(`
allow mozilla_t self:capability { sys_nice setgid setuid };
allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow mozilla_t self:fifo_file rw_fifo_file_perms;
-allow mozilla_t self:shm create_shm_perms;
+allow mozilla_t self:shm { unix_read unix_write read write destroy create };
allow mozilla_t self:sem create_sem_perms;
allow mozilla_t self:socket create_socket_perms;
-allow mozilla_t self:unix_stream_socket { accept listen };
+allow mozilla_t self:unix_stream_socket { listen accept };
+# Browse the web, connect to printer
+allow mozilla_t self:tcp_socket create_socket_perms;
+allow mozilla_t self:netlink_route_socket r_netlink_socket_perms;
-allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms;
-allow mozilla_t mozilla_plugin_t:fd use;
+# for bash - old mozilla binary
+can_exec(mozilla_t, mozilla_exec_t)
-allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
-allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file manage_file_perms;
-allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms;
-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon")
-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla")
-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".netscape")
-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".phoenix")
+# X access, Home files
+manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+userdom_search_user_home_dirs(mozilla_t)
-filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+# Mozpluggerrc
+allow mozilla_t mozilla_conf_t:file read_file_perms;
manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
-files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
+# mozilla will manage user_tmp_t, so it will transition to it.
+#files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
-
-allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms;
-allow mozilla_t mozilla_plugin_rw_t:file read_file_perms;
-allow mozilla_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
-
-stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
-
-can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })
+allow mozilla_plugin_t mozilla_tmpfs_t:file map;
kernel_read_kernel_sysctls(mozilla_t)
kernel_read_network_state(mozilla_t)
+# Access /proc, sysctl
kernel_read_system_state(mozilla_t)
kernel_read_net_sysctls(mozilla_t)
+# Look for plugins
corecmd_list_bin(mozilla_t)
+# for bash - old mozilla binary
corecmd_exec_shell(mozilla_t)
corecmd_exec_bin(mozilla_t)
-corenet_all_recvfrom_unlabeled(mozilla_t)
+# Browse the web, connect to printer
corenet_all_recvfrom_netlabel(mozilla_t)
corenet_tcp_sendrecv_generic_if(mozilla_t)
+corenet_raw_sendrecv_generic_if(mozilla_t)
corenet_tcp_sendrecv_generic_node(mozilla_t)
-
-corenet_sendrecv_http_client_packets(mozilla_t)
-corenet_tcp_connect_http_port(mozilla_t)
+corenet_raw_sendrecv_generic_node(mozilla_t)
corenet_tcp_sendrecv_http_port(mozilla_t)
-
-corenet_sendrecv_http_cache_client_packets(mozilla_t)
-corenet_tcp_connect_http_cache_port(mozilla_t)
corenet_tcp_sendrecv_http_cache_port(mozilla_t)
-
-corenet_sendrecv_squid_client_packets(mozilla_t)
-corenet_tcp_connect_squid_port(mozilla_t)
corenet_tcp_sendrecv_squid_port(mozilla_t)
-
-corenet_sendrecv_ftp_client_packets(mozilla_t)
-corenet_tcp_connect_ftp_port(mozilla_t)
corenet_tcp_sendrecv_ftp_port(mozilla_t)
-
-corenet_sendrecv_ipp_client_packets(mozilla_t)
-corenet_tcp_connect_ipp_port(mozilla_t)
+corenet_tcp_connect_all_ephemeral_ports(mozilla_t)
corenet_tcp_sendrecv_ipp_port(mozilla_t)
-
-corenet_sendrecv_soundd_client_packets(mozilla_t)
+corenet_tcp_connect_http_port(mozilla_t)
+corenet_tcp_connect_http_cache_port(mozilla_t)
+corenet_tcp_connect_squid_port(mozilla_t)
+corenet_tcp_connect_ftp_port(mozilla_t)
+corenet_tcp_connect_ipp_port(mozilla_t)
+corenet_tcp_connect_generic_port(mozilla_t)
corenet_tcp_connect_soundd_port(mozilla_t)
-corenet_tcp_sendrecv_soundd_port(mozilla_t)
-
-corenet_sendrecv_speech_client_packets(mozilla_t)
+corenet_sendrecv_http_client_packets(mozilla_t)
+corenet_sendrecv_http_cache_client_packets(mozilla_t)
+corenet_sendrecv_squid_client_packets(mozilla_t)
+corenet_sendrecv_ftp_client_packets(mozilla_t)
+corenet_sendrecv_ipp_client_packets(mozilla_t)
+corenet_sendrecv_generic_client_packets(mozilla_t)
+# Should not need other ports
+corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
+corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
corenet_tcp_connect_speech_port(mozilla_t)
-corenet_tcp_sendrecv_speech_port(mozilla_t)
-dev_getattr_sysfs_dirs(mozilla_t)
-dev_read_sound(mozilla_t)
-dev_read_rand(mozilla_t)
dev_read_urand(mozilla_t)
-dev_rw_dri(mozilla_t)
+dev_read_rand(mozilla_t)
dev_write_sound(mozilla_t)
+dev_read_sound(mozilla_t)
+dev_dontaudit_rw_dri(mozilla_t)
+dev_getattr_sysfs_dirs(mozilla_t)
domain_dontaudit_read_all_domains_state(mozilla_t)
files_read_etc_runtime_files(mozilla_t)
-files_read_usr_files(mozilla_t)
-files_read_var_files(mozilla_t)
+# /var/lib
files_read_var_lib_files(mozilla_t)
+# interacting with gstreamer
+files_read_var_files(mozilla_t)
files_read_var_symlinks(mozilla_t)
files_dontaudit_getattr_boot_dirs(mozilla_t)
-fs_getattr_all_fs(mozilla_t)
+fs_dontaudit_getattr_all_fs(mozilla_t)
fs_search_auto_mountpoints(mozilla_t)
fs_list_inotifyfs(mozilla_t)
-fs_rw_tmpfs_files(mozilla_t)
+fs_rw_inherited_tmpfs_files(mozilla_t)
term_dontaudit_getattr_pty_dirs(mozilla_t)
@@ -181,56 +212,73 @@ auth_use_nsswitch(mozilla_t)
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
-miscfiles_read_localization(mozilla_t)
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
-userdom_use_user_ptys(mozilla_t)
-
-userdom_manage_user_tmp_dirs(mozilla_t)
-userdom_manage_user_tmp_files(mozilla_t)
+userdom_use_inherited_user_ptys(mozilla_t)
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
-
-userdom_write_user_tmp_sockets(mozilla_t)
-
-mozilla_run_plugin(mozilla_t, mozilla_roles)
-mozilla_run_plugin_config(mozilla_t, mozilla_roles)
+#mozilla_run_plugin(mozilla_t, mozilla_roles)
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
-ifndef(`enable_mls',`
- fs_list_dos(mozilla_t)
- fs_read_dos_files(mozilla_t)
-
- fs_search_removable(mozilla_t)
- fs_read_removable_files(mozilla_t)
- fs_read_removable_symlinks(mozilla_t)
-
- fs_read_iso9660_files(mozilla_t)
+tunable_policy(`selinuxuser_execstack',`
+ allow mozilla_t self:process execstack;
')
-tunable_policy(`allow_execmem',`
+tunable_policy(`deny_execmem',`',`
allow mozilla_t self:process execmem;
')
-tunable_policy(`mozilla_execstack',`
- allow mozilla_t self:process { execmem execstack };
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_t)
- fs_manage_nfs_files(mozilla_t)
- fs_manage_nfs_symlinks(mozilla_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mozilla_t)
- fs_manage_cifs_files(mozilla_t)
- fs_manage_cifs_symlinks(mozilla_t)
+userdom_home_manager(mozilla_t)
+
+# Uploads, local html
+tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(mozilla_t)
+ files_list_home(mozilla_t)
+ fs_read_nfs_files(mozilla_t)
+ fs_read_nfs_symlinks(mozilla_t)
+
+',`
+ files_dontaudit_list_home(mozilla_t)
+ fs_dontaudit_list_auto_mountpoints(mozilla_t)
+ fs_dontaudit_read_nfs_files(mozilla_t)
+ fs_dontaudit_list_nfs(mozilla_t)
+')
+
+tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(mozilla_t)
+ files_list_home(mozilla_t)
+ fs_read_cifs_files(mozilla_t)
+ fs_read_cifs_symlinks(mozilla_t)
+',`
+ files_dontaudit_list_home(mozilla_t)
+ fs_dontaudit_list_auto_mountpoints(mozilla_t)
+ fs_dontaudit_read_cifs_files(mozilla_t)
+ fs_dontaudit_list_cifs(mozilla_t)
+')
+
+tunable_policy(`mozilla_read_content',`
+ userdom_list_user_tmp(mozilla_t)
+ userdom_read_user_tmp_files(mozilla_t)
+ userdom_read_user_tmp_symlinks(mozilla_t)
+ userdom_read_user_home_content_files(mozilla_t)
+ userdom_read_user_home_content_symlinks(mozilla_t)
+
+ ifndef(`enable_mls',`
+ fs_search_removable(mozilla_t)
+ fs_read_removable_files(mozilla_t)
+ fs_read_removable_symlinks(mozilla_t)
+ ')
+',`
+ files_dontaudit_list_tmp(mozilla_t)
+ files_dontaudit_list_home(mozilla_t)
+ fs_dontaudit_list_removable(mozilla_t)
+ fs_dontaudit_read_removable_files(mozilla_t)
+ userdom_dontaudit_list_user_tmp(mozilla_t)
+ userdom_dontaudit_read_user_tmp_files(mozilla_t)
+ userdom_dontaudit_list_user_home_dirs(mozilla_t)
+ userdom_dontaudit_read_user_home_content_files(mozilla_t)
')
optional_policy(`
@@ -244,19 +292,12 @@ optional_policy(`
optional_policy(`
cups_read_rw_config(mozilla_t)
+ cups_dbus_chat(mozilla_t)
')
optional_policy(`
- dbus_all_session_bus_client(mozilla_t)
dbus_system_bus_client(mozilla_t)
-
- optional_policy(`
- cups_dbus_chat(mozilla_t)
- ')
-
- optional_policy(`
- mozilla_dbus_chat_plugin(mozilla_t)
- ')
+ dbus_session_bus_client(mozilla_t)
optional_policy(`
networkmanager_dbus_chat(mozilla_t)
@@ -265,33 +306,32 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
- gnome_manage_generic_gconf_home_content(mozilla_t)
- gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconf")
- gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconfd")
- gnome_manage_generic_home_content(mozilla_t)
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome")
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2")
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
+ gnome_manage_config(mozilla_t)
+ gnome_manage_gconf_home_files(mozilla_t)
+')
+
+optional_policy(`
+ java_domtrans(mozilla_t)
')
optional_policy(`
- java_exec(mozilla_t)
- java_manage_generic_home_content(mozilla_t)
- java_home_filetrans_java_home(mozilla_t, dir, ".java")
+ lpd_domtrans_lpr(mozilla_t)
')
optional_policy(`
- lpd_run_lpr(mozilla_t, mozilla_roles)
+ mplayer_domtrans(mozilla_t)
+ mplayer_read_user_home_files(mozilla_t)
')
optional_policy(`
- mplayer_exec(mozilla_t)
- mplayer_manage_generic_home_content(mozilla_t)
- mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
+ nscd_socket_use(mozilla_t)
')
optional_policy(`
- pulseaudio_run(mozilla_t, mozilla_roles)
+ #pulseaudio_role(mozilla_roles, mozilla_t)
+ pulseaudio_exec(mozilla_t)
+ pulseaudio_stream_connect(mozilla_t)
+ pulseaudio_manage_home_files(mozilla_t)
')
optional_policy(`
@@ -300,259 +340,265 @@ optional_policy(`
########################################
#
-# Plugin local policy
+# mozilla_plugin local policy
#
-dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_ptrace sys_tty_config };
-allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms setrlimit };
-allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
+dontaudit mozilla_plugin_t self:capability { sys_ptrace sys_admin ipc_lock sys_nice sys_tty_config };
+dontaudit mozilla_plugin_t self:capability2 block_suspend;
+dontaudit mozilla_plugin_t self:cap_userns {sys_ptrace };
+dontaudit mozilla_plugin_t self:rawip_socket create_socket_perms;
+
+
+allow mozilla_plugin_t self:cap_userns {sys_admin sys_chroot};
+allow mozilla_plugin_t self:process { getsession setcap setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow mozilla_plugin_t self:netlink_socket create_socket_perms;
+allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
+allow mozilla_plugin_t self:udp_socket create_socket_perms;
allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
+
allow mozilla_plugin_t self:sem create_sem_perms;
allow mozilla_plugin_t self:shm create_shm_perms;
-allow mozilla_plugin_t self:tcp_socket { accept listen };
-allow mozilla_plugin_t self:unix_stream_socket { accept connectto listen };
-
-allow mozilla_plugin_t mozilla_t:unix_stream_socket rw_socket_perms;
-allow mozilla_plugin_t mozilla_t:unix_dgram_socket rw_socket_perms;
-allow mozilla_plugin_t mozilla_t:shm { rw_shm_perms destroy };
-allow mozilla_plugin_t mozilla_t:sem create_sem_perms;
-
-manage_dirs_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
-manage_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-manage_lnk_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".galeon")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".mozilla")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".netscape")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".phoenix")
-
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".adobe")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".macromedia")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gnash")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gcjwebplugin")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".icedteaplugin")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".spicec")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".ICAClient")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
-
-filetrans_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+allow mozilla_plugin_t self:msgq create_msgq_perms;
+allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
+allow mozilla_plugin_t self:unix_dgram_socket sendto;
+allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
+can_exec(mozilla_plugin_t, mozilla_home_t)
+manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
-files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
-userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file dir lnk_file sock_file fifo_file })
+userdom_manage_home_texlive(mozilla_plugin_t)
+allow mozilla_plugin_t mozilla_plugin_tmpfs_t:file map;
-allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
+can_exec(mozilla_plugin_t, mozilla_exec_t)
kernel_read_all_sysctls(mozilla_plugin_t)
kernel_read_system_state(mozilla_plugin_t)
kernel_read_network_state(mozilla_plugin_t)
kernel_request_load_module(mozilla_plugin_t)
kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
+files_dontaudit_read_root_files(mozilla_plugin_t)
+kernel_dontaudit_list_all_proc(mozilla_plugin_t)
+kernel_dontaudit_list_all_sysctls(mozilla_plugin_t)
corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)
+corecmd_dontaudit_access_all_executables(mozilla_plugin_t)
+corecmd_getattr_all_executables(mozilla_plugin_t)
-corenet_all_recvfrom_netlabel(mozilla_plugin_t)
-corenet_all_recvfrom_unlabeled(mozilla_plugin_t)
-corenet_tcp_sendrecv_generic_if(mozilla_plugin_t)
-corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
-
-corenet_sendrecv_asterisk_client_packets(mozilla_plugin_t)
+corenet_tcp_bind_generic_node(mozilla_plugin_t)
+corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
+corenet_tcp_connect_aol_port(mozilla_plugin_t)
corenet_tcp_connect_asterisk_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_asterisk_port(mozilla_plugin_t)
-
-corenet_sendrecv_ftp_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_commplex_link_port(mozilla_plugin_t)
+corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
+corenet_tcp_connect_flash_port(mozilla_plugin_t)
corenet_tcp_connect_ftp_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_ftp_port(mozilla_plugin_t)
-
-corenet_sendrecv_gatekeeper_client_packets(mozilla_plugin_t)
corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_gatekeeper_port(mozilla_plugin_t)
-
-corenet_sendrecv_http_client_packets(mozilla_plugin_t)
-corenet_tcp_connect_http_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_http_port(mozilla_plugin_t)
-
-corenet_sendrecv_http_cache_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_generic_port(mozilla_plugin_t)
corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_http_cache_port(mozilla_plugin_t)
-
-corenet_sendrecv_ipp_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_http_port(mozilla_plugin_t)
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_ipp_port(mozilla_plugin_t)
-
-corenet_sendrecv_ircd_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t)
corenet_tcp_connect_ircd_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_ircd_port(mozilla_plugin_t)
-
-corenet_sendrecv_jabber_client_client_packets(mozilla_plugin_t)
corenet_tcp_connect_jabber_client_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_jabber_client_port(mozilla_plugin_t)
-
-corenet_sendrecv_mmcc_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_jboss_management_port(mozilla_plugin_t)
corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_mmcc_port(mozilla_plugin_t)
-
-corenet_sendrecv_monopd_client_packets(mozilla_plugin_t)
corenet_tcp_connect_monopd_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_monopd_port(mozilla_plugin_t)
-
-corenet_sendrecv_soundd_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_msnp_port(mozilla_plugin_t)
+corenet_tcp_connect_ms_streaming_port(mozilla_plugin_t)
+corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
+corenet_tcp_connect_rtsp_port(mozilla_plugin_t)
corenet_tcp_connect_soundd_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_soundd_port(mozilla_plugin_t)
-
-corenet_sendrecv_speech_client_packets(mozilla_plugin_t)
corenet_tcp_connect_speech_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_speech_port(mozilla_plugin_t)
-
-corenet_sendrecv_squid_client_packets(mozilla_plugin_t)
corenet_tcp_connect_squid_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_squid_port(mozilla_plugin_t)
-
-corenet_sendrecv_vnc_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_tor_port(mozilla_plugin_t)
+corenet_tcp_connect_transproxy_port(mozilla_plugin_t)
corenet_tcp_connect_vnc_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t)
+corenet_tcp_connect_whois_port(mozilla_plugin_t)
+corenet_tcp_bind_generic_node(mozilla_plugin_t)
+corenet_udp_bind_generic_node(mozilla_plugin_t)
+corenet_tcp_bind_jboss_debug_port(mozilla_plugin_t)
+corenet_dontaudit_udp_bind_ssdp_port(mozilla_plugin_t)
-dev_read_generic_usb_dev(mozilla_plugin_t)
+dev_dontaudit_append_rand(mozilla_plugin_t)
dev_read_rand(mozilla_plugin_t)
-dev_read_realtime_clock(mozilla_plugin_t)
-dev_read_sound(mozilla_plugin_t)
-dev_read_sysfs(mozilla_plugin_t)
dev_read_urand(mozilla_plugin_t)
+dev_read_generic_usb_dev(mozilla_plugin_t)
dev_read_video_dev(mozilla_plugin_t)
-dev_write_sound(mozilla_plugin_t)
dev_write_video_dev(mozilla_plugin_t)
-dev_rw_dri(mozilla_plugin_t)
+dev_read_realtime_clock(mozilla_plugin_t)
+dev_read_sysfs(mozilla_plugin_t)
+dev_read_sound(mozilla_plugin_t)
+dev_write_sound(mozilla_plugin_t)
+# for nvidia driver
dev_rw_xserver_misc(mozilla_plugin_t)
+dev_rwx_zero(mozilla_plugin_t)
+dev_dontaudit_read_mtrr(mozilla_plugin_t)
+dev_map_video_dev(mozilla_plugin_t)
+xserver_dri_domain(mozilla_plugin_t)
-dev_dontaudit_getattr_generic_files(mozilla_plugin_t)
-dev_dontaudit_getattr_generic_pipes(mozilla_plugin_t)
-dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t)
-dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t)
+dev_dontaudit_getattr_all(mozilla_plugin_t)
+dev_dontaudit_leaked_xserver_misc(mozilla_plugin_t)
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-files_exec_usr_files(mozilla_plugin_t)
-files_list_mnt(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
-files_read_usr_files(mozilla_plugin_t)
+files_list_mnt(mozilla_plugin_t)
+files_exec_usr_files(mozilla_plugin_t)
+fs_rw_inherited_tmpfs_files(mozilla_plugin_t)
+files_dontaudit_all_access_check(mozilla_plugin_t)
fs_getattr_all_fs(mozilla_plugin_t)
-# fs_read_hugetlbfs_files(mozilla_plugin_t)
-fs_search_auto_mountpoints(mozilla_plugin_t)
+fs_list_dos(mozilla_plugin_t)
+fs_read_noxattr_fs_files(mozilla_plugin_t)
+fs_read_hugetlbfs_files(mozilla_plugin_t)
+fs_exec_hugetlbfs_files(mozilla_plugin_t)
-term_getattr_all_ttys(mozilla_plugin_t)
-term_getattr_all_ptys(mozilla_plugin_t)
+storage_raw_read_removable_device(mozilla_plugin_t)
+fs_read_removable_files(mozilla_plugin_t)
+fs_read_removable_symlinks(mozilla_plugin_t)
application_exec(mozilla_plugin_t)
+application_dontaudit_signull(mozilla_plugin_t)
auth_use_nsswitch(mozilla_plugin_t)
+init_dontaudit_getattr_initctl(mozilla_plugin_t)
+init_read_all_script_files(mozilla_plugin_t)
+
libs_exec_ld_so(mozilla_plugin_t)
libs_exec_lib_files(mozilla_plugin_t)
+libs_legacy_use_shared_libs(mozilla_plugin_t)
logging_send_syslog_msg(mozilla_plugin_t)
-miscfiles_read_localization(mozilla_plugin_t)
miscfiles_read_fonts(mozilla_plugin_t)
miscfiles_read_generic_certs(mozilla_plugin_t)
+miscfiles_dontaudit_write_generic_cert_files(mozilla_plugin_t)
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
-userdom_manage_user_tmp_dirs(mozilla_plugin_t)
-userdom_manage_user_tmp_files(mozilla_plugin_t)
-
-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
-userdom_manage_user_home_content_files(mozilla_plugin_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
+systemd_read_logind_sessions_files(mozilla_plugin_t)
-userdom_write_user_tmp_sockets(mozilla_plugin_t)
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
+term_getattr_ptmx(mozilla_plugin_t)
+term_dontaudit_use_ptmx(mozilla_plugin_t)
+userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t)
userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
+userdom_manage_user_tmp_sockets(mozilla_plugin_t)
+userdom_manage_user_tmp_dirs(mozilla_plugin_t)
+userdom_rw_inherited_user_tmp_files(mozilla_plugin_t)
+userdom_delete_user_tmp_files(mozilla_plugin_t)
+userdom_rw_inherited_user_home_sock_files(mozilla_plugin_t)
+userdom_manage_home_certs(mozilla_plugin_t)
+userdom_read_user_tmp_symlinks(mozilla_plugin_t)
+userdom_stream_connect(mozilla_plugin_t)
+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t)
-ifndef(`enable_mls',`
- fs_list_dos(mozilla_plugin_t)
- fs_read_dos_files(mozilla_plugin_t)
+userdom_read_user_home_content_files(mozilla_plugin_t)
+userdom_read_user_home_content_symlinks(mozilla_plugin_t)
+userdom_read_home_certs(mozilla_plugin_t)
+userdom_read_home_audio_files(mozilla_plugin_t)
+userdom_exec_user_tmp_files(mozilla_plugin_t)
- fs_search_removable(mozilla_plugin_t)
- fs_read_removable_files(mozilla_plugin_t)
- fs_read_removable_symlinks(mozilla_plugin_t)
+userdom_home_manager(mozilla_plugin_t)
- fs_read_iso9660_files(mozilla_plugin_t)
+tunable_policy(`mozilla_plugin_can_network_connect',`
+ corenet_tcp_connect_all_ports(mozilla_plugin_t)
')
-tunable_policy(`allow_execmem',`
- allow mozilla_plugin_t self:process execmem;
+optional_policy(`
+ abrt_stream_connect(mozilla_plugin_t)
')
-tunable_policy(`mozilla_execstack',`
- allow mozilla_plugin_t self:process { execmem execstack };
+optional_policy(`
+ alsa_read_rw_config(mozilla_plugin_t)
+ alsa_read_rw_config(mozilla_plugin_config_t)
+ alsa_read_home_files(mozilla_plugin_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_plugin_t)
- fs_manage_nfs_files(mozilla_plugin_t)
- fs_manage_nfs_symlinks(mozilla_plugin_t)
+optional_policy(`
+ apache_list_modules(mozilla_plugin_t)
')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mozilla_plugin_t)
- fs_manage_cifs_files(mozilla_plugin_t)
- fs_manage_cifs_symlinks(mozilla_plugin_t)
+optional_policy(`
+ bluetooth_stream_connect(mozilla_plugin_t)
')
optional_policy(`
- alsa_read_rw_config(mozilla_plugin_t)
- alsa_read_home_files(mozilla_plugin_t)
+ bumblebee_stream_connect(mozilla_plugin_t)
')
optional_policy(`
- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t)
+ cups_stream_connect(mozilla_plugin_t)
')
optional_policy(`
- dbus_all_session_bus_client(mozilla_plugin_t)
- dbus_connect_all_session_bus(mozilla_plugin_t)
dbus_system_bus_client(mozilla_plugin_t)
+ dbus_session_bus_client(mozilla_plugin_t)
+ dbus_connect_session_bus(mozilla_plugin_t)
+ dbus_read_lib_files(mozilla_plugin_t)
')
optional_policy(`
- gnome_manage_generic_home_content(mozilla_plugin_t)
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome")
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2")
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private")
+ devicekit_dbus_chat_disk(mozilla_plugin_t)
+')
+
+optional_policy(`
+ gnome_manage_config(mozilla_plugin_t)
+ gnome_read_usr_config(mozilla_plugin_t)
+ gnome_filetrans_home_content(mozilla_plugin_t)
+ gnome_exec_gstreamer_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t)
')
optional_policy(`
java_exec(mozilla_plugin_t)
- java_manage_generic_home_content(mozilla_plugin_t)
- java_home_filetrans_java_home(mozilla_plugin_t, dir, ".java")
')
optional_policy(`
- lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles)
+ mplayer_exec(mozilla_plugin_t)
+ mplayer_manage_generic_home_content(mozilla_plugin_t)
+ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
')
optional_policy(`
- mplayer_exec(mozilla_plugin_t)
- mplayer_manage_generic_home_content(mozilla_plugin_t)
- mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
+ pulseaudio_exec(mozilla_plugin_t)
+ pulseaudio_stream_connect(mozilla_plugin_t)
+ pulseaudio_setattr_home_dir(mozilla_plugin_t)
+ pulseaudio_manage_home_dirs(mozilla_plugin_t)
+ pulseaudio_manage_home_files(mozilla_plugin_t)
+ pulseaudio_manage_home_symlinks(mozilla_plugin_t)
')
optional_policy(`
@@ -560,7 +606,11 @@ optional_policy(`
')
optional_policy(`
- pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles)
+ policykit_dbus_chat(mozilla_plugin_t)
+')
+
+optional_policy(`
+ rtkit_scheduled(mozilla_plugin_t)
')
optional_policy(`
@@ -568,108 +618,144 @@ optional_policy(`
')
optional_policy(`
- xserver_read_user_xauth(mozilla_plugin_t)
+ xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+ xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
xserver_read_xdm_pid(mozilla_plugin_t)
xserver_stream_connect(mozilla_plugin_t)
xserver_use_user_fonts(mozilla_plugin_t)
- xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
+ xserver_read_user_iceauth(mozilla_plugin_t)
+ xserver_read_user_xauth(mozilla_plugin_t)
+ xserver_append_xdm_home_files(mozilla_plugin_t)
+ xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t)
+ xserver_dontaudit_xdm_rw_stream_sockets(mozilla_plugin_t)
+ xserver_filetrans_fonts_cache_home_content(mozilla_plugin_t)
')
########################################
#
-# Plugin config local policy
+# mozilla_plugin_config local policy
#
-allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
-allow mozilla_plugin_config_t self:process { setsched signal_perms getsched };
-allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
-allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
-
-manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
-manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
+allow mozilla_plugin_config_t self:capability { dac_read_search sys_nice setuid setgid };
+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix")
-
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gnash")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gcjwebplugin")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".icedteaplugin")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
+dev_read_sysfs(mozilla_plugin_config_t)
+dev_read_urand(mozilla_plugin_config_t)
+dev_dontaudit_read_rand(mozilla_plugin_config_t)
+dev_dontaudit_rw_dri(mozilla_plugin_config_t)
-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
+fs_search_auto_mountpoints(mozilla_plugin_config_t)
+fs_list_inotifyfs(mozilla_plugin_config_t)
-kernel_read_system_state(mozilla_plugin_config_t)
-kernel_request_load_module(mozilla_plugin_config_t)
+can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+mozilla_filetrans_home_content(mozilla_plugin_t)
+
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+userdom_user_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file })
+mozilla_filetrans_home_content(mozilla_plugin_config_t)
+dontaudit mozilla_plugin_t mozilla_plugin_tmp_t:file relabelfrom;
corecmd_exec_bin(mozilla_plugin_config_t)
corecmd_exec_shell(mozilla_plugin_config_t)
-dev_read_urand(mozilla_plugin_config_t)
-dev_rw_dri(mozilla_plugin_config_t)
-dev_search_sysfs(mozilla_plugin_config_t)
-dev_dontaudit_read_rand(mozilla_plugin_config_t)
+kernel_read_system_state(mozilla_plugin_config_t)
+kernel_request_load_module(mozilla_plugin_config_t)
domain_use_interactive_fds(mozilla_plugin_config_t)
-files_list_tmp(mozilla_plugin_config_t)
-files_read_usr_files(mozilla_plugin_config_t)
files_dontaudit_search_home(mozilla_plugin_config_t)
+files_list_tmp(mozilla_plugin_config_t)
fs_getattr_all_fs(mozilla_plugin_config_t)
-fs_search_auto_mountpoints(mozilla_plugin_config_t)
-fs_list_inotifyfs(mozilla_plugin_config_t)
+
+term_dontaudit_use_ptmx(mozilla_plugin_config_t)
auth_use_nsswitch(mozilla_plugin_config_t)
-miscfiles_read_localization(mozilla_plugin_config_t)
miscfiles_read_fonts(mozilla_plugin_config_t)
+userdom_search_user_home_content(mozilla_plugin_config_t)
userdom_read_user_home_content_symlinks(mozilla_plugin_config_t)
userdom_read_user_home_content_files(mozilla_plugin_config_t)
+userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t)
+userdom_use_inherited_user_ptys(mozilla_plugin_config_t)
+userdom_dontaudit_use_user_terminals(mozilla_plugin_config_t)
+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_config_t)
+userdom_dontaudit_write_all_user_home_content_files(mozilla_plugin_config_t)
+userdom_dontaudit_write_all_user_tmp_content_files(mozilla_plugin_config_t)
+
+domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
+
+tunable_policy(`use_ecryptfs_home_dirs',`
+ fs_read_ecryptfs_files(mozilla_plugin_config_t)
+')
-userdom_use_user_ptys(mozilla_plugin_config_t)
+optional_policy(`
+ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
+')
-mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles)
+optional_policy(`
+ xserver_use_user_fonts(mozilla_plugin_config_t)
+')
-tunable_policy(`allow_execmem',`
- allow mozilla_plugin_config_t self:process execmem;
+ifdef(`distro_redhat',`
+ typealias mozilla_plugin_t alias nsplugin_t;
+ typealias mozilla_plugin_exec_t alias nsplugin_exec_t;
+ typealias mozilla_plugin_rw_t alias nsplugin_rw_t;
+ typealias mozilla_plugin_tmp_t alias nsplugin_tmp_t;
+ typealias mozilla_home_t alias nsplugin_home_t;
+ typealias mozilla_plugin_config_t alias nsplugin_config_t;
+ typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t;
')
-tunable_policy(`mozilla_execstack',`
- allow mozilla_plugin_config_t self:process { execmem execstack };
+#tunable_policy(`mozilla_plugin_enable_homedirs',`
+# userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
+#', `
+
+ #userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, file)
+ #userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, dir)
+#')
+
+tunable_policy(`selinuxuser_execmod',`
+ userdom_execmod_user_home_files(mozilla_plugin_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_plugin_config_t)
- fs_manage_nfs_files(mozilla_plugin_config_t)
- fs_manage_nfs_symlinks(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_spice',`
+ dev_rw_generic_usb_dev(mozilla_plugin_t)
+ dev_setattr_generic_usb_dev(mozilla_plugin_t)
+ corenet_tcp_bind_vnc_port(mozilla_plugin_t)
')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mozilla_plugin_config_t)
- fs_manage_cifs_files(mozilla_plugin_config_t)
- fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_gps',`
+ fs_manage_dos_dirs(mozilla_plugin_t)
+ fs_manage_dos_files(mozilla_plugin_t)
')
-optional_policy(`
- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_bluejeans',`
+ corenet_tcp_bind_unreserved_ports(mozilla_plugin_t)
+ corenet_dontaudit_tcp_bind_all_defined_ports(mozilla_plugin_t)
+ corenet_tcp_connect_commplex_main_port(mozilla_plugin_t)
+ corenet_dontaudit_udp_bind_all_ports(mozilla_plugin_t)
+ corenet_udp_bind_all_unreserved_ports(mozilla_plugin_t)
')
-optional_policy(`
- xserver_use_user_fonts(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_bind_unreserved_ports',`
+ corenet_tcp_bind_unreserved_ports(mozilla_plugin_t)
+ corenet_udp_bind_all_unreserved_ports(mozilla_plugin_t)
')
diff --git a/mpd.fc b/mpd.fc
index 313ce521c..ae93e07eb 100644
--- a/mpd.fc
+++ b/mpd.fc
@@ -1,3 +1,5 @@
+HOME_DIR/\.mpd(/.*)? gen_context(system_u:object_r:mpd_home_t,s0)
+
/etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0)
/etc/rc\.d/init\.d/mpd -- gen_context(system_u:object_r:mpd_initrc_exec_t,s0)
@@ -9,3 +11,5 @@
/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
/var/log/mpd(/.*)? gen_context(system_u:object_r:mpd_log_t,s0)
+
+/var/run/mpd(/.*)? gen_context(system_u:object_r:mpd_var_run_t,s0)
diff --git a/mpd.if b/mpd.if
index 5fa77c7e6..2e01c7d0a 100644
--- a/mpd.if
+++ b/mpd.if
@@ -322,6 +322,25 @@ interface(`mpd_manage_lib_dirs',`
########################################
## <summary>
+## Connect to mpd over a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_stream_connect',`
+ gen_require(`
+ type mpd_t, mpd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, mpd_var_run_t, mpd_var_run_t, mpd_t)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an mpd environment.
## </summary>
@@ -344,9 +363,13 @@ interface(`mpd_admin',`
type mpd_tmpfs_t, mpd_tmp_t, mpd_user_data_t;
')
- allow $1 mpd_t:process { ptrace signal_perms };
+ allow $1 mpd_t:process signal_perms;
ps_process_pattern($1, mpd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mpd_t:process ptrace;
+ ')
+
mpd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 mpd_initrc_exec_t system_r;
diff --git a/mpd.te b/mpd.te
index fe7252355..68cf0d724 100644
--- a/mpd.te
+++ b/mpd.te
@@ -62,18 +62,25 @@ files_type(mpd_var_lib_t)
type mpd_user_data_t;
userdom_user_home_content(mpd_user_data_t) # customizable
+type mpd_home_t;
+userdom_user_home_content(mpd_home_t)
+
+type mpd_var_run_t;
+files_pid_file(mpd_var_run_t)
+
########################################
#
# Local policy
#
-allow mpd_t self:capability { dac_override kill setgid setuid };
+allow mpd_t self:capability { dac_read_search kill setgid setuid };
allow mpd_t self:process { getsched setsched setrlimit signal signull setcap };
allow mpd_t self:fifo_file rw_fifo_file_perms;
allow mpd_t self:unix_stream_socket { accept connectto listen };
allow mpd_t self:unix_dgram_socket sendto;
allow mpd_t self:tcp_socket { accept listen };
allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow mpd_t mpd_data_t:dir manage_dir_perms;
allow mpd_t mpd_data_t:file manage_file_perms;
@@ -104,13 +111,22 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
files_var_lib_filetrans(mpd_t, mpd_var_lib_t, dir)
+manage_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
+manage_dirs_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
+manage_sock_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
+manage_lnk_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
+files_pid_filetrans(mpd_t, mpd_var_run_t, { file dir sock_file })
+
+manage_files_pattern(mpd_t, mpd_home_t, mpd_home_t)
+manage_dirs_pattern(mpd_t, mpd_home_t, mpd_home_t)
+manage_lnk_files_pattern(mpd_t, mpd_home_t, mpd_home_t)
+
kernel_getattr_proc(mpd_t)
kernel_read_system_state(mpd_t)
kernel_read_kernel_sysctls(mpd_t)
corecmd_exec_bin(mpd_t)
-corenet_all_recvfrom_unlabeled(mpd_t)
corenet_all_recvfrom_netlabel(mpd_t)
corenet_tcp_sendrecv_generic_if(mpd_t)
corenet_tcp_sendrecv_generic_node(mpd_t)
@@ -139,9 +155,9 @@ dev_read_sound(mpd_t)
dev_write_sound(mpd_t)
dev_read_sysfs(mpd_t)
-files_read_usr_files(mpd_t)
fs_getattr_all_fs(mpd_t)
+fs_getattr_all_dirs(mpd_t)
fs_list_inotifyfs(mpd_t)
fs_rw_anon_inodefs_files(mpd_t)
fs_search_auto_mountpoints(mpd_t)
@@ -150,15 +166,26 @@ auth_use_nsswitch(mpd_t)
logging_send_syslog_msg(mpd_t)
-miscfiles_read_localization(mpd_t)
+userdom_home_reader(mpd_t)
tunable_policy(`mpd_enable_homedirs',`
- userdom_search_user_home_dirs(mpd_t)
+ userdom_stream_connect(mpd_t)
+ userdom_read_home_audio_files(mpd_t)
+ userdom_list_user_tmp(mpd_t)
+ userdom_read_user_tmp_files(mpd_t)
+ userdom_dontaudit_setattr_user_tmp(mpd_t)
+')
+
+optional_policy(`
+ tunable_policy(`mpd_enable_homedirs',`
+ pulseaudio_read_home_files(mpd_t)
+ ')
')
tunable_policy(`mpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_files(mpd_t)
fs_read_nfs_symlinks(mpd_t)
+
')
tunable_policy(`mpd_enable_homedirs && use_samba_home_dirs',`
@@ -191,7 +218,7 @@ optional_policy(`
')
optional_policy(`
- pulseaudio_domtrans(mpd_t)
+ pulseaudio_exec(mpd_t)
')
optional_policy(`
@@ -199,6 +226,16 @@ optional_policy(`
')
optional_policy(`
+ #needed by pulseaudio
+ systemd_read_logind_sessions_files(mpd_t)
+ systemd_login_read_pid_files(mpd_t)
+')
+
+optional_policy(`
+ rtkit_daemon_dontaudit_dbus_chat(mpd_t)
+')
+
+optional_policy(`
udev_read_db(mpd_t)
')
diff --git a/mplayer.if b/mplayer.if
index 861d5e974..1c3d5a538 100644
--- a/mplayer.if
+++ b/mplayer.if
@@ -161,3 +161,23 @@ interface(`mplayer_home_filetrans_mplayer_home',`
userdom_user_home_dir_filetrans($1, mplayer_home_t, $2, $3)
')
+
+########################################
+## <summary>
+## Create specified objects in user home
+## directories with the generic mplayer
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mplayer_filetrans_home_content',`
+ gen_require(`
+ type mplayer_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, mplayer_home_t, dir, ".mplayer")
+')
diff --git a/mplayer.te b/mplayer.te
index 0f03cd937..e3ed3933d 100644
--- a/mplayer.te
+++ b/mplayer.te
@@ -11,7 +11,7 @@ policy_module(mplayer, 2.5.0)
## its stack executable.
## </p>
## </desc>
-gen_tunable(allow_mplayer_execstack, false)
+gen_tunable(mplayer_execstack, false)
attribute_role mencoder_roles;
attribute_role mplayer_roles;
@@ -67,7 +67,6 @@ kernel_read_kernel_sysctls(mencoder_t)
dev_rwx_zero(mencoder_t)
dev_read_video_dev(mencoder_t)
-files_read_usr_files(mencoder_t)
fs_search_auto_mountpoints(mencoder_t)
@@ -82,7 +81,7 @@ userdom_manage_user_tmp_files(mencoder_t)
userdom_manage_user_home_content_dirs(mencoder_t)
userdom_manage_user_home_content_files(mencoder_t)
-userdom_user_home_dir_filetrans_user_home_content(mencoder_t, { dir file })
+userdom_filetrans_home_content(mencoder_t)
ifndef(`enable_mls',`
fs_list_dos(mencoder_t)
@@ -95,15 +94,15 @@ ifndef(`enable_mls',`
fs_read_iso9660_files(mencoder_t)
')
-tunable_policy(`allow_execmem',`
- allow mencoder_t self:process execmem;
+tunable_policy(`deny_execmem',`',`
+ allow mencoder_t self:process execmem;
')
-tunable_policy(`allow_execmod',`
+tunable_policy(`selinuxuser_execmod',`
dev_execmod_zero(mencoder_t)
')
-tunable_policy(`allow_mplayer_execstack',`
+tunable_policy(`mplayer_execstack',`
allow mencoder_t self:process { execmem execstack };
')
@@ -183,7 +182,6 @@ files_dontaudit_getattr_non_security_files(mplayer_t)
files_read_non_security_files(mplayer_t)
files_list_home(mplayer_t)
files_read_etc_runtime_files(mplayer_t)
-files_read_usr_files(mplayer_t)
fs_getattr_all_fs(mplayer_t)
fs_search_auto_mountpoints(mplayer_t)
@@ -204,7 +202,7 @@ userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
userdom_manage_user_home_content_dirs(mplayer_t)
userdom_manage_user_home_content_files(mplayer_t)
-userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file })
+userdom_filetrans_home_content(mplayer_t)
userdom_write_user_tmp_sockets(mplayer_t)
@@ -221,15 +219,15 @@ ifndef(`enable_mls',`
fs_read_iso9660_files(mplayer_t)
')
-tunable_policy(`allow_execmem',`
- allow mplayer_t self:process execmem;
+tunable_policy(`deny_execmem',`',`
+ allow mplayer_t self:process execmem;
')
-tunable_policy(`allow_execmod',`
+tunable_policy(`selinuxuser_execmod',`
dev_execmod_zero(mplayer_t)
')
-tunable_policy(`allow_mplayer_execstack',`
+tunable_policy(`mplayer_execstack',`
allow mplayer_t self:process { execmem execstack };
')
@@ -245,7 +243,7 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_symlinks(mplayer_t)
')
-tunable_policy(`allow_mplayer_execstack',`
+tunable_policy(`mplayer_execstack',`
allow mplayer_t mplayer_tmpfs_t:file execute;
')
diff --git a/mrtg.if b/mrtg.if
index c595094a6..23464583b 100644
--- a/mrtg.if
+++ b/mrtg.if
@@ -2,6 +2,25 @@
########################################
## <summary>
+## Read mrtg lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mrtg_read_lib_files',`
+ gen_require(`
+ type mrtg_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, mrtg_var_lib_t, mrtg_var_lib_t)
+')
+
+########################################
+## <summary>
## Create and append mrtg log files.
## </summary>
## <param name="domain">
diff --git a/mrtg.te b/mrtg.te
index 65a246a52..fa8632064 100644
--- a/mrtg.te
+++ b/mrtg.te
@@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t)
corecmd_exec_bin(mrtg_t)
corecmd_exec_shell(mrtg_t)
-corenet_all_recvfrom_unlabeled(mrtg_t)
corenet_all_recvfrom_netlabel(mrtg_t)
corenet_tcp_sendrecv_generic_if(mrtg_t)
corenet_tcp_sendrecv_generic_node(mrtg_t)
@@ -82,7 +81,6 @@ domain_dontaudit_search_all_domains_state(mrtg_t)
files_getattr_tmp_dirs(mrtg_t)
files_read_etc_runtime_files(mrtg_t)
-files_read_usr_files(mrtg_t)
files_search_var(mrtg_t)
files_search_locks(mrtg_t)
files_search_var_lib(mrtg_t)
@@ -105,13 +103,12 @@ libs_read_lib_files(mrtg_t)
logging_send_syslog_msg(mrtg_t)
-miscfiles_read_localization(mrtg_t)
-
selinux_dontaudit_getattr_dir(mrtg_t)
-userdom_use_user_terminals(mrtg_t)
+userdom_use_inherited_user_terminals(mrtg_t)
userdom_dontaudit_read_user_home_content_files(mrtg_t)
userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
+userdom_dontaudit_list_admin_dir(mrtg_t)
netutils_domtrans_ping(mrtg_t)
diff --git a/mta.fc b/mta.fc
index f42896cbf..fce39c1ce 100644
--- a/mta.fc
+++ b/mta.fc
@@ -1,34 +1,39 @@
-HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
-HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
-HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
-/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
-/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
-/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
+/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
/etc/mail/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)
-/etc/postfix/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)
-
-/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
+/etc/mail/.*\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
+ifdef(`distro_redhat',`
+/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
+')
+
+/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+
+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
-/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
index ed81cac5a..4ea31b5e2 100644
--- a/mta.if
+++ b/mta.if
@@ -1,4 +1,4 @@
-## <summary>Common e-mail transfer agent policy.</summary>
+## <summary>Policy common to all email tranfer agents.</summary>
########################################
## <summary>
@@ -18,23 +18,37 @@ interface(`mta_stub',`
#######################################
## <summary>
-## The template to define a mail domain.
+## Basic mail transfer agent domain template.
## </summary>
+## <desc>
+## <p>
+## This template creates a derived domain which is
+## a email transfer agent, which sends mail on
+## behalf of the user.
+## </p>
+## <p>
+## This is the basic types and rules, common
+## to the system agent and user agents.
+## </p>
+## </desc>
## <param name="domain_prefix">
## <summary>
-## Domain prefix to be used.
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
## </summary>
## </param>
+## <rolecap/>
#
template(`mta_base_mail_template',`
+
gen_require(`
attribute user_mail_domain;
type sendmail_exec_t;
')
- ########################################
+ ##############################
#
- # Declarations
+ # $1_mail_t declarations
#
type $1_mail_t, user_mail_domain;
@@ -43,17 +57,18 @@ template(`mta_base_mail_template',`
type $1_mail_tmp_t;
files_tmp_file($1_mail_tmp_t)
- ########################################
- #
- # Declarations
- #
-
manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
+ kernel_read_system_state($1_mail_t)
+
+ corenet_all_recvfrom_netlabel($1_mail_t)
+
auth_use_nsswitch($1_mail_t)
+ logging_send_syslog_msg($1_mail_t)
+
optional_policy(`
postfix_domtrans_user_mail_handler($1_mail_t)
')
@@ -61,61 +76,41 @@ template(`mta_base_mail_template',`
########################################
## <summary>
-## Role access for mta.
+## Role access for mta
## </summary>
## <param name="role">
## <summary>
-## Role allowed access.
+## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
-## User domain for the role.
+## User domain for the role
## </summary>
## </param>
#
interface(`mta_role',`
gen_require(`
attribute mta_user_agent;
- attribute_role user_mail_roles;
- type user_mail_t, sendmail_exec_t, mail_home_t;
- type user_mail_tmp_t, mail_home_rw_t;
+ type user_mail_t, sendmail_exec_t;
')
- roleattribute $1 user_mail_roles;
-
- # this is something i need to fix
- # i dont know if and why it is needed
- # will role attribute work?
- role $1 types mta_user_agent;
+ role $1 types { user_mail_t mta_user_agent };
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, sendmail_exec_t, user_mail_t)
allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
- allow $2 { user_mail_t mta_user_agent }:process { ptrace signal_perms };
- ps_process_pattern($2, { user_mail_t mta_user_agent })
-
- allow $2 mail_home_t:file { manage_file_perms relabel_file_perms };
- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".esmtp_queue")
- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".forward")
- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".mailrc")
- userdom_user_home_dir_filetrans($2, mail_home_t, file, "dead.letter")
-
- allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms };
- allow $2 mail_home_rw_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir")
- userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir")
-
- allow $2 user_mail_tmp_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 user_mail_tmp_t:file { manage_file_perms relabel_file_perms };
+ allow mta_user_agent $2:fd use;
+ allow mta_user_agent $2:process sigchld;
+ allow mta_user_agent $2:fifo_file rw_inherited_fifo_file_perms;
optional_policy(`
exim_run($2, $1)
')
optional_policy(`
- mailman_run($2, $1)
+ mailman_run(mta_user_agent, $1)
')
')
@@ -163,125 +158,23 @@ interface(`mta_agent_executable',`
application_executable_file($1)
')
-#######################################
-## <summary>
-## Read mta mail home files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_read_mail_home_files',`
- gen_require(`
- type mail_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 mail_home_t:file read_file_perms;
-')
-
-#######################################
-## <summary>
-## Create, read, write, and delete
-## mta mail home files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_manage_mail_home_files',`
- gen_require(`
- type mail_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 mail_home_t:file manage_file_perms;
-')
-
-########################################
+######################################
## <summary>
-## Create specified objects in user home
-## directories with the generic mail
-## home type.
+## Dontaudit read and write an leaked file descriptors
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
-#
-interface(`mta_home_filetrans_mail_home',`
- gen_require(`
- type mail_home_t;
- ')
-
- userdom_user_home_dir_filetrans($1, mail_home_t, $2, $3)
-')
-
-#######################################
-## <summary>
-## Create, read, write, and delete
-## mta mail home rw content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_manage_mail_home_rw_content',`
- gen_require(`
- type mail_home_rw_t;
- ')
-
- userdom_search_user_home_dirs($1)
- manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
- manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
- manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
-')
-
-########################################
-## <summary>
-## Create specified objects in user home
-## directories with the generic mail
-## home rw type.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`mta_home_filetrans_mail_home_rw',`
+interface(`mta_dontaudit_leaks_system_mail',`
gen_require(`
- type mail_home_rw_t;
+ type system_mail_t;
')
- userdom_user_home_dir_filetrans($1, mail_home_rw_t, $2, $3)
+ dontaudit $1 system_mail_t:fifo_file write;
+ dontaudit $1 system_mail_t:tcp_socket { read write };
')
########################################
@@ -334,7 +227,6 @@ interface(`mta_sendmail_mailserver',`
')
init_system_domain($1, sendmail_exec_t)
-
typeattribute $1 mailserver_domain;
')
@@ -374,6 +266,15 @@ interface(`mta_mailserver_delivery',`
')
typeattribute $1 mailserver_delivery;
+
+ userdom_home_manager($1)
+
+ optional_policy(`
+ mta_rw_delivery_tcp_sockets($1)
+ ')
+
+ userdom_filetrans_home_content($1)
+
')
#######################################
@@ -394,6 +295,12 @@ interface(`mta_mailserver_user_agent',`
')
typeattribute $1 mta_user_agent;
+
+ optional_policy(`
+ # apache should set close-on-exec
+ apache_dontaudit_rw_stream_sockets($1)
+ apache_dontaudit_rw_sys_script_stream_sockets($1)
+ ')
')
########################################
@@ -408,14 +315,19 @@ interface(`mta_mailserver_user_agent',`
#
interface(`mta_send_mail',`
gen_require(`
+ attribute mta_user_agent;
type system_mail_t;
attribute mta_exec_type;
')
- corecmd_search_bin($1)
+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+ corecmd_read_bin_symlinks($1)
domtrans_pattern($1, mta_exec_type, system_mail_t)
- allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+ allow mta_user_agent $1:fd use;
+ allow mta_user_agent $1:process sigchld;
+ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;
')
########################################
@@ -445,18 +357,24 @@ interface(`mta_send_mail',`
#
interface(`mta_sendmail_domtrans',`
gen_require(`
- type sendmail_exec_t;
+ attribute mta_exec_type;
+ attribute mta_user_agent;
')
- corecmd_search_bin($1)
- domain_auto_trans($1, sendmail_exec_t, $2)
+ files_search_usr($1)
+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+ corecmd_read_bin_symlinks($1)
- allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
+ allow $2 mta_exec_type:file entrypoint;
+ domtrans_pattern($1, mta_exec_type, $2)
+ allow mta_user_agent $1:fd use;
+ allow mta_user_agent $1:process sigchld;
+ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms;
')
########################################
## <summary>
-## Send signals to system mail.
+## Send system mail client a signal
## </summary>
## <param name="domain">
## <summary>
@@ -464,7 +382,6 @@ interface(`mta_sendmail_domtrans',`
## </summary>
## </param>
#
-#
interface(`mta_signal_system_mail',`
gen_require(`
type system_mail_t;
@@ -475,7 +392,61 @@ interface(`mta_signal_system_mail',`
########################################
## <summary>
-## Send kill signals to system mail.
+## Allow role to access system_mail_t.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_role_access_system_mail',`
+ gen_require(`
+ type system_mail_t;
+ ')
+
+ role $1 types system_mail_t;
+')
+
+########################################
+## <summary>
+## Send all user mail client a signal
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_signal_user_agent',`
+ gen_require(`
+ attribute mta_user_agent;
+ ')
+
+ allow $1 mta_user_agent:process signal;
+')
+
+########################################
+## <summary>
+## Send all user mail client a kill signal
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_kill_user_agent',`
+ gen_require(`
+ attribute mta_user_agent;
+ ')
+
+ allow $1 mta_user_agent:process sigkill;
+')
+
+########################################
+## <summary>
+## Send system mail client a kill signal
## </summary>
## <param name="domain">
## <summary>
@@ -506,13 +477,32 @@ interface(`mta_sendmail_exec',`
type sendmail_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, sendmail_exec_t)
')
########################################
## <summary>
-## Read mail server configuration content.
+## Check whether sendmail executable
+## files are executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_sendmail_access_check',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ allow $1 sendmail_exec_t:file { getattr_file_perms execute };
+')
+
+########################################
+## <summary>
+## Read mail server configuration.
## </summary>
## <param name="domain">
## <summary>
@@ -528,13 +518,13 @@ interface(`mta_read_config',`
files_search_etc($1)
allow $1 etc_mail_t:dir list_dir_perms;
- allow $1 etc_mail_t:file read_file_perms;
- allow $1 etc_mail_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, etc_mail_t, etc_mail_t)
+ read_lnk_files_pattern($1, etc_mail_t, etc_mail_t)
')
########################################
## <summary>
-## Write mail server configuration files.
+## write mail server configuration.
## </summary>
## <param name="domain">
## <summary>
@@ -548,33 +538,31 @@ interface(`mta_write_config',`
type etc_mail_t;
')
- files_search_etc($1)
write_files_pattern($1, etc_mail_t, etc_mail_t)
')
########################################
## <summary>
-## Read mail address alias files.
+## Manage mail server configuration.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
-interface(`mta_read_aliases',`
+interface(`mta_manage_config',`
gen_require(`
- type etc_aliases_t;
+ type etc_mail_t;
')
- files_search_etc($1)
- allow $1 etc_aliases_t:file read_file_perms;
+ manage_files_pattern($1, etc_mail_t, etc_mail_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## mail address alias content.
+## Read mail address aliases.
## </summary>
## <param name="domain">
## <summary>
@@ -582,84 +570,64 @@ interface(`mta_read_aliases',`
## </summary>
## </param>
#
-interface(`mta_manage_aliases',`
+interface(`mta_read_aliases',`
gen_require(`
type etc_aliases_t;
')
files_search_etc($1)
- manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
- manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
+ allow $1 etc_aliases_t:file read_file_perms;
+ allow $1 etc_aliases_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
-## Create specified object in generic
-## etc directories with the mail address
-## alias type.
+## Create, read, write, and delete mail address aliases.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="object">
-## <summary>
-## The object class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
#
-interface(`mta_etc_filetrans_aliases',`
+interface(`mta_manage_aliases',`
gen_require(`
type etc_aliases_t;
')
- files_etc_filetrans($1, etc_aliases_t, $2, $3)
+ files_search_etc($1)
+ manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
+ manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
+ mta_filetrans_named_content($1)
')
########################################
## <summary>
-## Create specified objects in specified
-## directories with a type transition to
-## the mail address alias type.
+## Type transition files created in /etc
+## to the mail address aliases type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="file_type">
-## <summary>
-## Directory to transition on.
-## </summary>
-## </param>
-## <param name="object">
-## <summary>
-## The object class of the object being created.
-## </summary>
-## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
-interface(`mta_spec_filetrans_aliases',`
+interface(`mta_etc_filetrans_aliases',`
gen_require(`
type etc_aliases_t;
')
- filetrans_pattern($1, $2, etc_aliases_t, $3, $4)
+ files_etc_filetrans($1, etc_aliases_t, file, $2)
')
########################################
## <summary>
-## Read and write mail alias files.
+## Read and write mail aliases.
## </summary>
## <param name="domain">
## <summary>
@@ -674,14 +642,13 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
- allow $1 etc_aliases_t:file rw_file_perms;
+ allow $1 etc_aliases_t:file { rw_file_perms setattr_file_perms };
')
#######################################
## <summary>
-## Do not audit attempts to read
-## and write TCP sockets of mail
-## delivery domains.
+## Do not audit attempts to read and write TCP
+## sockets of mail delivery domains.
## </summary>
## <param name="domain">
## <summary>
@@ -697,6 +664,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
dontaudit $1 mailserver_delivery:tcp_socket { read write };
')
+######################################
+## <summary>
+## Allow attempts to read and write TCP
+## sockets of mail delivery domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mta_rw_delivery_tcp_sockets',`
+ gen_require(`
+ attribute mailserver_delivery;
+ ')
+
+ allow $1 mailserver_delivery:tcp_socket { read write };
+')
+
#######################################
## <summary>
## Connect to all mail servers over TCP. (Deprecated)
@@ -713,8 +699,8 @@ interface(`mta_tcp_connect_all_mailservers',`
#######################################
## <summary>
-## Do not audit attempts to read
-## mail spool symlinks.
+## Do not audit attempts to read a symlink
+## in the mail spool.
## </summary>
## <param name="domain">
## <summary>
@@ -732,7 +718,7 @@ interface(`mta_dontaudit_read_spool_symlinks',`
########################################
## <summary>
-## Get attributes of mail spool content.
+## Get the attributes of mail spool files.
## </summary>
## <param name="domain">
## <summary>
@@ -753,8 +739,8 @@ interface(`mta_getattr_spool',`
########################################
## <summary>
-## Do not audit attempts to get
-## attributes of mail spool files.
+## Do not audit attempts to get the attributes
+## of mail spool files.
## </summary>
## <param name="domain">
## <summary>
@@ -775,9 +761,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
#######################################
## <summary>
-## Create specified objects in the
-## mail spool directory with a
-## private type.
+## Create private objects in the
+## mail spool directory.
## </summary>
## <param name="domain">
## <summary>
@@ -811,7 +796,7 @@ interface(`mta_spool_filetrans',`
#######################################
## <summary>
-## Read mail spool files.
+## Read the mail spool.
## </summary>
## <param name="domain">
## <summary>
@@ -819,10 +804,10 @@ interface(`mta_spool_filetrans',`
## </summary>
## </param>
#
-interface(`mta_read_spool_files',`
- gen_require(`
- type mail_spool_t;
- ')
+interface(`mta_read_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
files_search_spool($1)
read_files_pattern($1, mail_spool_t, mail_spool_t)
@@ -830,7 +815,7 @@ interface(`mta_read_spool_files',`
########################################
## <summary>
-## Read and write mail spool files.
+## Read and write the mail spool.
## </summary>
## <param name="domain">
## <summary>
@@ -845,13 +830,14 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
- allow $1 mail_spool_t:file rw_file_perms;
- allow $1 mail_spool_t:lnk_file read_lnk_file_perms;
+ allow $1 mail_spool_t:file setattr_file_perms;
+ manage_files_pattern($1, mail_spool_t, mail_spool_t)
+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
#######################################
## <summary>
-## Create, read, and write mail spool files.
+## Create, read, and write the mail spool.
## </summary>
## <param name="domain">
## <summary>
@@ -866,13 +852,14 @@ interface(`mta_append_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
- manage_files_pattern($1, mail_spool_t, mail_spool_t)
- allow $1 mail_spool_t:lnk_file read_lnk_file_perms;
+ create_files_pattern($1, mail_spool_t, mail_spool_t)
+ write_files_pattern($1, mail_spool_t, mail_spool_t)
+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
#######################################
## <summary>
-## Delete mail spool files.
+## Delete from the mail spool.
## </summary>
## <param name="domain">
## <summary>
@@ -891,8 +878,7 @@ interface(`mta_delete_spool',`
########################################
## <summary>
-## Create, read, write, and delete
-## mail spool content.
+## Create, read, write, and delete mail spool files.
## </summary>
## <param name="domain">
## <summary>
@@ -911,45 +897,9 @@ interface(`mta_manage_spool',`
manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-#######################################
-## <summary>
-## Create specified objects in the
-## mail queue spool directory with a
-## private type.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="private type">
-## <summary>
-## The type of the object to be created.
-## </summary>
-## </param>
-## <param name="object">
-## <summary>
-## The object class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
-#
-interface(`mta_queue_filetrans',`
- gen_require(`
- type mqueue_spool_t;
- ')
-
- files_search_spool($1)
- filetrans_pattern($1, mqueue_spool_t, $2, $3, $4)
-')
-
########################################
## <summary>
-## Search mail queue directories.
+## Search mail queue dirs.
## </summary>
## <param name="domain">
## <summary>
@@ -968,7 +918,7 @@ interface(`mta_search_queue',`
#######################################
## <summary>
-## List mail queue directories.
+## List the mail queue.
## </summary>
## <param name="domain">
## <summary>
@@ -981,13 +931,13 @@ interface(`mta_list_queue',`
type mqueue_spool_t;
')
- files_search_spool($1)
allow $1 mqueue_spool_t:dir list_dir_perms;
+ files_search_spool($1)
')
#######################################
## <summary>
-## Read mail queue files.
+## Read the mail queue.
## </summary>
## <param name="domain">
## <summary>
@@ -1000,14 +950,14 @@ interface(`mta_read_queue',`
type mqueue_spool_t;
')
- files_search_spool($1)
read_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
+ files_search_spool($1)
')
#######################################
## <summary>
## Do not audit attempts to read and
-## write mail queue content.
+## write the mail queue.
## </summary>
## <param name="domain">
## <summary>
@@ -1027,7 +977,7 @@ interface(`mta_dontaudit_rw_queue',`
########################################
## <summary>
## Create, read, write, and delete
-## mail queue content.
+## mail queue files.
## </summary>
## <param name="domain">
## <summary>
@@ -1047,6 +997,41 @@ interface(`mta_manage_queue',`
#######################################
## <summary>
+## Create private objects in the
+## mqueue spool directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`mta_spool_filetrans_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ files_search_spool($1)
+ filetrans_pattern($1, mqueue_spool_t, $2, $3, $4)
+')
+
+#######################################
+## <summary>
## Read sendmail binary.
## </summary>
## <param name="domain">
@@ -1055,6 +1040,7 @@ interface(`mta_manage_queue',`
## </summary>
## </param>
#
+# cjp: added for postfix
interface(`mta_read_sendmail_bin',`
gen_require(`
type sendmail_exec_t;
@@ -1065,8 +1051,8 @@ interface(`mta_read_sendmail_bin',`
#######################################
## <summary>
-## Read and write unix domain stream
-## sockets of all base mail domains.
+## Read and write unix domain stream sockets
+## of user mail domains.
## </summary>
## <param name="domain">
## <summary>
@@ -1081,3 +1067,228 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
+
+########################################
+## <summary>
+## Type transition files created in calling dir
+## to the mail address aliases type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Directory to transition on.
+## </summary>
+## </param>
+#
+interface(`mta_filetrans_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ filetrans_pattern($1, $2, etc_aliases_t, file)
+')
+
+######################################
+## <summary>
+## ALlow domain to append mail content in the homedir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_append_home',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ append_files_pattern($1, mail_home_t, mail_home_t)
+
+ ifdef(`distro_redhat',`
+ userdom_search_admin_dir($1)
+ ')
+')
+
+######################################
+## <summary>
+## ALlow domain to read mail content in the homedir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_read_home',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, mail_home_t, mail_home_t)
+
+ ifdef(`distro_redhat',`
+ userdom_search_admin_dir($1)
+ ')
+')
+
+####################################
+## <summary>
+## ALlow domain to mmap mail content in the homedir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_mmap_home_rw',`
+ gen_require(`
+ type mail_home_rw_t;
+ ')
+
+ allow $1 mail_home_rw_t:file map;
+')
+
+####################################
+## <summary>
+## ALlow domain to read mail content in the homedir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_read_home_rw',`
+ gen_require(`
+ type mail_home_rw_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ list_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ read_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+
+ ifdef(`distro_redhat',`
+ userdom_search_admin_dir($1)
+ ')
+')
+
+####################################
+## <summary>
+## Allow domain to manage mail content in the homedir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_manage_home_rw',`
+ gen_require(`
+ type mail_home_rw_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ userdom_search_admin_dir($1)
+ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+
+ ifdef(`distro_redhat',`
+ userdom_search_admin_dir($1)
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ ')
+')
+
+########################################
+## <summary>
+## create mail content in the in the /root directory
+## with an correct label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_filetrans_admin_home_content',`
+ gen_require(`
+ type mail_home_t;
+ type mail_home_rw_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
+')
+
+########################################
+## <summary>
+## Transition to mta named home content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_filetrans_home_content',`
+ gen_require(`
+ type mail_home_t;
+ type mail_home_rw_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
+')
+
+########################################
+## <summary>
+## Transition to mta named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_filetrans_named_content',`
+ gen_require(`
+ type etc_aliases_t;
+ type etc_mail_t;
+ ')
+
+ #filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })
+ mta_etc_filetrans_aliases($1, "aliases")
+ mta_etc_filetrans_aliases($1, "aliases.db")
+ mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
+ mta_etc_filetrans_aliases($1, "__db.aliases.db")
+ mta_etc_filetrans_aliases($1, "virtusertable.db")
+ mta_etc_filetrans_aliases($1, "access.db")
+ mta_etc_filetrans_aliases($1, "domaintable.db")
+ filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "virtusertable.db")
+ filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "access.db")
+ filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "domaintable.db")
+ filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "mailertable.db")
+ filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "aliasesdb-stamp")
+ mta_filetrans_home_content($1)
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
index ff1d68c6a..ee540eafd 100644
--- a/mta.te
+++ b/mta.te
@@ -14,8 +14,6 @@ attribute mailserver_sender;
attribute user_mail_domain;
-attribute_role user_mail_roles;
-
type etc_aliases_t;
files_type(etc_aliases_t)
@@ -30,9 +28,11 @@ userdom_user_home_content(mail_home_rw_t)
type mqueue_spool_t;
files_mountpoint(mqueue_spool_t)
+files_spool_file(mqueue_spool_t)
type mail_spool_t;
files_mountpoint(mail_spool_t)
+files_spool_file(mail_spool_t)
type sendmail_exec_t;
mta_agent_executable(sendmail_exec_t)
@@ -43,11 +43,9 @@ role system_r types system_mail_t;
mta_base_mail_template(user)
typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
-userdom_user_application_type(user_mail_t)
-role user_mail_roles types user_mail_t;
-
typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
+userdom_user_application_type(user_mail_t)
userdom_user_tmp_file(user_mail_tmp_t)
########################################
@@ -61,13 +59,11 @@ allow user_mail_domain self:fifo_file rw_fifo_file_perms;
allow user_mail_domain mta_exec_type:file entrypoint;
-allow user_mail_domain mail_home_t:file { append_file_perms read_file_perms };
+manage_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
manage_lnk_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
-userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, "Maildir")
-userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, ".maildir")
read_files_pattern(user_mail_domain, { etc_mail_t etc_aliases_t }, { etc_mail_t etc_aliases_t })
@@ -79,12 +75,10 @@ allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t })
kernel_read_crypto_sysctls(user_mail_domain)
-kernel_read_system_state(user_mail_domain)
kernel_read_kernel_sysctls(user_mail_domain)
kernel_read_network_state(user_mail_domain)
kernel_request_load_module(user_mail_domain)
-corenet_all_recvfrom_netlabel(user_mail_domain)
corenet_tcp_sendrecv_generic_if(user_mail_domain)
corenet_tcp_sendrecv_generic_node(user_mail_domain)
@@ -107,10 +101,6 @@ fs_getattr_all_fs(user_mail_domain)
init_dontaudit_rw_utmp(user_mail_domain)
-logging_send_syslog_msg(user_mail_domain)
-
-miscfiles_read_localization(user_mail_domain)
-
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(user_mail_domain)
fs_manage_cifs_files(user_mail_domain)
@@ -124,6 +114,11 @@ tunable_policy(`use_nfs_home_dirs',`
')
optional_policy(`
+ antivirus_stream_connect(user_mail_domain)
+ antivirus_stream_connect(mta_user_agent)
+')
+
+optional_policy(`
courier_manage_spool_dirs(user_mail_domain)
courier_manage_spool_files(user_mail_domain)
courier_rw_spool_pipes(user_mail_domain)
@@ -150,6 +145,11 @@ optional_policy(`
')
optional_policy(`
+ openshift_rw_inherited_content(mta_user_agent)
+ openshift_dontaudit_rw_inherited_fifo_files(mta_user_agent)
+')
+
+optional_policy(`
procmail_exec(user_mail_domain)
')
@@ -166,57 +166,79 @@ optional_policy(`
uucp_manage_spool(user_mail_domain)
')
+mta_filetrans_admin_home_content(user_mail_domain)
+mta_filetrans_home_content(user_mail_domain)
+
########################################
#
# System local policy
#
-allow system_mail_t self:capability { dac_override fowner };
+# newalias required this, not sure if it is needed in 'if' file
+allow system_mail_t self:capability { dac_read_search fowner };
+dontaudit system_mail_t self:capability net_admin;
-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
+allow system_mail_t mail_home_t:file manage_file_perms;
read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
-allow system_mail_t mail_home_t:file manage_file_perms;
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".mailrc")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, "dead.letter")
-
-allow system_mail_t user_mail_domain:dir list_dir_perms;
-allow system_mail_t user_mail_domain:file read_file_perms;
-allow system_mail_t user_mail_domain:lnk_file read_lnk_file_perms;
+kernel_search_network_sysctl(system_mail_t)
corecmd_exec_shell(system_mail_t)
-dev_read_rand(system_mail_t)
dev_read_sysfs(system_mail_t)
+dev_read_rand(system_mail_t)
+dev_read_urand(system_mail_t)
fs_rw_anon_inodefs_files(system_mail_t)
-selinux_getattr_fs(system_mail_t)
-
term_dontaudit_use_unallocated_ttys(system_mail_t)
init_use_script_ptys(system_mail_t)
+init_dontaudit_rw_stream_socket(system_mail_t)
-userdom_use_user_terminals(system_mail_t)
+userdom_use_inherited_user_terminals(system_mail_t)
+userdom_dontaudit_list_user_home_dirs(system_mail_t)
+userdom_dontaudit_list_admin_dir(system_mail_t)
+userdom_dontaudit_list_user_tmp(system_mail_t)
+userdom_dontaudit_read_inherited_admin_home_files(system_mail_t)
+
+manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
+manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
+
+allow system_mail_t mail_home_t:file manage_file_perms;
+userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
+
+logging_append_all_logs(system_mail_t)
+
+logging_send_syslog_msg(system_mail_t)
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
apache_append_squirrelmail_data(system_mail_t)
+
+ # apache should set close-on-exec
apache_dontaudit_append_log(system_mail_t)
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
+ apache_dontaudit_rw_tmp_files(system_mail_t)
+
+ apache_dontaudit_rw_fifo_file(user_mail_domain)
+ apache_dontaudit_rw_fifo_file(mta_user_agent)
+ # apache should set close-on-exec
+ apache_dontaudit_rw_stream_sockets(mta_user_agent)
+ apache_dontaudit_rw_sys_script_stream_sockets(mta_user_agent)
+ apache_append_log(mta_user_agent)
')
optional_policy(`
arpwatch_manage_tmp_files(system_mail_t)
- ifdef(`hide_broken_symptoms',`
- arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
- ')
+ ifdef(`hide_broken_symptoms', `
+ arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
+ ')
+
')
optional_policy(`
@@ -225,17 +247,21 @@ optional_policy(`
')
optional_policy(`
- clamav_stream_connect(system_mail_t)
- clamav_append_log(system_mail_t)
+ courier_stream_connect_authdaemon(system_mail_t)
')
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
cron_rw_system_job_stream_sockets(system_mail_t)
+ cron_rw_inherited_spool_files(system_mail_t)
+ cron_rw_inherited_user_spool_files(system_mail_t)
')
optional_policy(`
+ courier_manage_spool_dirs(system_mail_t)
+ courier_manage_spool_files(system_mail_t)
+ courier_rw_spool_pipes(system_mail_t)
courier_stream_connect_authdaemon(system_mail_t)
')
@@ -244,9 +270,14 @@ optional_policy(`
')
optional_policy(`
- fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
- fail2ban_append_log(system_mail_t)
- fail2ban_rw_inherited_tmp_files(system_mail_t)
+ dbus_system_bus_client(system_mail_t)
+')
+
+optional_policy(`
+ fail2ban_append_log(user_mail_domain)
+ fail2ban_dontaudit_leaks(user_mail_domain)
+ fail2ban_rw_inherited_tmp_files(mta_user_agent)
+ fail2ban_rw_inherited_tmp_files(user_mail_domain)
')
optional_policy(`
@@ -258,10 +289,17 @@ optional_policy(`
')
optional_policy(`
+ # newaliases runs as system_mail_t when the sendmail initscript does a restart
milter_getattr_all_sockets(system_mail_t)
')
optional_policy(`
+ munin_dontaudit_leaks(system_mail_t)
+ munin_manage_var_lib_files(system_mail_t)
+')
+
+optional_policy(`
+ nagios_append_spool(system_mail_t)
nagios_read_tmp_files(system_mail_t)
')
@@ -272,6 +310,19 @@ optional_policy(`
manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
+
+ domain_use_interactive_fds(system_mail_t)
+')
+
+optional_policy(`
+ postfix_domtrans_postdrop(system_mail_t)
+')
+
+optional_policy(`
+ qmail_domtrans_inject(system_mail_t)
+ qmail_manage_spool_dirs(system_mail_t)
+ qmail_manage_spool_files(system_mail_t)
+ qmail_rw_spool_pipes(system_mail_t)
')
optional_policy(`
@@ -279,6 +330,10 @@ optional_policy(`
')
optional_policy(`
+ systemd_write_inhibit_pipes(system_mail_t)
+')
+
+optional_policy(`
userdom_dontaudit_use_user_ptys(system_mail_t)
optional_policy(`
@@ -287,42 +342,36 @@ optional_policy(`
')
optional_policy(`
- spamassassin_stream_connect_spamd(system_mail_t)
+ spamd_stream_connect(system_mail_t)
')
optional_policy(`
smartmon_read_tmp_files(system_mail_t)
')
-########################################
-#
-# MTA user agent local policy
-#
-
-userdom_use_user_terminals(mta_user_agent)
-
-optional_policy(`
- apache_append_log(mta_user_agent)
-')
+# should break this up among sections:
optional_policy(`
+ # why is mail delivered to a directory of type arpwatch_data_t?
+ arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
- ifdef(`hide_broken_symptoms',`
- arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
- ')
-
optional_policy(`
cron_read_system_job_tmp_files(mta_user_agent)
')
')
+ifdef(`hide_broken_symptoms',`
+ domain_dontaudit_leaks(user_mail_domain)
+ domain_dontaudit_leaks(mta_user_agent)
+')
+
########################################
#
# Mailserver delivery local policy
#
-allow mailserver_delivery self:fifo_file rw_fifo_file_perms;
+allow mailserver_delivery self:fifo_file rw_inherited_fifo_file_perms;
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -331,44 +380,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+userdom_search_admin_dir(mailserver_delivery)
+read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t)
+
manage_dirs_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
-manage_files_pattern(mailserver_delivery, { mail_home_t mail_home_rw_t }, { mail_home_t mail_home_rw_t })
+manage_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
manage_lnk_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".esmtp_queue")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".forward")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".mailrc")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, "dead.letter")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, "Maildir")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, ".maildir")
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mailserver_delivery)
- fs_manage_cifs_files(mailserver_delivery)
- fs_read_cifs_symlinks(mailserver_delivery)
+optional_policy(`
+ dovecot_manage_spool(mailserver_delivery)
+ dovecot_domtrans_deliver(mailserver_delivery)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mailserver_delivery)
- fs_manage_nfs_files(mailserver_delivery)
- fs_read_nfs_symlinks(mailserver_delivery)
+optional_policy(`
+ logwatch_search_cache_dir(mailserver_delivery)
')
optional_policy(`
- arpwatch_search_data(mailserver_delivery)
+ # so MTA can access /var/lib/mailman/mail/wrapper
+ files_search_var_lib(mailserver_delivery)
+
+ mailman_domtrans(mailserver_delivery)
+ mailman_read_data_symlinks(mailserver_delivery)
')
optional_policy(`
- dovecot_manage_spool(mailserver_delivery)
- dovecot_domtrans_deliver(mailserver_delivery)
+ mailman_manage_data_files(mailserver_domain)
+ mailman_domtrans(mailserver_domain)
+ mailman_append_log(mailserver_domain)
+ mailman_read_log(mailserver_domain)
')
optional_policy(`
- files_search_var_lib(mailserver_delivery)
+ mta_filetrans_home_content(mailserver_domain)
+ mta_filetrans_admin_home_content(mailserver_domain)
+ mta_read_home(mailserver_domain)
+ mta_append_home(mailserver_domain)
+')
- mailman_domtrans(mailserver_delivery)
- mailman_read_data_symlinks(mailserver_delivery)
+optional_policy(`
+ pcp_read_lib_files(mailserver_delivery)
')
optional_policy(`
@@ -381,24 +434,49 @@ optional_policy(`
########################################
#
-# User local policy
+# User send mail local policy
#
-manage_files_pattern(user_mail_t, mail_home_t, mail_home_t)
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".esmtp_queue")
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".forward")
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".mailrc")
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, "dead.letter")
+domain_use_interactive_fds(user_mail_t)
+
+userdom_use_inherited_user_terminals(user_mail_t)
+# Write to the user domain tty. cjp: why?
+userdom_use_inherited_user_terminals(mta_user_agent)
+# Create dead.letter in user home directories.
+userdom_manage_user_home_content_files(user_mail_t)
+userdom_filetrans_home_content(user_mail_t)
+# for reading .forward - maybe we need a new type for it?
+# also for delivering mail to maildir
+userdom_manage_user_home_content_dirs(mailserver_delivery)
+userdom_manage_user_home_content_files(mailserver_delivery)
+userdom_manage_user_home_content_symlinks(mailserver_delivery)
+userdom_manage_user_home_content_pipes(mailserver_delivery)
+userdom_manage_user_home_content_sockets(mailserver_delivery)
+allow mailserver_delivery mailserver_delivery:fifo_file rw_inherited_fifo_file_perms;
+
+# Read user temporary files.
+userdom_read_user_tmp_files(user_mail_t)
+userdom_dontaudit_append_user_tmp_files(user_mail_t)
+# cjp: this should probably be read all user tmp
+# files in an appropriate place for mta_user_agent
+userdom_read_user_tmp_files(mta_user_agent)
dev_read_sysfs(user_mail_t)
-userdom_use_user_terminals(user_mail_t)
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(user_mail_t)
+ fs_manage_cifs_symlinks(user_mail_t)
+')
optional_policy(`
- allow user_mail_t self:capability dac_override;
+ allow user_mail_t self:capability {dac_read_search };
+ # Read user temporary files.
+ # postfix seems to need write access if the file handle is opened read/write
userdom_rw_user_tmp_files(user_mail_t)
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
+
+
diff --git a/munin.fc b/munin.fc
index eb4b72a92..4ea6ce7e2 100644
--- a/munin.fc
+++ b/munin.fc
@@ -1,77 +1,78 @@
-/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0)
-
+/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0)
/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0)
-/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
-
-/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
-
+/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
/usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+# label all plugins as unconfined_munin_plugin_exec_t
/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:unconfined_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+# disk plugins
+/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/df.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+# mail plugins
+/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+# services plugins
+/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/lpstat -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/named -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/ntp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/nut.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/samba -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+# selinux plugins
/usr/share/munin/plugins/selinux_avcstat -- gen_context(system_u:object_r:selinux_munin_plugin_exec_t,s0)
+# system plugins
/usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/forks -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/if_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/unbound -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
+/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
/var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0)
-
-/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
-
-/var/run/munin.* gen_context(system_u:object_r:munin_var_run_t,s0)
-
-/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
-/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
+/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:munin_content_t,s0)
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:munin_script_exec_t,s0)
+/var/www/html/cgi/munin.* gen_context(system_u:object_r:munin_script_exec_t,s0)
+/var/www/cgi-bin/munin.* gen_context(system_u:object_r:munin_script_exec_t,s0)
diff --git a/munin.if b/munin.if
index b744fe35e..cb0e2af61 100644
--- a/munin.if
+++ b/munin.if
@@ -1,12 +1,13 @@
-## <summary>Munin network-wide load graphing.</summary>
+## <summary>Munin network-wide load graphing (formerly LRRD)</summary>
-#######################################
+########################################
## <summary>
-## The template to define a munin plugin domain.
+## Create a set of derived types for various
+## munin plugins,
## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
## <summary>
-## Domain prefix to be used.
+## The name to be used for deriving type names.
## </summary>
## </param>
#
@@ -14,12 +15,8 @@ template(`munin_plugin_template',`
gen_require(`
attribute munin_plugin_domain, munin_plugin_tmp_content;
type munin_t;
- ')
- ########################################
- #
- # Declarations
- #
+ ')
type $1_munin_plugin_t, munin_plugin_domain;
type $1_munin_plugin_exec_t;
@@ -33,15 +30,22 @@ template(`munin_plugin_template',`
files_tmp_file($1_munin_plugin_tmp_t)
########################################
- #
- # Policy
- #
+ #
+ # Policy
+ #
+ # automatic transition rules from munin domain
+ # to specific munin plugin domain
domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file })
+
+ kernel_read_system_state($1_munin_plugin_t)
+
+ corenet_all_recvfrom_unlabeled($1_munin_plugin_t)
+ corenet_all_recvfrom_netlabel($1_munin_plugin_t)
')
########################################
@@ -66,7 +70,7 @@ interface(`munin_stream_connect',`
#######################################
## <summary>
-## Read munin configuration content.
+## Read munin configuration files.
## </summary>
## <param name="domain">
## <summary>
@@ -80,15 +84,92 @@ interface(`munin_read_config',`
type munin_etc_t;
')
- files_search_etc($1)
allow $1 munin_etc_t:dir list_dir_perms;
allow $1 munin_etc_t:file read_file_perms;
allow $1 munin_etc_t:lnk_file read_lnk_file_perms;
+ files_search_etc($1)
+')
+
+#######################################
+## <summary>
+## Read munin library files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`munin_read_var_lib_files',`
+ gen_require(`
+ type munin_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
+
+')
+
+#######################################
+## <summary>
+## Manage munin library files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`munin_manage_var_lib_files',`
+ gen_require(`
+ type munin_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Append munin library files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`munin_append_var_lib_files',`
+ gen_require(`
+ type munin_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ append_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
+
+')
+
+######################################
+## <summary>
+## dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`munin_dontaudit_leaks',`
+ gen_require(`
+ type munin_t;
+ ')
+
+ dontaudit $1 munin_t:tcp_socket { read write };
')
#######################################
## <summary>
-## Append munin log files.
+## Append to the munin log.
## </summary>
## <param name="domain">
## <summary>
@@ -147,8 +228,8 @@ interface(`munin_dontaudit_search_lib',`
########################################
## <summary>
-## All of the rules required to
-## administrate an munin environment.
+## All of the rules required to administrate
+## an munin environment
## </summary>
## <param name="domain">
## <summary>
@@ -157,7 +238,7 @@ interface(`munin_dontaudit_search_lib',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the munin domain.
## </summary>
## </param>
## <rolecap/>
@@ -167,11 +248,15 @@ interface(`munin_admin',`
attribute munin_plugin_domain, munin_plugin_tmp_content;
type munin_t, munin_etc_t, munin_tmp_t;
type munin_log_t, munin_var_lib_t, munin_var_run_t;
- type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
+ type munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
')
- allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { munin_plugin_domain munin_t })
+ allow $1 munin_t:process signal_perms;
+ ps_process_pattern($1, munin_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 munin_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
@@ -193,5 +278,5 @@ interface(`munin_admin',`
files_list_pids($1)
admin_pattern($1, munin_var_run_t)
- admin_pattern($1, httpd_munin_content_t)
+ admin_pattern($1, munin_content_t)
')
diff --git a/munin.te b/munin.te
index b70870816..e2a5280c3 100644
--- a/munin.te
+++ b/munin.te
@@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
munin_plugin_template(system)
munin_plugin_template(unconfined)
+type munin_script_tmp_t alias httpd_munin_script_tmp_t;
+files_tmp_file(munin_script_tmp_t)
+
################################
#
# Common munin plugin local policy
#
-allow munin_plugin_domain self:process signal;
+allow munin_plugin_domain self:process signal_perms;
allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
+allow munin_plugin_domain munin_unconfined_plugin_exec_t:file read_file_perms;
+
allow munin_plugin_domain munin_exec_t:file read_file_perms;
allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
-kernel_read_system_state(munin_plugin_domain)
-
-corenet_all_recvfrom_unlabeled(munin_plugin_domain)
-corenet_all_recvfrom_netlabel(munin_plugin_domain)
corenet_tcp_sendrecv_generic_if(munin_plugin_domain)
corenet_tcp_sendrecv_generic_node(munin_plugin_domain)
corecmd_exec_bin(munin_plugin_domain)
corecmd_exec_shell(munin_plugin_domain)
-files_read_etc_files(munin_plugin_domain)
-files_read_usr_files(munin_plugin_domain)
files_search_var_lib(munin_plugin_domain)
fs_getattr_all_fs(munin_plugin_domain)
-miscfiles_read_localization(munin_plugin_domain)
+auth_read_passwd(munin_plugin_domain)
optional_policy(`
nscd_use(munin_plugin_domain)
@@ -89,7 +88,7 @@ optional_policy(`
# Local policy
#
-allow munin_t self:capability { chown dac_override kill setgid setuid sys_rawio };
+allow munin_t self:capability { chown dac_read_search kill setgid setuid sys_rawio };
dontaudit munin_t self:capability sys_tty_config;
allow munin_t self:process { getsched setsched signal_perms };
allow munin_t self:unix_stream_socket { accept connectto listen };
@@ -118,7 +117,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
-read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
+rw_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
@@ -134,7 +133,6 @@ kernel_read_all_sysctls(munin_t)
corecmd_exec_bin(munin_t)
corecmd_exec_shell(munin_t)
-corenet_all_recvfrom_unlabeled(munin_t)
corenet_all_recvfrom_netlabel(munin_t)
corenet_tcp_sendrecv_generic_if(munin_t)
corenet_tcp_sendrecv_generic_node(munin_t)
@@ -157,7 +155,6 @@ domain_use_interactive_fds(munin_t)
domain_read_all_domains_state(munin_t)
files_read_etc_runtime_files(munin_t)
-files_read_usr_files(munin_t)
files_list_spool(munin_t)
fs_getattr_all_fs(munin_t)
@@ -169,7 +166,6 @@ logging_send_syslog_msg(munin_t)
logging_read_all_logs(munin_t)
miscfiles_read_fonts(munin_t)
-miscfiles_read_localization(munin_t)
miscfiles_setattr_fonts_cache_dirs(munin_t)
sysnet_exec_ifconfig(munin_t)
@@ -177,13 +173,6 @@ sysnet_exec_ifconfig(munin_t)
userdom_dontaudit_use_unpriv_user_fds(munin_t)
userdom_dontaudit_search_user_home_dirs(munin_t)
-optional_policy(`
- apache_content_template(munin)
-
- manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
- manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
- apache_search_sys_content(munin_t)
-')
optional_policy(`
cron_system_entry(munin_t, munin_exec_t)
@@ -217,7 +206,6 @@ optional_policy(`
optional_policy(`
postfix_list_spool(munin_t)
- postfix_getattr_all_spool_files(munin_t)
')
optional_policy(`
@@ -246,21 +234,25 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+kernel_read_fs_sysctls(disk_munin_plugin_t)
+
corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t)
corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t)
-dev_getattr_all_blk_files(disk_munin_plugin_t)
+files_read_etc_runtime_files(disk_munin_plugin_t)
+
dev_getattr_lvm_control(disk_munin_plugin_t)
dev_read_sysfs(disk_munin_plugin_t)
dev_read_urand(disk_munin_plugin_t)
-
-files_read_etc_runtime_files(disk_munin_plugin_t)
+dev_read_all_blk_files(disk_munin_plugin_t)
+dev_raw_memory_reader(disk_munin_plugin_t)
fs_getattr_all_fs(disk_munin_plugin_t)
fs_getattr_all_dirs(disk_munin_plugin_t)
-storage_getattr_fixed_disk_dev(disk_munin_plugin_t)
+storage_raw_read_fixed_disk(disk_munin_plugin_t)
+storage_read_scsi_generic(disk_munin_plugin_t)
sysnet_read_config(disk_munin_plugin_t)
@@ -272,34 +264,50 @@ optional_policy(`
fstools_exec(disk_munin_plugin_t)
')
+optional_policy(`
+ rpc_search_nfs_state_data(disk_munin_plugin_t)
+')
+
####################################
#
# Mail local policy
#
-allow mail_munin_plugin_t self:capability dac_override;
+allow mail_munin_plugin_t self:capability { dac_read_search };
+
+allow mail_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+allow mail_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow mail_munin_plugin_t self:udp_socket create_socket_perms;
rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+kernel_read_net_sysctls(mail_munin_plugin_t)
+
dev_read_urand(mail_munin_plugin_t)
logging_read_generic_logs(mail_munin_plugin_t)
+sysnet_read_config(mail_munin_plugin_t)
+
+optional_policy(`
+ exim_read_log(mail_munin_plugin_t)
+')
+
optional_policy(`
- mta_list_queue(mail_munin_plugin_t)
mta_read_config(mail_munin_plugin_t)
- mta_read_queue(mail_munin_plugin_t)
mta_send_mail(mail_munin_plugin_t)
+ mta_list_queue(mail_munin_plugin_t)
+ mta_read_queue(mail_munin_plugin_t)
')
optional_policy(`
- nscd_use(mail_munin_plugin_t)
+ nscd_socket_use(mail_munin_plugin_t)
')
optional_policy(`
- postfix_getattr_all_spool_files(mail_munin_plugin_t)
postfix_read_config(mail_munin_plugin_t)
postfix_list_spool(mail_munin_plugin_t)
+ postfix_getattr_spool_files(mail_munin_plugin_t)
')
optional_policy(`
@@ -339,7 +347,7 @@ dev_read_rand(services_munin_plugin_t)
sysnet_read_config(services_munin_plugin_t)
optional_policy(`
- bind_read_config(munin_services_plugin_t)
+ bind_read_config(services_munin_plugin_t)
')
optional_policy(`
@@ -348,6 +356,10 @@ optional_policy(`
')
optional_policy(`
+ fail2ban_domtrans_client(services_munin_plugin_t)
+')
+
+optional_policy(`
lpd_exec_lpr(services_munin_plugin_t)
')
@@ -361,7 +373,11 @@ optional_policy(`
')
optional_policy(`
- nscd_use(services_munin_plugin_t)
+ nscd_socket_use(services_munin_plugin_t)
+')
+
+optional_policy(`
+ ntp_exec(services_munin_plugin_t)
')
optional_policy(`
@@ -393,6 +409,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
kernel_read_network_state(system_munin_plugin_t)
kernel_read_all_sysctls(system_munin_plugin_t)
+kernel_read_fs_sysctls(system_munin_plugin_t)
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
@@ -421,3 +438,33 @@ optional_policy(`
optional_policy(`
unconfined_domain(unconfined_munin_plugin_t)
')
+
+
+#######################################
+#
+# Munin CGI script local policy
+#
+
+apache_content_template(munin)
+apache_content_alias_template(munin, munin)
+
+manage_dirs_pattern(munin_t, munin_content_t, munin_content_t)
+manage_files_pattern(munin_t, munin_content_t, munin_content_t)
+
+manage_dirs_pattern(munin_script_t, munin_script_tmp_t, munin_script_tmp_t)
+manage_files_pattern(munin_script_t, munin_script_tmp_t,munin_script_tmp_t)
+files_tmp_filetrans(munin_script_t, munin_script_tmp_t, { dir file })
+
+read_files_pattern(munin_script_t, munin_var_lib_t, munin_var_lib_t)
+list_dirs_pattern(munin_script_t, munin_etc_t, munin_etc_t)
+read_files_pattern(munin_script_t, munin_etc_t, munin_etc_t)
+
+manage_files_pattern(munin_script_t, munin_log_t, munin_log_t)
+
+files_search_var_lib(munin_script_t)
+
+auth_read_passwd(munin_script_t)
+
+optional_policy(`
+ apache_search_sys_content(munin_t)
+')
diff --git a/mysql.fc b/mysql.fc
index 06f8666df..2accd90d2 100644
--- a/mysql.fc
+++ b/mysql.fc
@@ -1,27 +1,46 @@
-HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
-
-/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
-/etc/my\.cnf\.d(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
-/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
-
-/etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
-
+# mysql database server
+
+#
+# /HOME
+#
+HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
+/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
+
+/usr/lib/systemd/system/mysqld.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0)
+/usr/lib/systemd/system/mariadb.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0)
+
+#
+# /etc
+#
+/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/my\.cnf\.d(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
+
+#
+# /usr
+#
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/libexec/mysqld_safe-scl-helper -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
+
-/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/sbin/mysqld(-max|-debug)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
-/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
-/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
-/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
+#
+# /var
+#
+/var/lib/mysql(-files|-keyring)?(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
+/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
-/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0)
-/var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
-/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
+/var/run/mariadb(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
+/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
+/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
diff --git a/mysql.if b/mysql.if
index 687af38bb..5381f1b39 100644
--- a/mysql.if
+++ b/mysql.if
@@ -1,23 +1,4 @@
-## <summary>Open source database.</summary>
-
-########################################
-## <summary>
-## Role access for mysql.
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role.
-## </summary>
-## </param>
-#
-interface(`mysql_role',`
- refpolicywarn(`$0($*) has been deprecated')
-')
+## <summary>Policy for MySQL</summary>
######################################
## <summary>
@@ -34,38 +15,30 @@ interface(`mysql_domtrans',`
type mysqld_t, mysqld_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, mysqld_exec_t, mysqld_t)
')
-########################################
+######################################
## <summary>
-## Execute mysqld in the mysqld domain, and
-## allow the specified role the mysqld domain.
+## Execute MySQL in the caller domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`mysql_run_mysqld',`
+interface(`mysql_exec',`
gen_require(`
- attribute_role mysqld_roles;
+ type mysqld_exec_t;
')
- mysql_domtrans($1)
- roleattribute $2 mysqld_roles;
+ can_exec($1, mysqld_exec_t)
')
########################################
## <summary>
-## Send generic signals to mysqld.
+## Send a generic signal to MySQL.
## </summary>
## <param name="domain">
## <summary>
@@ -81,9 +54,27 @@ interface(`mysql_signal',`
allow $1 mysqld_t:process signal;
')
+#######################################
+## <summary>
+## Send a null signal to mysql.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_signull',`
+ gen_require(`
+ type mysqld_t;
+ ')
+
+ allow $1 mysqld_t:process signull;
+')
+
########################################
## <summary>
-## Connect to mysqld with a tcp socket.
+## Allow the specified domain to connect to postgresql with a tcp socket.
## </summary>
## <param name="domain">
## <summary>
@@ -104,8 +95,7 @@ interface(`mysql_tcp_connect',`
########################################
## <summary>
-## Connect to mysqld with a unix
-# domain stream socket.
+## Connect to MySQL using a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -120,12 +110,13 @@ interface(`mysql_stream_connect',`
')
files_search_pids($1)
- stream_connect_pattern($1, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t)
+ stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
+ stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
')
########################################
## <summary>
-## Read mysqld configuration content.
+## Read MySQL configuration files.
## </summary>
## <param name="domain">
## <summary>
@@ -139,7 +130,6 @@ interface(`mysql_read_config',`
type mysqld_etc_t;
')
- files_search_etc($1)
allow $1 mysqld_etc_t:dir list_dir_perms;
allow $1 mysqld_etc_t:file read_file_perms;
allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms;
@@ -147,7 +137,8 @@ interface(`mysql_read_config',`
########################################
## <summary>
-## Search mysqld db directories.
+## Search the directories that contain MySQL
+## database storage.
## </summary>
## <param name="domain">
## <summary>
@@ -155,6 +146,8 @@ interface(`mysql_read_config',`
## </summary>
## </param>
#
+# cjp: "_dir" in the name is added to clarify that this
+# is not searching the database itself.
interface(`mysql_search_db',`
gen_require(`
type mysqld_db_t;
@@ -166,7 +159,27 @@ interface(`mysql_search_db',`
########################################
## <summary>
-## Read and write mysqld database directories.
+## List the directories that contain MySQL
+## database storage.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_list_db',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Read and write to the MySQL database directory.
## </summary>
## <param name="domain">
## <summary>
@@ -185,8 +198,7 @@ interface(`mysql_rw_db_dirs',`
########################################
## <summary>
-## Create, read, write, and delete
-## mysqld database directories.
+## Create, read, write, and delete MySQL database directories.
## </summary>
## <param name="domain">
## <summary>
@@ -205,7 +217,7 @@ interface(`mysql_manage_db_dirs',`
#######################################
## <summary>
-## Append mysqld database files.
+## Append to the MySQL database directory.
## </summary>
## <param name="domain">
## <summary>
@@ -221,10 +233,28 @@ interface(`mysql_append_db_files',`
files_search_var_lib($1)
append_files_pattern($1, mysqld_db_t, mysqld_db_t)
')
+#######################################
+## <summary>
+## Read and write to the MySQL database directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_read_db_lnk_files',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ read_lnk_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
#######################################
## <summary>
-## Read and write mysqld database files.
+## Read and write to the MySQL database directory.
## </summary>
## <param name="domain">
## <summary>
@@ -243,8 +273,7 @@ interface(`mysql_rw_db_files',`
#######################################
## <summary>
-## Create, read, write, and delete
-## mysqld database files.
+## Create, read, write, and delete MySQL database files.
## </summary>
## <param name="domain">
## <summary>
@@ -263,7 +292,7 @@ interface(`mysql_manage_db_files',`
########################################
## <summary>
-## Read and write mysqld database sockets.
+## Read and write to the MySQL database
## named socket.
## </summary>
## <param name="domain">
@@ -273,13 +302,18 @@ interface(`mysql_manage_db_files',`
## </param>
#
interface(`mysql_rw_db_sockets',`
- refpolicywarn(`$0($*) has been deprecated.')
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir search_dir_perms;
+ allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
')
########################################
## <summary>
-## Create, read, write, and delete
-## mysqld home files.
+## Write to the MySQL log.
## </summary>
## <param name="domain">
## <summary>
@@ -287,86 +321,92 @@ interface(`mysql_rw_db_sockets',`
## </summary>
## </param>
#
-interface(`mysql_manage_mysqld_home_files',`
+interface(`mysql_write_log',`
gen_require(`
- type mysqld_home_t;
+ type mysqld_log_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 mysqld_home_t:file manage_file_perms;
+ logging_search_logs($1)
+ allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms };
')
-########################################
+######################################
## <summary>
-## Relabel mysqld home files.
+## Execute MySQL safe script in the mysql safe domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
## </summary>
## </param>
#
-interface(`mysql_relabel_mysqld_home_files',`
+interface(`mysql_domtrans_mysql_safe',`
gen_require(`
- type mysqld_home_t;
+ type mysqld_safe_t, mysqld_safe_exec_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 mysqld_home_t:file relabel_file_perms;
+ domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
')
-########################################
+######################################
## <summary>
-## Create objects in user home
-## directories with the mysqld home type.
+## Execute MySQL_safe in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
+#
+interface(`mysql_safe_exec',`
+ gen_require(`
+ type mysqld_safe_exec_t;
+ ')
+
+ can_exec($1, mysqld_safe_exec_t)
+')
+
+#####################################
+## <summary>
+## Read MySQL PID files.
+## </summary>
+## <param name="domain">
## <summary>
-## The name of the object being created.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`mysql_home_filetrans_mysqld_home',`
+interface(`mysql_read_pid_files',`
gen_require(`
- type mysqld_home_t;
+ type mysqld_var_run_t;
')
- userdom_user_home_dir_filetrans($1, mysqld_home_t, $2, $3)
+ mysql_search_pid_files($1)
+ read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
')
-########################################
+#####################################
## <summary>
-## Write mysqld log files.
+## Search MySQL PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+##
#
-interface(`mysql_write_log',`
+interface(`mysql_search_pid_files',`
gen_require(`
- type mysqld_log_t;
+ type mysqld_var_run_t;
')
- logging_search_logs($1)
- allow $1 mysqld_log_t:file write_file_perms;
+ search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
')
-######################################
+########################################
## <summary>
-## Execute mysqld safe in the
-## mysqld safe domain.
+## Execute mysqld server in the mysqld domain.
## </summary>
## <param name="domain">
## <summary>
@@ -374,18 +414,23 @@ interface(`mysql_write_log',`
## </summary>
## </param>
#
-interface(`mysql_domtrans_mysql_safe',`
+interface(`mysql_systemctl',`
gen_require(`
- type mysqld_safe_t, mysqld_safe_exec_t;
+ type mysqld_unit_file_t;
+ type mysqld_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 mysqld_unit_file_t:file read_file_perms;
+ allow $1 mysqld_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, mysqld_t)
')
-#####################################
+########################################
## <summary>
-## Read mysqld pid files.
+## read mysqld homedir content (.k5login)
## </summary>
## <param name="domain">
## <summary>
@@ -393,39 +438,37 @@ interface(`mysql_domtrans_mysql_safe',`
## </summary>
## </param>
#
-interface(`mysql_read_pid_files',`
+interface(`mysql_read_home_content',`
gen_require(`
- type mysqld_var_run_t;
+ type mysqld_home_t;
')
- files_search_pids($1)
- read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, mysqld_home_t, mysqld_home_t)
')
-#####################################
+########################################
## <summary>
-## Search mysqld pid files.
+## Transition to mysqld named content
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed access.
## </summary>
## </param>
-##
#
-interface(`mysql_search_pid_files',`
+interface(`mysql_filetrans_named_content',`
gen_require(`
- type mysqld_var_run_t;
+ type mysqld_home_t;
')
- files_search_pids($1)
- search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+ userdom_admin_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
+ userdom_user_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
')
########################################
## <summary>
-## All of the rules required to
-## administrate an mysqld environment.
+## All of the rules required to administrate an mysql environment
## </summary>
## <param name="domain">
## <summary>
@@ -434,41 +477,52 @@ interface(`mysql_search_pid_files',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the mysql domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`mysql_admin',`
gen_require(`
- type mysqld_t, mysqld_var_run_t, mysqld_etc_t;
+ type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t;
type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
- type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t;
- type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t, mysqld_home_t;
+ type mysqld_etc_t;
+ type mysqld_home_t;
+ type mysqld_unit_file_t;
')
- allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t })
+ allow $1 mysqld_t:process signal_perms;
+ ps_process_pattern($1, mysqld_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mysqld_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t })
+ init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
domain_system_change_exemption($1)
- role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r;
+ role_transition $2 mysqld_initrc_exec_t system_r;
allow $2 system_r;
- files_search_pids($1)
- admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t })
+ files_list_pids($1)
+ admin_pattern($1, mysqld_var_run_t)
- files_search_var_lib($1)
admin_pattern($1, mysqld_db_t)
- files_search_etc($1)
- admin_pattern($1, { mysqld_etc_t mysqld_home_t })
+ files_list_etc($1)
+ admin_pattern($1, mysqld_etc_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, mysqld_log_t)
- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, mysqld_tmp_t)
- mysql_run_mysqld($1, $2)
+ userdom_search_user_home_dirs($1)
+ files_list_root($1)
+ admin_pattern($1, mysqld_home_t)
+
+ mysql_systemctl($1)
+ admin_pattern($1, mysqld_unit_file_t)
+ allow $1 mysqld_unit_file_t:service all_service_perms;
+
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
index 7584bbe7c..327af4639 100644
--- a/mysql.te
+++ b/mysql.te
@@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1)
#
## <desc>
-## <p>
-## Determine whether mysqld can
-## connect to all TCP ports.
-## </p>
+## <p>
+## Allow mysqld to connect to all ports
+## </p>
## </desc>
gen_tunable(mysql_connect_any, false)
-attribute_role mysqld_roles;
+## <desc>
+## <p>
+## Allow mysqld to connect to http port
+## </p>
+## </desc>
+gen_tunable(mysql_connect_http, false)
type mysqld_t;
type mysqld_exec_t;
init_daemon_domain(mysqld_t, mysqld_exec_t)
-application_domain(mysqld_t, mysqld_exec_t)
-role mysqld_roles types mysqld_t;
type mysqld_safe_t;
type mysqld_safe_exec_t;
@@ -27,7 +29,6 @@ init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t)
type mysqld_var_run_t;
files_pid_file(mysqld_var_run_t)
-init_daemon_run_dir(mysqld_var_run_t, "mysqld")
type mysqld_db_t;
files_type(mysqld_db_t)
@@ -38,6 +39,9 @@ files_config_file(mysqld_etc_t)
type mysqld_home_t;
userdom_user_home_content(mysqld_home_t)
+type mysqld_unit_file_t;
+systemd_unit_file(mysqld_unit_file_t)
+
type mysqld_initrc_exec_t;
init_script_file(mysqld_initrc_exec_t)
@@ -62,28 +66,30 @@ files_pid_file(mysqlmanagerd_var_run_t)
# Local policy
#
-allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource };
+allow mysqld_t self:capability { dac_read_search ipc_lock setgid setuid sys_resource net_bind_service };
dontaudit mysqld_t self:capability sys_tty_config;
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
allow mysqld_t self:fifo_file rw_fifo_file_perms;
allow mysqld_t self:shm create_shm_perms;
-allow mysqld_t self:unix_stream_socket { accept listen };
-allow mysqld_t self:tcp_socket { accept listen };
+allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
+allow mysqld_t self:tcp_socket create_stream_socket_perms;
+allow mysqld_t self:udp_socket create_socket_perms;
manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
+allow mysqld_t mysqld_db_t:file map;
-filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
-
-allow mysqld_t mysqld_etc_t:dir list_dir_perms;
-allow mysqld_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
+allow mysqld_t mysqld_etc_t:file read_file_perms;
allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+allow mysqld_t mysqld_etc_t:dir list_dir_perms;
manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
manage_lnk_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
+manage_fifo_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
@@ -95,50 +101,66 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
-kernel_read_kernel_sysctls(mysqld_t)
+usermanage_read_crack_db(mysqld_t)
+
+userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+
kernel_read_network_state(mysqld_t)
kernel_read_system_state(mysqld_t)
+kernel_read_kernel_sysctls(mysqld_t)
+
+corecmd_exec_bin(mysqld_t)
+corecmd_exec_shell(mysqld_t)
-corenet_all_recvfrom_unlabeled(mysqld_t)
corenet_all_recvfrom_netlabel(mysqld_t)
corenet_tcp_sendrecv_generic_if(mysqld_t)
+corenet_udp_sendrecv_generic_if(mysqld_t)
corenet_tcp_sendrecv_generic_node(mysqld_t)
+corenet_udp_sendrecv_generic_node(mysqld_t)
+corenet_tcp_sendrecv_all_ports(mysqld_t)
+corenet_udp_sendrecv_all_ports(mysqld_t)
corenet_tcp_bind_generic_node(mysqld_t)
-
-corenet_sendrecv_mysqld_server_packets(mysqld_t)
corenet_tcp_bind_mysqld_port(mysqld_t)
-corenet_sendrecv_mysqld_client_packets(mysqld_t)
+corenet_tcp_bind_tram_port(mysqld_t)
corenet_tcp_connect_mysqld_port(mysqld_t)
-corenet_tcp_sendrecv_mysqld_port(mysqld_t)
-
-corecmd_exec_bin(mysqld_t)
-corecmd_exec_shell(mysqld_t)
+corenet_tcp_connect_tram_port(mysqld_t)
+corenet_sendrecv_mysqld_client_packets(mysqld_t)
+corenet_sendrecv_mysqld_server_packets(mysqld_t)
dev_read_sysfs(mysqld_t)
dev_read_urand(mysqld_t)
-domain_use_interactive_fds(mysqld_t)
-
fs_getattr_all_fs(mysqld_t)
fs_search_auto_mountpoints(mysqld_t)
fs_rw_hugetlbfs_files(mysqld_t)
+domain_use_interactive_fds(mysqld_t)
+domain_read_all_domains_state(mysqld_t)
+
+files_getattr_var_lib_dirs(mysqld_t)
files_read_etc_runtime_files(mysqld_t)
-files_read_usr_files(mysqld_t)
+files_search_var_lib(mysqld_t)
+files_search_pids(mysqld_t)
+files_getattr_all_sockets(mysqld_t)
-auth_use_nsswitch(mysqld_t)
+auth_use_pam(mysqld_t)
logging_send_syslog_msg(mysqld_t)
-miscfiles_read_localization(mysqld_t)
+sysnet_read_config(mysqld_t)
+sysnet_exec_ifconfig(mysqld_t)
-userdom_search_user_home_dirs(mysqld_t)
-userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+ifdef(`distro_redhat',`
+ filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
+')
tunable_policy(`mysql_connect_any',`
- corenet_sendrecv_all_client_packets(mysqld_t)
corenet_tcp_connect_all_ports(mysqld_t)
- corenet_tcp_sendrecv_all_ports(mysqld_t)
+ corenet_sendrecv_all_client_packets(mysqld_t)
+')
+
+tunable_policy(`mysql_connect_http',`
+ corenet_tcp_connect_http_port(mysqld_t)
')
optional_policy(`
@@ -146,6 +168,10 @@ optional_policy(`
')
optional_policy(`
+ openshift_search_lib(mysqld_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(mysqld_t)
')
@@ -155,21 +181,20 @@ optional_policy(`
#######################################
#
-# Safe local policy
+# Local mysqld_safe policy
#
-allow mysqld_safe_t self:capability { chown dac_override fowner kill };
+allow mysqld_safe_t self:capability { chown dac_read_search fowner kill sys_nice sys_resource };
+dontaudit mysqld_safe_t self:capability sys_ptrace;
allow mysqld_safe_t self:process { setsched getsched setrlimit };
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
-allow mysqld_safe_t mysqld_t:process signull;
+allow mysqld_safe_t mysqld_t:process { rlimitinh noatsecure };
read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
+delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-allow mysqld_safe_t mysqld_etc_t:dir list_dir_perms;
-allow mysqld_safe_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
-allow mysqld_safe_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
@@ -177,9 +202,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
-delete_sock_files_pattern(mysqld_safe_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t)
-
-domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
+delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
@@ -187,21 +210,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
corecmd_exec_bin(mysqld_safe_t)
corecmd_exec_shell(mysqld_safe_t)
+dev_read_urand(mysqld_safe_t)
dev_list_sysfs(mysqld_safe_t)
domain_read_all_domains_state(mysqld_safe_t)
-files_read_etc_files(mysqld_safe_t)
-files_read_usr_files(mysqld_safe_t)
-files_search_pids(mysqld_safe_t)
-files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+files_dontaudit_access_check_root(mysqld_safe_t)
files_dontaudit_search_all_mountpoints(mysqld_safe_t)
+files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+
+files_write_root_dirs(mysqld_safe_t)
+logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
logging_send_syslog_msg(mysqld_safe_t)
-miscfiles_read_localization(mysqld_safe_t)
+auth_use_nsswitch(mysqld_safe_t)
+
+domain_dontaudit_signull_all_domains(mysqld_safe_t)
-userdom_search_user_home_dirs(mysqld_safe_t)
+mysql_manage_db_files(mysqld_safe_t)
+mysql_read_config(mysqld_safe_t)
+mysql_search_pid_files(mysqld_safe_t)
+mysql_signull(mysqld_safe_t)
+mysql_write_log(mysqld_safe_t)
optional_policy(`
hostname_exec(mysqld_safe_t)
@@ -209,20 +240,21 @@ optional_policy(`
########################################
#
-# Manager local policy
+# MySQL Manager Policy
#
-allow mysqlmanagerd_t self:capability { dac_override kill };
+allow mysqlmanagerd_t self:capability { dac_read_search kill };
allow mysqlmanagerd_t self:process signal;
allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
-allow mysqlmanagerd_t mysqld_t:process signal;
-
-allow mysqlmanagerd_t mysqld_etc_t:dir list_dir_perms;
-allow mysqlmanagerd_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
-allow mysqlmanagerd_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+mysql_read_config(initrc_t)
+mysql_read_config(mysqlmanagerd_t)
+mysql_read_pid_files(mysqlmanagerd_t)
+mysql_search_db(mysqlmanagerd_t)
+mysql_signal(mysqlmanagerd_t)
+mysql_stream_connect(mysqlmanagerd_t)
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
@@ -230,31 +262,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
-stream_connect_pattern(mysqlmanagerd_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t)
-
kernel_read_system_state(mysqlmanagerd_t)
corecmd_exec_shell(mysqlmanagerd_t)
-corenet_all_recvfrom_unlabeled(mysqlmanagerd_t)
corenet_all_recvfrom_netlabel(mysqlmanagerd_t)
corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t)
corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t)
+corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t)
corenet_tcp_bind_generic_node(mysqlmanagerd_t)
-
-corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t)
corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t)
-corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)
corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t)
-corenet_tcp_sendrecv_mysqlmanagerd_port(mysqlmanagerd_t)
+corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t)
+corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)
dev_read_urand(mysqlmanagerd_t)
-files_read_etc_files(mysqlmanagerd_t)
-files_read_usr_files(mysqlmanagerd_t)
-files_search_pids(mysqlmanagerd_t)
-files_search_var_lib(mysqlmanagerd_t)
-
-miscfiles_read_localization(mysqlmanagerd_t)
-
-userdom_search_user_home_dirs(mysqlmanagerd_t)
+userdom_getattr_user_home_dirs(mysqlmanagerd_t)
diff --git a/mythtv.fc b/mythtv.fc
new file mode 100644
index 000000000..d62cf886e
--- /dev/null
+++ b/mythtv.fc
@@ -0,0 +1,9 @@
+/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:mythtv_script_exec_t,s0)
+
+/var/lib/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_lib_t,s0)
+
+/var/log/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_log_t,s0)
+
+/usr/share/mythtv(/.*)? gen_context(system_u:object_r:mythtv_content_t,s0)
+/usr/share/mythweb(/.*)? gen_context(system_u:object_r:mythtv_content_t,s0)
+/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:mythtv_script_exec_t,s0)
diff --git a/mythtv.if b/mythtv.if
new file mode 100644
index 000000000..e2403dd50
--- /dev/null
+++ b/mythtv.if
@@ -0,0 +1,152 @@
+
+## <summary>policy for mythtv_script</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the mythtv_script domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mythtv_script_domtrans',`
+ gen_require(`
+ type mythtv_script_t, mythtv_script_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mythtv_script_exec_t, mythtv_script_t)
+')
+
+#######################################
+## <summary>
+## read mythtv libs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mythtv_read_lib',`
+ gen_require(`
+ type mythtv_var_lib_t;
+ ')
+
+ read_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
+ files_list_var_lib($1)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## mythtv lib content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mythtv_manage_lib',`
+ gen_require(`
+ type mythtv_var_lib_t;
+ ')
+
+ manage_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
+ manage_lnk_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
+ files_list_var_lib($1)
+')
+
+#######################################
+## <summary>
+## read mythtv logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mythtv_read_log',`
+ gen_require(`
+ type mythtv_var_log_t;
+ ')
+
+ read_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+ logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+## Append mythtv log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mythtv_append_log',`
+ gen_require(`
+ type mythtv_var_log_t;
+ ')
+
+ append_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+ logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## mythtv log content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mythtv_manage_log',`
+ gen_require(`
+ type mythtv_var_log_t;
+ ')
+
+ manage_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+ manage_lnk_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an mythtv environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mythtv_admin',`
+ gen_require(`
+ type mythtv_script_t, mythtv_var_lib_t;
+ type mythtv_var_log_t;
+ ')
+
+ allow $1 mythtv_script_t:process signal_perms;
+ ps_process_pattern($1, mythtv_script_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mythtv_script_t:process ptrace;
+ ')
+
+ logging_list_logs($1)
+ admin_pattern($1, mythtv_var_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, mythtv_var_lib_t)
+')
diff --git a/mythtv.te b/mythtv.te
new file mode 100644
index 000000000..0e585e3c5
--- /dev/null
+++ b/mythtv.te
@@ -0,0 +1,47 @@
+policy_module(mythtv, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(mythtv)
+apache_content_alias_template(mythtv, mythtv)
+
+type mythtv_var_lib_t;
+files_type(mythtv_var_lib_t)
+
+type mythtv_var_log_t;
+logging_log_file(mythtv_var_log_t)
+
+########################################
+#
+# mythtv_script local policy
+#
+#============= httpd_mythtv_script_t ==============
+allow httpd_mythtv_script_t self:process setpgid;
+dev_list_sysfs(httpd_mythtv_script_t)
+
+manage_files_pattern(mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
+manage_dirs_pattern(mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
+files_var_lib_filetrans(mythtv_script_t, mythtv_var_lib_t, { dir file })
+
+manage_files_pattern(mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
+manage_dirs_pattern(mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
+logging_log_filetrans(mythtv_script_t, mythtv_var_log_t, file )
+
+domain_use_interactive_fds(mythtv_script_t)
+
+files_read_etc_files(mythtv_script_t)
+
+fs_read_nfs_files(mythtv_script_t)
+
+auth_read_passwd(httpd_mythtv_script_t)
+
+miscfiles_read_localization(httpd_mythtv_script_t)
+
+optional_policy(`
+ mysql_read_config(mythtv_script_t)
+ mysql_stream_connect(mythtv_script_t)
+ mysql_tcp_connect(mythtv_script_t)
+')
diff --git a/naemon.fc b/naemon.fc
new file mode 100644
index 000000000..85407d337
--- /dev/null
+++ b/naemon.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/naemon -- gen_context(system_u:object_r:naemon_initrc_exec_t,s0)
+
+/usr/bin/naemon -- gen_context(system_u:object_r:naemon_exec_t,s0)
+
+/var/cache/naemon(/.*)? gen_context(system_u:object_r:naemon_cache_t,s0)
+
+/var/lib/naemon(/.*)? gen_context(system_u:object_r:naemon_var_lib_t,s0)
+
+/var/log/naemon(/.*)? gen_context(system_u:object_r:naemon_log_t,s0)
+
+/var/run/naemon(/.*)? gen_context(system_u:object_r:naemon_var_run_t,s0)
diff --git a/naemon.if b/naemon.if
new file mode 100644
index 000000000..e904df027
--- /dev/null
+++ b/naemon.if
@@ -0,0 +1,305 @@
+
+## <summary>New monitoring suite that aims to be faster and more stable, while giving you a clearer view of the state of your network.</summary>
+
+########################################
+## <summary>
+## Execute naemon in the naemon domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`naemon_domtrans',`
+ gen_require(`
+ type naemon_t, naemon_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, naemon_exec_t, naemon_t)
+')
+
+########################################
+## <summary>
+## Execute naemon server in the naemon domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`naemon_initrc_domtrans',`
+ gen_require(`
+ type naemon_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, naemon_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Search naemon cache directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`naemon_search_cache',`
+ gen_require(`
+ type naemon_cache_t;
+ ')
+
+ allow $1 naemon_cache_t:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+## <summary>
+## Read naemon cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`naemon_read_cache_files',`
+ gen_require(`
+ type naemon_cache_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, naemon_cache_t, naemon_cache_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## naemon cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`naemon_manage_cache_files',`
+ gen_require(`
+ type naemon_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, naemon_cache_t, naemon_cache_t)
+')
+
+########################################
+## <summary>
+## Manage naemon cache dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`naemon_manage_cache_dirs',`
+ gen_require(`
+ type naemon_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, naemon_cache_t, naemon_cache_t)
+')
+
+########################################
+## <summary>
+## Read naemon's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`naemon_read_log',`
+ gen_require(`
+ type naemon_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, naemon_log_t, naemon_log_t)
+')
+
+########################################
+## <summary>
+## Append to naemon log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`naemon_append_log',`
+ gen_require(`
+ type naemon_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, naemon_log_t, naemon_log_t)
+')
+
+########################################
+## <summary>
+## Manage naemon log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`naemon_manage_log',`
+ gen_require(`
+ type naemon_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, naemon_log_t, naemon_log_t)
+ manage_files_pattern($1, naemon_log_t, naemon_log_t)
+ manage_lnk_files_pattern($1, naemon_log_t, naemon_log_t)
+')
+
+########################################
+## <summary>
+## Search naemon lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`naemon_search_lib',`
+ gen_require(`
+ type naemon_var_lib_t;
+ ')
+
+ allow $1 naemon_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read naemon lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`naemon_read_lib_files',`
+ gen_require(`
+ type naemon_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, naemon_var_lib_t, naemon_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage naemon lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`naemon_manage_lib_files',`
+ gen_require(`
+ type naemon_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, naemon_var_lib_t, naemon_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage naemon lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`naemon_manage_lib_dirs',`
+ gen_require(`
+ type naemon_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, naemon_var_lib_t, naemon_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an naemon environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`naemon_admin',`
+ gen_require(`
+ type naemon_t;
+ type naemon_initrc_exec_t;
+ type naemon_cache_t;
+ type naemon_log_t;
+ type naemon_var_lib_t;
+ ')
+
+ allow $1 naemon_t:process { signal_perms };
+ ps_process_pattern($1, naemon_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 naemon_t:process ptrace;
+ ')
+
+ naemon_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 naemon_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var($1)
+ admin_pattern($1, naemon_cache_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, naemon_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, naemon_var_lib_t)
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/naemon.te b/naemon.te
new file mode 100644
index 000000000..79f1250eb
--- /dev/null
+++ b/naemon.te
@@ -0,0 +1,59 @@
+policy_module(naemon, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type naemon_t;
+type naemon_exec_t;
+init_daemon_domain(naemon_t, naemon_exec_t)
+
+type naemon_initrc_exec_t;
+init_script_file(naemon_initrc_exec_t)
+
+type naemon_cache_t;
+files_type(naemon_cache_t)
+
+type naemon_log_t;
+logging_log_file(naemon_log_t)
+
+type naemon_var_lib_t;
+files_type(naemon_var_lib_t)
+
+type naemon_var_run_t;
+files_pid_file(naemon_var_run_t)
+
+########################################
+#
+# naemon local policy
+#
+allow naemon_t self:process { fork setpgid setrlimit signal_perms };
+allow naemon_t self:fifo_file rw_fifo_file_perms;
+allow naemon_t self:unix_stream_socket create_stream_socket_perms;
+allow naemon_t self:unix_stream_socket connectto;
+
+manage_dirs_pattern(naemon_t, naemon_cache_t, naemon_cache_t)
+manage_files_pattern(naemon_t, naemon_cache_t, naemon_cache_t)
+manage_sock_files_pattern(naemon_t, naemon_cache_t, naemon_cache_t)
+files_var_filetrans(naemon_t, naemon_cache_t, { dir })
+
+manage_dirs_pattern(naemon_t, naemon_log_t, naemon_log_t)
+manage_files_pattern(naemon_t, naemon_log_t, naemon_log_t)
+logging_log_filetrans(naemon_t, naemon_log_t, { dir })
+
+manage_dirs_pattern(naemon_t, naemon_var_lib_t, naemon_var_lib_t)
+manage_files_pattern(naemon_t, naemon_var_lib_t, naemon_var_lib_t)
+manage_sock_files_pattern(naemon_t, naemon_var_lib_t, naemon_var_lib_t)
+manage_fifo_files_pattern(naemon_t, naemon_var_lib_t, naemon_var_lib_t)
+files_var_lib_filetrans(naemon_t, naemon_var_lib_t, { dir })
+
+manage_dirs_pattern(naemon_t, naemon_var_run_t, naemon_var_run_t)
+manage_files_pattern(naemon_t, naemon_var_run_t, naemon_var_run_t)
+files_pid_filetrans(naemon_t, naemon_var_run_t, { dir })
+
+kernel_read_system_state(naemon_t)
+
+auth_read_passwd(naemon_t)
+
+fs_getattr_xattr_fs(naemon_t)
diff --git a/nagios.fc b/nagios.fc
index d78dfc38d..c781b72bb 100644
--- a/nagios.fc
+++ b/nagios.fc
@@ -1,88 +1,113 @@
-/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
-/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
+/etc/icinga(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
+/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
+/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
-/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
+/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/bin/icinga -- gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
-/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
+/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/sbin/icinga -- gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
-/usr/lib/cgi-bin/nagios(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
+/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
+/usr/lib/icinga/cgi(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
-/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+/var/log/icinga(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+/var/log/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
-/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
+/var/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
+
+/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)
+
+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
+/var/spool/icinga(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
+ifdef(`distro_debian',`
+/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+')
+/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
+/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
+
+# admin plugins
/usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+# check disk plugins
+/usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
-
-/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-
-/usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-
-/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
-
-/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
-
-/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
-/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
-
-/var/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0)
-/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0)
-
-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
+# mail plugins
+/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
+
+/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
+
+# system plugins
+/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+
+# services plugins
+/usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+
+# openshift plugins
+/usr/lib64/nagios/plugins/check_node_accept_status -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0)
+/usr/lib64/nagios/plugins/check_number_openshift_apps -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0)
+
+# label all nagios plugin as unconfined by default
+/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
+
+# eventhandlers
+/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
+/usr/lib/icinga/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
+
diff --git a/nagios.if b/nagios.if
index 0641e970f..f3b111172 100644
--- a/nagios.if
+++ b/nagios.if
@@ -1,12 +1,13 @@
-## <summary>Network monitoring server.</summary>
+## <summary>Net Saint / NAGIOS - network monitoring server</summary>
-#######################################
+########################################
## <summary>
-## The template to define a nagios plugin domain.
+## Create a set of derived types for various
+## nagios plugins,
## </summary>
-## <param name="domain_prefix">
+## <param name="plugins_group_name">
## <summary>
-## Domain prefix to be used.
+## The name to be used for deriving type names.
## </summary>
## </param>
#
@@ -16,38 +17,51 @@ template(`nagios_plugin_template',`
type nagios_t, nrpe_t;
')
- ########################################
- #
- # Declarations
- #
-
type nagios_$1_plugin_t, nagios_plugin_domain;
type nagios_$1_plugin_exec_t;
application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t)
role system_r types nagios_$1_plugin_t;
- ########################################
- #
- # Policy
- #
-
domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
allow nagios_t nagios_$1_plugin_exec_t:file ioctl;
+ # needed by command.cfg
domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
+
+ kernel_read_system_state(nagios_$1_plugin_t)
+
+')
+
+########################################
+## <summary>
+## Execute the nagios unconfined plugins with
+## a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_domtrans_unconfined_plugins',`
+ gen_require(`
+ type nagios_unconfined_plugin_t;
+ type nagios_unconfined_plugin_exec_t;
+ ')
+
+ domtrans_pattern($1, nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
')
########################################
## <summary>
-## Do not audit attempts to read or
-## write nagios unnamed pipes.
+## Do not audit attempts to read or write nagios
+## unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
-## <rolecap/>
#
interface(`nagios_dontaudit_rw_pipes',`
gen_require(`
@@ -59,7 +73,8 @@ interface(`nagios_dontaudit_rw_pipes',`
########################################
## <summary>
-## Read nagios configuration content.
+## Allow the specified domain to read
+## nagios configuration files.
## </summary>
## <param name="domain">
## <summary>
@@ -73,15 +88,33 @@ interface(`nagios_read_config',`
type nagios_etc_t;
')
- files_search_etc($1)
allow $1 nagios_etc_t:dir list_dir_perms;
allow $1 nagios_etc_t:file read_file_perms;
- allow $1 nagios_etc_t:lnk_file read_lnk_file_perms;
+ files_search_etc($1)
+')
+######################################
+## <summary>
+## Read nagios lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_read_lib',`
+ gen_require(`
+ type nagios_var_lib_t;
+ ')
+
+ files_search_var($1)
+ list_dirs_pattern($1, nagios_var_lib_t, nagios_var_lib_t)
+ read_files_pattern($1, nagios_var_lib_t, nagios_var_lib_t)
')
######################################
## <summary>
-## Read nagios log files.
+## Read nagios logs.
## </summary>
## <param name="domain">
## <summary>
@@ -100,8 +133,7 @@ interface(`nagios_read_log',`
########################################
## <summary>
-## Do not audit attempts to read or
-## write nagios log files.
+## Do not audit attempts to read or write nagios logs.
## </summary>
## <param name="domain">
## <summary>
@@ -132,13 +164,33 @@ interface(`nagios_search_spool',`
type nagios_spool_t;
')
- files_search_spool($1)
allow $1 nagios_spool_t:dir search_dir_perms;
+ files_search_spool($1)
')
########################################
## <summary>
-## Read nagios temporary files.
+## Append nagios spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_append_spool',`
+ gen_require(`
+ type nagios_spool_t;
+ ')
+
+ allow $1 nagios_spool_t:file append_file_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## nagios temporary files.
## </summary>
## <param name="domain">
## <summary>
@@ -151,13 +203,34 @@ interface(`nagios_read_tmp_files',`
type nagios_tmp_t;
')
- files_search_tmp($1)
allow $1 nagios_tmp_t:file read_file_perms;
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## nagios temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_rw_inerited_tmp_files',`
+ gen_require(`
+ type nagios_tmp_t;
+ ')
+
+ allow $1 nagios_tmp_t:file rw_inherited_file_perms;
+ files_search_tmp($1)
')
########################################
## <summary>
-## Execute nrpe with a domain transition.
+## Execute the nagios NRPE with
+## a domain transition.
## </summary>
## <param name="domain">
## <summary>
@@ -170,14 +243,31 @@ interface(`nagios_domtrans_nrpe',`
type nrpe_t, nrpe_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, nrpe_exec_t, nrpe_t)
')
+######################################
+## <summary>
+## Do not audit attempts to write nrpe daemon unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_dontaudit_write_pipes_nrpe',`
+ gen_require(`
+ type nrpe_t;
+ ')
+
+ dontaudit $1 nrpe_t:fifo_file write;
+')
+
########################################
## <summary>
-## All of the rules required to
-## administrate an nagios environment.
+## All of the rules required to administrate
+## an nagios environment
## </summary>
## <param name="domain">
## <summary>
@@ -186,44 +276,43 @@ interface(`nagios_domtrans_nrpe',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the nagios domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`nagios_admin',`
gen_require(`
- attribute nagios_plugin_domain;
type nagios_t, nrpe_t, nagios_initrc_exec_t;
- type nagios_tmp_t, nagios_log_t, nagios_var_lib_t;
- type nagios_etc_t, nrpe_etc_t, nrpe_var_run_t;
- type nagios_spool_t, nagios_var_run_t, nagios_system_plugin_tmp_t;
- type nagios_eventhandler_plugin_tmp_t;
+ type nagios_tmp_t, nagios_log_t, nagios_var_run_t;
+ type nagios_etc_t, nrpe_etc_t, nagios_spool_t;
')
- allow $1 { nagios_t nrpe_t nagios_plugin_domain }:process { ptrace signal_perms };
- ps_process_pattern($1, { nagios_t nrpe_t nagios_plugin_domain })
+ allow $1 nagios_t:process signal_perms;
+ ps_process_pattern($1, nagios_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 nagios_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, nagios_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 nagios_initrc_exec_t system_r;
allow $2 system_r;
- files_search_tmp($1)
- admin_pattern($1, { nagios_eventhandler_plugin_tmp_t nagios_tmp_t nagios_system_plugin_tmp_t })
+ files_list_tmp($1)
+ admin_pattern($1, nagios_tmp_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, nagios_log_t)
- files_search_etc($1)
- admin_pattern($1, { nrpe_etc_t nagios_etc_t })
+ files_list_etc($1)
+ admin_pattern($1, nagios_etc_t)
- files_search_spool($1)
+ files_list_spool($1)
admin_pattern($1, nagios_spool_t)
- files_search_pids($1)
- admin_pattern($1, { nrpe_var_run_t nagios_var_run_t })
+ files_list_pids($1)
+ admin_pattern($1, nagios_var_run_t)
- files_search_var_lib($1)
- admin_pattern($1, nagios_var_lib_t)
+ admin_pattern($1, nrpe_etc_t)
')
diff --git a/nagios.te b/nagios.te
index 7b3e682e6..bbbadba75 100644
--- a/nagios.te
+++ b/nagios.te
@@ -5,6 +5,33 @@ policy_module(nagios, 1.13.0)
# Declarations
#
+## <desc>
+## <p>
+## Allow nagios/nrpe to call sudo from NRPE utils scripts.
+## </p>
+## </desc>
+gen_tunable(nagios_run_sudo, false)
+
+## <desc>
+## <p>
+## Allow nagios run in conjunction with PNP4Nagios.
+## </p>
+## </desc>
+gen_tunable(nagios_run_pnp4nagios, false)
+
+## <desc>
+## <p>
+## Determine whether Nagios, NRPE can
+## access nfs file systems.
+## </p>
+## </desc>
+gen_tunable(nagios_use_nfs, false)
+
+gen_require(`
+ class passwd rootok;
+ class passwd passwd;
+')
+
attribute nagios_plugin_domain;
type nagios_t;
@@ -27,7 +54,7 @@ type nagios_var_run_t;
files_pid_file(nagios_var_run_t)
type nagios_spool_t;
-files_type(nagios_spool_t)
+files_spool_file(nagios_spool_t)
type nagios_var_lib_t;
files_type(nagios_var_lib_t)
@@ -39,6 +66,7 @@ nagios_plugin_template(services)
nagios_plugin_template(system)
nagios_plugin_template(unconfined)
nagios_plugin_template(eventhandler)
+nagios_plugin_template(openshift)
type nagios_eventhandler_plugin_tmp_t;
files_tmp_file(nagios_eventhandler_plugin_tmp_t)
@@ -46,6 +74,9 @@ files_tmp_file(nagios_eventhandler_plugin_tmp_t)
type nagios_system_plugin_tmp_t;
files_tmp_file(nagios_system_plugin_tmp_t)
+type nagios_openshift_plugin_tmp_t;
+files_tmp_file(nagios_openshift_plugin_tmp_t)
+
type nrpe_t;
type nrpe_exec_t;
init_daemon_domain(nrpe_t, nrpe_exec_t)
@@ -63,30 +94,33 @@ files_pid_file(nrpe_var_run_t)
allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms;
+allow nrpe_t nagios_plugin_domain:process { signal sigkill };
+
+allow nagios_t nagios_plugin_domain:process signal_perms;
+allow nagios_plugin_domain nagios_t:process signal_perms;
+
+# cjp: leaked file descriptor
dontaudit nagios_plugin_domain nrpe_t:tcp_socket { read write };
dontaudit nagios_plugin_domain nagios_log_t:file { read write };
-kernel_read_system_state(nagios_plugin_domain)
-
dev_read_urand(nagios_plugin_domain)
dev_read_rand(nagios_plugin_domain)
+dev_read_sysfs(nagios_plugin_domain)
-files_read_usr_files(nagios_plugin_domain)
-
-miscfiles_read_localization(nagios_plugin_domain)
-
-userdom_use_user_terminals(nagios_plugin_domain)
+userdom_use_inherited_user_ptys(nagios_plugin_domain)
+userdom_use_inherited_user_ttys(nagios_plugin_domain)
########################################
#
# Nagios local policy
#
-allow nagios_t self:capability { dac_override setgid setuid };
+allow nagios_t self:capability { dac_read_search setgid setuid };
dontaudit nagios_t self:capability sys_tty_config;
allow nagios_t self:process { setpgid signal_perms };
allow nagios_t self:fifo_file rw_fifo_file_perms;
allow nagios_t self:tcp_socket { accept listen };
+allow nagios_t self:unix_stream_socket { connectto };
allow nagios_t nagios_plugin_domain:process signal_perms;
@@ -96,11 +130,13 @@ allow nagios_t nagios_etc_t:dir list_dir_perms;
allow nagios_t nagios_etc_t:file read_file_perms;
allow nagios_t nagios_etc_t:lnk_file read_lnk_file_perms;
-allow nagios_t nagios_log_t:dir setattr_dir_perms;
-append_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
-create_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
-setattr_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
-logging_log_filetrans(nagios_t, nagios_log_t, file)
+#allow nagios_t nagios_log_t:dir setattr_dir_perms;
+#append_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+#create_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+#setattr_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+manage_dirs_pattern(nagios_t, nagios_log_t, nagios_log_t)
+logging_log_filetrans(nagios_t, nagios_log_t, { dir file })
manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
@@ -110,11 +146,14 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
-files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
+manage_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+manage_sock_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file })
manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
-files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { file fifo_file })
+manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
+files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { dir file fifo_file })
kernel_read_system_state(nagios_t)
kernel_read_kernel_sysctls(nagios_t)
@@ -123,7 +162,6 @@ kernel_read_software_raid_state(nagios_t)
corecmd_exec_bin(nagios_t)
corecmd_exec_shell(nagios_t)
-corenet_all_recvfrom_unlabeled(nagios_t)
corenet_all_recvfrom_netlabel(nagios_t)
corenet_tcp_sendrecv_generic_if(nagios_t)
corenet_tcp_sendrecv_generic_node(nagios_t)
@@ -143,18 +181,16 @@ domain_read_all_domains_state(nagios_t)
files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t)
-files_read_usr_files(nagios_t)
files_search_spool(nagios_t)
fs_getattr_all_fs(nagios_t)
fs_search_auto_mountpoints(nagios_t)
+fs_search_cgroup_dirs(nagios_t)
auth_use_nsswitch(nagios_t)
logging_send_syslog_msg(nagios_t)
-miscfiles_read_localization(nagios_t)
-
userdom_dontaudit_use_unpriv_user_fds(nagios_t)
userdom_dontaudit_search_user_home_dirs(nagios_t)
@@ -162,6 +198,47 @@ mta_send_mail(nagios_t)
mta_signal_system_mail(nagios_t)
mta_kill_system_mail(nagios_t)
+systemd_exec_systemctl(nagios_t)
+
+tunable_policy(`nagios_run_sudo',`
+ allow nagios_t self:capability { setuid setgid sys_resource sys_ptrace };
+ allow nagios_t self:process { setrlimit setsched };
+
+ allow nagios_t self:key write;
+
+ allow nagios_t self:passwd { passwd rootok };
+
+ auth_rw_lastlog(nagios_t)
+ auth_rw_faillog(nagios_t)
+
+ auth_domtrans_chkpwd(nagios_t)
+
+ selinux_compute_access_vector(nagios_t)
+
+ logging_send_audit_msgs(nagios_t)
+')
+
+optional_policy(`
+ apache_systemctl(nagios_t)
+')
+
+optional_policy(`
+ tunable_policy(`nagios_run_sudo',`
+ sudo_exec(nagios_t)
+ sudo_manage_db(nagios_t)
+ ')
+')
+
+tunable_policy(`nagios_run_pnp4nagios',`
+ allow nagios_t nagios_log_t:file execute;
+')
+
+tunable_policy(`nagios_use_nfs',`
+ fs_manage_nfs_files(nagios_t)
+ fs_manage_nfs_dirs(nagios_t)
+ fs_manage_nfs_symlinks(nagios_t)
+')
+
optional_policy(`
netutils_kill_ping(nagios_t)
')
@@ -178,35 +255,38 @@ optional_policy(`
#
# CGI local policy
#
+
optional_policy(`
apache_content_template(nagios)
- typealias httpd_nagios_script_t alias nagios_cgi_t;
- typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t;
+ apache_content_alias_template(nagios, nagios)
+ typealias nagios_script_t alias nagios_cgi_t;
+ typealias nagios_script_exec_t alias nagios_cgi_exec_t;
- allow httpd_nagios_script_t self:process signal_perms;
+ allow nagios_script_t self:process signal_perms;
- read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
- read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
+ read_files_pattern(nagios_script_t, nagios_t, nagios_t)
+ read_lnk_files_pattern(nagios_script_t, nagios_t, nagios_t)
- allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
- allow httpd_nagios_script_t nagios_etc_t:file read_file_perms;
- allow httpd_nagios_script_t nagios_etc_t:lnk_file read_lnk_file_perms;
+ allow nagios_script_t nagios_etc_t:dir list_dir_perms;
+ allow nagios_script_t nagios_etc_t:file read_file_perms;
+ allow nagios_script_t nagios_etc_t:lnk_file read_lnk_file_perms;
- files_search_spool(httpd_nagios_script_t)
- rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
+ files_search_spool(nagios_script_t)
+ rw_fifo_files_pattern(nagios_script_t, nagios_spool_t, nagios_spool_t)
+ read_files_pattern(nagios_script_t, nagios_spool_t, nagios_spool_t)
- allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
- read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
- read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
+ allow nagios_script_t nagios_log_t:dir list_dir_perms;
+ read_files_pattern(nagios_script_t, nagios_etc_t, nagios_log_t)
+ read_lnk_files_pattern(nagios_script_t, nagios_etc_t, nagios_log_t)
- kernel_read_system_state(httpd_nagios_script_t)
+ kernel_read_system_state(nagios_script_t)
- domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
+ domain_dontaudit_read_all_domains_state(nagios_script_t)
- files_read_etc_runtime_files(httpd_nagios_script_t)
- files_read_kernel_symbol_table(httpd_nagios_script_t)
+ files_read_etc_runtime_files(nagios_script_t)
+ files_read_kernel_symbol_table(nagios_script_t)
- logging_send_syslog_msg(httpd_nagios_script_t)
+ logging_send_syslog_msg(nagios_script_t)
')
########################################
@@ -214,7 +294,7 @@ optional_policy(`
# Nrpe local policy
#
-allow nrpe_t self:capability { setuid setgid };
+allow nrpe_t self:capability { setuid setgid kill };
dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
allow nrpe_t self:fifo_file rw_fifo_file_perms;
@@ -229,9 +309,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
+kernel_read_system_state(nrpe_t)
kernel_read_kernel_sysctls(nrpe_t)
kernel_read_software_raid_state(nrpe_t)
-kernel_read_system_state(nrpe_t)
corecmd_exec_bin(nrpe_t)
corecmd_exec_shell(nrpe_t)
@@ -252,8 +332,8 @@ dev_read_urand(nrpe_t)
domain_use_interactive_fds(nrpe_t)
domain_read_all_domains_state(nrpe_t)
+files_list_var(nrpe_t)
files_read_etc_runtime_files(nrpe_t)
-files_read_usr_files(nrpe_t)
fs_getattr_all_fs(nrpe_t)
fs_search_auto_mountpoints(nrpe_t)
@@ -262,10 +342,40 @@ auth_use_nsswitch(nrpe_t)
logging_send_syslog_msg(nrpe_t)
-miscfiles_read_localization(nrpe_t)
-
userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
+tunable_policy(`nagios_run_sudo',`
+ allow nrpe_t self:capability { setuid setgid sys_resource sys_ptrace };
+ allow nrpe_t self:process { setrlimit setsched };
+
+ allow nrpe_t self:key write;
+
+ allow nrpe_t self:passwd { passwd rootok };
+
+ auth_rw_lastlog(nrpe_t)
+ auth_rw_faillog(nrpe_t)
+
+ auth_domtrans_chkpwd(nrpe_t)
+
+ selinux_compute_access_vector(nrpe_t)
+
+ logging_send_audit_msgs(nrpe_t)
+')
+
+optional_policy(`
+ tunable_policy(`nagios_run_sudo',`
+ sudo_exec(nrpe_t)
+ sudo_manage_db(nrpe_t)
+ ')
+')
+
+
+tunable_policy(`nagios_use_nfs',`
+ fs_manage_nfs_files(nrpe_t)
+ fs_manage_nfs_dirs(nrpe_t)
+ fs_manage_nfs_symlinks(nrpe_t)
+')
+
optional_policy(`
inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
')
@@ -309,16 +419,16 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
# Mail local policy
#
-allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
-allow nagios_mail_plugin_t self:tcp_socket { accept listen };
+allow nagios_mail_plugin_t self:capability { setuid setgid dac_read_search };
+allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
+allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
kernel_read_kernel_sysctls(nagios_mail_plugin_t)
corecmd_read_bin_files(nagios_mail_plugin_t)
corecmd_read_bin_symlinks(nagios_mail_plugin_t)
-files_read_etc_files(nagios_mail_plugin_t)
-
logging_send_syslog_msg(nagios_mail_plugin_t)
sysnet_dns_name_resolve(nagios_mail_plugin_t)
@@ -345,9 +455,14 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
+corecmd_exec_bin(nagios_checkdisk_plugin_t)
+
+files_getattr_all_dirs(nagios_checkdisk_plugin_t)
files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
+fs_read_configfs_files(nagios_checkdisk_plugin_t)
+fs_read_configfs_dirs(nagios_checkdisk_plugin_t)
fs_getattr_all_fs(nagios_checkdisk_plugin_t)
storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
@@ -357,9 +472,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
# Services local policy
#
-allow nagios_services_plugin_t self:capability net_raw;
+allow nagios_services_plugin_t self:capability { setuid net_bind_service net_raw };
allow nagios_services_plugin_t self:process { signal sigkill };
-allow nagios_services_plugin_t self:tcp_socket { accept listen };
+allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
+allow nagios_services_plugin_t self:udp_socket create_socket_perms;
+allow nagios_services_plugin_t self:rawip_socket create_socket_perms;
corecmd_exec_bin(nagios_services_plugin_t)
@@ -391,6 +508,11 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(nagios_services_plugin_t)
+ mysql_read_config(nagios_services_plugin_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(nagios_services_plugin_t)
')
optional_policy(`
@@ -402,32 +524,40 @@ optional_policy(`
# System local policy
#
-allow nagios_system_plugin_t self:capability dac_override;
+allow nagios_system_plugin_t self:capability { dac_read_search };
dontaudit nagios_system_plugin_t self:capability { setuid setgid };
read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
+allow nagios_system_plugin_t nrpe_exec_t:file read_file_perms;
+allow nagios_system_plugin_t nagios_exec_t:file read_file_perms;
manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
+kernel_read_system_state(nagios_system_plugin_t)
kernel_read_kernel_sysctls(nagios_system_plugin_t)
corecmd_exec_bin(nagios_system_plugin_t)
corecmd_exec_shell(nagios_system_plugin_t)
+corecmd_getattr_all_executables(nagios_system_plugin_t)
dev_read_sysfs(nagios_system_plugin_t)
domain_read_all_domains_state(nagios_system_plugin_t)
-files_read_etc_files(nagios_system_plugin_t)
-
fs_getattr_all_fs(nagios_system_plugin_t)
+auth_read_passwd(nagios_system_plugin_t)
+
optional_policy(`
init_read_utmp(nagios_system_plugin_t)
')
+optional_policy(`
+ mrtg_read_lib_files(nagios_system_plugin_t)
+')
+
#######################################
#
# Event local policy
@@ -442,9 +572,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
init_domtrans_script(nagios_eventhandler_plugin_t)
+systemd_exec_systemctl(nagios_eventhandler_plugin_t)
+
+allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms;
+
+optional_policy(`
+ unconfined_domain(nagios_eventhandler_plugin_t)
+')
+
########################################
#
-# Unconfined plugin policy
+# nagios openshift plugin policy
+#
+
+allow nagios_openshift_plugin_t self:capability sys_ptrace;
+
+manage_dirs_pattern(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, nagios_openshift_plugin_tmp_t)
+manage_files_pattern(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, nagios_openshift_plugin_tmp_t)
+files_tmp_filetrans(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, { file dir })
+
+corecmd_exec_bin(nagios_openshift_plugin_t)
+corecmd_exec_shell(nagios_openshift_plugin_t)
+
+domain_read_all_domains_state(nagios_openshift_plugin_t)
+
+fs_getattr_all_fs(nagios_openshift_plugin_t)
+
+optional_policy(`
+ apache_read_config(nagios_openshift_plugin_t)
+')
+
+######################################
+#
+# nagios plugin domain policy
#
optional_policy(`
diff --git a/namespace.fc b/namespace.fc
new file mode 100644
index 000000000..ce51c8d4f
--- /dev/null
+++ b/namespace.fc
@@ -0,0 +1,3 @@
+
+/etc/security/namespace.init -- gen_context(system_u:object_r:namespace_init_exec_t,s0)
+
diff --git a/namespace.if b/namespace.if
new file mode 100644
index 000000000..8d7c75157
--- /dev/null
+++ b/namespace.if
@@ -0,0 +1,48 @@
+
+## <summary>policy for namespace</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run namespace_init.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`namespace_init_domtrans',`
+ gen_require(`
+ type namespace_init_t, namespace_init_exec_t;
+ ')
+
+ domtrans_pattern($1, namespace_init_exec_t, namespace_init_t)
+')
+
+
+########################################
+## <summary>
+## Execute namespace_init in the namespace_init domain, and
+## allow the specified role the namespace_init domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the namespace_init domain.
+## </summary>
+## </param>
+#
+interface(`namespace_init_run',`
+ gen_require(`
+ type namespace_init_t;
+ ')
+
+ namespace_init_domtrans($1)
+ role $2 types namespace_init_t;
+
+ seutil_run_setfiles(namespace_init_t, $2)
+')
diff --git a/namespace.te b/namespace.te
new file mode 100644
index 000000000..86c327621
--- /dev/null
+++ b/namespace.te
@@ -0,0 +1,41 @@
+policy_module(namespace,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type namespace_init_t;
+type namespace_init_exec_t;
+init_system_domain(namespace_init_t, namespace_init_exec_t)
+role system_r types namespace_init_t;
+
+########################################
+#
+# namespace_init local policy
+#
+
+allow namespace_init_t self:capability { dac_read_search };
+
+allow namespace_init_t self:fifo_file manage_fifo_file_perms;
+allow namespace_init_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(namespace_init_t)
+
+corecmd_exec_shell(namespace_init_t)
+
+domain_use_interactive_fds(namespace_init_t)
+domain_obj_id_change_exemption(namespace_init_t)
+
+files_polyinstantiate_all(namespace_init_t)
+
+fs_getattr_xattr_fs(namespace_init_t)
+
+auth_use_nsswitch(namespace_init_t)
+
+term_use_console(namespace_init_t)
+
+userdom_manage_user_home_content(namespace_init_t)
+userdom_relabelto_user_home_dirs(namespace_init_t)
+userdom_relabelto_user_home_files(namespace_init_t)
+userdom_filetrans_home_content(namespace_init_t)
diff --git a/ncftool.if b/ncftool.if
index db9578f4e..4309e3da5 100644
--- a/ncftool.if
+++ b/ncftool.if
@@ -38,9 +38,11 @@ interface(`ncftool_domtrans',`
#
interface(`ncftool_run',`
gen_require(`
+ type ncftool_t;
attribute_role ncftool_roles;
')
ncftool_domtrans($1)
roleattribute $2 ncftool_roles;
')
+
diff --git a/ncftool.te b/ncftool.te
index 71f30ba60..d61686078 100644
--- a/ncftool.te
+++ b/ncftool.te
@@ -22,13 +22,14 @@ role ncftool_roles types ncftool_t;
allow ncftool_t self:capability net_admin;
allow ncftool_t self:process signal;
+
allow ncftool_t self:fifo_file manage_fifo_file_perms;
allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
allow ncftool_t self:tcp_socket create_stream_socket_perms;
kernel_read_kernel_sysctls(ncftool_t)
-kernel_read_modprobe_sysctls(ncftool_t)
+kernel_read_usermodehelper_state(ncftool_t)
kernel_read_network_state(ncftool_t)
kernel_read_system_state(ncftool_t)
kernel_request_load_module(ncftool_t)
@@ -41,11 +42,11 @@ domain_read_all_domains_state(ncftool_t)
dev_read_sysfs(ncftool_t)
-files_read_etc_files(ncftool_t)
+files_manage_system_conf_files(ncftool_t)
+files_relabelto_system_conf_files(ncftool_t)
files_read_etc_runtime_files(ncftool_t)
-files_read_usr_files(ncftool_t)
-miscfiles_read_localization(ncftool_t)
+term_use_all_inherited_terms(ncftool_t)
sysnet_delete_dhcpc_pid(ncftool_t)
sysnet_run_dhcpc(ncftool_t, ncftool_roles)
@@ -53,6 +54,8 @@ sysnet_run_ifconfig(ncftool_t, ncftool_roles)
sysnet_etc_filetrans_config(ncftool_t)
sysnet_manage_config(ncftool_t)
sysnet_read_dhcpc_state(ncftool_t)
+sysnet_relabelfrom_net_conf(ncftool_t)
+sysnet_relabelto_net_conf(ncftool_t)
sysnet_read_dhcpc_pid(ncftool_t)
sysnet_signal_dhcpc(ncftool_t)
@@ -73,11 +76,14 @@ optional_policy(`
optional_policy(`
iptables_initrc_domtrans(ncftool_t)
+ iptables_systemctl(ncftool_t)
')
optional_policy(`
+ modutils_list_module_config(ncftool_t)
modutils_read_module_config(ncftool_t)
modutils_run_insmod(ncftool_t, ncftool_roles)
+
')
optional_policy(`
diff --git a/nessus.te b/nessus.te
index fe1068ba5..98166ee0b 100644
--- a/nessus.te
+++ b/nessus.te
@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(nessusd_t)
corecmd_exec_bin(nessusd_t)
-corenet_all_recvfrom_unlabeled(nessusd_t)
corenet_all_recvfrom_netlabel(nessusd_t)
corenet_tcp_sendrecv_generic_if(nessusd_t)
corenet_udp_sendrecv_generic_if(nessusd_t)
@@ -82,7 +81,6 @@ dev_read_urand(nessusd_t)
domain_use_interactive_fds(nessusd_t)
files_list_var_lib(nessusd_t)
-files_read_etc_files(nessusd_t)
files_read_etc_runtime_files(nessusd_t)
fs_getattr_all_fs(nessusd_t)
@@ -90,8 +88,6 @@ fs_search_auto_mountpoints(nessusd_t)
logging_send_syslog_msg(nessusd_t)
-miscfiles_read_localization(nessusd_t)
-
sysnet_read_config(nessusd_t)
userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
diff --git a/networkmanager.fc b/networkmanager.fc
index 94b973407..448a7e836 100644
--- a/networkmanager.fc
+++ b/networkmanager.fc
@@ -1,44 +1,46 @@
-/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)
/etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/etc/dhcp/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
-/etc/dhcp/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
-/etc/dhcp/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
+/etc/dhcp/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/dhcp/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/dhcp/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
-/etc/wicd/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
-/etc/wicd/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
-/etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
+/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
-/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/lib/systemd/system/NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
-/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/teamd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
+/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
-/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
-/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+/var/log/wicd.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
-/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-xl2tpd.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/teamd(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wicd\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
index 86dc29dfa..cb39739a5 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -2,7 +2,7 @@
########################################
## <summary>
-## Read and write networkmanager udp sockets.
+## Read and write NetworkManager UDP sockets.
## </summary>
## <param name="domain">
## <summary>
@@ -10,6 +10,7 @@
## </summary>
## </param>
#
+# cjp: added for named.
interface(`networkmanager_rw_udp_sockets',`
gen_require(`
type NetworkManager_t;
@@ -20,7 +21,7 @@ interface(`networkmanager_rw_udp_sockets',`
########################################
## <summary>
-## Read and write networkmanager packet sockets.
+## Read and write NetworkManager packet sockets.
## </summary>
## <param name="domain">
## <summary>
@@ -28,6 +29,7 @@ interface(`networkmanager_rw_udp_sockets',`
## </summary>
## </param>
#
+# cjp: added for named.
interface(`networkmanager_rw_packet_sockets',`
gen_require(`
type NetworkManager_t;
@@ -38,12 +40,12 @@ interface(`networkmanager_rw_packet_sockets',`
#######################################
## <summary>
-## Relabel networkmanager tun socket.
+## Allow caller to relabel tun_socket
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`networkmanager_attach_tun_iface',`
@@ -57,7 +59,7 @@ interface(`networkmanager_attach_tun_iface',`
########################################
## <summary>
-## Read and write networkmanager netlink
+## Read and write NetworkManager netlink
## routing sockets.
## </summary>
## <param name="domain">
@@ -66,6 +68,7 @@ interface(`networkmanager_attach_tun_iface',`
## </summary>
## </param>
#
+# cjp: added for named.
interface(`networkmanager_rw_routing_sockets',`
gen_require(`
type NetworkManager_t;
@@ -76,7 +79,7 @@ interface(`networkmanager_rw_routing_sockets',`
########################################
## <summary>
-## Execute networkmanager with a domain transition.
+## Execute NetworkManager with a domain transition.
## </summary>
## <param name="domain">
## <summary>
@@ -93,10 +96,27 @@ interface(`networkmanager_domtrans',`
domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t)
')
+#######################################
+## <summary>
+## Execute NetworkManager scripts with an automatic domain transition to initrc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`networkmanager_initrc_domtrans',`
+ gen_require(`
+ type NetworkManager_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+')
+
########################################
## <summary>
-## Execute networkmanager scripts with
-## an automatic domain transition to initrc.
+## Execute NetworkManager server in the NetworkManager domain.
## </summary>
## <param name="domain">
## <summary>
@@ -104,18 +124,24 @@ interface(`networkmanager_domtrans',`
## </summary>
## </param>
#
-interface(`networkmanager_initrc_domtrans',`
+interface(`networkmanager_systemctl',`
gen_require(`
- type NetworkManager_initrc_exec_t;
+ type NetworkManager_unit_file_t;
+ type NetworkManager_t;
')
- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 NetworkManager_unit_file_t:file read_file_perms;
+ allow $1 NetworkManager_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, NetworkManager_t)
')
########################################
## <summary>
## Send and receive messages from
-## networkmanager over dbus.
+## NetworkManager over dbus.
## </summary>
## <param name="domain">
## <summary>
@@ -155,7 +181,29 @@ interface(`networkmanager_read_state',`
########################################
## <summary>
-## Send generic signals to networkmanager.
+## Do not audit attempts to send and
+## receive messages from NetworkManager
+## over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`networkmanager_dontaudit_dbus_chat',`
+ gen_require(`
+ type NetworkManager_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 NetworkManager_t:dbus send_msg;
+ dontaudit NetworkManager_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send a generic signal to NetworkManager
## </summary>
## <param name="domain">
## <summary>
@@ -189,6 +237,7 @@ interface(`networkmanager_manage_lib_files',`
files_search_var_lib($1)
manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ allow $1 NetworkManager_var_lib_t:file map;
')
########################################
@@ -209,11 +258,33 @@ interface(`networkmanager_read_lib_files',`
files_search_var_lib($1)
list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ allow $1 NetworkManager_var_lib_t:file map;
+')
+
+#######################################
+## <summary>
+## Read NetworkManager conf files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_read_conf',`
+ gen_require(`
+ type NetworkManager_etc_t;
+ type NetworkManager_etc_rw_t;
+ ')
+
+ allow $1 NetworkManager_etc_t:dir list_dir_perms;
+ read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)
+ read_files_pattern($1,NetworkManager_etc_rw_t,NetworkManager_etc_rw_t)
')
########################################
## <summary>
-## Append networkmanager log files.
+## Read NetworkManager PID files.
## </summary>
## <param name="domain">
## <summary>
@@ -221,19 +292,18 @@ interface(`networkmanager_read_lib_files',`
## </summary>
## </param>
#
-interface(`networkmanager_append_log_files',`
+interface(`networkmanager_read_pid_files',`
gen_require(`
- type NetworkManager_log_t;
+ type NetworkManager_var_run_t;
')
- logging_search_logs($1)
- allow $1 NetworkManager_log_t:dir list_dir_perms;
- append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+ files_search_pids($1)
+ read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
')
########################################
## <summary>
-## Read networkmanager pid files.
+## Manage NetworkManager PID files.
## </summary>
## <param name="domain">
## <summary>
@@ -241,13 +311,66 @@ interface(`networkmanager_append_log_files',`
## </summary>
## </param>
#
-interface(`networkmanager_read_pid_files',`
+interface(`networkmanager_manage_pid_files',`
+ gen_require(`
+ type NetworkManager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
+')
+
+########################################
+## <summary>
+## Manage NetworkManager PID sock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_manage_pid_sock_files',`
gen_require(`
type NetworkManager_var_run_t;
')
files_search_pids($1)
- allow $1 NetworkManager_var_run_t:file read_file_perms;
+ manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
+')
+
+########################################
+## <summary>
+## Create objects in /etc with a private
+## type using a type_transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Object classes to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`networkmanager_pid_filetrans',`
+ gen_require(`
+ type NetworkManager_var_run_t;
+ ')
+
+ filetrans_pattern($1, NetworkManager_var_run_t, $2, $3, $4)
')
####################################
@@ -272,14 +395,33 @@ interface(`networkmanager_stream_connect',`
########################################
## <summary>
-## All of the rules required to
-## administrate an networkmanager environment.
+## Delete NetworkManager PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+#
+interface(`networkmanager_delete_pid_files',`
+ gen_require(`
+ type NetworkManager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ delete_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute NetworkManager in the NetworkManager domain, and
+## allow the specified role the NetworkManager domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
## <param name="role">
## <summary>
## Role allowed access.
@@ -287,33 +429,194 @@ interface(`networkmanager_stream_connect',`
## </param>
## <rolecap/>
#
-interface(`networkmanager_admin',`
+interface(`networkmanager_run',`
gen_require(`
- type NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_etc_t;
- type NetworkManager_etc_rw_t, NetworkManager_log_t, NetworkManager_tmp_t;
- type NetworkManager_var_lib_t, NetworkManager_var_run_t, wpa_cli_t;
+ type NetworkManager_t, NetworkManager_exec_t;
')
- allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { wpa_cli_t NetworkManager_t })
-
- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 NetworkManager_initrc_exec_t system_r;
- allow $2 system_r;
+ networkmanager_domtrans($1)
+ role $2 types NetworkManager_t;
+')
- logging_search_etc($1)
- admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t })
+########################################
+## <summary>
+## Allow the specified domain to append
+## to Network Manager log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_append_log',`
+ gen_require(`
+ type NetworkManager_log_t;
+ ')
logging_search_logs($1)
- admin_pattern($1, NetworkManager_log_t)
+ allow $1 NetworkManager_log_t:dir list_dir_perms;
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+ allow $1 NetworkManager_var_lib_t:file map;
- files_search_var_lib($1)
- admin_pattern($1, NetworkManager_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to manage
+## to Network Manager lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_manage_lib',`
+ gen_require(`
+ type NetworkManager_var_lib_t;
+ ')
+
+ manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ allow $1 NetworkManager_var_lib_t:file map;
+
+')
+
+#######################################
+## <summary>
+## Read the process state (/proc/pid) of NetworkManager.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`NetworkManager_read_state',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:dir search_dir_perms;
+ allow $1 NetworkManager_t:file read_file_perms;
+ allow $1 NetworkManager_t:lnk_file read_lnk_file_perms;
+')
+
+#######################################
+## <summary>
+## Send to NetworkManager with a unix dgram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_dgram_send',`
+ gen_require(`
+ type NetworkManager_t, NetworkManager_var_run_t;
+ ')
files_search_pids($1)
- admin_pattern($1, NetworkManager_var_run_t)
+ dgram_send_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
+')
+
+########################################
+## <summary>
+## Send sigchld to networkmanager.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`networkmanager_sigchld',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Send signull to networkmanager.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`networkmanager_signull',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:process signull;
+')
+
+########################################
+## <summary>
+## Send sigkill to networkmanager.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`networkmanager_sigkill',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Transition to networkmanager named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_filetrans_named_content',`
+ gen_require(`
+ type NetworkManager_var_run_t;
+ type NetworkManager_var_lib_t;
+ ')
- files_search_tmp($1)
- admin_pattern($1, NetworkManager_tmp_t)
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth0.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth1.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth2.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth3.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth4.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth5.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth6.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth7.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth8.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth9.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em0.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em1.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em2.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em3.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em4.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em5.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em6.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em7.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, dir, "teamd")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "wicd.pid")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wired-settings.conf")
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
index 55f20095e..3299cc6c7 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.15.2)
+policy_module(networkmanager, 1.15.3)
########################################
#
@@ -9,15 +9,18 @@ type NetworkManager_t;
type NetworkManager_exec_t;
init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
+type NetworkManager_initrc_exec_t;
+init_script_file(NetworkManager_initrc_exec_t)
+
+type NetworkManager_unit_file_t;
+systemd_unit_file(NetworkManager_unit_file_t)
+
type NetworkManager_etc_t;
files_config_file(NetworkManager_etc_t)
type NetworkManager_etc_rw_t;
files_config_file(NetworkManager_etc_rw_t)
-type NetworkManager_initrc_exec_t;
-init_script_file(NetworkManager_initrc_exec_t)
-
type NetworkManager_log_t;
logging_log_file(NetworkManager_log_t)
@@ -39,25 +42,56 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
# Local policy
#
-allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
-dontaudit NetworkManager_t self:capability { sys_tty_config sys_module sys_ptrace };
-allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
+# networkmanager will ptrace itself if gdb is installed
+# and it receives a unexpected signal (rh bug #204161)
+allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_read_search dac_override net_admin net_raw net_bind_service ipc_lock sys_chroot };
+dontaudit NetworkManager_t self:capability sys_tty_config;
+
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
+ dontaudit NetworkManager_t self:capability sys_module;
+')
+
+allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms };
+
+allow NetworkManager_t self:process setfscreate;
+selinux_validate_context(NetworkManager_t)
+
+tunable_policy(`deny_ptrace',`',`
+ allow NetworkManager_t self:capability sys_ptrace;
+ allow NetworkManager_t self:process ptrace;
+')
+
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
-allow NetworkManager_t self:unix_dgram_socket sendto;
-allow NetworkManager_t self:unix_stream_socket { accept listen };
+allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
+allow NetworkManager_t self:unix_stream_socket{ create_stream_socket_perms connectto };
+allow NetworkManager_t self:netlink_generic_socket create_socket_perms;
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
+allow NetworkManager_t self:netlink_xfrm_socket create_netlink_socket_perms;
allow NetworkManager_t self:netlink_socket create_socket_perms;
allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow NetworkManager_t self:tcp_socket { accept listen };
+allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;
+allow NetworkManager_t self:rawip_socket create_socket_perms;
+allow NetworkManager_t self:socket create_socket_perms;
allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
-allow NetworkManager_t NetworkManager_etc_t:dir list_dir_perms;
-allow NetworkManager_t NetworkManager_etc_t:file read_file_perms;
-allow NetworkManager_t NetworkManager_etc_t:lnk_file read_lnk_file_perms;
+can_exec(NetworkManager_t, NetworkManager_exec_t)
+#wicd
+can_exec(NetworkManager_t, wpa_cli_exec_t)
+
+list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
@@ -68,30 +102,30 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
+can_exec(NetworkManager_t, NetworkManager_tmp_t)
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
manage_dirs_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
-files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, dir)
+manage_lnk_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, { dir file lnk_file })
manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
-can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
-
-kernel_read_crypto_sysctls(NetworkManager_t)
kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
kernel_request_load_module(NetworkManager_t)
kernel_read_debugfs(NetworkManager_t)
kernel_rw_net_sysctls(NetworkManager_t)
+kernel_dontaudit_setsched(NetworkManager_t)
+kernel_signull(NetworkManager_t)
-corenet_all_recvfrom_unlabeled(NetworkManager_t)
corenet_all_recvfrom_netlabel(NetworkManager_t)
corenet_tcp_sendrecv_generic_if(NetworkManager_t)
corenet_udp_sendrecv_generic_if(NetworkManager_t)
@@ -102,36 +136,24 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
corenet_tcp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_bind_generic_node(NetworkManager_t)
-
-corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
corenet_udp_bind_isakmp_port(NetworkManager_t)
-
-corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
corenet_udp_bind_dhcpc_port(NetworkManager_t)
-
-corenet_sendrecv_all_client_packets(NetworkManager_t)
corenet_tcp_connect_all_ports(NetworkManager_t)
-
+corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
+corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
+corenet_sendrecv_all_client_packets(NetworkManager_t)
corenet_rw_tun_tap_dev(NetworkManager_t)
corenet_getattr_ppp_dev(NetworkManager_t)
-corecmd_exec_shell(NetworkManager_t)
-corecmd_exec_bin(NetworkManager_t)
-
+dev_access_check_sysfs(NetworkManager_t)
dev_rw_sysfs(NetworkManager_t)
+dev_write_sysfs_dirs(NetworkManager_t)
dev_read_rand(NetworkManager_t)
dev_read_urand(NetworkManager_t)
dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
dev_getattr_all_chr_files(NetworkManager_t)
dev_rw_wireless(NetworkManager_t)
-domain_use_interactive_fds(NetworkManager_t)
-domain_read_all_domains_state(NetworkManager_t)
-
-files_read_etc_runtime_files(NetworkManager_t)
-files_read_usr_files(NetworkManager_t)
-files_read_usr_src_files(NetworkManager_t)
-
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
fs_list_inotifyfs(NetworkManager_t)
@@ -140,18 +162,36 @@ mls_file_read_all_levels(NetworkManager_t)
selinux_dontaudit_search_fs(NetworkManager_t)
+corecmd_exec_shell(NetworkManager_t)
+corecmd_exec_bin(NetworkManager_t)
+
+domain_use_interactive_fds(NetworkManager_t)
+domain_read_all_domains_state(NetworkManager_t)
+
+files_read_etc_runtime_files(NetworkManager_t)
+files_read_system_conf_files(NetworkManager_t)
+files_read_usr_src_files(NetworkManager_t)
+files_read_isid_type_files(NetworkManager_t)
+
storage_getattr_fixed_disk_dev(NetworkManager_t)
+term_open_unallocated_ttys(NetworkManager_t)
+
init_read_utmp(NetworkManager_t)
init_dontaudit_write_utmp(NetworkManager_t)
init_domtrans_script(NetworkManager_t)
+init_signull_script(NetworkManager_t)
+init_signal_script(NetworkManager_t)
+init_sigkill_script(NetworkManager_t)
auth_use_nsswitch(NetworkManager_t)
+libs_exec_ldconfig(NetworkManager_t)
+
logging_send_syslog_msg(NetworkManager_t)
+logging_send_audit_msgs(NetworkManager_t)
miscfiles_read_generic_certs(NetworkManager_t)
-miscfiles_read_localization(NetworkManager_t)
seutil_read_config(NetworkManager_t)
@@ -166,21 +206,37 @@ sysnet_kill_dhcpc(NetworkManager_t)
sysnet_read_dhcpc_state(NetworkManager_t)
sysnet_delete_dhcpc_state(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
+# in /etc created by NetworkManager will be labelled net_conf_t.
sysnet_manage_config(NetworkManager_t)
-sysnet_etc_filetrans_config(NetworkManager_t)
+sysnet_filetrans_named_content(NetworkManager_t)
+sysnet_filetrans_net_conf(NetworkManager_t)
-# certificates in user home directories (cert_home_t in ~/\.pki)
-userdom_read_user_home_content_files(NetworkManager_t)
+systemd_machined_read_pid_files(NetworkManager_t)
-userdom_write_user_tmp_sockets(NetworkManager_t)
+term_use_unallocated_ttys(NetworkManager_t)
+
+userdom_stream_connect(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
userdom_dontaudit_use_user_ttys(NetworkManager_t)
+# Read gnome-keyring
+userdom_read_home_certs(NetworkManager_t)
+userdom_read_user_home_content_files(NetworkManager_t)
+userdom_dgram_send(NetworkManager_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(NetworkManager_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(NetworkManager_t)
+')
optional_policy(`
avahi_domtrans(NetworkManager_t)
avahi_kill(NetworkManager_t)
avahi_signal(NetworkManager_t)
avahi_signull(NetworkManager_t)
+ avahi_dbus_chat(NetworkManager_t)
')
optional_policy(`
@@ -196,10 +252,6 @@ optional_policy(`
')
optional_policy(`
- consolekit_read_pid_files(NetworkManager_t)
-')
-
-optional_policy(`
consoletype_exec(NetworkManager_t)
')
@@ -210,31 +262,34 @@ optional_policy(`
optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
- optional_policy(`
- avahi_dbus_chat(NetworkManager_t)
- ')
+ init_dbus_chat(NetworkManager_t)
optional_policy(`
consolekit_dbus_chat(NetworkManager_t)
- ')
-
- optional_policy(`
- policykit_dbus_chat(NetworkManager_t)
+ consolekit_read_pid_files(NetworkManager_t)
')
')
optional_policy(`
dnsmasq_read_pid_files(NetworkManager_t)
+ dnsmasq_dbus_chat(NetworkManager_t)
dnsmasq_delete_pid_files(NetworkManager_t)
dnsmasq_domtrans(NetworkManager_t)
dnsmasq_initrc_domtrans(NetworkManager_t)
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
+ dnsmasq_systemctl(NetworkManager_t)
+')
+
+optional_policy(`
+ dnssec_trigger_domtrans(NetworkManager_t)
+ dnssec_trigger_signull(NetworkManager_t)
+ dnssec_trigger_sigkill(NetworkManager_t)
')
optional_policy(`
- gnome_stream_connect_all_gkeyringd(NetworkManager_t)
+ fcoe_dgram_send_fcoemon(NetworkManager_t)
')
optional_policy(`
@@ -246,10 +301,26 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_search_config(NetworkManager_t)
+')
+
+optional_policy(`
+ iscsid_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
+ iodined_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
ipsec_domtrans_mgmt(NetworkManager_t)
ipsec_kill_mgmt(NetworkManager_t)
ipsec_signal_mgmt(NetworkManager_t)
ipsec_signull_mgmt(NetworkManager_t)
+ ipsec_domtrans(NetworkManager_t)
+ ipsec_kill(NetworkManager_t)
+ ipsec_signal(NetworkManager_t)
+ ipsec_signull(NetworkManager_t)
')
optional_policy(`
@@ -257,15 +328,19 @@ optional_policy(`
')
optional_policy(`
- libs_exec_ldconfig(NetworkManager_t)
+ l2tpd_domtrans(NetworkManager_t)
+ l2tpd_sigkill(NetworkManager_t)
+ l2tpd_signal(NetworkManager_t)
+ l2tpd_signull(NetworkManager_t)
')
optional_policy(`
- modutils_domtrans_insmod(NetworkManager_t)
+ lldpad_dgram_send(NetworkManager_t)
')
optional_policy(`
netutils_exec_ping(NetworkManager_t)
+ netutils_exec(NetworkManager_t)
')
optional_policy(`
@@ -274,10 +349,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
+ nscd_systemctl(NetworkManager_t)
')
optional_policy(`
+ # Dispatcher starting and stoping ntp
ntp_initrc_domtrans(NetworkManager_t)
+ ntp_systemctl(NetworkManager_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(NetworkManager_t)
')
optional_policy(`
@@ -286,9 +368,12 @@ optional_policy(`
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
openvpn_signull(NetworkManager_t)
+ openvpn_stream_connect(NetworkManager_t)
+ openvpn_noatsecure(NetworkManager_t)
')
optional_policy(`
+ policykit_dbus_chat(NetworkManager_t)
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
@@ -296,7 +381,7 @@ optional_policy(`
')
optional_policy(`
- polipo_initrc_domtrans(NetworkManager_t)
+ polipo_systemctl(NetworkManager_t)
')
optional_policy(`
@@ -307,6 +392,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
+ ppp_systemctl(NetworkManager_t)
')
optional_policy(`
@@ -320,14 +406,21 @@ optional_policy(`
')
optional_policy(`
- udev_exec(NetworkManager_t)
- udev_read_db(NetworkManager_t)
- udev_read_pid_files(NetworkManager_t)
+ systemd_write_inhibit_pipes(NetworkManager_t)
+ systemd_read_logind_sessions_files(NetworkManager_t)
+ systemd_dbus_chat_logind(NetworkManager_t)
+ systemd_dbus_chat_hostnamed(NetworkManager_t)
+ systemd_hostnamed_manage_config(NetworkManager_t)
')
optional_policy(`
- # unconfined_dgram_send(NetworkManager_t)
- unconfined_stream_connect(NetworkManager_t)
+ ssh_exec(NetworkManager_t)
+')
+
+optional_policy(`
+ udev_exec(NetworkManager_t)
+ udev_read_db(NetworkManager_t)
+ udev_read_pid_files(NetworkManager_t)
')
optional_policy(`
@@ -338,12 +431,23 @@ optional_policy(`
vpn_relabelfrom_tun_socket(NetworkManager_t)
')
+optional_policy(`
+ openfortivpn_domtrans(NetworkManager_t)
+ openfortivpn_sigkill(NetworkManager_t)
+ openfortivpn_signal(NetworkManager_t)
+ openfortivpn_signull(NetworkManager_t)
+')
+
+optional_policy(`
+ openvswitch_stream_connect(NetworkManager_t)
+')
+
########################################
#
# wpa_cli local policy
#
-allow wpa_cli_t self:capability dac_override;
+allow wpa_cli_t self:capability { dac_read_search };
allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
@@ -357,6 +461,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
-miscfiles_read_localization(wpa_cli_t)
-
term_dontaudit_use_console(wpa_cli_t)
diff --git a/ninfod.fc b/ninfod.fc
new file mode 100644
index 000000000..cc31b9f27
--- /dev/null
+++ b/ninfod.fc
@@ -0,0 +1,6 @@
+/usr/lib/systemd/system/ninfod.* -- gen_context(system_u:object_r:ninfod_unit_file_t,s0)
+
+/usr/sbin/ninfod -- gen_context(system_u:object_r:ninfod_exec_t,s0)
+
+/var/run/ninfod.* -- gen_context(system_u:object_r:ninfod_run_t,s0)
+
diff --git a/ninfod.if b/ninfod.if
new file mode 100644
index 000000000..409de8c3e
--- /dev/null
+++ b/ninfod.if
@@ -0,0 +1,80 @@
+
+## <summary>Respond to IPv6 Node Information Queries</summary>
+
+########################################
+## <summary>
+## Execute ninfod in the ninfod domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ninfod_domtrans',`
+ gen_require(`
+ type ninfod_t, ninfod_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ninfod_exec_t, ninfod_t)
+')
+########################################
+## <summary>
+## Execute ninfod server in the ninfod domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ninfod_systemctl',`
+ gen_require(`
+ type ninfod_t;
+ type ninfod_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 ninfod_unit_file_t:file read_file_perms;
+ allow $1 ninfod_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ninfod_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ninfod environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ninfod_admin',`
+ gen_require(`
+ type ninfod_t;
+ type ninfod_unit_file_t;
+ ')
+
+ allow $1 ninfod_t:process { signal_perms };
+ ps_process_pattern($1, ninfod_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ninfod_t:process ptrace;
+ ')
+
+ ninfod_systemctl($1)
+ admin_pattern($1, ninfod_unit_file_t)
+ allow $1 ninfod_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/ninfod.te b/ninfod.te
new file mode 100644
index 000000000..b3aa3ce13
--- /dev/null
+++ b/ninfod.te
@@ -0,0 +1,36 @@
+policy_module(ninfod, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ninfod_t;
+type ninfod_exec_t;
+init_daemon_domain(ninfod_t, ninfod_exec_t)
+
+type ninfod_run_t;
+files_pid_file(ninfod_run_t)
+
+type ninfod_unit_file_t;
+systemd_unit_file(ninfod_unit_file_t)
+
+########################################
+#
+# ninfod local policy
+#
+allow ninfod_t self:capability { net_raw setuid };
+allow ninfod_t self:process setcap;
+allow ninfod_t self:fifo_file rw_fifo_file_perms;
+allow ninfod_t self:rawip_socket { create setopt };
+allow ninfod_t self:unix_stream_socket create_stream_socket_perms;
+allow ninfod_t self:rawip_socket read;
+
+manage_files_pattern(ninfod_t, ninfod_run_t, ninfod_run_t)
+files_pid_filetrans(ninfod_t,ninfod_run_t, { file })
+
+auth_use_nsswitch(ninfod_t)
+
+logging_send_syslog_msg(ninfod_t)
+
+sysnet_dns_name_resolve(ninfod_t)
diff --git a/nis.fc b/nis.fc
index 8aa1bfa28..cd0e015f8 100644
--- a/nis.fc
+++ b/nis.fc
@@ -2,21 +2,26 @@
/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
-
/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0)
-/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
+/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
-/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+/usr/sbin/rpc\.yppasswdd\.env -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
/usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
/usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
-/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
+/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
/var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)
/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
+
+/usr/lib/systemd/system/ypbind.* -- gen_context(system_u:object_r:ypbind_unit_file_t,s0)
+/usr/lib/systemd/system/ypserv.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
+/usr/lib/systemd/system/yppasswdd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
+/usr/lib/systemd/system/ypxfrd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
diff --git a/nis.if b/nis.if
index 46e55c3ff..afe399a0e 100644
--- a/nis.if
+++ b/nis.if
@@ -1,4 +1,4 @@
-## <summary>Policy for NIS (YP) servers and clients.</summary>
+## <summary>Policy for NIS (YP) servers and clients</summary>
########################################
## <summary>
@@ -27,18 +27,15 @@ interface(`nis_use_ypbind_uncond',`
gen_require(`
type var_yp_t;
')
-
- allow $1 self:capability net_bind_service;
+ dontaudit $1 self:capability net_bind_service;
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 self:udp_socket create_socket_perms;
allow $1 var_yp_t:dir list_dir_perms;
- allow $1 var_yp_t:file read_file_perms;
allow $1 var_yp_t:lnk_file read_lnk_file_perms;
+ allow $1 var_yp_t:file read_file_perms;
- corenet_all_recvfrom_unlabeled($1)
- corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
@@ -49,14 +46,11 @@ interface(`nis_use_ypbind_uncond',`
corenet_udp_bind_generic_node($1)
corenet_tcp_bind_generic_port($1)
corenet_udp_bind_generic_port($1)
- corenet_dontaudit_tcp_bind_all_reserved_ports($1)
- corenet_dontaudit_udp_bind_all_reserved_ports($1)
corenet_dontaudit_tcp_bind_all_ports($1)
corenet_dontaudit_udp_bind_all_ports($1)
corenet_tcp_connect_portmap_port($1)
- corenet_tcp_connect_reserved_port($1)
+ corenet_tcp_connect_all_reserved_ports($1)
corenet_tcp_connect_generic_port($1)
- corenet_dontaudit_tcp_connect_all_ports($1)
corenet_sendrecv_portmap_client_packets($1)
corenet_sendrecv_generic_client_packets($1)
corenet_sendrecv_generic_server_packets($1)
@@ -88,14 +82,14 @@ interface(`nis_use_ypbind_uncond',`
## <rolecap/>
#
interface(`nis_use_ypbind',`
- tunable_policy(`allow_ypbind',`
+ tunable_policy(`nis_enabled',`
nis_use_ypbind_uncond($1)
')
')
########################################
## <summary>
-## Use nis to authenticate passwords.
+## Use the nis to authenticate passwords
## </summary>
## <param name="domain">
## <summary>
@@ -105,7 +99,7 @@ interface(`nis_use_ypbind',`
## <rolecap/>
#
interface(`nis_authenticate',`
- tunable_policy(`allow_ypbind',`
+ tunable_policy(`nis_enabled',`
nis_use_ypbind_uncond($1)
corenet_tcp_bind_all_rpc_ports($1)
corenet_udp_bind_all_rpc_ports($1)
@@ -133,20 +127,19 @@ interface(`nis_domtrans_ypbind',`
#######################################
## <summary>
-## Execute ypbind in the caller domain.
+## Execute ypbind in the caller domain.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed to transition.
+## </summary>
## </param>
#
interface(`nis_exec_ypbind',`
- gen_require(`
- type ypbind_exec_t;
- ')
+ gen_require(`
+ type ypbind_t, ypbind_exec_t;
+ ')
- corecmd_search_bin($1)
can_exec($1, ypbind_exec_t)
')
@@ -169,11 +162,11 @@ interface(`nis_exec_ypbind',`
#
interface(`nis_run_ypbind',`
gen_require(`
- attribute_role ypbind_roles;
+ type ypbind_t;
')
nis_domtrans_ypbind($1)
- roleattribute $2 ypbind_roles;
+ role $2 types ypbind_t;
')
########################################
@@ -196,7 +189,7 @@ interface(`nis_signal_ypbind',`
########################################
## <summary>
-## List nis data directories.
+## List the contents of the NIS data directory.
## </summary>
## <param name="domain">
## <summary>
@@ -272,10 +265,11 @@ interface(`nis_read_ypbind_pid',`
#
interface(`nis_delete_ypbind_pid',`
gen_require(`
- type ypbind_var_run_t;
+ type ypbind_t;
')
- allow $1 ypbind_var_run_t:file delete_file_perms;
+ # TODO: add delete pid from dir call to files
+ allow $1 ypbind_t:file unlink;
')
########################################
@@ -355,8 +349,59 @@ interface(`nis_initrc_domtrans_ypbind',`
########################################
## <summary>
-## All of the rules required to
-## administrate an nis environment.
+## Execute ypbind server in the ypbind domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nis_systemctl_ypbind',`
+ gen_require(`
+ type ypbind_unit_file_t;
+ type ypbind_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 ypbind_unit_file_t:file read_file_perms;
+ allow $1 ypbind_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ypbind_t)
+')
+
+########################################
+## <summary>
+## Execute ypbind server in the ypbind domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nis_systemctl',`
+ gen_require(`
+ type nis_unit_file_t, ypbind_unit_file_t;
+ type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 nis_unit_file_t:file read_file_perms;
+ allow $1 nis_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ypbind_t)
+ ps_process_pattern($1, yppasswdd_t)
+ ps_process_pattern($1, ypserv_t)
+ ps_process_pattern($1, ypxfr_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an nis environment
## </summary>
## <param name="domain">
## <summary>
@@ -372,32 +417,56 @@ interface(`nis_initrc_domtrans_ypbind',`
#
interface(`nis_admin',`
gen_require(`
- type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
- type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t;
+ type ypbind_t, yppasswdd_t, ypserv_t;
+ type ypserv_conf_t;
type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
- type ypbind_initrc_exec_t, nis_initrc_exec_t, var_yp_t;
+ type ypserv_tmp_t;
+ type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t;
+ type nis_unit_file_t;
+ type ypbind_unit_file_t;
+ ')
+
+ allow $1 ypbind_t:process signal_perms;
+ ps_process_pattern($1, ypbind_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ypbind_t:process ptrace;
+ allow $1 yppasswdd_t:process ptrace;
+ allow $1 ypserv_t:process ptrace;
+ allow $1 ypxfr_t:process ptrace;
')
- allow $1 { ypbind_t yppasswdd_t ypserv_t ypxfr_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { ypbind_t yppasswdd_t ypserv_t ypxfr_t })
+ allow $1 yppasswdd_t:process signal_perms;
+ ps_process_pattern($1, yppasswdd_t)
+
+ allow $1 ypserv_t:process signal_perms;
+ ps_process_pattern($1, ypserv_t)
+
+ allow $1 ypxfr_t:process signal_perms;
+ ps_process_pattern($1, ypxfr_t)
nis_initrc_domtrans($1)
nis_initrc_domtrans_ypbind($1)
domain_system_change_exemption($1)
- role_transition $2 { nis_initrc_exec_t ypbind_initrc_exec_t } system_r;
+ role_transition $2 nis_initrc_exec_t system_r;
+ role_transition $2 ypbind_initrc_exec_t system_r;
allow $2 system_r;
- files_list_tmp($1)
- admin_pattern($1, { ypserv_tmp_t ypbind_tmp_t })
-
files_list_pids($1)
- admin_pattern($1, { ypserv_var_run_t ypbind_var_run_t yppasswdd_var_run_t })
+ admin_pattern($1, ypbind_var_run_t)
+ nis_systemctl_ypbind($1)
+ admin_pattern($1, ypbind_unit_file_t)
+ allow $1 ypbind_unit_file_t:service all_service_perms;
+
+ admin_pattern($1, yppasswdd_var_run_t)
files_list_etc($1)
admin_pattern($1, ypserv_conf_t)
- files_search_var($1)
- admin_pattern($1, var_yp_t)
+ admin_pattern($1, ypserv_var_run_t)
+
+ admin_pattern($1, ypserv_tmp_t)
- nis_run_ypbind($1, $2)
+ nis_systemctl($1)
+ admin_pattern($1, nis_unit_file_t)
+ allow $1 nis_unit_file_t:service all_service_perms;
')
diff --git a/nis.te b/nis.te
index 3a6b0352e..062e20c8c 100644
--- a/nis.te
+++ b/nis.te
@@ -5,8 +5,6 @@ policy_module(nis, 1.12.0)
# Declarations
#
-attribute_role ypbind_roles;
-
type nis_initrc_exec_t;
init_script_file(nis_initrc_exec_t)
@@ -16,16 +14,18 @@ files_type(var_yp_t)
type ypbind_t;
type ypbind_exec_t;
init_daemon_domain(ypbind_t, ypbind_exec_t)
-role ypbind_roles types ypbind_t;
type ypbind_initrc_exec_t;
init_script_file(ypbind_initrc_exec_t)
+type ypbind_var_run_t;
+files_pid_file(ypbind_var_run_t)
+
type ypbind_tmp_t;
files_tmp_file(ypbind_tmp_t)
-type ypbind_var_run_t;
-files_pid_file(ypbind_var_run_t)
+type ypbind_unit_file_t;
+systemd_unit_file(ypbind_unit_file_t)
type yppasswdd_t;
type yppasswdd_exec_t;
@@ -40,7 +40,7 @@ type ypserv_exec_t;
init_daemon_domain(ypserv_t, ypserv_exec_t)
type ypserv_conf_t;
-files_type(ypserv_conf_t)
+files_config_file(ypserv_conf_t)
type ypserv_tmp_t;
files_tmp_file(ypserv_tmp_t)
@@ -55,6 +55,9 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t)
type ypxfr_var_run_t;
files_pid_file(ypxfr_var_run_t)
+type nis_unit_file_t;
+systemd_unit_file(nis_unit_file_t)
+
########################################
#
# ypbind local policy
@@ -62,6 +65,7 @@ files_pid_file(ypxfr_var_run_t)
dontaudit ypbind_t self:capability { net_admin sys_tty_config };
allow ypbind_t self:fifo_file rw_fifo_file_perms;
allow ypbind_t self:process signal_perms;
+allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
allow ypbind_t self:tcp_socket create_stream_socket_perms;
allow ypbind_t self:udp_socket create_socket_perms;
@@ -78,7 +82,6 @@ manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
kernel_read_system_state(ypbind_t)
kernel_read_kernel_sysctls(ypbind_t)
-corenet_all_recvfrom_unlabeled(ypbind_t)
corenet_all_recvfrom_netlabel(ypbind_t)
corenet_tcp_sendrecv_generic_if(ypbind_t)
corenet_udp_sendrecv_generic_if(ypbind_t)
@@ -88,7 +91,6 @@ corenet_tcp_sendrecv_all_ports(ypbind_t)
corenet_udp_sendrecv_all_ports(ypbind_t)
corenet_tcp_bind_generic_node(ypbind_t)
corenet_udp_bind_generic_node(ypbind_t)
-
corenet_tcp_bind_generic_port(ypbind_t)
corenet_udp_bind_generic_port(ypbind_t)
corenet_tcp_bind_reserved_port(ypbind_t)
@@ -96,11 +98,10 @@ corenet_udp_bind_reserved_port(ypbind_t)
corenet_tcp_bind_all_rpc_ports(ypbind_t)
corenet_udp_bind_all_rpc_ports(ypbind_t)
corenet_tcp_connect_all_ports(ypbind_t)
-corenet_sendrecv_all_client_packets(ypbind_t)
-corenet_sendrecv_generic_server_packets(ypbind_t)
-
corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
+corenet_sendrecv_all_client_packets(ypbind_t)
+corenet_sendrecv_generic_server_packets(ypbind_t)
dev_read_sysfs(ypbind_t)
@@ -109,12 +110,11 @@ fs_search_auto_mountpoints(ypbind_t)
domain_use_interactive_fds(ypbind_t)
-files_read_etc_files(ypbind_t)
files_list_var(ypbind_t)
-logging_send_syslog_msg(ypbind_t)
+init_search_pid_dirs(ypbind_t)
-miscfiles_read_localization(ypbind_t)
+logging_send_syslog_msg(ypbind_t)
sysnet_read_config(ypbind_t)
@@ -124,7 +124,6 @@ userdom_dontaudit_search_user_home_dirs(ypbind_t)
optional_policy(`
dbus_system_bus_client(ypbind_t)
dbus_connect_system_bus(ypbind_t)
-
init_dbus_chat_script(ypbind_t)
optional_policy(`
@@ -145,11 +144,12 @@ optional_policy(`
# yppasswdd local policy
#
-allow yppasswdd_t self:capability dac_override;
+allow yppasswdd_t self:capability { dac_read_search };
dontaudit yppasswdd_t self:capability sys_tty_config;
allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
allow yppasswdd_t self:process { getsched setfscreate signal_perms };
-allow yppasswdd_t self:unix_stream_socket { accept listen };
+allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
+allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
allow yppasswdd_t self:tcp_socket create_stream_socket_perms;
allow yppasswdd_t self:udp_socket create_socket_perms;
@@ -160,14 +160,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
-can_exec(yppasswdd_t, yppasswdd_exec_t)
+can_exec(yppasswdd_t,yppasswdd_exec_t)
kernel_list_proc(yppasswdd_t)
kernel_read_proc_symlinks(yppasswdd_t)
kernel_getattr_proc_files(yppasswdd_t)
kernel_read_kernel_sysctls(yppasswdd_t)
-corenet_all_recvfrom_unlabeled(yppasswdd_t)
corenet_all_recvfrom_netlabel(yppasswdd_t)
corenet_tcp_sendrecv_generic_if(yppasswdd_t)
corenet_udp_sendrecv_generic_if(yppasswdd_t)
@@ -177,23 +176,13 @@ corenet_tcp_sendrecv_all_ports(yppasswdd_t)
corenet_udp_sendrecv_all_ports(yppasswdd_t)
corenet_tcp_bind_generic_node(yppasswdd_t)
corenet_udp_bind_generic_node(yppasswdd_t)
-
corenet_tcp_bind_all_rpc_ports(yppasswdd_t)
corenet_udp_bind_all_rpc_ports(yppasswdd_t)
-corenet_sendrecv_generic_server_packets(yppasswdd_t)
-
corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
+corenet_sendrecv_generic_server_packets(yppasswdd_t)
-corecmd_exec_bin(yppasswdd_t)
-corecmd_exec_shell(yppasswdd_t)
-
-domain_use_interactive_fds(yppasswdd_t)
-
-files_read_etc_files(yppasswdd_t)
-files_read_etc_runtime_files(yppasswdd_t)
-files_relabel_etc_files(yppasswdd_t)
-
+dev_read_urand(yppasswdd_t)
dev_read_sysfs(yppasswdd_t)
fs_getattr_all_fs(yppasswdd_t)
@@ -202,12 +191,20 @@ fs_search_auto_mountpoints(yppasswdd_t)
selinux_get_fs_mount(yppasswdd_t)
auth_manage_shadow(yppasswdd_t)
+auth_manage_passwd(yppasswdd_t)
auth_relabel_shadow(yppasswdd_t)
auth_etc_filetrans_shadow(yppasswdd_t)
+corecmd_exec_bin(yppasswdd_t)
+corecmd_exec_shell(yppasswdd_t)
+
+domain_use_interactive_fds(yppasswdd_t)
+
+files_read_etc_runtime_files(yppasswdd_t)
+files_relabel_etc_files(yppasswdd_t)
+
logging_send_syslog_msg(yppasswdd_t)
-miscfiles_read_localization(yppasswdd_t)
sysnet_read_config(yppasswdd_t)
@@ -219,6 +216,14 @@ optional_policy(`
')
optional_policy(`
+ mta_send_mail(yppasswdd_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(yppasswdd_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(yppasswdd_t)
')
@@ -234,7 +239,8 @@ optional_policy(`
dontaudit ypserv_t self:capability sys_tty_config;
allow ypserv_t self:fifo_file rw_fifo_file_perms;
allow ypserv_t self:process signal_perms;
-allow ypserv_t self:unix_stream_socket { accept listen };
+allow ypserv_t self:unix_dgram_socket create_socket_perms;
+allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
allow ypserv_t self:tcp_socket connected_stream_socket_perms;
allow ypserv_t self:udp_socket create_socket_perms;
@@ -254,7 +260,6 @@ kernel_read_kernel_sysctls(ypserv_t)
kernel_list_proc(ypserv_t)
kernel_read_proc_symlinks(ypserv_t)
-corenet_all_recvfrom_unlabeled(ypserv_t)
corenet_all_recvfrom_netlabel(ypserv_t)
corenet_tcp_sendrecv_generic_if(ypserv_t)
corenet_udp_sendrecv_generic_if(ypserv_t)
@@ -264,31 +269,28 @@ corenet_tcp_sendrecv_all_ports(ypserv_t)
corenet_udp_sendrecv_all_ports(ypserv_t)
corenet_tcp_bind_generic_node(ypserv_t)
corenet_udp_bind_generic_node(ypserv_t)
-
corenet_tcp_bind_reserved_port(ypserv_t)
corenet_udp_bind_reserved_port(ypserv_t)
corenet_tcp_bind_all_rpc_ports(ypserv_t)
corenet_udp_bind_all_rpc_ports(ypserv_t)
-corenet_sendrecv_generic_server_packets(ypserv_t)
-
corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
+corenet_sendrecv_generic_server_packets(ypserv_t)
+corenet_tcp_connect_portmap_port(ypserv_t)
-corecmd_exec_bin(ypserv_t)
+dev_read_sysfs(ypserv_t)
-files_read_etc_files(ypserv_t)
-files_read_var_files(ypserv_t)
+fs_getattr_all_fs(ypserv_t)
+fs_search_auto_mountpoints(ypserv_t)
-dev_read_sysfs(ypserv_t)
+corecmd_exec_bin(ypserv_t)
domain_use_interactive_fds(ypserv_t)
-fs_getattr_all_fs(ypserv_t)
-fs_search_auto_mountpoints(ypserv_t)
+files_read_var_files(ypserv_t)
logging_send_syslog_msg(ypserv_t)
-miscfiles_read_localization(ypserv_t)
nis_domtrans_ypxfr(ypserv_t)
@@ -310,8 +312,8 @@ optional_policy(`
# ypxfr local policy
#
-allow ypxfr_t self:unix_stream_socket { accept listen };
-allow ypxfr_t self:unix_dgram_socket { accept listen };
+allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
+allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms;
allow ypxfr_t self:tcp_socket create_stream_socket_perms;
allow ypxfr_t self:udp_socket create_socket_perms;
allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;
@@ -326,7 +328,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
-corenet_all_recvfrom_unlabeled(ypxfr_t)
corenet_all_recvfrom_netlabel(ypxfr_t)
corenet_tcp_sendrecv_generic_if(ypxfr_t)
corenet_udp_sendrecv_generic_if(ypxfr_t)
@@ -336,23 +337,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t)
corenet_udp_sendrecv_all_ports(ypxfr_t)
corenet_tcp_bind_generic_node(ypxfr_t)
corenet_udp_bind_generic_node(ypxfr_t)
-
corenet_tcp_bind_reserved_port(ypxfr_t)
corenet_udp_bind_reserved_port(ypxfr_t)
corenet_tcp_bind_all_rpc_ports(ypxfr_t)
corenet_udp_bind_all_rpc_ports(ypxfr_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
corenet_tcp_connect_all_ports(ypxfr_t)
corenet_sendrecv_generic_server_packets(ypxfr_t)
corenet_sendrecv_all_client_packets(ypxfr_t)
-corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
-corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
-
-files_read_etc_files(ypxfr_t)
files_search_usr(ypxfr_t)
logging_send_syslog_msg(ypxfr_t)
-miscfiles_read_localization(ypxfr_t)
sysnet_read_config(ypxfr_t)
diff --git a/nova.fc b/nova.fc
new file mode 100644
index 000000000..b5fab0e6a
--- /dev/null
+++ b/nova.fc
@@ -0,0 +1,25 @@
+/usr/bin/nova-ajax-console-proxy -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-console.* -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-direct-api -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-api -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-cert -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-conductor -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr//bin/nova-api-metadata -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-network -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-objectstore -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-scheduler -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-vncproxy -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-volume -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-xvpvncproxy -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-cells -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-novncproxy -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-serialproxy -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-api-metadata -- gen_context(system_u:object_r:nova_exec_t,s0)
+
+/usr/lib/systemd/system/openstack-nova-* -- gen_context(system_u:object_r:nova_unit_file_t,s0)
+
+/var/lib/nova(/.*)? gen_context(system_u:object_r:nova_var_lib_t,s0)
+
+/var/log/nova(/.*)? gen_context(system_u:object_r:nova_log_t,s0)
+
+/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0)
diff --git a/nova.if b/nova.if
new file mode 100644
index 000000000..e32832705
--- /dev/null
+++ b/nova.if
@@ -0,0 +1,47 @@
+## <summary>openstack-nova</summary>
+
+######################################
+## <summary>
+## Manage nova lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nova_manage_lib_files',`
+ gen_require(`
+ type nova_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, nova_var_lib_t, nova_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Creates types and rules for a basic
+## openstack-nova systemd daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`nova_domain_template',`
+ gen_require(`
+ type nova_t;
+ type nova_exec_t;
+ type nova_unit_file_t;
+ type nova_tmp_t;
+
+ ')
+
+ typealias nova_t alias nova_$1_t;
+ typealias nova_exec_t alias nova_$1_exec_t;
+ typealias nova_unit_file_t alias nova_$1_unit_file_t;
+ typealias nova_tmp_t alias nova_$1_tmp_t;
+
+')
diff --git a/nova.te b/nova.te
new file mode 100644
index 000000000..7b45d90d5
--- /dev/null
+++ b/nova.te
@@ -0,0 +1,203 @@
+policy_module(nova, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+#
+# nova-stack daemons contain security issue with using sudo in the code
+# we make this policy as unconfined until this issue is fixed
+#
+
+attribute nova_domain;
+attribute nova_sudo_domain;
+
+nova_domain_template(ajax)
+nova_domain_template(api)
+nova_domain_template(cert)
+nova_domain_template(conductor)
+nova_domain_template(compute)
+nova_domain_template(console)
+nova_domain_template(direct)
+nova_domain_template(network)
+nova_domain_template(objectstore)
+nova_domain_template(scheduler)
+nova_domain_template(vncproxy)
+nova_domain_template(volume)
+
+typeattribute nova_api_t nova_sudo_domain;
+typeattribute nova_cert_t nova_sudo_domain;
+typeattribute nova_console_t nova_sudo_domain;
+typeattribute nova_network_t nova_sudo_domain;
+typeattribute nova_volume_t nova_sudo_domain;
+
+type nova_t;
+type nova_exec_t;
+init_daemon_domain(nova_t, nova_exec_t)
+typeattribute nova_t nova_domain;
+
+type nova_unit_file_t;
+systemd_unit_file(nova_unit_file_t)
+
+type nova_tmp_t;
+files_tmp_file(nova_tmp_t)
+
+manage_dirs_pattern(nova_t, nova_tmp_t, nova_tmp_t)
+manage_files_pattern(nova_t, nova_tmp_t, nova_tmp_t)
+manage_lnk_files_pattern(nova_t, nova_tmp_t, nova_tmp_t)
+files_tmp_filetrans(nova_t, nova_tmp_t, { lnk_file file dir })
+fs_tmpfs_filetrans(nova_t, nova_tmp_t, { lnk_file file dir })
+can_exec(nova_t, nova_tmp_t)
+
+type nova_log_t;
+logging_log_file(nova_log_t)
+
+type nova_var_lib_t;
+files_type(nova_var_lib_t)
+
+type nova_var_run_t;
+files_pid_file(nova_var_run_t)
+
+
+######################################
+#
+# nova general domain local policy
+#
+
+allow nova_domain self:capability { dac_read_search net_admin net_bind_service };
+allow nova_domain self:process { getcap setcap signal_perms setfscreate };
+allow nova_domain self:fifo_file rw_fifo_file_perms;
+allow nova_domain self:tcp_socket create_stream_socket_perms;
+allow nova_domain self:unix_stream_socket create_stream_socket_perms;
+allow nova_domain self:udp_socket create_socket_perms;
+allow nova_domain self:key write;
+allow nova_domain self:netlink_route_socket r_netlink_socket_perms;
+
+manage_dirs_pattern(nova_domain, nova_log_t, nova_log_t)
+manage_files_pattern(nova_domain, nova_log_t, nova_log_t)
+
+manage_dirs_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t)
+manage_files_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t)
+
+manage_dirs_pattern(nova_domain, nova_var_run_t, nova_var_run_t)
+manage_files_pattern(nova_domain, nova_var_run_t, nova_var_run_t)
+
+kernel_read_network_state(nova_domain)
+kernel_read_kernel_sysctls(nova_domain)
+
+kernel_read_system_state(nova_t)
+
+logging_send_syslog_msg(nova_t)
+
+miscfiles_read_generic_certs(nova_t)
+
+corecmd_exec_bin(nova_domain)
+corecmd_exec_shell(nova_domain)
+
+corenet_tcp_bind_generic_node(nova_domain)
+corenet_udp_bind_generic_node(nova_domain)
+# should be add to booleans
+corenet_tcp_connect_all_ports(nova_domain)
+corenet_tcp_bind_all_unreserved_ports(nova_domain)
+corenet_tcp_connect_mysqld_port(nova_domain)
+corenet_tcp_connect_amqp_port(nova_domain)
+corenet_tcp_connect_mysqld_port(nova_domain)
+corenet_tcp_connect_memcache_port(nova_domain)
+corenet_tcp_bind_varnishd_port(nova_domain)
+# should be added to boolean or fixed in the code
+# dnsmasq domtrans does not work since then dnsmasq_t wants
+# to do some stuff with nova_lib, nova_tmp
+# nova-dhcpbridge runs in dnsmasq domain
+corenet_all_recvfrom_netlabel(nova_t)
+corenet_tcp_sendrecv_generic_if(nova_domain)
+corenet_udp_sendrecv_generic_if(nova_domain)
+corenet_raw_sendrecv_generic_if(nova_domain)
+corenet_tcp_sendrecv_generic_node(nova_domain)
+corenet_udp_sendrecv_generic_node(nova_domain)
+corenet_raw_sendrecv_generic_node(nova_domain)
+corenet_tcp_sendrecv_all_ports(nova_domain)
+corenet_udp_sendrecv_all_ports(nova_domain)
+corenet_tcp_bind_dns_port(nova_domain)
+corenet_udp_bind_all_ports(nova_domain)
+corenet_sendrecv_dns_server_packets(nova_domain)
+corenet_sendrecv_dhcpd_server_packets(nova_domain)
+
+auth_use_nsswitch(nova_t)
+auth_read_passwd(nova_domain)
+
+dev_read_sysfs(nova_domain)
+dev_read_urand(nova_domain)
+dev_read_rand(nova_domain)
+
+fs_getattr_all_fs(nova_domain)
+
+init_read_utmp(nova_domain)
+
+libs_exec_ldconfig(nova_domain)
+
+optional_policy(`
+ apache_search_config(nova_domain)
+')
+
+optional_policy(`
+ mysql_stream_connect(nova_domain)
+ mysql_read_db_lnk_files(nova_domain)
+')
+
+optional_policy(`
+ postgresql_stream_connect(nova_domain)
+')
+
+optional_policy(`
+ sysnet_read_config(nova_domain)
+ sysnet_domtrans_ifconfig(nova_domain)
+')
+
+optional_policy(`
+ iptables_domtrans(nova_domain)
+')
+
+optional_policy(`
+ ssh_exec_keygen(nova_domain)
+')
+
+optional_policy(`
+ gnome_dontaudit_search_config(nova_domain)
+')
+
+optional_policy(`
+ virt_getattr_exec(nova_domain)
+ virt_stream_connect(nova_domain)
+')
+
+optional_policy(`
+ brctl_domtrans(nova_domain)
+')
+
+optional_policy(`
+ dnsmasq_exec(nova_domain)
+')
+
+optional_policy(`
+ lvm_domtrans(nova_domain)
+')
+
+optional_policy(`
+ lvm_domtrans(nova_domain)
+')
+
+#######################################
+#
+# nova sudo domain local policy
+#
+
+ifdef(`hide_broken_symptoms',`
+ optional_policy(`
+ sudo_exec(nova_sudo_domain)
+ allow nova_sudo_domain self:capability { setuid sys_resource setgid audit_write };
+ allow nova_sudo_domain self:process { setsched setrlimit };
+ logging_send_audit_msgs(nova_sudo_domain)
+ ')
+')
+
diff --git a/nscd.fc b/nscd.fc
index ba6448507..429bd799c 100644
--- a/nscd.fc
+++ b/nscd.fc
@@ -1,13 +1,15 @@
/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
-/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
+/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
-/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
-
-/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
/var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0)
-/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
/var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0)
/var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
diff --git a/nscd.if b/nscd.if
index 8f2ab09f5..8ca8a6f26 100644
--- a/nscd.if
+++ b/nscd.if
@@ -1,8 +1,8 @@
-## <summary>Name service cache daemon.</summary>
+## <summary>Name service cache daemon</summary>
########################################
## <summary>
-## Send generic signals to nscd.
+## Send generic signals to NSCD.
## </summary>
## <param name="domain">
## <summary>
@@ -20,7 +20,7 @@ interface(`nscd_signal',`
########################################
## <summary>
-## Send kill signals to nscd.
+## Send NSCD the kill signal.
## </summary>
## <param name="domain">
## <summary>
@@ -38,7 +38,7 @@ interface(`nscd_kill',`
########################################
## <summary>
-## Send null signals to nscd.
+## Send signulls to NSCD.
## </summary>
## <param name="domain">
## <summary>
@@ -56,7 +56,7 @@ interface(`nscd_signull',`
########################################
## <summary>
-## Execute nscd in the nscd domain.
+## Execute NSCD in the nscd domain.
## </summary>
## <param name="domain">
## <summary>
@@ -75,7 +75,8 @@ interface(`nscd_domtrans',`
########################################
## <summary>
-## Execute nscd in the caller domain.
+## Allow the specified domain to execute nscd
+## in the caller domain.
## </summary>
## <param name="domain">
## <summary>
@@ -88,14 +89,13 @@ interface(`nscd_exec',`
type nscd_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, nscd_exec_t)
')
########################################
## <summary>
-## Use nscd services by connecting using
-## a unix domain stream socket.
+## Use NSCD services by connecting using
+## a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -112,22 +112,17 @@ interface(`nscd_socket_use',`
allow $1 self:unix_stream_socket create_socket_perms;
allow $1 nscd_t:nscd { getpwd getgrp gethost };
-
dontaudit $1 nscd_t:fd use;
dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
-
files_search_pids($1)
stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
dontaudit $1 nscd_var_run_t:file read_file_perms;
-
ps_process_pattern(nscd_t, $1)
')
########################################
## <summary>
-## Use nscd services by mapping the
-## database from an inherited nscd
-## file descriptor.
+## Use nscd services
## </summary>
## <param name="domain">
## <summary>
@@ -135,28 +130,38 @@ interface(`nscd_socket_use',`
## </summary>
## </param>
#
-interface(`nscd_shm_use',`
+interface(`nscd_use',`
+ tunable_policy(`nscd_use_shm',`
+ nscd_shm_use($1)
+ ',`
+ nscd_socket_use($1)
+ ')
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write nscd sock files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`nscd_dontaudit_write_sock_file',`
gen_require(`
type nscd_t, nscd_var_run_t;
- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
')
- allow $1 self:unix_stream_socket create_stream_socket_perms;
-
- allow $1 nscd_t:nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
- allow $1 nscd_t:fd use;
-
- files_search_pids($1)
- stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
- dontaudit $1 nscd_var_run_t:file read_file_perms;
+ dontaudit $1 nscd_t:sock_file write;
+ dontaudit $1 nscd_var_run_t:sock_file write;
- allow $1 nscd_var_run_t:dir list_dir_perms;
- allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
')
########################################
## <summary>
-## Use nscd services.
+## Use NSCD services by mapping the database from
+## an inherited NSCD file descriptor.
## </summary>
## <param name="domain">
## <summary>
@@ -164,18 +169,34 @@ interface(`nscd_shm_use',`
## </summary>
## </param>
#
-interface(`nscd_use',`
- tunable_policy(`nscd_use_shm',`
- nscd_shm_use($1)
- ',`
- nscd_socket_use($1)
+interface(`nscd_shm_use',`
+ gen_require(`
+ type nscd_t, nscd_var_run_t;
+ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv shmemnetgrp getnetgrp };
')
+
+ allow $1 nscd_var_run_t:dir list_dir_perms;
+ allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost shmemserv shmemnetgrp};
+ # Receive fd from nscd and map the backing file with read access.
+ allow $1 nscd_t:fd use;
+
+ # cjp: these were originally inherited from the
+ # nscd_socket_domain macro. need to investigate
+ # if they are all actually required
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+
+ # dg: This may not be required.
+ allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
+
+ stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
+ files_search_pids($1)
+ allow $1 nscd_t:nscd { getpwd getgrp gethost getserv getnetgrp };
+ dontaudit $1 nscd_var_run_t:file read_file_perms;
')
########################################
## <summary>
-## Do not audit attempts to search
-## nscd pid directories.
+## Do not audit attempts to search the NSCD pid directory.
## </summary>
## <param name="domain">
## <summary>
@@ -193,7 +214,25 @@ interface(`nscd_dontaudit_search_pid',`
########################################
## <summary>
-## Read nscd pid files.
+## Do not audit attempts to read the NSCD pid directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`nscd_dontaudit_read_pid',`
+ gen_require(`
+ type nscd_var_run_t;
+ ')
+
+ dontaudit $1 nscd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read NSCD pid file.
## </summary>
## <param name="domain">
## <summary>
@@ -212,7 +251,7 @@ interface(`nscd_read_pid',`
########################################
## <summary>
-## Unconfined access to nscd services.
+## Unconfined access to NSCD services.
## </summary>
## <param name="domain">
## <summary>
@@ -244,20 +283,20 @@ interface(`nscd_unconfined',`
## Role allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`nscd_run',`
gen_require(`
- attribute_role nscd_roles;
+ type nscd_t;
')
nscd_domtrans($1)
- roleattribute $2 nscd_roles;
+ role $2 types nscd_t;
')
########################################
## <summary>
-## Execute the nscd server init
-## script in the initrc domain.
+## Execute the nscd server init script.
## </summary>
## <param name="domain">
## <summary>
@@ -275,8 +314,32 @@ interface(`nscd_initrc_domtrans',`
########################################
## <summary>
-## All of the rules required to
-## administrate an nscd environment.
+## Execute nscd server in the nscd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nscd_systemctl',`
+ gen_require(`
+ type nscd_unit_file_t;
+ type nscd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 nscd_unit_file_t:file read_file_perms;
+ allow $1 nscd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, nscd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an nscd environment
## </summary>
## <param name="domain">
## <summary>
@@ -285,7 +348,7 @@ interface(`nscd_initrc_domtrans',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the nscd domain.
## </summary>
## </param>
## <rolecap/>
@@ -294,10 +357,14 @@ interface(`nscd_admin',`
gen_require(`
type nscd_t, nscd_log_t, nscd_var_run_t;
type nscd_initrc_exec_t;
+ type nscd_unit_file_t;
')
- allow $1 nscd_t:process { ptrace signal_perms };
+ allow $1 nscd_t:process signal_perms;
ps_process_pattern($1, nscd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 nscd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, nscd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -310,5 +377,7 @@ interface(`nscd_admin',`
files_list_pids($1)
admin_pattern($1, nscd_var_run_t)
- nscd_run($1, $2)
+ nscd_systemctl($1)
+ admin_pattern($1, nscd_unit_file_t)
+ allow $1 nscd_unit_file_t:service all_service_perms;
')
diff --git a/nscd.te b/nscd.te
index bcd7d0a7d..9b397fdd7 100644
--- a/nscd.te
+++ b/nscd.te
@@ -4,33 +4,34 @@ gen_require(`
class nscd all_nscd_perms;
')
-########################################
-#
-# Declarations
-#
-
## <desc>
## <p>
-## Determine whether confined applications
-## can use nscd shared memory.
+## Allow confined applications to use nscd shared memory.
## </p>
## </desc>
gen_tunable(nscd_use_shm, false)
-attribute_role nscd_roles;
+########################################
+#
+# Declarations
+#
+# cjp: this is out of order because of an
+# ordering problem with loadable modules
type nscd_var_run_t;
files_pid_file(nscd_var_run_t)
-init_daemon_run_dir(nscd_var_run_t, "nscd")
+# nscd is both the client program and the daemon.
type nscd_t;
type nscd_exec_t;
init_daemon_domain(nscd_t, nscd_exec_t)
-role nscd_roles types nscd_t;
type nscd_initrc_exec_t;
init_script_file(nscd_initrc_exec_t)
+type nscd_unit_file_t;
+systemd_unit_file(nscd_unit_file_t)
+
type nscd_log_t;
logging_log_file(nscd_log_t)
@@ -40,56 +41,59 @@ logging_log_file(nscd_log_t)
#
allow nscd_t self:capability { kill setgid setuid };
+allow nscd_t self:capability2 block_suspend;
dontaudit nscd_t self:capability sys_tty_config;
allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
allow nscd_t self:fifo_file read_fifo_file_perms;
-allow nscd_t self:unix_stream_socket { accept listen };
+allow nscd_t self:unix_stream_socket create_stream_socket_perms;
+allow nscd_t self:unix_dgram_socket create_socket_perms;
allow nscd_t self:netlink_selinux_socket create_socket_perms;
+allow nscd_t self:tcp_socket create_socket_perms;
+allow nscd_t self:udp_socket create_socket_perms;
+# For client program operation, invoked from sysadm_t.
+# Transition occurs to nscd_t due to direct_sysadm_daemon.
allow nscd_t self:nscd { admin getstat };
-allow nscd_t nscd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow nscd_t nscd_log_t:file manage_file_perms;
logging_log_filetrans(nscd_t, nscd_log_t, file)
+manage_dirs_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
-files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
+files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file dir })
+corecmd_search_bin(nscd_t)
can_exec(nscd_t, nscd_exec_t)
-kernel_list_proc(nscd_t)
-kernel_read_kernel_sysctls(nscd_t)
kernel_read_network_state(nscd_t)
+kernel_read_kernel_sysctls(nscd_t)
+kernel_search_network_sysctl(nscd_t)
+kernel_list_proc(nscd_t)
kernel_read_proc_symlinks(nscd_t)
-corecmd_search_bin(nscd_t)
-
dev_read_sysfs(nscd_t)
dev_read_rand(nscd_t)
dev_read_urand(nscd_t)
-domain_search_all_domains_state(nscd_t)
-domain_use_interactive_fds(nscd_t)
-
-files_read_generic_tmp_symlinks(nscd_t)
-files_read_etc_runtime_files(nscd_t)
-
fs_getattr_all_fs(nscd_t)
fs_search_auto_mountpoints(nscd_t)
fs_list_inotifyfs(nscd_t)
+# for when /etc/passwd has just been updated and has the wrong type
auth_getattr_shadow(nscd_t)
auth_use_nsswitch(nscd_t)
-corenet_all_recvfrom_unlabeled(nscd_t)
corenet_all_recvfrom_netlabel(nscd_t)
corenet_tcp_sendrecv_generic_if(nscd_t)
+corenet_udp_sendrecv_generic_if(nscd_t)
corenet_tcp_sendrecv_generic_node(nscd_t)
-
-corenet_sendrecv_all_client_packets(nscd_t)
-corenet_tcp_connect_all_ports(nscd_t)
+corenet_udp_sendrecv_generic_node(nscd_t)
corenet_tcp_sendrecv_all_ports(nscd_t)
-
+corenet_udp_sendrecv_all_ports(nscd_t)
+corenet_udp_bind_generic_node(nscd_t)
+corenet_tcp_connect_all_ports(nscd_t)
+corenet_sendrecv_all_client_packets(nscd_t)
corenet_rw_tun_tap_dev(nscd_t)
selinux_get_fs_mount(nscd_t)
@@ -98,16 +102,23 @@ selinux_compute_access_vector(nscd_t)
selinux_compute_create_context(nscd_t)
selinux_compute_relabel_context(nscd_t)
selinux_compute_user_contexts(nscd_t)
+domain_use_interactive_fds(nscd_t)
+domain_search_all_domains_state(nscd_t)
+
+files_read_generic_tmp_symlinks(nscd_t)
+# Needed to read files created by firstboot "/etc/hesiod.conf"
+files_read_etc_runtime_files(nscd_t)
logging_send_audit_msgs(nscd_t)
logging_send_syslog_msg(nscd_t)
-miscfiles_read_localization(nscd_t)
seutil_read_config(nscd_t)
seutil_read_default_contexts(nscd_t)
seutil_sigchld_newrole(nscd_t)
+sysnet_read_config(nscd_t)
+
userdom_dontaudit_use_user_terminals(nscd_t)
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
userdom_dontaudit_search_user_home_dirs(nscd_t)
@@ -121,13 +132,11 @@ optional_policy(`
')
optional_policy(`
- tunable_policy(`samba_domain_controller',`
- samba_append_log(nscd_t)
- samba_dontaudit_use_fds(nscd_t)
- ')
+ kerberos_use(nscd_t)
+')
- samba_read_config(nscd_t)
- samba_read_var_files(nscd_t)
+optional_policy(`
+ nis_authenticate(nscd_t)
')
optional_policy(`
@@ -138,3 +147,20 @@ optional_policy(`
xen_dontaudit_rw_unix_stream_sockets(nscd_t)
xen_append_log(nscd_t)
')
+
+optional_policy(`
+ tunable_policy(`samba_domain_controller',`
+ samba_append_log(nscd_t)
+ samba_dontaudit_use_fds(nscd_t)
+ ')
+')
+
+optional_policy(`
+ samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t)
+ samba_stream_connect_nmbd(nscd_t)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_packet_sockets(nscd_t)
+')
diff --git a/nsd.fc b/nsd.fc
index 4f2b1b663..0e24b49a9 100644
--- a/nsd.fc
+++ b/nsd.fc
@@ -1,16 +1,19 @@
-/etc/rc\.d/init\.d/nsd -- gen_context(system_u:object_r:nsd_initrc_exec_t,s0)
-/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0)
-/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
-/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
+/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0)
+/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_zone_t,s0)
+/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
/etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
-/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
-/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
/usr/sbin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0)
-/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
-
-/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
-/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
+/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsd-checkconf -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsd-checkzone -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsd-control -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsd-control-setup -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
/var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0)
+
+/var/log/nsd\.log.* -- gen_context(system_u:object_r:nsd_log_t,s0)
diff --git a/nsd.if b/nsd.if
index a9c60ff87..ad4f14ad6 100644
--- a/nsd.if
+++ b/nsd.if
@@ -1,8 +1,8 @@
-## <summary>Authoritative only name server.</summary>
+## <summary>Authoritative only name server</summary>
########################################
## <summary>
-## Send and receive datagrams from NSD. (Deprecated)
+## Read NSD pid file.
## </summary>
## <param name="domain">
## <summary>
@@ -10,13 +10,18 @@
## </summary>
## </param>
#
-interface(`nsd_udp_chat',`
- refpolicywarn(`$0($*) has been deprecated.')
+interface(`nsd_read_pid',`
+ gen_require(`
+ type nsd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, nsd_var_run_t, nsd_var_run_t)
')
########################################
## <summary>
-## Connect to NSD over a TCP socket (Deprecated)
+## Send and receive datagrams from NSD. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -24,47 +29,20 @@ interface(`nsd_udp_chat',`
## </summary>
## </param>
#
-interface(`nsd_tcp_connect',`
+interface(`nsd_udp_chat',`
refpolicywarn(`$0($*) has been deprecated.')
')
########################################
## <summary>
-## All of the rules required to
-## administrate an nsd environment.
+## Connect to NSD over a TCP socket (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
#
-interface(`nsd_admin',`
- gen_require(`
- type nsd_t, nsd_conf_t, nsd_var_run_t;
- type nsd_initrc_exec_t, nsd_db_t, nsd_zone_t;
- ')
-
- allow $1 nsd_t:process { ptrace signal_perms };
- ps_process_pattern($1, nsd_t)
-
- init_labeled_script_domtrans($1, nsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nsd_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_etc($1)
- admin_pattern($1, { nsd_conf_t nsd_db_t })
-
- files_search_var_lib($1)
- admin_pattern($1, nsd_zone_t)
-
- files_list_pids($1)
- admin_pattern($1, nsd_var_run_t)
+interface(`nsd_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
')
diff --git a/nsd.te b/nsd.te
index 47bb1d204..bd2b122ae 100644
--- a/nsd.te
+++ b/nsd.te
@@ -9,9 +9,7 @@ type nsd_t;
type nsd_exec_t;
init_daemon_domain(nsd_t, nsd_exec_t)
-type nsd_initrc_exec_t;
-init_script_file(nsd_initrc_exec_t)
-
+# A type for configuration files of nsd
type nsd_conf_t;
files_type(nsd_conf_t)
@@ -20,40 +18,51 @@ domain_type(nsd_crond_t)
domain_entry_file(nsd_crond_t, nsd_exec_t)
role system_r types nsd_crond_t;
-type nsd_db_t;
-files_type(nsd_db_t)
+type nsd_log_t;
+logging_log_file(nsd_log_t)
type nsd_var_run_t;
files_pid_file(nsd_var_run_t)
-type nsd_zone_t;
+# A type for zone files
+type nsd_zone_t alias nsd_db_t;
files_type(nsd_zone_t)
+type nsd_tmp_t;
+files_tmp_file(nsd_tmp_t)
+
########################################
#
-# Local policy
+# NSD Local policy
#
-allow nsd_t self:capability { chown dac_override kill setgid setuid };
+allow nsd_t self:capability { chown dac_read_search kill setgid setuid net_admin };
dontaudit nsd_t self:capability sys_tty_config;
allow nsd_t self:process signal_perms;
+allow nsd_t self:tcp_socket create_stream_socket_perms;
+allow nsd_t self:udp_socket create_socket_perms;
allow nsd_t self:fifo_file rw_fifo_file_perms;
-allow nsd_t self:tcp_socket { accept listen };
-allow nsd_t nsd_conf_t:dir list_dir_perms;
-allow nsd_t nsd_conf_t:file read_file_perms;
-allow nsd_t nsd_conf_t:lnk_file read_lnk_file_perms;
-
-allow nsd_t nsd_db_t:file manage_file_perms;
-filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)
+manage_dirs_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
+manage_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
+read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
files_pid_filetrans(nsd_t, nsd_var_run_t, file)
+manage_files_pattern(nsd_t, nsd_log_t, nsd_log_t)
+logging_log_filetrans(nsd_t, nsd_log_t, file)
+
manage_dirs_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
manage_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
files_var_lib_filetrans(nsd_t, nsd_zone_t, dir)
+allow nsd_t nsd_zone_t:file { map } ;
+
+manage_dirs_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t)
+manage_files_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t)
+files_tmp_filetrans(nsd_t, nsd_tmp_t, { file dir })
+allow nsd_t nsd_tmp_t:file { map } ;
can_exec(nsd_t, nsd_exec_t)
@@ -62,7 +71,6 @@ kernel_read_kernel_sysctls(nsd_t)
corecmd_exec_bin(nsd_t)
-corenet_all_recvfrom_unlabeled(nsd_t)
corenet_all_recvfrom_netlabel(nsd_t)
corenet_tcp_sendrecv_generic_if(nsd_t)
corenet_udp_sendrecv_generic_if(nsd_t)
@@ -72,16 +80,20 @@ corenet_tcp_sendrecv_all_ports(nsd_t)
corenet_udp_sendrecv_all_ports(nsd_t)
corenet_tcp_bind_generic_node(nsd_t)
corenet_udp_bind_generic_node(nsd_t)
-
-corenet_sendrecv_dns_server_packets(nsd_t)
corenet_tcp_bind_dns_port(nsd_t)
corenet_udp_bind_dns_port(nsd_t)
+corenet_sendrecv_dns_server_packets(nsd_t)
+corenet_tcp_bind_nsd_control_port(nsd_t)
+corenet_sendrecv_nsd_control_server_packets(nsd_t)
+corenet_tcp_connect_nsd_control_port(nsd_t)
dev_read_sysfs(nsd_t)
+dev_read_urand(nsd_t)
domain_use_interactive_fds(nsd_t)
files_read_etc_runtime_files(nsd_t)
+files_search_var_lib(nsd_t)
fs_getattr_all_fs(nsd_t)
fs_search_auto_mountpoints(nsd_t)
@@ -90,8 +102,6 @@ auth_use_nsswitch(nsd_t)
logging_send_syslog_msg(nsd_t)
-miscfiles_read_localization(nsd_t)
-
userdom_dontaudit_use_unpriv_user_fds(nsd_t)
userdom_dontaudit_search_user_home_dirs(nsd_t)
@@ -105,23 +115,24 @@ optional_policy(`
########################################
#
-# Cron local policy
+# Zone update cron job local policy
#
-allow nsd_crond_t self:capability { dac_override kill };
+# kill capability for root cron job and non-root daemon
+allow nsd_crond_t self:capability { dac_read_search kill };
dontaudit nsd_crond_t self:capability sys_nice;
allow nsd_crond_t self:process { setsched signal_perms };
allow nsd_crond_t self:fifo_file rw_fifo_file_perms;
+allow nsd_crond_t self:tcp_socket create_socket_perms;
+allow nsd_crond_t self:udp_socket create_socket_perms;
-allow nsd_crond_t nsd_t:process signal;
-ps_process_pattern(nsd_crond_t, nsd_t)
-
-allow nsd_crond_t nsd_conf_t:dir list_dir_perms;
allow nsd_crond_t nsd_conf_t:file read_file_perms;
-allow nsd_crond_t nsd_conf_t:lnk_file read_lnk_file_perms;
-allow nsd_crond_t nsd_db_t:file manage_file_perms;
-filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file)
+files_search_var_lib(nsd_crond_t)
+
+allow nsd_crond_t nsd_t:process signal;
+
+ps_process_pattern(nsd_crond_t, nsd_t)
manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t)
filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
@@ -133,29 +144,33 @@ kernel_read_system_state(nsd_crond_t)
corecmd_exec_bin(nsd_crond_t)
corecmd_exec_shell(nsd_crond_t)
-corenet_all_recvfrom_unlabeled(nsd_crond_t)
corenet_all_recvfrom_netlabel(nsd_crond_t)
corenet_tcp_sendrecv_generic_if(nsd_crond_t)
+corenet_udp_sendrecv_generic_if(nsd_crond_t)
corenet_tcp_sendrecv_generic_node(nsd_crond_t)
-
-corenet_sendrecv_all_client_packets(nsd_crond_t)
-corenet_tcp_connect_all_ports(nsd_crond_t)
+corenet_udp_sendrecv_generic_node(nsd_crond_t)
corenet_tcp_sendrecv_all_ports(nsd_crond_t)
+corenet_udp_sendrecv_all_ports(nsd_crond_t)
+corenet_tcp_connect_all_ports(nsd_crond_t)
+corenet_sendrecv_all_client_packets(nsd_crond_t)
dev_read_urand(nsd_crond_t)
domain_dontaudit_read_all_domains_state(nsd_crond_t)
files_read_etc_runtime_files(nsd_crond_t)
+files_search_var_lib(nsd_t)
auth_use_nsswitch(nsd_crond_t)
logging_send_syslog_msg(nsd_crond_t)
-miscfiles_read_localization(nsd_crond_t)
-
userdom_dontaudit_search_user_home_dirs(nsd_crond_t)
optional_policy(`
+ nsd_read_pid(nsd_crond_t)
+')
+
+optional_policy(`
cron_system_entry(nsd_crond_t, nsd_exec_t)
')
diff --git a/nslcd.fc b/nslcd.fc
index 402100e40..ce913b244 100644
--- a/nslcd.fc
+++ b/nslcd.fc
@@ -1,7 +1,4 @@
-/etc/nss-ldapd\.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
-
-/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
-
-/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
-
-/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
+/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
+/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
+/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
+/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
diff --git a/nslcd.if b/nslcd.if
index 97df768d9..852d1c6c7 100644
--- a/nslcd.if
+++ b/nslcd.if
@@ -1,4 +1,4 @@
-## <summary>Local LDAP name service daemon.</summary>
+## <summary>nslcd - local LDAP name service daemon.</summary>
########################################
## <summary>
@@ -15,7 +15,6 @@ interface(`nslcd_domtrans',`
type nslcd_t, nslcd_exec_t;
')
- corecmd_searh_bin($1)
domtrans_pattern($1, nslcd_exec_t, nslcd_t)
')
@@ -39,7 +38,7 @@ interface(`nslcd_initrc_domtrans',`
########################################
## <summary>
-## Read nslcd pid files.
+## Read nslcd PID files.
## </summary>
## <param name="domain">
## <summary>
@@ -58,8 +57,25 @@ interface(`nslcd_read_pid_files',`
########################################
## <summary>
-## Connect to nslcd over an unix
-## domain stream socket.
+## Dontaudit write to nslcd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nslcd_dontaudit_write_ock_file',`
+ gen_require(`
+ type nslcd_var_run_t;
+ ')
+
+ dontaudit $1 nslcd_var_run_t:sock_file write;
+')
+
+########################################
+## <summary>
+## Connect to nslcd over an unix stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -72,14 +88,33 @@ interface(`nslcd_stream_connect',`
type nslcd_t, nslcd_var_run_t;
')
- files_search_pids($1)
stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t)
+ files_search_pids($1)
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to write nslcd sock files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`nslcd_dontaudit_write_sock_file',`
+ gen_require(`
+ type nslcd_t, nslcd_var_run_t;
+ ')
+
+ dontaudit $1 nslcd_t:sock_file write;
+ dontaudit $1 nslcd_var_run_t:sock_file write;
')
########################################
## <summary>
-## All of the rules required to
-## administrate an nslcd environment.
+## All of the rules required to administrate
+## an nslcd environment
## </summary>
## <param name="domain">
## <summary>
@@ -99,17 +134,21 @@ interface(`nslcd_admin',`
type nslcd_conf_t;
')
- allow $1 nslcd_t:process { ptrace signal_perms };
ps_process_pattern($1, nslcd_t)
+ allow $1 nslcd_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 nslcd_t:process ptrace;
+ ')
+ # Allow nslcd_t to restart the apache service
nslcd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 nslcd_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, nslcd_conf_t)
- files_search_pids($1)
- admin_pattern($1, nslcd_var_run_t)
+ files_list_pids($1)
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
')
diff --git a/nslcd.te b/nslcd.te
index 421bf1a56..7b7c4a983 100644
--- a/nslcd.te
+++ b/nslcd.te
@@ -20,12 +20,12 @@ files_config_file(nslcd_conf_t)
########################################
#
-# Local policy
+# nslcd local policy
#
-allow nslcd_t self:capability { setgid setuid dac_override };
-allow nslcd_t self:process signal;
-allow nslcd_t self:unix_stream_socket { accept listen };
+allow nslcd_t self:capability { chown dac_read_search setgid setuid sys_nice };
+allow nslcd_t self:process { setsched signal signull };
+allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
allow nslcd_t nslcd_conf_t:file read_file_perms;
@@ -36,16 +36,17 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
kernel_read_system_state(nslcd_t)
+dev_read_sysfs(nslcd_t)
+
corenet_all_recvfrom_unlabeled(nslcd_t)
corenet_all_recvfrom_netlabel(nslcd_t)
-corenet_tcp_sendrecv_generic_if(nslcd_t)
-corenet_tcp_sendrecv_generic_node(nslcd_t)
-
-corenet_sendrecv_ldap_client_packets(nslcd_t)
corenet_tcp_connect_ldap_port(nslcd_t)
-corenet_tcp_sendrecv_ldap_port(nslcd_t)
+corenet_sendrecv_ldap_client_packets(nslcd_t)
dev_read_sysfs(nslcd_t)
+dev_read_urand(nslcd_t)
+
+corecmd_exec_bin(nslcd_t)
files_read_usr_symlinks(nslcd_t)
files_list_tmp(nslcd_t)
@@ -54,10 +55,13 @@ auth_use_nsswitch(nslcd_t)
logging_send_syslog_msg(nslcd_t)
-miscfiles_read_localization(nslcd_t)
-
userdom_read_user_tmp_files(nslcd_t)
optional_policy(`
+ dirsrv_stream_connect(nslcd_t)
+')
+
+optional_policy(`
ldap_stream_connect(nslcd_t)
')
+
diff --git a/nsplugin.fc b/nsplugin.fc
new file mode 100644
index 000000000..22e6c963c
--- /dev/null
+++ b/nsplugin.fc
@@ -0,0 +1,11 @@
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+
+/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/bin/nspluginviewer -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
+/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff --git a/nsplugin.if b/nsplugin.if
new file mode 100644
index 000000000..bceb5271e
--- /dev/null
+++ b/nsplugin.if
@@ -0,0 +1,474 @@
+
+## <summary>policy for nsplugin</summary>
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## nsplugin rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_manage_rw_files',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ allow $1 nsplugin_rw_t:file manage_file_perms;
+ allow $1 nsplugin_rw_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+## Manage nsplugin rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_manage_rw',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+ manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+ manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+')
+
+#######################################
+## <summary>
+## The per role template for the nsplugin module.
+## </summary>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`nsplugin_role_notrans',`
+ gen_require(`
+ type nsplugin_rw_t;
+ type nsplugin_home_t;
+ type nsplugin_exec_t;
+ type nsplugin_config_exec_t;
+ type nsplugin_t;
+ type nsplugin_config_t;
+ class x_drawable all_x_drawable_perms;
+ class x_resource all_x_resource_perms;
+ class dbus send_msg;
+ ')
+
+ role $1 types nsplugin_t;
+ role $1 types nsplugin_config_t;
+
+ allow nsplugin_t $2:process signull;
+ allow nsplugin_t $2:dbus send_msg;
+ allow $2 nsplugin_t:dbus send_msg;
+
+ list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ can_exec($2, nsplugin_rw_t)
+
+ #Leaked File Descriptors
+ifdef(`hide_broken_symptoms', `
+ dontaudit nsplugin_t $2:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit nsplugin_config_t $2:fifo_file rw_inherited_fifo_file_perms;
+')
+ allow nsplugin_t $2:unix_stream_socket connectto;
+ dontaudit nsplugin_t $2:process ptrace;
+ allow nsplugin_t $2:sem rw_sem_perms;
+ allow nsplugin_t $2:shm rw_shm_perms;
+ dontaudit nsplugin_t $2:shm destroy;
+ allow $2 nsplugin_t:sem rw_sem_perms;
+
+ allow $2 nsplugin_t:process { getattr signal_perms };
+ allow $2 nsplugin_t:unix_stream_socket connectto;
+
+ # Connect to pulseaudit server
+ stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
+ optional_policy(`
+ gnome_stream_connect(nsplugin_t, $2)
+ ')
+
+ userdom_use_inherited_user_terminals(nsplugin_t)
+ userdom_use_inherited_user_terminals(nsplugin_config_t)
+ userdom_dontaudit_setattr_user_home_content_files(nsplugin_t)
+ userdom_manage_tmp_role($1, nsplugin_t)
+
+ optional_policy(`
+ pulseaudio_role($1, nsplugin_t)
+ ')
+')
+
+#######################################
+## <summary>
+## Role access for nsplugin
+## </summary>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`nsplugin_role',`
+ gen_require(`
+ type nsplugin_exec_t;
+ type nsplugin_config_exec_t;
+ type nsplugin_t;
+ type nsplugin_config_t;
+ ')
+
+ nsplugin_role_notrans($1, $2)
+
+ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
+ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
+
+')
+
+#######################################
+## <summary>
+## The per role template for the nsplugin module.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`nsplugin_domtrans',`
+ gen_require(`
+ type nsplugin_exec_t;
+ type nsplugin_t;
+ ')
+
+ domtrans_pattern($1, nsplugin_exec_t, nsplugin_t)
+ allow $1 nsplugin_t:unix_stream_socket connectto;
+ allow nsplugin_t $1:process signal;
+')
+
+#######################################
+## <summary>
+## The per role template for the nsplugin module.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`nsplugin_domtrans_config',`
+ gen_require(`
+ type nsplugin_config_exec_t;
+ type nsplugin_config_t;
+ ')
+
+ domtrans_pattern($1, nsplugin_config_exec_t, nsplugin_config_t)
+')
+
+########################################
+## <summary>
+## Search nsplugin rw directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_search_rw_dir',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ allow $1 nsplugin_rw_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read nsplugin rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_read_rw_files',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ list_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+ read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+ read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+')
+
+########################################
+## <summary>
+## Read nsplugin home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_read_home',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ list_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
+ read_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
+ read_lnk_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+## <summary>
+## Exec nsplugin rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_rw_exec',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ can_exec($1, nsplugin_rw_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## nsplugin home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_manage_home_files',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ manage_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+## <summary>
+## manage nnsplugin home dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_manage_home_dirs',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ manage_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+## <summary>
+## Allow attempts to read and write to
+## nsplugin named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`nsplugin_rw_pipes',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write to nsplugin shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_rw_shm',`
+ gen_require(`
+ type nsplugin_t;
+ ')
+
+ allow $1 nsplugin_t:shm rw_shm_perms;
+')
+
+#####################################
+## <summary>
+## Allow read and write access to nsplugin semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_rw_semaphores',`
+ gen_require(`
+ type nsplugin_t;
+ ')
+
+ allow $1 nsplugin_t:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+## Execute nsplugin_exec_t
+## in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a nsplugin_exec_t
+## in the specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`nsplugin_exec_domtrans',`
+ gen_require(`
+ type nsplugin_exec_t;
+ ')
+
+ allow $2 nsplugin_exec_t:file entrypoint;
+ domtrans_pattern($1, nsplugin_exec_t, $2)
+')
+
+########################################
+## <summary>
+## Send generic signals to user nsplugin processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_signal',`
+ gen_require(`
+ type nsplugin_t;
+ ')
+
+ allow $1 nsplugin_t:process signal;
+')
+
+########################################
+## <summary>
+## Create objects in a user home directory
+## with an automatic type transition to
+## the nsplugin home file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`nsplugin_user_home_dir_filetrans',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, nsplugin_home_t, $2)
+')
+
+#######################################
+## <summary>
+## Create objects in a user home directory
+## with an automatic type transition to
+## the nsplugin home file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`nsplugin_user_home_filetrans',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ userdom_user_home_content_filetrans($1, nsplugin_home_t, $2)
+')
+
+########################################
+## <summary>
+## Send signull signal to nsplugin
+## processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_signull',`
+ gen_require(`
+ type nsplugin_t;
+ ')
+
+ allow $1 nsplugin_t:process signull;
+')
diff --git a/nsplugin.te b/nsplugin.te
new file mode 100644
index 000000000..69a09ce2a
--- /dev/null
+++ b/nsplugin.te
@@ -0,0 +1,318 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow nsplugin code to execmem/execstack
+## </p>
+## </desc>
+gen_tunable(nsplugin_execmem, false)
+
+## <desc>
+## <p>
+## Allow nsplugin code to connect to unreserved ports
+## </p>
+## </desc>
+gen_tunable(nsplugin_can_network, true)
+
+type nsplugin_exec_t;
+application_executable_file(nsplugin_exec_t)
+
+type nsplugin_config_exec_t;
+application_executable_file(nsplugin_config_exec_t)
+
+type nsplugin_rw_t;
+files_poly_member(nsplugin_rw_t)
+files_type(nsplugin_rw_t)
+
+type nsplugin_tmp_t;
+files_tmp_file(nsplugin_tmp_t)
+
+type nsplugin_home_t;
+files_poly_member(nsplugin_home_t)
+userdom_user_home_content(nsplugin_home_t)
+typealias nsplugin_home_t alias user_nsplugin_home_t;
+
+type nsplugin_t;
+application_domain(nsplugin_t, nsplugin_exec_t)
+
+type nsplugin_config_t;
+domain_type(nsplugin_config_t)
+domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t)
+
+########################################
+#
+# nsplugin local policy
+#
+dontaudit nsplugin_t self:capability { sys_nice sys_tty_config };
+allow nsplugin_t self:fifo_file rw_file_perms;
+allow nsplugin_t self:process { setpgid getsched setsched signal_perms };
+
+allow nsplugin_t self:sem create_sem_perms;
+allow nsplugin_t self:shm create_shm_perms;
+allow nsplugin_t self:msgq create_msgq_perms;
+allow nsplugin_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow nsplugin_t self:unix_dgram_socket { sendto create_socket_perms };
+allow nsplugin_t self:tcp_socket create_stream_socket_perms;
+allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
+read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
+read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
+
+tunable_policy(`nsplugin_execmem',`
+ allow nsplugin_t self:process { execstack execmem };
+ allow nsplugin_config_t self:process { execstack execmem };
+')
+
+tunable_policy(`nsplugin_can_network',`
+ corenet_tcp_connect_all_unreserved_ports(nsplugin_t)
+ corenet_tcp_connect_all_ephemeral_ports(nsplugin_t)
+')
+
+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+userdom_user_home_dir_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
+userdom_user_home_content_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
+userdom_dontaudit_getattr_user_home_content(nsplugin_t)
+userdom_dontaudit_search_user_bin_dirs(nsplugin_t)
+userdom_dontaudit_write_user_home_content_files(nsplugin_t)
+userdom_dontaudit_search_admin_dir(nsplugin_t)
+
+corecmd_exec_bin(nsplugin_t)
+corecmd_exec_shell(nsplugin_t)
+
+corenet_all_recvfrom_netlabel(nsplugin_t)
+corenet_tcp_connect_flash_port(nsplugin_t)
+corenet_tcp_connect_ms_streaming_port(nsplugin_t)
+corenet_tcp_connect_rtsp_port(nsplugin_t)
+corenet_tcp_connect_pulseaudio_port(nsplugin_t)
+corenet_tcp_connect_http_port(nsplugin_t)
+corenet_tcp_connect_http_cache_port(nsplugin_t)
+corenet_tcp_connect_squid_port(nsplugin_t)
+corenet_tcp_sendrecv_generic_if(nsplugin_t)
+corenet_tcp_sendrecv_generic_node(nsplugin_t)
+corenet_tcp_connect_ipp_port(nsplugin_t)
+corenet_tcp_connect_speech_port(nsplugin_t)
+
+domain_dontaudit_read_all_domains_state(nsplugin_t)
+
+dev_read_urand(nsplugin_t)
+dev_read_rand(nsplugin_t)
+dev_read_sound(nsplugin_t)
+dev_write_sound(nsplugin_t)
+dev_read_video_dev(nsplugin_t)
+dev_write_video_dev(nsplugin_t)
+dev_getattr_dri_dev(nsplugin_t)
+dev_getattr_mouse_dev(nsplugin_t)
+dev_rwx_zero(nsplugin_t)
+dev_read_sysfs(nsplugin_t)
+dev_dontaudit_getattr_all(nsplugin_t)
+
+kernel_read_kernel_sysctls(nsplugin_t)
+kernel_read_system_state(nsplugin_t)
+kernel_read_network_state(nsplugin_t)
+
+files_dontaudit_getattr_lost_found_dirs(nsplugin_t)
+files_dontaudit_list_home(nsplugin_t)
+files_read_config_files(nsplugin_t)
+
+fs_getattr_tmpfs(nsplugin_t)
+fs_getattr_xattr_fs(nsplugin_t)
+fs_search_auto_mountpoints(nsplugin_t)
+fs_rw_anon_inodefs_files(nsplugin_t)
+fs_list_inotifyfs(nsplugin_t)
+fs_dontaudit_list_fusefs(nsplugin_t)
+
+storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
+storage_dontaudit_getattr_removable_dev(nsplugin_t)
+
+term_dontaudit_getattr_all_ptys(nsplugin_t)
+term_dontaudit_getattr_all_ttys(nsplugin_t)
+
+auth_use_nsswitch(nsplugin_t)
+
+libs_exec_ld_so(nsplugin_t)
+
+miscfiles_read_fonts(nsplugin_t)
+miscfiles_dontaudit_write_fonts(nsplugin_t)
+miscfiles_setattr_fonts_cache_dirs(nsplugin_t)
+
+userdom_manage_user_tmp_dirs(nsplugin_t)
+userdom_manage_user_tmp_files(nsplugin_t)
+userdom_manage_user_tmp_sockets(nsplugin_t)
+userdom_tmp_filetrans_user_tmp(nsplugin_t, { file dir sock_file })
+userdom_rw_semaphores(nsplugin_t)
+userdom_dontaudit_rw_user_tmp_pipes(nsplugin_t)
+
+userdom_read_user_home_content_symlinks(nsplugin_t)
+userdom_read_user_home_content_files(nsplugin_t)
+userdom_read_user_tmp_files(nsplugin_t)
+userdom_write_user_tmp_sockets(nsplugin_t)
+userdom_dontaudit_append_user_home_content_files(nsplugin_t)
+userdom_read_home_audio_files(nsplugin_t)
+
+optional_policy(`
+ alsa_read_rw_config(nsplugin_t)
+ alsa_read_home_files(nsplugin_t)
+')
+
+optional_policy(`
+ chrome_dontaudit_sandbox_leaks(nsplugin_t)
+')
+
+optional_policy(`
+ cups_stream_connect(nsplugin_t)
+')
+
+optional_policy(`
+ dbus_session_bus_client(nsplugin_t)
+ dbus_connect_session_bus(nsplugin_t)
+ dbus_system_bus_client(nsplugin_t)
+')
+
+optional_policy(`
+ gnome_exec_gconf(nsplugin_t)
+ gnome_manage_config(nsplugin_t)
+ gnome_read_gconf_home_files(nsplugin_t)
+ gnome_read_usr_config(nsplugin_t)
+')
+
+optional_policy(`
+ gpm_getattr_gpmctl(nsplugin_t)
+')
+
+optional_policy(`
+ mozilla_exec_user_home_files(nsplugin_t)
+ mozilla_read_user_home_files(nsplugin_t)
+ mozilla_write_user_home_files(nsplugin_t)
+ mozilla_plugin_delete_tmpfs_files(nsplugin_t)
+')
+
+optional_policy(`
+ mplayer_exec(nsplugin_t)
+ mplayer_read_user_home_files(nsplugin_t)
+')
+
+optional_policy(`
+ sandbox_read_tmpfs_files(nsplugin_t)
+')
+
+optional_policy(`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+ xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t)
+ xserver_rw_shm(nsplugin_t)
+ xserver_read_xdm_pid(nsplugin_t)
+ xserver_read_xdm_tmp_files(nsplugin_t)
+ xserver_read_user_xauth(nsplugin_t)
+ xserver_read_user_iceauth(nsplugin_t)
+ xserver_use_user_fonts(nsplugin_t)
+ xserver_rw_inherited_user_fonts(nsplugin_t)
+')
+
+########################################
+#
+# nsplugin_config local policy
+#
+
+allow nsplugin_config_t self:capability { dac_read_search sys_nice setuid setgid };
+allow nsplugin_config_t self:process { setsched signal_perms getsched execmem };
+#execing pulseaudio
+dontaudit nsplugin_t self:process { getcap setcap };
+
+allow nsplugin_config_t self:fifo_file rw_file_perms;
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
+dev_search_sysfs(nsplugin_config_t)
+dev_read_urand(nsplugin_config_t)
+dev_dontaudit_read_rand(nsplugin_config_t)
+dev_dontaudit_rw_dri(nsplugin_config_t)
+
+fs_search_auto_mountpoints(nsplugin_config_t)
+fs_list_inotifyfs(nsplugin_config_t)
+
+can_exec(nsplugin_config_t, nsplugin_rw_t)
+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+
+manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+
+corecmd_exec_bin(nsplugin_config_t)
+corecmd_exec_shell(nsplugin_config_t)
+
+kernel_read_system_state(nsplugin_config_t)
+kernel_request_load_module(nsplugin_config_t)
+
+domain_use_interactive_fds(nsplugin_config_t)
+
+files_dontaudit_search_home(nsplugin_config_t)
+files_list_tmp(nsplugin_config_t)
+
+auth_use_nsswitch(nsplugin_config_t)
+
+miscfiles_read_fonts(nsplugin_config_t)
+
+userdom_search_user_home_content(nsplugin_config_t)
+userdom_read_user_home_content_symlinks(nsplugin_config_t)
+userdom_read_user_home_content_files(nsplugin_config_t)
+userdom_dontaudit_search_admin_dir(nsplugin_config_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_getattr_nfs(nsplugin_t)
+ fs_manage_nfs_dirs(nsplugin_t)
+ fs_manage_nfs_files(nsplugin_t)
+ fs_manage_nfs_symlinks(nsplugin_t)
+ fs_manage_nfs_named_pipes(nsplugin_t)
+ fs_manage_nfs_dirs(nsplugin_config_t)
+ fs_manage_nfs_files(nsplugin_config_t)
+ fs_manage_nfs_named_pipes(nsplugin_config_t)
+ fs_manage_nfs_symlinks(nsplugin_config_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_getattr_cifs(nsplugin_t)
+ fs_manage_cifs_dirs(nsplugin_t)
+ fs_manage_cifs_files(nsplugin_t)
+ fs_manage_cifs_symlinks(nsplugin_t)
+ fs_manage_cifs_named_pipes(nsplugin_t)
+ fs_manage_cifs_dirs(nsplugin_config_t)
+ fs_manage_cifs_files(nsplugin_config_t)
+ fs_manage_cifs_named_pipes(nsplugin_config_t)
+ fs_manage_cifs_symlinks(nsplugin_config_t)
+')
+
+domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
+
+optional_policy(`
+ xserver_use_user_fonts(nsplugin_config_t)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(nsplugin_config_t)
+ mozilla_write_user_home_files(nsplugin_config_t)
+')
+
+application_signull(nsplugin_t)
+
+optional_policy(`
+ devicekit_dbus_chat_power(nsplugin_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(nsplugin_t)
+ pulseaudio_stream_connect(nsplugin_t)
+ pulseaudio_manage_home_files(nsplugin_t)
+ pulseaudio_setattr_home_dir(nsplugin_t)
+')
diff --git a/ntop.te b/ntop.te
index 8ec78595b..828398142 100644
--- a/ntop.te
+++ b/ntop.te
@@ -29,10 +29,11 @@ files_pid_file(ntop_var_run_t)
# Local Policy
#
-allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
+allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin dac_read_search };
dontaudit ntop_t self:capability sys_tty_config;
allow ntop_t self:process signal_perms;
allow ntop_t self:fifo_file rw_fifo_file_perms;
+allow ntop_t self:netlink_socket create_socket_perms;
allow ntop_t self:tcp_socket { accept listen };
allow ntop_t self:unix_stream_socket { accept listen };
allow ntop_t self:packet_socket create_socket_perms;
@@ -58,7 +59,6 @@ kernel_read_system_state(ntop_t)
kernel_read_network_state(ntop_t)
kernel_read_kernel_sysctls(ntop_t)
-corenet_all_recvfrom_unlabeled(ntop_t)
corenet_all_recvfrom_netlabel(ntop_t)
corenet_tcp_sendrecv_generic_if(ntop_t)
corenet_raw_sendrecv_generic_if(ntop_t)
@@ -78,10 +78,11 @@ corenet_tcp_sendrecv_http_port(ntop_t)
dev_read_sysfs(ntop_t)
dev_rw_generic_usb_dev(ntop_t)
+dev_read_usbmon_dev(ntop_t)
+dev_write_usbmon_dev(ntop_t)
domain_use_interactive_fds(ntop_t)
-files_read_usr_files(ntop_t)
fs_getattr_all_fs(ntop_t)
fs_search_auto_mountpoints(ntop_t)
@@ -101,6 +102,10 @@ optional_policy(`
')
optional_policy(`
+ snmp_read_snmp_var_lib_files(ntop_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(ntop_t)
')
diff --git a/ntp.fc b/ntp.fc
index af3c91e70..3e5f9cfa6 100644
--- a/ntp.fc
+++ b/ntp.fc
@@ -11,9 +11,13 @@
/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/libexec/ntpdate-wrapper -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
+
/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/sntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
diff --git a/ntp.if b/ntp.if
index e96a309a5..42453089c 100644
--- a/ntp.if
+++ b/ntp.if
@@ -1,4 +1,4 @@
-## <summary>Network time protocol daemon.</summary>
+## <summary>Network time protocol daemon</summary>
########################################
## <summary>
@@ -37,6 +37,25 @@ interface(`ntp_domtrans',`
########################################
## <summary>
+## Execute ntp server in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ntp_exec',`
+ gen_require(`
+ type ntpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, ntpd_exec_t)
+')
+
+########################################
+## <summary>
## Execute ntp in the ntp domain, and
## allow the specified role the ntp domain.
## </summary>
@@ -54,11 +73,11 @@ interface(`ntp_domtrans',`
#
interface(`ntp_run',`
gen_require(`
- attribute_role ntpd_roles;
+ type ntpd_t;
')
ntp_domtrans($1)
- roleattribute $2 ntpd_roles;
+ role $2 types ntpd_t;
')
########################################
@@ -98,6 +117,67 @@ interface(`ntp_initrc_domtrans',`
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
')
+#####################################
+## <summary>
+## Allow domain to read ntpd systemd unit files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_read_unit_file',`
+ gen_require(`
+ type ntpd_unit_file_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 ntpd_unit_file_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute ntpd server in the ntpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ntp_systemctl',`
+ gen_require(`
+ type ntpd_unit_file_t;
+ type ntpd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 ntpd_unit_file_t:file read_file_perms;
+ allow $1 ntpd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ntpd_t)
+')
+
+########################################
+## <summary>
+## Send a generic signal to ntpd
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_signal',`
+ gen_require(`
+ type ntpd_t;
+ ')
+
+ allow $1 ntpd_t:process signal;
+')
+
########################################
## <summary>
## Read ntp drift files.
@@ -141,8 +221,27 @@ interface(`ntp_rw_shm',`
########################################
## <summary>
-## All of the rules required to
-## administrate an ntp environment.
+## Allow the domain to read ntpd state files in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_read_state',`
+ gen_require(`
+ type ntpd_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, ntpd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ntp environment
## </summary>
## <param name="domain">
## <summary>
@@ -151,28 +250,32 @@ interface(`ntp_rw_shm',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the ntp domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`ntp_admin',`
gen_require(`
- type ntpd_t, ntpd_tmp_t, ntpd_log_t;
- type ntpd_key_t, ntpd_var_run_t, ntp_conf_t;
- type ntpd_initrc_exec_t, ntp_drift_t;
+ type ntpd_t, ntpd_tmp_t, ntpd_log_t, ntp_drift_t;
+ type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
+ type ntpd_unit_file_t;
')
- allow $1 ntpd_t:process { ptrace signal_perms };
+ allow $1 ntpd_t:process signal_perms;
ps_process_pattern($1, ntpd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ntpd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ntpd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
- admin_pattern($1, { ntpd_key_t ntp_conf_t })
+ admin_pattern($1, ntpd_key_t)
logging_list_logs($1)
admin_pattern($1, ntpd_log_t)
@@ -186,5 +289,53 @@ interface(`ntp_admin',`
files_list_pids($1)
admin_pattern($1, ntpd_var_run_t)
- ntp_run($1, $2)
+ ntp_systemctl($1)
+ admin_pattern($1, ntpd_unit_file_t)
+ allow $1 ntpd_unit_file_t:service all_service_perms;
+
+ ntp_filetrans_named_content($1)
')
+
+########################################
+## <summary>
+## Transition content labels to ntp named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_filetrans_named_content',`
+ gen_require(`
+ type ntp_conf_t;
+ type ntp_drift_t;
+ ')
+
+ files_etc_filetrans($1, ntp_conf_t, file, "ntpd.conf")
+ files_etc_filetrans($1, ntp_conf_t, dir, "ntp")
+ files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod")
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## ntp log content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_manage_log',`
+ gen_require(`
+ type ntpd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, ntpd_log_t, ntpd_log_t)
+ manage_files_pattern($1, ntpd_log_t, ntpd_log_t)
+ manage_lnk_files_pattern($1, ntpd_log_t, ntpd_log_t)
+')
+
diff --git a/ntp.te b/ntp.te
index f81b113c7..06a05a689 100644
--- a/ntp.te
+++ b/ntp.te
@@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t;
type ntpd_initrc_exec_t;
init_script_file(ntpd_initrc_exec_t)
+type ntpd_unit_file_t;
+systemd_unit_file(ntpd_unit_file_t)
+
type ntp_conf_t;
files_config_file(ntp_conf_t)
@@ -44,15 +47,18 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
# Local policy
#
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
+allow ntpd_t self:capability { chown dac_read_search kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
allow ntpd_t self:fifo_file rw_fifo_file_perms;
allow ntpd_t self:shm create_shm_perms;
allow ntpd_t self:tcp_socket { accept listen };
+allow ntpd_t self:socket create_socket_perms;
manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp")
+files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp-kod")
allow ntpd_t ntp_conf_t:file read_file_perms;
@@ -60,9 +66,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
-append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
-create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
-setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
+manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
@@ -77,27 +81,23 @@ manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
can_exec(ntpd_t, ntpd_exec_t)
+can_exec(ntpd_t, ntpdate_exec_t)
kernel_read_kernel_sysctls(ntpd_t)
kernel_read_system_state(ntpd_t)
kernel_read_network_state(ntpd_t)
kernel_request_load_module(ntpd_t)
-corenet_all_recvfrom_unlabeled(ntpd_t)
corenet_all_recvfrom_netlabel(ntpd_t)
corenet_tcp_sendrecv_generic_if(ntpd_t)
corenet_udp_sendrecv_generic_if(ntpd_t)
corenet_tcp_sendrecv_generic_node(ntpd_t)
corenet_udp_sendrecv_generic_node(ntpd_t)
corenet_udp_bind_generic_node(ntpd_t)
-
-corenet_sendrecv_ntp_server_packets(ntpd_t)
corenet_udp_bind_ntp_port(ntpd_t)
-corenet_udp_sendrecv_ntp_port(ntpd_t)
-
-corenet_sendrecv_ntp_client_packets(ntpd_t)
corenet_tcp_connect_ntp_port(ntpd_t)
-corenet_tcp_sendrecv_ntp_port(ntpd_t)
+corenet_sendrecv_ntp_server_packets(ntpd_t)
+corenet_sendrecv_ntp_client_packets(ntpd_t)
corecmd_exec_bin(ntpd_t)
corecmd_exec_shell(ntpd_t)
@@ -110,13 +110,15 @@ domain_use_interactive_fds(ntpd_t)
domain_dontaudit_list_all_domains_state(ntpd_t)
files_read_etc_runtime_files(ntpd_t)
-files_read_usr_files(ntpd_t)
files_list_var_lib(ntpd_t)
fs_getattr_all_fs(ntpd_t)
fs_search_auto_mountpoints(ntpd_t)
+# Necessary to communicate with gpsd devices
+fs_rw_tmpfs_files(ntpd_t)
term_use_ptmx(ntpd_t)
+term_use_unallocated_ttys(ntpd_t)
auth_use_nsswitch(ntpd_t)
@@ -124,12 +126,14 @@ init_exec_script_files(ntpd_t)
logging_send_syslog_msg(ntpd_t)
-miscfiles_read_localization(ntpd_t)
-
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_user_home_dirs(ntpd_t)
optional_policy(`
+ clock_domtrans(ntpd_t)
+')
+
+optional_policy(`
cron_system_entry(ntpd_t, ntpdate_exec_t)
')
@@ -152,9 +156,18 @@ optional_policy(`
')
optional_policy(`
+ ptp4l_rw_shm(ntpd_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(ntpd_t)
')
optional_policy(`
+ timemaster_read_pid_files(ntpd_t)
+ timemaster_rw_shm(ntpd_t)
+')
+
+optional_policy(`
udev_read_db(ntpd_t)
')
diff --git a/numad.fc b/numad.fc
index 3488bb0d3..1f9762420 100644
--- a/numad.fc
+++ b/numad.fc
@@ -1,7 +1,7 @@
-/etc/rc\.d/init\.d/numad -- gen_context(system_u:object_r:numad_initrc_exec_t,s0)
+/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0)
-/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0)
+/usr/lib/systemd/system/numad.* -- gen_context(system_u:object_r:numad_unit_file_t,s0)
-/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_log_t,s0)
+/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_var_log_t,s0)
-/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0)
+/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0)
diff --git a/numad.if b/numad.if
index 0d3c270b9..f307835ce 100644
--- a/numad.if
+++ b/numad.if
@@ -1,39 +1,93 @@
-## <summary>Non-Uniform Memory Alignment Daemon.</summary>
+
+## <summary>policy for numad</summary>
+
+########################################
+## <summary>
+## Transition to numad.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`numad_domtrans',`
+ gen_require(`
+ type numad_t, numad_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, numad_exec_t, numad_t)
+')
+########################################
+## <summary>
+## Execute numad server in the numad domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`numad_systemctl',`
+ gen_require(`
+ type numad_t;
+ type numad_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 numad_unit_file_t:file read_file_perms;
+ allow $1 numad_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, numad_t)
+')
########################################
## <summary>
-## All of the rules required to
-## administrate an numad environment.
+## Send and receive messages from
+## numad over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+#
+interface(`numad_dbus_chat',`
+ gen_require(`
+ type numad_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 numad_t:dbus send_msg;
+ allow numad_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an numad environment
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
interface(`numad_admin',`
gen_require(`
- type numad_t, numad_initrc_exec_t, numad_log_t;
- type numad_var_run_t;
+ type numad_t;
+ type numad_unit_file_t;
')
allow $1 numad_t:process { ptrace signal_perms };
ps_process_pattern($1, numad_t)
- init_labeled_script_domtrans($1, numad_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 numad_initrc_exec_t system_r;
- allow $2 system_r;
-
- logging_search_logs($1)
- admin_pattern($1, numad_log_t)
-
- files_search_pids($1)
- admin_pattern($1, numad_var_run_t)
+ numad_systemctl($1)
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/numad.te b/numad.te
index b0a1be482..303a9279f 100644
--- a/numad.te
+++ b/numad.te
@@ -8,37 +8,44 @@ policy_module(numad, 1.1.0)
type numad_t;
type numad_exec_t;
init_daemon_domain(numad_t, numad_exec_t)
-application_executable_file(numad_exec_t)
-type numad_initrc_exec_t;
-init_script_file(numad_initrc_exec_t)
+type numad_unit_file_t;
+systemd_unit_file(numad_unit_file_t)
-type numad_log_t;
-logging_log_file(numad_log_t)
+type numad_var_log_t;
+logging_log_file(numad_var_log_t)
type numad_var_run_t;
files_pid_file(numad_var_run_t)
########################################
#
-# Local policy
+# numad local policy
#
+allow numad_t self:capability sys_ptrace;
allow numad_t self:fifo_file rw_fifo_file_perms;
-allow numad_t self:msg { send receive };
allow numad_t self:msgq create_msgq_perms;
+allow numad_t self:msg { send receive };
allow numad_t self:unix_stream_socket create_stream_socket_perms;
-allow numad_t numad_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(numad_t, numad_log_t, file)
+manage_files_pattern(numad_t, numad_var_log_t, numad_var_log_t)
+logging_log_filetrans(numad_t, numad_var_log_t, file)
manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t)
files_pid_filetrans(numad_t, numad_var_run_t, file)
kernel_read_system_state(numad_t)
-dev_read_sysfs(numad_t)
+dev_rw_sysfs(numad_t)
+
+domain_use_interactive_fds(numad_t)
+domain_read_all_domains_state(numad_t)
+domain_setpriority_all_domains(numad_t)
-files_read_etc_files(numad_t)
+fs_manage_cgroup_dirs(numad_t)
+fs_rw_cgroup_files(numad_t)
-miscfiles_read_localization(numad_t)
+tunable_policy(`deny_ptrace',`',`
+ virt_ptrace(numad_t)
+')
diff --git a/nut.fc b/nut.fc
index 379af962c..fac7d7bc9 100644
--- a/nut.fc
+++ b/nut.fc
@@ -1,23 +1,16 @@
-/etc/nut(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
-/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
+/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
-/etc/rc\.d/init\.d/nut-driver -- gen_context(system_u:object_r:nut_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/nut-server -- gen_context(system_u:object_r:nut_initrc_exec_t,s0)
-
-/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
-/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
-/usr/lib/cgi-bin/nut/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-/usr/lib/cgi-bin/nut/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-/usr/lib/cgi-bin/nut/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/usr/lib/systemd/system/nut.* -- gen_context(system_u:object_r:nut_unit_file_t,s0)
/usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/usr/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
-/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
+/usr/sbin/blazer_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
-/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
diff --git a/nut.if b/nut.if
index 57c0161ed..c554eb6e1 100644
--- a/nut.if
+++ b/nut.if
@@ -1,39 +1,60 @@
-## <summary>Network UPS Tools </summary>
+## <summary>nut - Network UPS Tools </summary>
-########################################
+#######################################
## <summary>
-## All of the rules required to
-## administrate an nut environment.
+## Creates types and rules for a basic
+## Network UPS Tools systemd daemon domain.
## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
## </param>
-## <rolecap/>
#
-interface(`nut_admin',`
+template(`nut_domain_template',`
gen_require(`
attribute nut_domain;
- type nut_initrc_exec_t, nut_var_run_t, nut_conf_t;
')
- allow $1 nut_domain:process { ptrace signal_perms };
- ps_process_pattern($1, nut_domain_t)
+ type nut_$1_t, nut_domain;
+ type nut_$1_exec_t;
+ init_daemon_domain(nut_$1_t, nut_$1_exec_t)
+
+ type nut_$1_tmp_t;
+ files_tmp_file(nut_$1_tmp_t)
+
+ manage_dirs_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t)
+ manage_files_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t)
+ manage_lnk_files_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t)
+ files_tmp_filetrans(nut_$1_t, nut_$1_tmp_t, { lnk_file file dir })
+ fs_tmpfs_filetrans(nut_$1_t, nut_$1_tmp_t, { lnk_file file dir })
- init_labeled_script_domtrans($1, nut_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nut_initrc_exec_t system_r;
- allow $2 system_r;
+ auth_use_nsswitch(nut_$1_t)
+
+ logging_send_syslog_msg(nut_$1_t)
+
+')
+
+#######################################
+## <summary>
+## Execute swift server in the swift domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nut_systemctl',`
+ gen_require(`
+ type nut_t;
+ type nut_unit_file_t;
+ ')
- files_search_etc($1)
- admin_pattern($1, nut_conf_t)
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 nut_unit_file_t:file read_file_perms;
+ allow $1 nut_unit_file_t:service manage_service_perms;
- files_search_pids($1)
- admin_pattern($1, nut_var_run_t)
+ ps_process_pattern($1, nut_t)
')
diff --git a/nut.te b/nut.te
index 5b2cb0d59..0b0be0a36 100644
--- a/nut.te
+++ b/nut.te
@@ -7,154 +7,155 @@ policy_module(nut, 1.3.0)
attribute nut_domain;
+nut_domain_template(upsd)
+nut_domain_template(upsmon)
+nut_domain_template(upsdrvctl)
+
type nut_conf_t;
files_config_file(nut_conf_t)
-type nut_upsd_t, nut_domain;
-type nut_upsd_exec_t;
-init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)
-
-type nut_upsmon_t, nut_domain;
-type nut_upsmon_exec_t;
-init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)
-
-type nut_upsdrvctl_t, nut_domain;
-type nut_upsdrvctl_exec_t;
-init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
-
-type nut_initrc_exec_t;
-init_script_file(nut_initrc_exec_t)
-
type nut_var_run_t;
files_pid_file(nut_var_run_t)
-init_daemon_run_dir(nut_var_run_t, "nut")
-########################################
+type nut_unit_file_t;
+systemd_unit_file(nut_unit_file_t)
+
+#######################################
#
-# Common nut domain local policy
+# Local policy for upsd
#
-allow nut_domain self:capability { setgid setuid dac_override kill };
+allow nut_domain self:capability { setgid setuid dac_read_search };
+
allow nut_domain self:process signal_perms;
-allow nut_domain self:fifo_file rw_fifo_file_perms;
-allow nut_domain self:unix_dgram_socket sendto;
-allow nut_domain nut_conf_t:dir list_dir_perms;
-allow nut_domain nut_conf_t:file read_file_perms;
-allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms;
+allow nut_domain self:fifo_file rw_fifo_file_perms;
+allow nut_domain self:netlink_kobject_uevent_socket create_socket_perms;
+# pid file
manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_domain, nut_var_run_t, { dir file })
-
-kernel_read_kernel_sysctls(nut_domain)
-
-logging_send_syslog_msg(nut_domain)
-
-miscfiles_read_localization(nut_domain)
+manage_sock_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
+files_pid_filetrans(nut_domain, nut_var_run_t, dir)
########################################
#
-# Upsd local policy
+# Local policy for upsd
#
-allow nut_upsd_t self:tcp_socket { accept listen };
+allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
-manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file)
+allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
-stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t)
+read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
-corenet_all_recvfrom_unlabeled(nut_upsd_t)
-corenet_all_recvfrom_netlabel(nut_upsd_t)
-corenet_tcp_sendrecv_generic_if(nut_upsd_t)
-corenet_tcp_sendrecv_generic_node(nut_upsd_t)
-corenet_tcp_sendrecv_all_ports(nut_upsd_t)
-corenet_tcp_bind_generic_node(nut_upsd_t)
+kernel_read_kernel_sysctls(nut_upsd_t)
-corenet_sendrecv_ups_server_packets(nut_upsd_t)
corenet_tcp_bind_ups_port(nut_upsd_t)
-
-corenet_sendrecv_generic_server_packets(nut_upsd_t)
corenet_tcp_bind_generic_port(nut_upsd_t)
-
-files_read_usr_files(nut_upsd_t)
-
-auth_use_nsswitch(nut_upsd_t)
+corenet_tcp_bind_all_nodes(nut_upsd_t)
########################################
#
-# Upsmon local policy
+# Local policy for upsmon
#
-allow nut_upsmon_t self:capability dac_read_search;
-allow nut_upsmon_t self:unix_stream_socket connectto;
+allow nut_upsmon_t self:capability kill;
+allow nut_upsmon_t self:tcp_socket create_socket_perms;
+allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
+
+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)
corecmd_exec_bin(nut_upsmon_t)
corecmd_exec_shell(nut_upsmon_t)
-corenet_all_recvfrom_unlabeled(nut_upsmon_t)
-corenet_all_recvfrom_netlabel(nut_upsmon_t)
-corenet_tcp_sendrecv_generic_if(nut_upsmon_t)
-corenet_tcp_sendrecv_generic_node(nut_upsmon_t)
-corenet_tcp_sendrecv_all_ports(nut_upsmon_t)
-corenet_tcp_bind_generic_node(nut_upsmon_t)
-
-corenet_sendrecv_ups_client_packets(nut_upsmon_t)
corenet_tcp_connect_ups_port(nut_upsmon_t)
-
-corenet_sendrecv_generic_client_packets(nut_upsmon_t)
corenet_tcp_connect_generic_port(nut_upsmon_t)
+dev_read_rand(nut_upsmon_t)
+dev_read_urand(nut_upsmon_t)
+
+# Creates /etc/killpower
files_manage_etc_runtime_files(nut_upsmon_t)
files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
files_search_usr(nut_upsmon_t)
+# /usr/bin/wall
term_write_all_terms(nut_upsmon_t)
-auth_use_nsswitch(nut_upsmon_t)
+# upsmon runs shutdown, probably need a shutdown domain
+init_rw_utmp(nut_upsmon_t)
+init_telinit(nut_upsmon_t)
+
mta_send_mail(nut_upsmon_t)
+systemd_start_power_services(nut_upsmon_t)
+
optional_policy(`
shutdown_domtrans(nut_upsmon_t)
')
+optional_policy(`
+ dbus_system_bus_client(nut_upsmon_t)
+ systemd_dbus_chat_logind(nut_upsmon_t)
+')
+
########################################
#
-# Upsdrvctl local policy
+# Local policy for upsdrvctl
#
+allow nut_upsdrvctl_t self:capability { kill };
allow nut_upsdrvctl_t self:fd use;
+allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
+
+can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
+
+read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
-manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, sock_file)
+kernel_read_kernel_sysctls(nut_upsdrvctl_t)
+# /sbin/upsdrvctl executes other drivers
corecmd_exec_bin(nut_upsdrvctl_t)
dev_read_sysfs(nut_upsdrvctl_t)
-dev_read_urand(nut_upsdrvctl_t)
+dev_read_usbfs(nut_upsdrvctl_t)
dev_rw_generic_usb_dev(nut_upsdrvctl_t)
term_use_unallocated_ttys(nut_upsdrvctl_t)
-
-auth_use_nsswitch(nut_upsdrvctl_t)
+term_use_usb_ttys(nut_upsdrvctl_t)
init_sigchld(nut_upsdrvctl_t)
+udev_read_db(nut_upsdrvctl_t)
+
#######################################
#
-# Cgi local policy
+# Local policy for upscgi scripts
+# requires httpd_enable_cgi and httpd_can_network_connect
#
optional_policy(`
apache_content_template(nutups_cgi)
+ apache_content_alias_template(nutups_cgi,nutups_cgi)
+
+ read_files_pattern(nutups_cgi_script_t, nut_conf_t, nut_conf_t)
- allow httpd_nutups_cgi_script_t nut_conf_t:dir list_dir_perms;
- allow httpd_nutups_cgi_script_t nut_conf_t:file read_file_perms;
- allow httpd_nutups_cgi_script_t nut_conf_t:lnk_file read_lnk_file_perms;
+ corenet_all_recvfrom_netlabel(nutups_cgi_script_t)
+ corenet_tcp_sendrecv_generic_if(nutups_cgi_script_t)
+ corenet_tcp_sendrecv_generic_node(nutups_cgi_script_t)
+ corenet_tcp_sendrecv_all_ports(nutups_cgi_script_t)
+ corenet_tcp_connect_ups_port(nutups_cgi_script_t)
+ corenet_udp_sendrecv_generic_if(nutups_cgi_script_t)
+ corenet_udp_sendrecv_generic_node(nutups_cgi_script_t)
+ corenet_udp_sendrecv_all_ports(nutups_cgi_script_t)
- sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
+ sysnet_dns_name_resolve(nutups_cgi_script_t)
')
diff --git a/nx.if b/nx.if
index 251d6816a..50ae2a94b 100644
--- a/nx.if
+++ b/nx.if
@@ -35,7 +35,9 @@ interface(`nx_read_home_files',`
')
files_search_var_lib($1)
- read_files_pattern($1, { nx_server_var_lib_t nx_server_home_ssh_t }, nx_server_home_ssh_t)
+ allow $1 nx_server_var_lib_t:dir search_dir_perms;
+ read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+ read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
')
########################################
@@ -90,3 +92,21 @@ interface(`nx_var_lib_filetrans',`
filetrans_pattern($1, nx_server_var_lib_t, $2, $3, $4)
')
+
+########################################
+## <summary>
+## Transition to nx named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nx_filetrans_named_content',`
+ gen_require(`
+ type nx_server_home_ssh_t, nx_server_var_lib_t;
+ ')
+
+ filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh")
+')
diff --git a/nx.te b/nx.te
index 091f87272..62a0b1229 100644
--- a/nx.te
+++ b/nx.te
@@ -27,6 +27,9 @@ files_type(nx_server_var_lib_t)
type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)
+type nx_server_home_ssh_t;
+files_type(nx_server_home_ssh_t)
+
########################################
#
# Local policy
@@ -50,13 +53,15 @@ files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })
manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
+manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
+manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
+
kernel_read_system_state(nx_server_t)
kernel_read_kernel_sysctls(nx_server_t)
corecmd_exec_shell(nx_server_t)
corecmd_exec_bin(nx_server_t)
-corenet_all_recvfrom_unlabeled(nx_server_t)
corenet_all_recvfrom_netlabel(nx_server_t)
corenet_tcp_sendrecv_generic_if(nx_server_t)
corenet_tcp_sendrecv_generic_node(nx_server_t)
@@ -67,13 +72,7 @@ corenet_sendrecv_all_client_packets(nx_server_t)
dev_read_urand(nx_server_t)
-files_read_etc_files(nx_server_t)
files_read_etc_runtime_files(nx_server_t)
-files_read_usr_files(nx_server_t)
-
-miscfiles_read_localization(nx_server_t)
-
-seutil_dontaudit_search_config(nx_server_t)
sysnet_read_config(nx_server_t)
diff --git a/oav.te b/oav.te
index b09c4c412..995c3f6a6 100644
--- a/oav.te
+++ b/oav.te
@@ -95,7 +95,6 @@ dev_read_sysfs(scannerdaemon_t)
domain_use_interactive_fds(scannerdaemon_t)
files_exec_etc_files(scannerdaemon_t)
-files_read_etc_files(scannerdaemon_t)
files_read_etc_runtime_files(scannerdaemon_t)
files_search_var_lib(scannerdaemon_t)
diff --git a/obex.fc b/obex.fc
index 03fa56040..000c5fe7b 100644
--- a/obex.fc
+++ b/obex.fc
@@ -1 +1 @@
-/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0)
+/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0)
diff --git a/obex.if b/obex.if
index 8635ea205..eec20b413 100644
--- a/obex.if
+++ b/obex.if
@@ -1,15 +1,50 @@
## <summary>D-Bus service providing high-level OBEX client and server side functionality.</summary>
-#######################################
+########################################
## <summary>
-## The role template for obex.
+## Transition to obex.
## </summary>
-## <param name="role_prefix">
-## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`obex_domtrans',`
+ gen_require(`
+ type obex_t, obex_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, obex_exec_t, obex_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## obex over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
+#
+interface(`obex_dbus_chat',`
+ gen_require(`
+ type obex_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 obex_t:dbus send_msg;
+ allow obex_t $1:dbus send_msg;
+')
+
+#######################################
+## <summary>
+## Role access for obex domains
+## that executes via dbus-session
+## </summary>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
@@ -20,69 +55,34 @@
## The type of the user domain.
## </summary>
## </param>
+## <param name="domain_prefix">
+## <summary>
+## User domain prefix to be used.
+## </summary>
+## </param>
#
-template(`obex_role_template',`
+template(`obex_role',`
gen_require(`
attribute_role obex_roles;
- type obex_t, obex_exec_exec_t;
+ type obex_t, obex_exec_t;
')
########################################
- #
+ #
# Declarations
#
- roleattribute $2 obex_roles;
+ roleattribute $1 obex_roles;
########################################
- #
+ #
# Policy
- #
-
- allow $3 obex_t:process { ptrace signal_perms };
- ps_process_pattern($3, obex_t)
+ #
- dbus_spec_session_domain($1, obex_exec_t, obex_t)
-
- obex_dbus_chat($3)
-')
+ allow $2 obex_t:process signal_perms;
+ ps_process_pattern($2, obex_t)
-########################################
-## <summary>
-## Execute obex in the obex domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`obex_domtrans',`
- gen_require(`
- type obex_t, obex_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, obex_exec_t, obex_t)
-')
-
-########################################
-## <summary>
-## Send and receive messages from
-## obex over dbus.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`obex_dbus_chat',`
- gen_require(`
- type obex_t;
- class dbus send_msg;
- ')
+ dbus_session_domain($3, obex_exec_t, obex_t)
- allow $1 obex_t:dbus send_msg;
- allow obex_t $1:dbus send_msg;
+ obex_dbus_chat($2)
')
diff --git a/obex.te b/obex.te
index cd29ea899..d01d2c8e6 100644
--- a/obex.te
+++ b/obex.te
@@ -1,4 +1,4 @@
-policy_module(obex, 1.0.0)
+policy_module(obex,1.0.0)
########################################
#
@@ -14,30 +14,26 @@ role obex_roles types obex_t;
########################################
#
-# Local policy
+# obex local policy
#
allow obex_t self:fifo_file rw_fifo_file_perms;
allow obex_t self:socket create_stream_socket_perms;
+allow obex_t self:netlink_kobject_uevent_socket create_socket_perms;
-dev_read_urand(obex_t)
+kernel_request_load_module(obex_t)
-files_read_etc_files(obex_t)
+dev_read_urand(obex_t)
logging_send_syslog_msg(obex_t)
-miscfiles_read_localization(obex_t)
-
userdom_search_user_home_content(obex_t)
optional_policy(`
- bluetooth_stream_connect(obex_t)
-')
-
-optional_policy(`
dbus_system_bus_client(obex_t)
optional_policy(`
+ bluetooth_stream_connect(obex_t)
bluetooth_dbus_chat(obex_t)
')
')
diff --git a/oddjob.fc b/oddjob.fc
index dd1d9ef5a..c48733aa4 100644
--- a/oddjob.fc
+++ b/oddjob.fc
@@ -1,10 +1,12 @@
-/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
-/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/lib/systemd/system/oddjobd.* -- gen_context(system_u:object_r:oddjob_unit_file_t,s0)
+/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
-/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
-/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/bin/oddjob_request -- gen_context(system_u:object_r:oddjob_exec_t,s0)
+
+/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
-/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
+/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
diff --git a/oddjob.if b/oddjob.if
index c87bd2a30..6180fba1f 100644
--- a/oddjob.if
+++ b/oddjob.if
@@ -1,4 +1,8 @@
-## <summary>D-BUS service which runs odd jobs on behalf of client applications.</summary>
+## <summary>
+## Oddjob provides a mechanism by which unprivileged applications can
+## request that specified privileged operations be performed on their
+## behalf.
+## </summary>
########################################
## <summary>
@@ -15,14 +19,32 @@ interface(`oddjob_domtrans',`
type oddjob_t, oddjob_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, oddjob_exec_t, oddjob_t)
')
+#####################################
+## <summary>
+## Do not audit attempts to read and write
+## oddjob fifo file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`oddjob_dontaudit_rw_fifo_file',`
+ gen_require(`
+ type oddjob_t;
+ ')
+
+ dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
########################################
## <summary>
-## Make the specified program domain
-## accessable from the oddjob.
+## Make the specified program domain accessable
+## from the oddjob.
## </summary>
## <param name="domain">
## <summary>
@@ -41,6 +63,7 @@ interface(`oddjob_system_entry',`
')
domtrans_pattern(oddjob_t, $2, $1)
+ domain_user_exemption_target($1)
')
########################################
@@ -64,32 +87,45 @@ interface(`oddjob_dbus_chat',`
allow oddjob_t $1:dbus send_msg;
')
-########################################
+######################################
## <summary>
-## Execute a domain transition to
-## run oddjob mkhomedir.
+## Send a SIGCHLD signal to oddjob.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed access.
## </summary>
## </param>
#
+interface(`oddjob_sigchld',`
+ gen_require(`
+ type oddjob_t;
+ ')
+
+ allow $1 oddjob_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run oddjob_mkhomedir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
interface(`oddjob_domtrans_mkhomedir',`
gen_require(`
type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
')
########################################
## <summary>
-## Execute oddjob mkhomedir in the
-## oddjob mkhomedir domain and allow
-## the specified role the oddjob
-## mkhomedir domain.
+## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
## </summary>
## <param name="domain">
## <summary>
@@ -105,46 +141,114 @@ interface(`oddjob_domtrans_mkhomedir',`
#
interface(`oddjob_run_mkhomedir',`
gen_require(`
- attribute_role oddjob_mkhomedir_roles;
+ type oddjob_mkhomedir_t;
')
oddjob_domtrans_mkhomedir($1)
- roleattribute $2 oddjob_mkhomedir_roles;
+ role $2 types oddjob_mkhomedir_t;
')
-#####################################
+########################################
## <summary>
-## Do not audit attempts to read and write
-## oddjob fifo files.
+## Execute the oddjob program in the oddjob domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed to transition.
## </summary>
## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
#
-interface(`oddjob_dontaudit_rw_fifo_files',`
+interface(`oddjob_run',`
gen_require(`
type oddjob_t;
')
- dontaudit $1 oddjob_t:fifo_file rw_fifo_file_perms;
+ oddjob_domtrans($1)
+ role $2 types oddjob_t;
')
-######################################
+#######################################
+## <summary>
+## Execute oddjob in the oddjob domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`oddjob_systemctl',`
+ gen_require(`
+ type oddjob_unit_file_t;
+ type oddjob_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 oddjob_unit_file_t:file read_file_perms;
+ allow $1 oddjob_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, oddjob_t)
+')
+
+########################################
## <summary>
-## Send child terminated signals to oddjob.
+## Create a domain which can be started by init,
+## with a range transition.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+## <param name="range">
+## <summary>
+## Range for the domain.
## </summary>
## </param>
#
-interface(`oddjob_sigchld',`
+interface(`oddjob_ranged_domain',`
gen_require(`
type oddjob_t;
')
- allow $1 oddjob_t:process sigchld;
+ oddjob_system_entry($1, $2)
+
+ ifdef(`enable_mcs',`
+ range_transition oddjob_t $2:process $3;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition oddjob_t $2:process $3;
+ mls_rangetrans_target($1)
+ ')
+')
+
+########################################
+## <summary>
+## Allow any oddjob_mkhomedir_exec_t to be an entrypoint of this domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`oddjob_mkhomedir_entrypoint',`
+ gen_require(`
+ type oddjob_mkhomedir_exec_t;
+ ')
+ allow $1 oddjob_mkhomedir_exec_t:file entrypoint;
')
diff --git a/oddjob.te b/oddjob.te
index e403097c6..cba01335f 100644
--- a/oddjob.te
+++ b/oddjob.te
@@ -5,8 +5,6 @@ policy_module(oddjob, 1.10.0)
# Declarations
#
-attribute_role oddjob_mkhomedir_roles;
-
type oddjob_t;
type oddjob_exec_t;
domain_type(oddjob_t)
@@ -20,18 +18,22 @@ type oddjob_mkhomedir_exec_t;
domain_type(oddjob_mkhomedir_t)
domain_obj_id_change_exemption(oddjob_mkhomedir_t)
init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
-role oddjob_mkhomedir_roles types oddjob_mkhomedir_t;
+oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+# pid files
type oddjob_var_run_t;
files_pid_file(oddjob_var_run_t)
+type oddjob_unit_file_t;
+systemd_unit_file(oddjob_unit_file_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh)
')
########################################
#
-# Local policy
+# oddjob local policy
#
allow oddjob_t self:capability setgid;
@@ -43,8 +45,6 @@ manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file })
-domtrans_pattern(oddjob_t, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
-
kernel_read_system_state(oddjob_t)
corecmd_exec_bin(oddjob_t)
@@ -54,9 +54,9 @@ mcs_process_set_categories(oddjob_t)
selinux_compute_create_context(oddjob_t)
+
auth_use_nsswitch(oddjob_t)
-miscfiles_read_localization(oddjob_t)
locallogin_dontaudit_use_fds(oddjob_t)
@@ -66,27 +66,29 @@ optional_policy(`
')
optional_policy(`
- unconfined_domtrans(oddjob_t)
+ apache_dbus_chat(oddjob_t)
')
########################################
#
-# Mkhomedir local policy
+# oddjob_mkhomedir local policy
#
-allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
+allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_read_search };
allow oddjob_mkhomedir_t self:process setfscreate;
allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
-allow oddjob_mkhomedir_t self:unix_stream_socket { accept listen };
+allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
kernel_read_system_state(oddjob_mkhomedir_t)
+fs_manage_auto_mountpoints(oddjob_mkhomedir_t)
+
+mls_file_upgrade(oddjob_mkhomedir_t)
+
auth_use_nsswitch(oddjob_mkhomedir_t)
logging_send_syslog_msg(oddjob_mkhomedir_t)
-miscfiles_read_localization(oddjob_mkhomedir_t)
-
selinux_get_fs_mount(oddjob_mkhomedir_t)
selinux_validate_context(oddjob_mkhomedir_t)
selinux_compute_access_vector(oddjob_mkhomedir_t)
@@ -98,8 +100,11 @@ seutil_read_config(oddjob_mkhomedir_t)
seutil_read_file_contexts(oddjob_mkhomedir_t)
seutil_read_default_contexts(oddjob_mkhomedir_t)
+# Add/remove user home directories
userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
-userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
-userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
-userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_user_home_content(oddjob_mkhomedir_t)
+userdom_home_manager(oddjob_mkhomedir_t)
+userdom_stream_connect(oddjob_mkhomedir_t)
+
diff --git a/openct.te b/openct.te
index 3b6920e31..577c90b03 100644
--- a/openct.te
+++ b/openct.te
@@ -21,6 +21,7 @@ files_pid_file(openct_var_run_t)
#
dontaudit openct_t self:capability sys_tty_config;
+allow openct_t self:capability2 wake_alarm;
allow openct_t self:process signal_perms;
allow openct_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -29,12 +30,12 @@ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
-can_exec(openct_t, openct_exec_t)
-
kernel_read_kernel_sysctls(openct_t)
kernel_list_proc(openct_t)
kernel_read_proc_symlinks(openct_t)
+can_exec(openct_t, openct_exec_t)
+
dev_read_sysfs(openct_t)
dev_rw_usbfs(openct_t)
dev_rw_smartcard(openct_t)
@@ -42,15 +43,12 @@ dev_rw_generic_usb_dev(openct_t)
domain_use_interactive_fds(openct_t)
-files_read_etc_files(openct_t)
fs_getattr_all_fs(openct_t)
fs_search_auto_mountpoints(openct_t)
logging_send_syslog_msg(openct_t)
-miscfiles_read_localization(openct_t)
-
userdom_dontaudit_use_unpriv_user_fds(openct_t)
userdom_dontaudit_search_user_home_dirs(openct_t)
diff --git a/opendnssec.fc b/opendnssec.fc
new file mode 100644
index 000000000..08d0e793d
--- /dev/null
+++ b/opendnssec.fc
@@ -0,0 +1,14 @@
+/usr/lib/systemd/system/ods-enforcerd.service -- gen_context(system_u:object_r:opendnssec_unit_file_t,s0)
+
+/usr/lib/systemd/system/ods-signerd.service -- gen_context(system_u:object_r:opendnssec_unit_file_t,s0)
+
+/usr/sbin/ods-control -- gen_context(system_u:object_r:opendnssec_exec_t,s0)
+/usr/sbin/ods-enforcerd -- gen_context(system_u:object_r:opendnssec_exec_t,s0)
+/usr/sbin/ods-signer -- gen_context(system_u:object_r:opendnssec_exec_t,s0)
+/usr/sbin/ods-signerd -- gen_context(system_u:object_r:opendnssec_exec_t,s0)
+
+/etc/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_conf_t,s0)
+
+/var/run/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_var_run_t,s0)
+
+/var/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_var_t,s0)
diff --git a/opendnssec.if b/opendnssec.if
new file mode 100644
index 000000000..7c081576b
--- /dev/null
+++ b/opendnssec.if
@@ -0,0 +1,228 @@
+
+## <summary>policy for opendnssec</summary>
+
+########################################
+## <summary>
+## Execute opendnssec_exec_t in the opendnssec domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`opendnssec_domtrans',`
+ gen_require(`
+ type opendnssec_t, opendnssec_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, opendnssec_exec_t, opendnssec_t)
+')
+
+######################################
+## <summary>
+## Execute opendnssec in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`opendnssec_exec',`
+ gen_require(`
+ type opendnssec_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, opendnssec_exec_t)
+')
+
+########################################
+## <summary>
+## Read the opendnssec configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`opendnssec_read_config',`
+ gen_require(`
+ type opendnssec_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 opendnssec_conf_t:dir list_dir_perms;
+ allow $1 opendnssec_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read the opendnssec configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`opendnssec_manage_config',`
+ gen_require(`
+ type opendnssec_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 opendnssec_conf_t:dir manage_dir_perms;
+ allow $1 opendnssec_conf_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to
+## read and write opendnssec /var files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`opendnssec_manage_var_files',`
+ gen_require(`
+ type opendnssec_var_t;
+ ')
+
+ files_search_var($1)
+ files_search_var_lib($1)
+ manage_files_pattern($1, opendnssec_var_t, opendnssec_var_t)
+')
+
+########################################
+## <summary>
+## Read opendnssec PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`opendnssec_read_pid_files',`
+ gen_require(`
+ type opendnssec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, opendnssec_var_run_t, opendnssec_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute opendnssec server in the opendnssec domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`opendnssec_systemctl',`
+ gen_require(`
+ type opendnssec_t;
+ type opendnssec_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 opendnssec_unit_file_t:file read_file_perms;
+ allow $1 opendnssec_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, opendnssec_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an opendnssec environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`opendnssec_admin',`
+ gen_require(`
+ type opendnssec_t;
+ type opendnssec_var_run_t;
+ type opendnssec_unit_file_t;
+ ')
+
+ allow $1 opendnssec_t:process { signal_perms };
+ ps_process_pattern($1, opendnssec_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 opendnssec_t:process ptrace;
+ ')
+
+ files_search_pids($1)
+ admin_pattern($1, opendnssec_var_run_t)
+
+ opendnssec_systemctl($1)
+ admin_pattern($1, opendnssec_unit_file_t)
+ allow $1 opendnssec_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
+
+########################################
+## <summary>
+## Transition to quota named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`opendnssec_filetrans_etc_content',`
+ gen_require(`
+ type opendnssec_conf_t;
+ ')
+
+ files_etc_filetrans($1, opendnssec_conf_t, file)
+')
+
+########################################
+## <summary>
+## Connect to opendnssec over an unix
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`opendnssec_stream_connect',`
+ gen_require(`
+ type opendnssec_t, opendnssec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, opendnssec_var_run_t, opendnssec_var_run_t, opendnssec_t)
+')
diff --git a/opendnssec.te b/opendnssec.te
new file mode 100644
index 000000000..3a760d741
--- /dev/null
+++ b/opendnssec.te
@@ -0,0 +1,69 @@
+policy_module(opendnssec, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type opendnssec_t;
+type opendnssec_exec_t;
+init_daemon_domain(opendnssec_t, opendnssec_exec_t)
+
+type opendnssec_conf_t;
+files_config_file(opendnssec_conf_t)
+
+type opendnssec_var_t;
+files_type(opendnssec_var_t)
+
+type opendnssec_var_run_t;
+files_pid_file(opendnssec_var_run_t)
+
+type opendnssec_tmp_t;
+files_tmp_file(opendnssec_tmp_t)
+
+type opendnssec_unit_file_t;
+systemd_unit_file(opendnssec_unit_file_t)
+
+########################################
+#
+# opendnssec local policy
+#
+allow opendnssec_t self:capability { chown setgid setuid sys_chroot };
+allow opendnssec_t self:process { fork signal_perms };
+allow opendnssec_t self:fifo_file rw_fifo_file_perms;
+allow opendnssec_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+manage_files_pattern(opendnssec_t, opendnssec_conf_t,opendnssec_conf_t)
+manage_dirs_pattern(opendnssec_t, opendnssec_conf_t,opendnssec_conf_t)
+
+manage_dirs_pattern(opendnssec_t, opendnssec_var_t, opendnssec_var_t)
+manage_files_pattern(opendnssec_t, opendnssec_var_t, opendnssec_var_t)
+files_var_filetrans(opendnssec_t, opendnssec_var_t, dir)
+
+manage_dirs_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t)
+manage_files_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t)
+manage_lnk_files_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t)
+manage_sock_files_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t)
+files_pid_filetrans(opendnssec_t, opendnssec_var_run_t, { dir file lnk_file })
+
+manage_dirs_pattern(opendnssec_t, opendnssec_tmp_t, opendnssec_tmp_t)
+manage_files_pattern(opendnssec_t, opendnssec_tmp_t, opendnssec_tmp_t)
+files_tmp_filetrans(opendnssec_t, opendnssec_tmp_t, { file dir })
+
+kernel_read_system_state(opendnssec_t)
+
+auth_use_nsswitch(opendnssec_t)
+
+corecmd_exec_bin(opendnssec_t)
+
+logging_send_syslog_msg(opendnssec_t)
+
+optional_policy(`
+ bind_manage_cache(opendnssec_t)
+')
+
+optional_policy(`
+ ipa_manage_lib(opendnssec_t)
+ ipa_stream_connect_ods_exporter(opendnssec_t)
+')
+
diff --git a/openfortivpn.fc b/openfortivpn.fc
new file mode 100644
index 000000000..2e4dd3ffe
--- /dev/null
+++ b/openfortivpn.fc
@@ -0,0 +1,4 @@
+/usr/bin/openfortivpn -- gen_context(system_u:object_r:openfortivpn_exec_t,s0)
+/usr/libexec/nm-fortisslvpn-service -- gen_context(system_u:object_r:openfortivpn_exec_t,s0)
+
+/var/lib/NetworkManager-fortisslvpn(/.*)? gen_context(system_u:object_r:openfortivpn_var_lib_t,s0)
diff --git a/openfortivpn.if b/openfortivpn.if
new file mode 100644
index 000000000..7581b52a0
--- /dev/null
+++ b/openfortivpn.if
@@ -0,0 +1,113 @@
+## <summary>Fortinet compatible SSL VPN daemons.</summary>
+
+########################################
+## <summary>
+## Transition to openfortivpn.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openfortivpn_domtrans',`
+ gen_require(`
+ type openfortivpn_t, openfortivpn_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, openfortivpn_exec_t, openfortivpn_t)
+')
+
+########################################
+## <summary>
+## Allow send a signal to openfortivpn.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openfortivpn_signal',`
+ gen_require(`
+ type openfortivpn_t;
+ ')
+
+ allow $1 openfortivpn_t:process signal;
+')
+
+########################################
+## <summary>
+## Allow send signull to openfortivpn.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openfortivpn_signull',`
+ gen_require(`
+ type openfortivpn_t;
+ ')
+
+ allow $1 openfortivpn_t:process signull;
+')
+
+########################################
+## <summary>
+## Allow send sigkill to openfortivpn.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openfortivpn_sigkill',`
+ gen_require(`
+ type openfortivpn_t;
+ ')
+
+ allow $1 openfortivpn_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## openfortivpn over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openfortivpn_dbus_chat',`
+ gen_require(`
+ type openfortivpn_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 openfortivpn_t:dbus send_msg;
+ allow openfortivpn_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read from and write to the openfortivpn devpts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openfortivpn_use_ptys',`
+ gen_require(`
+ type openfortivpn_devpts_t;
+ ')
+
+ allow $1 openfortivpn_devpts_t:chr_file rw_term_perms;
+')
diff --git a/openfortivpn.te b/openfortivpn.te
new file mode 100644
index 000000000..8479af48a
--- /dev/null
+++ b/openfortivpn.te
@@ -0,0 +1,67 @@
+policy_module(openfortivpn, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openfortivpn_t;
+role system_r types openfortivpn_t;
+type openfortivpn_exec_t;
+init_daemon_domain(openfortivpn_t, openfortivpn_exec_t)
+
+type openfortivpn_var_lib_t;
+files_type(openfortivpn_var_lib_t)
+
+type openfortivpn_devpts_t;
+term_pty(openfortivpn_devpts_t)
+
+########################################
+#
+# Local policy
+#
+
+# User certificates are typically not world-readable and are owned by the user
+allow openfortivpn_t self:capability { dac_read_search };
+
+# Talking to pppd via the PTY
+allow openfortivpn_t openfortivpn_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+
+manage_dirs_pattern(openfortivpn_t, openfortivpn_var_lib_t, openfortivpn_var_lib_t)
+manage_files_pattern(openfortivpn_t, openfortivpn_var_lib_t, openfortivpn_var_lib_t)
+
+can_exec(openfortivpn_t, openfortivpn_exec_t)
+
+# No standard port for SSLVPN
+corenet_all_recvfrom_unlabeled(openfortivpn_t)
+corenet_tcp_connect_all_ports(openfortivpn_t)
+corenet_tcp_sendrecv_all_ports(openfortivpn_t)
+corenet_tcp_sendrecv_generic_if(openfortivpn_t)
+corenet_tcp_sendrecv_generic_node(openfortivpn_t)
+
+fs_dontaudit_getattr_xattr_fs(openfortivpn_t)
+
+# PTY to pppd
+term_create_pty(openfortivpn_t, openfortivpn_devpts_t)
+
+auth_dontaudit_read_passwd(openfortivpn_t)
+auth_use_nsswitch(openfortivpn_t)
+
+logging_send_syslog_msg(openfortivpn_t)
+
+userdom_read_home_certs(openfortivpn_t)
+
+optional_policy(`
+ dbus_system_bus_client(openfortivpn_t)
+ dbus_connect_system_bus(openfortivpn_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(openfortivpn_t)
+ ')
+')
+
+optional_policy(`
+ ppp_domtrans(openfortivpn_t)
+ ppp_signal(openfortivpn_t)
+ ppp_kill(openfortivpn_t)
+')
diff --git a/openhpi.te b/openhpi.te
index 8de619112..1a01e99f2 100644
--- a/openhpi.te
+++ b/openhpi.te
@@ -38,6 +38,8 @@ files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, dir)
manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t)
files_pid_filetrans(openhpid_t, openhpid_var_run_t, file)
+kernel_read_system_state(openhpid_t)
+
corenet_all_recvfrom_unlabeled(openhpid_t)
corenet_all_recvfrom_netlabel(openhpid_t)
corenet_tcp_sendrecv_generic_if(openhpid_t)
@@ -50,8 +52,10 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t)
dev_read_urand(openhpid_t)
-files_read_etc_files(openhpid_t)
-
logging_send_syslog_msg(openhpid_t)
miscfiles_read_localization(openhpid_t)
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(openhpid_t)
+')
diff --git a/openhpid.fc b/openhpid.fc
new file mode 100644
index 000000000..df219e6ef
--- /dev/null
+++ b/openhpid.fc
@@ -0,0 +1,10 @@
+
+/etc/rc\.d/init\.d/openhpid -- gen_context(system_u:object_r:openhpid_initrc_exec_t,s0)
+
+/usr/sbin/openhpid -- gen_context(system_u:object_r:openhpid_exec_t,s0)
+
+/var/lib/openhpi(/.*)? gen_context(system_u:object_r:openhpid_var_lib_t,s0)
+
+/var/log/dynsim[0-9]*\.log -- gen_context(system_u:object_r:openhpid_log_t,s0)
+
+/var/run/openhpid\.pid -- gen_context(system_u:object_r:openhpid_var_run_t,s0)
diff --git a/openhpid.if b/openhpid.if
new file mode 100644
index 000000000..598789a3b
--- /dev/null
+++ b/openhpid.if
@@ -0,0 +1,159 @@
+
+## <summary>policy for openhpid</summary>
+
+
+########################################
+## <summary>
+## Transition to openhpid.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openhpid_domtrans',`
+ gen_require(`
+ type openhpid_t, openhpid_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, openhpid_exec_t, openhpid_t)
+')
+
+
+########################################
+## <summary>
+## Execute openhpid server in the openhpid domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openhpid_initrc_domtrans',`
+ gen_require(`
+ type openhpid_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
+')
+
+
+########################################
+## <summary>
+## Search openhpid lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openhpid_search_lib',`
+ gen_require(`
+ type openhpid_var_lib_t;
+ ')
+
+ allow $1 openhpid_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read openhpid lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openhpid_read_lib_files',`
+ gen_require(`
+ type openhpid_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage openhpid lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openhpid_manage_lib_files',`
+ gen_require(`
+ type openhpid_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage openhpid lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openhpid_manage_lib_dirs',`
+ gen_require(`
+ type openhpid_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an openhpid environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`openhpid_admin',`
+ gen_require(`
+ type openhpid_t;
+ type openhpid_initrc_exec_t;
+ type openhpid_var_lib_t;
+ ')
+
+ allow $1 openhpid_t:process { ptrace signal_perms };
+ ps_process_pattern($1, openhpid_t)
+
+ openhpid_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 openhpid_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, openhpid_var_lib_t)
+
+
+
+')
+
diff --git a/openhpid.te b/openhpid.te
new file mode 100644
index 000000000..a0e0eafce
--- /dev/null
+++ b/openhpid.te
@@ -0,0 +1,67 @@
+policy_module(openhpid, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openhpid_t;
+type openhpid_exec_t;
+init_daemon_domain(openhpid_t, openhpid_exec_t)
+
+type openhpid_initrc_exec_t;
+init_script_file(openhpid_initrc_exec_t)
+
+type openhpid_log_t;
+logging_log_file(openhpid_log_t)
+
+type openhpid_var_lib_t;
+files_type(openhpid_var_lib_t)
+
+type openhpid_var_run_t;
+files_pid_file(openhpid_var_run_t)
+
+########################################
+#
+# openhpid local policy
+#
+
+allow openhpid_t self:capability { kill };
+allow openhpid_t self:process signal_perms;
+
+allow openhpid_t self:fifo_file rw_fifo_file_perms;
+allow openhpid_t self:netlink_route_socket r_netlink_socket_perms;
+allow openhpid_t self:unix_stream_socket create_stream_socket_perms;
+allow openhpid_t self:tcp_socket create_stream_socket_perms;
+allow openhpid_t self:udp_socket create_socket_perms;
+
+
+manage_files_pattern(openhpid_t, openhpid_log_t, openhpid_log_t)
+logging_log_filetrans(openhpid_t, openhpid_log_t, file)
+
+manage_dirs_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
+manage_files_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
+files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, { dir file })
+
+manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t)
+files_pid_filetrans(openhpid_t, openhpid_var_run_t, { file })
+
+kernel_read_system_state(openhpid_t)
+
+corenet_tcp_bind_generic_node(openhpid_t)
+corenet_tcp_bind_openhpid_port(openhpid_t)
+corenet_tcp_connect_http_port(openhpid_t)
+
+dev_read_urand(openhpid_t)
+dev_rw_watchdog(openhpid_t)
+
+logging_send_syslog_msg(openhpid_t)
+
+miscfiles_read_generic_certs(openhpid_t)
+
+sysnet_read_config(openhpid_t)
+
+optional_policy(`
+ snmp_manage_var_lib_files(openhpid_t)
+ snmp_manage_var_lib_dirs(openhpid_t)
+')
diff --git a/openshift-origin.fc b/openshift-origin.fc
new file mode 100644
index 000000000..30ca148ee
--- /dev/null
+++ b/openshift-origin.fc
@@ -0,0 +1 @@
+# Left Blank
diff --git a/openshift-origin.if b/openshift-origin.if
new file mode 100644
index 000000000..3eb6a3057
--- /dev/null
+++ b/openshift-origin.if
@@ -0,0 +1 @@
+## <summary></summary>
diff --git a/openshift-origin.te b/openshift-origin.te
new file mode 100644
index 000000000..a437f80ca
--- /dev/null
+++ b/openshift-origin.te
@@ -0,0 +1,13 @@
+policy_module(openshift-origin,1.0.0)
+gen_require(`
+ attribute openshift_domain;
+')
+
+########################################
+#
+# openshift origin standard local policy
+#
+allow openshift_domain self:socket_class_set create_socket_perms;
+corenet_tcp_connect_all_ports(openshift_domain)
+corenet_tcp_bind_all_ports(openshift_domain)
+files_read_config_files(openshift_domain)
diff --git a/openshift.fc b/openshift.fc
new file mode 100644
index 000000000..5a2f97ef6
--- /dev/null
+++ b/openshift.fc
@@ -0,0 +1,30 @@
+/etc/rc\.d/init\.d/libra gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mcollective gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
+/etc/cron.minutely/openshift-facts -- gen_context(system_u:object_r:openshift_cron_exec_t,s0)
+
+/var/lib/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
+/var/lib/stickshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
+/var/lib/containers/home(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
+/var/lib/openshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
+/var/lib/openshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
+
+/var/lib/stickshift/.*/\.tmp(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
+/var/lib/stickshift/.*/\.sandbox(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
+/var/lib/openshift/.*/\.tmp(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
+/var/lib/openshift/.*/\.sandbox(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
+
+/var/log/mcollective\.log.* -- gen_context(system_u:object_r:openshift_log_t,s0)
+/var/log/openshift(/.*)? gen_context(system_u:object_r:openshift_log_t,s0)
+
+/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
+
+/usr/s?bin/oo-lists-ports -- gen_context(system_u:object_r:openshift_net_read_exec_t,s0)
+
+/usr/s?bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/usr/s?bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/usr/s?bin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
+/var/run/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
diff --git a/openshift.if b/openshift.if
new file mode 100644
index 000000000..c20cac397
--- /dev/null
+++ b/openshift.if
@@ -0,0 +1,697 @@
+
+## <summary> policy for openshift </summary>
+
+########################################
+## <summary>
+## Execute openshift server in the openshift domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`openshift_initrc_domtrans',`
+ gen_require(`
+ type openshift_initrc_t;
+ type openshift_initrc_exec_t;
+ ')
+
+ domtrans_pattern($1, openshift_initrc_exec_t, openshift_initrc_t)
+')
+
+#######################################
+## <summary>
+## Execute openshift server in the openshift domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role access to this domain.
+## </summary>
+## </param>
+#
+interface(`openshift_initrc_run',`
+ gen_require(`
+ type openshift_initrc_t;
+ type openshift_initrc_exec_t;
+ ')
+
+ openshift_initrc_domtrans($1)
+ role $2 types openshift_initrc_t;
+')
+
+########################################
+## <summary>
+## Send a null signal to openshift init scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_initrc_signull',`
+ gen_require(`
+ type openshift_initrc_t;
+ ')
+
+ allow $1 openshift_initrc_t:process signull;
+')
+
+#######################################
+## <summary>
+## Send a signal to openshift init scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_initrc_signal',`
+ gen_require(`
+ type openshift_initrc_t;
+ ')
+
+ allow $1 openshift_initrc_t:process signal;
+')
+
+########################################
+## <summary>
+## Search openshift cache directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_search_cache',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Read openshift cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_read_cache_files',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## openshift cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_manage_cache_files',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## openshift cache dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_manage_cache_dirs',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+
+########################################
+## <summary>
+## Allow the specified domain to read openshift's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`openshift_read_log',`
+ gen_require(`
+ type openshift_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, openshift_log_t, openshift_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## openshift log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openshift_append_log',`
+ gen_require(`
+ type openshift_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, openshift_log_t, openshift_log_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage openshift log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`openshift_manage_log',`
+ gen_require(`
+ type openshift_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, openshift_log_t, openshift_log_t)
+ manage_files_pattern($1, openshift_log_t, openshift_log_t)
+ manage_lnk_files_pattern($1, openshift_log_t, openshift_log_t)
+')
+
+########################################
+## <summary>
+## Search openshift lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_search_lib',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ search_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Getattr openshift lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_getattr_lib',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read openshift lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_read_lib_files',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ read_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read openshift lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_append_lib_files',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ append_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## openshift lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_manage_lib_files',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ manage_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## openshift lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_manage_lib_dirs',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage openshift lib content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_manage_content',`
+ gen_require(`
+ attribute openshift_file_type;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, openshift_file_type, openshift_file_type)
+ manage_files_pattern($1, openshift_file_type, openshift_file_type)
+ manage_lnk_files_pattern($1, openshift_file_type, openshift_file_type)
+ manage_sock_files_pattern($1, openshift_file_type, openshift_file_type)
+')
+
+########################################
+## <summary>
+## Relabel openshift library files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_relabelfrom_lib',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ relabel_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ relabel_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Create private objects in the
+## mail lib directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`openshift_lib_filetrans',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ filetrans_pattern($1, openshift_var_lib_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Read openshift PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_read_pid_files',`
+ gen_require(`
+ type openshift_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 openshift_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an openshift environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`openshift_admin',`
+ gen_require(`
+ attribute openshift_domain;
+ type openshift_initrc_exec_t;
+ type openshift_log_t;
+ type openshift_var_lib_t;
+ type openshift_var_run_t;
+ ')
+
+ allow $1 openshift_domain:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 openshift_domain:process ptrace;
+ ')
+ ps_process_pattern($1, openshift_domain)
+
+ openshift_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 openshift_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, openshift_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, openshift_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, openshift_var_run_t)
+
+')
+
+########################################
+## <summary>
+## Make the specified type usable as a openshift domain.
+## </summary>
+## <param name="openshiftdomain_prefix">
+## <summary>
+## The prefix of the domain (e.g., openshift
+## is the prefix for openshift_t).
+## </summary>
+## </param>
+#
+template(`openshift_service_domain_template',`
+ gen_require(`
+ attribute openshift_domain;
+ attribute openshift_user_domain;
+ ')
+
+ type $1_t;
+ typeattribute $1_t openshift_domain, openshift_user_domain;
+ domain_type($1_t)
+ role system_r types $1_t;
+ mcs_constrained($1_t)
+ domain_user_exemption_target($1_t)
+ auth_use_nsswitch($1_t)
+ domain_subj_id_change_exemption($1_t)
+ domain_obj_id_change_exemption($1_t)
+ domain_dyntrans_type($1_t)
+
+ kernel_read_system_state($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ type $1_app_t;
+ typeattribute $1_app_t openshift_domain;
+ domain_type($1_app_t)
+ role system_r types $1_app_t;
+ mcs_constrained($1_app_t)
+ domain_user_exemption_target($1_app_t)
+ domain_obj_id_change_exemption($1_app_t)
+ domain_dyntrans_type($1_app_t)
+ auth_use_nsswitch($1_app_t)
+
+ kernel_read_system_state($1_app_t)
+
+ logging_send_syslog_msg($1_app_t)
+')
+
+########################################
+## <summary>
+## Make the specified type usable as a openshift domain.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a openshift domain type.
+## </summary>
+## </param>
+#
+interface(`openshift_net_type',`
+ gen_require(`
+ attribute openshift_net_domain;
+ ')
+
+ typeattribute $1 openshift_net_domain;
+')
+
+########################################
+## <summary>
+## Read and write inherited openshift files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_rw_inherited_content',`
+ gen_require(`
+ attribute openshift_file_type;
+ ')
+
+ allow $1 openshift_file_type:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Manage openshift tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_manage_tmp_files',`
+ gen_require(`
+ type openshift_tmp_t;
+ ')
+
+ manage_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
+')
+
+########################################
+## <summary>
+## Manage openshift tmp sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_manage_tmp_sockets',`
+ gen_require(`
+ type openshift_tmp_t;
+ ')
+
+ manage_sock_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
+')
+
+########################################
+## <summary>
+## Mounton openshift tmp directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_mounton_tmp',`
+ gen_require(`
+ type openshift_tmp_t;
+ ')
+
+ allow $1 openshift_tmp_t:dir mounton;
+')
+
+########################################
+## <summary>
+## Dontaudit Read and write inherited script fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_dontaudit_rw_inherited_fifo_files',`
+ gen_require(`
+ type openshift_initrc_t;
+ type openshift_t;
+ ')
+
+ dontaudit $1 openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit $1 openshift_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Allow calling app to transition to an openshift domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`openshift_transition',`
+ gen_require(`
+ attribute openshift_user_domain;
+ ')
+
+ allow $1 openshift_user_domain:process transition;
+ dontaudit $1 openshift_user_domain:process { noatsecure siginh rlimitinh };
+ allow openshift_user_domain $1:fd use;
+ allow openshift_user_domain $1:fifo_file rw_inherited_fifo_file_perms;
+ allow openshift_user_domain $1:process sigchld;
+ dontaudit $1 openshift_user_domain:socket_class_set { read write };
+')
+
+########################################
+## <summary>
+## Allow calling app to transition to an openshift domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`openshift_dyntransition',`
+ gen_require(`
+ attribute openshift_domain;
+ attribute openshift_user_domain;
+ ')
+
+ allow $1 openshift_user_domain:process dyntransition;
+ dontaudit openshift_user_domain $1:key view;
+ allow openshift_user_domain $1:unix_stream_socket { connectto rw_socket_perms };
+ allow openshift_user_domain $1:unix_dgram_socket rw_socket_perms;
+ allow $1 openshift_user_domain:process { rlimitinh signal };
+ dontaudit openshift_domain $1:tcp_socket { read write getattr setopt getopt shutdown };
+')
+
+########################################
+## <summary>
+## Execute openshift in the openshift domain, and
+## allow the specified role the openshift domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_run',`
+ gen_require(`
+ type openshift_initrc_exec_t;
+ ')
+
+ openshift_initrc_domtrans($1)
+ role_transition $2 openshift_initrc_exec_t system_r;
+ openshift_transition($1)
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
index 000000000..3ff5b7610
--- /dev/null
+++ b/openshift.te
@@ -0,0 +1,634 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
+ role system_r;
+')
+
+## <desc>
+## <p>
+## Allow openshift to access nfs file systems without labels
+## </p>
+## </desc>
+gen_tunable(openshift_use_nfs, false)
+
+
+########################################
+#
+# Declarations
+#
+
+
+# openshift applications that can use the network.
+attribute openshift_net_domain;
+# Attribute representing all openshift user processes (excludes apache processes)
+attribute openshift_user_domain;
+# Attribute representing all openshift processes
+attribute openshift_domain;
+
+# Attribute for all openshift content
+attribute openshift_file_type;
+
+# Type of openshift init script
+type openshift_initrc_t;
+type openshift_initrc_exec_t;
+init_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t)
+init_ranged_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh)
+domain_obj_id_change_exemption(openshift_initrc_t)
+optional_policy(`
+ oddjob_ranged_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh)
+')
+
+type openshift_initrc_tmp_t;
+files_tmp_file(openshift_initrc_tmp_t)
+
+type openshift_tmpfs_t;
+files_tmpfs_file(openshift_tmpfs_t)
+
+type openshift_tmp_t, openshift_file_type;
+files_tmp_file(openshift_tmp_t)
+files_mountpoint(openshift_tmp_t)
+files_poly(openshift_tmp_t)
+files_poly_parent(openshift_tmp_t)
+
+type openshift_var_run_t;
+files_pid_file(openshift_var_run_t)
+
+type openshift_var_lib_t, openshift_file_type;
+userdom_user_home_content(openshift_var_lib_t)
+files_poly(openshift_var_lib_t)
+files_poly_parent(openshift_var_lib_t)
+files_mountpoint(openshift_var_lib_t)
+
+type openshift_rw_file_t, openshift_file_type;
+files_poly(openshift_rw_file_t)
+files_poly_parent(openshift_rw_file_t)
+
+type openshift_log_t;
+logging_log_file(openshift_log_t)
+
+type openshift_port_t;
+corenet_port(openshift_port_t)
+corenet_reserved_port(openshift_port_t)
+
+type openshift_cgroup_read_t;
+type openshift_cgroup_read_exec_t;
+application_domain(openshift_cgroup_read_t, openshift_cgroup_read_exec_t)
+
+type openshift_net_read_t;
+type openshift_net_read_exec_t;
+application_domain(openshift_net_read_t, openshift_net_read_exec_t)
+
+type openshift_cgroup_read_tmp_t, openshift_file_type;
+files_tmp_file(openshift_cgroup_read_tmp_t)
+
+type openshift_cron_t;
+type openshift_cron_exec_t;
+domain_type(openshift_cron_t)
+domain_entry_file(openshift_cron_t, openshift_cron_exec_t)
+role system_r types openshift_cron_t;
+
+optional_policy(`
+ cron_system_entry(openshift_cron_t, openshift_cron_exec_t)
+')
+
+type openshift_cron_tmp_t, openshift_file_type;
+files_tmp_file(openshift_cron_tmp_t)
+
+########################################
+#
+# Template to create openshift_t and openshift_app_t
+#
+
+openshift_service_domain_template(openshift)
+
+########################################
+#
+# openshift initrc local policy
+#
+
+unconfined_domain_noaudit(openshift_initrc_t)
+mcs_process_set_categories(openshift_initrc_t)
+
+virt_sandbox_domain(openshift_initrc_t)
+
+systemd_dbus_chat_logind(openshift_initrc_t)
+
+manage_dirs_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
+manage_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
+manage_lnk_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
+files_tmp_filetrans(openshift_initrc_t, openshift_initrc_tmp_t, { file dir })
+
+manage_dirs_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
+manage_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
+manage_lnk_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
+files_pid_filetrans(openshift_initrc_t, openshift_var_run_t, { file dir })
+
+manage_dirs_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t)
+manage_files_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t)
+logging_log_filetrans(openshift_initrc_t, openshift_log_t, { file dir })
+
+allow openshift_initrc_t openshift_domain:process { getattr getsched setsched transition signal signull sigkill };
+allow openshift_domain openshift_initrc_t:fd use;
+allow openshift_domain openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
+allow openshift_domain openshift_initrc_t:process sigchld;
+dontaudit openshift_domain openshift_initrc_t:key view;
+dontaudit openshift_domain openshift_initrc_t:process signull;
+dontaudit openshift_domain openshift_initrc_t:socket_class_set { read write };
+
+init_domtrans_script(openshift_initrc_t)
+init_initrc_domain(openshift_initrc_t)
+
+optional_policy(`
+ firewalld_dbus_chat(openshift_initrc_t)
+')
+
+#######################################################
+#
+# Policy for all openshift domains
+#
+allow openshift_domain self:process ~ptrace;
+tunable_policy(`deny_ptrace',`',`
+ allow openshift_domain self:process ptrace;
+')
+
+allow openshift_domain self:msg all_msg_perms;
+allow openshift_domain self:msgq create_msgq_perms;
+allow openshift_domain self:shm create_shm_perms;
+allow openshift_domain self:sem create_sem_perms;
+dontaudit openshift_domain self:dir write;
+dontaudit openshift_domain self:rawip_socket create_socket_perms;
+
+dontaudit openshift_t self:unix_stream_socket recvfrom;
+dontaudit openshift_domain self:netlink_tcpdiag_socket create;
+dontaudit openshift_domain self:netlink_route_socket nlmsg_write;
+allow openshift_domain self:tcp_socket create_stream_socket_perms;
+allow openshift_domain self:fifo_file manage_fifo_file_perms;
+allow openshift_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allow openshift_domain self:unix_dgram_socket { create_socket_perms sendto };
+dontaudit openshift_domain self:netlink_audit_socket { create_socket_perms nlmsg_relay };
+
+manage_dirs_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
+manage_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
+manage_fifo_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
+manage_sock_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
+manage_lnk_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
+allow openshift_domain openshift_rw_file_t:dir_file_class_set { relabelfrom relabelto };
+
+list_dirs_pattern(openshift_domain, openshift_file_type, openshift_file_type)
+read_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
+rw_fifo_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
+rw_sock_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
+read_lnk_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
+allow openshift_domain openshift_file_type:file execmod;
+can_exec(openshift_domain, openshift_file_type)
+allow openshift_domain openshift_file_type:file entrypoint;
+# Allow users to execute files in their home dir
+allow openshift_domain openshift_file_type:file { execute execute_no_trans };
+
+# Dontaudit openshift domains trying to search other openshift domains directories,
+# this happens just when users are probing the system
+dontaudit openshift_domain openshift_file_type:dir search_dir_perms
+;
+
+manage_dirs_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+manage_lnk_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+manage_sock_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+manage_fifo_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file sock_file lnk_file fifo_file })
+can_exec(openshift_domain, openshift_tmpfs_t)
+
+manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_fifo_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_lnk_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_sock_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+files_tmp_filetrans(openshift_domain, openshift_tmp_t, { lnk_file file dir sock_file fifo_file })
+allow openshift_domain openshift_tmp_t:dir_file_class_set { relabelfrom relabelto };
+
+allow openshift_domain openshift_log_t:file { getattr append lock ioctl };
+
+#lsof
+allow openshift_domain openshift_initrc_t:tcp_socket getattr;
+
+dontaudit openshift_domain openshift_initrc_tmp_t:file append;
+dontaudit openshift_domain openshift_var_run_t:file append;
+dontaudit openshift_domain openshift_file_type:sock_file execute;
+
+kernel_dontaudit_search_network_state(openshift_domain)
+kernel_dontaudit_list_all_proc(openshift_domain)
+kernel_dontaudit_list_all_sysctls(openshift_domain)
+kernel_dontaudit_request_load_module(openshift_domain)
+kernel_get_sysvipc_info(openshift_domain)
+
+corecmd_shell_entry_type(openshift_domain)
+corecmd_bin_entry_type(openshift_domain)
+corecmd_exec_all_executables(openshift_domain)
+
+dev_read_sysfs(openshift_domain)
+dev_read_rand(openshift_domain)
+dev_read_urand(openshift_domain)
+dev_dontaudit_append_rand(openshift_domain)
+dev_dontaudit_write_urand(openshift_domain)
+dev_dontaudit_getattr_all_blk_files(openshift_domain)
+dev_dontaudit_getattr_all_chr_files(openshift_domain)
+dev_dontaudit_all_access_check(openshift_domain)
+
+domain_use_interactive_fds(openshift_domain)
+domain_dontaudit_read_all_domains_state(openshift_domain)
+
+files_read_var_lib_symlinks(openshift_domain)
+
+fs_rw_hugetlbfs_files(openshift_domain)
+fs_rw_anon_inodefs_files(openshift_domain)
+fs_search_tmpfs(openshift_domain)
+fs_getattr_all_fs(openshift_domain)
+fs_dontaudit_getattr_all_fs(openshift_domain)
+fs_list_inotifyfs(openshift_domain)
+fs_dontaudit_list_auto_mountpoints(openshift_domain)
+fs_dontaudit_list_tmpfs(openshift_domain)
+storage_dontaudit_getattr_fixed_disk_dev(openshift_domain)
+storage_getattr_fixed_disk_dev(openshift_domain)
+fs_get_xattr_fs_quotas(openshift_domain)
+fs_rw_inherited_tmpfs_files(openshift_domain)
+fs_dontaudit_rw_anon_inodefs_files(openshift_domain)
+
+dontaudit openshift_domain file_type:dir read;
+files_dontaudit_list_home(openshift_domain)
+files_dontaudit_search_all_pids(openshift_domain)
+files_dontaudit_getattr_all_dirs(openshift_domain)
+files_dontaudit_getattr_all_files(openshift_domain)
+files_dontaudit_list_mnt(openshift_domain)
+files_dontaudit_list_var(openshift_domain)
+files_dontaudit_getattr_lost_found_dirs(openshift_domain)
+files_dontaudit_search_all_mountpoints(openshift_domain)
+files_dontaudit_search_spool(openshift_domain)
+files_dontaudit_search_all_dirs(openshift_domain)
+files_exec_etc_files(openshift_domain)
+files_exec_usr_files(openshift_domain)
+files_dontaudit_getattr_non_security_sockets(openshift_domain)
+files_dontaudit_setattr_non_security_dirs(openshift_domain)
+files_dontaudit_setattr_non_security_files(openshift_domain)
+files_dontaudit_rw_inherited_locks(openshift_domain)
+
+libs_exec_lib_files(openshift_domain)
+libs_exec_ld_so(openshift_domain)
+
+selinux_validate_context(openshift_domain)
+
+logging_inherit_append_all_logs(openshift_domain)
+
+init_dontaudit_read_utmp(openshift_domain)
+
+miscfiles_read_fonts(openshift_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(openshift_domain)
+
+mta_dontaudit_read_spool_symlinks(openshift_domain)
+
+term_dontaudit_search_ptys(openshift_domain)
+term_use_generic_ptys(openshift_domain)
+term_dontaudit_getattr_generic_ptys(openshift_domain)
+term_use_ptmx(openshift_domain)
+
+userdom_use_inherited_user_ptys(openshift_domain)
+userdom_dontaudit_search_admin_dir(openshift_domain)
+
+application_exec(openshift_domain)
+
+optional_policy(`
+ apache_exec_modules(openshift_domain)
+ apache_list_modules(openshift_domain)
+ apache_read_config(openshift_domain)
+ apache_search_config(openshift_domain)
+ apache_read_sys_content(openshift_domain)
+ apache_exec_sys_script(openshift_domain)
+ apache_entrypoint(openshift_domain)
+ apache_dontaudit_read_log(openshift_domain)
+')
+
+optional_policy(`
+ #############################################
+ #
+ # openshift cgi script policy
+ #
+ apache_content_template(openshift)
+ apache_content_alias_template(openshift, openshift)
+ domtrans_pattern(openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t)
+
+ optional_policy(`
+ dbus_system_bus_client(openshift_script_t)
+
+ optional_policy(`
+ oddjob_dbus_chat(openshift_script_t)
+ oddjob_dontaudit_rw_fifo_file(openshift_domain)
+ ')
+ ')
+')
+
+optional_policy(`
+ cron_role(system_r, openshift_domain)
+')
+
+optional_policy(`
+ gear_search_lib(openshift_domain)
+')
+
+optional_policy(`
+ gpg_entry_type(openshift_domain)
+')
+
+optional_policy(`
+ mysql_search_db(openshift_domain)
+')
+
+optional_policy(`
+ screen_exec(openshift_domain)
+')
+
+optional_policy(`
+ ssh_use_ptys(openshift_domain)
+ ssh_getattr_user_home_dir(openshift_domain)
+ ssh_dontaudit_search_user_home_dir(openshift_domain)
+')
+
+optional_policy(`
+ udev_read_pid_files(openshift_domain)
+')
+
+#######################################################
+#
+# Policy for openshift user domain process
+#
+manage_dirs_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
+manage_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
+manage_fifo_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
+manage_sock_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
+manage_lnk_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
+allow openshift_user_domain openshift_file_type:dir_file_class_set { relabelfrom relabelto };
+
+allow openshift_user_domain openshift_domain:process transition;
+allow openshift_domain openshift_user_domain:fd use;
+allow openshift_domain openshift_user_domain:fifo_file rw_inherited_fifo_file_perms;
+allow openshift_domain openshift_user_domain:process sigchld;
+dontaudit openshift_domain openshift_user_domain:key view;
+dontaudit openshift_domain openshift_user_domain:process signull;
+dontaudit openshift_domain openshift_user_domain:socket_class_set { read write };
+
+tunable_policy(`deny_ptrace',`',`
+ allow openshift_user_domain openshift_domain:process ptrace;
+')
+
+mta_signal_user_agent(openshift_user_domain)
+
+optional_policy(`
+ ssh_rw_tcp_sockets(openshift_user_domain)
+')
+
+############################################################################
+#
+# Rules specific to openshift_net_domains
+#
+allow openshift_net_domain openshift_port_t:tcp_socket { name_connect name_bind };
+allow openshift_net_domain openshift_port_t:udp_socket name_bind;
+
+corenet_tcp_connect_mssql_port(openshift_net_domain)
+corenet_tcp_connect_mysqld_port(openshift_net_domain)
+corenet_tcp_connect_postgresql_port(openshift_net_domain)
+corenet_tcp_connect_git_port(openshift_net_domain)
+corenet_tcp_connect_oracle_port(openshift_net_domain)
+corenet_tcp_connect_flash_port(openshift_net_domain)
+corenet_tcp_connect_http_port(openshift_net_domain)
+corenet_tcp_connect_ftp_port(openshift_net_domain)
+#/* These ports are the ephemeral ports needed for ftp */
+corenet_tcp_connect_virt_migration_port(openshift_net_domain)
+corenet_tcp_connect_ssh_port(openshift_net_domain)
+corenet_tcp_connect_jacorb_port(openshift_net_domain)
+corenet_tcp_connect_jboss_management_port(openshift_net_domain)
+corenet_tcp_connect_jboss_debug_port(openshift_net_domain)
+corenet_tcp_connect_jboss_messaging_port(openshift_net_domain)
+corenet_tcp_connect_memcache_port(openshift_net_domain)
+corenet_tcp_connect_http_cache_port(openshift_net_domain)
+corenet_tcp_connect_amqp_port(openshift_net_domain)
+corenet_tcp_connect_generic_port(openshift_net_domain)
+corenet_tcp_connect_mongod_port(openshift_net_domain)
+corenet_tcp_connect_munin_port(openshift_net_domain)
+corenet_tcp_connect_pop_port(openshift_net_domain)
+corenet_tcp_connect_pulseaudio_port(openshift_net_domain)
+corenet_tcp_connect_smtp_port(openshift_net_domain)
+corenet_tcp_connect_whois_port(openshift_net_domain)
+corenet_udp_bind_generic_port(openshift_net_domain)
+corenet_tcp_bind_http_cache_port(openshift_domain)
+corenet_tcp_bind_jacorb_port(openshift_net_domain)
+corenet_tcp_bind_jboss_management_port(openshift_net_domain)
+corenet_tcp_bind_jboss_messaging_port(openshift_net_domain)
+corenet_tcp_bind_jboss_debug_port(openshift_net_domain)
+corenet_tcp_bind_mongod_port(openshift_net_domain)
+corenet_tcp_bind_mysqld_port(openshift_domain)
+corenet_tcp_bind_pulseaudio_port(openshift_net_domain)
+corenet_tcp_bind_postgresql_port(openshift_net_domain)
+
+############################################################################
+#
+# Rules specific to openshift and openshift_app_t
+#
+kernel_read_vm_sysctls(openshift_t)
+kernel_read_vm_sysctls(openshift_app_t)
+kernel_search_vm_sysctl(openshift_t)
+kernel_search_vm_sysctl(openshift_app_t)
+netutils_domtrans_ping(openshift_t)
+netutils_kill_ping(openshift_t)
+netutils_signal_ping(openshift_t)
+
+openshift_net_type(openshift_app_t)
+openshift_net_type(openshift_t)
+
+optional_policy(`
+ postfix_rw_public_pipes(openshift_t)
+ postfix_manage_spool_maildrop_files(openshift_t)
+')
+
+########################################
+#
+# openshift_cgroup_read local policy
+#
+
+allow openshift_cgroup_read_t self:process { getattr signal_perms };
+allow openshift_cgroup_read_t self:fifo_file rw_fifo_file_perms;
+allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms;
+allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
+
+allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms;
+
+manage_dirs_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t)
+manage_files_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t)
+files_tmp_filetrans(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, { file dir })
+
+kernel_read_system_state(openshift_cgroup_read_t)
+
+term_dontaudit_use_generic_ptys(openshift_cgroup_read_t)
+
+auth_read_passwd(openshift_cgroup_read_t)
+
+miscfiles_read_localization(openshift_cgroup_read_t)
+
+optional_policy(`
+ ssh_use_ptys(openshift_cgroup_read_t)
+')
+
+corecmd_exec_bin(openshift_cgroup_read_t)
+corecmd_exec_shell(openshift_cgroup_read_t)
+
+dev_read_urand(openshift_cgroup_read_t)
+
+domain_use_interactive_fds(openshift_cgroup_read_t)
+
+fs_dontaudit_rw_anon_inodefs_files(openshift_cgroup_read_t)
+
+userdom_use_inherited_user_ptys(openshift_cgroup_read_t)
+
+miscfiles_read_generic_certs(openshift_cgroup_read_t)
+
+domtrans_pattern(openshift_domain, openshift_cgroup_read_exec_t, openshift_cgroup_read_t)
+role system_r types openshift_cgroup_read_t;
+
+allow openshift_domain openshift_cgroup_read_t:process { getattr signal signull sigkill };
+
+fs_list_cgroup_dirs(openshift_cgroup_read_t)
+fs_read_cgroup_files(openshift_cgroup_read_t)
+
+allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms;
+manage_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)
+allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms;
+
+########################################
+#
+# openshift_net_read local policy
+#
+
+allow openshift_net_read_t self:process { getattr signal_perms };
+allow openshift_net_read_t self:fifo_file rw_fifo_file_perms;
+allow openshift_net_read_t self:unix_stream_socket create_stream_socket_perms;
+allow openshift_net_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
+
+allow openshift_net_read_t openshift_file_type:file rw_inherited_file_perms;
+
+kernel_read_network_state(openshift_net_read_t)
+kernel_read_system_state(openshift_net_read_t)
+
+corecmd_exec_bin(openshift_net_read_t)
+corecmd_exec_shell(openshift_net_read_t)
+
+dev_read_urand(openshift_net_read_t)
+
+domain_use_interactive_fds(openshift_net_read_t)
+
+fs_dontaudit_rw_anon_inodefs_files(openshift_net_read_t)
+
+term_dontaudit_use_generic_ptys(openshift_net_read_t)
+
+auth_read_passwd(openshift_net_read_t)
+
+userdom_use_inherited_user_ptys(openshift_net_read_t)
+
+miscfiles_read_generic_certs(openshift_net_read_t)
+miscfiles_read_localization(openshift_net_read_t)
+
+optional_policy(`
+ ssh_use_ptys(openshift_net_read_t)
+')
+
+domtrans_pattern(openshift_domain, openshift_net_read_exec_t, openshift_net_read_t)
+role system_r types openshift_net_read_t;
+
+allow openshift_domain openshift_net_read_t:process { getattr signal signull sigkill };
+
+allow openshift_net_read_t openshift_var_lib_t:dir list_dir_perms;
+manage_files_pattern(openshift_net_read_t, openshift_var_lib_t, openshift_var_lib_t)
+allow openshift_net_read_t openshift_file_type:file rw_inherited_file_perms;
+
+########################################
+#
+# openshift_cron local policy
+#
+allow openshift_cron_t self:capability { dac_read_search net_admin sys_admin };
+allow openshift_cron_t self:process signal_perms;
+allow openshift_cron_t self:tcp_socket create_stream_socket_perms;
+allow openshift_cron_t self:udp_socket create_socket_perms;
+allow openshift_cron_t self:unix_dgram_socket create_socket_perms;
+allow openshift_cron_t self:netlink_route_socket rw_netlink_socket_perms;
+
+append_files_pattern(openshift_cron_t, openshift_log_t, openshift_log_t)
+manage_dirs_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+manage_fifo_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+manage_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+manage_lnk_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+manage_sock_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+files_tmp_filetrans(openshift_cron_t, openshift_cron_tmp_t, { lnk_file file dir sock_file fifo_file })
+
+openshift_manage_lib_dirs(openshift_cron_t)
+openshift_manage_lib_files(openshift_cron_t)
+
+kernel_search_network_sysctl(openshift_cron_t)
+kernel_read_network_state(openshift_cron_t)
+kernel_read_system_state(openshift_cron_t)
+
+files_dontaudit_search_all_mountpoints(openshift_cron_t)
+
+corecmd_exec_bin(openshift_cron_t)
+corecmd_exec_shell(openshift_cron_t)
+
+dev_read_raw_memory(openshift_cron_t)
+dev_read_urand(openshift_cron_t)
+
+corenet_udp_bind_generic_node(openshift_cron_t)
+corenet_udp_bind_generic_port(openshift_cron_t)
+
+dev_getattr_fs(openshift_cron_t)
+dev_list_sysfs(openshift_cron_t)
+dev_read_sysfs(openshift_cron_t)
+
+files_getattr_home_dir(openshift_cron_t)
+files_manage_etc_files(openshift_cron_t)
+
+fs_getattr_tmpfs_dirs(openshift_cron_t)
+fs_getattr_all_fs(openshift_cron_t)
+fs_list_hugetlbfs(openshift_cron_t)
+fs_search_cgroup_dirs(openshift_cron_t)
+
+seutil_domtrans_setfiles(openshift_cron_t)
+
+term_getattr_pty_fs(openshift_cron_t)
+term_search_ptys(openshift_cron_t)
+
+auth_use_nsswitch(openshift_cron_t)
+
+miscfiles_read_generic_certs(openshift_cron_t)
+miscfiles_read_hwdata(openshift_cron_t)
+
+sysnet_exec_ifconfig(openshift_cron_t)
+sysnet_read_config(openshift_cron_t)
+
+optional_policy(`
+ dmidecode_exec(openshift_cron_t)
+')
+
+optional_policy(`
+ hostname_exec(openshift_cron_t)
+')
+
+optional_policy(`
+ quota_read_db(openshift_cron_t)
+')
+
+optional_policy(`
+ ssh_domtrans_keygen(openshift_cron_t)
+ ssh_dontaudit_read_server_keys(openshift_cron_t)
+')
+
+tunable_policy(`openshift_use_nfs',`
+ fs_list_auto_mountpoints(openshift_domain)
+ fs_manage_nfs_dirs(openshift_domain)
+ fs_manage_nfs_files(openshift_domain)
+ fs_manage_nfs_symlinks(openshift_domain)
+ fs_exec_nfs_files(openshift_domain)
+')
diff --git a/opensm.fc b/opensm.fc
new file mode 100644
index 000000000..65511ed7a
--- /dev/null
+++ b/opensm.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/opensm.* -- gen_context(system_u:object_r:opensm_unit_file_t,s0)
+
+/usr/libexec/opensm-launch -- gen_context(system_u:object_r:opensm_exec_t,s0)
+
+/var/cache/opensm(/.*)? gen_context(system_u:object_r:opensm_cache_t,s0)
+
+/var/log/opensm.* -- gen_context(system_u:object_r:opensm_log_t,s0)
diff --git a/opensm.if b/opensm.if
new file mode 100644
index 000000000..45de66477
--- /dev/null
+++ b/opensm.if
@@ -0,0 +1,224 @@
+
+## <summary>Opensm is an InfiniBand compliant Subnet Manager and Administration, and runs on top of OpenIB</summary>
+
+########################################
+## <summary>
+## Execute opensm in the opensm domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`opensm_domtrans',`
+ gen_require(`
+ type opensm_t, opensm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, opensm_exec_t, opensm_t)
+')
+
+########################################
+## <summary>
+## Search opensm cache directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`opensm_search_cache',`
+ gen_require(`
+ type opensm_cache_t;
+ ')
+
+ allow $1 opensm_cache_t:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+## <summary>
+## Read opensm cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`opensm_read_cache_files',`
+ gen_require(`
+ type opensm_cache_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, opensm_cache_t, opensm_cache_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## opensm cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`opensm_manage_cache_files',`
+ gen_require(`
+ type opensm_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, opensm_cache_t, opensm_cache_t)
+')
+
+########################################
+## <summary>
+## Manage opensm cache dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`opensm_manage_cache_dirs',`
+ gen_require(`
+ type opensm_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, opensm_cache_t, opensm_cache_t)
+')
+
+########################################
+## <summary>
+## Read opensm's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`opensm_read_log',`
+ gen_require(`
+ type opensm_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, opensm_log_t, opensm_log_t)
+')
+
+########################################
+## <summary>
+## Append to opensm log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`opensm_append_log',`
+ gen_require(`
+ type opensm_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, opensm_log_t, opensm_log_t)
+')
+
+########################################
+## <summary>
+## Manage opensm log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`opensm_manage_log',`
+ gen_require(`
+ type opensm_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, opensm_log_t, opensm_log_t)
+ manage_files_pattern($1, opensm_log_t, opensm_log_t)
+ manage_lnk_files_pattern($1, opensm_log_t, opensm_log_t)
+')
+########################################
+## <summary>
+## Execute opensm server in the opensm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`opensm_systemctl',`
+ gen_require(`
+ type opensm_t;
+ type opensm_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 opensm_unit_file_t:file read_file_perms;
+ allow $1 opensm_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, opensm_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an opensm environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`opensm_admin',`
+ gen_require(`
+ type opensm_t;
+ type opensm_cache_t;
+ type opensm_log_t;
+ type opensm_unit_file_t;
+ ')
+
+ allow $1 opensm_t:process { signal_perms };
+ ps_process_pattern($1, opensm_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 opensm_t:process ptrace;
+ ')
+
+ files_search_var($1)
+ admin_pattern($1, opensm_cache_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, opensm_log_t)
+
+ opensm_systemctl($1)
+ admin_pattern($1, opensm_unit_file_t)
+ allow $1 opensm_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/opensm.te b/opensm.te
new file mode 100644
index 000000000..87c86edb9
--- /dev/null
+++ b/opensm.te
@@ -0,0 +1,46 @@
+policy_module(opensm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type opensm_t;
+type opensm_exec_t;
+init_daemon_domain(opensm_t, opensm_exec_t)
+
+type opensm_cache_t;
+files_type(opensm_cache_t)
+
+type opensm_log_t;
+logging_log_file(opensm_log_t)
+
+type opensm_unit_file_t;
+systemd_unit_file(opensm_unit_file_t)
+
+########################################
+#
+# opensm local policy
+#
+allow opensm_t self:process { signal fork };
+allow opensm_t self:fifo_file rw_fifo_file_perms;
+allow opensm_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
+manage_files_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
+files_var_filetrans(opensm_t, opensm_cache_t, { dir file })
+
+manage_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+logging_log_filetrans(opensm_t, opensm_log_t, file )
+
+kernel_read_system_state(opensm_t)
+
+auth_use_nsswitch(opensm_t)
+
+corecmd_exec_bin(opensm_t)
+
+dev_read_sysfs(opensm_t)
+dev_rw_infiniband_dev(opensm_t)
+dev_rw_infiniband_mgmt_dev(opensm_t)
+
+logging_send_syslog_msg(opensm_t)
diff --git a/openvpn.fc b/openvpn.fc
index 300213f83..4cdfe097c 100644
--- a/openvpn.fc
+++ b/openvpn.fc
@@ -1,10 +1,13 @@
/etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0)
+/etc/openvpn/scripts(/.*)? gen_context(system_u:object_r:openvpn_unconfined_script_exec_t,s0)
/etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
/usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
+/var/lib/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_lib_t,s0)
+
/var/log/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0)
/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
diff --git a/openvpn.if b/openvpn.if
index 6837e9a2b..8d6e33b00 100644
--- a/openvpn.if
+++ b/openvpn.if
@@ -23,6 +23,25 @@ interface(`openvpn_domtrans',`
########################################
## <summary>
## Execute openvpn clients in the
+## caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openvpn_exec',`
+ gen_require(`
+ type openvpn_exec_t;
+ ')
+
+ can_exec($1, openvpn_exec_t)
+')
+
+########################################
+## <summary>
+## Execute openvpn clients in the
## openvpn domain, and allow the
## specified role the openvpn domain.
## </summary>
@@ -123,6 +142,44 @@ interface(`openvpn_read_config',`
allow $1 openvpn_etc_t:lnk_file read_lnk_file_perms;
')
+####################################
+## <summary>
+## Connect to openvpn over
+## a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openvpn_stream_connect',`
+ gen_require(`
+ type openvpn_t, openvpn_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, openvpn_var_run_t, openvpn_var_run_t, openvpn_t)
+')
+
+########################################
+## <summary>
+## Read and write to sopenvpn_image devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openvpn_noatsecure',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ allow $1 openvpn_t:process noatsecure;
+')
+
########################################
## <summary>
## All of the rules required to
@@ -147,9 +204,13 @@ interface(`openvpn_admin',`
type openvpn_status_t;
')
- allow $1 openvpn_t:process { ptrace signal_perms };
+ allow $1 openvpn_t:process signal_perms;
ps_process_pattern($1, openvpn_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 openvpn_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te
index 63957a362..91dead6e7 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2)
#
## <desc>
+## <p>
+## Allow openvpn to run unconfined scripts
+## </p>
+## </desc>
+gen_tunable(openvpn_run_unconfined, false)
+
+## <desc>
## <p>
## Determine whether openvpn can
## read generic user home content files.
@@ -19,7 +26,7 @@ gen_tunable(openvpn_enable_homedirs, false)
## connect to the TCP network.
## </p>
## </desc>
-gen_tunable(openvpn_can_network_connect, false)
+gen_tunable(openvpn_can_network_connect, true)
attribute_role openvpn_roles;
@@ -40,6 +47,9 @@ init_script_file(openvpn_initrc_exec_t)
type openvpn_status_t;
logging_log_file(openvpn_status_t)
+type openvpn_var_lib_t;
+files_type(openvpn_var_lib_t)
+
type openvpn_tmp_t;
files_tmp_file(openvpn_tmp_t)
@@ -54,7 +64,7 @@ files_pid_file(openvpn_var_run_t)
# Local policy
#
-allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
+allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
allow openvpn_t self:process { signal getsched setsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
allow openvpn_t self:unix_dgram_socket sendto;
@@ -63,6 +73,8 @@ allow openvpn_t self:tcp_socket server_stream_socket_perms;
allow openvpn_t self:tun_socket { create_socket_perms relabelfrom relabelto };
allow openvpn_t self:netlink_route_socket nlmsg_write;
+dontaudit openvpn_t self:capability2 block_suspend ;
+
allow openvpn_t openvpn_etc_t:dir list_dir_perms;
allow openvpn_t openvpn_etc_t:file read_file_perms;
allow openvpn_t openvpn_etc_t:lnk_file read_lnk_file_perms;
@@ -73,18 +85,23 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
allow openvpn_t openvpn_status_t:file manage_file_perms;
logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
+manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
+files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
+
+manage_files_pattern(openvpn_t, openvpn_var_lib_t, openvpn_var_lib_t)
+files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file })
+
allow openvpn_t openvpn_tmp_t:file manage_file_perms;
files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-setattr_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
+manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
-files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
+manage_sock_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
+files_pid_filetrans(openvpn_t, openvpn_var_run_t, { sock_file file dir })
can_exec(openvpn_t, openvpn_etc_t)
@@ -97,7 +114,6 @@ kernel_request_load_module(openvpn_t)
corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t)
-corenet_all_recvfrom_unlabeled(openvpn_t)
corenet_all_recvfrom_netlabel(openvpn_t)
corenet_tcp_sendrecv_generic_if(openvpn_t)
corenet_udp_sendrecv_generic_if(openvpn_t)
@@ -117,13 +133,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
corenet_sendrecv_http_server_packets(openvpn_t)
corenet_tcp_bind_http_port(openvpn_t)
corenet_sendrecv_http_client_packets(openvpn_t)
+corenet_tcp_connect_squid_port(openvpn_t)
corenet_tcp_connect_http_port(openvpn_t)
corenet_tcp_sendrecv_http_port(openvpn_t)
-
corenet_sendrecv_http_cache_client_packets(openvpn_t)
corenet_tcp_connect_http_cache_port(openvpn_t)
corenet_tcp_sendrecv_http_cache_port(openvpn_t)
+corenet_tcp_connect_tor_port(openvpn_t)
+
corenet_rw_tun_tap_dev(openvpn_t)
dev_read_rand(openvpn_t)
@@ -132,21 +150,31 @@ files_read_etc_runtime_files(openvpn_t)
fs_getattr_all_fs(openvpn_t)
fs_search_auto_mountpoints(openvpn_t)
+fs_list_cgroup_dirs(openvpn_t)
auth_use_pam(openvpn_t)
-miscfiles_read_localization(openvpn_t)
+logging_send_syslog_msg(openvpn_t)
+
miscfiles_read_all_certs(openvpn_t)
+sysnet_dns_name_resolve(openvpn_t)
sysnet_exec_ifconfig(openvpn_t)
sysnet_manage_config(openvpn_t)
sysnet_etc_filetrans_config(openvpn_t)
sysnet_use_ldap(openvpn_t)
-userdom_use_user_terminals(openvpn_t)
+systemd_passwd_agent_domtrans(openvpn_t)
+systemd_manage_passwd_run(openvpn_t)
+
+userdom_use_inherited_user_terminals(openvpn_t)
+userdom_read_home_certs(openvpn_t)
+userdom_attach_admin_tun_iface(openvpn_t)
+userdom_read_inherited_user_tmp_files(openvpn_t)
+userdom_read_inherited_user_home_content_files(openvpn_t)
tunable_policy(`openvpn_enable_homedirs',`
- userdom_read_user_home_content_files(openvpn_t)
+ userdom_search_user_home_dirs(openvpn_t)
')
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
@@ -164,10 +192,20 @@ tunable_policy(`openvpn_can_network_connect',`
')
optional_policy(`
+ brctl_domtrans(openvpn_t)
+')
+
+optional_policy(`
daemontools_service_domain(openvpn_t, openvpn_exec_t)
')
optional_policy(`
+ networkmanager_stream_connect(openvpn_t)
+ networkmanager_manage_pid_files(openvpn_t)
+ networkmanager_manage_pid_sock_files(openvpn_t)
+')
+
+optional_policy(`
dbus_system_bus_client(openvpn_t)
dbus_connect_system_bus(openvpn_t)
@@ -175,3 +213,27 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
')
+
+optional_policy(`
+ unconfined_attach_tun_iface(openvpn_t)
+')
+
+type openvpn_unconfined_script_t;
+type openvpn_unconfined_script_exec_t;
+domain_type(openvpn_unconfined_script_t)
+domain_entry_file(openvpn_unconfined_script_t, openvpn_unconfined_script_exec_t)
+corecmd_shell_entry_type(openvpn_unconfined_script_t)
+role system_r types openvpn_unconfined_script_t;
+
+allow openvpn_t openvpn_unconfined_script_exec_t:dir search_dir_perms;
+allow openvpn_t openvpn_unconfined_script_exec_t:file ioctl;
+
+optional_policy(`
+ unconfined_domain(openvpn_unconfined_script_t)
+')
+
+tunable_policy(`openvpn_run_unconfined',`
+ domtrans_pattern(openvpn_t, openvpn_unconfined_script_exec_t, openvpn_unconfined_script_t)
+',`
+ can_exec(openvpn_t, openvpn_unconfined_script_exec_t)
+')
diff --git a/openvswitch.fc b/openvswitch.fc
index 45d7cc508..c5b9607c1 100644
--- a/openvswitch.fc
+++ b/openvswitch.fc
@@ -1,12 +1,16 @@
-/etc/rc\.d/init\.d/openvswitch -- gen_context(system_u:object_r:openvswitch_initrc_exec_t,s0)
+/usr/lib/systemd/system/openvswitch.service -- gen_context(system_u:object_r:openvswitch_unit_file_t,s0)
-/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_conf_t,s0)
+/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/bin/ovs-vsctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/sbin/ovsdb-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/sbin/ovsdb-server -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/sbin/ovs-vswitchd -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/bin/ovs-appctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
-/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
-/usr/share/openvswitch/scripts/openvswitch\.init -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0)
-/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0)
+/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0)
-/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0)
+/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0)
-/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0)
+/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_rw_t,s0)
diff --git a/openvswitch.if b/openvswitch.if
index 9b157305b..cb00f200a 100644
--- a/openvswitch.if
+++ b/openvswitch.if
@@ -1,13 +1,14 @@
-## <summary>Multilayer virtual switch.</summary>
+
+## <summary>policy for openvswitch</summary>
########################################
## <summary>
-## Execute openvswitch in the openvswitch domain.
+## Execute TEMPLATE in the openvswitch domin.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`openvswitch_domtrans',`
@@ -18,10 +19,145 @@ interface(`openvswitch_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, openvswitch_exec_t, openvswitch_t)
')
+########################################
+## <summary>
+## Read openvswitch's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`openvswitch_read_log',`
+ gen_require(`
+ type openvswitch_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
+')
+
+########################################
+## <summary>
+## Append to openvswitch log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openvswitch_append_log',`
+ gen_require(`
+ type openvswitch_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
+')
########################################
## <summary>
-## Read openvswitch pid files.
+## Manage openvswitch log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openvswitch_manage_log',`
+ gen_require(`
+ type openvswitch_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, openvswitch_log_t, openvswitch_log_t)
+ manage_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
+ manage_lnk_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
+')
+
+########################################
+## <summary>
+## Search openvswitch lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openvswitch_search_lib',`
+ gen_require(`
+ type openvswitch_var_lib_t;
+ ')
+
+ allow $1 openvswitch_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read openvswitch lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openvswitch_read_lib_files',`
+ gen_require(`
+ type openvswitch_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage openvswitch lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openvswitch_manage_lib_files',`
+ gen_require(`
+ type openvswitch_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage openvswitch lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openvswitch_manage_lib_dirs',`
+ gen_require(`
+ type openvswitch_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read openvswitch PID files.
## </summary>
## <param name="domain">
## <summary>
@@ -40,44 +176,87 @@ interface(`openvswitch_read_pid_files',`
########################################
## <summary>
-## All of the rules required to
-## administrate an openvswitch environment.
+## Allow stream connect to openvswitch.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+#
+
+interface(`openvswitch_stream_connect',`
+ gen_require(`
+ type openvswitch_t, openvswitch_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t, openvswitch_t)
+')
+
+########################################
+## <summary>
+## Execute openvswitch server in the openvswitch domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openvswitch_systemctl',`
+ gen_require(`
+ type openvswitch_t;
+ type openvswitch_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 openvswitch_unit_file_t:file read_file_perms;
+ allow $1 openvswitch_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, openvswitch_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an openvswitch environment
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`openvswitch_admin',`
gen_require(`
- type openvswitch_t, openvswitch_initrc_exec_t, openvswitch_conf_t;
- type openvswitch_var_lib_t, openvswitch_log_t, openvswitch_var_run_t;
+ type openvswitch_t, openvswitch_log_t, openvswitch_var_lib_t;
+ type openvswitch_rw_t, openvswitch_var_run_t, openvswitch_unit_file_t;
')
allow $1 openvswitch_t:process { ptrace signal_perms };
ps_process_pattern($1, openvswitch_t)
- init_labeled_script_domtrans($1, openvswitch_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openvswitch_initrc_exec_t system_r;
- allow $2 system_r;
+ logging_search_logs($1)
+ admin_pattern($1, openvswitch_rw_t)
- files_search_etc($1)
- admin_pattern($1, openvswitch_conf_t)
+ logging_search_logs($1)
+ admin_pattern($1, openvswitch_log_t)
files_search_var_lib($1)
admin_pattern($1, openvswitch_var_lib_t)
- logging_search_logs($1)
- admin_pattern($1, openvswitch_log_t)
-
files_search_pids($1)
admin_pattern($1, openvswitch_var_run_t)
+
+ openvswitch_systemctl($1)
+ admin_pattern($1, openvswitch_unit_file_t)
+ allow $1 openvswitch_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/openvswitch.te b/openvswitch.te
index 44dbc99ab..6221f5b9a 100644
--- a/openvswitch.te
+++ b/openvswitch.te
@@ -9,11 +9,8 @@ type openvswitch_t;
type openvswitch_exec_t;
init_daemon_domain(openvswitch_t, openvswitch_exec_t)
-type openvswitch_initrc_exec_t;
-init_script_file(openvswitch_initrc_exec_t)
-
-type openvswitch_conf_t;
-files_config_file(openvswitch_conf_t)
+type openvswitch_rw_t;
+files_config_file(openvswitch_rw_t)
type openvswitch_var_lib_t;
files_type(openvswitch_var_lib_t)
@@ -27,20 +24,29 @@ files_tmp_file(openvswitch_tmp_t)
type openvswitch_var_run_t;
files_pid_file(openvswitch_var_run_t)
+type openvswitch_unit_file_t;
+systemd_unit_file(openvswitch_unit_file_t)
+
########################################
#
-# Local policy
+# openvswitch local policy
#
-allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock };
-allow openvswitch_t self:process { setrlimit setsched signal };
+allow openvswitch_t self:capability { dac_override dac_read_search net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill };
+allow openvswitch_t self:capability2 block_suspend;
+allow openvswitch_t self:process { fork setsched setrlimit signal setcap };
allow openvswitch_t self:fifo_file rw_fifo_file_perms;
-allow openvswitch_t self:rawip_socket create_socket_perms;
-allow openvswitch_t self:unix_stream_socket { accept connectto listen };
+allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow openvswitch_t self:tcp_socket create_stream_socket_perms;
+allow openvswitch_t self:netlink_socket create_socket_perms;
+allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
+allow openvswitch_t self:netlink_generic_socket create_socket_perms;
+
+can_exec(openvswitch_t, openvswitch_exec_t)
-manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
-manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
-manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
+manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
+manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
+manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
@@ -48,9 +54,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
-append_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
-create_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
-setattr_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
+manage_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
@@ -63,35 +67,71 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
-files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
-
-can_exec(openvswitch_t, openvswitch_exec_t)
+files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file sock_file })
+kernel_load_module(openvswitch_t)
kernel_read_network_state(openvswitch_t)
kernel_read_system_state(openvswitch_t)
+kernel_request_load_module(openvswitch_t)
+kernel_read_net_sysctls(openvswitch_t)
-corenet_all_recvfrom_unlabeled(openvswitch_t)
-corenet_all_recvfrom_netlabel(openvswitch_t)
-corenet_raw_sendrecv_generic_if(openvswitch_t)
-corenet_raw_sendrecv_generic_node(openvswitch_t)
+corenet_tcp_connect_xodbc_connect_port(openvswitch_t)
+corenet_tcp_connect_ovsdb_port(openvswitch_t)
+corenet_tcp_connect_openflow_port(openvswitch_t)
+corenet_tcp_connect_openvswitch_port(openvswitch_t)
+corenet_tcp_bind_generic_node(openvswitch_t)
+corenet_tcp_bind_openvswitch_port(openvswitch_t)
corecmd_exec_bin(openvswitch_t)
+corecmd_exec_shell(openvswitch_t)
+dev_read_rand(openvswitch_t)
dev_read_urand(openvswitch_t)
+dev_read_sysfs(openvswitch_t)
domain_use_interactive_fds(openvswitch_t)
-files_read_etc_files(openvswitch_t)
+files_read_kernel_modules(openvswitch_t)
+files_load_kernel_modules(openvswitch_t)
fs_getattr_all_fs(openvswitch_t)
fs_search_cgroup_dirs(openvswitch_t)
+fs_manage_hugetlbfs_files(openvswitch_t)
+fs_manage_hugetlbfs_dirs(openvswitch_t)
+
+auth_use_nsswitch(openvswitch_t)
logging_send_syslog_msg(openvswitch_t)
-miscfiles_read_localization(openvswitch_t)
+init_read_script_state(openvswitch_t)
+
+modutils_exec_insmod(openvswitch_t)
+modutils_list_module_config(openvswitch_t)
+modutils_read_module_config(openvswitch_t)
+modutils_read_module_deps(openvswitch_t)
sysnet_dns_name_resolve(openvswitch_t)
+logging_send_audit_msgs(openvswitch_t)
+
+write_sock_files_pattern(init_t, openvswitch_var_run_t, openvswitch_var_run_t)
+
+optional_policy(`
+ hostname_exec(openvswitch_t)
+')
+
optional_policy(`
iptables_domtrans(openvswitch_t)
')
+
+optional_policy(`
+ plymouthd_exec_plymouth(openvswitch_t)
+')
+
+optional_policy(`
+ networkmanager_read_state(openvswitch_t)
+')
+
+optional_policy(`
+ seutil_domtrans_setfiles(openvswitch_t)
+')
diff --git a/openwsman.fc b/openwsman.fc
new file mode 100644
index 000000000..00d0643d9
--- /dev/null
+++ b/openwsman.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/openwsmand.* -- gen_context(system_u:object_r:openwsman_unit_file_t,s0)
+
+/usr/sbin/openwsmand -- gen_context(system_u:object_r:openwsman_exec_t,s0)
+
+/var/log/wsmand.* -- gen_context(system_u:object_r:openwsman_log_t,s0)
+
+/var/run/wsmand.* -- gen_context(system_u:object_r:openwsman_run_t,s0)
diff --git a/openwsman.if b/openwsman.if
new file mode 100644
index 000000000..747853a1a
--- /dev/null
+++ b/openwsman.if
@@ -0,0 +1,79 @@
+## <summary>WS-Management Server</summary>
+
+########################################
+## <summary>
+## Execute openwsman in the openwsman domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openwsman_domtrans',`
+ gen_require(`
+ type openwsman_t, openwsman_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, openwsman_exec_t, openwsman_t)
+')
+########################################
+## <summary>
+## Execute openwsman server in the openwsman domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openwsman_systemctl',`
+ gen_require(`
+ type openwsman_t;
+ type openwsman_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 openwsman_unit_file_t:file read_file_perms;
+ allow $1 openwsman_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, openwsman_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an openwsman environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`openwsman_admin',`
+ gen_require(`
+ type openwsman_t;
+ type openwsman_unit_file_t;
+ ')
+
+ allow $1 openwsman_t:process { signal_perms };
+ ps_process_pattern($1, openwsman_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 openwsman_t:process ptrace;
+ ')
+
+ openwsman_systemctl($1)
+ admin_pattern($1, openwsman_unit_file_t)
+ allow $1 openwsman_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/openwsman.te b/openwsman.te
new file mode 100644
index 000000000..3bcd32cdf
--- /dev/null
+++ b/openwsman.te
@@ -0,0 +1,74 @@
+policy_module(openwsman, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openwsman_t;
+type openwsman_exec_t;
+init_daemon_domain(openwsman_t, openwsman_exec_t)
+
+type openwsman_tmp_t;
+files_tmp_file(openwsman_tmp_t)
+
+type openwsman_tmpfs_t;
+files_tmpfs_file(openwsman_tmpfs_t)
+
+type openwsman_log_t;
+logging_log_file(openwsman_log_t)
+
+type openwsman_run_t;
+files_pid_file(openwsman_run_t)
+
+type openwsman_unit_file_t;
+systemd_unit_file(openwsman_unit_file_t)
+
+########################################
+#
+# openwsman local policy
+#
+
+allow openwsman_t self:capability setuid;
+
+allow openwsman_t self:process { fork };
+allow openwsman_t self:fifo_file rw_fifo_file_perms;
+allow openwsman_t self:unix_stream_socket create_stream_socket_perms;
+allow openwsman_t self:tcp_socket { create_socket_perms accept listen };
+
+manage_files_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
+manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
+files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file })
+
+manage_files_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
+manage_dirs_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
+fs_tmpfs_filetrans(openwsman_t, openwsman_tmpfs_t, { dir file })
+
+manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
+logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
+
+manage_files_pattern(openwsman_t, openwsman_run_t, openwsman_run_t)
+files_pid_filetrans(openwsman_t, openwsman_run_t, { file })
+
+auth_use_nsswitch(openwsman_t)
+auth_domtrans_chkpwd(openwsman_t)
+
+corenet_tcp_connect_pegasus_https_port(openwsman_t)
+corenet_tcp_bind_vnc_port(openwsman_t)
+corenet_tcp_bind_http_port(openwsman_t)
+
+dev_read_urand(openwsman_t)
+
+logging_send_syslog_msg(openwsman_t)
+logging_send_audit_msgs(openwsman_t)
+
+optional_policy(`
+ sblim_stream_connect_sfcbd(openwsman_t)
+ sblim_rw_semaphores_sfcbd(openwsman_t)
+ sblim_getattr_exec_sfcbd(openwsman_t)
+')
+
+optional_policy(`
+ unconfined_domain(openwsman_t)
+')
+
diff --git a/oracleasm.fc b/oracleasm.fc
new file mode 100644
index 000000000..5655facf0
--- /dev/null
+++ b/oracleasm.fc
@@ -0,0 +1,8 @@
+
+/etc/rc\.d/init\.d/oracleasm -- gen_context(system_u:object_r:oracleasm_initrc_exec_t,s0)
+
+/etc/sysconfig/oracleasm(/.*)? gen_context(system_u:object_r:oracleasm_conf_t,s0)
+
+/etc/sysconfig/oracleasm-_dev_oracleasm -- gen_context(system_u:object_r:oracleasm_conf_t,s0)
+
+/usr/sbin/oracleasm -- gen_context(system_u:object_r:oracleasm_exec_t,s0)
diff --git a/oracleasm.if b/oracleasm.if
new file mode 100644
index 000000000..6ae382cb9
--- /dev/null
+++ b/oracleasm.if
@@ -0,0 +1,75 @@
+
+## <summary>policy for oracleasm</summary>
+
+########################################
+## <summary>
+## Transition to oracleasm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`oracleasm_domtrans',`
+ gen_require(`
+ type oracleasm_t, oracleasm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, oracleasm_exec_t, oracleasm_t)
+')
+
+
+########################################
+## <summary>
+## Execute oracleasm server in the oracleasm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`oracleasm_initrc_domtrans',`
+ gen_require(`
+ type oracleasm_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, oracleasm_initrc_exec_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an oracleasm environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`oracleasm_admin',`
+ gen_require(`
+ type oracleasm_t;
+ type oracleasm_initrc_exec_t;
+ ')
+
+ allow $1 oracleasm_t:process { ptrace signal_perms };
+ ps_process_pattern($1, oracleasm_t)
+
+ oracleasm_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 oracleasm_initrc_exec_t system_r;
+ allow $2 system_r;
+
+')
+
diff --git a/oracleasm.te b/oracleasm.te
new file mode 100644
index 000000000..16365762c
--- /dev/null
+++ b/oracleasm.te
@@ -0,0 +1,66 @@
+policy_module(oracleasm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type oracleasm_t;
+type oracleasm_exec_t;
+init_daemon_domain(oracleasm_t, oracleasm_exec_t)
+
+type oracleasm_initrc_exec_t;
+init_script_file(oracleasm_initrc_exec_t)
+
+type oracleasm_tmp_t;
+files_tmp_file(oracleasm_tmp_t)
+
+type oracleasm_conf_t;
+files_config_file(oracleasm_conf_t)
+
+########################################
+#
+# oracleasm local policy
+#
+
+allow oracleasm_t self:capability { dac_read_search fsetid fowner chown };
+allow oracleasm_t self:fifo_file rw_fifo_file_perms;
+allow oracleasm_t self:unix_stream_socket create_stream_socket_perms;
+
+allow oracleasm_t oracleasm_conf_t:file manage_file_perms;
+allow oracleasm_t oracleasm_conf_t:dir manage_dir_perms;
+
+manage_dirs_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t)
+manage_files_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t)
+files_tmp_filetrans(oracleasm_t, oracleasm_tmp_t, { file dir })
+
+kernel_read_system_state(oracleasm_t)
+
+auth_read_passwd(oracleasm_t)
+
+dev_rw_sysfs(oracleasm_t)
+
+domain_use_interactive_fds(oracleasm_t)
+
+corecmd_exec_shell(oracleasm_t)
+corecmd_exec_bin(oracleasm_t)
+
+fs_getattr_xattr_fs(oracleasm_t)
+fs_list_oracleasmfs(oracleasm_t)
+fs_getattr_oracleasmfs(oracleasm_t)
+fs_getattr_oracleasmfs_fs(oracleasm_t)
+fs_setattr_oracleasmfs(oracleasm_t)
+fs_setattr_oracleasmfs_dirs(oracleasm_t)
+fs_manage_oracleasm(oracleasm_t)
+
+storage_raw_read_fixed_disk(oracleasm_t)
+storage_raw_read_removable_device(oracleasm_t)
+storage_rw_inherited_fixed_disk_dev(oracleasm_t)
+
+optional_policy(`
+ mount_domtrans(oracleasm_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(oracleasm_t)
+')
diff --git a/osad.fc b/osad.fc
new file mode 100644
index 000000000..cf911d54e
--- /dev/null
+++ b/osad.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/osad -- gen_context(system_u:object_r:osad_initrc_exec_t,s0)
+
+/usr/sbin/osad -- gen_context(system_u:object_r:osad_exec_t,s0)
+
+/var/log/osad.* -- gen_context(system_u:object_r:osad_log_t,s0)
+
+/var/run/osad.* -- gen_context(system_u:object_r:osad_var_run_t,s0)
diff --git a/osad.if b/osad.if
new file mode 100644
index 000000000..05648bd2a
--- /dev/null
+++ b/osad.if
@@ -0,0 +1,165 @@
+
+## <summary>Client-side service written in Python that responds to pings and runs rhn_check when told to by osa-dispatcher. </summary>
+
+########################################
+## <summary>
+## Execute osad in the osad domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`osad_domtrans',`
+ gen_require(`
+ type osad_t, osad_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, osad_exec_t, osad_t)
+')
+
+########################################
+## <summary>
+## Execute osad server in the osad domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`osad_initrc_domtrans',`
+ gen_require(`
+ type osad_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, osad_initrc_exec_t)
+')
+########################################
+## <summary>
+## Read osad's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`osad_read_log',`
+ gen_require(`
+ type osad_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, osad_log_t, osad_log_t)
+')
+
+########################################
+## <summary>
+## Append to osad log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`osad_append_log',`
+ gen_require(`
+ type osad_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, osad_log_t, osad_log_t)
+')
+
+########################################
+## <summary>
+## Manage osad log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`osad_manage_log',`
+ gen_require(`
+ type osad_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, osad_log_t, osad_log_t)
+ manage_files_pattern($1, osad_log_t, osad_log_t)
+ manage_lnk_files_pattern($1, osad_log_t, osad_log_t)
+')
+########################################
+## <summary>
+## Read osad PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`osad_read_pid_files',`
+ gen_require(`
+ type osad_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, osad_var_run_t, osad_var_run_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an osad environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`osad_admin',`
+ gen_require(`
+ type osad_t;
+ type osad_initrc_exec_t;
+ type osad_log_t;
+ type osad_var_run_t;
+ ')
+
+ allow $1 osad_t:process { signal_perms };
+ ps_process_pattern($1, osad_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 osad_t:process ptrace;
+ ')
+
+ osad_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 osad_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, osad_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, osad_var_run_t)
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/osad.te b/osad.te
new file mode 100644
index 000000000..b372f683a
--- /dev/null
+++ b/osad.te
@@ -0,0 +1,56 @@
+policy_module(osad, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type osad_t;
+type osad_exec_t;
+init_daemon_domain(osad_t, osad_exec_t)
+
+type osad_initrc_exec_t;
+init_script_file(osad_initrc_exec_t)
+
+type osad_log_t;
+logging_log_file(osad_log_t)
+
+type osad_var_run_t;
+files_pid_file(osad_var_run_t)
+
+########################################
+#
+# osad local policy
+#
+
+allow osad_t self:process { execmem setpgid };
+
+manage_files_pattern(osad_t, osad_log_t, osad_log_t)
+logging_log_filetrans(osad_t, osad_log_t, file)
+
+manage_files_pattern(osad_t, osad_var_run_t, osad_var_run_t)
+files_pid_filetrans(osad_t, osad_var_run_t, file)
+
+kernel_read_system_state(osad_t)
+
+corecmd_exec_bin(osad_t)
+
+corenet_tcp_connect_http_port(osad_t)
+corenet_tcp_connect_jabber_client_port(osad_t)
+
+dev_read_urand(osad_t)
+
+auth_use_nsswitch(osad_t)
+
+optional_policy(`
+ gnome_dontaudit_search_config(osad_t)
+')
+
+optional_policy(`
+ rhnsd_manage_config(osad_t)
+')
+
+# execute rhn_check
+optional_policy(`
+ rpm_domtrans(osad_t)
+')
diff --git a/pacemaker.fc b/pacemaker.fc
index 2f0ad56d6..d4da0b8d0 100644
--- a/pacemaker.fc
+++ b/pacemaker.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0)
+/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:pacemaker_unit_file_t,s0)
+
/usr/sbin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0)
/var/lib/heartbeat/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
diff --git a/pacemaker.if b/pacemaker.if
index 9682d9af8..f1f421f9e 100644
--- a/pacemaker.if
+++ b/pacemaker.if
@@ -1,9 +1,167 @@
-## <summary>A scalable high-availability cluster resource manager.</summary>
+## <summary>>A scalable high-availability cluster resource manager.</summary>
########################################
## <summary>
-## All of the rules required to
-## administrate an pacemaker environment.
+## Transition to pacemaker.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pacemaker_domtrans',`
+ gen_require(`
+ type pacemaker_t, pacemaker_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pacemaker_exec_t, pacemaker_t)
+')
+
+########################################
+## <summary>
+## Execute pacemaker server in the pacemaker domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pacemaker_initrc_domtrans',`
+ gen_require(`
+ type pacemaker_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Search pacemaker lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pacemaker_search_lib',`
+ gen_require(`
+ type pacemaker_var_lib_t;
+ ')
+
+ allow $1 pacemaker_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read pacemaker lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pacemaker_read_lib_files',`
+ gen_require(`
+ type pacemaker_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage pacemaker lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pacemaker_manage_lib_files',`
+ gen_require(`
+ type pacemaker_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage pacemaker lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pacemaker_manage_lib_dirs',`
+ gen_require(`
+ type pacemaker_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read pacemaker PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pacemaker_read_pid_files',`
+ gen_require(`
+ type pacemaker_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 pacemaker_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute pacemaker server in the pacemaker domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pacemaker_systemctl',`
+ gen_require(`
+ type pacemaker_t;
+ type pacemaker_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 pacemaker_unit_file_t:file read_file_perms;
+ allow $1 pacemaker_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, pacemaker_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an pacemaker environment
## </summary>
## <param name="domain">
## <summary>
@@ -19,14 +177,17 @@
#
interface(`pacemaker_admin',`
gen_require(`
- type pacemaker_t, pacemaker_initrc_exec_t, pacemaker_var_lib_t;
+ type pacemaker_t;
+ type pacemaker_initrc_exec_t;
+ type pacemaker_var_lib_t;
type pacemaker_var_run_t;
+ type pacemaker_unit_file_t;
')
allow $1 pacemaker_t:process { ptrace signal_perms };
ps_process_pattern($1, pacemaker_t)
- init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
+ pacemaker_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 pacemaker_initrc_exec_t system_r;
allow $2 system_r;
@@ -36,4 +197,13 @@ interface(`pacemaker_admin',`
files_search_pids($1)
admin_pattern($1, pacemaker_var_run_t)
+
+ pacemaker_systemctl($1)
+ admin_pattern($1, pacemaker_unit_file_t)
+ allow $1 pacemaker_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/pacemaker.te b/pacemaker.te
index 6e6efb642..9ab075fb4 100644
--- a/pacemaker.te
+++ b/pacemaker.te
@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.1.0)
# Declarations
#
+## <desc>
+## <p>
+## Allow pacemaker memcheck-amd64- to use executable memory
+## </p>
+## </desc>
+gen_tunable(pacemaker_use_execmem, false)
+
type pacemaker_t;
type pacemaker_exec_t;
init_daemon_domain(pacemaker_t, pacemaker_exec_t)
@@ -12,31 +19,36 @@ init_daemon_domain(pacemaker_t, pacemaker_exec_t)
type pacemaker_initrc_exec_t;
init_script_file(pacemaker_initrc_exec_t)
+type pacemaker_var_lib_t;
+files_type(pacemaker_var_lib_t)
+
+type pacemaker_var_run_t;
+files_pid_file(pacemaker_var_run_t)
+
type pacemaker_tmp_t;
files_tmp_file(pacemaker_tmp_t)
type pacemaker_tmpfs_t;
files_tmpfs_file(pacemaker_tmpfs_t)
-type pacemaker_var_lib_t;
-files_type(pacemaker_var_lib_t)
-
-type pacemaker_var_run_t;
-files_pid_file(pacemaker_var_run_t)
+type pacemaker_unit_file_t;
+systemd_unit_file(pacemaker_unit_file_t)
########################################
#
# Local policy
#
-allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid };
+allow pacemaker_t self:capability { fowner fsetid kill chown dac_read_search setuid };
+allow pacemaker_t self:capability2 block_suspend;
allow pacemaker_t self:process { setrlimit signal setpgid };
allow pacemaker_t self:fifo_file rw_fifo_file_perms;
allow pacemaker_t self:unix_stream_socket { connectto accept listen };
manage_dirs_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
manage_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
-files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { file dir })
+manage_fifo_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
+files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { fifo_file file dir })
manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
@@ -60,13 +72,13 @@ kernel_read_system_state(pacemaker_t)
corecmd_exec_bin(pacemaker_t)
corecmd_exec_shell(pacemaker_t)
+domain_use_interactive_fds(pacemaker_t)
+domain_read_all_domains_state(pacemaker_t)
+
dev_getattr_mtrr_dev(pacemaker_t)
dev_read_rand(pacemaker_t)
dev_read_urand(pacemaker_t)
-domain_read_all_domains_state(pacemaker_t)
-domain_use_interactive_fds(pacemaker_t)
-
files_read_kernel_symbol_table(pacemaker_t)
fs_getattr_all_fs(pacemaker_t)
@@ -75,9 +87,20 @@ auth_use_nsswitch(pacemaker_t)
logging_send_syslog_msg(pacemaker_t)
-miscfiles_read_localization(pacemaker_t)
+sysnet_domtrans_ifconfig(pacemaker_t)
+
+tunable_policy(`pacemaker_use_execmem',`
+ allow pacemaker_t self:process { execmem };
+')
optional_policy(`
corosync_read_log(pacemaker_t)
+ corosync_setattr_log(pacemaker_t)
corosync_stream_connect(pacemaker_t)
+ corosync_rw_tmpfs(pacemaker_t)
+')
+
+optional_policy(`
+ #executes heartbeat lib files
+ rgmanager_execute_lib(pacemaker_t)
')
diff --git a/pads.if b/pads.if
index 6e097c919..503c97a2d 100644
--- a/pads.if
+++ b/pads.if
@@ -17,15 +17,19 @@
## </param>
## <rolecap/>
#
-interface(`pads_admin', `
+interface(`pads_admin',`
gen_require(`
type pads_t, pads_config_t, pads_var_run_t;
type pads_initrc_exec_t;
')
- allow $1 pads_t:process { ptrace signal_perms };
+ allow $1 pads_t:process signal_perms;
ps_process_pattern($1, pads_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 pads_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, pads_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 pads_initrc_exec_t system_r;
diff --git a/pads.te b/pads.te
index 078adc478..c1f2a1072 100644
--- a/pads.te
+++ b/pads.te
@@ -24,9 +24,12 @@ files_pid_file(pads_var_run_t)
# Declarations
#
-allow pads_t self:capability { dac_override net_raw };
+allow pads_t self:capability { dac_read_search net_raw };
+allow pads_t self:netlink_route_socket create_netlink_socket_perms;
allow pads_t self:packet_socket create_socket_perms;
allow pads_t self:socket create_socket_perms;
+allow pads_t self:udp_socket create_socket_perms;
+allow pads_t self:unix_dgram_socket create_socket_perms;
allow pads_t pads_config_t:file manage_file_perms;
files_etc_filetrans(pads_t, pads_config_t, file)
@@ -39,7 +42,6 @@ kernel_read_network_state(pads_t)
corecmd_search_bin(pads_t)
-corenet_all_recvfrom_unlabeled(pads_t)
corenet_all_recvfrom_netlabel(pads_t)
corenet_tcp_sendrecv_generic_if(pads_t)
corenet_tcp_sendrecv_generic_node(pads_t)
@@ -52,11 +54,8 @@ dev_read_rand(pads_t)
dev_read_urand(pads_t)
dev_read_sysfs(pads_t)
-files_read_etc_files(pads_t)
files_search_spool(pads_t)
-miscfiles_read_localization(pads_t)
-
logging_send_syslog_msg(pads_t)
sysnet_dns_name_resolve(pads_t)
diff --git a/passenger.fc b/passenger.fc
index 2c389ea7c..9155bd0dd 100644
--- a/passenger.fc
+++ b/passenger.fc
@@ -1,10 +1,12 @@
-/usr/.*/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
-/usr/.*/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
-/usr/.*/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
-/usr/.*/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/share/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/share/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/lib/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/lib/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
-/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
+/usr/share/.*/gems/.*/helper-scripts/prespawn -- gen_context(system_u:object_r:passenger_exec_t,s0)
-/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0)
+/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
-/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
+/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0)
+
+/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
diff --git a/passenger.if b/passenger.if
index bf59ef731..0e333279c 100644
--- a/passenger.if
+++ b/passenger.if
@@ -15,17 +15,17 @@ interface(`passenger_domtrans',`
type passenger_t, passenger_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, passenger_exec_t, passenger_t)
+ allow passenger_t $1:unix_stream_socket { accept getattr read write };
')
######################################
## <summary>
-## Execute passenger in the caller domain.
+## Execute passenger in the current domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
## </summary>
## </param>
#
@@ -34,13 +34,30 @@ interface(`passenger_exec',`
type passenger_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, passenger_exec_t)
')
+#######################################
+## <summary>
+## Getattr passenger log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`passenger_getattr_log_files',`
+ gen_require(`
+ type passenger_log_t;
+ ')
+
+ getattr_files_pattern($1, passenger_log_t, passenger_log_t)
+')
+
########################################
## <summary>
-## Read passenger lib files.
+## Read passenger lib files
## </summary>
## <param name="domain">
## <summary>
@@ -53,6 +70,112 @@ interface(`passenger_read_lib_files',`
type passenger_var_lib_t;
')
- files_search_var_lib($1)
read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Manage passenger lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`passenger_manage_lib_files',`
+ gen_require(`
+ type passenger_var_lib_t;
+ ')
+
+ manage_dirs_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ manage_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ manage_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ files_search_var_lib($1)
')
+
+#####################################
+## <summary>
+## Manage passenger var_run content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`passenger_manage_pid_content',`
+ gen_require(`
+ type passenger_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t)
+ manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+ manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+ manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+')
+
+########################################
+## <summary>
+## Connect to passenger unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`passenger_stream_connect',`
+ gen_require(`
+ type passenger_t;
+ type passenger_tmp_t;
+ type passenger_var_run_t;
+ ')
+
+
+
+ stream_connect_pattern($1, passenger_var_run_t, passenger_var_run_t, passenger_t)
+ stream_connect_pattern($1, passenger_tmp_t, passenger_tmp_t, passenger_t)
+')
+
+#######################################
+## <summary>
+## Allow to manage passenger tmp files/dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`passenger_manage_tmp_files',`
+ gen_require(`
+ type passenger_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t)
+ manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
+')
+
+########################################
+## <summary>
+## Send kill signals to passenger.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`passenger_kill',`
+ gen_require(`
+ type passenger_t;
+ ')
+
+ allow $1 passenger_t:process sigkill;
+')
+
diff --git a/passenger.te b/passenger.te
index 08ec33bf2..c1af8d7ae 100644
--- a/passenger.te
+++ b/passenger.te
@@ -1,4 +1,4 @@
-policy_module(passanger, 1.1.1)
+policy_module(passenger, 1.1.2)
########################################
#
@@ -14,6 +14,9 @@ role system_r types passenger_t;
type passenger_log_t;
logging_log_file(passenger_log_t)
+type passenger_tmp_t;
+files_tmp_file(passenger_tmp_t)
+
type passenger_var_lib_t;
files_type(passenger_var_lib_t)
@@ -22,22 +25,25 @@ files_pid_file(passenger_var_run_t)
########################################
#
-# Local policy
+# passanger local policy
#
-allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
-allow passenger_t self:process { setpgid setsched sigkill signal };
+allow passenger_t self:capability { chown dac_read_search fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
+allow passenger_t self:capability2 block_suspend;
+allow passenger_t self:process { setpgid setsched getsession signal_perms };
allow passenger_t self:fifo_file rw_fifo_file_perms;
-allow passenger_t self:unix_stream_socket { accept connectto listen };
+allow passenger_t self:tcp_socket { accept listen };
+allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+can_exec(passenger_t, passenger_exec_t)
manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t)
-append_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
-create_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
-setattr_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
-logging_log_filetrans(passenger_t, passenger_log_t, file)
+manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
+logging_log_filetrans(passenger_t, passenger_log_t, { dir file })
manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+files_search_var_lib(passenger_t)
manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
@@ -45,7 +51,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
-can_exec(passenger_t, passenger_exec_t)
+#needed by puppet
+manage_dirs_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
+manage_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
+manage_sock_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
+files_tmp_filetrans(passenger_t, passenger_tmp_t, { file dir sock_file })
kernel_read_system_state(passenger_t)
kernel_read_kernel_sysctls(passenger_t)
@@ -53,13 +63,11 @@ kernel_read_network_state(passenger_t)
kernel_read_net_sysctls(passenger_t)
corenet_all_recvfrom_netlabel(passenger_t)
-corenet_all_recvfrom_unlabeled(passenger_t)
corenet_tcp_sendrecv_generic_if(passenger_t)
corenet_tcp_sendrecv_generic_node(passenger_t)
-
-corenet_sendrecv_http_client_packets(passenger_t)
corenet_tcp_connect_http_port(passenger_t)
-corenet_tcp_sendrecv_http_port(passenger_t)
+corenet_tcp_connect_postgresql_port(passenger_t)
+corenet_tcp_connect_mysqld_port(passenger_t)
corecmd_exec_bin(passenger_t)
corecmd_exec_shell(passenger_t)
@@ -68,10 +76,10 @@ dev_read_urand(passenger_t)
domain_read_all_domains_state(passenger_t)
-files_read_etc_files(passenger_t)
-
auth_use_nsswitch(passenger_t)
+fs_getattr_xattr_fs(passenger_t)
+
logging_send_syslog_msg(passenger_t)
miscfiles_read_localization(passenger_t)
@@ -83,6 +91,7 @@ userdom_dontaudit_use_user_terminals(passenger_t)
optional_policy(`
apache_append_log(passenger_t)
apache_read_sys_content(passenger_t)
+ apache_rw_stream_sockets(passenger_t)
')
optional_policy(`
@@ -94,14 +103,21 @@ optional_policy(`
')
optional_policy(`
- puppet_manage_lib_files(passenger_t)
+ mysql_stream_connect(passenger_t)
+ mysql_list_db(passenger_t)
+')
+
+optional_policy(`
+ puppet_domtrans_master(passenger_t)
+ puppet_manage_lib(passenger_t)
puppet_read_config(passenger_t)
- puppet_append_log_files(passenger_t)
- puppet_create_log_files(passenger_t)
- puppet_read_log_files(passenger_t)
+ puppet_append_log(passenger_t)
+ puppet_create_log(passenger_t)
+ puppet_read_log(passenger_t)
+ puppet_search_pid(passenger_t)
')
optional_policy(`
- rpm_exec(passenger_t)
- rpm_read_db(passenger_t)
+ rpm_exec(passenger_t)
+ rpm_read_db(passenger_t)
')
diff --git a/pcmcia.te b/pcmcia.te
index 8176e4aa4..311e311b3 100644
--- a/pcmcia.te
+++ b/pcmcia.te
@@ -29,7 +29,7 @@ role cardmgr_roles types cardmgr_t;
# Local policy
#
-allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
+allow cardmgr_t self:capability { dac_read_search setuid net_admin sys_admin sys_nice sys_tty_config mknod };
dontaudit cardmgr_t self:capability sys_tty_config;
allow cardmgr_t self:process signal_perms;
allow cardmgr_t self:fifo_file rw_fifo_file_perms;
@@ -88,20 +88,17 @@ libs_exec_lib_files(cardmgr_t)
logging_send_syslog_msg(cardmgr_t)
-miscfiles_read_localization(cardmgr_t)
-
modutils_domtrans_insmod(cardmgr_t)
sysnet_domtrans_ifconfig(cardmgr_t)
sysnet_etc_filetrans_config(cardmgr_t)
sysnet_manage_config(cardmgr_t)
-userdom_use_user_terminals(cardmgr_t)
+userdom_use_inherited_user_terminals(cardmgr_t)
userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
userdom_dontaudit_search_user_home_dirs(cardmgr_t)
optional_policy(`
- seutil_dontaudit_read_config(cardmgr_t)
seutil_sigchld_newrole(cardmgr_t)
')
diff --git a/pcp.fc b/pcp.fc
new file mode 100644
index 000000000..de7c78ca0
--- /dev/null
+++ b/pcp.fc
@@ -0,0 +1,33 @@
+/etc/rc\.d/init\.d/pmcd -- gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pmwebd -- gen_context(system_u:object_r:pcp_pmwebd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pmie -- gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_initrc_exec_t,s0)
+
+/usr/bin/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
+/usr/bin/pmcd -- gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
+/usr/bin/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
+/usr/bin/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0)
+/usr/bin/pmwebd -- gen_context(system_u:object_r:pcp_pmwebd_exec_t,s0)
+/usr/bin/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_exec_t,s0)
+
+
+/usr/libexec/pcp/bin/pmcd -- gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
+/usr/libexec/pcp/bin/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
+/usr/libexec/pcp/bin/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0)
+/usr/libexec/pcp/bin/pmwebd -- gen_context(system_u:object_r:pcp_pmwebd_exec_t,s0)
+/usr/libexec/pcp/bin/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
+/usr/libexec/pcp/bin/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_exec_t,s0)
+
+/usr/share/pcp/lib/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
+
+/usr/share/pcp/lib/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
+
+/var/lib/pcp(/.*)? gen_context(system_u:object_r:pcp_var_lib_t,s0)
+
+/var/log/pcp(/.*)? gen_context(system_u:object_r:pcp_log_t,s0)
+
+/var/run/pcp(/.*)? gen_context(system_u:object_r:pcp_var_run_t,s0)
+/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0)
+/var/run/pmlogger\.primary\.socket -l gen_context(system_u:object_r:pcp_var_run_t,s0)
diff --git a/pcp.if b/pcp.if
new file mode 100644
index 000000000..abb250dba
--- /dev/null
+++ b/pcp.if
@@ -0,0 +1,160 @@
+## <summary>The pcp command summarizes the status of a Performance Co-Pilot (PCP) installation</summary>
+
+######################################
+## <summary>
+## Creates types and rules for a basic
+## pcp daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`pcp_domain_template',`
+ gen_require(`
+ attribute pcp_domain;
+ ')
+
+ type pcp_$1_t, pcp_domain;
+ type pcp_$1_exec_t;
+ init_daemon_domain(pcp_$1_t, pcp_$1_exec_t)
+
+ type pcp_$1_initrc_exec_t;
+ init_script_file(pcp_$1_initrc_exec_t)
+
+ auth_use_nsswitch(pcp_$1_t)
+
+ optional_policy(`
+ cron_system_entry(pcp_$1_t, pcp_$1_exec_t)
+ ')
+')
+
+######################################
+## <summary>
+## Allow domain to read pcp lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+interface(`pcp_read_lib_files',`
+ gen_require(`
+ type pcp_var_lib_t;
+ ')
+ files_search_var_lib($1)
+ read_files_pattern($1,pcp_var_lib_t,pcp_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an pcp environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pcp_admin',`
+ gen_require(`
+ type pcp_pmcd_t;
+ type pcp_pmlogger_t;
+ type pcp_pmproxy_t;
+ type pcp_pmwebd_t;
+ type pcp_pmie_t;
+ type pcp_pmmgr_t;
+ type pcp_var_run_t;
+ ')
+
+ allow $1 pcp_pmcd_t:process signal_perms;
+ ps_process_pattern($1, pcp_pmcd_t)
+
+ allow $1 pcp_pmlogger_t:process signal_perms;
+ ps_process_pattern($1, pcp_pmlogger_t)
+
+ allow $1 pcp_pmproxy_t:process signal_perms;
+ ps_process_pattern($1, pcp_pmproxy_t)
+
+ allow $1 pcp_pmwebd_t:process signal_perms;
+ ps_process_pattern($1, pcp_pmwebd_t)
+
+ allow $1 pcp_pmie_t:process signal_perms;
+ ps_process_pattern($1, pcp_pmie_t)
+
+ allow $1 pcp_pmmgr_t:process signal_perms;
+ ps_process_pattern($1, pcp_pmmgr_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 pcp_pmcd_t:process ptrace;
+ allow $1 pcp_pmlogger_t:process ptrace;
+ allow $1 pcp_pmproxy_t:process ptrace;
+ allow $1 pcp_pmwebd_t:process ptrace;
+ allow $1 pcp_pmie_t:process ptrace;
+ allow $1 pcp_pmmgr_t:process ptrace;
+ ')
+
+ files_search_pids($1)
+ admin_pattern($1, pcp_var_run_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to execute pcp_pmie
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pcp_pmie_exec',`
+ gen_require(`
+ type pcp_pmie_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, pcp_pmie_exec_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to execute pcp_pmlogger
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pcp_pmlogger_exec',`
+ gen_require(`
+ type pcp_pmlogger_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, pcp_pmlogger_exec_t)
+')
+
+#######################################
+## <summary>
+## Transition to pcp named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcp_filetrans_named_content',`
+ gen_require(`
+ type pcp_var_run_t;
+ ')
+ files_pid_filetrans($1, pcp_var_run_t, dir, "pcp")
+')
diff --git a/pcp.te b/pcp.te
new file mode 100644
index 000000000..89e89b240
--- /dev/null
+++ b/pcp.te
@@ -0,0 +1,315 @@
+policy_module(pcp, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+
+## <desc>
+## <p>
+## Allow pcp to bind to all unreserved_ports
+## </p>
+## </desc>
+gen_tunable(pcp_bind_all_unreserved_ports, false)
+
+## <desc>
+## <p>
+## Allow pcp to read generic logs
+## </p>
+## </desc>
+gen_tunable(pcp_read_generic_logs, false)
+
+attribute pcp_domain;
+
+pcp_domain_template(pmcd)
+pcp_domain_template(pmlogger)
+pcp_domain_template(pmproxy)
+pcp_domain_template(pmwebd)
+pcp_domain_template(pmie)
+pcp_domain_template(pmmgr)
+
+type pcp_log_t;
+logging_log_file(pcp_log_t)
+
+type pcp_var_lib_t;
+files_type(pcp_var_lib_t)
+
+type pcp_var_run_t;
+files_pid_file(pcp_var_run_t)
+
+type pcp_tmp_t;
+files_tmp_file(pcp_tmp_t)
+
+type pcp_tmpfs_t;
+files_tmpfs_file(pcp_tmpfs_t)
+
+########################################
+#
+# pcp domain local policy
+#
+
+allow pcp_domain self:capability { setuid setgid dac_read_search };
+allow pcp_domain self:process signal_perms;
+allow pcp_domain self:tcp_socket create_stream_socket_perms;
+allow pcp_domain self:udp_socket create_socket_perms;
+allow pcp_domain self:netlink_route_socket create_socket_perms;
+allow pcp_domain self:unix_stream_socket connectto;
+
+corenet_tcp_connect_all_ephemeral_ports(pcp_domain)
+
+manage_dirs_pattern(pcp_domain, pcp_log_t, pcp_log_t)
+manage_files_pattern(pcp_domain, pcp_log_t, pcp_log_t)
+logging_log_filetrans(pcp_domain, pcp_log_t, { dir })
+
+manage_dirs_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
+manage_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
+manage_sock_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
+manage_lnk_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
+exec_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
+files_var_lib_filetrans(pcp_domain, pcp_var_lib_t, { dir})
+
+manage_dirs_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
+manage_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
+manage_sock_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
+manage_lnk_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
+files_pid_filetrans(pcp_domain, pcp_var_run_t, { dir file sock_file lnk_file })
+
+manage_dirs_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
+manage_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
+manage_sock_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
+files_tmp_filetrans(pcp_domain, pcp_tmp_t, { dir file sock_file })
+
+manage_dirs_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t)
+manage_files_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t)
+fs_tmpfs_filetrans(pcp_domain, pcp_tmpfs_t, { dir file })
+
+dev_read_urand(pcp_domain)
+
+files_read_etc_files(pcp_domain)
+
+fs_getattr_all_fs(pcp_domain)
+
+miscfiles_read_generic_certs(pcp_domain)
+
+sysnet_read_config(pcp_domain)
+
+tunable_policy(`pcp_bind_all_unreserved_ports',`
+ corenet_sendrecv_all_server_packets(pcp_pmcd_t)
+ corenet_sendrecv_all_server_packets(pcp_pmlogger_t)
+ corenet_tcp_bind_all_unreserved_ports(pcp_pmcd_t)
+ corenet_tcp_bind_all_unreserved_ports(pcp_pmlogger_t)
+
+')
+
+
+########################################
+#
+# pcp_pmcd local policy
+#
+
+allow pcp_pmcd_t self:capability { net_admin sys_admin sys_ptrace };
+allow pcp_pmcd_t self:process { setsched };
+allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;
+
+kernel_get_sysvipc_info(pcp_pmcd_t)
+kernel_read_network_state(pcp_pmcd_t)
+kernel_read_system_state(pcp_pmcd_t)
+kernel_read_state(pcp_pmcd_t)
+kernel_read_fs_sysctls(pcp_pmcd_t)
+kernel_read_rpc_sysctls(pcp_pmcd_t)
+kernel_search_network_sysctl(pcp_pmcd_t)
+kernel_read_net_sysctls(pcp_pmcd_t)
+
+corecmd_exec_bin(pcp_pmcd_t)
+
+corenet_tcp_bind_amqp_port(pcp_pmcd_t)
+corenet_tcp_connect_amqp_port(pcp_pmcd_t)
+corenet_tcp_connect_http_port(pcp_pmcd_t)
+
+dev_read_sysfs(pcp_pmcd_t)
+dev_rw_lvm_control(pcp_pmcd_t)
+
+domain_read_all_domains_state(pcp_pmcd_t)
+domain_getattr_all_domains(pcp_pmcd_t)
+
+dev_getattr_all_blk_files(pcp_pmcd_t)
+dev_getattr_all_chr_files(pcp_pmcd_t)
+dev_read_sysfs(pcp_pmcd_t)
+dev_read_urand(pcp_pmcd_t)
+
+fs_getattr_all_fs(pcp_pmcd_t)
+fs_getattr_all_dirs(pcp_pmcd_t)
+fs_list_cgroup_dirs(pcp_pmcd_t)
+fs_read_cgroup_files(pcp_pmcd_t)
+
+init_read_utmp(pcp_pmcd_t)
+
+logging_send_syslog_msg(pcp_pmcd_t)
+
+lvm_domtrans(pcp_pmcd_t)
+
+storage_getattr_fixed_disk_dev(pcp_pmcd_t)
+
+userdom_read_user_tmp_files(pcp_pmcd_t)
+
+optional_policy(`
+ cron_read_pid_files(pcp_pmcd_t)
+')
+
+optional_policy(`
+ container_manage_lib_files(pcp_pmcd_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(pcp_pmcd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(pcp_pmcd_t)
+
+ optional_policy(`
+ avahi_dbus_chat(pcp_pmcd_t)
+ ')
+')
+
+optional_policy(`
+ postfix_read_config(pcp_pmcd_t)
+ postfix_search_spool(pcp_pmcd_t)
+')
+
+tunable_policy(`pcp_read_generic_logs',`
+ logging_read_generic_logs(pcp_pmcd_t)
+
+')
+
+########################################
+#
+# pcp_pmproxy local policy
+#
+
+allow pcp_pmproxy_t self:process setsched;
+allow pcp_pmproxy_t self:unix_dgram_socket create_socket_perms;
+
+kernel_search_network_sysctl(pcp_pmproxy_t)
+
+logging_send_syslog_msg(pcp_pmproxy_t)
+
+optional_policy(`
+ dbus_system_bus_client(pcp_pmproxy_t)
+
+ optional_policy(`
+ avahi_dbus_chat(pcp_pmproxy_t)
+ ')
+')
+
+########################################
+#
+# pcp_pmwebd local policy
+#
+
+kernel_read_system_state(pcp_pmwebd_t)
+
+corecmd_exec_shell(pcp_pmwebd_t)
+
+corenet_tcp_bind_generic_node(pcp_pmwebd_t)
+
+optional_policy(`
+ dbus_system_bus_client(pcp_pmwebd_t)
+
+ optional_policy(`
+ avahi_dbus_chat(pcp_pmwebd_t)
+ ')
+')
+
+########################################
+#
+# pcp_pmmgr local policy
+#
+
+allow pcp_pmmgr_t self:process { setpgid };
+allow pcp_pmmgr_t self:unix_dgram_socket create_socket_perms;
+allow pcp_pmmgr_t pcp_pmcd_t:unix_stream_socket connectto;
+
+kernel_read_system_state(pcp_pmmgr_t)
+
+corenet_udp_bind_dey_sapi_port(pcp_pmmgr_t)
+
+corenet_tcp_bind_commplex_link_port(pcp_pmmgr_t)
+corenet_tcp_bind_dey_sapi_port(pcp_pmmgr_t)
+
+corecmd_exec_bin(pcp_pmmgr_t)
+
+logging_send_syslog_msg(pcp_pmmgr_t)
+
+optional_policy(`
+ pcp_pmie_exec(pcp_pmmgr_t)
+ pcp_pmlogger_exec(pcp_pmmgr_t)
+')
+
+########################################
+#
+# pcp_pmie local policy
+#
+allow pcp_pmie_t self:capability chown;
+allow pcp_pmie_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow pcp_pmie_t self:unix_dgram_socket { create_socket_perms sendto };
+
+allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
+
+allow pcp_pmie_t pcp_pmcd_t:process signal;
+
+kernel_read_system_state(pcp_pmie_t)
+
+corecmd_exec_bin(pcp_pmie_t)
+corecmd_getattr_all_executables(pcp_pmie_t)
+
+domain_read_all_domains_state(pcp_pmie_t)
+
+fs_search_cgroup_dirs(pcp_pmie_t)
+
+init_status(pcp_pmie_t)
+
+logging_send_syslog_msg(pcp_pmie_t)
+
+systemd_exec_systemctl(pcp_pmie_t)
+systemd_read_unit_files(pcp_pmie_t)
+systemd_search_unit_dirs(pcp_pmie_t)
+
+userdom_read_user_tmp_files(pcp_pmie_t)
+
+########################################
+#
+# pcp_pmlogger local policy
+#
+
+allow pcp_pmlogger_t self:capability chown;
+allow pcp_pmlogger_t self:process setpgid;
+allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read };
+
+allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto;
+allow pcp_pmlogger_t self:unix_dgram_socket create_socket_perms;
+
+kernel_read_system_state(pcp_pmlogger_t)
+kernel_read_network_state(pcp_pmlogger_t)
+
+corecmd_exec_bin(pcp_pmlogger_t)
+
+corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t)
+corenet_tcp_bind_commplex_link_port(pcp_pmlogger_t)
+corenet_tcp_bind_generic_node(pcp_pmlogger_t)
+
+domain_read_all_domains_state(pcp_pmlogger_t)
+
+init_read_utmp(pcp_pmlogger_t)
+init_status(pcp_pmlogger_t)
+
+logging_send_syslog_msg(pcp_pmlogger_t)
+
+systemd_exec_systemctl(pcp_pmlogger_t)
+systemd_getattr_unit_files(pcp_pmlogger_t)
+
+optional_policy(`
+ hostname_exec(pcp_pmlogger_t)
+')
+
diff --git a/pcscd.if b/pcscd.if
index 43d50f95b..6b1544f62 100644
--- a/pcscd.if
+++ b/pcscd.if
@@ -17,6 +17,8 @@ interface(`pcscd_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, pcscd_exec_t, pcscd_t)
+
+ ps_process_pattern(pcscd_t, $1)
')
########################################
@@ -50,7 +52,7 @@ interface(`pcscd_read_pid_files',`
')
files_search_pids($1)
- allow $1 pcscd_var_run_t:file read_file_perms;
+ read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
')
########################################
diff --git a/pcscd.te b/pcscd.te
index 1fb196410..f502f33d6 100644
--- a/pcscd.te
+++ b/pcscd.te
@@ -21,11 +21,13 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
# Local policy
#
-allow pcscd_t self:capability { dac_override dac_read_search fsetid };
-allow pcscd_t self:process signal;
+allow pcscd_t self:capability { dac_read_search fsetid };
+allow pcscd_t self:capability2 { wake_alarm };
+allow pcscd_t self:process { signal signull };
allow pcscd_t self:fifo_file rw_fifo_file_perms;
-allow pcscd_t self:unix_stream_socket { accept listen };
-allow pcscd_t self:tcp_socket { accept listen };
+allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
+allow pcscd_t self:unix_dgram_socket create_socket_perms;
+allow pcscd_t self:tcp_socket create_stream_socket_perms;
allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
@@ -36,7 +38,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
kernel_read_system_state(pcscd_t)
-corenet_all_recvfrom_unlabeled(pcscd_t)
corenet_all_recvfrom_netlabel(pcscd_t)
corenet_tcp_sendrecv_generic_if(pcscd_t)
corenet_tcp_sendrecv_generic_node(pcscd_t)
@@ -45,12 +46,13 @@ corenet_sendrecv_http_client_packets(pcscd_t)
corenet_tcp_connect_http_port(pcscd_t)
corenet_tcp_sendrecv_http_port(pcscd_t)
+domain_read_all_domains_state(pcscd_t)
+
dev_rw_generic_usb_dev(pcscd_t)
dev_rw_smartcard(pcscd_t)
dev_rw_usbfs(pcscd_t)
dev_read_sysfs(pcscd_t)
-files_read_etc_files(pcscd_t)
files_read_etc_runtime_files(pcscd_t)
term_use_unallocated_ttys(pcscd_t)
@@ -60,16 +62,26 @@ locallogin_use_fds(pcscd_t)
logging_send_syslog_msg(pcscd_t)
-miscfiles_read_localization(pcscd_t)
-
sysnet_dns_name_resolve(pcscd_t)
+userdom_read_all_users_state(pcscd_t)
+
optional_policy(`
dbus_system_bus_client(pcscd_t)
optional_policy(`
hal_dbus_chat(pcscd_t)
')
+
+ optional_policy(`
+ policykit_dbus_chat(pcscd_t)
+ policykit_dbus_chat_auth(pcscd_t)
+ ')
+
+')
+
+optional_policy(`
+ policykit_dbus_chat(pcscd_t)
')
optional_policy(`
@@ -85,3 +97,8 @@ optional_policy(`
optional_policy(`
udev_read_db(pcscd_t)
')
+
+optional_policy(`
+ virt_rw_svirt_dev(pcscd_t)
+')
+
diff --git a/pdns.fc b/pdns.fc
new file mode 100644
index 000000000..22bc51be6
--- /dev/null
+++ b/pdns.fc
@@ -0,0 +1,6 @@
+/usr/lib/systemd/system/pdns.* -- gen_context(system_u:object_r:pdns_unit_file_t,s0)
+/usr/bin/pdns_control -- gen_context(system_u:object_r:pdns_control_exec_t,s0)
+/usr/sbin/pdns_server -- gen_context(system_u:object_r:pdns_exec_t,s0)
+/var/run/pdns\.pid -- gen_context(system_u:object_r:pdns_var_run_t,s0)
+/var/run/pdns\.controlsocket -s gen_context(system_u:object_r:pdns_var_run_t,s0)
+/etc/pdns(/.*)? gen_context(system_u:object_r:pdns_conf_t,s0)
diff --git a/pdns.if b/pdns.if
new file mode 100644
index 000000000..02df03ad6
--- /dev/null
+++ b/pdns.if
@@ -0,0 +1,81 @@
+## <summary>PowerDNS DNS server.</summary>
+
+########################################
+## <summary>
+## Execute pdns in the pdns domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pdns_domtrans',`
+ gen_require(`
+ type pdns_t, pdns_exec_t;
+ ')
+
+ domtrans_pattern($1, pdns_exec_t, pdns_t)
+')
+
+########################################
+## <summary>
+## Execute pdns_control in the pdns_control domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pdns_domtrans_pdns_control',`
+ gen_require(`
+ type pdns_control_t, pdns_control_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pdns_control_exec_t, pdns_control_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## pdns configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pdns_read_config',`
+ gen_require(`
+ type pdns_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 pdns_conf_t:dir list_dir_perms;
+ read_files_pattern($1, pdns_conf_t, pdns_conf_t)
+ read_lnk_files_pattern($1, pdns_conf_t, pdns_conf_t)
+')
+
+########################################
+## <summary>
+## Connect to pdns over an unix
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pdns_stream_connect',`
+ gen_require(`
+ type pdns_t, pdns_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, pdns_var_run_t, pdns_var_run_t, pdns_t)
+')
diff --git a/pdns.te b/pdns.te
new file mode 100644
index 000000000..4df7ada2a
--- /dev/null
+++ b/pdns.te
@@ -0,0 +1,85 @@
+policy_module(pdns, 1.0.2)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow PowerDNS to connect to databases over the network.
+## </p>
+## </desc>
+gen_tunable(pdns_can_network_connect_db, false)
+
+type pdns_t;
+type pdns_exec_t;
+init_daemon_domain(pdns_t, pdns_exec_t)
+init_nnp_daemon_domain(pdns_t)
+
+type pdns_unit_file_t;
+systemd_unit_file(pdns_unit_file_t)
+
+type pdns_conf_t;
+files_config_file(pdns_conf_t)
+
+type pdns_var_run_t;
+files_pid_file(pdns_var_run_t)
+
+type pdns_control_t;
+type pdns_control_exec_t;
+init_system_domain(pdns_control_t, pdns_control_exec_t)
+
+########################################
+#
+# pdns_t local policy
+#
+
+allow pdns_t self:capability { setuid setgid chown };
+allow pdns_t self:tcp_socket create_stream_socket_perms;
+allow pdns_t self:udp_socket create_socket_perms;
+allow pdns_t self:unix_dgram_socket create_socket_perms;
+pdns_read_config(pdns_t)
+
+kernel_read_network_state(pdns_t)
+
+corenet_tcp_bind_dns_port(pdns_t)
+corenet_udp_bind_dns_port(pdns_t)
+
+files_pid_filetrans(pdns_t, pdns_var_run_t, { file sock_file })
+manage_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
+manage_sock_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
+
+auth_use_nsswitch(pdns_t)
+
+logging_send_syslog_msg(pdns_t)
+
+
+########################################
+#
+# pdns_control_t local policy
+#
+
+pdns_read_config(pdns_control_t)
+stream_connect_pattern(pdns_control_t, pdns_var_run_t, pdns_var_run_t, pdns_t)
+
+
+########################################
+#
+# optional policy
+#
+
+optional_policy(`
+ mysql_read_config(pdns_t)
+ mysql_stream_connect(pdns_t)
+ tunable_policy(`pdns_can_network_connect_db',`
+ mysql_tcp_connect(pdns_t)
+ ')
+')
+
+optional_policy(`
+ postgresql_stream_connect(pdns_t)
+ tunable_policy(`pdns_can_network_connect_db',`
+ postgresql_tcp_connect(pdns_t)
+ ')
+')
diff --git a/pegasus.fc b/pegasus.fc
index dfd46e412..feaa8e174 100644
--- a/pegasus.fc
+++ b/pegasus.fc
@@ -1,15 +1,33 @@
-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
+
+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
+/etc/Pegasus/cimserver_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
-/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
-/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0)
+/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
-/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
+/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
-/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
+/var/lib/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0)
-/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
+/var/run/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_var_run_t,s0)
+
+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
+
+/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
+
+/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+
+/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0)
+
+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
+
+/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
diff --git a/pegasus.if b/pegasus.if
index d2fc677c1..86dce34a2 100644
--- a/pegasus.if
+++ b/pegasus.if
@@ -1,52 +1,60 @@
## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+######################################
+## <summary>
+## Creates types and rules for a basic
+## openlmi init daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`pegasus_openlmi_domain_template',`
+ gen_require(`
+ attribute pegasus_openlmi_domain;
+ type pegasus_t;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ type pegasus_openlmi_$1_t, pegasus_openlmi_domain;
+ type pegasus_openlmi_$1_exec_t;
+ init_daemon_domain(pegasus_openlmi_$1_t, pegasus_openlmi_$1_exec_t)
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t)
+ allow pegasus_t pegasus_openlmi_$1_exec_t:file ioctl;
+
+ kernel_read_system_state(pegasus_openlmi_$1_t)
+ logging_send_syslog_msg(pegasus_openlmi_$1_t)
+')
+
########################################
## <summary>
-## All of the rules required to
-## administrate an pegasus environment.
+## Connect to pegasus over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
#
-interface(`pegasus_admin',`
+interface(`pegasus_stream_connect',`
gen_require(`
- type pegasus_t, pegasus_initrc_exec_t, pegasus_tmp_t;
- type pegasus_cache_t, pegasus_data_t, pegasus_conf_t;
- type pegasus_mof_t, pegasus_var_run_t;
+ type pegasus_t, pegasus_var_run_t, pegasus_tmp_t;
')
- allow $1 pegasus_t:process { ptrace signal_perms };
- ps_process_pattern($1, pegasus_t)
-
- init_labeled_script_domtrans($1, pegasus_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pegasus_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_etc($1)
- admin_pattern($1, pegasus_conf_t)
-
- files_search_usr($1)
- admin_pattern($1, pegasus_mof_t)
-
- files_search_tmp($1)
- admin_pattern($1, pegasus_tmp_t)
-
- files_search_var($1)
- admin_pattern($1, pegasus_cache_t)
-
- files_search_var_lib($1)
- admin_pattern($1, pegasus_data_t)
-
files_search_pids($1)
- admin_pattern($1, pegasus_var_run_t)
+ stream_connect_pattern($1, pegasus_var_run_t, pegasus_var_run_t, pegasus_t)
+ stream_connect_pattern($1, pegasus_tmp_t, pegasus_tmp_t, pegasus_t)
')
+
diff --git a/pegasus.te b/pegasus.te
index 608f454d8..64782ff03 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
# Declarations
#
+attribute pegasus_openlmi_domain;
+
type pegasus_t;
type pegasus_exec_t;
init_daemon_domain(pegasus_t, pegasus_exec_t)
-type pegasus_initrc_exec_t;
-init_script_file(pegasus_initrc_exec_t)
-
type pegasus_cache_t;
files_type(pegasus_cache_t)
@@ -30,20 +29,337 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
+# pegasus openlmi providers
+pegasus_openlmi_domain_template(admin)
+typealias pegasus_openlmi_admin_t alias pegasus_openlmi_service_t;
+typealias pegasus_openlmi_admin_exec_t alias pegasus_openlmi_service_exec_t;
+
+pegasus_openlmi_domain_template(account)
+domain_obj_id_change_exemption(pegasus_openlmi_account_t)
+domain_system_change_exemption(pegasus_openlmi_account_t)
+
+pegasus_openlmi_domain_template(logicalfile)
+pegasus_openlmi_domain_template(services)
+
+pegasus_openlmi_domain_template(storage)
+type pegasus_openlmi_storage_tmp_t;
+files_tmp_file(pegasus_openlmi_storage_tmp_t)
+
+type pegasus_openlmi_storage_lib_t;
+files_type(pegasus_openlmi_storage_lib_t)
+
+type pegasus_openlmi_storage_var_run_t;
+files_pid_file(pegasus_openlmi_storage_var_run_t)
+
+pegasus_openlmi_domain_template(system)
+typealias pegasus_openlmi_system_t alias pegasus_openlmi_networking_t;
+pegasus_openlmi_domain_template(unconfined)
+
+#######################################
+#
+# pegasus openlmi providers local policy
+#
+
+allow pegasus_openlmi_domain self:capability { setuid setgid };
+
+allow pegasus_openlmi_domain self:fifo_file rw_fifo_file_perms;
+allow pegasus_openlmi_domain self:udp_socket create_socket_perms;
+
+manage_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
+manage_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
+
+corecmd_exec_bin(pegasus_openlmi_domain)
+corecmd_exec_shell(pegasus_openlmi_domain)
+
+dev_read_sysfs(pegasus_openlmi_domain)
+
+auth_read_passwd(pegasus_openlmi_domain)
+
+sysnet_read_config(pegasus_openlmi_domain)
+
+optional_policy(`
+ pegasus_stream_connect(pegasus_openlmi_domain)
+')
+
+######################################
+#
+# pegasus openlmi account local policy
+#
+
+allow pegasus_openlmi_account_t self:capability { chown dac_read_search fowner fsetid };
+allow pegasus_openlmi_account_t self:process setfscreate;
+
+auth_manage_passwd(pegasus_openlmi_account_t)
+auth_manage_shadow(pegasus_openlmi_account_t)
+auth_relabel_shadow(pegasus_openlmi_account_t)
+auth_read_login_records(pegasus_openlmi_account_t)
+auth_etc_filetrans_shadow(pegasus_openlmi_account_t)
+
+logging_send_audit_msgs(pegasus_openlmi_account_t)
+logging_send_syslog_msg(pegasus_openlmi_account_t)
+
+init_rw_utmp(pegasus_openlmi_account_t)
+
+seutil_semanage_policy(pegasus_openlmi_account_t)
+
+logging_send_syslog_msg(pegasus_openlmi_account_t)
+
+seutil_read_config(pegasus_openlmi_account_t)
+seutil_read_file_contexts(pegasus_openlmi_account_t)
+seutil_read_default_contexts(pegasus_openlmi_account_t)
+
+# Add/remove user home directories
+userdom_home_filetrans_user_home_dir(pegasus_openlmi_account_t)
+userdom_manage_home_role(system_r, pegasus_openlmi_account_t)
+userdom_delete_all_user_home_content(pegasus_openlmi_account_t)
+
+optional_policy(`
+ # run userdel
+ usermanage_domtrans_useradd(pegasus_openlmi_account_t)
+')
+
+######################################
+#
+# pegasus openlmi logicalfile local policy
+#
+
+allow pegasus_openlmi_logicalfile_t self:capability { dac_read_search };
+files_manage_non_security_dirs(pegasus_openlmi_logicalfile_t)
+files_manage_non_security_files(pegasus_openlmi_logicalfile_t)
+
+dev_getattr_all_blk_files(pegasus_openlmi_logicalfile_t)
+dev_getattr_all_chr_files(pegasus_openlmi_logicalfile_t)
+
+files_list_all(pegasus_openlmi_logicalfile_t)
+files_read_all_files(pegasus_openlmi_logicalfile_t)
+files_read_all_symlinks(pegasus_openlmi_logicalfile_t)
+files_read_all_blk_files(pegasus_openlmi_logicalfile_t)
+files_read_all_chr_files(pegasus_openlmi_logicalfile_t)
+files_getattr_all_pipes(pegasus_openlmi_logicalfile_t)
+files_getattr_all_sockets(pegasus_openlmi_logicalfile_t)
+
+# Add/remove user home directories
+userdom_home_filetrans_user_home_dir(pegasus_openlmi_logicalfile_t)
+userdom_manage_home_role(system_r, pegasus_openlmi_logicalfile_t)
+userdom_delete_all_user_home_content(pegasus_openlmi_logicalfile_t)
+
+optional_policy(`
+ # it can delete/create empty dirs
+ # so we want to have unconfined_domain attribute for filename rules
+ unconfined_domain(pegasus_openlmi_logicalfile_t)
+')
+
+######################################
+#
+# pegasus openlmi services local policy
+#
+
+allow pegasus_openlmi_services_t self:netlink_route_socket r_netlink_socket_perms;
+
+kernel_read_network_state(pegasus_openlmi_services_t)
+
+miscfiles_read_certs(pegasus_openlmi_services_t)
+
+optional_policy(`
+ dbus_system_bus_client(pegasus_openlmi_services_t)
+')
+
+optional_policy(`
+ realmd_dbus_chat(pegasus_openlmi_services_t)
+')
+
+optional_policy(`
+ sssd_read_public_files(pegasus_openlmi_services_t)
+ sssd_stream_connect(pegasus_openlmi_services_t)
+')
+
+######################################
+#
+# pegasus openlmi system (networking) local policy
+#
+
+allow pegasus_openlmi_system_t self:capability { net_admin sys_boot };
+allow pegasus_openlmi_system_t self:process signal_perms;
+
+allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms;
+
+kernel_read_network_state(pegasus_openlmi_system_t)
+
+auth_use_nsswitch(pegasus_openlmi_system_t)
+
+dev_rw_sysfs(pegasus_openlmi_system_t)
+dev_read_urand(pegasus_openlmi_system_t)
+
+fs_getattr_all_fs(pegasus_openlmi_system_t)
+
+init_read_utmp(pegasus_openlmi_system_t)
+
+systemd_config_power_services(pegasus_openlmi_system_t)
+systemd_dbus_chat_logind(pegasus_openlmi_system_t)
+
+optional_policy(`
+ dbus_system_bus_client(pegasus_openlmi_system_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(pegasus_openlmi_system_t)
+')
+
+######################################
+#
+# pegasus openlmi service local policy
+#
+
+fs_getattr_all_fs(pegasus_openlmi_admin_t)
+
+init_manage_transient_unit(pegasus_openlmi_admin_t)
+init_disable_services(pegasus_openlmi_admin_t)
+init_enable_services(pegasus_openlmi_admin_t)
+init_reload_services(pegasus_openlmi_admin_t)
+init_status(pegasus_openlmi_admin_t)
+init_reboot(pegasus_openlmi_admin_t)
+init_exec(pegasus_openlmi_admin_t)
+
+systemd_config_all_services(pegasus_openlmi_admin_t)
+systemd_manage_all_unit_files(pegasus_openlmi_admin_t)
+systemd_manage_all_unit_lnk_files(pegasus_openlmi_admin_t)
+
+allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;
+
+logging_read_syslog_pid(pegasus_openlmi_admin_t)
+logging_read_generic_logs(pegasus_openlmi_admin_t)
+
+optional_policy(`
+ dbus_system_bus_client(pegasus_openlmi_admin_t)
+
+ optional_policy(`
+ init_dbus_chat(pegasus_openlmi_admin_t)
+ ')
+')
+
+optional_policy(`
+ sssd_stream_connect(pegasus_openlmi_admin_t)
+')
+
+######################################
+#
+# pegasus openlmi storage local policy
+#
+
+allow pegasus_openlmi_storage_t self:capability { sys_admin sys_rawio sys_resource ipc_lock };
+allow pegasus_openlmi_storage_t self:process setrlimit;
+
+allow pegasus_openlmi_storage_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t)
+manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t)
+files_var_lib_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, file)
+
+manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
+manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
+files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir})
+
+manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t)
+manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t)
+files_pid_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, dir, "openlmi-storage")
+
+kernel_read_all_sysctls(pegasus_openlmi_storage_t)
+kernel_read_network_state(pegasus_openlmi_storage_t)
+kernel_get_sysvipc_info(pegasus_openlmi_storage_t)
+kernel_request_load_module(pegasus_openlmi_storage_t)
+
+auth_use_nsswitch(pegasus_openlmi_storage_t)
+
+dev_read_raw_memory(pegasus_openlmi_storage_t)
+dev_read_rand(pegasus_openlmi_storage_t)
+dev_read_urand(pegasus_openlmi_storage_t)
+
+dev_rw_lvm_control(pegasus_openlmi_storage_t)
+dev_rw_sysfs(pegasus_openlmi_storage_t)
+
+selinux_validate_context(pegasus_openlmi_storage_t)
+
+seutil_read_file_contexts(pegasus_openlmi_storage_t)
+
+storage_raw_read_removable_device(pegasus_openlmi_storage_t)
+storage_raw_write_removable_device(pegasus_openlmi_storage_t)
+storage_raw_read_fixed_disk(pegasus_openlmi_storage_t)
+storage_raw_write_fixed_disk(pegasus_openlmi_storage_t)
+
+files_read_kernel_modules(pegasus_openlmi_storage_t)
+
+fs_getattr_all_fs(pegasus_openlmi_storage_t)
+
+modutils_domtrans_insmod(pegasus_openlmi_storage_t)
+
+udev_domtrans(pegasus_openlmi_storage_t)
+udev_read_pid_files(pegasus_openlmi_storage_t)
+
+init_read_state(pegasus_openlmi_storage_t)
+
+miscfiles_read_hwdata(pegasus_openlmi_storage_t)
+
+optional_policy(`
+ dmidecode_domtrans(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+ gnome_dontaudit_search_config(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+ fstools_domtrans(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+ iscsi_manage_lock(pegasus_openlmi_storage_t)
+ iscsi_read_lib_files(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+ libs_exec_ldconfig(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+ lvm_domtrans(pegasus_openlmi_storage_t)
+ lvm_read_metadata(pegasus_openlmi_storage_t)
+ lvm_write_metadata(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+ mount_domtrans(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+ raid_domtrans_mdadm(pegasus_openlmi_storage_t)
+ raid_filetrans_named_content(pegasus_openlmi_storage_t)
+ raid_manage_conf_files(pegasus_openlmi_storage_t)
+')
+
+######################################
+#
+# pegasus openlmi unconfined local policy
+#
+
+optional_policy(`
+ unconfined_domain(pegasus_openlmi_unconfined_t)
+')
+
########################################
#
-# Local policy
+# pegasus local policy
#
-allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service };
+allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_read_search net_admin net_bind_service sys_ptrace };
dontaudit pegasus_t self:capability sys_tty_config;
-allow pegasus_t self:process signal;
+allow pegasus_t self:process { setsched signal };
allow pegasus_t self:fifo_file rw_fifo_file_perms;
-allow pegasus_t self:unix_stream_socket { connectto accept listen };
-allow pegasus_t self:tcp_socket { accept listen };
+allow pegasus_t self:unix_dgram_socket create_socket_perms;
+allow pegasus_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow pegasus_t self:tcp_socket create_stream_socket_perms;
allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
-allow pegasus_t pegasus_conf_t:file { read_file_perms delete_file_perms rename_file_perms };
+allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms rename_file_perms };
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
@@ -54,25 +370,26 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
-filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { dir file })
+filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { file dir })
+
+can_exec(pegasus_t, pegasus_exec_t)
allow pegasus_t pegasus_mof_t:dir list_dir_perms;
-allow pegasus_t pegasus_mof_t:file read_file_perms;
-allow pegasus_t pegasus_mof_t:lnk_file read_lnk_file_perms;
+read_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t)
+read_lnk_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t)
manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
-files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { dir file })
+files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
+manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
-manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
-files_pid_filetrans(pegasus_t, pegasus_var_run_t, { dir file sock_file })
-
-can_exec(pegasus_t, pegasus_exec_t)
+files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir })
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
+kernel_read_sysctl(pegasus_t)
kernel_read_fs_sysctls(pegasus_t)
kernel_read_system_state(pegasus_t)
kernel_search_vm_sysctl(pegasus_t)
@@ -80,27 +397,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
-corenet_all_recvfrom_unlabeled(pegasus_t)
corenet_all_recvfrom_netlabel(pegasus_t)
corenet_tcp_sendrecv_generic_if(pegasus_t)
corenet_tcp_sendrecv_generic_node(pegasus_t)
corenet_tcp_sendrecv_all_ports(pegasus_t)
corenet_tcp_bind_generic_node(pegasus_t)
-
-corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
corenet_tcp_bind_pegasus_http_port(pegasus_t)
-
-corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
corenet_tcp_bind_pegasus_https_port(pegasus_t)
-
-corenet_sendrecv_pegasus_http_client_packets(pegasus_t)
corenet_tcp_connect_pegasus_http_port(pegasus_t)
-
-corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
corenet_tcp_connect_pegasus_https_port(pegasus_t)
-
-corenet_sendrecv_generic_client_packets(pegasus_t)
corenet_tcp_connect_generic_port(pegasus_t)
+corenet_sendrecv_generic_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_http_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
+corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
@@ -114,9 +425,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
+auth_read_shadow(pegasus_t)
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
+domain_named_filetrans(pegasus_t)
files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
@@ -128,18 +441,29 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
-miscfiles_read_localization(pegasus_t)
+mount_domtrans(pegasus_t)
+
+sysnet_read_config(pegasus_t)
+sysnet_domtrans_ifconfig(pegasus_t)
userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
userdom_dontaudit_search_user_home_dirs(pegasus_t)
optional_policy(`
- dbus_system_bus_client(pegasus_t)
- dbus_connect_system_bus(pegasus_t)
+ dmidecode_domtrans(pegasus_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(pegasus_t)
+ dbus_connect_system_bus(pegasus_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(pegasus_t)
+ ')
+')
- optional_policy(`
- networkmanager_dbus_chat(pegasus_t)
- ')
+optional_policy(`
+ rhcs_stream_connect_cluster(pegasus_t)
')
optional_policy(`
@@ -151,16 +475,24 @@ optional_policy(`
')
optional_policy(`
- rpm_exec(pegasus_t)
+ ricci_stream_connect_modclusterd(pegasus_t)
')
optional_policy(`
- samba_manage_config(pegasus_t)
+ realmd_dbus_chat(pegasus_t)
')
optional_policy(`
- seutil_sigchld_newrole(pegasus_t)
- seutil_dontaudit_read_config(pegasus_t)
+ rpc_read_exports(pegasus_t)
+ rpc_read_nfs_state_data(pegasus_t)
+')
+
+optional_policy(`
+ rpm_domtrans(pegasus_t)
+')
+
+optional_policy(`
+ samba_manage_config(pegasus_t)
')
optional_policy(`
@@ -168,7 +500,7 @@ optional_policy(`
')
optional_policy(`
- sysnet_domtrans_ifconfig(pegasus_t)
+ seutil_sigchld_newrole(pegasus_t)
')
optional_policy(`
@@ -180,12 +512,17 @@ optional_policy(`
')
optional_policy(`
+ virt_getattr_images(pegasus_t)
virt_domtrans(pegasus_t)
virt_stream_connect(pegasus_t)
virt_manage_config(pegasus_t)
')
optional_policy(`
+ qemu_getattr_exec(pegasus_t)
+')
+
+optional_policy(`
xen_stream_connect(pegasus_t)
xen_stream_connect_xenstore(pegasus_t)
')
diff --git a/pesign.fc b/pesign.fc
new file mode 100644
index 000000000..7b54c3926
--- /dev/null
+++ b/pesign.fc
@@ -0,0 +1,6 @@
+/usr/bin/pesign -- gen_context(system_u:object_r:pesign_exec_t,s0)
+
+/usr/lib/systemd/system/pesign.service -- gen_context(system_u:object_r:pesign_unit_file_t,s0)
+
+/var/run/pesign(/.*)? gen_context(system_u:object_r:pesign_var_run_t,s0)
+/var/run/pesign\.pid -- gen_context(system_u:object_r:pesign_var_run_t,s0)
diff --git a/pesign.if b/pesign.if
new file mode 100644
index 000000000..4d531cb9d
--- /dev/null
+++ b/pesign.if
@@ -0,0 +1,99 @@
+
+## <summary>pesign utility for signing UEFI binaries as well as other associated tools</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the pesign domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pesign_domtrans',`
+ gen_require(`
+ type pesign_t, pesign_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pesign_exec_t, pesign_t)
+')
+########################################
+## <summary>
+## Read pesign PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pesign_read_pid_files',`
+ gen_require(`
+ type pesign_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, pesign_var_run_t, pesign_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute pesign server in the pesign domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pesign_systemctl',`
+ gen_require(`
+ type pesign_t;
+ type pesign_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 pesign_unit_file_t:file read_file_perms;
+ allow $1 pesign_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, pesign_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an pesign environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pesign_admin',`
+ gen_require(`
+ type pesign_t;
+ type pesign_var_run_t;
+ type pesign_unit_file_t;
+ ')
+
+ allow $1 pesign_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pesign_t)
+
+ files_search_pids($1)
+ admin_pattern($1, pesign_var_run_t)
+
+ pesign_systemctl($1)
+ admin_pattern($1, pesign_unit_file_t)
+ allow $1 pesign_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/pesign.te b/pesign.te
new file mode 100644
index 000000000..513887d18
--- /dev/null
+++ b/pesign.te
@@ -0,0 +1,43 @@
+policy_module(pesign, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pesign_t;
+type pesign_exec_t;
+init_daemon_domain(pesign_t, pesign_exec_t)
+
+type pesign_var_run_t;
+files_pid_file(pesign_var_run_t)
+
+type pesign_unit_file_t;
+systemd_unit_file(pesign_unit_file_t)
+
+########################################
+#
+# pesign local policy
+#
+
+allow pesign_t self:capability { setgid setuid };
+allow pesign_t self:process setsched;
+allow pesign_t self:fifo_file rw_fifo_file_perms;
+allow pesign_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+manage_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+manage_lnk_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+manage_sock_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+files_pid_filetrans(pesign_t, pesign_var_run_t, { file dir })
+
+dev_read_urand(pesign_t)
+
+files_dontaudit_list_tmp(pesign_t)
+
+auth_use_nsswitch(pesign_t)
+
+logging_send_syslog_msg(pesign_t)
+
+miscfiles_read_certs(pesign_t)
+miscfiles_read_localization(pesign_t)
diff --git a/pingd.if b/pingd.if
index 21a6ecbe7..b99e4cb0b 100644
--- a/pingd.if
+++ b/pingd.if
@@ -55,7 +55,8 @@ interface(`pingd_manage_config',`
')
files_search_etc($1)
- allow $1 pingd_etc_t:file manage_file_perms;
+ manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
+ manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
')
#######################################
@@ -81,9 +82,13 @@ interface(`pingd_admin',`
type pingd_initrc_exec_t;
')
- allow $1 pingd_t:process { ptrace signal_perms };
+ allow $1 pingd_t:process signal_perms;
ps_process_pattern($1, pingd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 pingd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, pingd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 pingd_initrc_exec_t system_r;
diff --git a/pingd.te b/pingd.te
index ab0106027..778c8eb12 100644
--- a/pingd.te
+++ b/pingd.te
@@ -10,7 +10,7 @@ type pingd_exec_t;
init_daemon_domain(pingd_t, pingd_exec_t)
type pingd_etc_t;
-files_type(pingd_etc_t)
+files_config_file(pingd_etc_t)
type pingd_initrc_exec_t;
init_script_file(pingd_initrc_exec_t)
@@ -45,10 +45,10 @@ corenet_tcp_bind_generic_node(pingd_t)
corenet_sendrecv_pingd_server_packets(pingd_t)
corenet_tcp_bind_pingd_port(pingd_t)
+dev_read_urand(pingd_t)
+
auth_use_nsswitch(pingd_t)
files_search_usr(pingd_t)
logging_send_syslog_msg(pingd_t)
-
-miscfiles_read_localization(pingd_t)
diff --git a/piranha.fc b/piranha.fc
new file mode 100644
index 000000000..20ea9f54b
--- /dev/null
+++ b/piranha.fc
@@ -0,0 +1,24 @@
+
+/etc/rc\.d/init\.d/pulse -- gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0)
+
+# RHEL6
+#/etc/sysconfig/ha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)
+
+/etc/piranha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)
+
+/usr/sbin/fos -- gen_context(system_u:object_r:piranha_fos_exec_t,s0)
+/usr/sbin/lvsd -- gen_context(system_u:object_r:piranha_lvs_exec_t,s0)
+/usr/sbin/piranha_gui -- gen_context(system_u:object_r:piranha_web_exec_t,s0)
+/usr/sbin/pulse -- gen_context(system_u:object_r:piranha_pulse_exec_t,s0)
+
+/var/lib/luci(/.*)? gen_context(system_u:object_r:piranha_web_data_t,s0)
+/var/lib/luci/cert(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0)
+/var/lib/luci/etc(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0)
+
+/var/log/piranha(/.*)? gen_context(system_u:object_r:piranha_log_t,s0)
+
+/var/run/fos\.pid -- gen_context(system_u:object_r:piranha_fos_var_run_t,s0)
+/var/run/lvs\.pid -- gen_context(system_u:object_r:piranha_lvs_var_run_t,s0)
+/var/run/piranha-httpd\.pid -- gen_context(system_u:object_r:piranha_web_var_run_t,s0)
+/var/run/pulse\.pid -- gen_context(system_u:object_r:piranha_pulse_var_run_t,s0)
+
diff --git a/piranha.if b/piranha.if
new file mode 100644
index 000000000..cf54103b6
--- /dev/null
+++ b/piranha.if
@@ -0,0 +1,187 @@
+## <summary>policy for piranha</summary>
+
+#######################################
+## <summary>
+## Creates types and rules for a basic
+## cluster init daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`piranha_domain_template',`
+ gen_require(`
+ attribute piranha_domain;
+ ')
+
+ ##############################
+ #
+ # piranha_$1_t declarations
+ #
+
+ type piranha_$1_t, piranha_domain;
+ type piranha_$1_exec_t;
+ init_daemon_domain(piranha_$1_t, piranha_$1_exec_t)
+
+ # tmpfs files
+ type piranha_$1_tmpfs_t, piranha_tmpfs;
+ files_tmpfs_file(piranha_$1_tmpfs_t)
+
+ # pid files
+ type piranha_$1_var_run_t;
+ files_pid_file(piranha_$1_var_run_t)
+
+ ##############################
+ #
+ # piranha_$1_t local policy
+ #
+
+ manage_dirs_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
+ manage_files_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
+ fs_tmpfs_filetrans(piranha_$1_t, piranha_$1_tmpfs_t, { dir file })
+
+ manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
+ manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
+ files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file })
+
+ kernel_read_system_state(piranha_$1_t)
+
+ auth_use_nsswitch(piranha_$1_t)
+
+ logging_send_syslog_msg(piranha_$1_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run fos.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`piranha_domtrans_fos',`
+ gen_require(`
+ type piranha_fos_t, piranha_fos_exec_t;
+ ')
+
+ domtrans_pattern($1, piranha_fos_exec_t, piranha_fos_t)
+')
+
+#######################################
+## <summary>
+## Execute a domain transition to run lvsd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`piranha_domtrans_lvs',`
+ gen_require(`
+ type piranha_lvs_t, piranha_lvs_exec_t;
+ ')
+
+ domtrans_pattern($1, piranha_lvs_exec_t, piranha_lvs_t)
+')
+
+#######################################
+## <summary>
+## Execute a domain transition to run pulse.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`piranha_domtrans_pulse',`
+ gen_require(`
+ type piranha_pulse_t, piranha_pulse_exec_t;
+ ')
+
+ domtrans_pattern($1, piranha_pulse_exec_t, piranha_pulse_t)
+')
+
+#######################################
+## <summary>
+## Execute pulse server in the pulse domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`piranha_pulse_initrc_domtrans',`
+ gen_require(`
+ type piranha_pulse_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read piranha's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`piranha_read_log',`
+ gen_require(`
+ type piranha_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, piranha_log_t, piranha_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## piranha log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`piranha_append_log',`
+ gen_require(`
+ type piranha_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, piranha_log_t, piranha_log_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage piranha log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`piranha_manage_log',`
+ gen_require(`
+ type piranha_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, piranha_log_t, piranha_log_t)
+ manage_files_pattern($1, piranha_log_t, piranha_log_t)
+ manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t)
+')
diff --git a/piranha.te b/piranha.te
new file mode 100644
index 000000000..a989aea2e
--- /dev/null
+++ b/piranha.te
@@ -0,0 +1,292 @@
+policy_module(piranha, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow piranha-lvs domain to connect to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(piranha_lvs_can_network_connect, false)
+
+attribute piranha_domain;
+attribute piranha_tmpfs;
+
+piranha_domain_template(fos)
+
+piranha_domain_template(lvs)
+
+piranha_domain_template(pulse)
+
+type piranha_pulse_initrc_exec_t;
+init_script_file(piranha_pulse_initrc_exec_t)
+
+piranha_domain_template(web)
+
+type piranha_web_conf_t;
+files_config_file(piranha_web_conf_t)
+
+type piranha_web_data_t;
+files_type(piranha_web_data_t)
+
+type piranha_web_tmp_t;
+files_tmp_file(piranha_web_tmp_t)
+
+type piranha_etc_rw_t;
+files_config_file(piranha_etc_rw_t)
+
+type piranha_log_t;
+logging_log_file(piranha_log_t)
+
+#######################################
+#
+# piranha-fos local policy
+#
+
+kernel_read_kernel_sysctls(piranha_fos_t)
+
+domain_read_all_domains_state(piranha_fos_t)
+
+optional_policy(`
+ consoletype_exec(piranha_fos_t)
+')
+
+# start and stop services
+init_domtrans_script(piranha_fos_t)
+
+########################################
+#
+# piranha-gui local policy
+#
+
+allow piranha_web_t self:capability { setuid sys_nice kill setgid };
+allow piranha_web_t self:process { getsched setsched signal signull };
+
+allow piranha_web_t self:rawip_socket create_socket_perms;
+allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
+allow piranha_web_t self:sem create_sem_perms;
+allow piranha_web_t self:shm create_shm_perms;
+
+manage_files_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
+manage_dirs_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
+files_var_lib_filetrans(piranha_web_t, piranha_web_data_t, file)
+
+read_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t)
+
+rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t)
+
+manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
+manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
+logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file })
+
+can_exec(piranha_web_t, piranha_web_tmp_t)
+manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
+manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
+files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir })
+
+piranha_pulse_initrc_domtrans(piranha_web_t)
+
+kernel_read_kernel_sysctls(piranha_web_t)
+
+corenet_tcp_bind_http_cache_port(piranha_web_t)
+corenet_tcp_bind_luci_port(piranha_web_t)
+corenet_tcp_bind_servistaitsm_port(piranha_web_t)
+corenet_tcp_connect_ricci_port(piranha_web_t)
+
+dev_read_rand(piranha_web_t)
+dev_read_urand(piranha_web_t)
+
+domain_read_all_domains_state(piranha_web_t)
+
+
+optional_policy(`
+ consoletype_exec(piranha_web_t)
+')
+
+optional_policy(`
+ apache_read_config(piranha_web_t)
+ apache_exec_modules(piranha_web_t)
+ apache_exec(piranha_web_t)
+')
+
+optional_policy(`
+ gnome_dontaudit_search_config(piranha_web_t)
+')
+
+optional_policy(`
+ sasl_connect(piranha_web_t)
+')
+
+optional_policy(`
+ snmp_dontaudit_read_snmp_var_lib_files(piranha_web_t)
+ snmp_dontaudit_write_snmp_var_lib_files(piranha_web_t)
+')
+
+######################################
+#
+# piranha-lvs local policy
+#
+
+# neede by nanny
+allow piranha_lvs_t self:capability { net_raw sys_nice };
+allow piranha_lvs_t self:process signal;
+allow piranha_lvs_t self:unix_dgram_socket create_socket_perms;
+allow piranha_lvs_t self:rawip_socket create_socket_perms;
+
+manage_files_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
+manage_dirs_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
+
+kernel_read_kernel_sysctls(piranha_lvs_t)
+
+# needed by nanny
+corenet_tcp_connect_ftp_port(piranha_lvs_t)
+corenet_tcp_connect_http_port(piranha_lvs_t)
+corenet_tcp_connect_smtp_port(piranha_lvs_t)
+
+sysnet_dns_name_resolve(piranha_lvs_t)
+
+# needed by nanny
+tunable_policy(`piranha_lvs_can_network_connect',`
+ corenet_tcp_connect_all_ports(piranha_lvs_t)
+')
+
+# needed by ipvsadm
+optional_policy(`
+ iptables_domtrans(piranha_lvs_t)
+')
+
+#######################################
+#
+# piranha-pulse local policy
+#
+
+allow piranha_pulse_t self:capability net_admin;
+
+allow piranha_pulse_t self:packet_socket create_socket_perms;
+
+# pulse starts fos and lvs daemon
+domtrans_pattern(piranha_pulse_t, piranha_fos_exec_t, piranha_fos_t)
+allow piranha_pulse_t piranha_fos_t:process signal;
+
+domtrans_pattern(piranha_pulse_t, piranha_lvs_exec_t, piranha_lvs_t)
+allow piranha_pulse_t piranha_lvs_t:process signal;
+
+kernel_read_kernel_sysctls(piranha_pulse_t)
+kernel_read_rpc_sysctls(piranha_pulse_t)
+kernel_rw_rpc_sysctls(piranha_pulse_t)
+kernel_search_debugfs(piranha_pulse_t)
+kernel_search_network_state(piranha_pulse_t)
+
+corecmd_exec_bin(piranha_pulse_t)
+corecmd_exec_shell(piranha_pulse_t)
+optional_policy(`
+ consoletype_exec(piranha_pulse_t)
+')
+
+corenet_udp_bind_apertus_ldp_port(piranha_pulse_t)
+corenet_udp_bind_cma_port(piranha_pulse_t)
+
+domain_read_all_domains_state(piranha_pulse_t)
+domain_getattr_all_domains(piranha_pulse_t)
+
+fs_getattr_all_fs(piranha_pulse_t)
+
+init_initrc_domain(piranha_pulse_t)
+
+logging_send_syslog_msg(piranha_pulse_t)
+
+# various services to failover
+
+optional_policy(`
+ apache_domtrans(piranha_pulse_t)
+ apache_signal(piranha_pulse_t)
+')
+
+optional_policy(`
+ ftp_domtrans(piranha_pulse_t)
+ ftp_initrc_domtrans(piranha_pulse_t)
+ ftp_systemctl(piranha_pulse_t)
+')
+
+optional_policy(`
+ hostname_exec(piranha_pulse_t)
+')
+
+optional_policy(`
+ iptables_domtrans(piranha_pulse_t)
+')
+
+optional_policy(`
+ ldap_systemctl(piranha_pulse_t)
+ ldap_initrc_domtrans(piranha_pulse_t)
+ ldap_domtrans(piranha_pulse_t)
+')
+
+optional_policy(`
+ mysql_domtrans_mysql_safe(piranha_pulse_t)
+ mysql_stream_connect(piranha_pulse_t)
+')
+
+optional_policy(`
+ netutils_domtrans(piranha_pulse_t)
+ netutils_domtrans_ping(piranha_pulse_t)
+')
+
+optional_policy(`
+ postgresql_domtrans(piranha_pulse_t)
+ postgresql_signal(piranha_pulse_t)
+')
+
+optional_policy(`
+ samba_initrc_domtrans(piranha_pulse_t)
+ samba_systemctl(piranha_pulse_t)
+ samba_domtrans_smbd(piranha_pulse_t)
+ samba_domtrans_nmbd(piranha_pulse_t)
+ samba_manage_var_files(piranha_pulse_t)
+ samba_rw_config(piranha_pulse_t)
+ samba_signal_smbd(piranha_pulse_t)
+ samba_signal_nmbd(piranha_pulse_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(piranha_pulse_t)
+')
+
+optional_policy(`
+ udev_read_db(piranha_pulse_t)
+')
+
+####################################
+#
+# piranha domains common policy
+#
+
+allow piranha_domain self:process signal_perms;
+allow piranha_domain self:fifo_file rw_fifo_file_perms;
+allow piranha_domain self:tcp_socket create_stream_socket_perms;
+allow piranha_domain self:udp_socket create_socket_perms;
+allow piranha_domain self:unix_stream_socket create_stream_socket_perms;
+
+read_files_pattern(piranha_domain, piranha_etc_rw_t, piranha_etc_rw_t)
+
+manage_files_pattern(piranha_pulse_t, piranha_tmpfs,piranha_tmpfs)
+manage_dirs_pattern(piranha_pulse_t, piranha_tmpfs ,piranha_tmpfs)
+
+kernel_read_network_state(piranha_domain)
+
+corenet_tcp_sendrecv_generic_if(piranha_domain)
+corenet_udp_sendrecv_generic_if(piranha_domain)
+corenet_tcp_sendrecv_generic_node(piranha_domain)
+corenet_udp_sendrecv_generic_node(piranha_domain)
+corenet_tcp_sendrecv_all_ports(piranha_domain)
+corenet_udp_sendrecv_all_ports(piranha_domain)
+corenet_tcp_bind_generic_node(piranha_domain)
+corenet_udp_bind_generic_node(piranha_domain)
+
+corecmd_exec_bin(piranha_domain)
+corecmd_exec_shell(piranha_domain)
+
+sysnet_read_config(piranha_domain)
diff --git a/pkcs.fc b/pkcs.fc
index 9a72226e3..b2968942f 100644
--- a/pkcs.fc
+++ b/pkcs.fc
@@ -4,4 +4,8 @@
/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0)
+/var/log/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_log_t,s0)
+
+/var/lock/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_lock_t,s0)
+
/var/run/pkcsslotd.* gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0)
diff --git a/pkcs.if b/pkcs.if
index 69be2aaf2..2d7b3f656 100644
--- a/pkcs.if
+++ b/pkcs.if
@@ -19,7 +19,7 @@
#
interface(`pkcs_admin_slotd',`
gen_require(`
- type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t;
+ type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t, pkcs_slotd_lock_t;
type pkcs_slotd_var_run_t, pkcs_slotd_tmp_t, pkcs_slotd_tmpfs_t;
')
@@ -34,6 +34,9 @@ interface(`pkcs_admin_slotd',`
files_search_var_lib($1)
admin_pattern($1, pkcs_slotd_var_lib_t)
+ files_search_locks($1)
+ admin_pattern($1, pkcs_slotd_lock_t)
+
files_search_pids($1)
admin_pattern($1, pkcs_slotd_var_run_t)
diff --git a/pkcs.te b/pkcs.te
index 8eb3f7bc1..81ee57df4 100644
--- a/pkcs.te
+++ b/pkcs.te
@@ -7,21 +7,34 @@ policy_module(pkcs, 1.0.1)
type pkcs_slotd_t;
type pkcs_slotd_exec_t;
+typealias pkcs_slotd_t alias pkcsslotd_t;
+typealias pkcs_slotd_exec_t alias pkcsslotd_exec_t;
init_daemon_domain(pkcs_slotd_t, pkcs_slotd_exec_t)
type pkcs_slotd_initrc_exec_t;
init_script_file(pkcs_slotd_initrc_exec_t)
type pkcs_slotd_var_lib_t;
+typealias pkcs_slotd_var_lib_t alias pkcsslotd_var_lib_t;
files_type(pkcs_slotd_var_lib_t)
+type pkcs_slotd_lock_t;
+typealias pkcs_slotd_lock_t alias pkcsslotd_lock_t;
+files_lock_file(pkcs_slotd_lock_t)
+
+type pkcs_slotd_log_t;
+logging_log_file(pkcs_slotd_log_t)
+
type pkcs_slotd_var_run_t;
+typealias pkcs_slotd_var_run_t alias pkcsslotd_var_run_t;
files_pid_file(pkcs_slotd_var_run_t)
type pkcs_slotd_tmp_t;
+typealias pkcs_slotd_tmp_t alias pkcsslotd_tmp_t;
files_tmp_file(pkcs_slotd_tmp_t)
type pkcs_slotd_tmpfs_t;
+typealias pkcs_slotd_tmpfs_t alias pkcsslotd_tmpfs_t;
files_tmpfs_file(pkcs_slotd_tmpfs_t)
########################################
@@ -40,6 +53,14 @@ manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir)
+manage_files_pattern(pkcs_slotd_t, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
+manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
+files_lock_filetrans(pkcs_slotd_t, pkcs_slotd_lock_t, dir)
+
+manage_files_pattern(pkcs_slotd_t, pkcs_slotd_log_t, pkcs_slotd_log_t)
+manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_log_t, pkcs_slotd_log_t)
+logging_log_filetrans(pkcs_slotd_t, pkcs_slotd_log_t, dir)
+
manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
manage_sock_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
@@ -51,10 +72,12 @@ files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir)
manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
-fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, dir)
+fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, { file dir })
+
+auth_use_nsswitch(pkcs_slotd_t)
-files_read_etc_files(pkcs_slotd_t)
+files_search_locks(pkcs_slotd_t)
logging_send_syslog_msg(pkcs_slotd_t)
-miscfiles_read_localization(pkcs_slotd_t)
+userdom_read_all_users_state(pkcs_slotd_t)
diff --git a/pkcs11proxyd.fc b/pkcs11proxyd.fc
new file mode 100644
index 000000000..ca1160af2
--- /dev/null
+++ b/pkcs11proxyd.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/pkcs11proxyd-softhsm.* -- gen_context(system_u:object_r:pkcs11proxyd_unit_file_t,s0)
+
+/usr/sbin/pkcs11proxyd -- gen_context(system_u:object_r:pkcs11proxyd_exec_t,s0)
+
+/var/lib/pkcs11proxyd(/.*)? gen_context(system_u:object_r:pkcs11proxyd_var_lib_t,s0)
+
+/var/run/pkcs11proxyd\.socket -s gen_context(system_u:object_r:pkcs11proxyd_var_run_t,s0)
diff --git a/pkcs11proxyd.if b/pkcs11proxyd.if
new file mode 100644
index 000000000..1fa6db2ea
--- /dev/null
+++ b/pkcs11proxyd.if
@@ -0,0 +1,175 @@
+
+## <summary>pkcs11proxyd-softhsm-ctl - manage the isolated PKCS #11 daemon with softhsm</summary>
+
+########################################
+## <summary>
+## Execute pkcs11proxyd_exec_t in the pkcs11proxyd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pkcs11proxyd_domtrans',`
+ gen_require(`
+ type pkcs11proxyd_t, pkcs11proxyd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pkcs11proxyd_exec_t, pkcs11proxyd_t)
+')
+
+######################################
+## <summary>
+## Execute pkcs11proxyd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pkcs11proxyd_exec',`
+ gen_require(`
+ type pkcs11proxyd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, pkcs11proxyd_exec_t)
+')
+
+########################################
+## <summary>
+## Search pkcs11proxyd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pkcs11proxyd_search_lib',`
+ gen_require(`
+ type pkcs11proxyd_var_lib_t;
+ ')
+
+ allow $1 pkcs11proxyd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read pkcs11proxyd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pkcs11proxyd_read_lib_files',`
+ gen_require(`
+ type pkcs11proxyd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage pkcs11proxyd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pkcs11proxyd_manage_lib_files',`
+ gen_require(`
+ type pkcs11proxyd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage pkcs11proxyd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pkcs11proxyd_manage_lib_dirs',`
+ gen_require(`
+ type pkcs11proxyd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an pkcs11proxyd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pkcs11proxyd_admin',`
+ gen_require(`
+ type pkcs11proxyd_t;
+ type pkcs11proxyd_var_lib_t;
+ ')
+
+ allow $1 pkcs11proxyd_t:process { signal_perms };
+ ps_process_pattern($1, pkcs11proxyd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 pkcs11proxyd_t:process ptrace;
+ ')
+
+ files_search_var_lib($1)
+ admin_pattern($1, pkcs11proxyd_var_lib_t)
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
+
+########################################
+## <summary>
+## Connect to pkcs11proxyd over an unix
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pkcs11proxyd_stream_connect',`
+ gen_require(`
+ type pkcs11proxyd_t, pkcs11proxyd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, pkcs11proxyd_var_run_t, pkcs11proxyd_var_run_t, pkcs11proxyd_t)
+')
diff --git a/pkcs11proxyd.te b/pkcs11proxyd.te
new file mode 100644
index 000000000..a2cb118ba
--- /dev/null
+++ b/pkcs11proxyd.te
@@ -0,0 +1,42 @@
+policy_module(pkcs11proxyd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pkcs11proxyd_t;
+type pkcs11proxyd_exec_t;
+init_daemon_domain(pkcs11proxyd_t, pkcs11proxyd_exec_t)
+
+type pkcs11proxyd_unit_file_t;
+systemd_unit_file(pkcs11proxyd_unit_file_t)
+
+type pkcs11proxyd_var_lib_t;
+files_type(pkcs11proxyd_var_lib_t)
+
+type pkcs11proxyd_var_run_t;
+files_pid_file(pkcs11proxyd_var_run_t)
+
+########################################
+#
+# pkcs11proxyd local policy
+#
+
+allow pkcs11proxyd_t self:capability { kill setuid setgid };
+allow pkcs11proxyd_t self:process { getpgid setpgid };
+
+manage_dirs_pattern(pkcs11proxyd_t, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
+manage_files_pattern(pkcs11proxyd_t, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
+manage_lnk_files_pattern(pkcs11proxyd_t, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
+files_var_lib_filetrans(pkcs11proxyd_t, pkcs11proxyd_var_lib_t, { dir })
+
+manage_sock_files_pattern(pkcs11proxyd_t, pkcs11proxyd_var_run_t, pkcs11proxyd_var_run_t)
+files_pid_filetrans(pkcs11proxyd_t, pkcs11proxyd_var_run_t, { sock_file })
+
+dev_read_urand(pkcs11proxyd_t)
+
+auth_use_nsswitch(pkcs11proxyd_t)
+
+logging_send_syslog_msg(pkcs11proxyd_t)
+
diff --git a/pki.fc b/pki.fc
new file mode 100644
index 000000000..47cd0f8ba
--- /dev/null
+++ b/pki.fc
@@ -0,0 +1,57 @@
+/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/etc/pki/pki-tomcat/ca(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/var/lib/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/log/pki(/.*)? gen_context(system_u:object_r:pki_log_t,s0)
+/usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0)
+/etc/pki/pki-tomcat/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+
+/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
+/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
+/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0)
+/var/run/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_var_run_t,s0)
+/etc/sysconfig/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
+/var/lib/pki-ra/pki-ra gen_context(system_u:object_r:pki_ra_exec_t,s0)
+
+/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
+/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0)
+/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0)
+/var/run/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_var_run_t,s0)
+/etc/sysconfig/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
+/var/lib/pki-tps/pki-tps gen_context(system_u:object_r:pki_tps_exec_t,s0)
+
+# default labeling for nCipher
+/opt/nfast/scripts/init.d/(.*) gen_context(system_u:object_r:initrc_exec_t, s0)
+/opt/nfast/sbin/init.d-ncipher gen_context(system_u:object_r:initrc_exec_t, s0)
+/opt/nfast(/.*)? gen_context(system_u:object_r:pki_common_t, s0)
+/dev/nfast(/.*)? gen_context(system_u:object_r:pki_common_dev_t, s0)
+
+# old paths (for migration)
+/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki-ca.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-ca/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/var/lib/ipa/pki-ca/publish(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki-kra.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-kra/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-ocsp/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-tks/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+
+/var/lock/subsys/pkidaemon -- gen_context(system_u:object_r:pki_tomcat_lock_t,s0)
+
+#/etc/systemd/system/pki-tomcatd\.target\.wants(/.*)? gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
+/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
diff --git a/pki.if b/pki.if
new file mode 100644
index 000000000..f69ae0298
--- /dev/null
+++ b/pki.if
@@ -0,0 +1,503 @@
+
+## <summary>policy for pki</summary>
+
+########################################
+## <summary>
+## Allow read and write pki cert files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pki_rw_tomcat_cert',`
+ gen_require(`
+ type pki_tomcat_cert_t;
+ type pki_tomcat_etc_rw_t;
+ ')
+
+ allow $1 pki_tomcat_etc_rw_t:dir search_dir_perms;
+ rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+ create_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+')
+
+########################################
+## <summary>
+## Allow read and write pki cert files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pki_manage_tomcat_cert',`
+ gen_require(`
+ type pki_tomcat_cert_t;
+ type pki_tomcat_etc_rw_t;
+ ')
+
+ allow $1 pki_tomcat_etc_rw_t:dir manage_dir_perms;
+ manage_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+ manage_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+')
+
+########################################
+## <summary>
+## Allow read and write pki cert files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pki_manage_tomcat_etc_rw',`
+ gen_require(`
+ type pki_tomcat_etc_rw_t;
+ ')
+
+ manage_files_pattern($1, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+ manage_lnk_files_pattern($1, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+')
+
+########################################
+## <summary>
+## Allow domain to read pki cert files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pki_read_tomcat_cert',`
+ gen_require(`
+ type pki_tomcat_cert_t;
+ ')
+
+ read_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+ read_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+')
+
+########################################
+## <summary>
+## Create a set of derived types for apache
+## web content.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`pki_apache_template',`
+ gen_require(`
+ attribute pki_apache_domain;
+ attribute pki_apache_config, pki_apache_var_lib, pki_apache_var_run;
+ attribute pki_apache_executable, pki_apache_script, pki_apache_var_log;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_t, pki_apache_domain;
+ type $1_exec_t, pki_apache_executable;
+ domain_type($1_t)
+ init_daemon_domain($1_t, $1_exec_t)
+
+ type $1_script_exec_t, pki_apache_script;
+ init_script_file($1_script_exec_t)
+
+ type $1_etc_rw_t, pki_apache_config;
+ files_type($1_etc_rw_t)
+
+ type $1_var_run_t, pki_apache_var_run;
+ files_pid_file($1_var_run_t)
+
+ type $1_var_lib_t, pki_apache_var_lib;
+ files_type($1_var_lib_t)
+
+ type $1_log_t, pki_apache_var_log;
+ logging_log_file($1_log_t)
+
+ type $1_lock_t;
+ files_lock_file($1_lock_t)
+
+ type $1_tmp_t;
+ files_tmpfs_file($1_tmp_t)
+
+ ########################################
+ #
+ # $1 local policy
+ #
+
+ files_read_etc_files($1_t)
+ allow $1_t $1_etc_rw_t:lnk_file read;
+
+ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
+ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
+ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
+
+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t,$1_var_run_t, { file dir })
+
+ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
+
+ manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
+ manage_files_pattern($1_t, $1_log_t, $1_log_t)
+ logging_log_filetrans($1_t, $1_log_t, { file dir } )
+
+ manage_dirs_pattern($1_t, $1_lock_t, $1_lock_t)
+ manage_files_pattern($1_t, $1_lock_t, $1_lock_t)
+ manage_lnk_files_pattern($1_t, $1_lock_t, $1_lock_t)
+ files_lock_filetrans($1_t, $1_lock_t, { dir file lnk_file })
+
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+
+ #talk to lunasa hsm
+ logging_send_syslog_msg($1_t)
+
+ kernel_read_kernel_sysctls($1_t)
+ kernel_read_system_state($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+
+ # need to resolve addresses?
+ auth_use_nsswitch($1_t)
+')
+
+#######################################
+## <summary>
+## Send a null signal to pki apache domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pki_apache_domain_signal',`
+ gen_require(`
+ attribute pki_apache_domain;
+ ')
+
+ allow $1 pki_apache_domain:process signal;
+')
+
+#######################################
+## <summary>
+## Send a null signal to pki apache domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pki_apache_domain_signull',`
+ gen_require(`
+ attribute pki_apache_domain;
+ ')
+
+ allow $1 pki_apache_domain:process signull;
+')
+
+###################################
+## <summary>
+## Allow domain to read pki apache subsystem pid files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pki_manage_apache_run',`
+ gen_require(`
+ attribute pki_apache_var_run;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, pki_apache_var_run, pki_apache_var_run)
+')
+
+####################################
+## <summary>
+## Allow domain to manage pki apache subsystem lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pki_manage_apache_lib',`
+ gen_require(`
+ attribute pki_apache_var_lib;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
+ manage_lnk_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
+')
+
+##################################
+## <summary>
+## Dontaudit domain to write pki log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pki_search_log_dirs',`
+ gen_require(`
+ type pki_log_t;
+ ')
+
+ search_dirs_pattern($1, pki_log_t, pki_log_t)
+
+')
+
+##################################
+## <summary>
+## Dontaudit domain to write pki log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pki_dontaudit_write_log',`
+ gen_require(`
+ type pki_log_t;
+ ')
+
+ dontaudit $1 pki_log_t:file write;
+')
+
+###################################
+## <summary>
+## Allow domain to manage pki apache subsystem log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pki_manage_apache_log_files',`
+ gen_require(`
+ attribute pki_apache_var_log;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, pki_apache_var_log, pki_apache_var_log)
+')
+
+##################################
+## <summary>
+## Allow domain to manage pki apache subsystem config files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pki_manage_apache_config_files',`
+ gen_require(`
+ attribute pki_apache_config;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, pki_apache_config, pki_apache_config)
+')
+
+#################################
+## <summary>
+## Allow domain to read pki tomcat lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pki_read_tomcat_lib_files',`
+ gen_require(`
+ type pki_tomcat_var_lib_t;
+ ')
+
+ read_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+ read_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+')
+
+
+#################################
+## <summary>
+## Allow domain to manage pki tomcat lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pki_manage_tomcat_lib',`
+ gen_require(`
+ type pki_tomcat_var_lib_t;
+ ')
+
+ manage_dirs_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+ manage_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+ manage_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+')
+
+#################################
+## <summary>
+## Allow domain to manage pki tomcat lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pki_manage_tomcat_log',`
+ gen_require(`
+ type pki_tomcat_log_t;
+ ')
+
+ manage_dirs_pattern($1, pki_tomcat_log_t, pki_tomcat_log_t)
+ manage_files_pattern($1, pki_tomcat_log_t, pki_tomcat_log_t)
+')
+
+#################################
+## <summary>
+## Allow domain to read pki tomcat lib dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pki_read_tomcat_lib_dirs',`
+ gen_require(`
+ type pki_tomcat_var_lib_t;
+ ')
+
+ list_dirs_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow read pki_common_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pki_read_common_files',`
+ gen_require(`
+ type pki_common_t;
+ ')
+
+ read_files_pattern($1, pki_common_t, pki_common_t)
+')
+
+########################################
+## <summary>
+## Allow execute pki_common_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pki_exec_common_files',`
+ gen_require(`
+ type pki_common_t;
+ ')
+
+ exec_files_pattern($1, pki_common_t, pki_common_t)
+')
+
+########################################
+## <summary>
+## Allow read pki_common_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pki_manage_common_files',`
+ gen_require(`
+ type pki_common_t;
+ ')
+
+ manage_files_pattern($1, pki_common_t, pki_common_t)
+ manage_dirs_pattern($1, pki_common_t, pki_common_t)
+')
+
+########################################
+## <summary>
+## Connect to pki over an unix
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pki_stream_connect',`
+ gen_require(`
+ type pki_tomcat_t, pki_common_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t)
+')
+
+########################################
+## <summary>
+## Execute pki in the pkit_tomcat_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pki_tomcat_systemctl',`
+ gen_require(`
+ type pki_tomcat_t;
+ type pki_tomcat_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 pki_tomcat_unit_file_t:file read_file_perms;
+ allow $1 pki_tomcat_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, pki_tomcat_t)
+')
diff --git a/pki.te b/pki.te
new file mode 100644
index 000000000..701ebda54
--- /dev/null
+++ b/pki.te
@@ -0,0 +1,285 @@
+policy_module(pki,10.0.11)
+
+########################################
+#
+# Declarations
+#
+
+attribute pki_apache_domain;
+attribute pki_apache_config;
+attribute pki_apache_executable;
+attribute pki_apache_var_lib;
+attribute pki_apache_var_log;
+attribute pki_apache_var_run;
+attribute pki_apache_pidfiles;
+attribute pki_apache_script;
+
+type pki_log_t;
+files_type(pki_log_t)
+
+type pki_common_t;
+files_type(pki_common_t)
+
+type pki_common_dev_t;
+files_type(pki_common_dev_t)
+
+type pki_tomcat_etc_rw_t;
+files_type(pki_tomcat_etc_rw_t)
+
+type pki_tomcat_cert_t;
+miscfiles_cert_type(pki_tomcat_cert_t)
+
+tomcat_domain_template(pki_tomcat)
+domain_obj_id_change_exemption(pki_tomcat_t)
+
+type pki_tomcat_unit_file_t;
+systemd_unit_file(pki_tomcat_unit_file_t)
+
+type pki_tomcat_lock_t;
+files_lock_file(pki_tomcat_lock_t)
+
+# old type aliases for migration
+typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };
+typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };
+typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
+typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
+typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
+
+
+# pki policy types
+type pki_tps_tomcat_exec_t;
+files_type(pki_tps_tomcat_exec_t)
+
+pki_apache_template(pki_tps)
+
+# ra policy types
+type pki_ra_tomcat_exec_t;
+files_type(pki_ra_tomcat_exec_t)
+
+pki_apache_template(pki_ra)
+
+# needed for dogtag 9 style instances
+type pki_tomcat_script_t;
+domain_type(pki_tomcat_script_t)
+role system_r types pki_tomcat_script_t;
+
+optional_policy(`
+ unconfined_domain(pki_tomcat_script_t)
+')
+
+########################################
+#
+# pki-tomcat local policy
+#
+
+allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_read_search sys_nice fsetid };
+dontaudit pki_tomcat_t self:capability net_admin;
+allow pki_tomcat_t self:process { signal setsched signull execmem setfscreate };
+
+allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
+allow pki_tomcat_t self:tcp_socket { accept listen };
+
+# allow writing to the kernel keyring
+allow pki_tomcat_t self:key { write read };
+
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+allow pki_tomcat_t pki_tomcat_etc_rw_t:file relabel_file_perms;
+
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
+manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
+files_lock_filetrans(pki_tomcat_t, pki_tomcat_lock_t, { dir file lnk_file })
+
+read_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t,pki_tomcat_unit_file_t)
+read_lnk_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t, pki_tomcat_unit_file_t)
+allow pki_tomcat_t pki_tomcat_unit_file_t:file setattr;
+allow pki_tomcat_t pki_tomcat_unit_file_t:lnk_file setattr;
+systemd_search_unit_dirs(pki_tomcat_t)
+
+# allow java subsystems to talk to the ncipher hsm
+allow pki_tomcat_t pki_common_dev_t:sock_file write;
+allow pki_tomcat_t pki_common_dev_t:dir search;
+allow pki_tomcat_t pki_common_t:dir create_dir_perms;
+manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)
+can_exec(pki_tomcat_t, pki_common_t)
+init_stream_connect_script(pki_tomcat_t)
+
+auth_use_nsswitch(pki_tomcat_t)
+
+search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)
+
+kernel_read_kernel_sysctls(pki_tomcat_t)
+kernel_read_net_sysctls(pki_tomcat_t)
+
+corenet_tcp_connect_http_cache_port(pki_tomcat_t)
+corenet_tcp_connect_ldap_port(pki_tomcat_t)
+corenet_tcp_connect_smtp_port(pki_tomcat_t)
+corenet_tcp_connect_pki_ca_port(pki_tomcat_t)
+
+selinux_get_enforce_mode(pki_tomcat_t)
+
+libs_exec_ldconfig(pki_tomcat_t)
+
+logging_send_audit_msgs(pki_tomcat_t)
+
+miscfiles_read_hwdata(pki_tomcat_t)
+
+# is this really needed?
+userdom_manage_user_tmp_dirs(pki_tomcat_t)
+userdom_manage_user_tmp_files(pki_tomcat_t)
+
+# for crl publishing
+allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };
+
+# for ECC
+auth_getattr_shadow(pki_tomcat_t)
+
+optional_policy(`
+ consoletype_exec(pki_tomcat_t)
+')
+
+optional_policy(`
+ dirsrv_manage_var_lib(pki_tomcat_t)
+')
+
+optional_policy(`
+ hostname_exec(pki_tomcat_t)
+')
+
+optional_policy(`
+ ipa_read_lib(pki_tomcat_t)
+')
+
+#######################################
+#
+# tps local policy
+#
+
+# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
+allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};
+
+corenet_tcp_bind_pki_tps_port(pki_tps_t)
+# customer may run an ldap server on 389
+corenet_tcp_connect_ldap_port(pki_tps_t)
+# connect to other subsystems
+corenet_tcp_connect_pki_ca_port(pki_tps_t)
+corenet_tcp_connect_pki_kra_port(pki_tps_t)
+corenet_tcp_connect_pki_tks_port(pki_tps_t)
+
+files_exec_usr_files(pki_tps_t)
+
+######################################
+#
+# ra local policy
+#
+
+# RA specific? talking to mysql?
+allow pki_ra_t self:udp_socket { write read create connect };
+allow pki_ra_t self:unix_dgram_socket { write create connect };
+
+corenet_tcp_bind_pki_ra_port(pki_ra_t)
+# talk to other subsystems
+corenet_tcp_connect_http_port(pki_ra_t)
+corenet_tcp_connect_pki_ca_port(pki_ra_t)
+corenet_tcp_connect_smtp_port(pki_ra_t)
+
+fs_getattr_xattr_fs(pki_ra_t)
+
+files_search_spool(pki_ra_t)
+files_exec_usr_files(pki_ra_t)
+
+optional_policy(`
+ mta_send_mail(pki_ra_t)
+ mta_manage_spool(pki_ra_t)
+ mta_manage_queue(pki_ra_t)
+ mta_read_config(pki_ra_t)
+')
+
+#####################################
+#
+# pki_apache_domain local policy
+#
+
+
+allow pki_apache_domain self:capability { setuid sys_nice setgid dac_read_search fowner fsetid kill chown};
+allow pki_apache_domain self:process { setsched signal getsched signull execstack execmem sigkill};
+
+allow pki_apache_domain self:sem all_sem_perms;
+allow pki_apache_domain self:tcp_socket create_stream_socket_perms;
+allow pki_apache_domain self:netlink_route_socket { write getattr read bind create nlmsg_read };
+
+# allow writing to the kernel keyring
+allow pki_apache_domain self:key { write read };
+
+## internal communication is often done using fifo and unix sockets.
+allow pki_apache_domain self:fifo_file rw_file_perms;
+allow pki_apache_domain self:unix_stream_socket create_stream_socket_perms;
+
+# talk to the hsm
+allow pki_apache_domain pki_common_dev_t:sock_file write;
+allow pki_apache_domain pki_common_dev_t:dir search;
+allow pki_apache_domain pki_common_t:dir create_dir_perms;
+manage_files_pattern(pki_apache_domain, pki_common_t, pki_common_t)
+can_exec(pki_apache_domain, pki_common_t)
+init_stream_connect_script(pki_apache_domain)
+
+corenet_sendrecv_unlabeled_packets(pki_apache_domain)
+corenet_tcp_bind_all_nodes(pki_apache_domain)
+corenet_tcp_sendrecv_all_if(pki_apache_domain)
+corenet_tcp_sendrecv_all_nodes(pki_apache_domain)
+corenet_tcp_sendrecv_all_ports(pki_apache_domain)
+#corenet_all_recvfrom_unlabeled(pki_apache_domain)
+corenet_tcp_connect_generic_port(pki_apache_domain)
+
+# Init script handling
+domain_use_interactive_fds(pki_apache_domain)
+
+seutil_exec_setfiles(pki_apache_domain)
+
+init_dontaudit_write_utmp(pki_apache_domain)
+
+libs_use_ld_so(pki_apache_domain)
+libs_use_shared_libs(pki_apache_domain)
+libs_exec_ld_so(pki_apache_domain)
+libs_exec_lib_files(pki_apache_domain)
+
+fs_search_cgroup_dirs(pki_apache_domain)
+
+corecmd_exec_bin(pki_apache_domain)
+corecmd_exec_shell(pki_apache_domain)
+
+dev_read_urand(pki_apache_domain)
+dev_read_rand(pki_apache_domain)
+
+# shutdown script uses ps
+domain_dontaudit_read_all_domains_state(pki_apache_domain)
+ps_process_pattern(pki_apache_domain, pki_apache_domain)
+
+sysnet_read_config(pki_apache_domain)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(pki_apache_domain)
+ term_dontaudit_use_generic_ptys(pki_apache_domain)
+')
+
+optional_policy(`
+ # apache permissions
+ apache_exec_modules(pki_apache_domain)
+ apache_list_modules(pki_apache_domain)
+ apache_read_config(pki_apache_domain)
+ apache_exec(pki_apache_domain)
+ apache_exec_suexec(pki_apache_domain)
+ apache_entrypoint(pki_apache_domain)
+')
+
+# allow rpm -q in init scripts
+optional_policy(`
+ rpm_exec(pki_apache_domain)
+')
+
diff --git a/plymouthd.fc b/plymouthd.fc
index 735500fd1..7f694728c 100644
--- a/plymouthd.fc
+++ b/plymouthd.fc
@@ -1,15 +1,14 @@
-/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
+/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
-/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
+/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
-/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
+/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
-/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
+/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
-/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
+/var/log/boot\.log.* gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
-/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
+/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
-/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
-
-/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
+/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
diff --git a/plymouthd.if b/plymouthd.if
index 30e751f18..61feb3a81 100644
--- a/plymouthd.if
+++ b/plymouthd.if
@@ -1,4 +1,4 @@
-## <summary>Plymouth graphical boot.</summary>
+## <summary>Plymouth graphical boot</summary>
########################################
## <summary>
@@ -10,18 +10,17 @@
## </summary>
## </param>
#
-interface(`plymouthd_domtrans',`
+interface(`plymouthd_domtrans', `
gen_require(`
type plymouthd_t, plymouthd_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
')
########################################
## <summary>
-## Execute plymouthd in the caller domain.
+## Execute the plymoth daemon in the current domain
## </summary>
## <param name="domain">
## <summary>
@@ -29,19 +28,18 @@ interface(`plymouthd_domtrans',`
## </summary>
## </param>
#
-interface(`plymouthd_exec',`
+interface(`plymouthd_exec', `
gen_require(`
type plymouthd_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, plymouthd_exec_t)
')
########################################
## <summary>
-## Connect to plymouthd using a unix
-## domain stream socket.
+## Allow domain to Stream socket connect
+## to Plymouth daemon.
## </summary>
## <param name="domain">
## <summary>
@@ -49,18 +47,17 @@ interface(`plymouthd_exec',`
## </summary>
## </param>
#
-interface(`plymouthd_stream_connect',`
+interface(`plymouthd_stream_connect', `
gen_require(`
- type plymouthd_t, plymouthd_spool_t;
+ type plymouthd_t;
')
- files_search_spool($1)
- stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
+ allow $1 plymouthd_t:unix_stream_socket connectto;
')
########################################
## <summary>
-## Execute plymouth in the caller domain.
+## Execute the plymoth command in the current domain
## </summary>
## <param name="domain">
## <summary>
@@ -68,18 +65,17 @@ interface(`plymouthd_stream_connect',`
## </summary>
## </param>
#
-interface(`plymouthd_exec_plymouth',`
+interface(`plymouthd_exec_plymouth', `
gen_require(`
type plymouth_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, plymouth_exec_t)
')
########################################
## <summary>
-## Execute a domain transition to run plymouth.
+## Execute a domain transition to run plymouthd.
## </summary>
## <param name="domain">
## <summary>
@@ -87,12 +83,11 @@ interface(`plymouthd_exec_plymouth',`
## </summary>
## </param>
#
-interface(`plymouthd_domtrans_plymouth',`
+interface(`plymouthd_domtrans_plymouth', `
gen_require(`
type plymouth_t, plymouth_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, plymouth_exec_t, plymouth_t)
')
@@ -106,13 +101,13 @@ interface(`plymouthd_domtrans_plymouth',`
## </summary>
## </param>
#
-interface(`plymouthd_search_spool',`
+interface(`plymouthd_search_spool', `
gen_require(`
type plymouthd_spool_t;
')
- files_search_spool($1)
allow $1 plymouthd_spool_t:dir search_dir_perms;
+ files_search_spool($1)
')
########################################
@@ -145,7 +140,7 @@ interface(`plymouthd_read_spool_files',`
## </summary>
## </param>
#
-interface(`plymouthd_manage_spool_files',`
+interface(`plymouthd_manage_spool_files', `
gen_require(`
type plymouthd_spool_t;
')
@@ -164,13 +159,13 @@ interface(`plymouthd_manage_spool_files',`
## </summary>
## </param>
#
-interface(`plymouthd_search_lib',`
+interface(`plymouthd_search_lib', `
gen_require(`
type plymouthd_var_lib_t;
')
- files_search_var_lib($1)
allow $1 plymouthd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
')
########################################
@@ -183,7 +178,7 @@ interface(`plymouthd_search_lib',`
## </summary>
## </param>
#
-interface(`plymouthd_read_lib_files',`
+interface(`plymouthd_read_lib_files', `
gen_require(`
type plymouthd_var_lib_t;
')
@@ -203,7 +198,7 @@ interface(`plymouthd_read_lib_files',`
## </summary>
## </param>
#
-interface(`plymouthd_manage_lib_files',`
+interface(`plymouthd_manage_lib_files', `
gen_require(`
type plymouthd_var_lib_t;
')
@@ -214,7 +209,7 @@ interface(`plymouthd_manage_lib_files',`
########################################
## <summary>
-## Read plymouthd pid files.
+## Read plymouthd PID files.
## </summary>
## <param name="domain">
## <summary>
@@ -222,7 +217,7 @@ interface(`plymouthd_manage_lib_files',`
## </summary>
## </param>
#
-interface(`plymouthd_read_pid_files',`
+interface(`plymouthd_read_pid_files', `
gen_require(`
type plymouthd_var_run_t;
')
@@ -233,36 +228,112 @@ interface(`plymouthd_read_pid_files',`
########################################
## <summary>
-## All of the rules required to
-## administrate an plymouthd environment.
+## Allow the specified domain to read
+## to plymouthd log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+#
+interface(`plymouthd_read_log',`
+ gen_require(`
+ type plymouthd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+')
+
+#####################################
+## <summary>
+## Allow the specified domain to create plymouthd's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_create_log',`
+ gen_require(`
+ type plymouthd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ create_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## to plymouthd log files.
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`plymouthd_admin',`
+interface(`plymouthd_manage_log',`
+ gen_require(`
+ type plymouthd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+ manage_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+ read_lnk_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+')
+
+#######################################
+## <summary>
+## Allow domain to create boot.log
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_filetrans_named_content',`
+
+ gen_require(`
+ type plymouthd_var_log_t;
+ ')
+
+ logging_log_named_filetrans($1, plymouthd_var_log_t, file, "boot.log")
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an plymouthd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_admin', `
gen_require(`
type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
type plymouthd_var_run_t;
')
- allow $1 plymouthd_t:process { ptrace signal_perms };
- read_files_pattern($1, plymouthd_t, plymouthd_t)
+ allow $1 plymouthd_t:process signal_perms;
+ ps_process_pattern($1, plymouthd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 plymouthd_t:process ptrace;
+ ')
- files_search_spool($1)
+ files_list_var_lib($1)
admin_pattern($1, plymouthd_spool_t)
- files_search_var_lib($1)
admin_pattern($1, plymouthd_var_lib_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/plymouthd.te b/plymouthd.te
index 3078ce905..a1f9e1aa1 100644
--- a/plymouthd.te
+++ b/plymouthd.te
@@ -15,7 +15,7 @@ type plymouthd_exec_t;
init_daemon_domain(plymouthd_t, plymouthd_exec_t)
type plymouthd_spool_t;
-files_type(plymouthd_spool_t)
+files_spool_file(plymouthd_spool_t)
type plymouthd_var_lib_t;
files_type(plymouthd_var_lib_t)
@@ -28,13 +28,14 @@ files_pid_file(plymouthd_var_run_t)
########################################
#
-# Daemon local policy
+# Plymouthd private policy
#
allow plymouthd_t self:capability { sys_admin sys_tty_config };
-dontaudit plymouthd_t self:capability dac_override;
allow plymouthd_t self:capability2 block_suspend;
+dontaudit plymouthd_t self:capability{ dac_read_search };
allow plymouthd_t self:process { signal getsched };
+allow plymouthd_t self:netlink_kobject_uevent_socket create_socket_perms;
allow plymouthd_t self:fifo_file rw_fifo_file_perms;
allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
@@ -48,9 +49,7 @@ manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
-append_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
-create_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
-setattr_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
@@ -70,19 +69,27 @@ domain_use_interactive_fds(plymouthd_t)
fs_getattr_all_fs(plymouthd_t)
-files_read_etc_files(plymouthd_t)
-files_read_usr_files(plymouthd_t)
-
term_getattr_pty_fs(plymouthd_t)
term_use_all_terms(plymouthd_t)
term_use_ptmx(plymouthd_t)
+term_use_usb_ttys(plymouthd_t)
+
+init_signal(plymouthd_t)
+
+logging_link_generic_logs(plymouthd_t)
+logging_delete_generic_logs(plymouthd_t)
+
+auth_use_nsswitch(plymouthd_t)
-miscfiles_read_localization(plymouthd_t)
miscfiles_read_fonts(plymouthd_t)
miscfiles_manage_fonts_cache(plymouthd_t)
+userdom_read_admin_home_files(plymouthd_t)
+
+term_use_unallocated_ttys(plymouthd_t)
+
optional_policy(`
- gnome_read_generic_home_content(plymouthd_t)
+ gnome_read_config(plymouthd_t)
')
optional_policy(`
@@ -90,35 +97,37 @@ optional_policy(`
')
optional_policy(`
- xserver_manage_xdm_spool_files(plymouthd_t)
- xserver_read_xdm_state(plymouthd_t)
+ udev_read_pid_files(plymouthd_t)
+')
+
+optional_policy(`
+ xserver_xdm_manage_spool(plymouthd_t)
+ xserver_read_state_xdm(plymouthd_t)
')
########################################
#
-# Client local policy
+# Plymouth private policy
#
allow plymouth_t self:process signal;
-allow plymouth_t self:fifo_file rw_fifo_file_perms;
+allow plymouth_t self:fifo_file rw_file_perms;
allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
-stream_connect_pattern(plymouth_t, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
-
kernel_read_system_state(plymouth_t)
kernel_stream_connect(plymouth_t)
domain_use_interactive_fds(plymouth_t)
-files_read_etc_files(plymouth_t)
term_use_ptmx(plymouth_t)
-miscfiles_read_localization(plymouth_t)
sysnet_read_config(plymouth_t)
-ifdef(`hide_broken_symptoms',`
+plymouthd_stream_connect(plymouth_t)
+
+ifdef(`hide_broken_symptoms', `
optional_policy(`
hal_dontaudit_write_log(plymouth_t)
hal_dontaudit_rw_pipes(plymouth_t)
diff --git a/podsleuth.te b/podsleuth.te
index 9123f7152..77e5b9b59 100644
--- a/podsleuth.te
+++ b/podsleuth.te
@@ -28,8 +28,9 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
# Local policy
#
-allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
-allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
+allow podsleuth_t self:capability { kill dac_read_search sys_admin sys_rawio };
+allow podsleuth_t self:process { signal signull getsched execheap execmem execstack };
+
allow podsleuth_t self:fifo_file rw_fifo_file_perms;
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
allow podsleuth_t self:sem create_sem_perms;
@@ -65,7 +66,6 @@ corenet_tcp_sendrecv_http_port(podsleuth_t)
dev_read_urand(podsleuth_t)
-files_read_etc_files(podsleuth_t)
fs_mount_dos_fs(podsleuth_t)
fs_unmount_dos_fs(podsleuth_t)
@@ -76,13 +76,11 @@ fs_getattr_tmpfs(podsleuth_t)
fs_list_tmpfs(podsleuth_t)
fs_rw_removable_blk_files(podsleuth_t)
-miscfiles_read_localization(podsleuth_t)
-
sysnet_dns_name_resolve(podsleuth_t)
userdom_signal_unpriv_users(podsleuth_t)
userdom_signull_unpriv_users(podsleuth_t)
-userdom_read_user_tmpfs_files(podsleuth_t)
+userdom_read_user_tmp_files(podsleuth_t)
optional_policy(`
dbus_system_bus_client(podsleuth_t)
diff --git a/policykit.fc b/policykit.fc
index 1d76c7288..93d09d92f 100644
--- a/policykit.fc
+++ b/policykit.fc
@@ -1,23 +1,22 @@
-/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
-/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-
-/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
-/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
-/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
-/usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/bin/pkla-check-authorization -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
-/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
-/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
-/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/libexec/kde4/polkit-kde-authentication-agent-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
-/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
-/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
-/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
-/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
-/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
diff --git a/policykit.if b/policykit.if
index 032a84d1c..be00a65f1 100644
--- a/policykit.if
+++ b/policykit.if
@@ -17,6 +17,8 @@ interface(`policykit_dbus_chat',`
class dbus send_msg;
')
+ ps_process_pattern(policykit_t, $1)
+
allow $1 policykit_t:dbus send_msg;
allow policykit_t $1:dbus send_msg;
')
@@ -24,7 +26,7 @@ interface(`policykit_dbus_chat',`
########################################
## <summary>
## Send and receive messages from
-## policykit auth over dbus.
+## policykit over dbus.
## </summary>
## <param name="domain">
## <summary>
@@ -38,6 +40,8 @@ interface(`policykit_dbus_chat_auth',`
class dbus send_msg;
')
+ ps_process_pattern(policykit_auth_t, $1)
+
allow $1 policykit_auth_t:dbus send_msg;
allow policykit_auth_t $1:dbus send_msg;
')
@@ -47,9 +51,9 @@ interface(`policykit_dbus_chat_auth',`
## Execute a domain transition to run polkit_auth.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`policykit_domtrans_auth',`
@@ -57,15 +61,13 @@ interface(`policykit_domtrans_auth',`
type policykit_auth_t, policykit_auth_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t)
')
########################################
## <summary>
-## Execute a policy_auth in the policy
-## auth domain, and allow the specified
-## role the policy auth domain.
+## Execute a policy_auth in the policy_auth domain, and
+## allow the specified role the policy_auth domain,
## </summary>
## <param name="domain">
## <summary>
@@ -77,24 +79,28 @@ interface(`policykit_domtrans_auth',`
## Role allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`policykit_run_auth',`
gen_require(`
- attribute_role policykit_auth_roles;
+ type policykit_auth_t;
')
policykit_domtrans_auth($1)
- roleattribute $2 policykit_auth_roles;
+ role $2 types policykit_auth_t;
+
+ allow $1 policykit_auth_t:process signal;
+ ps_process_pattern(policykit_auth_t, $1)
')
########################################
## <summary>
-## Execute a domain transition to run polkit grant.
+## Execute a domain transition to run polkit_grant.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`policykit_domtrans_grant',`
@@ -102,15 +108,13 @@ interface(`policykit_domtrans_grant',`
type policykit_grant_t, policykit_grant_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t)
')
########################################
## <summary>
-## Execute a policy_grant in the policy
-## grant domain, and allow the specified
-## role the policy grant domain.
+## Execute a policy_grant in the policy_grant domain, and
+## allow the specified role the policy_grant domain,
## </summary>
## <param name="domain">
## <summary>
@@ -126,16 +130,20 @@ interface(`policykit_domtrans_grant',`
#
interface(`policykit_run_grant',`
gen_require(`
- attribute_role policykit_grant_roles;
+ type policykit_grant_t;
')
policykit_domtrans_grant($1)
- roleattribute $2 policykit_grant_roles;
+ role $2 types policykit_grant_t;
+
+ allow $1 policykit_grant_t:process signal;
+
+ ps_process_pattern(policykit_grant_t, $1)
')
########################################
## <summary>
-## Read policykit reload files.
+## read policykit reload files
## </summary>
## <param name="domain">
## <summary>
@@ -154,7 +162,7 @@ interface(`policykit_read_reload',`
########################################
## <summary>
-## Read and write policykit reload files.
+## rw policykit reload files
## </summary>
## <param name="domain">
## <summary>
@@ -173,12 +181,12 @@ interface(`policykit_rw_reload',`
########################################
## <summary>
-## Execute a domain transition to run polkit resolve.
+## Execute a domain transition to run polkit_resolve.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`policykit_domtrans_resolve',`
@@ -186,8 +194,9 @@ interface(`policykit_domtrans_resolve',`
type policykit_resolve_t, policykit_resolve_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t)
+
+ ps_process_pattern(policykit_resolve_t, $1)
')
########################################
@@ -205,13 +214,13 @@ interface(`policykit_search_lib',`
type policykit_var_lib_t;
')
- files_search_var_lib($1)
allow $1 policykit_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
')
########################################
## <summary>
-## Read policykit lib files.
+## read policykit lib files
## </summary>
## <param name="domain">
## <summary>
@@ -226,4 +235,50 @@ interface(`policykit_read_lib',`
files_search_var_lib($1)
read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
+
+ optional_policy(`
+ # Broken placement
+ cron_read_system_job_lib_files($1)
+ ')
+')
+
+#######################################
+## <summary>
+## The per role template for the policykit module.
+## </summary>
+## <param name="user_role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+template(`policykit_role',`
+ policykit_run_auth($2, $1)
+ policykit_run_grant($2, $1)
+ policykit_read_lib($2)
+ policykit_read_reload($2)
+ policykit_dbus_chat($2)
+')
+
+########################################
+## <summary>
+## Send generic signal to policy_auth
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`policykit_signal_auth',`
+ gen_require(`
+ type policykit_auth_t;
+ ')
+
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policykit.te b/policykit.te
index ee91778f7..24c0eefd6 100644
--- a/policykit.te
+++ b/policykit.te
@@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0)
attribute policykit_domain;
-attribute_role policykit_auth_roles;
-attribute_role policykit_grant_roles;
-
type policykit_t, policykit_domain;
type policykit_exec_t;
init_daemon_domain(policykit_t, policykit_exec_t)
@@ -17,12 +14,10 @@ init_daemon_domain(policykit_t, policykit_exec_t)
type policykit_auth_t, policykit_domain;
type policykit_auth_exec_t;
init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)
-role policykit_auth_roles types policykit_auth_t;
type policykit_grant_t, policykit_domain;
type policykit_grant_exec_t;
init_system_domain(policykit_grant_t, policykit_grant_exec_t)
-role policykit_grant_roles types policykit_grant_t;
type policykit_resolve_t, policykit_domain;
type policykit_resolve_exec_t;
@@ -42,96 +37,121 @@ files_pid_file(policykit_var_run_t)
#######################################
#
-# Common policykit domain local policy
+# policykit_domain local policy
#
allow policykit_domain self:process { execmem getattr };
allow policykit_domain self:fifo_file rw_fifo_file_perms;
-kernel_search_proc(policykit_domain)
-
-corecmd_exec_bin(policykit_domain)
-
dev_read_sysfs(policykit_domain)
-files_read_usr_files(policykit_domain)
-
-logging_send_syslog_msg(policykit_domain)
-
-miscfiles_read_localization(policykit_domain)
-
########################################
#
-# Local policy
+# policykit local policy
#
-allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
+allow policykit_t self:capability { dac_read_search setgid setuid sys_nice sys_ptrace };
allow policykit_t self:process { getsched setsched signal };
-allow policykit_t self:unix_stream_socket { accept connectto listen };
+allow policykit_t self:unix_dgram_socket create_socket_perms;
+allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+policykit_domtrans_auth(policykit_t)
+allow policykit_t policykit_auth_t:process signal;
+
+can_exec(policykit_t, policykit_exec_t)
+corecmd_exec_bin(policykit_t)
+
+dev_read_sysfs(policykit_t)
rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
+policykit_domtrans_resolve(policykit_t)
+
manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
-can_exec(policykit_t, policykit_exec_t)
-
-domtrans_pattern(policykit_t, policykit_auth_exec_t, policykit_auth_t)
-domtrans_pattern(policykit_t, policykit_resolve_exec_t, policykit_resolve_t)
-
-kernel_read_kernel_sysctls(policykit_t)
kernel_read_system_state(policykit_t)
+kernel_read_kernel_sysctls(policykit_t)
domain_read_all_domains_state(policykit_t)
files_dontaudit_search_all_mountpoints(policykit_t)
+fs_getattr_all_fs(policykit_t)
fs_list_inotifyfs(policykit_t)
+fs_list_cgroup_dirs(policykit_t)
auth_use_nsswitch(policykit_t)
+init_list_pid_dirs(policykit_t)
+
+logging_send_syslog_msg(policykit_t)
+
+systemd_machined_read_pid_files(policykit_t)
+
userdom_getattr_all_users(policykit_t)
userdom_read_all_users_state(policykit_t)
+userdom_dontaudit_search_admin_dir(policykit_t)
optional_policy(`
dbus_system_domain(policykit_t, policykit_exec_t)
+ init_dbus_chat(policykit_t)
+
optional_policy(`
consolekit_dbus_chat(policykit_t)
')
optional_policy(`
+ devicekit_dbus_chat(policykit_t)
+ ')
+
+ optional_policy(`
rpm_dbus_chat(policykit_t)
')
')
optional_policy(`
+ consolekit_list_pid_files(policykit_t)
consolekit_read_pid_files(policykit_t)
')
optional_policy(`
- gnome_read_generic_home_content(policykit_t)
+ kerberos_tmp_filetrans_host_rcache(policykit_t, "host_0")
+ kerberos_manage_host_rcache(policykit_t)
')
optional_policy(`
- kerberos_manage_host_rcache(policykit_t)
- kerberos_tmp_filetrans_host_rcache(policykit_t, file, "host_0")
+ gnome_read_config(policykit_t)
+')
+
+optional_policy(`
+ systemd_read_logind_sessions_files(policykit_t)
+ systemd_login_list_pid_dirs(policykit_t)
+ systemd_login_read_pid_files(policykit_t)
')
########################################
#
-# Auth local policy
+# polkit_auth local policy
#
-allow policykit_auth_t self:capability { ipc_lock setgid setuid sys_nice };
+allow policykit_auth_t self:capability { sys_nice ipc_lock setgid setuid };
dontaudit policykit_auth_t self:capability sys_tty_config;
-allow policykit_auth_t self:process { getsched setsched signal };
-allow policykit_auth_t self:unix_stream_socket { accept listen };
+allow policykit_auth_t self:process { setsched getsched signal };
-ps_process_pattern(policykit_auth_t, policykit_domain)
+allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
+allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_dbus_chat(policykit_auth_t)
+
+kernel_read_system_state(policykit_auth_t)
+
+can_exec(policykit_auth_t, policykit_auth_exec_t)
+corecmd_exec_bin(policykit_auth_t)
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
@@ -145,65 +165,80 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
-can_exec(policykit_auth_t, policykit_auth_exec_t)
-
-kernel_read_system_state(policykit_auth_t)
kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
dev_read_video_dev(policykit_auth_t)
files_read_etc_runtime_files(policykit_auth_t)
files_search_home(policykit_auth_t)
+files_dontaudit_access_check_home_dir(policykit_auth_t)
fs_getattr_all_fs(policykit_auth_t)
fs_search_tmpfs(policykit_auth_t)
+fs_dontaudit_append_ecryptfs_files(policykit_auth_t)
auth_rw_var_auth(policykit_auth_t)
auth_use_nsswitch(policykit_auth_t)
auth_domtrans_chk_passwd(policykit_auth_t)
+logging_send_syslog_msg(policykit_auth_t)
+
miscfiles_read_fonts(policykit_auth_t)
miscfiles_setattr_fonts_cache_dirs(policykit_auth_t)
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
+userdom_dontaudit_write_user_tmp_files(policykit_auth_t)
+userdom_dontaudit_access_check_user_content(policykit_auth_t)
+userdom_read_admin_home_files(policykit_auth_t)
optional_policy(`
- dbus_system_domain(policykit_auth_t, policykit_auth_exec_t)
- dbus_all_session_bus_client(policykit_auth_t)
+ dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)
+ dbus_session_bus_client(policykit_auth_t)
optional_policy(`
consolekit_dbus_chat(policykit_auth_t)
')
+')
- optional_policy(`
- policykit_dbus_chat(policykit_auth_t)
- ')
+optional_policy(`
+ gnome_read_config(policykit_auth_t)
+ gnome_access_check_usr_config(policykit_auth_t)
')
optional_policy(`
+ kernel_search_proc(policykit_auth_t)
hal_read_state(policykit_auth_t)
')
optional_policy(`
- kerberos_manage_host_rcache(policykit_auth_t)
- kerberos_tmp_filetrans_host_rcache(policykit_auth_t, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache(policykit_auth_t, "host_0")
+ kerberos_manage_host_rcache(policykit_auth_t)
')
optional_policy(`
xserver_stream_connect(policykit_auth_t)
+ xserver_xdm_append_log(policykit_auth_t)
xserver_read_xdm_pid(policykit_auth_t)
+ xserver_search_xdm_lib(policykit_auth_t)
+ xserver_create_xdm_tmp_sockets(policykit_auth_t)
')
########################################
#
-# Grant local policy
+# polkit_grant local policy
#
allow policykit_grant_t self:capability setuid;
+
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-ps_process_pattern(policykit_grant_t, policykit_domain)
+policykit_domtrans_auth(policykit_grant_t)
+
+policykit_domtrans_resolve(policykit_grant_t)
+
+can_exec(policykit_grant_t, policykit_grant_exec_t)
+corecmd_search_bin(policykit_grant_t)
rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
@@ -211,23 +246,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
-can_exec(policykit_grant_t, policykit_grant_exec_t)
-
-domtrans_pattern(policykit_grant_t, policykit_auth_exec_t, policykit_auth_t)
-domtrans_pattern(policykit_grant_t, policykit_resolve_exec_t, policykit_resolve_t)
auth_domtrans_chk_passwd(policykit_grant_t)
auth_use_nsswitch(policykit_grant_t)
+logging_send_syslog_msg(policykit_grant_t)
+
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
cron_manage_system_job_lib_files(policykit_grant_t)
')
-optional_policy(`
+ optional_policy(`
dbus_system_bus_client(policykit_grant_t)
-
optional_policy(`
consolekit_dbus_chat(policykit_grant_t)
')
@@ -235,26 +267,28 @@ optional_policy(`
########################################
#
-# Resolve local policy
+# polkit_resolve local policy
#
allow policykit_resolve_t self:capability { setuid sys_nice };
-allow policykit_resolve_t self:unix_stream_socket { accept listen };
-ps_process_pattern(policykit_resolve_t, policykit_domain)
+allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
+allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_domtrans_auth(policykit_resolve_t)
read_files_pattern(policykit_resolve_t, policykit_reload_t, policykit_reload_t)
read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t)
can_exec(policykit_resolve_t, policykit_resolve_exec_t)
+corecmd_search_bin(policykit_resolve_t)
-domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t)
-
-mcs_ptrace_all(policykit_resolve_t)
auth_use_nsswitch(policykit_resolve_t)
+logging_send_syslog_msg(policykit_resolve_t)
+
userdom_read_all_users_state(policykit_resolve_t)
optional_policy(`
@@ -266,6 +300,6 @@ optional_policy(`
')
optional_policy(`
+ kernel_search_proc(policykit_resolve_t)
hal_read_state(policykit_resolve_t)
')
-
diff --git a/polipo.fc b/polipo.fc
index d35614b78..11f77ee32 100644
--- a/polipo.fc
+++ b/polipo.fc
@@ -1,15 +1,16 @@
-HOME_DIR/\.forbidden -- gen_context(system_u:object_r:polipo_config_home_t,s0)
HOME_DIR/\.polipo -- gen_context(system_u:object_r:polipo_config_home_t,s0)
HOME_DIR/\.polipo-cache(/.*)? gen_context(system_u:object_r:polipo_cache_home_t,s0)
-/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_conf_t,s0)
+/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_etc_t,s0)
/etc/rc\.d/init\.d/polipo -- gen_context(system_u:object_r:polipo_initrc_exec_t,s0)
+/usr/lib/systemd/system/polipo.* -- gen_context(system_u:object_r:polipo_unit_file_t,s0)
+
/usr/bin/polipo -- gen_context(system_u:object_r:polipo_exec_t,s0)
/var/cache/polipo(/.*)? gen_context(system_u:object_r:polipo_cache_t,s0)
/var/log/polipo.* -- gen_context(system_u:object_r:polipo_log_t,s0)
-/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_var_run_t,s0)
+/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_pid_t,s0)
diff --git a/polipo.if b/polipo.if
index ae27bb7fe..10a778780 100644
--- a/polipo.if
+++ b/polipo.if
@@ -1,8 +1,8 @@
-## <summary>Lightweight forwarding and caching proxy server.</summary>
+## <summary>Caching web proxy.</summary>
########################################
## <summary>
-## Role access for Polipo session.
+## Role access for polipo session.
## </summary>
## <param name="role">
## <summary>
@@ -11,14 +11,13 @@
## </param>
## <param name="domain">
## <summary>
-## User domain for the role.
+## Domain allowed access.
## </summary>
## </param>
#
template(`polipo_role',`
gen_require(`
- type polipo_session_t, polipo_exec_t, polipo_config_home_t;
- type polipo_cache_home_t;
+ type polipo_session_t, polipo_exec_t;
')
########################################
@@ -33,15 +32,11 @@ template(`polipo_role',`
# Policy
#
- allow $2 polipo_cache_home_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { polipo_cache_home_t polipo_config_home_t }:file { manage_file_perms relabel_file_perms };
-
- userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".forbidden")
- userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".polipo")
- userdom_user_home_dir_filetrans($2, polipo_cache_home_t, dir, ".polipo-cache")
-
- allow $2 polipo_session_t:process { ptrace signal_perms };
+ allow $2 polipo_session_t:process signal_perms;
ps_process_pattern($2, polipo_session_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 polipo_session_t:process ptrace;
+ ')
tunable_policy(`polipo_session_users',`
domtrans_pattern($2, polipo_exec_t, polipo_session_t)
@@ -52,57 +47,130 @@ template(`polipo_role',`
########################################
## <summary>
-## Execute Polipo in the Polipo
-## system domain.
+## Create configuration files in user
+## home directories with a named file
+## type transition.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`polipo_initrc_domtrans',`
+interface(`polipo_named_filetrans_config_home_files',`
gen_require(`
- type polipo_initrc_exec_t;
+ type polipo_config_home_t;
')
- init_labeled_script_domtrans($1, polipo_initrc_exec_t)
+ userdom_user_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
+')
+
+########################################
+## <summary>
+## Create cache directories in user
+## home directories with a named file
+## type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`polipo_named_filetrans_cache_home_dirs',`
+ gen_require(`
+ type polipo_cache_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
')
########################################
## <summary>
-## Create specified objects in generic
-## log directories with the polipo
-## log file type.
+## Create configuration files in admin
+## home directories with a named file
+## type transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="object_class">
+#
+interface(`polipo_named_filetrans_admin_config_home_files',`
+ gen_require(`
+ type polipo_config_home_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
+')
+
+########################################
+## <summary>
+## Create cache directories in admin
+## home directories with a named file
+## type transition.
+## </summary>
+## <param name="domain">
## <summary>
-## Class of the object being created.
+## Domain allowed access.
## </summary>
## </param>
-## <param name="name" optional="true">
+#
+interface(`polipo_named_filetrans_admin_cache_home_dirs',`
+ gen_require(`
+ type polipo_cache_home_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
+')
+
+########################################
+## <summary>
+## Create log files with a named file
+## type transition.
+## </summary>
+## <param name="domain">
## <summary>
-## The name of the object being created.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`polipo_log_filetrans_log',`
+interface(`polipo_named_filetrans_log_files',`
gen_require(`
type polipo_log_t;
')
- logging_log_filetrans($1, polipo_log_t, $2, $3)
+ logging_log_named_filetrans($1, polipo_log_t, file, "polipo")
+')
+
+########################################
+## <summary>
+## Execute polipo server in the polipo domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`polipo_systemctl',`
+ gen_require(`
+ type polipo_t;
+ type polipo_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 polipo_unit_file_t:file read_file_perms;
+ allow $1 polipo_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, polipo_t)
')
########################################
## <summary>
-## All of the rules required to
-## administrate an polipo environment.
+## Administrate an polipo environment.
## </summary>
## <param name="domain">
## <summary>
@@ -118,27 +186,35 @@ interface(`polipo_log_filetrans_log',`
#
interface(`polipo_admin',`
gen_require(`
- type polipo_system_t, polipo_initrc_exec_t, polipo_cache_t;
- type polipo_conf_t, polipo_log_t, polipo_var_run_t;
+ type polipo_t, polipo_pid_t, polipo_cache_t;
+ type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t;
+ type polipo_unit_file_t;
')
- allow $1 polipo_system_t:process { ptrace signal_perms };
- ps_process_pattern($1, polipo_system_t)
+ allow $1 polipo_t:process signal_perms;
+ ps_process_pattern($1, polipo_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 polipo_t:process ptrace;
+ ')
- polipo_initrc_domtrans($1)
+ init_labeled_script_domtrans($1, polipo_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 polipo_initrc_exec_t system_r;
allow $2 system_r;
- files_search_var($1)
- admin_pattern($1, polipo_cache_t)
-
- files_search_etc($1)
- admin_pattern($1, polipo_conf_t)
+ files_list_etc($1)
+ admin_pattern($1, polipo_etc_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, polipo_log_t)
- files_search_pids($1)
- admin_pattern($1, polipo_var_run_t)
+ files_list_var($1)
+ admin_pattern($1, polipo_cache_t)
+
+ files_list_pids($1)
+ admin_pattern($1, polipo_pid_t)
+
+ polipo_systemctl($1)
+ admin_pattern($1, polipo_unit_file_t)
+ allow $1 polipo_unit_file_t:service all_service_perms;
')
diff --git a/polipo.te b/polipo.te
index 9764bfef8..8870de713 100644
--- a/polipo.te
+++ b/polipo.te
@@ -7,19 +7,27 @@ policy_module(polipo, 1.1.1)
## <desc>
## <p>
-## Determine whether Polipo system
-## daemon can access CIFS file systems.
+## Determine whether polipo can
+## access cifs file systems.
## </p>
## </desc>
-gen_tunable(polipo_system_use_cifs, false)
+gen_tunable(polipo_use_cifs, false)
## <desc>
## <p>
-## Determine whether Polipo system
-## daemon can access NFS file systems.
+## Determine whether Polipo can
+## access nfs file systems.
## </p>
## </desc>
-gen_tunable(polipo_system_use_nfs, false)
+gen_tunable(polipo_use_nfs, false)
+
+## <desc>
+## <p>
+## Determine whether Polipo session daemon
+## can bind tcp sockets to all unreserved ports.
+## </p>
+## </desc>
+gen_tunable(polipo_session_bind_all_unreserved_ports, false)
## <desc>
## <p>
@@ -31,24 +39,23 @@ gen_tunable(polipo_system_use_nfs, false)
gen_tunable(polipo_session_users, false)
## <desc>
-## <p>
-## Determine whether Polipo session daemon
-## can send syslog messages.
-## </p>
+## <p>
+## Allow polipo to connect to all ports > 1023
+## </p>
## </desc>
-gen_tunable(polipo_session_send_syslog_msg, false)
+gen_tunable(polipo_connect_all_unreserved, false)
attribute polipo_daemon;
-type polipo_system_t, polipo_daemon;
+type polipo_t, polipo_daemon;
type polipo_exec_t;
-init_daemon_domain(polipo_system_t, polipo_exec_t)
+init_daemon_domain(polipo_t, polipo_exec_t)
type polipo_initrc_exec_t;
init_script_file(polipo_initrc_exec_t)
-type polipo_conf_t;
-files_config_file(polipo_conf_t)
+type polipo_etc_t;
+files_config_file(polipo_etc_t)
type polipo_cache_t;
files_type(polipo_cache_t)
@@ -56,116 +63,104 @@ files_type(polipo_cache_t)
type polipo_log_t;
logging_log_file(polipo_log_t)
-type polipo_var_run_t;
-files_pid_file(polipo_var_run_t)
+type polipo_pid_t;
+files_pid_file(polipo_pid_t)
type polipo_session_t, polipo_daemon;
-userdom_user_application_domain(polipo_session_t, polipo_exec_t)
+application_domain(polipo_session_t, polipo_exec_t)
+ubac_constrained(polipo_session_t)
+
+type polipo_config_home_t;
+userdom_user_home_content(polipo_config_home_t)
type polipo_cache_home_t;
userdom_user_home_content(polipo_cache_home_t)
-type polipo_config_home_t;
-userdom_user_home_content(polipo_config_home_t)
+type polipo_unit_file_t;
+systemd_unit_file(polipo_unit_file_t)
########################################
#
-# Session local policy
+# Global local policy
#
-allow polipo_session_t polipo_config_home_t:file read_file_perms;
-
-manage_dirs_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
-manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
-userdom_user_home_dir_filetrans(polipo_session_t, polipo_cache_home_t, dir, ".polipo-cache")
-
-auth_use_nsswitch(polipo_session_t)
-
-userdom_use_user_terminals(polipo_session_t)
+allow polipo_daemon self:fifo_file rw_fifo_file_perms;
+allow polipo_daemon self:tcp_socket { listen accept };
-tunable_policy(`polipo_session_send_syslog_msg',`
- logging_send_syslog_msg(polipo_session_t)
-')
+corenet_tcp_bind_generic_node(polipo_daemon)
+corenet_tcp_sendrecv_generic_if(polipo_daemon)
+corenet_tcp_sendrecv_generic_node(polipo_daemon)
+corenet_tcp_sendrecv_http_cache_port(polipo_daemon)
+corenet_tcp_bind_http_cache_port(polipo_daemon)
+corenet_sendrecv_http_cache_server_packets(polipo_daemon)
+corenet_tcp_connect_http_port(polipo_daemon)
+corenet_tcp_connect_http_cache_port(polipo_daemon)
+corenet_tcp_connect_tor_port(polipo_daemon)
+corenet_tcp_connect_flash_port(polipo_daemon)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(polipo_session_t)
-',`
- fs_dontaudit_read_nfs_files(polipo_session_t)
-')
+fs_search_auto_mountpoints(polipo_daemon)
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(polipo_session_t)
-',`
- fs_dontaudit_read_cifs_files(polipo_session_t)
-')
########################################
#
-# System local policy
+# Polipo local policy
#
-read_files_pattern(polipo_system_t, polipo_conf_t, polipo_conf_t)
+read_files_pattern(polipo_t, polipo_etc_t, polipo_etc_t)
-manage_files_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t)
-manage_dirs_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t)
-files_var_filetrans(polipo_system_t, polipo_cache_t, dir)
+manage_files_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
+manage_dirs_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
+files_var_filetrans(polipo_t, polipo_cache_t, dir)
-append_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
-create_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
-setattr_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
-logging_log_filetrans(polipo_system_t, polipo_log_t, file)
+manage_files_pattern(polipo_t, polipo_log_t, polipo_log_t)
+logging_log_filetrans(polipo_t, polipo_log_t, file)
-manage_files_pattern(polipo_system_t, polipo_var_run_t, polipo_var_run_t)
-files_pid_filetrans(polipo_system_t, polipo_var_run_t, file)
+manage_files_pattern(polipo_t, polipo_pid_t, polipo_pid_t)
+files_pid_filetrans(polipo_t, polipo_pid_t, file)
-auth_use_nsswitch(polipo_system_t)
+auth_use_nsswitch(polipo_t)
-logging_send_syslog_msg(polipo_system_t)
+logging_send_syslog_msg(polipo_t)
optional_policy(`
- cron_system_entry(polipo_system_t, polipo_exec_t)
+ cron_system_entry(polipo_t, polipo_exec_t)
+')
+
+tunable_policy(`polipo_connect_all_unreserved',`
+ corenet_tcp_connect_all_unreserved_ports(polipo_t)
')
-tunable_policy(`polipo_system_use_cifs',`
- fs_manage_cifs_files(polipo_system_t)
-',`
- fs_dontaudit_read_cifs_files(polipo_system_t)
+tunable_policy(`polipo_use_cifs',`
+ fs_manage_cifs_files(polipo_t)
')
-tunable_policy(`polipo_system_use_nfs',`
- fs_manage_nfs_files(polipo_system_t)
-',`
- fs_dontaudit_read_nfs_files(polipo_system_t)
+tunable_policy(`polipo_use_nfs',`
+ fs_manage_nfs_files(polipo_t)
')
########################################
#
-# Polipo global local policy
+# Polipo session local policy
#
-allow polipo_daemon self:fifo_file rw_fifo_file_perms;
-allow polipo_daemon self:tcp_socket { listen accept };
-
-corenet_all_recvfrom_unlabeled(polipo_daemon)
-corenet_all_recvfrom_netlabel(polipo_daemon)
-corenet_tcp_sendrecv_generic_if(polipo_daemon)
-corenet_tcp_sendrecv_generic_node(polipo_daemon)
-corenet_tcp_bind_generic_node(polipo_daemon)
+read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t)
+manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
-corenet_sendrecv_http_client_packets(polipo_daemon)
-corenet_tcp_sendrecv_http_port(polipo_daemon)
-corenet_tcp_connect_http_port(polipo_daemon)
+auth_use_nsswitch(polipo_session_t)
-corenet_sendrecv_http_cache_server_packets(polipo_daemon)
-corenet_tcp_sendrecv_http_cache_port(polipo_daemon)
-corenet_tcp_bind_http_cache_port(polipo_daemon)
+userdom_use_user_terminals(polipo_session_t)
corenet_sendrecv_tor_client_packets(polipo_daemon)
corenet_tcp_sendrecv_tor_port(polipo_daemon)
corenet_tcp_connect_tor_port(polipo_daemon)
+corenet_tcp_connect_all_ephemeral_ports(polipo_daemon)
-files_read_usr_files(polipo_daemon)
+logging_send_syslog_msg(polipo_session_t)
-fs_search_auto_mountpoints(polipo_daemon)
+userdom_home_manager(polipo_session_t)
+
+tunable_policy(`polipo_session_bind_all_unreserved_ports',`
+ corenet_tcp_sendrecv_all_ports(polipo_session_t)
+ corenet_tcp_bind_all_unreserved_ports(polipo_session_t)
+')
-miscfiles_read_localization(polipo_daemon)
diff --git a/portage.if b/portage.if
index 67e8c12c4..e76feca9b 100644
--- a/portage.if
+++ b/portage.if
@@ -67,9 +67,10 @@ interface(`portage_compile_domain',`
class dbus send_msg;
type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
type portage_tmpfs_t;
+ type portage_sandbox_t;
')
- allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
+ allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_read_search net_raw };
dontaudit $1 self:capability sys_chroot;
allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate };
allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
diff --git a/portage.te b/portage.te
index b410c67c1..27d6cc52a 100644
--- a/portage.te
+++ b/portage.te
@@ -108,7 +108,6 @@ domain_use_interactive_fds(gcc_config_t)
files_manage_etc_files(gcc_config_t)
files_rw_etc_runtime_files(gcc_config_t)
-files_read_usr_files(gcc_config_t)
files_search_var_lib(gcc_config_t)
files_search_pids(gcc_config_t)
# complains loudly about not being able to list
@@ -239,7 +238,7 @@ dontaudit portage_t device_type:blk_file read_blk_file_perms;
#
allow portage_fetch_t self:process signal;
-allow portage_fetch_t self:capability { dac_override fowner fsetid chown };
+allow portage_fetch_t self:capability { dac_read_search fowner fsetid chown };
allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
allow portage_fetch_t self:tcp_socket { accept listen };
allow portage_fetch_t self:unix_stream_socket create_socket_perms;
@@ -291,7 +290,6 @@ dev_dontaudit_read_rand(portage_fetch_t)
domain_use_interactive_fds(portage_fetch_t)
files_read_etc_runtime_files(portage_fetch_t)
-files_read_usr_files(portage_fetch_t)
files_dontaudit_search_pids(portage_fetch_t)
fs_search_auto_mountpoints(portage_fetch_t)
diff --git a/portmap.fc b/portmap.fc
index cd45831ca..69406ee17 100644
--- a/portmap.fc
+++ b/portmap.fc
@@ -4,9 +4,14 @@
/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
+ifdef(`distro_debian',`
+/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+', `
/usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
/usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
/usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
+')
/var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0)
/var/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0)
diff --git a/portmap.te b/portmap.te
index 18b255e7a..e75c4ec24 100644
--- a/portmap.te
+++ b/portmap.te
@@ -45,7 +45,6 @@ files_pid_filetrans(portmap_t, portmap_var_run_t, file)
kernel_read_system_state(portmap_t)
kernel_read_kernel_sysctls(portmap_t)
-corenet_all_recvfrom_unlabeled(portmap_t)
corenet_all_recvfrom_netlabel(portmap_t)
corenet_tcp_sendrecv_generic_if(portmap_t)
corenet_udp_sendrecv_generic_if(portmap_t)
@@ -80,9 +79,11 @@ fs_search_auto_mountpoints(portmap_t)
domain_use_interactive_fds(portmap_t)
+auth_use_nsswitch(portmap_t)
+
logging_send_syslog_msg(portmap_t)
-miscfiles_read_localization(portmap_t)
+sysnet_read_config(portmap_t)
userdom_dontaudit_use_unpriv_user_fds(portmap_t)
userdom_dontaudit_search_user_home_dirs(portmap_t)
@@ -106,7 +107,6 @@ allow portmap_helper_t self:tcp_socket { accept listen };
allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file)
-corenet_all_recvfrom_unlabeled(portmap_helper_t)
corenet_all_recvfrom_netlabel(portmap_helper_t)
corenet_tcp_sendrecv_generic_if(portmap_helper_t)
corenet_udp_sendrecv_generic_if(portmap_helper_t)
@@ -138,5 +138,7 @@ init_rw_utmp(portmap_helper_t)
logging_send_syslog_msg(portmap_helper_t)
-userdom_use_user_terminals(portmap_helper_t)
+sysnet_read_config(portmap_helper_t)
+
+userdom_use_inherited_user_terminals(portmap_helper_t)
userdom_dontaudit_use_all_users_fds(portmap_helper_t)
diff --git a/portreserve.fc b/portreserve.fc
index 1b2b4f908..575b7d69b 100644
--- a/portreserve.fc
+++ b/portreserve.fc
@@ -1,6 +1,6 @@
/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
-/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
diff --git a/portreserve.if b/portreserve.if
index 5ad529154..7f1ae2a78 100644
--- a/portreserve.if
+++ b/portreserve.if
@@ -105,8 +105,11 @@ interface(`portreserve_admin',`
type portreserve_initrc_exec_t;
')
- allow $1 portreserve_t:process { ptrace signal_perms };
+ allow $1 portreserve_t:process signal_perms;
ps_process_pattern($1, portreserve_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 portreserve_t:process ptrace;
+ ')
portreserve_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/portreserve.te b/portreserve.te
index 00b01e2ea..1ef4b9938 100644
--- a/portreserve.te
+++ b/portreserve.te
@@ -23,7 +23,7 @@ files_pid_file(portreserve_var_run_t)
# Local policy
#
-allow portreserve_t self:capability { dac_read_search dac_override };
+allow portreserve_t self:capability { dac_read_search };
allow portreserve_t self:fifo_file rw_fifo_file_perms;
allow portreserve_t self:unix_stream_socket create_stream_socket_perms;
allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }
corecmd_getattr_bin_files(portreserve_t)
-corenet_all_recvfrom_unlabeled(portreserve_t)
corenet_all_recvfrom_netlabel(portreserve_t)
corenet_tcp_sendrecv_generic_if(portreserve_t)
corenet_udp_sendrecv_generic_if(portreserve_t)
@@ -56,6 +55,7 @@ corenet_sendrecv_all_server_packets(portreserve_t)
corenet_tcp_bind_all_ports(portreserve_t)
corenet_udp_bind_all_ports(portreserve_t)
-files_read_etc_files(portreserve_t)
-
userdom_dontaudit_search_user_home_content(portreserve_t)
+
+auth_use_nsswitch(portreserve_t)
+
diff --git a/portslave.te b/portslave.te
index cbe36c1d0..8ebeb87d2 100644
--- a/portslave.te
+++ b/portslave.te
@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(portslave_t)
corecmd_exec_bin(portslave_t)
corecmd_exec_shell(portslave_t)
-corenet_all_recvfrom_unlabeled(portslave_t)
corenet_all_recvfrom_netlabel(portslave_t)
corenet_tcp_sendrecv_generic_if(portslave_t)
corenet_udp_sendrecv_generic_if(portslave_t)
@@ -72,7 +71,7 @@ fs_getattr_xattr_fs(portslave_t)
term_use_unallocated_ttys(portslave_t)
term_setattr_unallocated_ttys(portslave_t)
-term_use_all_ttys(portslave_t)
+term_use_all_inherited_ttys(portslave_t)
term_search_ptys(portslave_t)
auth_domtrans_chk_passwd(portslave_t)
diff --git a/postfix.fc b/postfix.fc
index c0e878537..3070aa066 100644
--- a/postfix.fc
+++ b/postfix.fc
@@ -1,38 +1,38 @@
-/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
-/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
-
-/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
-
+# postfix
+/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
+/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
+ifdef(`distro_redhat', `
+/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+', `
/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
-
-/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
-
+')
+/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
@@ -44,14 +44,14 @@
/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
+/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
-/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
-/var/spool/postfix/deferred(/.*)? -d gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
-/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
-/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
-/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
-/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
-/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
-/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
-/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
+/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
+/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
+/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
+/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
diff --git a/postfix.if b/postfix.if
index ded95ec3a..30d57cf13 100644
--- a/postfix.if
+++ b/postfix.if
@@ -1,4 +1,4 @@
-## <summary>Postfix email server.</summary>
+## <summary>Postfix email server</summary>
########################################
## <summary>
@@ -16,13 +16,14 @@ interface(`postfix_stub',`
')
')
-#######################################
+########################################
## <summary>
-## The template to define a postfix domain.
+## Creates types and rules for a basic
+## postfix process domain.
## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
## <summary>
-## Domain prefix to be used.
+## Prefix for the domain.
## </summary>
## </param>
#
@@ -31,73 +32,69 @@ template(`postfix_domain_template',`
attribute postfix_domain;
')
- ########################################
- #
- # Declarations
- #
-
type postfix_$1_t, postfix_domain;
type postfix_$1_exec_t;
domain_type(postfix_$1_t)
domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
role system_r types postfix_$1_t;
- ########################################
- #
- # Policy
- #
-
- can_exec(postfix_$1_t, postfix_$1_exec_t)
+ kernel_read_system_state(postfix_$1_t)
auth_use_nsswitch(postfix_$1_t)
+
+ logging_send_syslog_msg(postfix_$1_t)
+
+ can_exec(postfix_$1_t, postfix_$1_exec_t)
')
-#######################################
+########################################
## <summary>
-## The template to define a postfix server domain.
+## Creates a postfix server process domain.
## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
## <summary>
-## Domain prefix to be used.
+## Prefix of the domain.
## </summary>
## </param>
#
template(`postfix_server_domain_template',`
- gen_require(`
- attribute postfix_server_domain, postfix_server_tmp_content;
- ')
-
- ########################################
- #
- # Declarations
- #
-
postfix_domain_template($1)
- typeattribute postfix_$1_t postfix_server_domain;
-
- type postfix_$1_tmp_t, postfix_server_tmp_content;
+ type postfix_$1_tmp_t;
files_tmp_file(postfix_$1_tmp_t)
- ########################################
- #
- # Declarations
- #
+ allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_read_search };
+ allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
+ allow postfix_$1_t self:tcp_socket create_socket_perms;
+ allow postfix_$1_t self:udp_socket create_socket_perms;
manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir })
domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
+
+ corenet_all_recvfrom_netlabel(postfix_$1_t)
+ corenet_tcp_sendrecv_generic_if(postfix_$1_t)
+ corenet_udp_sendrecv_generic_if(postfix_$1_t)
+ corenet_tcp_sendrecv_generic_node(postfix_$1_t)
+ corenet_udp_sendrecv_generic_node(postfix_$1_t)
+ corenet_tcp_sendrecv_all_ports(postfix_$1_t)
+ corenet_udp_sendrecv_all_ports(postfix_$1_t)
+ corenet_tcp_bind_generic_node(postfix_$1_t)
+ corenet_udp_bind_generic_node(postfix_$1_t)
+ corenet_tcp_connect_all_ports(postfix_$1_t)
+ corenet_sendrecv_all_client_packets(postfix_$1_t)
')
-#######################################
+########################################
## <summary>
-## The template to define a postfix user domain.
+## Creates a process domain for programs
+## that are ran by users.
## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
## <summary>
-## Domain prefix to be used.
+## Prefix of the domain.
## </summary>
## </param>
#
@@ -106,30 +103,22 @@ template(`postfix_user_domain_template',`
attribute postfix_user_domains, postfix_user_domtrans;
')
- ########################################
- #
- # Declarations
- #
-
postfix_domain_template($1)
typeattribute postfix_$1_t postfix_user_domains;
- ########################################
- #
- # Policy
- #
-
- allow postfix_$1_t self:capability dac_override;
+ allow postfix_$1_t self:capability { dac_read_search };
domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
domain_use_interactive_fds(postfix_$1_t)
+
+ application_domain(postfix_$1_t, postfix_$1_exec_t)
')
########################################
## <summary>
-## Read postfix configuration content.
+## Read postfix configuration files.
## </summary>
## <param name="domain">
## <summary>
@@ -143,16 +132,16 @@ interface(`postfix_read_config',`
type postfix_etc_t;
')
+ read_files_pattern($1, postfix_etc_t, postfix_etc_t)
+ list_dirs_pattern($1, postfix_etc_t, postfix_etc_t)
+ read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
files_search_etc($1)
- allow $1 postfix_etc_t:dir list_dir_perms;
- allow $1 postfix_etc_t:file read_file_perms;
- allow $1 postfix_etc_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
-## Create specified object in postfix
-## etc directories with a type transition.
+## Create files with the specified type in
+## the postfix configuration directories.
## </summary>
## <param name="domain">
## <summary>
@@ -180,6 +169,7 @@ interface(`postfix_config_filetrans',`
type postfix_etc_t;
')
+ files_search_etc($1)
filetrans_pattern($1, postfix_etc_t, $2, $3, $4)
')
@@ -205,7 +195,8 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',`
########################################
## <summary>
-## Read and write postfix local pipes.
+## Allow read/write postfix local pipes
+## TCP sockets.
## </summary>
## <param name="domain">
## <summary>
@@ -221,30 +212,28 @@ interface(`postfix_rw_local_pipes',`
allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
')
-########################################
+#######################################
## <summary>
-## Read postfix local process state files.
+## Allow read/write postfix public pipes
+## TCP sockets.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
-interface(`postfix_read_local_state',`
- gen_require(`
- type postfix_local_t;
- ')
+interface(`postfix_rw_public_pipes',`
+ gen_require(`
+ type postfix_public_t;
+ ')
- kernel_search_proc($1)
- allow $1 postfix_local_t:dir list_dir_perms;
- allow $1 postfix_local_t:file read_file_perms;
- allow $1 postfix_local_t:lnk_file read_lnk_file_perms;
+ allow $1 postfix_public_t:fifo_file rw_fifo_file_perms;
')
########################################
## <summary>
-## Read and write inherited postfix master pipes.
+## Allow domain to read postfix local process state
## </summary>
## <param name="domain">
## <summary>
@@ -252,18 +241,18 @@ interface(`postfix_read_local_state',`
## </summary>
## </param>
#
-interface(`postfix_rw_inherited_master_pipes',`
+interface(`postfix_read_local_state',`
gen_require(`
- type postfix_master_t;
+ type postfix_local_t;
')
- allow $1 postfix_master_t:fd use;
- allow $1 postfix_master_t:fifo_file { getattr write append lock ioctl read };
+ kernel_search_proc($1)
+ ps_process_pattern($1, postfix_local_t)
')
########################################
## <summary>
-## Read postfix master process state files.
+## Allow domain to read postfix master process state
## </summary>
## <param name="domain">
## <summary>
@@ -277,14 +266,13 @@ interface(`postfix_read_master_state',`
')
kernel_search_proc($1)
- allow $1 postfix_master_t:dir list_dir_perms;
- allow $1 postfix_master_t:file read_file_perms;
- allow $1 postfix_master_t:lnk_file read_lnk_file_perms;
+ ps_process_pattern($1, postfix_master_t)
')
########################################
## <summary>
-## Use postfix master file descriptors.
+## Use postfix master process file
+## file descriptors.
## </summary>
## <param name="domain">
## <summary>
@@ -335,15 +323,13 @@ interface(`postfix_domtrans_map',`
type postfix_map_t, postfix_map_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, postfix_map_exec_t, postfix_map_t)
')
########################################
## <summary>
-## Execute postfix map in the postfix
-## map domain, and allow the specified
-## role the postfix_map domain.
+## Execute postfix_map in the postfix_map domain, and
+## allow the specified role the postfix_map domain.
## </summary>
## <param name="domain">
## <summary>
@@ -359,17 +345,17 @@ interface(`postfix_domtrans_map',`
#
interface(`postfix_run_map',`
gen_require(`
- attribute_role postfix_map_roles;
+ type postfix_map_t;
')
postfix_domtrans_map($1)
- roleattribute $2 postfix_map_roles;
+ role $2 types postfix_map_t;
')
########################################
## <summary>
-## Execute the master postfix program
-## in the postfix_master domain.
+## Execute the master postfix program in the
+## postfix_master domain.
## </summary>
## <param name="domain">
## <summary>
@@ -380,16 +366,35 @@ interface(`postfix_run_map',`
interface(`postfix_domtrans_master',`
gen_require(`
type postfix_master_t, postfix_master_exec_t;
+ attribute postfix_domain;
')
- corecmd_search_bin($1)
domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
')
+
########################################
## <summary>
-## Execute the master postfix program
-## in the caller domain.
+## Execute the master postfix in the postfix master domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_initrc_domtrans',`
+ gen_require(`
+ type postfix_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, postfix_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute the master postfix program in the
+## caller domain.
## </summary>
## <param name="domain">
## <summary>
@@ -402,21 +407,18 @@ interface(`postfix_exec_master',`
type postfix_master_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, postfix_master_exec_t)
')
#######################################
## <summary>
-## Connect to postfix master process
-## using a unix domain stream socket.
+## Connect to postfix master process using a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
interface(`postfix_stream_connect_master',`
gen_require(`
@@ -428,8 +430,7 @@ interface(`postfix_stream_connect_master',`
########################################
## <summary>
-## Read and write postfix master
-## unnamed pipes. (Deprecated)
+## Allow read/write postfix master pipes
## </summary>
## <param name="domain">
## <summary>
@@ -437,15 +438,18 @@ interface(`postfix_stream_connect_master',`
## </summary>
## </param>
#
-interface(`postfix_rw_master_pipes',`
- refpolicywarn(`$0($*) has been deprecated, use postfix_rw_inherited_master_pipes() instead.')
- postfix_rw_inherited_master_pipes($1)
+interface(`postfix_rw_inherited_master_pipes',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+
+ allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
## <summary>
## Execute the master postdrop in the
-## postfix postdrop domain.
+## postfix_postdrop domain.
## </summary>
## <param name="domain">
## <summary>
@@ -458,14 +462,13 @@ interface(`postfix_domtrans_postdrop',`
type postfix_postdrop_t, postfix_postdrop_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
')
########################################
## <summary>
## Execute the master postqueue in the
-## postfix postqueue domain.
+## postfix_postqueue domain.
## </summary>
## <param name="domain">
## <summary>
@@ -478,30 +481,85 @@ interface(`postfix_domtrans_postqueue',`
type postfix_postqueue_t, postfix_postqueue_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
')
-#######################################
+########################################
## <summary>
-## Execute the master postqueue in
-## the caller domain. (Deprecated)
+## Execute the master postqueue in the
+## postfix_postdrop domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the iptables domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+
+interface(`postfix_run_postqueue',`
+ gen_require(`
+ type postfix_postqueue_t;
+ ')
+
+ postfix_domtrans_postqueue($1)
+ role $2 types postfix_postqueue_t;
+ allow postfix_postqueue_t $1:unix_stream_socket { read write getattr };
+')
+
+########################################
+## <summary>
+## Execute postfix_postgqueue in the postfix_postgqueue domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`postfix_domtrans_postgqueue',`
+ gen_require(`
+ type postfix_postgqueue_t;
+ type postfix_postgqueue_exec_t;
+ ')
+ domtrans_pattern($1, postfix_postgqueue_exec_t,postfix_postgqueue_t)
+')
+
+########################################
+## <summary>
+## Execute postfix_postgqueue in the postfix_postgqueue domain, and
+## allow the specified role the postfix_postgqueue domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
## </summary>
## </param>
+## <rolecap/>
#
-interface(`posftix_exec_postqueue',`
- refpolicywarn(`$0($*) has been deprecated.')
- postfix_exec_postqueue($1)
+interface(`postfix_run_postgqueue',`
+ gen_require(`
+ type postfix_postgqueue_t;
+ ')
+
+ postfix_domtrans_postgqueue($1)
+ role $2 types postfix_postgqueue_t;
')
+
#######################################
## <summary>
-## Execute postfix postqueue in
-## the caller domain.
+## Execute the master postqueue in the caller domain.
## </summary>
## <param name="domain">
## <summary>
@@ -514,13 +572,12 @@ interface(`postfix_exec_postqueue',`
type postfix_postqueue_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, postfix_postqueue_exec_t)
')
########################################
## <summary>
-## Create postfix private sock files.
+## Create a named socket in a postfix private directory.
## </summary>
## <param name="domain">
## <summary>
@@ -533,13 +590,13 @@ interface(`postfix_create_private_sockets',`
type postfix_private_t;
')
+ allow $1 postfix_private_t:dir list_dir_perms;
create_sock_files_pattern($1, postfix_private_t, postfix_private_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## postfix private sock files.
+## manage named socket in a postfix private directory.
## </summary>
## <param name="domain">
## <summary>
@@ -552,13 +609,14 @@ interface(`postfix_manage_private_sockets',`
type postfix_private_t;
')
+ allow $1 postfix_private_t:dir list_dir_perms;
manage_sock_files_pattern($1, postfix_private_t, postfix_private_t)
')
########################################
## <summary>
-## Execute the smtp postfix program
-## in the postfix smtp domain.
+## Execute the master postfix program in the
+## postfix_master domain.
## </summary>
## <param name="domain">
## <summary>
@@ -571,14 +629,12 @@ interface(`postfix_domtrans_smtp',`
type postfix_smtp_t, postfix_smtp_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t)
')
########################################
## <summary>
-## Get attributes of all postfix mail
-## spool files.
+## Getattr postfix mail spool files.
## </summary>
## <param name="domain">
## <summary>
@@ -586,7 +642,7 @@ interface(`postfix_domtrans_smtp',`
## </summary>
## </param>
#
-interface(`postfix_getattr_all_spool_files',`
+interface(`postfix_getattr_spool_files',`
gen_require(`
attribute postfix_spool_type;
')
@@ -607,11 +663,11 @@ interface(`postfix_getattr_all_spool_files',`
#
interface(`postfix_search_spool',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
')
+ allow $1 postfix_spool_type:dir search_dir_perms;
files_search_spool($1)
- allow $1 postfix_spool_t:dir search_dir_perms;
')
########################################
@@ -626,11 +682,11 @@ interface(`postfix_search_spool',`
#
interface(`postfix_list_spool',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
')
+ allow $1 postfix_spool_type:dir list_dir_perms;
files_search_spool($1)
- allow $1 postfix_spool_t:dir list_dir_perms;
')
########################################
@@ -645,17 +701,16 @@ interface(`postfix_list_spool',`
#
interface(`postfix_read_spool_files',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
')
files_search_spool($1)
- read_files_pattern($1, postfix_spool_t, postfix_spool_t)
+ read_files_pattern($1, postfix_spool_type, postfix_spool_type)
')
########################################
## <summary>
-## Create, read, write, and delete
-## postfix mail spool files.
+## Create, read, write, and delete postfix mail spool files.
## </summary>
## <param name="domain">
## <summary>
@@ -665,11 +720,50 @@ interface(`postfix_read_spool_files',`
#
interface(`postfix_manage_spool_files',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
')
files_search_spool($1)
- manage_files_pattern($1, postfix_spool_t, postfix_spool_t)
+ manage_files_pattern($1, postfix_spool_type, postfix_spool_type)
+')
+
+#######################################
+## <summary>
+## Read, write, and delete postfix maildrop spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_rw_spool_maildrop_files',`
+ gen_require(`
+ type postfix_spool_maildrop_t;
+ ')
+
+ files_search_spool($1)
+ rw_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete postfix maildrop spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_manage_spool_maildrop_files',`
+ gen_require(`
+ type postfix_spool_maildrop_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+ manage_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
')
########################################
@@ -693,8 +787,8 @@ interface(`postfix_domtrans_user_mail_handler',`
########################################
## <summary>
-## All of the rules required to
-## administrate an postfix environment.
+## All of the rules required to administrate
+## an postfix environment.
## </summary>
## <param name="domain">
## <summary>
@@ -710,38 +804,137 @@ interface(`postfix_domtrans_user_mail_handler',`
#
interface(`postfix_admin',`
gen_require(`
- attribute postfix_domain, postfix_spool_type, postfix_server_tmp_content;
- type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t;
- type postfix_data_t, postfix_var_run_t, postfix_public_t;
- type postfix_private_t, postfix_map_tmp_t, postfix_exec_t;
- type postfix_keytab_t;
+ attribute postfix_spool_type;
+ type postfix_bounce_t, postfix_cleanup_t, postfix_local_t;
+ type postfix_master_t, postfix_pickup_t, postfix_qmgr_t;
+ type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t;
+ type postfix_map_tmp_t, postfix_prng_t, postfix_public_t;
+ type postfix_smtpd_t, postfix_var_run_t;
+ ')
+
+ allow $1 postfix_bounce_t:process signal_perms;
+ ps_process_pattern($1, postfix_bounce_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 postfix_bounce_t:process ptrace;
')
- allow $1 postfix_domain:process { ptrace signal_perms };
- ps_process_pattern($1, postfix_domain)
+ allow $1 postfix_cleanup_t:process signal_perms;
+ ps_process_pattern($1, postfix_cleanup_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 postfix_cleanup_t:process ptrace;
+ allow $1 postfix_local_t:process ptrace;
+ allow $1 postfix_master_t:process ptrace;
+ allow $1 postfix_pickup_t:process ptrace;
+ allow $1 postfix_qmgr_t:process ptrace;
+ allow $1 postfix_smtpd_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, postfix_initrc_exec_t)
+ allow $1 postfix_local_t:process signal_perms;
+ ps_process_pattern($1, postfix_local_t)
+
+ allow $1 postfix_master_t:process signal_perms;
+ ps_process_pattern($1, postfix_master_t)
+
+ allow $1 postfix_pickup_t:process signal_perms;
+ ps_process_pattern($1, postfix_pickup_t)
+
+ allow $1 postfix_qmgr_t:process signal_perms;
+ ps_process_pattern($1, postfix_qmgr_t)
+
+ allow $1 postfix_smtpd_t:process signal_perms;
+ ps_process_pattern($1, postfix_smtpd_t)
+
+ postfix_run_map($1, $2)
+ postfix_run_postdrop($1, $2)
+ postfix_run_postqueue($1, $2)
+
+ postfix_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 postfix_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
- admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })
+ admin_pattern($1, postfix_data_t)
- files_search_spool($1)
- admin_pattern($1, { postfix_public_t postfix_private_t postfix_spool_type })
+ files_list_etc($1)
+ admin_pattern($1, postfix_etc_t)
- files_search_var_lib($1)
- admin_pattern($1, postfix_data_t)
+ files_list_spool($1)
+ admin_pattern($1, postfix_spool_type)
- files_search_pids($1)
admin_pattern($1, postfix_var_run_t)
- files_search_tmp($1)
- admin_pattern($1, { postfix_server_tmp_content postfix_map_tmp_t })
+ files_list_tmp($1)
+ admin_pattern($1, postfix_map_tmp_t)
+
+ admin_pattern($1, postfix_prng_t)
- postfix_exec_master($1)
- postfix_exec_postqueue($1)
- postfix_stream_connect_master($1)
- postfix_run_map($1, $2)
+ admin_pattern($1, postfix_public_t)
+
+ postfix_filetrans_named_content($1)
+')
+
+########################################
+## <summary>
+## Execute the master postdrop in the
+## postfix_postdrop domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the iptables domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postfix_run_postdrop',`
+ gen_require(`
+ type postfix_postdrop_t;
+ ')
+
+ postfix_domtrans_postdrop($1)
+ role $2 types postfix_postdrop_t;
+ allow postfix_postdrop_t $1:unix_stream_socket { read write getattr };
+')
+
+
+########################################
+## <summary>
+## Execute postfix exec in the users domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_exec',`
+ gen_require(`
+ type postfix_exec_t;
+ ')
+
+ can_exec($1, postfix_exec_t)
+')
+
+########################################
+## <summary>
+## Transition to postfix named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_filetrans_named_content',`
+ gen_require(`
+ type postfix_exec_t;
+ type postfix_prng_t;
+ ')
+
+ postfix_config_filetrans($1, postfix_exec_t, file, "postfix-script")
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
index 5cfb83eca..5de033f81 100644
--- a/postfix.te
+++ b/postfix.te
@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
#
## <desc>
-## <p>
-## Determine whether postfix local
-## can manage mail spool content.
-## </p>
+## <p>
+## Allow postfix_local domain full write access to mail_spool directories
+## </p>
## </desc>
gen_tunable(postfix_local_write_mail_spool, true)
attribute postfix_domain;
-attribute postfix_server_domain;
-attribute postfix_server_tmp_content;
attribute postfix_spool_type;
attribute postfix_user_domains;
+# domains that transition to the
+# postfix user domains
attribute postfix_user_domtrans;
-attribute_role postfix_map_roles;
-roleattribute system_r postfix_map_roles;
-
postfix_server_domain_template(bounce)
type postfix_spool_bounce_t, postfix_spool_type;
-files_type(postfix_spool_bounce_t)
+files_spool_file(postfix_spool_bounce_t)
postfix_server_domain_template(cleanup)
@@ -42,16 +38,19 @@ files_type(postfix_keytab_t)
postfix_server_domain_template(local)
mta_mailserver_delivery(postfix_local_t)
+# Program for creating database files
type postfix_map_t;
type postfix_map_exec_t;
application_domain(postfix_map_t, postfix_map_exec_t)
-role postfix_map_roles types postfix_map_t;
+role system_r types postfix_map_t;
type postfix_map_tmp_t;
files_tmp_file(postfix_map_tmp_t)
postfix_domain_template(master)
typealias postfix_master_t alias postfix_t;
+# alias is a hack to make the disable trans bool
+# generation macro work
mta_mailserver(postfix_t, postfix_master_exec_t)
type postfix_initrc_exec_t;
@@ -63,6 +62,7 @@ postfix_server_domain_template(pipe)
postfix_user_domain_template(postdrop)
mta_mailserver_user_agent(postfix_postdrop_t)
+mta_agent_executable(postfix_postdrop_t)
postfix_user_domain_template(postqueue)
mta_mailserver_user_agent(postfix_postqueue_t)
@@ -83,13 +83,13 @@ mta_mailserver_sender(postfix_smtp_t)
postfix_server_domain_template(smtpd)
type postfix_spool_t, postfix_spool_type;
-files_type(postfix_spool_t)
+files_spool_file(postfix_spool_t)
-type postfix_spool_maildrop_t, postfix_spool_type;
-files_type(postfix_spool_maildrop_t)
+typealias postfix_spool_t alias postfix_spool_maildrop_t;
+files_spool_file(postfix_spool_maildrop_t)
-type postfix_spool_flush_t, postfix_spool_type;
-files_type(postfix_spool_flush_t)
+typealias postfix_spool_t alias postfix_spool_flush_t;
+files_spool_file(postfix_spool_flush_t)
type postfix_public_t;
files_type(postfix_public_t)
@@ -97,6 +97,7 @@ files_type(postfix_public_t)
type postfix_var_run_t;
files_pid_file(postfix_var_run_t)
+# the data_directory config parameter
type postfix_data_t;
files_type(postfix_data_t)
@@ -105,109 +106,23 @@ mta_mailserver_delivery(postfix_virtual_t)
########################################
#
-# Common postfix domain local policy
-#
-
-allow postfix_domain self:capability { sys_nice sys_chroot };
-dontaudit postfix_domain self:capability sys_tty_config;
-allow postfix_domain self:process { signal_perms setpgid setsched };
-allow postfix_domain self:fifo_file rw_fifo_file_perms;
-allow postfix_domain self:unix_stream_socket { accept connectto listen };
-
-allow postfix_domain postfix_etc_t:dir list_dir_perms;
-allow postfix_domain postfix_etc_t:file read_file_perms;
-allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms;
-
-allow postfix_domain postfix_master_t:file read_file_perms;
-
-allow postfix_domain postfix_exec_t:file { mmap_file_perms lock };
-
-allow postfix_domain postfix_master_t:process sigchld;
-
-allow postfix_domain postfix_spool_t:dir list_dir_perms;
-
-manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)
-files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
-
-kernel_read_system_state(postfix_domain)
-kernel_read_network_state(postfix_domain)
-kernel_read_all_sysctls(postfix_domain)
-
-dev_read_sysfs(postfix_domain)
-dev_read_rand(postfix_domain)
-dev_read_urand(postfix_domain)
-
-fs_search_auto_mountpoints(postfix_domain)
-fs_getattr_all_fs(postfix_domain)
-fs_rw_anon_inodefs_files(postfix_domain)
-
-term_dontaudit_use_console(postfix_domain)
-
-corecmd_exec_shell(postfix_domain)
-
-files_read_etc_runtime_files(postfix_domain)
-files_read_usr_files(postfix_domain)
-files_search_spool(postfix_domain)
-files_getattr_tmp_dirs(postfix_domain)
-files_search_all_mountpoints(postfix_domain)
-
-init_dontaudit_use_fds(postfix_domain)
-init_sigchld(postfix_domain)
-
-logging_send_syslog_msg(postfix_domain)
-
-miscfiles_read_localization(postfix_domain)
-miscfiles_read_generic_certs(postfix_domain)
-
-userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
-
-optional_policy(`
- udev_read_db(postfix_domain)
-')
-
-########################################
-#
-# Common postfix server domain local policy
-#
-
-allow postfix_server_domain self:capability { setuid setgid dac_override };
-
-allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
-
-corenet_all_recvfrom_unlabeled(postfix_server_domain)
-corenet_all_recvfrom_netlabel(postfix_server_domain)
-corenet_tcp_sendrecv_generic_if(postfix_server_domain)
-corenet_tcp_sendrecv_generic_node(postfix_server_domain)
-
-corenet_sendrecv_all_client_packets(postfix_server_domain)
-corenet_tcp_connect_all_ports(postfix_server_domain)
-corenet_tcp_sendrecv_all_ports(postfix_server_domain)
-
-########################################
-#
-# Common postfix user domain local policy
-#
-
-allow postfix_user_domains self:capability dac_override;
-
-domain_use_interactive_fds(postfix_user_domains)
-
-########################################
-#
-# Master local policy
+# Postfix master process local policy
#
-allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
+dontaudit postfix_master_t self:capability { net_admin };
+# chown is to set the correct ownership of queue dirs
+allow postfix_master_t self:capability { chown dac_read_search kill setgid setuid net_bind_service sys_tty_config };
allow postfix_master_t self:capability2 block_suspend;
+
allow postfix_master_t self:process setrlimit;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;
-allow postfix_master_t postfix_domain:fifo_file rw_fifo_file_perms;
-allow postfix_master_t postfix_domain:process signal;
-
allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
allow postfix_master_t postfix_etc_t:file rw_file_perms;
+mta_filetrans_aliases(postfix_master_t, postfix_etc_t)
+
+can_exec(postfix_master_t, postfix_exec_t)
allow postfix_master_t postfix_data_t:dir manage_dir_perms;
allow postfix_master_t postfix_data_t:file manage_file_perms;
@@ -216,34 +131,32 @@ allow postfix_master_t postfix_keytab_t:file read_file_perms;
allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
-allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
+allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
+
+manage_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+
+domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
allow postfix_master_t postfix_prng_t:file rw_file_perms;
+manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+
+domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
+
+# allow access to deferred queue and allow removing bogus incoming entries
manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms;
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_bounce_t, dir, "bounce")
manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")
-
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t)
-manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-setattr_dirs_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_private_t, dir, "private")
-
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_public_t)
-manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public")
create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
@@ -253,16 +166,8 @@ filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, d
filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred")
filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
-setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
-
-can_exec(postfix_master_t, postfix_exec_t)
-
-domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
-domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
+kernel_read_all_sysctls(postfix_master_t)
-corenet_all_recvfrom_unlabeled(postfix_master_t)
corenet_all_recvfrom_netlabel(postfix_master_t)
corenet_tcp_sendrecv_generic_if(postfix_master_t)
corenet_udp_sendrecv_generic_if(postfix_master_t)
@@ -270,50 +175,45 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
+corenet_udp_bind_generic_node(postfix_master_t)
+corenet_udp_bind_all_unreserved_ports(postfix_master_t)
+corenet_tcp_bind_all_unreserved_ports(postfix_master_t)
+corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
corenet_tcp_bind_generic_node(postfix_master_t)
-
-corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
-
-corenet_sendrecv_smtp_server_packets(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
-
-corenet_sendrecv_spamd_server_packets(postfix_master_t)
-corenet_tcp_bind_spamd_port(postfix_master_t)
-
-corenet_sendrecv_all_client_packets(postfix_master_t)
corenet_tcp_connect_all_ports(postfix_master_t)
+corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
+corenet_sendrecv_smtp_server_packets(postfix_master_t)
+corenet_sendrecv_all_client_packets(postfix_master_t)
+# for spampd
+corenet_tcp_bind_spamd_port(postfix_master_t)
-# Can this be conditional?
-corenet_sendrecv_all_server_packets(postfix_master_t)
-corenet_udp_bind_all_unreserved_ports(postfix_master_t)
-corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
-
+# for a find command
selinux_dontaudit_search_fs(postfix_master_t)
+corecmd_exec_shell(postfix_master_t)
corecmd_exec_bin(postfix_master_t)
domain_use_interactive_fds(postfix_master_t)
+files_search_var_lib(postfix_master_t)
files_search_tmp(postfix_master_t)
-mcs_file_read_all(postfix_master_t)
-
term_dontaudit_search_ptys(postfix_master_t)
-miscfiles_read_man_pages(postfix_master_t)
-
seutil_sigchld_newrole(postfix_master_t)
-seutil_dontaudit_search_config(postfix_master_t)
-mta_manage_aliases(postfix_master_t)
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliases")
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliases.db")
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliasesdb-stamp")
-mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file)
+mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
mta_getattr_spool(postfix_master_t)
+ifdef(`distro_redhat',`
+ # for newer main.cf that uses /etc/aliases
+ mta_manage_aliases(postfix_master_t)
+ mta_etc_filetrans_aliases(postfix_master_t)
+')
+
optional_policy(`
cyrus_stream_connect(postfix_master_t)
')
@@ -324,14 +224,6 @@ optional_policy(`
')
optional_policy(`
- mailman_manage_data_files(postfix_master_t)
-')
-
-optional_policy(`
- mysql_stream_connect(postfix_master_t)
-')
-
-optional_policy(`
postgrey_search_spool(postfix_master_t)
')
@@ -341,12 +233,14 @@ optional_policy(`
########################################
#
-# Bounce local policy
+# Postfix bounce local policy
#
allow postfix_bounce_t self:capability dac_read_search;
+allow postfix_bounce_t self:tcp_socket create_socket_perms;
-write_sock_files_pattern(postfix_bounce_t, postfix_public_t, postfix_public_t)
+allow postfix_bounce_t postfix_public_t:sock_file write;
+allow postfix_bounce_t postfix_public_t:dir search_dir_perms;
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
@@ -363,74 +257,89 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
########################################
#
-# Cleanup local policy
+# Postfix cleanup local policy
#
allow postfix_cleanup_t self:process setrlimit;
-
allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
-allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
-
-allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
-allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
-allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+# connect to master process
stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
+allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
+allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
+allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
+allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+
allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
corecmd_exec_bin(postfix_cleanup_t)
-corenet_sendrecv_kismet_client_packets(postfix_cleanup_t)
-corenet_tcp_connect_kismet_port(postfix_cleanup_t)
-corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t)
-
-mta_read_aliases(postfix_cleanup_t)
+# allow postfix to connect to sqlgrey
+corenet_tcp_connect_rtsclient_port(postfix_cleanup_t)
optional_policy(`
mailman_read_data_files(postfix_cleanup_t)
')
+optional_policy(`
+ milter_stream_connect_all(postfix_cleanup_t)
+')
+
########################################
#
-# Local local policy
+# Postfix local local policy
#
-allow postfix_local_t self:capability chown;
-allow postfix_local_t self:process setrlimit;
+allow postfix_local_t self:process { setsched setrlimit };
+# connect to master process
stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
+# for .forward - maybe we need a new type for it?
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
-
-allow postfix_local_t postfix_spool_t:file rw_file_perms;
+rw_files_pattern(postfix_local_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+allow postfix_local_t postfix_spool_t:file rw_file_perms;
+
+corecmd_exec_shell(postfix_local_t)
corecmd_exec_bin(postfix_local_t)
logging_dontaudit_search_logs(postfix_local_t)
mta_delete_spool(postfix_local_t)
-mta_read_aliases(postfix_local_t)
-mta_read_config(postfix_local_t)
+# Handle vacation script
mta_send_mail(postfix_local_t)
+userdom_read_user_home_content_files(postfix_local_t)
+userdom_exec_user_bin_files(postfix_local_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_exec_nfs_files(postfix_local_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_exec_cifs_files(postfix_local_t)
+')
+
tunable_policy(`postfix_local_write_mail_spool',`
mta_manage_spool(postfix_local_t)
')
optional_policy(`
- clamav_search_lib(postfix_local_t)
- clamav_exec_clamscan(postfix_local_t)
+ antivirus_search_db(postfix_local_t)
+ antivirus_exec(postfix_local_t)
+ antivirus_stream_connect(postfix_domain)
')
optional_policy(`
@@ -442,16 +351,25 @@ optional_policy(`
')
optional_policy(`
+# for postalias
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
mailman_read_log(postfix_local_t)
')
optional_policy(`
+ munin_search_lib(postfix_local_t)
+')
+
+optional_policy(`
nagios_search_spool(postfix_local_t)
')
optional_policy(`
+ openshift_search_lib(postfix_local_t)
+')
+
+optional_policy(`
procmail_domtrans(postfix_local_t)
')
@@ -466,15 +384,17 @@ optional_policy(`
########################################
#
-# Map local policy
+# Postfix map local policy
#
+allow postfix_map_t self:capability { dac_read_search setgid setuid };
+allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
+allow postfix_map_t self:unix_dgram_socket create_socket_perms;
+allow postfix_map_t self:tcp_socket create_stream_socket_perms;
+allow postfix_map_t self:udp_socket create_socket_perms;
-allow postfix_map_t self:capability { dac_override setgid setuid };
-allow postfix_map_t self:tcp_socket { accept listen };
-
-allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
-allow postfix_map_t postfix_etc_t:file manage_file_perms;
-allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms;
+manage_dirs_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
+manage_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
+manage_lnk_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
@@ -484,14 +404,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
-corenet_all_recvfrom_unlabeled(postfix_map_t)
corenet_all_recvfrom_netlabel(postfix_map_t)
corenet_tcp_sendrecv_generic_if(postfix_map_t)
+corenet_udp_sendrecv_generic_if(postfix_map_t)
corenet_tcp_sendrecv_generic_node(postfix_map_t)
-
-corenet_sendrecv_all_client_packets(postfix_map_t)
-corenet_tcp_connect_all_ports(postfix_map_t)
+corenet_udp_sendrecv_generic_node(postfix_map_t)
corenet_tcp_sendrecv_all_ports(postfix_map_t)
+corenet_udp_sendrecv_all_ports(postfix_map_t)
+corenet_tcp_connect_all_ports(postfix_map_t)
+corenet_sendrecv_all_client_packets(postfix_map_t)
corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t)
@@ -500,7 +421,6 @@ corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
files_list_home(postfix_map_t)
-files_read_usr_files(postfix_map_t)
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)
@@ -508,21 +428,24 @@ auth_use_nsswitch(postfix_map_t)
logging_send_syslog_msg(postfix_map_t)
-miscfiles_read_localization(postfix_map_t)
-
optional_policy(`
locallogin_dontaudit_use_fds(postfix_map_t)
')
optional_policy(`
+# for postalias
mailman_manage_data_files(postfix_map_t)
')
########################################
#
-# Pickup local policy
+# Postfix pickup local policy
#
+dontaudit postfix_pickup_t self:capability net_admin;
+
+allow postfix_pickup_t self:tcp_socket create_socket_perms;
+
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
@@ -532,21 +455,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
+postfix_list_spool(postfix_pickup_t)
+
allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-mcs_file_read_all(postfix_pickup_t)
-mcs_file_write_all(postfix_pickup_t)
-
########################################
#
-# Pipe local policy
+# Postfix pipe local policy
#
allow postfix_pipe_t self:process setrlimit;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
+write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
@@ -557,6 +480,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
corecmd_exec_bin(postfix_pipe_t)
optional_policy(`
+ cyrus_stream_connect(postfix_pipe_t)
+')
+
+optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
@@ -584,19 +511,28 @@ optional_policy(`
########################################
#
-# Postdrop local policy
+# Postfix postdrop local policy
#
+# usually it does not need a UDP socket
allow postfix_postdrop_t self:capability sys_resource;
+allow postfix_postdrop_t self:tcp_socket create;
+allow postfix_postdrop_t self:udp_socket create_socket_perms;
+
+# Might be a leak, but I need a postfix expert to explain
+allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+allow postfix_postdrop_t postfix_master_t:unix_stream_socket connectto;
rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
+rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
-manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+rw_fifo_files_pattern(postfix_postdrop_t, postfix_master_t, postfix_master_t)
-allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+postfix_list_spool(postfix_postdrop_t)
+manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-mcs_file_read_all(postfix_postdrop_t)
-mcs_file_write_all(postfix_postdrop_t)
+corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
+corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
term_dontaudit_use_all_ptys(postfix_postdrop_t)
term_dontaudit_use_all_ttys(postfix_postdrop_t)
@@ -611,10 +547,7 @@ optional_policy(`
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
-optional_policy(`
- fail2ban_dontaudit_use_fds(postfix_postdrop_t)
-')
-
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951
optional_policy(`
fstools_read_pipes(postfix_postdrop_t)
')
@@ -629,17 +562,24 @@ optional_policy(`
#######################################
#
-# Postqueue local policy
+# Postfix postqueue local policy
#
+allow postfix_postqueue_t self:capability2 block_suspend;
+allow postfix_postqueue_t self:tcp_socket create;
+allow postfix_postqueue_t self:udp_socket { create ioctl };
+
+# wants to write to /var/spool/postfix/public/showq
stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t)
+# write to /var/spool/postfix/public/qmgr
write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t)
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
-term_use_all_ptys(postfix_postqueue_t)
-term_use_all_ttys(postfix_postqueue_t)
+# to write the mailq output, it really should not need read access!
+term_use_all_inherited_ptys(postfix_postqueue_t)
+term_use_all_inherited_ttys(postfix_postqueue_t)
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
@@ -655,69 +595,84 @@ optional_policy(`
########################################
#
-# Qmgr local policy
+# Postfix qmgr local policy
#
-allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
-allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
+dontaudit postfix_qmgr_t self:capability { net_admin };
stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
-
+# for /var/spool/postfix/active
manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
+allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
+allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+
corecmd_exec_bin(postfix_qmgr_t)
########################################
#
-# Showq local policy
+# Postfix showq local policy
#
allow postfix_showq_t self:capability { setuid setgid };
+allow postfix_showq_t self:tcp_socket create_socket_perms;
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
+allow postfix_showq_t postfix_spool_t:file read_file_perms;
+
+postfix_list_spool(postfix_showq_t)
+
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
-allow postfix_showq_t postfix_spool_t:file read_file_perms;
-
-mcs_file_read_all(postfix_showq_t)
-
+# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
term_use_all_ttys(postfix_showq_t)
+optional_policy(`
+ logwatch_dontaudit_leaks(postfix_showq_t)
+')
+
########################################
#
-# Smtp delivery local policy
+# Postfix smtp delivery local policy
#
+# connect to master process
allow postfix_smtp_t self:capability sys_chroot;
-
stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
-allow postfix_smtp_t { postfix_prng_t postfix_spool_t }:file rw_file_perms;
+allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+
+allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
corenet_tcp_bind_generic_node(postfix_smtp_t)
+# for spampd
+corenet_tcp_connect_spamd_port(postfix_master_t)
+
+files_search_all_mountpoints(postfix_smtp_t)
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
')
optional_policy(`
- dovecot_stream_connect(postfix_smtp_t)
+ dovecot_stream_connect(postfix_smtp_t)
')
optional_policy(`
@@ -730,28 +685,32 @@ optional_policy(`
########################################
#
-# Smtpd local policy
+# Postfix smtpd local policy
#
-
allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
+# connect to master process
stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+# Connect to policy server
+corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
+
+# for prng_exch
manage_dirs_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
-corenet_sendrecv_postfix_policyd_client_packets(postfix_smtpd_t)
-corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
-corenet_tcp_sendrecv_postfix_policyd_port(postfix_smtpd_t)
-
corecmd_exec_bin(postfix_smtpd_t)
+# for OpenSSL certificates
+
+# postfix checks the size of all mounted file systems
fs_getattr_all_dirs(postfix_smtpd_t)
-fs_getattr_all_fs(postfix_smtpd_t)
-mta_read_aliases(postfix_smtpd_t)
+optional_policy(`
+ antivirus_stream_connect(postfix_smtpd_t)
+')
optional_policy(`
dovecot_stream_connect_auth(postfix_smtpd_t)
@@ -764,6 +723,7 @@ optional_policy(`
optional_policy(`
milter_stream_connect_all(postfix_smtpd_t)
+ spamassassin_read_pid_files(postfix_smtpd_t)
')
optional_policy(`
@@ -774,31 +734,102 @@ optional_policy(`
sasl_connect(postfix_smtpd_t)
')
-optional_policy(`
- spamassassin_read_spamd_pid_files(postfix_smtpd_t)
- spamassassin_stream_connect_spamd(postfix_smtpd_t)
-')
-
########################################
#
-# Virtual local policy
+# Postfix virtual local policy
#
-allow postfix_virtual_t self:process setrlimit;
+allow postfix_virtual_t self:process { setsched setrlimit };
-allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
+manage_files_pattern(postfix_virtual_t, postfix_spool_t, postfix_spool_t)
+# connect to master process
stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+corecmd_exec_shell(postfix_virtual_t)
corecmd_exec_bin(postfix_virtual_t)
-mta_read_aliases(postfix_virtual_t)
mta_delete_spool(postfix_virtual_t)
-mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
userdom_manage_user_home_dirs(postfix_virtual_t)
-userdom_manage_user_home_content_dirs(postfix_virtual_t)
-userdom_manage_user_home_content_files(postfix_virtual_t)
-userdom_home_filetrans_user_home_dir(postfix_virtual_t)
-userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir })
+userdom_manage_user_home_content(postfix_virtual_t)
+userdom_filetrans_home_content(postfix_virtual_t)
+
+########################################
+#
+# postfix_domain common policy
+#
+allow postfix_domain self:capability { sys_nice sys_chroot };
+dontaudit postfix_domain self:capability sys_tty_config;
+allow postfix_domain self:process { signal_perms setpgid setsched };
+allow postfix_domain self:unix_dgram_socket create_socket_perms;
+allow postfix_domain self:unix_stream_socket create_stream_socket_perms;
+allow postfix_domain self:unix_stream_socket connectto;
+allow postfix_domain self:fifo_file rw_fifo_file_perms;
+
+allow postfix_master_t postfix_domain:fifo_file { read write };
+allow postfix_master_t postfix_domain:process signal;
+#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
+allow postfix_domain postfix_master_t:file read;
+allow postfix_domain postfix_etc_t:dir list_dir_perms;
+read_files_pattern(postfix_domain, postfix_etc_t, postfix_etc_t)
+read_lnk_files_pattern(postfix_domain, postfix_etc_t, postfix_etc_t)
+
+allow postfix_domain postfix_exec_t:file { mmap_file_perms lock };
+
+allow postfix_domain postfix_master_t:process sigchld;
+
+allow postfix_domain postfix_spool_t:dir list_dir_perms;
+
+manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)
+files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
+
+kernel_read_network_state(postfix_domain)
+kernel_read_all_sysctls(postfix_domain)
+kernel_dontaudit_request_load_module(postfix_domain)
+
+dev_read_sysfs(postfix_domain)
+dev_read_rand(postfix_domain)
+dev_read_urand(postfix_domain)
+
+fs_search_auto_mountpoints(postfix_domain)
+fs_getattr_all_fs(postfix_domain)
+fs_rw_anon_inodefs_files(postfix_domain)
+
+term_dontaudit_use_console(postfix_domain)
+
+corecmd_exec_shell(postfix_domain)
+corecmd_getattr_all_executables(postfix_domain)
+
+files_read_etc_runtime_files(postfix_domain)
+files_read_usr_symlinks(postfix_domain)
+files_search_spool(postfix_domain)
+files_list_tmp(postfix_domain)
+files_search_all_mountpoints(postfix_domain)
+
+init_dontaudit_use_fds(postfix_domain)
+init_sigchld(postfix_domain)
+init_dontaudit_rw_stream_socket(postfix_domain)
+
+# For reading spamassasin
+mta_read_config(postfix_domain)
+mta_read_aliases(postfix_domain)
+
+miscfiles_read_generic_certs(postfix_domain)
+
+userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
+
+optional_policy(`
+ mysql_stream_connect(postfix_domain)
+ mysql_rw_db_sockets(postfix_domain)
+')
+
+optional_policy(`
+ spamd_stream_connect(postfix_domain)
+ spamassassin_domtrans_client(postfix_domain)
+')
+
+optional_policy(`
+ udev_read_db(postfix_domain)
+')
diff --git a/postfixpolicyd.if b/postfixpolicyd.if
index 5de817368..985b877ab 100644
--- a/postfixpolicyd.if
+++ b/postfixpolicyd.if
@@ -23,8 +23,11 @@ interface(`postfixpolicyd_admin',`
type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
')
- allow $1 postfix_policyd_t:process { ptrace signal_perms };
+ allow $1 postfix_policyd_t:process signal_perms;
ps_process_pattern($1, postfix_policyd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 postfix_policyd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/postfixpolicyd.te b/postfixpolicyd.te
index ea1582a3a..0c1a05983 100644
--- a/postfixpolicyd.te
+++ b/postfixpolicyd.te
@@ -34,7 +34,6 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
-corenet_all_recvfrom_unlabeled(postfix_policyd_t)
corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
corenet_tcp_bind_generic_node(postfix_policyd_t)
@@ -47,11 +46,7 @@ corenet_sendrecv_mysqld_server_packets(postfix_policyd_t)
corenet_tcp_bind_mysqld_port(postfix_policyd_t)
corenet_tcp_sendrecv_mysqld_port(postfix_policyd_t)
-files_read_etc_files(postfix_policyd_t)
-files_read_usr_files(postfix_policyd_t)
logging_send_syslog_msg(postfix_policyd_t)
-miscfiles_read_localization(postfix_policyd_t)
-
sysnet_dns_name_resolve(postfix_policyd_t)
diff --git a/postgrey.if b/postgrey.if
index b9e71b537..a7502cd0e 100644
--- a/postgrey.if
+++ b/postgrey.if
@@ -16,9 +16,9 @@ interface(`postgrey_stream_connect',`
type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
')
+ stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
files_search_pids($1)
files_search_spool($1)
- stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
')
########################################
@@ -59,14 +59,17 @@ interface(`postgrey_search_spool',`
#
interface(`postgrey_admin',`
gen_require(`
- type postgrey_t, postgrey_etc_t, postgrey_spool_t;
- type postgrey_var_lib_t, postgrey_var_run_t;
- type postgrey_initrc_exec_t;
+ type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t;
+ type postgrey_spool_t, postgrey_var_lib_t, postgrey_var_run_t;
')
- allow $1 postgrey_t:process { ptrace signal_perms };
+ allow $1 postgrey_t:process signal_perms;
ps_process_pattern($1, postgrey_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 postgrey_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 postgrey_initrc_exec_t system_r;
diff --git a/postgrey.te b/postgrey.te
index fd58805e5..593a05367 100644
--- a/postgrey.te
+++ b/postgrey.te
@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
init_script_file(postgrey_initrc_exec_t)
type postgrey_spool_t;
-files_type(postgrey_spool_t)
+files_spool_file(postgrey_spool_t)
type postgrey_var_lib_t;
files_type(postgrey_var_lib_t)
@@ -29,7 +29,7 @@ files_pid_file(postgrey_var_run_t)
# Local policy
#
-allow postgrey_t self:capability { chown dac_override setgid setuid };
+allow postgrey_t self:capability { chown dac_read_search setgid setuid };
dontaudit postgrey_t self:capability sys_tty_config;
allow postgrey_t self:process signal_perms;
allow postgrey_t self:fifo_file create_fifo_file_perms;
@@ -55,9 +55,10 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file })
kernel_read_system_state(postgrey_t)
kernel_read_kernel_sysctls(postgrey_t)
-corecmd_search_bin(postgrey_t)
+auth_use_nsswitch(postgrey_t)
+
+corecmd_exec_bin(postgrey_t)
-corenet_all_recvfrom_unlabeled(postgrey_t)
corenet_all_recvfrom_netlabel(postgrey_t)
corenet_tcp_sendrecv_generic_if(postgrey_t)
corenet_tcp_sendrecv_generic_node(postgrey_t)
@@ -72,17 +73,15 @@ dev_read_sysfs(postgrey_t)
domain_use_interactive_fds(postgrey_t)
-files_read_etc_files(postgrey_t)
files_read_etc_runtime_files(postgrey_t)
-files_read_usr_files(postgrey_t)
files_getattr_tmp_dirs(postgrey_t)
fs_getattr_all_fs(postgrey_t)
fs_search_auto_mountpoints(postgrey_t)
-logging_send_syslog_msg(postgrey_t)
+auth_read_passwd(postgrey_t)
-miscfiles_read_localization(postgrey_t)
+logging_send_syslog_msg(postgrey_t)
sysnet_read_config(postgrey_t)
diff --git a/ppp.fc b/ppp.fc
index efcb6532d..ff2c96adb 100644
--- a/ppp.fc
+++ b/ppp.fc
@@ -1,30 +1,45 @@
-HOME_DIR/\.ppprc -- gen_context(system_u:object_r:ppp_home_t,s0)
+#
+# /etc
+#
+/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
+/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0)
+/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+# Fix /etc/ppp {up,down} family scripts (see man pppd)
+/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
-/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
-/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
-/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
-/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0)
-/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
-/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+/usr/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
-/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)
-/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
-/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
-/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
-/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
-/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
+#
+# /sbin
+#
+/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
-/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0)
-
-/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
-/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
-/var/log/pptp.* -- gen_context(system_u:object_r:pptp_log_t,s0)
+#
+# /usr
+#
+/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
+#
+# /var
+#
/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)
/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
-/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
-/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
+/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
+# Fix pptp sockets
+/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
+
+/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0)
+
+/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0)
diff --git a/ppp.if b/ppp.if
index cd8b8b9cb..2cfa88a2d 100644
--- a/ppp.if
+++ b/ppp.if
@@ -1,110 +1,91 @@
-## <summary>Point to Point Protocol daemon creates links in ppp networks.</summary>
+## <summary>Point to Point Protocol daemon creates links in ppp networks</summary>
-########################################
+#######################################
## <summary>
-## Role access for ppp.
+## Create, read, write, and delete
+## ppp home files.
## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
## <param name="domain">
-## <summary>
-## User domain for the role.
-## </summary>
-## </param>
-#
-interface(`ppp_role',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## ppp home files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`ppp_manage_home_files',`
- gen_require(`
- type ppp_home_t;
- ')
+ gen_require(`
+ type ppp_home_t;
+ ')
- userdom_search_user_home_dirs($1)
- allow $1 ppp_home_t:file manage_file_perms;
+ userdom_search_user_home_dirs($1)
+ allow $1 ppp_home_t:file manage_file_perms;
')
-########################################
+#######################################
## <summary>
-## Read ppp user home content files.
+## Read ppp user home content files.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`ppp_read_home_files',`
- gen_require(`
- type ppp_home_t;
+ gen_require(`
+ type ppp_home_t;
- ')
+ ')
- userdom_search_user_home_dirs($1)
- allow $1 ppp_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+ allow $1 ppp_home_t:file read_file_perms;
')
-########################################
+#######################################
## <summary>
-## Relabel ppp home files.
+## Relabel ppp home files.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`ppp_relabel_home_files',`
- gen_require(`
- type ppp_home_t;
- ')
+ gen_require(`
+ type ppp_home_t;
+ ')
- userdom_search_user_home_dirs($1)
- allow $1 ppp_home_t:file relabel_file_perms;
+ userdom_search_user_home_dirs($1)
+ allow $1 ppp_home_t:file relabel_file_perms;
')
-########################################
+#######################################
## <summary>
-## Create objects in user home
-## directories with the ppp home type.
+## Create objects in user home
+## directories with the ppp home type.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
+## <summary>
+## Class of the object being created.
+## </summary>
## </param>
## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
+## <summary>
+## The name of the object being created.
+## </summary>
## </param>
#
interface(`ppp_home_filetrans_ppp_home',`
- gen_require(`
- type ppp_home_t;
- ')
+ gen_require(`
+ type ppp_home_t;
+ ')
- userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3)
+ userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3)
')
########################################
@@ -128,7 +109,7 @@ interface(`ppp_use_fds',`
########################################
## <summary>
## Do not audit attempts to inherit
-## and use ppp file discriptors.
+## and use PPP file discriptors.
## </summary>
## <param name="domain">
## <summary>
@@ -146,7 +127,7 @@ interface(`ppp_dontaudit_use_fds',`
########################################
## <summary>
-## Send child terminated signals to ppp.
+## Send a SIGCHLD signal to PPP.
## </summary>
## <param name="domain">
## <summary>
@@ -165,7 +146,7 @@ interface(`ppp_sigchld',`
########################################
## <summary>
-## Send kill signals to ppp.
+## Send ppp a kill signal
## </summary>
## <param name="domain">
## <summary>
@@ -173,7 +154,6 @@ interface(`ppp_sigchld',`
## </summary>
## </param>
#
-#
interface(`ppp_kill',`
gen_require(`
type pppd_t;
@@ -184,7 +164,7 @@ interface(`ppp_kill',`
########################################
## <summary>
-## Send generic signals to ppp.
+## Send a generic signal to PPP.
## </summary>
## <param name="domain">
## <summary>
@@ -202,7 +182,7 @@ interface(`ppp_signal',`
########################################
## <summary>
-## Send null signals to ppp.
+## Send a generic signull to PPP.
## </summary>
## <param name="domain">
## <summary>
@@ -220,7 +200,7 @@ interface(`ppp_signull',`
########################################
## <summary>
-## Execute pppd in the pppd domain.
+## Execute domain in the ppp domain.
## </summary>
## <param name="domain">
## <summary>
@@ -239,8 +219,7 @@ interface(`ppp_domtrans',`
########################################
## <summary>
-## Conditionally execute pppd on
-## behalf of a user or staff type.
+## Conditionally execute ppp daemon on behalf of a user or staff type.
## </summary>
## <param name="domain">
## <summary>
@@ -249,7 +228,7 @@ interface(`ppp_domtrans',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to allow the ppp domain.
## </summary>
## </param>
## <rolecap/>
@@ -268,8 +247,7 @@ interface(`ppp_run_cond',`
########################################
## <summary>
-## Unconditionally execute ppp daemon
-## on behalf of a user or staff type.
+## Unconditionally execute ppp daemon on behalf of a user or staff type.
## </summary>
## <param name="domain">
## <summary>
@@ -278,7 +256,7 @@ interface(`ppp_run_cond',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to allow the ppp domain.
## </summary>
## </param>
## <rolecap/>
@@ -294,7 +272,7 @@ interface(`ppp_run',`
########################################
## <summary>
-## Execute domain in the caller domain.
+## Execute domain in the ppp caller.
## </summary>
## <param name="domain">
## <summary>
@@ -326,13 +304,13 @@ interface(`ppp_read_config',`
type pppd_etc_t;
')
- files_search_etc($1)
read_files_pattern($1, pppd_etc_t, pppd_etc_t)
+ files_search_etc($1)
')
########################################
## <summary>
-## Read ppp writable configuration content.
+## Read PPP-writable configuration files.
## </summary>
## <param name="domain">
## <summary>
@@ -345,15 +323,14 @@ interface(`ppp_read_rw_config',`
type pppd_etc_t, pppd_etc_rw_t;
')
- files_search_etc($1)
- allow $1 { pppd_etc_t pppd_etc_rw_t }:dir list_dir_perms;
+ allow $1 pppd_etc_t:dir list_dir_perms;
allow $1 pppd_etc_rw_t:file read_file_perms;
- allow $1 { pppd_etc_t pppd_etc_rw_t }:lnk_file read_lnk_file_perms;
+ files_search_etc($1)
')
########################################
## <summary>
-## Read ppp secret files.
+## Read PPP secrets.
## </summary>
## <param name="domain">
## <summary>
@@ -366,15 +343,14 @@ interface(`ppp_read_secrets',`
type pppd_etc_t, pppd_secret_t;
')
- files_search_etc($1)
allow $1 pppd_etc_t:dir list_dir_perms;
allow $1 pppd_secret_t:file read_file_perms;
- allow $1 pppd_etc_t:lnk_file read_lnk_file_perms;
+ files_search_etc($1)
')
########################################
## <summary>
-## Read ppp pid files.
+## Read PPP pid files.
## </summary>
## <param name="domain">
## <summary>
@@ -388,13 +364,12 @@ interface(`ppp_read_pid_files',`
')
files_search_pids($1)
- allow $1 pppd_var_run_t:file read_file_perms;
+ read_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## ppp pid files.
+## Create, read, write, and delete PPP pid files.
## </summary>
## <param name="domain">
## <summary>
@@ -408,42 +383,30 @@ interface(`ppp_manage_pid_files',`
')
files_search_pids($1)
- allow $1 pppd_var_run_t:file manage_file_perms;
+ manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
')
########################################
## <summary>
-## Create specified pppd pid objects
-## with a type transition.
+## Create, read, write, and delete PPP pid files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
#
interface(`ppp_pid_filetrans',`
gen_require(`
type pppd_var_run_t;
')
- files_pid_filetrans($1, pppd_var_run_t, $2, $3)
+ files_pid_filetrans($1, pppd_var_run_t, file)
')
########################################
## <summary>
-## Execute pppd init script in
-## the initrc domain.
+## Execute ppp server in the ntpd domain.
## </summary>
## <param name="domain">
## <summary>
@@ -461,31 +424,63 @@ interface(`ppp_initrc_domtrans',`
########################################
## <summary>
-## All of the rules required to
-## administrate an ppp environment.
+## Execute pppd server in the pppd domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
## </summary>
## </param>
-## <param name="role">
+#
+interface(`ppp_systemctl',`
+ gen_require(`
+ type pppd_unit_file_t;
+ type pppd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 pppd_unit_file_t:file read_file_perms;
+ allow $1 pppd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, pppd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ppp environment
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
## <rolecap/>
#
interface(`ppp_admin',`
gen_require(`
type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
- type pppd_etc_t, pppd_secret_t, pppd_etc_rw_t;
- type pppd_var_run_t, pppd_initrc_exec_t;
+ type pppd_etc_t, pppd_secret_t, pppd_var_run_t;
type pptp_t, pptp_log_t, pptp_var_run_t;
+ type pppd_initrc_exec_t, pppd_etc_rw_t;
+ type pppd_unit_file_t;
+ ')
+
+ allow $1 pppd_t:process signal_perms;
+ ps_process_pattern($1, pppd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 pppd_t:process ptrace;
+ allow $1 pptp_t:process ptrace;
')
- allow $1 { pptp_t pppd_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { pptp_t pppd_t })
+ allow $1 pptp_t:process signal_perms;
+ ps_process_pattern($1, pptp_t)
ppp_initrc_domtrans($1)
domain_system_change_exemption($1)
@@ -496,14 +491,26 @@ interface(`ppp_admin',`
admin_pattern($1, pppd_tmp_t)
logging_list_logs($1)
- admin_pattern($1, { pptp_log_t pppd_log_t })
+ admin_pattern($1, pppd_log_t)
files_list_locks($1)
admin_pattern($1, pppd_lock_t)
files_list_etc($1)
- admin_pattern($1, { pppd_etc_rw_t pppd_secret_t pppd_etc_t })
+ admin_pattern($1, pppd_etc_t)
+
+ admin_pattern($1, pppd_etc_rw_t)
+
+ admin_pattern($1, pppd_secret_t)
files_list_pids($1)
- admin_pattern($1, { pptp_var_run_t pppd_var_run_t })
+ admin_pattern($1, pppd_var_run_t)
+
+ admin_pattern($1, pptp_log_t)
+
+ admin_pattern($1, pptp_var_run_t)
+
+ ppp_systemctl($1)
+ admin_pattern($1, pppd_unit_file_t)
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
index d616ca3e3..25b69407a 100644
--- a/ppp.te
+++ b/ppp.te
@@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0)
#
## <desc>
-## <p>
-## Determine whether pppd can
-## load kernel modules.
-## </p>
+## <p>
+## Allow pppd to load kernel modules for certain modems
+## </p>
## </desc>
gen_tunable(pppd_can_insmod, false)
## <desc>
-## <p>
-## Determine whether common users can
-## run pppd with a domain transition.
-## </p>
+## <p>
+## Allow pppd to be run for a regular user
+## </p>
## </desc>
gen_tunable(pppd_for_user, false)
attribute_role pppd_roles;
-attribute_role pptp_roles;
+# pppd_t is the domain for the pppd program.
+# pppd_exec_t is the type of the pppd executable.
type pppd_t;
type pppd_exec_t;
init_daemon_domain(pppd_t, pppd_exec_t)
role pppd_roles types pppd_t;
+role system_r types pppd_t;
type pppd_devpts_t;
term_pty(pppd_devpts_t)
+# Define a separate type for /etc/ppp
type pppd_etc_t;
files_config_file(pppd_etc_t)
+# Define a separate type for writable files under /etc/ppp
type pppd_etc_rw_t;
files_type(pppd_etc_rw_t)
type pppd_initrc_exec_t alias pppd_script_exec_t;
init_script_file(pppd_initrc_exec_t)
+type pppd_unit_file_t;
+systemd_unit_file(pppd_unit_file_t)
+
+# pppd_secret_t is the type of the pap and chap password files
type pppd_secret_t;
files_type(pppd_secret_t)
@@ -59,7 +65,8 @@ files_pid_file(pppd_var_run_t)
type pptp_t;
type pptp_exec_t;
init_daemon_domain(pptp_t, pptp_exec_t)
-role pptp_roles types pptp_t;
+#role pppd_roles types pptp_t;
+role system_r types pptp_t;
type pptp_log_t;
logging_log_file(pptp_log_t)
@@ -67,54 +74,60 @@ logging_log_file(pptp_log_t)
type pptp_var_run_t;
files_pid_file(pptp_var_run_t)
-type ppp_home_t;
-userdom_user_home_content(ppp_home_t)
-
########################################
#
-# PPPD local policy
+# PPPD Local policy
#
-allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
+allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_read_search sys_nice sys_chroot };
dontaudit pppd_t self:capability sys_tty_config;
-allow pppd_t self:process { getsched setsched signal };
+dontaudit pppd_t self:capability2 block_suspend;
+allow pppd_t self:process { getsched setsched signal_perms };
allow pppd_t self:fifo_file rw_fifo_file_perms;
allow pppd_t self:socket create_socket_perms;
-allow pppd_t self:netlink_route_socket nlmsg_write;
-allow pppd_t self:tcp_socket { accept listen };
+allow pppd_t self:unix_dgram_socket create_socket_perms;
+allow pppd_t self:unix_stream_socket { connectto create_socket_perms };
+allow pppd_t self:netlink_route_socket rw_netlink_socket_perms;
+allow pppd_t self:tcp_socket create_stream_socket_perms;
+allow pppd_t self:udp_socket { connect connected_socket_perms };
allow pppd_t self:packet_socket create_socket_perms;
+domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
+
allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
allow pppd_t pppd_etc_t:dir rw_dir_perms;
-allow pppd_t { pppd_etc_t ppp_home_t }:file read_file_perms;
+allow pppd_t pppd_etc_t:file read_file_perms;
allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms;
manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
+# Automatically label newly created files under /etc/ppp with this type
filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
-allow pppd_t pppd_lock_t:file manage_file_perms;
-files_lock_filetrans(pppd_t, pppd_lock_t, file)
+manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t)
+files_search_locks(pppd_t)
-allow pppd_t pppd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t)
logging_log_filetrans(pppd_t, pppd_log_t, file)
manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
-files_tmp_filetrans(pppd_t, pppd_tmp_t, { dir file})
+files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
-files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file })
-
-can_exec(pppd_t, pppd_exec_t)
-
-domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
+manage_sock_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
+files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file sock_file })
+allow pppd_t pppd_var_run_t:file map;
allow pppd_t pptp_t:process signal;
+# for SSP
+# Access secret files
allow pppd_t pppd_secret_t:file read_file_perms;
+ppp_initrc_domtrans(pppd_t)
+
kernel_read_kernel_sysctls(pppd_t)
kernel_read_system_state(pppd_t)
kernel_rw_net_sysctls(pppd_t)
@@ -122,10 +135,10 @@ kernel_read_network_state(pppd_t)
kernel_request_load_module(pppd_t)
dev_read_urand(pppd_t)
+dev_search_sysfs(pppd_t)
dev_read_sysfs(pppd_t)
dev_rw_modem(pppd_t)
-corenet_all_recvfrom_unlabeled(pppd_t)
corenet_all_recvfrom_netlabel(pppd_t)
corenet_tcp_sendrecv_generic_if(pppd_t)
corenet_raw_sendrecv_generic_if(pppd_t)
@@ -135,9 +148,22 @@ corenet_raw_sendrecv_generic_node(pppd_t)
corenet_udp_sendrecv_generic_node(pppd_t)
corenet_tcp_sendrecv_all_ports(pppd_t)
corenet_udp_sendrecv_all_ports(pppd_t)
-
+corenet_tcp_connect_http_port(pppd_t)
+# Access /dev/ppp.
corenet_rw_ppp_dev(pppd_t)
+fs_getattr_all_fs(pppd_t)
+fs_search_auto_mountpoints(pppd_t)
+
+term_use_unallocated_ttys(pppd_t)
+term_use_usb_ttys(pppd_t)
+term_setattr_unallocated_ttys(pppd_t)
+term_ioctl_generic_ptys(pppd_t)
+# for pppoe
+term_create_pty(pppd_t, pppd_devpts_t)
+term_use_generic_ptys(pppd_t)
+
+# allow running ip-up and ip-down scripts and running chat.
corecmd_exec_bin(pppd_t)
corecmd_exec_shell(pppd_t)
@@ -147,36 +173,31 @@ files_exec_etc_files(pppd_t)
files_manage_etc_runtime_files(pppd_t)
files_dontaudit_write_etc_files(pppd_t)
-fs_getattr_all_fs(pppd_t)
-fs_search_auto_mountpoints(pppd_t)
-
-term_use_unallocated_ttys(pppd_t)
-term_setattr_unallocated_ttys(pppd_t)
-term_ioctl_generic_ptys(pppd_t)
-term_create_pty(pppd_t, pppd_devpts_t)
-term_use_generic_ptys(pppd_t)
+# for scripts
-init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t)
init_read_utmp(pppd_t)
-init_signal_script(pppd_t)
init_dontaudit_write_utmp(pppd_t)
+init_signal_script(pppd_t)
-auth_run_chk_passwd(pppd_t, pppd_roles)
auth_use_nsswitch(pppd_t)
+auth_domtrans_chk_passwd(pppd_t)
+#auth_run_chk_passwd(pppd_t,pppd_roles)
auth_write_login_records(pppd_t)
logging_send_syslog_msg(pppd_t)
logging_send_audit_msgs(pppd_t)
-miscfiles_read_localization(pppd_t)
-
sysnet_exec_ifconfig(pppd_t)
sysnet_manage_config(pppd_t)
sysnet_etc_filetrans_config(pppd_t)
+sysnet_filetrans_config_fromdir(pppd_t, pppd_var_run_t, file, "resolv.conf")
-userdom_use_user_terminals(pppd_t)
+userdom_use_inherited_user_terminals(pppd_t)
userdom_dontaudit_use_unpriv_user_fds(pppd_t)
userdom_search_user_home_dirs(pppd_t)
+userdom_search_admin_dir(pppd_t)
+
+ppp_exec(pppd_t)
optional_policy(`
ddclient_run(pppd_t, pppd_roles)
@@ -186,11 +207,13 @@ optional_policy(`
l2tpd_dgram_send(pppd_t)
l2tpd_rw_socket(pppd_t)
l2tpd_stream_connect(pppd_t)
+ l2tpd_read_pid_files(pppd_t)
+ l2tpd_dbus_chat(pppd_t)
')
optional_policy(`
tunable_policy(`pppd_can_insmod',`
- modutils_domtrans_insmod(pppd_t)
+ modutils_domtrans_insmod_uncond(pppd_t)
')
')
@@ -216,18 +239,26 @@ optional_policy(`
udev_read_db(pppd_t)
')
+optional_policy(`
+ openfortivpn_dbus_chat(pppd_t)
+ openfortivpn_use_ptys(pppd_t)
+')
+
########################################
#
-# PPTP local policy
+# PPTP Local policy
#
-allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin };
+allow pptp_t self:capability { dac_read_search net_raw net_admin };
dontaudit pptp_t self:capability sys_tty_config;
allow pptp_t self:process signal;
allow pptp_t self:fifo_file rw_fifo_file_perms;
-allow pptp_t self:unix_stream_socket { accept connectto listen };
+allow pptp_t self:unix_dgram_socket create_socket_perms;
+allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow pptp_t self:rawip_socket create_socket_perms;
-allow pptp_t self:netlink_route_socket nlmsg_write;
+allow pptp_t self:tcp_socket create_socket_perms;
+allow pptp_t self:udp_socket create_socket_perms;
+allow pptp_t self:netlink_route_socket rw_netlink_socket_perms;
allow pptp_t pppd_etc_t:dir list_dir_perms;
allow pptp_t pppd_etc_t:file read_file_perms;
@@ -236,45 +267,46 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
allow pptp_t pppd_etc_rw_t:file read_file_perms;
allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
+can_exec(pptp_t, pppd_etc_rw_t)
+# Allow pptp to append to pppd log files
allow pptp_t pppd_log_t:file append_file_perms;
-allow pptp_t pptp_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow pptp_t pptp_log_t:file manage_file_perms;
logging_log_filetrans(pptp_t, pptp_log_t, file)
+manage_dirs_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
-files_pid_filetrans(pptp_t, pptp_var_run_t, file)
-
-can_exec(pptp_t, pppd_etc_rw_t)
+files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir })
+kernel_list_proc(pptp_t)
kernel_read_kernel_sysctls(pptp_t)
kernel_read_network_state(pptp_t)
+kernel_read_proc_symlinks(pptp_t)
kernel_read_system_state(pptp_t)
kernel_signal(pptp_t)
+dev_read_sysfs(pptp_t)
+dev_read_rand(pptp_t)
+dev_read_urand(pptp_t)
+dev_read_rand(pptp_t)
+
corecmd_exec_shell(pptp_t)
corecmd_read_bin_symlinks(pptp_t)
-corenet_all_recvfrom_unlabeled(pptp_t)
corenet_all_recvfrom_netlabel(pptp_t)
corenet_tcp_sendrecv_generic_if(pptp_t)
corenet_raw_sendrecv_generic_if(pptp_t)
corenet_tcp_sendrecv_generic_node(pptp_t)
corenet_raw_sendrecv_generic_node(pptp_t)
corenet_tcp_sendrecv_all_ports(pptp_t)
-
-corenet_tcp_connect_all_reserved_ports(pptp_t)
+corenet_tcp_bind_generic_node(pptp_t)
corenet_tcp_connect_generic_port(pptp_t)
+corenet_tcp_connect_all_reserved_ports(pptp_t)
corenet_sendrecv_generic_client_packets(pptp_t)
-
-corenet_sendrecv_pptp_client_packets(pptp_t)
corenet_tcp_connect_pptp_port(pptp_t)
-dev_read_sysfs(pptp_t)
-
-domain_use_interactive_fds(pptp_t)
-
fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)
@@ -282,12 +314,12 @@ term_ioctl_generic_ptys(pptp_t)
term_search_ptys(pptp_t)
term_use_ptmx(pptp_t)
+domain_use_interactive_fds(pptp_t)
+
auth_use_nsswitch(pptp_t)
logging_send_syslog_msg(pptp_t)
-miscfiles_read_localization(pptp_t)
-
sysnet_exec_ifconfig(pptp_t)
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
@@ -299,6 +331,10 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_search_config(pppd_t)
+')
+
+optional_policy(`
dbus_system_domain(pppd_t, pppd_exec_t)
optional_policy(`
diff --git a/prelink.fc b/prelink.fc
index a90d6231f..62af9a4a0 100644
--- a/prelink.fc
+++ b/prelink.fc
@@ -1,11 +1,11 @@
/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0)
-/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
+/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
-/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0)
-/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
+/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0)
+/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
-/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
-/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0)
+/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
+/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0)
diff --git a/prelink.if b/prelink.if
index 20d469793..e6605c100 100644
--- a/prelink.if
+++ b/prelink.if
@@ -2,7 +2,7 @@
########################################
## <summary>
-## Execute prelink in the prelink domain.
+## Execute the prelink program in the prelink domain.
## </summary>
## <param name="domain">
## <summary>
@@ -18,15 +18,15 @@ interface(`prelink_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, prelink_exec_t, prelink_t)
- ifdef(`hide_broken_symptoms',`
+ ifdef(`hide_broken_symptoms', `
dontaudit prelink_t $1:socket_class_set { read write };
- dontaudit prelink_t $1:fifo_file setattr_fifo_file_perms;
+ dontaudit prelink_t $1:fifo_file setattr;
')
')
########################################
## <summary>
-## Execute prelink in the caller domain.
+## Execute the prelink program in the current domain.
## </summary>
## <param name="domain">
## <summary>
@@ -45,9 +45,7 @@ interface(`prelink_exec',`
########################################
## <summary>
-## Execute prelink in the prelink
-## domain, and allow the specified role
-## the prelink domain.
+## Execute the prelink program in the prelink domain.
## </summary>
## <param name="domain">
## <summary>
@@ -56,18 +54,18 @@ interface(`prelink_exec',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to allow the prelink domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`prelink_run',`
gen_require(`
- attribute_role prelink_roles;
+ type prelink_t;
')
prelink_domtrans($1)
- roleattribute $2 prelink_roles;
+ role $2 types prelink_t;
')
########################################
@@ -80,6 +78,7 @@ interface(`prelink_run',`
## </summary>
## </param>
#
+# cjp: added for misc non-entrypoint objects
interface(`prelink_object_file',`
gen_require(`
attribute prelink_object;
@@ -90,7 +89,7 @@ interface(`prelink_object_file',`
########################################
## <summary>
-## Read prelink cache files.
+## Read the prelink cache.
## </summary>
## <param name="file_type">
## <summary>
@@ -109,7 +108,7 @@ interface(`prelink_read_cache',`
########################################
## <summary>
-## Delete prelink cache files.
+## Delete the prelink cache.
## </summary>
## <param name="file_type">
## <summary>
@@ -122,8 +121,8 @@ interface(`prelink_delete_cache',`
type prelink_cache_t;
')
+ allow $1 prelink_cache_t:file unlink;
files_rw_etc_dirs($1)
- allow $1 prelink_cache_t:file delete_file_perms;
')
########################################
@@ -168,7 +167,7 @@ interface(`prelink_manage_lib',`
########################################
## <summary>
-## Relabel from prelink lib files.
+## Relabel from files in the /boot directory.
## </summary>
## <param name="domain">
## <summary>
@@ -187,7 +186,7 @@ interface(`prelink_relabelfrom_lib',`
########################################
## <summary>
-## Relabel prelink lib files.
+## Relabel from files in the /boot directory.
## </summary>
## <param name="domain">
## <summary>
@@ -203,3 +202,21 @@ interface(`prelink_relabel_lib',`
files_search_var_lib($1)
relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
')
+
+########################################
+## <summary>
+## Transition to prelink named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_filetrans_named_content',`
+ gen_require(`
+ type prelink_cache_t;
+ ')
+
+ files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
+')
diff --git a/prelink.te b/prelink.te
index 8e262163b..c23cec013 100644
--- a/prelink.te
+++ b/prelink.te
@@ -6,13 +6,10 @@ policy_module(prelink, 1.11.0)
attribute prelink_object;
-attribute_role prelink_roles;
-
type prelink_t;
type prelink_exec_t;
init_system_domain(prelink_t, prelink_exec_t)
domain_obj_id_change_exemption(prelink_t)
-role prelink_roles types prelink_t;
type prelink_cache_t;
files_type(prelink_cache_t)
@@ -40,31 +37,34 @@ files_type(prelink_var_lib_t)
# Local policy
#
-allow prelink_t self:capability { chown dac_override fowner fsetid setfcap sys_resource };
+allow prelink_t self:capability { chown dac_read_search fowner fsetid setfcap sys_resource };
allow prelink_t self:process { execheap execmem execstack signal };
allow prelink_t self:fifo_file rw_fifo_file_perms;
allow prelink_t prelink_cache_t:file manage_file_perms;
files_etc_filetrans(prelink_t, prelink_cache_t, file)
-allow prelink_t prelink_log_t:dir setattr_dir_perms;
+allow prelink_t prelink_log_t:dir setattr;
create_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
append_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
logging_log_filetrans(prelink_t, prelink_log_t, file)
-allow prelink_t prelink_tmp_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod };
+allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
-allow prelink_t prelink_tmpfs_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod };
+allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod };
fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)
manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
+files_search_var_lib(prelink_t)
-allow prelink_t prelink_object:file { manage_file_perms mmap_file_perms relabel_file_perms };
+# prelink misc objects that are not system
+# libraries or entrypoints
+allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms };
kernel_read_system_state(prelink_t)
kernel_read_kernel_sysctls(prelink_t)
@@ -75,25 +75,23 @@ corecmd_mmap_all_executables(prelink_t)
corecmd_read_bin_symlinks(prelink_t)
dev_read_urand(prelink_t)
+dev_getattr_all_chr_files(prelink_t)
-files_getattr_all_files(prelink_t)
files_list_all(prelink_t)
+files_getattr_all_files(prelink_t)
+files_write_non_security_dirs(prelink_t)
+files_read_etc_runtime_files(prelink_t)
+files_dontaudit_read_all_symlinks(prelink_t)
files_manage_usr_files(prelink_t)
files_manage_var_files(prelink_t)
-files_read_etc_files(prelink_t)
-files_read_etc_runtime_files(prelink_t)
files_relabelfrom_usr_files(prelink_t)
-files_search_var_lib(prelink_t)
-files_write_non_security_dirs(prelink_t)
-files_dontaudit_read_all_symlinks(prelink_t)
-fs_getattr_all_fs(prelink_t)
-fs_search_auto_mountpoints(prelink_t)
-
-selinux_get_enforce_mode(prelink_t)
+fs_getattr_xattr_fs(prelink_t)
storage_getattr_fixed_disk_dev(prelink_t)
+selinux_get_enforce_mode(prelink_t)
+
libs_exec_ld_so(prelink_t)
libs_legacy_use_shared_libs(prelink_t)
libs_manage_ld_so(prelink_t)
@@ -102,32 +100,16 @@ libs_manage_shared_libs(prelink_t)
libs_relabel_shared_libs(prelink_t)
libs_delete_lib_symlinks(prelink_t)
-miscfiles_read_localization(prelink_t)
-userdom_use_user_terminals(prelink_t)
-userdom_manage_user_home_content_files(prelink_t)
-# pending
-# userdom_relabel_user_home_content_files(prelink_t)
-# userdom_execmod_user_home_content_files(prelink_t)
+userdom_use_inherited_user_terminals(prelink_t)
+userdom_manage_user_home_content(prelink_t)
+userdom_relabel_user_home_files(prelink_t)
+userdom_execmod_user_home_files(prelink_t)
userdom_exec_user_home_content_files(prelink_t)
-ifdef(`hide_broken_symptoms',`
- miscfiles_read_man_pages(prelink_t)
+systemd_read_unit_files(prelink_t)
- optional_policy(`
- dbus_read_config(prelink_t)
- ')
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files(prelink_t)
- fs_manage_nfs_files(prelink_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_exec_cifs_files(prelink_t)
- fs_manage_cifs_files(prelink_t)
-')
+term_use_all_inherited_terms(prelink_t)
optional_policy(`
amanda_manage_lib(prelink_t)
@@ -138,11 +120,12 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_read_config(prelink_t)
gnome_dontaudit_read_inherited_gconf_config_files(prelink_t)
')
optional_policy(`
- mozilla_manage_plugin_rw_files(prelink_t)
+ mozilla_plugin_manage_rw_files(prelink_t)
')
optional_policy(`
@@ -155,17 +138,18 @@ optional_policy(`
########################################
#
-# Cron system local policy
+# Prelink Cron system Policy
#
optional_policy(`
allow prelink_cron_system_t self:capability setuid;
- allow prelink_cron_system_t self:process { setsched setfscreate signal };
+ allow prelink_cron_system_t self:process { setsched setfscreate signal setrlimit };
allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
- allow prelink_cron_system_t self:unix_dgram_socket create_socket_perms;
+ allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
- allow prelink_cron_system_t prelink_cache_t:file delete_file_perms;
+ allow prelink_cron_system_t prelink_cache_t:file unlink;
+ files_delete_etc_dir_entry(prelink_cron_system_t)
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
allow prelink_cron_system_t prelink_t:process noatsecure;
@@ -174,7 +158,7 @@ optional_policy(`
manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)
files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file)
- allow prelink_cron_system_t prelink_var_lib_t:file relabel_file_perms;
+ allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto };
kernel_read_system_state(prelink_cron_system_t)
@@ -184,23 +168,36 @@ optional_policy(`
dev_list_sysfs(prelink_cron_system_t)
dev_read_sysfs(prelink_cron_system_t)
- files_rw_etc_dirs(prelink_cron_system_t)
files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
+ files_search_var_lib(prelink_cron_system_t)
+ files_dontaudit_list_non_security(prelink_cron_system_t)
+
+ fs_search_cgroup_dirs(prelink_cron_system_t)
auth_use_nsswitch(prelink_cron_system_t)
init_telinit(prelink_cron_system_t)
init_exec(prelink_cron_system_t)
+ init_reload_services(prelink_cron_system_t)
libs_exec_ld_so(prelink_cron_system_t)
logging_search_logs(prelink_cron_system_t)
- miscfiles_read_localization(prelink_cron_system_t)
+ init_stream_connect(prelink_cron_system_t)
+
cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
+ userdom_dontaudit_list_admin_dir(prelink_cron_system_t)
+
optional_policy(`
rpm_read_db(prelink_cron_system_t)
')
')
+
+ifdef(`hide_broken_symptoms', `
+ optional_policy(`
+ dbus_read_config(prelink_t)
+ ')
+')
diff --git a/prelude.fc b/prelude.fc
index 8dbc76372..b580f852b 100644
--- a/prelude.fc
+++ b/prelude.fc
@@ -12,7 +12,7 @@
/usr/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
-/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0)
+/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:prewikka_script_exec_t,s0)
/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0)
diff --git a/prelude.if b/prelude.if
index c83a838d7..f41a4f7dd 100644
--- a/prelude.if
+++ b/prelude.if
@@ -1,13 +1,13 @@
-## <summary>Prelude hybrid intrusion detection system.</summary>
+## <summary>Prelude hybrid intrusion detection system</summary>
########################################
## <summary>
## Execute a domain transition to run prelude.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`prelude_domtrans',`
@@ -15,19 +15,17 @@ interface(`prelude_domtrans',`
type prelude_t, prelude_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, prelude_exec_t, prelude_t)
')
########################################
## <summary>
-## Execute a domain transition to
-## run prelude audisp.
+## Execute a domain transition to run prelude_audisp.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`prelude_domtrans_audisp',`
@@ -35,18 +33,17 @@ interface(`prelude_domtrans_audisp',`
type prelude_audisp_t, prelude_audisp_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t)
')
########################################
## <summary>
-## Send generic signals to prelude audisp.
+## Signal the prelude_audisp domain.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed acccess.
+## </summary>
## </param>
#
interface(`prelude_signal_audisp',`
@@ -59,7 +56,7 @@ interface(`prelude_signal_audisp',`
########################################
## <summary>
-## Read prelude spool files.
+## Read the prelude spool files
## </summary>
## <param name="domain">
## <summary>
@@ -78,13 +75,12 @@ interface(`prelude_read_spool',`
########################################
## <summary>
-## Create, read, write, and delete
-## prelude manager spool files.
+## Manage to prelude-manager spool files.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
interface(`prelude_manage_spool',`
@@ -99,8 +95,8 @@ interface(`prelude_manage_spool',`
########################################
## <summary>
-## All of the rules required to
-## administrate an prelude environment.
+## All of the rules required to administrate
+## an prelude environment
## </summary>
## <param name="domain">
## <summary>
@@ -116,32 +112,42 @@ interface(`prelude_manage_spool',`
#
interface(`prelude_admin',`
gen_require(`
- type prelude_t, prelude_spool_t, prelude_lml_var_run_t;
- type prelude_var_run_t, prelude_var_lib_t, prelude_log_t;
- type prelude_audisp_t, prelude_audisp_var_run_t;
- type prelude_initrc_exec_t, prelude_lml_t, prelude_lml_tmp_t;
+ type prelude_t, prelude_spool_t, prelude_initrc_exec_t;
+ type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t;
+ type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t;
+ type prelude_lml_t;
')
- allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t })
+ allow $1 prelude_t:process signal_perms;
+ ps_process_pattern($1, prelude_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 prelude_t:process ptrace;
+ allow $1 prelude_audisp_t:process ptrace;
+ allow $1 prelude_lml_t:process ptrace;
+ ')
+
+ allow $1 prelude_audisp_t:process signal_perms;
+ ps_process_pattern($1, prelude_audisp_t)
+
+ allow $1 prelude_lml_t:process signal_perms;
+ ps_process_pattern($1, prelude_lml_t)
init_labeled_script_domtrans($1, prelude_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 prelude_initrc_exec_t system_r;
allow $2 system_r;
- files_search_spool($1)
+ files_list_spool($1)
admin_pattern($1, prelude_spool_t)
- logging_search_logs($1)
- admin_pattern($1, prelude_log_t)
-
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, prelude_var_lib_t)
- files_search_pids($1)
- admin_pattern($1, { prelude_audisp_var_run_t prelude_var_run_t prelude_lml_var_run_t })
+ files_list_pids($1)
+ admin_pattern($1, prelude_var_run_t)
+ admin_pattern($1, prelude_audisp_var_run_t)
+ admin_pattern($1, prelude_lml_var_run_t)
- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, prelude_lml_tmp_t)
')
diff --git a/prelude.te b/prelude.te
index 8f4460928..d3b9f0dd3 100644
--- a/prelude.te
+++ b/prelude.te
@@ -13,7 +13,7 @@ type prelude_initrc_exec_t;
init_script_file(prelude_initrc_exec_t)
type prelude_spool_t;
-files_type(prelude_spool_t)
+files_spool_file(prelude_spool_t)
type prelude_log_t;
logging_log_file(prelude_log_t)
@@ -54,7 +54,7 @@ files_pid_file(prelude_lml_var_run_t)
# Prelude local policy
#
-allow prelude_t self:capability { dac_override sys_tty_config };
+allow prelude_t self:capability { dac_read_search sys_tty_config };
allow prelude_t self:fifo_file rw_fifo_file_perms;
allow prelude_t self:unix_stream_socket { accept listen };
allow prelude_t self:tcp_socket { accept listen };
@@ -81,7 +81,6 @@ kernel_read_sysctl(prelude_t)
corecmd_search_bin(prelude_t)
-corenet_all_recvfrom_unlabeled(prelude_t)
corenet_all_recvfrom_netlabel(prelude_t)
corenet_tcp_sendrecv_generic_if(prelude_t)
corenet_tcp_sendrecv_generic_node(prelude_t)
@@ -97,7 +96,6 @@ dev_read_rand(prelude_t)
dev_read_urand(prelude_t)
files_read_etc_runtime_files(prelude_t)
-files_read_usr_files(prelude_t)
files_search_spool(prelude_t)
files_search_tmp(prelude_t)
@@ -108,8 +106,6 @@ auth_use_nsswitch(prelude_t)
logging_send_audit_msgs(prelude_t)
logging_send_syslog_msg(prelude_t)
-miscfiles_read_localization(prelude_t)
-
optional_policy(`
mysql_stream_connect(prelude_t)
mysql_tcp_connect(prelude_t)
@@ -125,7 +121,7 @@ optional_policy(`
# Audisp local policy
#
-allow prelude_audisp_t self:capability { dac_override ipc_lock setpcap };
+allow prelude_audisp_t self:capability { dac_read_search ipc_lock setpcap };
allow prelude_audisp_t self:process { getcap setcap };
allow prelude_audisp_t self:fifo_file rw_fifo_file_perms;
allow prelude_audisp_t self:unix_stream_socket { accept listen };
@@ -141,7 +137,6 @@ kernel_read_system_state(prelude_audisp_t)
corecmd_search_bin(prelude_audisp_t)
-corenet_all_recvfrom_unlabeled(prelude_audisp_t)
corenet_all_recvfrom_netlabel(prelude_audisp_t)
corenet_tcp_sendrecv_generic_if(prelude_audisp_t)
corenet_tcp_sendrecv_generic_node(prelude_audisp_t)
@@ -155,15 +150,12 @@ dev_read_urand(prelude_audisp_t)
domain_use_interactive_fds(prelude_audisp_t)
-files_read_etc_files(prelude_audisp_t)
files_read_etc_runtime_files(prelude_audisp_t)
files_search_spool(prelude_audisp_t)
files_search_tmp(prelude_audisp_t)
logging_send_syslog_msg(prelude_audisp_t)
-miscfiles_read_localization(prelude_audisp_t)
-
sysnet_dns_name_resolve(prelude_audisp_t)
########################################
@@ -171,7 +163,7 @@ sysnet_dns_name_resolve(prelude_audisp_t)
# Correlator local policy
#
-allow prelude_correlator_t self:capability dac_override;
+allow prelude_correlator_t self:capability { dac_read_search };
allow prelude_correlator_t self:tcp_socket { accept listen };
manage_dirs_pattern(prelude_correlator_t, prelude_spool_t, prelude_spool_t)
@@ -184,7 +176,6 @@ kernel_read_sysctl(prelude_correlator_t)
corecmd_search_bin(prelude_correlator_t)
-corenet_all_recvfrom_unlabeled(prelude_correlator_t)
corenet_all_recvfrom_netlabel(prelude_correlator_t)
corenet_tcp_sendrecv_generic_if(prelude_correlator_t)
corenet_tcp_sendrecv_generic_node(prelude_correlator_t)
@@ -196,14 +187,10 @@ corenet_tcp_sendrecv_prelude_port(prelude_correlator_t)
dev_read_rand(prelude_correlator_t)
dev_read_urand(prelude_correlator_t)
-files_read_etc_files(prelude_correlator_t)
-files_read_usr_files(prelude_correlator_t)
files_search_spool(prelude_correlator_t)
logging_send_syslog_msg(prelude_correlator_t)
-miscfiles_read_localization(prelude_correlator_t)
-
sysnet_dns_name_resolve(prelude_correlator_t)
########################################
@@ -211,7 +198,9 @@ sysnet_dns_name_resolve(prelude_correlator_t)
# Lml local declarations
#
-allow prelude_lml_t self:capability dac_override;
+allow prelude_lml_t self:capability { dac_read_search };
+allow prelude_lml_t self:tcp_socket { setopt create_socket_perms };
+allow prelude_lml_t self:unix_dgram_socket create_socket_perms;
allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
allow prelude_lml_t self:unix_stream_socket connectto;
@@ -262,8 +251,6 @@ libs_read_lib_files(prelude_lml_t)
logging_send_syslog_msg(prelude_lml_t)
logging_read_generic_logs(prelude_lml_t)
-miscfiles_read_localization(prelude_lml_t)
-
userdom_read_all_users_state(prelude_lml_t)
optional_policy(`
@@ -278,27 +265,28 @@ optional_policy(`
optional_policy(`
apache_content_template(prewikka)
+ apache_content_alias_template(prewikka, prewikka)
- can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
+ can_exec(prewikka_script_t, prewikka_script_exec_t)
- files_search_tmp(httpd_prewikka_script_t)
+ files_search_tmp(prewikka_script_t)
- kernel_read_sysctl(httpd_prewikka_script_t)
- kernel_search_network_sysctl(httpd_prewikka_script_t)
+ kernel_read_sysctl(prewikka_script_t)
+ kernel_search_network_sysctl(prewikka_script_t)
- auth_use_nsswitch(httpd_prewikka_script_t)
+ auth_use_nsswitch(prewikka_script_t)
- logging_send_syslog_msg(httpd_prewikka_script_t)
+ logging_send_syslog_msg(prewikka_script_t)
- apache_search_sys_content(httpd_prewikka_script_t)
+ apache_search_sys_content(prewikka_script_t)
optional_policy(`
- mysql_stream_connect(httpd_prewikka_script_t)
- mysql_tcp_connect(httpd_prewikka_script_t)
+ mysql_stream_connect(prewikka_script_t)
+ mysql_tcp_connect(prewikka_script_t)
')
optional_policy(`
- postgresql_stream_connect(httpd_prewikka_script_t)
- postgresql_tcp_connect(httpd_prewikka_script_t)
+ postgresql_stream_connect(prewikka_script_t)
+ postgresql_tcp_connect(prewikka_script_t)
')
')
diff --git a/privoxy.if b/privoxy.if
index bdcee30f5..34f314344 100644
--- a/privoxy.if
+++ b/privoxy.if
@@ -23,8 +23,11 @@ interface(`privoxy_admin',`
type privoxy_etc_rw_t, privoxy_var_run_t;
')
- allow $1 privoxy_t:process { ptrace signal_perms };
+ allow $1 privoxy_t:process signal_perms;
ps_process_pattern($1, privoxy_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 privoxy_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/privoxy.te b/privoxy.te
index ec21f80d7..a9f650a1f 100644
--- a/privoxy.te
+++ b/privoxy.te
@@ -85,6 +85,7 @@ corenet_sendrecv_tor_client_packets(privoxy_t)
corenet_tcp_connect_tor_port(privoxy_t)
corenet_tcp_sendrecv_tor_port(privoxy_t)
+
dev_read_sysfs(privoxy_t)
domain_use_interactive_fds(privoxy_t)
@@ -96,8 +97,6 @@ auth_use_nsswitch(privoxy_t)
logging_send_syslog_msg(privoxy_t)
-miscfiles_read_localization(privoxy_t)
-
userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
userdom_dontaudit_search_user_home_dirs(privoxy_t)
diff --git a/procmail.fc b/procmail.fc
index bdff6c931..4b36a13de 100644
--- a/procmail.fc
+++ b/procmail.fc
@@ -1,6 +1,7 @@
-HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0)
+HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
+/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
-/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
-/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
+/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
+/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
diff --git a/procmail.if b/procmail.if
index 00edeab17..166e9c333 100644
--- a/procmail.if
+++ b/procmail.if
@@ -1,4 +1,4 @@
-## <summary>Procmail mail delivery agent.</summary>
+## <summary>Procmail mail delivery agent</summary>
########################################
## <summary>
@@ -15,6 +15,7 @@ interface(`procmail_domtrans',`
type procmail_exec_t, procmail_t;
')
+ files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, procmail_exec_t, procmail_t)
')
@@ -34,101 +35,33 @@ interface(`procmail_exec',`
type procmail_exec_t;
')
+ files_search_usr($1)
corecmd_search_bin($1)
can_exec($1, procmail_exec_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## procmail home files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`procmail_manage_home_files',`
- gen_require(`
- type procmail_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 procmail_home_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-## Read procmail user home content files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`procmail_read_home_files',`
- gen_require(`
- type procmail_home_t;
-
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 procmail_home_t:file read_file_perms;
-')
-
-########################################
-## <summary>
-## Relabel procmail home files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`procmail_relabel_home_files',`
- gen_require(`
- type ppp_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 procmail_home_t:file relabel_file_perms;
-')
-
-########################################
-## <summary>
-## Create objects in user home
-## directories with the procmail home type.
+## Read procmail tmp files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
#
-interface(`procmail_home_filetrans_procmail_home',`
+interface(`procmail_read_tmp_files',`
gen_require(`
- type procmail_home_t;
+ type procmail_tmp_t;
')
- userdom_user_home_dir_filetrans($1, procmail_home_t, $2, $3)
+ files_search_tmp($1)
+ allow $1 procmail_tmp_t:file read_file_perms;
')
########################################
## <summary>
-## Read procmail tmp files.
+## Read/write procmail tmp files.
## </summary>
## <param name="domain">
## <summary>
@@ -136,18 +69,18 @@ interface(`procmail_home_filetrans_procmail_home',`
## </summary>
## </param>
#
-interface(`procmail_read_tmp_files',`
+interface(`procmail_rw_tmp_files',`
gen_require(`
type procmail_tmp_t;
')
files_search_tmp($1)
- allow $1 procmail_tmp_t:file read_file_perms;
+ rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
')
########################################
## <summary>
-## Read and write procmail tmp files.
+## Read procmail home directory content
## </summary>
## <param name="domain">
## <summary>
@@ -155,11 +88,11 @@ interface(`procmail_read_tmp_files',`
## </summary>
## </param>
#
-interface(`procmail_rw_tmp_files',`
+interface(`procmail_read_home_files',`
gen_require(`
- type procmail_tmp_t;
+ type procmail_home_t;
')
- files_search_tmp($1)
- rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
')
diff --git a/procmail.te b/procmail.te
index cc426e62a..ee83a78ce 100644
--- a/procmail.te
+++ b/procmail.te
@@ -14,7 +14,7 @@ type procmail_home_t;
userdom_user_home_content(procmail_home_t)
type procmail_log_t;
-logging_log_file(procmail_log_t)
+logging_log_file(procmail_log_t)
type procmail_tmp_t;
files_tmp_file(procmail_tmp_t)
@@ -24,13 +24,17 @@ files_tmp_file(procmail_tmp_t)
# Local policy
#
-allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override };
+allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_read_search };
allow procmail_t self:process { setsched signal signull };
allow procmail_t self:fifo_file rw_fifo_file_perms;
-allow procmail_t self:tcp_socket { accept listen };
+allow procmail_t self:unix_stream_socket create_socket_perms;
+allow procmail_t self:unix_dgram_socket create_socket_perms;
+allow procmail_t self:tcp_socket create_stream_socket_perms;
+allow procmail_t self:udp_socket create_socket_perms;
-allow procmail_t procmail_home_t:file read_file_perms;
+can_exec(procmail_t, procmail_exec_t)
+# Write log to /var/log/procmail.log or /var/log/procmail/.*
allow procmail_t procmail_log_t:dir setattr_dir_perms;
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
@@ -40,83 +44,98 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
allow procmail_t procmail_tmp_t:file manage_file_perms;
files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
-can_exec(procmail_t, procmail_exec_t)
-
+kernel_read_network_state(procmail_t)
kernel_read_system_state(procmail_t)
kernel_read_kernel_sysctls(procmail_t)
-corenet_all_recvfrom_unlabeled(procmail_t)
corenet_all_recvfrom_netlabel(procmail_t)
corenet_tcp_sendrecv_generic_if(procmail_t)
+corenet_udp_sendrecv_generic_if(procmail_t)
corenet_tcp_sendrecv_generic_node(procmail_t)
-
-corenet_sendrecv_spamd_client_packets(procmail_t)
+corenet_udp_sendrecv_generic_node(procmail_t)
+corenet_tcp_sendrecv_all_ports(procmail_t)
+corenet_udp_sendrecv_all_ports(procmail_t)
+corenet_udp_bind_generic_node(procmail_t)
corenet_tcp_connect_spamd_port(procmail_t)
-corenet_tcp_sendrecv_spamd_port(procmail_t)
-
+corenet_sendrecv_spamd_client_packets(procmail_t)
corenet_sendrecv_comsat_client_packets(procmail_t)
-corenet_tcp_connect_comsat_port(procmail_t)
-corenet_tcp_sendrecv_comsat_port(procmail_t)
-
-corecmd_exec_bin(procmail_t)
-corecmd_exec_shell(procmail_t)
+dev_read_rand(procmail_t)
dev_read_urand(procmail_t)
-fs_getattr_all_fs(procmail_t)
+fs_getattr_xattr_fs(procmail_t)
fs_search_auto_mountpoints(procmail_t)
fs_rw_anon_inodefs_files(procmail_t)
auth_use_nsswitch(procmail_t)
+corecmd_exec_bin(procmail_t)
+corecmd_exec_shell(procmail_t)
+
files_read_etc_runtime_files(procmail_t)
-files_read_usr_files(procmail_t)
+files_search_pids(procmail_t)
+# for spamassasin
-logging_send_syslog_msg(procmail_t)
+application_exec_all(procmail_t)
-miscfiles_read_localization(procmail_t)
+init_read_utmp(procmail_t)
+logging_send_syslog_msg(procmail_t)
+logging_append_all_logs(procmail_t)
+
+list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
+read_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
userdom_search_user_home_dirs(procmail_t)
+userdom_search_admin_dir(procmail_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(procmail_t)
- fs_manage_nfs_files(procmail_t)
- fs_manage_nfs_symlinks(procmail_t)
-')
+# only works until we define a different type for maildir
+userdom_manage_user_home_content_dirs(procmail_t)
+userdom_manage_user_home_content_files(procmail_t)
+userdom_manage_user_home_content_symlinks(procmail_t)
+userdom_manage_user_home_content_pipes(procmail_t)
+userdom_manage_user_home_content_sockets(procmail_t)
+userdom_filetrans_home_content(procmail_t)
+
+userdom_manage_user_tmp_dirs(procmail_t)
+userdom_manage_user_tmp_files(procmail_t)
+userdom_manage_user_tmp_symlinks(procmail_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(procmail_t)
- fs_manage_cifs_files(procmail_t)
- fs_manage_cifs_symlinks(procmail_t)
+# Execute user executables
+userdom_exec_user_bin_files(procmail_t)
+
+mta_manage_spool(procmail_t)
+mta_read_queue(procmail_t)
+
+ifdef(`hide_broken_symptoms',`
+ mta_dontaudit_rw_queue(procmail_t)
')
+userdom_home_manager(procmail_t)
+
optional_policy(`
- clamav_domtrans_clamscan(procmail_t)
- clamav_search_lib(procmail_t)
+ antivirus_domtrans(procmail_t)
+ antivirus_search_db(procmail_t)
')
optional_policy(`
- cyrus_stream_connect(procmail_t)
+ dovecot_stream_connect(procmail_t)
+ dovecot_read_config(procmail_t)
')
optional_policy(`
- mta_manage_spool(procmail_t)
- mta_read_config(procmail_t)
- mta_read_queue(procmail_t)
- mta_manage_mail_home_rw_content(procmail_t)
- mta_home_filetrans_mail_home_rw(procmail_t, dir, "Maildir")
- mta_home_filetrans_mail_home_rw(procmail_t, dir, ".maildir")
+ cyrus_stream_connect(procmail_t)
')
optional_policy(`
- munin_dontaudit_search_lib(procmail_t)
+ gnome_manage_data(procmail_t)
')
optional_policy(`
- nagios_search_spool(procmail_t)
+ munin_dontaudit_search_lib(procmail_t)
')
optional_policy(`
+ # for a bug in the postfix local program
postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
postfix_dontaudit_use_fds(procmail_t)
postfix_read_spool_files(procmail_t)
@@ -126,11 +145,18 @@ optional_policy(`
')
optional_policy(`
+ nagios_search_spool(procmail_t)
+')
+
+optional_policy(`
pyzor_domtrans(procmail_t)
pyzor_signal(procmail_t)
')
optional_policy(`
+ mta_read_config(procmail_t)
+ mta_mailserver_delivery(procmail_t)
+ mta_manage_home_rw(procmail_t)
sendmail_domtrans(procmail_t)
sendmail_signal(procmail_t)
sendmail_dontaudit_rw_tcp_sockets(procmail_t)
@@ -145,3 +171,8 @@ optional_policy(`
spamassassin_domtrans_client(procmail_t)
spamassassin_read_lib_files(procmail_t)
')
+
+optional_policy(`
+ zarafa_stream_connect_server(procmail_t)
+ zarafa_domtrans_deliver(procmail_t)
+')
diff --git a/prosody.fc b/prosody.fc
new file mode 100644
index 000000000..c056a2fb3
--- /dev/null
+++ b/prosody.fc
@@ -0,0 +1,10 @@
+/usr/bin/prosody -- gen_context(system_u:object_r:prosody_exec_t,s0)
+/usr/bin/prosodyctl -- gen_context(system_u:object_r:prosody_exec_t,s0)
+
+/usr/lib/systemd/system/prosody.service -- gen_context(system_u:object_r:prosody_unit_file_t,s0)
+
+/var/lib/prosody(/.*)? gen_context(system_u:object_r:prosody_var_lib_t,s0)
+
+/var/run/prosody(/.*)? gen_context(system_u:object_r:prosody_var_run_t,s0)
+
+/var/log/prosody(/.*)? gen_context(system_u:object_r:prosody_log_t,s0)
diff --git a/prosody.if b/prosody.if
new file mode 100644
index 000000000..8231f4ff5
--- /dev/null
+++ b/prosody.if
@@ -0,0 +1,255 @@
+
+## <summary>policy for prosody</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the prosody domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`prosody_domtrans',`
+ gen_require(`
+ type prosody_t, prosody_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, prosody_exec_t, prosody_t)
+')
+
+########################################
+## <summary>
+## Search prosody lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prosody_search_lib',`
+ gen_require(`
+ type prosody_var_lib_t;
+ ')
+
+ allow $1 prosody_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read prosody lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prosody_read_lib_files',`
+ gen_require(`
+ type prosody_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage prosody lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prosody_manage_lib_files',`
+ gen_require(`
+ type prosody_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage prosody lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prosody_manage_lib_dirs',`
+ gen_require(`
+ type prosody_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read prosody PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prosody_read_pid_files',`
+ gen_require(`
+ type prosody_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, prosody_var_run_t, prosody_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute prosody server in the prosody domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`prosody_systemctl',`
+ gen_require(`
+ type prosody_t;
+ type prosody_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 prosody_unit_file_t:file read_file_perms;
+ allow $1 prosody_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, prosody_t)
+')
+
+
+########################################
+## <summary>
+## Execute prosody in the prosody domain, and
+## allow the specified role the prosody domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the prosody domain.
+## </summary>
+## </param>
+#
+interface(`prosody_run',`
+ gen_require(`
+ type prosody_t;
+ attribute_role prosody_roles;
+ ')
+
+ prosody_domtrans($1)
+ roleattribute $2 prosody_roles;
+')
+
+######################################
+## <summary>
+## Connect to prosody with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prosody_stream_connect',`
+ gen_require(`
+ type prosody_t, prosody_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, prosody_var_run_t, prosody_var_run_t, prosody_t)
+')
+
+########################################
+## <summary>
+## Role access for prosody
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`prosody_role',`
+ gen_require(`
+ type prosody_t;
+ attribute_role prosody_roles;
+ ')
+
+ roleattribute $1 prosody_roles;
+
+ prosody_domtrans($2)
+
+ ps_process_pattern($2, prosody_t)
+ allow $2 prosody_t:process { signull signal sigkill };
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an prosody environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`prosody_admin',`
+ gen_require(`
+ type prosody_t;
+ type prosody_var_lib_t;
+ type prosody_var_run_t;
+ type prosody_unit_file_t;
+ ')
+
+ allow $1 prosody_t:process { ptrace signal_perms };
+ ps_process_pattern($1, prosody_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, prosody_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, prosody_var_run_t)
+
+ prosody_systemctl($1)
+ admin_pattern($1, prosody_unit_file_t)
+ allow $1 prosody_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/prosody.te b/prosody.te
new file mode 100644
index 000000000..06eb94871
--- /dev/null
+++ b/prosody.te
@@ -0,0 +1,99 @@
+policy_module(prosody, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Permit to prosody to bind apache port.
+## Need to be activated to use BOSH.
+## </p>
+## </desc>
+gen_tunable(prosody_bind_http_port, false)
+
+type prosody_t;
+type prosody_exec_t;
+init_daemon_domain(prosody_t, prosody_exec_t)
+
+type prosody_log_t;
+logging_log_file(prosody_log_t)
+
+type prosody_var_lib_t;
+files_type(prosody_var_lib_t)
+
+type prosody_var_run_t;
+files_pid_file(prosody_var_run_t)
+
+type prosody_tmp_t;
+files_tmp_file(prosody_tmp_t)
+
+type prosody_unit_file_t;
+systemd_unit_file(prosody_unit_file_t)
+
+########################################
+#
+# prosody local policy
+#
+allow prosody_t self:capability { setuid setgid dac_read_search };
+allow prosody_t self:process { signal_perms execmem };
+allow prosody_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
+manage_files_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
+manage_lnk_files_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
+files_var_lib_filetrans(prosody_t, prosody_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
+manage_files_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
+manage_lnk_files_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
+files_pid_filetrans(prosody_t, prosody_var_run_t, { dir file lnk_file })
+
+manage_dirs_pattern(prosody_t, prosody_log_t, prosody_log_t)
+manage_files_pattern(prosody_t, prosody_log_t, prosody_log_t)
+setattr_files_pattern(prosody_t, prosody_log_t, prosody_log_t)
+logging_log_filetrans(prosody_t, prosody_log_t, { file dir })
+
+manage_dirs_pattern(prosody_t, prosody_tmp_t, prosody_tmp_t)
+manage_files_pattern(prosody_t, prosody_tmp_t, prosody_tmp_t)
+files_tmp_filetrans(prosody_t, prosody_tmp_t, { dir file })
+
+can_exec(prosody_t, prosody_exec_t)
+
+kernel_read_system_state(prosody_t)
+
+corecmd_exec_bin(prosody_t)
+corecmd_exec_shell(prosody_t)
+
+corenet_udp_bind_generic_node(prosody_t)
+corenet_tcp_connect_postgresql_port(prosody_t)
+corenet_tcp_connect_jabber_interserver_port(prosody_t)
+corenet_tcp_connect_jabber_client_port(prosody_t)
+corenet_tcp_bind_prosody_port(prosody_t)
+corenet_tcp_bind_jabber_client_port(prosody_t)
+corenet_tcp_bind_jabber_interserver_port(prosody_t)
+corenet_tcp_bind_jabber_router_port(prosody_t)
+corenet_tcp_bind_commplex_main_port(prosody_t)
+corenet_tcp_bind_fac_restore_port(prosody_t)
+
+tunable_policy(`prosody_bind_http_port',`
+ corenet_tcp_bind_http_port(prosody_t)
+')
+
+dev_read_urand(prosody_t)
+
+domain_use_interactive_fds(prosody_t)
+
+files_read_etc_files(prosody_t)
+
+auth_use_nsswitch(prosody_t)
+sysnet_read_config(prosody_t)
+
+logging_send_syslog_msg(prosody_t)
+
+miscfiles_read_localization(prosody_t)
+
+optional_policy(`
+ sasl_connect(prosody_t)
+')
diff --git a/psad.if b/psad.if
index d4dcf782c..3cce82e50 100644
--- a/psad.if
+++ b/psad.if
@@ -93,9 +93,8 @@ interface(`psad_manage_config',`
')
files_search_etc($1)
- allow $1 psad_etc_t:dir manage_dir_perms;
- allow $1 psad_etc_t:file manage_file_perms;
- allow $1 psad_etc_t:lnk_file manage_lnk_file_perms;
+ manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
+ manage_files_pattern($1, psad_etc_t, psad_etc_t)
')
########################################
@@ -119,7 +118,7 @@ interface(`psad_read_pid_files',`
########################################
## <summary>
-## Read and write psad pid files.
+## Read and write psad PID files.
## </summary>
## <param name="domain">
## <summary>
@@ -179,6 +178,45 @@ interface(`psad_append_log',`
########################################
## <summary>
+## Allow the specified domain to write to psad's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`psad_write_log',`
+ gen_require(`
+ type psad_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ write_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to setattr to psad's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_setattr_log',`
+ gen_require(`
+ type psad_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ setattr_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+########################################
+## <summary>
## Read and write psad fifo files.
## </summary>
## <param name="domain">
@@ -198,6 +236,45 @@ interface(`psad_rw_fifo_file',`
#######################################
## <summary>
+## Allow setattr to psad fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_setattr_fifo_file',`
+ gen_require(`
+ type psad_t, psad_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 psad_var_lib_t:fifo_file setattr;
+ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Allow search to psad lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_search_lib_files',`
+ gen_require(`
+ type psad_t, psad_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
+')
+
+#######################################
+## <summary>
## Read and write psad temporary files.
## </summary>
## <param name="domain">
@@ -235,30 +312,34 @@ interface(`psad_rw_tmp_files',`
interface(`psad_admin',`
gen_require(`
type psad_t, psad_var_run_t, psad_var_log_t;
- type psad_initrc_exec_t, psad_var_lib_t;
+ type psad_initrc_exec_t, psad_var_lib_t, psad_etc_t;
type psad_tmp_t;
')
- allow $1 psad_t:process { ptrace signal_perms };
+ allow $1 psad_t:process signal_perms;
ps_process_pattern($1, psad_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 psad_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, psad_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 psad_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, psad_etc_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, psad_var_run_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, psad_var_log_t)
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, psad_var_lib_t)
- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, psad_tmp_t)
')
diff --git a/psad.te b/psad.te
index b5d717b09..99f6fddac 100644
--- a/psad.te
+++ b/psad.te
@@ -32,7 +32,7 @@ files_tmp_file(psad_tmp_t)
# Local policy
#
-allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
+allow psad_t self:capability { net_admin net_raw setuid setgid dac_read_search };
dontaudit psad_t self:capability sys_tty_config;
allow psad_t self:process signal_perms;
allow psad_t self:fifo_file rw_fifo_file_perms;
@@ -66,7 +66,6 @@ kernel_read_net_sysctls(psad_t)
corecmd_exec_bin(psad_t)
corecmd_exec_shell(psad_t)
-corenet_all_recvfrom_unlabeled(psad_t)
corenet_all_recvfrom_netlabel(psad_t)
corenet_tcp_sendrecv_generic_if(psad_t)
corenet_tcp_sendrecv_generic_node(psad_t)
@@ -78,7 +77,6 @@ corenet_tcp_sendrecv_whois_port(psad_t)
dev_read_urand(psad_t)
files_read_etc_runtime_files(psad_t)
-files_read_usr_files(psad_t)
fs_getattr_all_fs(psad_t)
@@ -88,8 +86,6 @@ logging_read_generic_logs(psad_t)
logging_read_syslog_config(psad_t)
logging_send_syslog_msg(psad_t)
-miscfiles_read_localization(psad_t)
-
sysnet_exec_ifconfig(psad_t)
optional_policy(`
diff --git a/ptchown.te b/ptchown.te
index 28d2abc03..c2cfb5eaa 100644
--- a/ptchown.te
+++ b/ptchown.te
@@ -21,7 +21,6 @@ role ptchown_roles types ptchown_t;
allow ptchown_t self:capability { chown fowner fsetid setuid };
allow ptchown_t self:process { getcap setcap };
-files_read_etc_files(ptchown_t)
fs_rw_anon_inodefs_files(ptchown_t)
@@ -31,4 +30,4 @@ term_setattr_all_ptys(ptchown_t)
term_use_generic_ptys(ptchown_t)
term_use_ptmx(ptchown_t)
-miscfiles_read_localization(ptchown_t)
+auth_read_passwd(ptchown_t)
diff --git a/publicfile.te b/publicfile.te
index 3246befff..edce6258a 100644
--- a/publicfile.te
+++ b/publicfile.te
@@ -17,7 +17,7 @@ files_type(publicfile_content_t)
# Local policy
#
-allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };
+allow publicfile_t self:capability { dac_read_search setgid setuid sys_chroot };
allow publicfile_t publicfile_content_t:dir list_dir_perms;
allow publicfile_t publicfile_content_t:file read_file_perms;
diff --git a/pulseaudio.fc b/pulseaudio.fc
index 6864479a7..0e7d87513 100644
--- a/pulseaudio.fc
+++ b/pulseaudio.fc
@@ -1,9 +1,14 @@
HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
-HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
-/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
+/root/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+/root/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+/root/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+/root/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
-/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
-/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
+/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
diff --git a/pulseaudio.if b/pulseaudio.if
index 45843b55c..4d1adace5 100644
--- a/pulseaudio.if
+++ b/pulseaudio.if
@@ -2,43 +2,47 @@
########################################
## <summary>
-## Role access for pulseaudio.
+## Role access for pulseaudio
## </summary>
## <param name="role">
## <summary>
-## Role allowed access.
+## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
-## User domain for the role.
+## User domain for the role
## </summary>
## </param>
#
interface(`pulseaudio_role',`
gen_require(`
- attribute pulseaudio_tmpfsfile;
- type pulseaudio_t, pulseaudio_home_t, pulseaudio_tmpfs_t;
- type pulseaudio_tmp_t;
+ attribute pulseaudio_tmpfsfile;
+ type pulseaudio_t, pulseaudio_exec_t, pulseaudio_tmpfs_t;
+ class dbus { acquire_svc send_msg };
')
- pulseaudio_run($2, $1)
+ role $1 types pulseaudio_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)
- allow $2 pulseaudio_t:process { ptrace signal_perms };
ps_process_pattern($2, pulseaudio_t)
- allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms };
- allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow pulseaudio_t $2:process { signal signull };
+ allow $2 pulseaudio_t:process { signal signull sigkill };
+ ps_process_pattern(pulseaudio_t, $2)
+
+ allow pulseaudio_t $2:unix_stream_socket connectto;
+ allow $2 pulseaudio_t:unix_stream_socket connectto;
allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms };
- allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };
- allow $2 pulseaudio_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ userdom_manage_tmp_role($1, pulseaudio_t)
- allow pulseaudio_t $2:unix_stream_socket connectto;
+ allow $2 pulseaudio_t:dbus send_msg;
+ allow pulseaudio_t $2:dbus { acquire_svc send_msg };
')
########################################
@@ -65,9 +69,8 @@ interface(`pulseaudio_domtrans',`
########################################
## <summary>
-## Execute pulseaudio in the pulseaudio
-## domain, and allow the specified role
-## the pulseaudio domain.
+## Execute pulseaudio in the pulseaudio domain, and
+## allow the specified role the pulseaudio domain.
## </summary>
## <param name="domain">
## <summary>
@@ -82,16 +85,16 @@ interface(`pulseaudio_domtrans',`
#
interface(`pulseaudio_run',`
gen_require(`
- attribute_role pulseaudio_roles;
+ type pulseaudio_t;
')
pulseaudio_domtrans($1)
- roleattribute $2 pulseaudio_roles;
+ role $2 types pulseaudio_t;
')
########################################
## <summary>
-## Execute pulseaudio in the caller domain.
+## Execute a pulseaudio in the current domain.
## </summary>
## <param name="domain">
## <summary>
@@ -104,13 +107,12 @@ interface(`pulseaudio_exec',`
type pulseaudio_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, pulseaudio_exec_t)
')
########################################
## <summary>
-## Do not audit attempts to execute pulseaudio.
+## Do not audit to execute a pulseaudio.
## </summary>
## <param name="domain">
## <summary>
@@ -128,7 +130,7 @@ interface(`pulseaudio_dontaudit_exec',`
########################################
## <summary>
-## Send null signals to pulseaudio.
+## Send signull signal to pulseaudio
## processes.
## </summary>
## <param name="domain">
@@ -147,8 +149,8 @@ interface(`pulseaudio_signull',`
#####################################
## <summary>
-## Connect to pulseaudio with a unix
-## domain stream socket.
+## Connect to pulseaudio over a unix domain
+## stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -158,11 +160,15 @@ interface(`pulseaudio_signull',`
#
interface(`pulseaudio_stream_connect',`
gen_require(`
- type pulseaudio_t, pulseaudio_var_run_t, pulseaudio_tmp_t;
+ type pulseaudio_t, pulseaudio_var_run_t;
+ type pulseaudio_home_t;
')
files_search_pids($1)
- stream_connect_pattern($1, { pulseaudio_tmp_t pulseaudio_var_run_t }, { pulseaudio_tmp_t pulseaudio_var_run_t }, pulseaudio_t)
+ allow $1 pulseaudio_t:process signull;
+ allow pulseaudio_t $1:process signull;
+ stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
+ stream_connect_pattern($1, pulseaudio_home_t, pulseaudio_home_t, pulseaudio_t)
')
########################################
@@ -188,9 +194,9 @@ interface(`pulseaudio_dbus_chat',`
########################################
## <summary>
-## Set attributes of pulseaudio home directories.
+## Set the attributes of the pulseaudio homedir.
## </summary>
-## <param name="domain">
+## <param name="user_domain">
## <summary>
## Domain allowed access.
## </summary>
@@ -201,148 +207,190 @@ interface(`pulseaudio_setattr_home_dir',`
type pulseaudio_home_t;
')
- allow $1 pulseaudio_home_t:dir setattr_dir_perms;
+ allow $1 pulseaudio_home_t:dir setattr;
')
########################################
## <summary>
-## Read pulseaudio home content.
+## Read pulseaudio homedir files.
## </summary>
-## <param name="domain">
+## <param name="user_domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`pulseaudio_read_home_files',`
- refpolicywarn(`$0($*) has been deprecated, use pulseaudio_read_home() instead.')
- pulseaudio_read_home($1)
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')
########################################
## <summary>
-## Read pulseaudio home content.
+## Read and write Pulse Audio files.
## </summary>
-## <param name="domain">
+## <param name="user_domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-interface(`pulseaudio_read_home',`
+interface(`pulseaudio_rw_home_files',`
gen_require(`
type pulseaudio_home_t;
')
+ rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
userdom_search_user_home_dirs($1)
- allow $1 pulseaudio_home_t:dir list_dir_perms;
- allow $1 pulseaudio_home_t:file read_file_perms;
- allow $1 pulseaudio_home_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
-## Read and write Pulse Audio files.
+## Create, read, write, and delete pulseaudio
+## home directories.
## </summary>
-## <param name="domain">
+## <param name="user_domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-interface(`pulseaudio_rw_home_files',`
+interface(`pulseaudio_manage_home_dirs',`
gen_require(`
type pulseaudio_home_t;
')
userdom_search_user_home_dirs($1)
- rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
- read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ manage_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## pulseaudio home content.
+## Create, read, write, and delete pulseaudio
+## home directory files.
## </summary>
-## <param name="domain">
+## <param name="user_domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`pulseaudio_manage_home_files',`
- refpolicywarn(`$0($*) has been deprecated, use pulseaudio_manage_home() instead.')
- pulseaudio_manage_home($1)
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ pulseaudio_filetrans_home_content($1)
')
########################################
## <summary>
-## Create, read, write, and delete
-## pulseaudio home content.
+## Create, read, write, and delete pulseaudio
+## home directory symlinks.
## </summary>
-## <param name="domain">
+## <param name="user_domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-interface(`pulseaudio_manage_home',`
+interface(`pulseaudio_manage_home_symlinks',`
gen_require(`
type pulseaudio_home_t;
')
userdom_search_user_home_dirs($1)
- allow $1 pulseaudio_home_t:dir manage_dir_perms;
- allow $1 pulseaudio_home_t:file manage_file_perms;
- allow $1 pulseaudio_home_t:lnk_file manage_lnk_file_perms;
+ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')
########################################
## <summary>
-## Create objects in user home
-## directories with the pulseaudio
-## home type.
+## Create pulseaudio content in the user home directory
+## with an correct label.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
+#
+interface(`pulseaudio_filetrans_home_content',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
+ optional_policy(`
+ gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")
+ ')
+')
+
+########################################
+## <summary>
+## Create pulseaudio content in the admin home directory
+## with an correct label.
+## </summary>
+## <param name="domain">
## <summary>
-## The name of the object being created.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`pulseaudio_home_filetrans_pulseaudio_home',`
+interface(`pulseaudio_filetrans_admin_home_content',`
gen_require(`
type pulseaudio_home_t;
')
- userdom_user_home_dir_filetrans($1, pulseaudio_home_t, $2, $3)
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
')
-########################################
+#######################################
## <summary>
-## Make the specified tmpfs file type
-## pulseaudio tmpfs content.
+## Make the specified tmpfs file type
+## pulseaudio tmpfs content.
## </summary>
## <param name="file_type">
+## <summary>
+## File type to make pulseaudio tmpfs content.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_tmpfs_content',`
+ gen_require(`
+ attribute pulseaudio_tmpfsfile;
+ ')
+
+ typeattribute $1 pulseaudio_tmpfsfile;
+')
+
+########################################
+## <summary>
+## Allow the domain to read pulseaudio state files in /proc.
+## </summary>
+## <param name="domain">
## <summary>
-## File type to make pulseaudio tmpfs content.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`pulseaudio_tmpfs_content',`
+interface(`pulseaudio_read_state',`
gen_require(`
- attribute pulseaudio_tmpfsfile;
+ type pulseaudio_t;
')
- typeattribute $1 pulseaudio_tmpfsfile;
+ kernel_search_proc($1)
+ ps_process_pattern($1, pulseaudio_t)
')
diff --git a/pulseaudio.te b/pulseaudio.te
index 6643b49c2..22214f676 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -8,61 +8,50 @@ policy_module(pulseaudio, 1.6.0)
attribute pulseaudio_client;
attribute pulseaudio_tmpfsfile;
-attribute_role pulseaudio_roles;
-
type pulseaudio_t;
type pulseaudio_exec_t;
# init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t)
-role pulseaudio_roles types pulseaudio_t;
+role system_r types pulseaudio_t;
type pulseaudio_home_t;
userdom_user_home_content(pulseaudio_home_t)
-type pulseaudio_tmp_t;
-userdom_user_tmp_file(pulseaudio_tmp_t)
-
type pulseaudio_tmpfs_t;
userdom_user_tmpfs_file(pulseaudio_tmpfs_t)
type pulseaudio_var_lib_t;
files_type(pulseaudio_var_lib_t)
+ubac_constrained(pulseaudio_var_lib_t)
type pulseaudio_var_run_t;
files_pid_file(pulseaudio_var_run_t)
+ubac_constrained(pulseaudio_var_run_t)
########################################
#
-# Local policy
+# pulseaudio local policy
#
allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
-allow pulseaudio_t self:fifo_file rw_fifo_file_perms;
-allow pulseaudio_t self:unix_stream_socket { accept connectto listen };
-allow pulseaudio_t self:unix_dgram_socket sendto;
-allow pulseaudio_t self:tcp_socket { accept listen };
+allow pulseaudio_t self:fifo_file rw_file_perms;
+allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
+allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
+allow pulseaudio_t self:udp_socket create_socket_perms;
allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms;
-allow pulseaudio_t pulseaudio_home_t:file manage_file_perms;
-allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms;
-
-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse")
-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".esd_auth")
-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".pulse-cookie")
-
-manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
-manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
-manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
-files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native")
+manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+manage_lnk_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+userdom_search_user_home_dirs(pulseaudio_t)
+pulseaudio_filetrans_home_content(pulseaudio_t)
-manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
-manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
-fs_tmpfs_filetrans(pulseaudio_t, pulseaudio_tmpfs_t, { dir file })
+# ~/.esd_auth - maybe we should label this pulseaudio_home_t?
+userdom_read_user_home_content_files(pulseaudio_t)
+userdom_search_admin_dir(pulseaudio_t)
+userdom_map_tmp_files(pulseaudio_t)
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
@@ -72,10 +61,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
-files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
-
-allow pulseaudio_t pulseaudio_client:process signull;
-ps_process_pattern(pulseaudio_t, pulseaudio_client)
+files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { file dir })
can_exec(pulseaudio_t, pulseaudio_exec_t)
@@ -85,62 +71,58 @@ kernel_read_kernel_sysctls(pulseaudio_t)
corecmd_exec_bin(pulseaudio_t)
-corenet_all_recvfrom_unlabeled(pulseaudio_t)
corenet_all_recvfrom_netlabel(pulseaudio_t)
-corenet_tcp_sendrecv_generic_if(pulseaudio_t)
-corenet_udp_sendrecv_generic_if(pulseaudio_t)
-corenet_tcp_sendrecv_generic_node(pulseaudio_t)
-corenet_udp_sendrecv_generic_node(pulseaudio_t)
-
-corenet_sendrecv_pulseaudio_server_packets(pulseaudio_t)
corenet_tcp_bind_pulseaudio_port(pulseaudio_t)
-corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_t)
-
-corenet_sendrecv_soundd_server_packets(pulseaudio_t)
corenet_tcp_bind_soundd_port(pulseaudio_t)
-corenet_tcp_sendrecv_soundd_port(pulseaudio_t)
-
-corenet_sendrecv_sap_server_packets(pulseaudio_t)
+corenet_tcp_sendrecv_generic_if(pulseaudio_t)
+corenet_tcp_sendrecv_generic_node(pulseaudio_t)
corenet_udp_bind_sap_port(pulseaudio_t)
-corenet_udp_sendrecv_sap_port(pulseaudio_t)
+corenet_udp_sendrecv_generic_if(pulseaudio_t)
+corenet_udp_sendrecv_generic_node(pulseaudio_t)
+corenet_dontaudit_tcp_connect_xserver_port(pulseaudio_t)
dev_read_sound(pulseaudio_t)
dev_write_sound(pulseaudio_t)
dev_read_sysfs(pulseaudio_t)
dev_read_urand(pulseaudio_t)
-files_read_usr_files(pulseaudio_t)
+fs_rw_anon_inodefs_files(pulseaudio_t)
fs_getattr_tmpfs(pulseaudio_t)
-fs_getattr_all_fs(pulseaudio_t)
fs_list_inotifyfs(pulseaudio_t)
-fs_rw_anon_inodefs_files(pulseaudio_t)
-fs_search_auto_mountpoints(pulseaudio_t)
-term_use_all_ttys(pulseaudio_t)
-term_use_all_ptys(pulseaudio_t)
+term_use_all_inherited_ttys(pulseaudio_t)
+term_use_all_inherited_ptys(pulseaudio_t)
auth_use_nsswitch(pulseaudio_t)
logging_send_syslog_msg(pulseaudio_t)
-miscfiles_read_localization(pulseaudio_t)
-
-userdom_read_user_tmpfs_files(pulseaudio_t)
+userdom_read_user_tmp_files(pulseaudio_t)
userdom_search_user_home_dirs(pulseaudio_t)
userdom_write_user_tmp_sockets(pulseaudio_t)
+userdom_manage_user_tmp_files(pulseaudio_t)
+userdom_execute_user_tmp_files(pulseaudio_t)
tunable_policy(`use_nfs_home_dirs',`
+ fs_mount_nfs(pulseaudio_t)
+ fs_mounton_nfs(pulseaudio_t)
fs_manage_nfs_dirs(pulseaudio_t)
fs_manage_nfs_files(pulseaudio_t)
fs_manage_nfs_symlinks(pulseaudio_t)
+ fs_manage_nfs_named_sockets(pulseaudio_t)
+ fs_manage_nfs_named_pipes(pulseaudio_t)
')
tunable_policy(`use_samba_home_dirs',`
+ fs_mount_cifs(pulseaudio_t)
+ fs_mounton_cifs(pulseaudio_t)
fs_manage_cifs_dirs(pulseaudio_t)
fs_manage_cifs_files(pulseaudio_t)
fs_manage_cifs_symlinks(pulseaudio_t)
+ fs_manage_cifs_named_sockets(pulseaudio_t)
+ fs_manage_cifs_named_pipes(pulseaudio_t)
')
optional_policy(`
@@ -153,8 +135,9 @@ optional_policy(`
optional_policy(`
dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
- dbus_all_session_bus_client(pulseaudio_t)
- dbus_connect_all_session_bus(pulseaudio_t)
+ dbus_system_bus_client(pulseaudio_t)
+ dbus_session_bus_client(pulseaudio_t)
+ dbus_connect_session_bus(pulseaudio_t)
optional_policy(`
consolekit_dbus_chat(pulseaudio_t)
@@ -174,29 +157,49 @@ optional_policy(`
')
optional_policy(`
+ gnome_read_gkeyringd_state(pulseaudio_t)
+ gnome_signull_gkeyringd(pulseaudio_t)
+ gnome_manage_gstreamer_home_files(pulseaudio_t)
+ gnome_exec_gstreamer_home_files(pulseaudio_t)
+')
+
+optional_policy(`
rtkit_scheduled(pulseaudio_t)
')
optional_policy(`
+ mozilla_plugin_delete_tmpfs_files(pulseaudio_t)
+ mozilla_plugin_read_tmpfs_files(pulseaudio_t)
+')
+
+optional_policy(`
policykit_domtrans_auth(pulseaudio_t)
policykit_read_lib(pulseaudio_t)
policykit_read_reload(pulseaudio_t)
')
optional_policy(`
+ systemd_read_logind_sessions_files(pulseaudio_t)
+ systemd_login_read_pid_files(pulseaudio_t)
+')
+
+optional_policy(`
udev_read_state(pulseaudio_t)
udev_read_db(pulseaudio_t)
')
optional_policy(`
xserver_stream_connect(pulseaudio_t)
- xserver_manage_xdm_tmp_files(pulseaudio_t)
xserver_read_xdm_lib_files(pulseaudio_t)
xserver_read_xdm_pid(pulseaudio_t)
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
-########################################
+optional_policy(`
+ virt_manage_tmpfs_files(pulseaudio_t)
+')
+
+#######################################
#
# Client local policy
#
@@ -210,8 +213,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
fs_getattr_tmpfs(pulseaudio_client)
-corenet_all_recvfrom_unlabeled(pulseaudio_client)
-corenet_all_recvfrom_netlabel(pulseaudio_client)
corenet_tcp_sendrecv_generic_if(pulseaudio_client)
corenet_tcp_sendrecv_generic_node(pulseaudio_client)
@@ -220,38 +221,33 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client)
pulseaudio_stream_connect(pulseaudio_client)
-pulseaudio_manage_home(pulseaudio_client)
-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, dir, ".pulse")
-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth")
-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie")
+pulseaudio_manage_home_files(pulseaudio_client)
pulseaudio_signull(pulseaudio_client)
-# TODO: ~/.cache
userdom_manage_user_home_content_files(pulseaudio_client)
-userdom_read_user_tmpfs_files(pulseaudio_client)
-# userdom_delete_user_tmpfs_files(pulseaudio_client)
+userdom_read_user_tmp_files(pulseaudio_client)
tunable_policy(`use_nfs_home_dirs',`
- fs_getattr_nfs(pulseaudio_client)
- fs_manage_nfs_dirs(pulseaudio_client)
- fs_manage_nfs_files(pulseaudio_client)
- fs_read_nfs_symlinks(pulseaudio_client)
+ fs_getattr_nfs(pulseaudio_client)
+ fs_manage_nfs_dirs(pulseaudio_client)
+ fs_manage_nfs_files(pulseaudio_client)
+ fs_read_nfs_symlinks(pulseaudio_client)
')
tunable_policy(`use_samba_home_dirs',`
- fs_getattr_cifs(pulseaudio_client)
- fs_manage_cifs_dirs(pulseaudio_client)
- fs_manage_cifs_files(pulseaudio_client)
- fs_read_cifs_symlinks(pulseaudio_client)
+ fs_getattr_cifs(pulseaudio_client)
+ fs_manage_cifs_dirs(pulseaudio_client)
+ fs_manage_cifs_files(pulseaudio_client)
+ fs_read_cifs_symlinks(pulseaudio_client)
')
optional_policy(`
- pulseaudio_dbus_chat(pulseaudio_client)
+ pulseaudio_dbus_chat(pulseaudio_client)
')
optional_policy(`
- rtkit_scheduled(pulseaudio_client)
+ rtkit_scheduled(pulseaudio_client)
')
optional_policy(`
diff --git a/puppet.fc b/puppet.fc
index d68e26d1f..3b08cfd9d 100644
--- a/puppet.fc
+++ b/puppet.fc
@@ -1,18 +1,23 @@
-/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
+/etc/puppetlabs(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
-/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppetagent_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
-/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
-/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+#helper scripts
+/usr/bin/start-puppet-agent -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/bin/start-puppet-master -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+/usr/bin/start-puppet-ca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
-/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/bin/puppet -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/bin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
-/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
+/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/sbin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
-/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
-
-/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
+/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
+/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
+/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
diff --git a/puppet.if b/puppet.if
index 7cb8b1f9c..bef72173b 100644
--- a/puppet.if
+++ b/puppet.if
@@ -1,4 +1,32 @@
-## <summary>Configuration management system.</summary>
+## <summary>Puppet client daemon</summary>
+## <desc>
+## <p>
+## Puppet is a configuration management system written in Ruby.
+## The client daemon is responsible for periodically requesting the
+## desired system state from the server and ensuring the state of
+## the client system matches.
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Execute puppet_master in the puppet_master
+## domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`puppet_domtrans_master',`
+ gen_require(`
+ type puppetmaster_t, puppetmaster_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, puppetmaster_exec_t, puppetmaster_t)
+')
########################################
## <summary>
@@ -40,16 +68,19 @@ interface(`puppet_domtrans_puppetca',`
#
interface(`puppet_run_puppetca',`
gen_require(`
- attribute_role puppetca_roles;
+ type puppetca_t, puppetca_exec_t;
')
puppet_domtrans_puppetca($1)
- roleattribute $2 puppetca_roles;
+ role $2 types puppetca_t;
')
-####################################
+################################################
## <summary>
-## Read puppet configuration content.
+## Read / Write to Puppet temp files. Puppet uses
+## some system binaries (groupadd, etc) that run in
+## a non-puppet domain and redirects output into temp
+## files.
## </summary>
## <param name="domain">
## <summary>
@@ -57,15 +88,13 @@ interface(`puppet_run_puppetca',`
## </summary>
## </param>
#
-interface(`puppet_read_config',`
+interface(`puppet_rw_tmp', `
gen_require(`
- type puppet_etc_t;
+ type puppet_tmp_t;
')
- files_search_etc($1)
- allow $1 puppet_etc_t:dir list_dir_perms;
- allow $1 puppet_etc_t:file read_file_perms;
- allow $1 puppet_etc_t:lnk_file read_lnk_file_perms;
+ allow $1 puppet_tmp_t:file rw_inherited_file_perms;
+ files_search_tmp($1)
')
################################################
@@ -78,158 +107,165 @@ interface(`puppet_read_config',`
## </summary>
## </param>
#
-interface(`puppet_read_lib_files',`
+interface(`puppet_read_lib',`
gen_require(`
type puppet_var_lib_t;
')
- files_search_var_lib($1)
read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
+ files_search_var_lib($1)
')
###############################################
## <summary>
-## Create, read, write, and delete
-## puppet lib files.
+## Manage Puppet lib files.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
-interface(`puppet_manage_lib_files',`
- gen_require(`
- type puppet_var_lib_t;
- ')
+interface(`puppet_manage_lib',`
+ gen_require(`
+ type puppet_var_lib_t;
+ ')
- files_search_var_lib($1)
- manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
+ manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
+ files_search_var_lib($1)
')
-#####################################
+######################################
## <summary>
-## Append puppet log files.
+## Allow the specified domain to search puppet's log files.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
-interface(`puppet_append_log_files',`
- gen_require(`
- type puppet_log_t;
- ')
+interface(`puppet_search_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
- logging_search_logs($1)
- append_files_pattern($1, puppet_log_t, puppet_log_t)
+ logging_search_logs($1)
+ allow $1 puppet_log_t:dir search_dir_perms;
')
#####################################
## <summary>
-## Create puppet log files.
+## Allow the specified domain to read puppet's log files.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
-interface(`puppet_create_log_files',`
- gen_require(`
- type puppet_log_t;
- ')
+interface(`puppet_read_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
- logging_search_logs($1)
- create_files_pattern($1, puppet_log_t, puppet_log_t)
+ logging_search_logs($1)
+ read_files_pattern($1, puppet_log_t, puppet_log_t)
')
#####################################
## <summary>
-## Read puppet log files.
+## Allow the specified domain to create puppet's log files.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
-interface(`puppet_read_log_files',`
- gen_require(`
- type puppet_log_t;
- ')
+interface(`puppet_create_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
- logging_search_logs($1)
- read_files_pattern($1, puppet_log_t, puppet_log_t)
+ logging_search_logs($1)
+ create_files_pattern($1, puppet_log_t, puppet_log_t)
')
-################################################
+####################################
## <summary>
-## Read and write to puppet tempoprary files.
+## Allow the specified domain to append puppet's log files.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
-interface(`puppet_rw_tmp', `
- gen_require(`
- type puppet_tmp_t;
- ')
+interface(`puppet_append_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
- files_search_tmp($1)
- allow $1 puppet_tmp_t:file rw_file_perms;
+ logging_search_logs($1)
+ append_files_pattern($1, puppet_log_t, puppet_log_t)
')
-########################################
+####################################
## <summary>
-## All of the rules required to
-## administrate an puppet environment.
+## Allow the specified domain to manage puppet's log files.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
#
-interface(`puppet_admin',`
- gen_require(`
- type puppet_initrc_exec_t, puppetmaster_initrc_exec_t, puppet_log_t;
- type puppet_var_lib_t, puppet_tmp_t, puppet_etc_t;
- type puppet_var_run_t, puppetmaster_tmp_t;
- type puppet_t, puppetca_t, puppetmaster_t;
- ')
-
- allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
+interface(`puppet_manage_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
- init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
- allow $2 system_r;
-
- files_search_etc($1)
- admin_pattern($1, puppet_etc_t)
+ logging_search_logs($1)
+ manage_files_pattern($1, puppet_log_t, puppet_log_t)
+')
- logging_search_logs($1)
- admin_pattern($1, puppet_log_t)
+####################################
+## <summary>
+## Allow the specified domain to read puppet's config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`puppet_read_config',`
+ gen_require(`
+ type puppet_etc_t;
+ ')
- files_search_var_lib($1)
- admin_pattern($1, puppet_var_lib_t)
+ files_search_etc($1)
+ list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
+ read_files_pattern($1, puppet_etc_t, puppet_etc_t)
+ read_lnk_files_pattern($1, puppet_etc_t, puppet_etc_t)
+')
+#####################################
+## <summary>
+## Allow the specified domain to search puppet's pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`puppet_search_pid',`
+ gen_require(`
+ type puppet_var_run_t;
+ ')
+
files_search_pids($1)
- admin_pattern($1, puppet_var_run_t)
-
- files_search_tmp($1)
- admin_pattern($1, { puppet_tmp_t puppetmaster_tmp_t })
-
- puppet_run_puppetca($1, $2)
+ allow $1 puppet_var_run_t:dir search_dir_perms;
')
diff --git a/puppet.te b/puppet.te
index 618dcfeed..56b9252c6 100644
--- a/puppet.te
+++ b/puppet.te
@@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0)
#
## <desc>
-## <p>
-## Determine whether puppet can
-## manage all non-security files.
-## </p>
+## <p>
+## Allow Puppet client to manage all file
+## types.
+## </p>
## </desc>
-gen_tunable(puppet_manage_all_files, false)
+gen_tunable(puppetagent_manage_all_files, false)
-attribute_role puppetca_roles;
-roleattribute system_r puppetca_roles;
+## <desc>
+## <p>
+## Allow Puppet master to use connect to MySQL and PostgreSQL database
+## </p>
+## </desc>
+gen_tunable(puppetmaster_use_db, false)
-type puppet_t;
-type puppet_exec_t;
-init_daemon_domain(puppet_t, puppet_exec_t)
+type puppetagent_t;
+type puppetagent_exec_t;
+typealias puppetagent_exec_t alias puppet_exec_t;
+typealias puppetagent_t alias puppet_t;
+init_daemon_domain(puppetagent_t, puppetagent_exec_t)
type puppet_etc_t;
files_config_file(puppet_etc_t)
-type puppet_initrc_exec_t;
-init_script_file(puppet_initrc_exec_t)
+type puppetagent_initrc_exec_t;
+typealias puppetagent_initrc_exec_t alias puppet_initrc_exec_t;
+init_script_file(puppetagent_initrc_exec_t)
type puppet_log_t;
logging_log_file(puppet_log_t)
@@ -37,12 +44,11 @@ files_type(puppet_var_lib_t)
type puppet_var_run_t;
files_pid_file(puppet_var_run_t)
-init_daemon_run_dir(puppet_var_run_t, "puppet")
type puppetca_t;
type puppetca_exec_t;
application_domain(puppetca_t, puppetca_exec_t)
-role puppetca_roles types puppetca_t;
+role system_r types puppetca_t;
type puppetmaster_t;
type puppetmaster_exec_t;
@@ -56,161 +62,178 @@ files_tmp_file(puppetmaster_tmp_t)
########################################
#
-# Local policy
+# Puppet personal policy
#
-allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config };
-allow puppet_t self:process { signal signull getsched setsched };
-allow puppet_t self:fifo_file rw_fifo_file_perms;
-allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
-allow puppet_t self:tcp_socket { accept listen };
-allow puppet_t self:udp_socket create_socket_perms;
-
-allow puppet_t puppet_etc_t:dir list_dir_perms;
-allow puppet_t puppet_etc_t:file read_file_perms;
-allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms;
-
-manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
-manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
-can_exec(puppet_t, puppet_var_lib_t)
-
-setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
-manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
-files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
-
-allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms };
-append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-read_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
-
-manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
-manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
-files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
-
-kernel_dontaudit_search_sysctl(puppet_t)
-kernel_dontaudit_search_kernel_sysctl(puppet_t)
-kernel_read_crypto_sysctls(puppet_t)
-kernel_read_kernel_sysctls(puppet_t)
-kernel_read_net_sysctls(puppet_t)
-kernel_read_network_state(puppet_t)
-
-corecmd_exec_bin(puppet_t)
-corecmd_exec_shell(puppet_t)
-corecmd_read_all_executables(puppet_t)
-
-corenet_all_recvfrom_netlabel(puppet_t)
-corenet_all_recvfrom_unlabeled(puppet_t)
-corenet_tcp_sendrecv_generic_if(puppet_t)
-corenet_tcp_sendrecv_generic_node(puppet_t)
-
-corenet_sendrecv_puppet_client_packets(puppet_t)
-corenet_tcp_connect_puppet_port(puppet_t)
-corenet_tcp_sendrecv_puppet_port(puppet_t)
-
-dev_read_rand(puppet_t)
-dev_read_sysfs(puppet_t)
-dev_read_urand(puppet_t)
-
-domain_interactive_fd(puppet_t)
-domain_read_all_domains_state(puppet_t)
-
-files_manage_config_files(puppet_t)
-files_manage_config_dirs(puppet_t)
-files_manage_etc_dirs(puppet_t)
-files_manage_etc_files(puppet_t)
-files_read_usr_files(puppet_t)
-files_read_usr_symlinks(puppet_t)
-files_relabel_config_dirs(puppet_t)
-files_relabel_config_files(puppet_t)
-files_search_var_lib(puppet_t)
-
-selinux_get_fs_mount(puppet_t)
-selinux_search_fs(puppet_t)
-selinux_set_all_booleans(puppet_t)
-selinux_set_generic_booleans(puppet_t)
-selinux_validate_context(puppet_t)
-
-term_dontaudit_getattr_unallocated_ttys(puppet_t)
-term_dontaudit_getattr_all_ttys(puppet_t)
-
-init_all_labeled_script_domtrans(puppet_t)
-init_domtrans_script(puppet_t)
-init_read_utmp(puppet_t)
-init_signull_script(puppet_t)
-
-logging_send_syslog_msg(puppet_t)
-
-miscfiles_read_hwdata(puppet_t)
-miscfiles_read_localization(puppet_t)
-
-mount_domtrans(puppet_t)
-
-seutil_domtrans_setfiles(puppet_t)
-seutil_domtrans_semanage(puppet_t)
-
-sysnet_run_ifconfig(puppet_t, system_r)
-sysnet_use_ldap(puppet_t)
-
-tunable_policy(`puppet_manage_all_files',`
- files_manage_non_auth_files(puppet_t)
+allow puppetagent_t self:capability { fowner fsetid setuid setgid dac_read_search sys_nice sys_tty_config };
+allow puppetagent_t self:process { signal signull getsched setsched };
+allow puppetagent_t self:fifo_file rw_fifo_file_perms;
+allow puppetagent_t self:netlink_route_socket create_netlink_socket_perms;
+allow puppetagent_t self:tcp_socket create_stream_socket_perms;
+allow puppetagent_t self:udp_socket create_socket_perms;
+
+read_files_pattern(puppetagent_t, puppet_etc_t, puppet_etc_t)
+read_lnk_files_pattern(puppetagent_t, puppet_etc_t, puppet_etc_t)
+
+manage_dirs_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
+files_search_var_lib(puppetagent_t)
+
+manage_dirs_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t)
+files_pid_filetrans(puppetagent_t, puppet_var_run_t, { file dir })
+
+create_dirs_pattern(puppetagent_t, var_log_t, puppet_log_t)
+create_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t)
+append_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t)
+logging_log_filetrans(puppetagent_t, puppet_log_t, { file dir })
+
+manage_dirs_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t)
+manage_files_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t)
+files_tmp_filetrans(puppetagent_t, puppet_tmp_t, { file dir })
+
+kernel_dontaudit_search_sysctl(puppetagent_t)
+kernel_dontaudit_search_kernel_sysctl(puppetagent_t)
+kernel_read_system_state(puppetagent_t)
+kernel_read_crypto_sysctls(puppetagent_t)
+kernel_read_kernel_sysctls(puppetagent_t)
+
+corecmd_read_all_executables(puppetagent_t)
+corecmd_dontaudit_access_all_executables(puppetagent_t)
+corecmd_exec_bin(puppetagent_t)
+corecmd_exec_shell(puppetagent_t)
+
+corenet_all_recvfrom_netlabel(puppetagent_t)
+corenet_tcp_sendrecv_generic_if(puppetagent_t)
+corenet_tcp_sendrecv_generic_node(puppetagent_t)
+corenet_tcp_bind_generic_node(puppetagent_t)
+corenet_tcp_connect_puppet_port(puppetagent_t)
+corenet_sendrecv_puppet_client_packets(puppetagent_t)
+
+dev_read_rand(puppetagent_t)
+dev_read_sysfs(puppetagent_t)
+dev_read_urand(puppetagent_t)
+
+domain_read_all_domains_state(puppetagent_t)
+domain_interactive_fd(puppetagent_t)
+domain_named_filetrans(puppetagent_t)
+
+files_manage_config_files(puppetagent_t)
+files_manage_config_dirs(puppetagent_t)
+files_manage_etc_dirs(puppetagent_t)
+files_manage_etc_files(puppetagent_t)
+files_read_usr_symlinks(puppetagent_t)
+files_relabel_config_dirs(puppetagent_t)
+files_relabel_config_files(puppetagent_t)
+
+selinux_set_all_booleans(puppetagent_t)
+selinux_set_generic_booleans(puppetagent_t)
+selinux_validate_context(puppetagent_t)
+
+term_dontaudit_getattr_unallocated_ttys(puppetagent_t)
+term_dontaudit_getattr_all_ttys(puppetagent_t)
+
+auth_use_nsswitch(puppetagent_t)
+
+init_all_labeled_script_domtrans(puppetagent_t)
+init_domtrans_script(puppetagent_t)
+init_read_utmp(puppetagent_t)
+init_signull_script(puppetagent_t)
+
+logging_send_syslog_msg(puppetagent_t)
+
+miscfiles_read_hwdata(puppetagent_t)
+
+seutil_domtrans_setfiles(puppetagent_t)
+seutil_domtrans_semanage(puppetagent_t)
+seutil_read_file_contexts(puppetagent_t)
+
+sysnet_run_ifconfig(puppetagent_t, system_r)
+
+usermanage_access_check_groupadd(puppetagent_t)
+usermanage_access_check_passwd(puppetagent_t)
+usermanage_access_check_useradd(puppetagent_t)
+
+tunable_policy(`puppetagent_manage_all_files',`
+ files_manage_non_security_files(puppetagent_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(puppetagent_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(puppetagent_t)
+')
+
+optional_policy(`
+ cfengine_read_lib_files(puppetagent_t)
+')
+
+optional_policy(`
+ consoletype_exec(puppetagent_t)
')
optional_policy(`
- cfengine_read_lib_files(puppet_t)
+ hostname_exec(puppetagent_t)
')
optional_policy(`
- consoletype_exec(puppet_t)
+ mount_domtrans(puppetagent_t)
')
optional_policy(`
- hostname_exec(puppet_t)
+ mta_send_mail(puppetagent_t)
')
optional_policy(`
- mount_domtrans(puppet_t)
+ networkmanager_dbus_chat(puppetagent_t)
')
optional_policy(`
- mta_send_mail(puppet_t)
+ firewalld_dbus_chat(puppetagent_t)
')
optional_policy(`
- portage_domtrans(puppet_t)
- portage_domtrans_fetch(puppet_t)
- portage_domtrans_gcc_config(puppet_t)
+ portage_domtrans(puppetagent_t)
+ portage_domtrans_fetch(puppetagent_t)
+ portage_domtrans_gcc_config(puppetagent_t)
+')
+
+optional_policy(`
+ files_rw_var_files(puppetagent_t)
+
+ rpm_domtrans(puppetagent_t)
+ rpm_manage_db(puppetagent_t)
+ rpm_manage_log(puppetagent_t)
')
optional_policy(`
- files_rw_var_files(puppet_t)
+ shorewall_domtrans(puppetagent_t)
+')
- rpm_domtrans(puppet_t)
- rpm_manage_db(puppet_t)
- rpm_manage_log(puppet_t)
+optional_policy(`
+ unconfined_domain_noaudit(puppetagent_t)
')
optional_policy(`
- unconfined_domain(puppet_t)
+ shorewall_domtrans(puppet_t)
')
optional_policy(`
- usermanage_domtrans_groupadd(puppet_t)
- usermanage_domtrans_useradd(puppet_t)
+ rhsmcertd_dbus_chat(puppetagent_t)
')
########################################
#
-# Ca local policy
+# PuppetCA personal policy
#
-allow puppetca_t self:capability { dac_override setgid setuid };
+allow puppetca_t self:capability { dac_read_search setgid setuid };
allow puppetca_t self:fifo_file rw_fifo_file_perms;
-allow puppetca_t puppet_etc_t:dir list_dir_perms;
-allow puppetca_t puppet_etc_t:file read_file_perms;
-allow puppetca_t puppet_etc_t:lnk_file read_lnk_file_perms;
+read_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t)
+read_lnk_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t)
allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
@@ -221,6 +244,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
allow puppetca_t puppet_var_run_t:dir search_dir_perms;
kernel_read_system_state(puppetca_t)
+# Maybe dontaudit this like we did with other puppet domains?
kernel_read_kernel_sysctls(puppetca_t)
corecmd_exec_bin(puppetca_t)
@@ -229,15 +253,12 @@ corecmd_exec_shell(puppetca_t)
dev_read_urand(puppetca_t)
dev_search_sysfs(puppetca_t)
-files_read_etc_files(puppetca_t)
-files_search_pids(puppetca_t)
files_search_var_lib(puppetca_t)
selinux_validate_context(puppetca_t)
logging_search_logs(puppetca_t)
-miscfiles_read_localization(puppetca_t)
miscfiles_read_generic_certs(puppetca_t)
seutil_read_file_contexts(puppetca_t)
@@ -246,38 +267,48 @@ optional_policy(`
hostname_exec(puppetca_t)
')
+optional_policy(`
+ mta_sendmail_access_check(puppetca_t)
+')
+
+
########################################
#
-# Master local policy
+# Pupper master personal policy
#
-allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
+allow puppetmaster_t self:capability { dac_read_search setuid setgid fowner chown fsetid sys_tty_config };
allow puppetmaster_t self:process { signal_perms getsched setsched };
allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
-allow puppetmaster_t self:netlink_route_socket nlmsg_write;
+allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
allow puppetmaster_t self:socket create;
-allow puppetmaster_t self:tcp_socket { accept listen };
+allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
+allow puppetmaster_t self:udp_socket create_socket_perms;
-allow puppetmaster_t puppet_etc_t:dir list_dir_perms;
-allow puppetmaster_t puppet_etc_t:file read_file_perms;
-allow puppetmaster_t puppet_etc_t:lnk_file read_lnk_file_perms;
+list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+read_lnk_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
-allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
-append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
+allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
+allow puppetmaster_t puppet_log_t:file relabel_file_perms;
-allow puppetmaster_t puppet_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
-allow puppetmaster_t puppet_var_lib_t:file { manage_file_perms relabel_file_perms };
+manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
+allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms;
-allow puppetmaster_t puppet_var_run_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms };
-allow puppetmaster_t puppet_var_run_t:file manage_file_perms;
+setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
+allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
-allow puppetmaster_t puppetmaster_tmp_t:dir { manage_dir_perms relabel_dir_perms };
-allow puppetmaster_t puppetmaster_tmp_t:file manage_file_perms;
+manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
+allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
kernel_read_network_state(puppetmaster_t)
@@ -289,23 +320,24 @@ corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
corenet_all_recvfrom_netlabel(puppetmaster_t)
-corenet_all_recvfrom_unlabeled(puppetmaster_t)
corenet_tcp_sendrecv_generic_if(puppetmaster_t)
corenet_tcp_sendrecv_generic_node(puppetmaster_t)
corenet_tcp_bind_generic_node(puppetmaster_t)
-
-corenet_sendrecv_puppet_server_packets(puppetmaster_t)
corenet_tcp_bind_puppet_port(puppetmaster_t)
-corenet_tcp_sendrecv_puppet_port(puppetmaster_t)
+corenet_sendrecv_puppet_server_packets(puppetmaster_t)
+corenet_tcp_connect_ntop_port(puppetmaster_t)
+
+# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports.
+corenet_udp_bind_generic_node(puppetmaster_t)
+corenet_udp_bind_generic_port(puppetmaster_t)
dev_read_rand(puppetmaster_t)
dev_read_urand(puppetmaster_t)
dev_search_sysfs(puppetmaster_t)
-domain_obj_id_change_exemption(puppetmaster_t)
domain_read_all_domains_state(puppetmaster_t)
+domain_obj_id_change_exemption(puppetmaster_t)
-files_read_usr_files(puppetmaster_t)
selinux_validate_context(puppetmaster_t)
@@ -314,26 +346,32 @@ auth_use_nsswitch(puppetmaster_t)
logging_send_syslog_msg(puppetmaster_t)
miscfiles_read_generic_certs(puppetmaster_t)
-miscfiles_read_localization(puppetmaster_t)
seutil_read_file_contexts(puppetmaster_t)
sysnet_run_ifconfig(puppetmaster_t, system_r)
+mta_send_mail(puppetmaster_t)
+
optional_policy(`
- hostname_exec(puppetmaster_t)
+ tunable_policy(`puppetmaster_use_db',`
+ mysql_stream_connect(puppetmaster_t)
+ ')
')
optional_policy(`
- mta_send_mail(puppetmaster_t)
+ tunable_policy(`puppetmaster_use_db',`
+ postgresql_stream_connect(puppetmaster_t)
+ ')
')
optional_policy(`
- mysql_stream_connect(puppetmaster_t)
+ systemd_dbus_chat_timedated(puppetagent_t)
+ systemd_dbus_chat_timedated(puppetmaster_t)
')
optional_policy(`
- postgresql_stream_connect(puppetmaster_t)
+ hostname_exec(puppetmaster_t)
')
optional_policy(`
@@ -342,3 +380,9 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
+
+optional_policy(`
+ usermanage_access_check_groupadd(puppetmaster_t)
+ usermanage_access_check_passwd(puppetmaster_t)
+ usermanage_access_check_useradd(puppetmaster_t)
+')
diff --git a/pwauth.fc b/pwauth.fc
index 7e7b44434..e2f8687db 100644
--- a/pwauth.fc
+++ b/pwauth.fc
@@ -1,3 +1,3 @@
-/usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0)
+/usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0)
-/var/run/pwauth\.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0)
+/var/run/pwauth.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0)
diff --git a/pwauth.if b/pwauth.if
index 1148dce1a..86d25ea26 100644
--- a/pwauth.if
+++ b/pwauth.if
@@ -1,72 +1,74 @@
-## <summary>External plugin for mod_authnz_external authenticator.</summary>
+
+## <summary>policy for pwauth</summary>
########################################
## <summary>
-## Role access for pwauth.
+## Transition to pwauth.
## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
## <param name="domain">
-## <summary>
-## User domain for the role.
-## </summary>
+## <summary>
+## Domain allowed to transition.
+## </summary>
## </param>
#
-interface(`pwauth_role',`
+interface(`pwauth_domtrans',`
gen_require(`
- type pwauth_t;
+ type pwauth_t, pwauth_exec_t;
')
- pwauth_run($2, $1)
-
- ps_process_pattern($2, pwauth_t)
- allow $2 pwauth_t:process { ptrace signal_perms };
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pwauth_exec_t, pwauth_t)
')
########################################
## <summary>
-## Execute pwauth in the pwauth domain.
+## Execute pwauth in the pwauth domain, and
+## allow the specified role the pwauth domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed to transition
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the pwauth domain.
## </summary>
## </param>
#
-interface(`pwauth_domtrans',`
+interface(`pwauth_run',`
gen_require(`
- type pwauth_t, pwauth_exec_t;
+ type pwauth_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, pwauth_exec_t, pwauth_t)
+ pwauth_domtrans($1)
+ role $2 types pwauth_t;
')
########################################
## <summary>
-## Execute pwauth in the pwauth
-## domain, and allow the specified
-## role the pwauth domain.
+## Role access for pwauth
## </summary>
-## <param name="domain">
+## <param name="role">
## <summary>
-## Domain allowed to transition.
+## Role allowed access
## </summary>
## </param>
-## <param name="role">
+## <param name="domain">
## <summary>
-## Role allowed access.
+## User domain for the role
## </summary>
## </param>
#
-interface(`pwauth_run',`
+interface(`pwauth_role',`
gen_require(`
- attribute_role pwauth_roles;
+ type pwauth_t;
')
- pwauth_domtrans($1)
- roleattribute $2 pwauth_roles;
+ role $1 types pwauth_t;
+
+ pwauth_domtrans($2)
+
+ ps_process_pattern($2, pwauth_t)
+ allow $2 pwauth_t:process signal;
')
diff --git a/pwauth.te b/pwauth.te
index 3078e349e..215df880c 100644
--- a/pwauth.te
+++ b/pwauth.te
@@ -5,26 +5,23 @@ policy_module(pwauth, 1.0.0)
# Declarations
#
-attribute_role pwauth_roles;
-roleattribute system_r pwauth_roles;
-
type pwauth_t;
type pwauth_exec_t;
application_domain(pwauth_t, pwauth_exec_t)
-role pwauth_roles types pwauth_t;
+role system_r types pwauth_t;
type pwauth_var_run_t;
files_pid_file(pwauth_var_run_t)
########################################
#
-# Local policy
+# pwauth local policy
#
-
allow pwauth_t self:capability setuid;
allow pwauth_t self:process setrlimit;
+
allow pwauth_t self:fifo_file manage_fifo_file_perms;
-allow pwauth_t self:unix_stream_socket { accept listen };
+allow pwauth_t self:unix_stream_socket create_stream_socket_perms;
manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t)
files_pid_filetrans(pwauth_t, pwauth_var_run_t, file)
@@ -33,10 +30,10 @@ domain_use_interactive_fds(pwauth_t)
auth_domtrans_chkpwd(pwauth_t)
auth_use_nsswitch(pwauth_t)
+auth_read_shadow(pwauth_t)
+auth_rw_lastlog(pwauth_t)
init_read_utmp(pwauth_t)
logging_send_syslog_msg(pwauth_t)
logging_send_audit_msgs(pwauth_t)
-
-miscfiles_read_localization(pwauth_t)
diff --git a/pxe.te b/pxe.te
index 06bec9ba9..1b32632dc 100644
--- a/pxe.te
+++ b/pxe.te
@@ -50,15 +50,12 @@ dev_read_sysfs(pxe_t)
domain_use_interactive_fds(pxe_t)
-files_read_etc_files(pxe_t)
fs_getattr_all_fs(pxe_t)
fs_search_auto_mountpoints(pxe_t)
logging_send_syslog_msg(pxe_t)
-miscfiles_read_localization(pxe_t)
-
userdom_dontaudit_use_unpriv_user_fds(pxe_t)
userdom_dontaudit_search_user_home_dirs(pxe_t)
diff --git a/pyicqt.fc b/pyicqt.fc
deleted file mode 100644
index 0c143e3e8..000000000
--- a/pyicqt.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-/etc/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_conf_t,s0)
-
-/etc/rc\.d/init\.d/pyicq-t -- gen_context(system_u:object_r:pyicqt_initrc_exec_t,s0)
-
-/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0)
-
-/var/log/pyicq-t\.log.* -- gen_context(system_u:object_r:pyicqt_log_t,s0)
-
-/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)
-
-/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0)
diff --git a/pyicqt.if b/pyicqt.if
deleted file mode 100644
index 0ccea828a..000000000
--- a/pyicqt.if
+++ /dev/null
@@ -1,45 +0,0 @@
-## <summary>ICQ transport for XMPP server.</summary>
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an pyicqt environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`pyicqt_admin',`
- gen_require(`
- type pyicqt_t, pyicqt_log_t, pyicqt_spool_t;
- type pyicqt_var_run_t, pyicqt_initrc_exec_t, pyicqt_conf_t;
- ')
-
- allow $1 pyicqt_t:process { ptrace signal_perms };
- ps_process_pattern($1, pyicqt_t)
-
- init_labeled_script_domtrans($1, pyicqt_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pyicqt_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_etc($1)
- admin_pattern($1, pyicqt_conf_t)
-
- logging_search_logs($1)
- admin_pattern($1, pyicqt_log_t)
-
- files_search_spool($1)
- admin_pattern($1, pyicqt_spool_t)
-
- files_search_pids($1)
- admin_pattern($1, pyicqt_var_run_t)
-')
diff --git a/pyicqt.te b/pyicqt.te
deleted file mode 100644
index f2863ded4..000000000
--- a/pyicqt.te
+++ /dev/null
@@ -1,92 +0,0 @@
-policy_module(pyicqt, 1.1.0)
-
-########################################
-#
-# Declarations
-#
-
-type pyicqt_t;
-type pyicqt_exec_t;
-init_daemon_domain(pyicqt_t, pyicqt_exec_t)
-
-type pyicqt_initrc_exec_t;
-init_script_file(pyicqt_initrc_exec_t)
-
-type pyicqt_conf_t;
-files_config_file(pyicqt_conf_t)
-
-type pyicqt_log_t;
-logging_log_file(pyicqt_log_t)
-
-type pyicqt_spool_t;
-files_type(pyicqt_spool_t)
-
-type pyicqt_var_run_t;
-files_pid_file(pyicqt_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow pyicqt_t self:process signal_perms;
-allow pyicqt_t self:fifo_file rw_fifo_file_perms;
-allow pyicqt_t self:tcp_socket { accept listen };
-
-read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t)
-
-allow pyicqt_t pyicqt_log_t:file append_file_perms;
-allow pyicqt_t pyicqt_log_t:file create_file_perms;
-allow pyicqt_t pyicqt_log_t:file setattr_file_perms;
-logging_log_filetrans(pyicqt_t, pyicqt_log_t, file)
-
-manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
-manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
-files_spool_filetrans(pyicqt_t, pyicqt_spool_t, dir)
-
-manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
-files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
-
-kernel_read_system_state(pyicqt_t)
-
-corecmd_exec_bin(pyicqt_t)
-
-corenet_all_recvfrom_unlabeled(pyicqt_t)
-corenet_all_recvfrom_netlabel(pyicqt_t)
-corenet_tcp_sendrecv_generic_if(pyicqt_t)
-corenet_tcp_sendrecv_generic_node(pyicqt_t)
-corenet_tcp_bind_generic_node(pyicqt_t)
-
-# corenet_sendrecv_jabber_router_server_packets(pyicqt_t)
-# corenet_tcp_bind_jabber_router_port(pyicqt_t)
-# corenet_sendrecv_jabber_router_client_packets(pyicqt_t)
-# corenet_tcp_connect_jabber_router_port(pyicqt_t)
-# corenet_tcp_sendrecv_jabber_router_port(pyicqt_t)
-
-dev_read_sysfs(pyicqt_t)
-dev_read_urand(pyicqt_t)
-
-files_read_usr_files(pyicqt_t)
-
-fs_getattr_all_fs(pyicqt_t)
-
-auth_use_nsswitch(pyicqt_t)
-
-libs_read_lib_files(pyicqt_t)
-
-logging_send_syslog_msg(pyicqt_t)
-
-miscfiles_read_localization(pyicqt_t)
-
-optional_policy(`
- jabber_manage_lib_files(pyicqt_t)
-')
-
-optional_policy(`
- mysql_stream_connect(pyicqt_t)
- mysql_tcp_connect(pyicqt_t)
-')
-
-optional_policy(`
- seutil_sigchld_newrole(pyicqt_t)
-')
diff --git a/pyzor.fc b/pyzor.fc
index af13139a1..a927c5a15 100644
--- a/pyzor.fc
+++ b/pyzor.fc
@@ -1,12 +1,13 @@
-HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
-
-/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
-
+/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
-/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
-/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
-/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0)
+/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
+/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
+/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0)
/var/log/pyzord\.log.* -- gen_context(system_u:object_r:pyzord_log_t,s0)
diff --git a/pyzor.if b/pyzor.if
index 593c03d09..2c411af3e 100644
--- a/pyzor.if
+++ b/pyzor.if
@@ -2,7 +2,7 @@
########################################
## <summary>
-## Role access for pyzor.
+## Role access for pyzor
## </summary>
## <param name="role">
## <summary>
@@ -14,31 +14,30 @@
## User domain for the role
## </summary>
## </param>
+## <rolecap/>
#
interface(`pyzor_role',`
gen_require(`
- attribute_role pyzor_roles;
- type pyzor_t, pyzor_exec_t, pyzor_home_t;
- type pyzor_tmp_t;
+ type pyzor_t, pyzor_exec_t;
+ type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t;
')
- roleattribute $1 pyzor_roles;
+ role $1 types pyzor_t;
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, pyzor_exec_t, pyzor_t)
- allow $2 pyzor_t:process { ptrace signal_perms };
+ # allow ps to show pyzor and allow the user to kill it
ps_process_pattern($2, pyzor_t)
-
- allow $2 { pyzor_home_t pyzor_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { pyzor_home_t pyzor_tmp_t }:file { manage_file_perms relabel_file_perms };
- allow $2 pyzor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
- userdom_user_home_dir_filetrans($2, pyzor_home_t, dir, ".pyzor")
+ allow $2 pyzor_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 pyzor_t:process ptrace;
+ ')
')
########################################
## <summary>
-## Send generic signals to pyzor.
+## Send generic signals to pyzor
## </summary>
## <param name="domain">
## <summary>
@@ -69,6 +68,7 @@ interface(`pyzor_domtrans',`
type pyzor_exec_t, pyzor_t;
')
+ files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, pyzor_exec_t, pyzor_t)
')
@@ -88,14 +88,15 @@ interface(`pyzor_exec',`
type pyzor_exec_t;
')
+ files_search_usr($1)
corecmd_search_bin($1)
can_exec($1, pyzor_exec_t)
')
########################################
## <summary>
-## All of the rules required to
-## administrate an pyzor environment.
+## All of the rules required to administrate
+## an pyzor environment
## </summary>
## <param name="domain">
## <summary>
@@ -104,33 +105,37 @@ interface(`pyzor_exec',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the pyzor domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`pyzor_admin',`
gen_require(`
- type pyzord_t, pyzord_initrc_exec_t, pyzord_log_t;
- type pyzor_var_lib_t, pyzor_etc_t;
+ type pyzord_t, pyzor_tmp_t, pyzord_log_t;
+ type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t;
')
- allow $1 pyzord_t:process { ptrace signal_perms };
+ allow $1 pyzord_t:process signal_perms;
ps_process_pattern($1, pyzord_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 pyzord_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 pyzord_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
- admin_pattern($1, pyzor_etc_t)
+ files_list_tmp($1)
+ admin_pattern($1, pyzor_tmp_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, pyzord_log_t)
- files_search_var_lib($1)
- admin_pattern($1, pyzor_var_lib_t)
+ files_list_etc($1)
+ admin_pattern($1, pyzor_etc_t)
- pyzor_role($2, $1)
+ files_list_var_lib($1)
+ admin_pattern($1, pyzor_var_lib_t)
')
diff --git a/pyzor.te b/pyzor.te
index 2439d1304..d7bd6e9a1 100644
--- a/pyzor.te
+++ b/pyzor.te
@@ -5,57 +5,78 @@ policy_module(pyzor, 2.3.0)
# Declarations
#
-attribute_role pyzor_roles;
-roleattribute system_r pyzor_roles;
-
-type pyzor_t;
-type pyzor_exec_t;
-typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
-typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
-userdom_user_application_domain(pyzor_t, pyzor_exec_t)
-role pyzor_roles types pyzor_t;
-
-type pyzor_etc_t;
-files_type(pyzor_etc_t)
-
-type pyzor_home_t;
-typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
-typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
-userdom_user_home_content(pyzor_home_t)
-
-type pyzor_tmp_t;
-typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
-typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
-userdom_user_tmp_file(pyzor_tmp_t)
-
-type pyzor_var_lib_t;
-typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
-typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
-files_type(pyzor_var_lib_t)
-ubac_constrained(pyzor_var_lib_t)
-
-type pyzord_t;
-type pyzord_exec_t;
-init_daemon_domain(pyzord_t, pyzord_exec_t)
-
-type pyzord_initrc_exec_t;
-init_script_file(pyzord_initrc_exec_t)
-
-type pyzord_log_t;
-logging_log_file(pyzord_log_t)
+ifdef(`distro_redhat',`
+ gen_require(`
+ type spamc_t, spamc_exec_t, spamd_t;
+ type spamd_initrc_exec_t, spamd_exec_t, spamc_tmp_t;
+ type spamd_log_t, spamd_var_lib_t, spamd_etc_t;
+ type spamc_tmp_t, spamc_home_t;
+ ')
+
+ typealias spamc_t alias pyzor_t;
+ typealias spamc_exec_t alias pyzor_exec_t;
+ typealias spamd_t alias pyzord_t;
+ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
+ typealias spamd_exec_t alias pyzord_exec_t;
+ typealias spamc_tmp_t alias pyzor_tmp_t;
+ typealias spamd_log_t alias pyzor_log_t;
+ typealias spamd_log_t alias pyzord_log_t;
+ typealias spamd_var_lib_t alias pyzor_var_lib_t;
+ typealias spamd_etc_t alias pyzor_etc_t;
+ typealias spamc_home_t alias pyzor_home_t;
+ typealias spamc_home_t alias user_pyzor_home_t;
+',`
+ type pyzor_t;
+ type pyzor_exec_t;
+ typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
+ typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
+ application_domain(pyzor_t, pyzor_exec_t)
+ ubac_constrained(pyzor_t)
+ role system_r types pyzor_t;
+
+ type pyzor_etc_t;
+ files_config_file(pyzor_etc_t)
+
+ type pyzor_home_t;
+ typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
+ typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
+ userdom_user_home_content(pyzor_home_t)
+
+ type pyzor_tmp_t;
+ typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
+ typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
+ files_tmp_file(pyzor_tmp_t)
+ ubac_constrained(pyzor_tmp_t)
+
+ type pyzor_var_lib_t;
+ typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
+ typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
+ files_type(pyzor_var_lib_t)
+ ubac_constrained(pyzor_var_lib_t)
+
+ type pyzord_t;
+ type pyzord_exec_t;
+ init_daemon_domain(pyzord_t, pyzord_exec_t)
+
+ type pyzord_log_t;
+ logging_log_file(pyzord_log_t)
+')
########################################
#
-# Local policy
+# Pyzor client local policy
#
+allow pyzor_t self:udp_socket create_socket_perms;
+
manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
-userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, dir, ".pyzor")
+userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file })
allow pyzor_t pyzor_var_lib_t:dir list_dir_perms;
read_files_pattern(pyzor_t, pyzor_var_lib_t, pyzor_var_lib_t)
+files_search_var_lib(pyzor_t)
manage_files_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t)
manage_dirs_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t)
@@ -67,41 +88,28 @@ kernel_read_system_state(pyzor_t)
corecmd_list_bin(pyzor_t)
corecmd_getattr_bin_files(pyzor_t)
-corenet_all_recvfrom_unlabeled(pyzor_t)
-corenet_all_recvfrom_netlabel(pyzor_t)
corenet_tcp_sendrecv_generic_if(pyzor_t)
+corenet_udp_sendrecv_generic_if(pyzor_t)
corenet_tcp_sendrecv_generic_node(pyzor_t)
-
-corenet_sendrecv_http_client_packets(pyzor_t)
+corenet_udp_sendrecv_generic_node(pyzor_t)
+corenet_tcp_sendrecv_all_ports(pyzor_t)
+corenet_udp_sendrecv_all_ports(pyzor_t)
corenet_tcp_connect_http_port(pyzor_t)
-corenet_tcp_sendrecv_http_port(pyzor_t)
dev_read_urand(pyzor_t)
-fs_getattr_all_fs(pyzor_t)
-fs_search_auto_mountpoints(pyzor_t)
+fs_getattr_xattr_fs(pyzor_t)
+
auth_use_nsswitch(pyzor_t)
-miscfiles_read_localization(pyzor_t)
mta_read_queue(pyzor_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(pyzor_t)
- fs_manage_nfs_files(pyzor_t)
- fs_manage_nfs_symlinks(pyzor_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(pyzor_t)
- fs_manage_cifs_files(pyzor_t)
- fs_manage_cifs_symlinks(pyzor_t)
-')
+userdom_dontaudit_search_user_home_dirs(pyzor_t)
optional_policy(`
- amavis_manage_lib_files(pyzor_t)
- amavis_manage_spool_files(pyzor_t)
+ antivirus_manage_db(pyzor_t)
')
optional_policy(`
@@ -111,25 +119,24 @@ optional_policy(`
########################################
#
-# Daemon local policy
+# Pyzor server local policy
#
-allow pyzord_t pyzor_var_lib_t:dir setattr_dir_perms;
+allow pyzord_t self:udp_socket create_socket_perms;
+
manage_files_pattern(pyzord_t, pyzor_var_lib_t, pyzor_var_lib_t)
+allow pyzord_t pyzor_var_lib_t:dir setattr;
files_var_lib_filetrans(pyzord_t, pyzor_var_lib_t, { file dir })
+read_files_pattern(pyzord_t, pyzor_etc_t, pyzor_etc_t)
allow pyzord_t pyzor_etc_t:dir list_dir_perms;
-allow pyzord_t pyzor_etc_t:file read_file_perms;
-allow pyzord_t pyzor_etc_t:lnk_file read_lnk_file_perms;
+can_exec(pyzord_t, pyzor_exec_t)
+
+manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
allow pyzord_t pyzord_log_t:dir setattr_dir_perms;
-append_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
-create_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
-setattr_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir })
-can_exec(pyzord_t, pyzor_exec_t)
-
kernel_read_kernel_sysctls(pyzord_t)
kernel_read_system_state(pyzord_t)
@@ -137,24 +144,25 @@ dev_read_urand(pyzord_t)
corecmd_exec_bin(pyzord_t)
-corenet_all_recvfrom_unlabeled(pyzord_t)
corenet_all_recvfrom_netlabel(pyzord_t)
corenet_udp_sendrecv_generic_if(pyzord_t)
corenet_udp_sendrecv_generic_node(pyzord_t)
+corenet_udp_sendrecv_all_ports(pyzord_t)
corenet_udp_bind_generic_node(pyzord_t)
-
-corenet_sendrecv_pyzor_server_packets(pyzord_t)
corenet_udp_bind_pyzor_port(pyzord_t)
-corenet_udp_sendrecv_pyzor_port(pyzord_t)
+corenet_sendrecv_pyzor_server_packets(pyzord_t)
-auth_use_nsswitch(pyzord_t)
-logging_send_syslog_msg(pyzord_t)
+auth_use_nsswitch(pyzord_t)
locallogin_dontaudit_use_fds(pyzord_t)
-miscfiles_read_localization(pyzord_t)
+# Do not audit attempts to access /root.
userdom_dontaudit_search_user_home_dirs(pyzord_t)
mta_manage_spool(pyzord_t)
+
+optional_policy(`
+ logging_send_syslog_msg(pyzord_t)
+')
diff --git a/qemu.fc b/qemu.fc
index 86ea53ce1..a2dcf7bb2 100644
--- a/qemu.fc
+++ b/qemu.fc
@@ -1,4 +1,4 @@
-/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --git a/qemu.if b/qemu.if
index eaf56b8b0..408cdccaf 100644
--- a/qemu.if
+++ b/qemu.if
@@ -1,19 +1,21 @@
-## <summary>QEMU machine emulator and virtualizer.</summary>
+## <summary>QEMU machine emulator and virtualizer</summary>
-#######################################
+########################################
## <summary>
-## The template to define a qemu domain.
+## Creates types and rules for a basic
+## qemu process domain.
## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
## <summary>
-## Domain prefix to be used.
+## Prefix for the domain.
## </summary>
## </param>
#
template(`qemu_domain_template',`
+
##############################
#
- # Declarations
+ # Local Policy
#
type $1_t;
@@ -22,12 +24,15 @@ template(`qemu_domain_template',`
type $1_tmp_t;
files_tmp_file($1_tmp_t)
+ type $1_tmpfs_t;
+ files_tmpfs_file($1_tmpfs_t)
+
##############################
#
- # Policy
+ # Local Policy
#
- allow $1_t self:capability { dac_read_search dac_override };
+ allow $1_t self:capability { dac_read_search };
allow $1_t self:process { execstack execmem signal getsched };
allow $1_t self:fifo_file rw_file_perms;
allow $1_t self:shm create_shm_perms;
@@ -39,9 +44,12 @@ template(`qemu_domain_template',`
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { file dir })
+
kernel_read_system_state($1_t)
- corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
corenet_tcp_sendrecv_generic_if($1_t)
corenet_tcp_sendrecv_generic_node($1_t)
@@ -61,7 +69,6 @@ template(`qemu_domain_template',`
fs_list_inotifyfs($1_t)
fs_rw_anon_inodefs_files($1_t)
- fs_rw_tmpfs_files($1_t)
storage_raw_write_removable_device($1_t)
storage_raw_read_removable_device($1_t)
@@ -70,11 +77,10 @@ template(`qemu_domain_template',`
term_getattr_pty_fs($1_t)
term_use_generic_ptys($1_t)
- miscfiles_read_localization($1_t)
sysnet_read_config($1_t)
- userdom_use_user_terminals($1_t)
+ userdom_use_inherited_user_terminals($1_t)
userdom_attach_admin_tun_iface($1_t)
optional_policy(`
@@ -98,38 +104,12 @@ template(`qemu_domain_template',`
########################################
## <summary>
-## Role access for qemu.
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role.
-## </summary>
-## </param>
-#
-template(`qemu_role',`
- gen_require(`
- type qemu_t;
- ')
-
- qemu_run($2, $1)
-
- allow $2 qemu_t:process { ptrace signal_perms };
- ps_process_pattern($2, qemu_t)
-')
-
-########################################
-## <summary>
## Execute a domain transition to run qemu.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`qemu_domtrans',`
@@ -137,18 +117,17 @@ interface(`qemu_domtrans',`
type qemu_t, qemu_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, qemu_exec_t, qemu_t)
')
########################################
## <summary>
-## Execute a qemu in the caller domain.
+## Execute a qemu in the callers domain
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
interface(`qemu_exec',`
@@ -156,15 +135,12 @@ interface(`qemu_exec',`
type qemu_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, qemu_exec_t)
')
########################################
## <summary>
-## Execute qemu in the qemu domain,
-## and allow the specified role the
-## qemu domain.
+## Execute qemu in the qemu domain.
## </summary>
## <param name="domain">
## <summary>
@@ -173,23 +149,25 @@ interface(`qemu_exec',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to allow the qemu domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`qemu_run',`
gen_require(`
- attribute_role qemu_roles;
+ type qemu_t;
')
qemu_domtrans($1)
- roleattribute $2 qemu_roles;
+ role $2 types qemu_t;
+ allow qemu_t $1:process signull;
+ allow $1 qemu_t:process signull;
')
########################################
## <summary>
-## Read qemu process state files.
+## Allow the domain to read state files in /proc.
## </summary>
## <param name="domain">
## <summary>
@@ -202,15 +180,12 @@ interface(`qemu_read_state',`
type qemu_t;
')
- kernel_search_proc($1)
- allow $1 qemu_t:dir list_dir_perms;
- allow $1 qemu_t:file read_file_perms;
- allow $1 qemu_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, qemu_t, qemu_t)
')
########################################
## <summary>
-## Set qemu scheduler.
+## Set the schedule on qemu.
## </summary>
## <param name="domain">
## <summary>
@@ -228,7 +203,7 @@ interface(`qemu_setsched',`
########################################
## <summary>
-## Send generic signals to qemu.
+## Send a signal to qemu.
## </summary>
## <param name="domain">
## <summary>
@@ -246,7 +221,7 @@ interface(`qemu_signal',`
########################################
## <summary>
-## Send kill signals to qemu.
+## Send a sigill to qemu
## </summary>
## <param name="domain">
## <summary>
@@ -264,28 +239,68 @@ interface(`qemu_kill',`
########################################
## <summary>
-## Execute a domain transition to
-## run qemu unconfined.
+## Execute qemu_exec_t
+## in the specified domain but do not
+## do it automatically. This is an explicit
+## transition, requiring the caller to use setexeccon().
## </summary>
+## <desc>
+## <p>
+## Execute qemu_exec_t
+## in the specified domain. This allows
+## the specified domain to qemu programs
+## on these filesystems in the specified
+## domain.
+## </p>
+## </desc>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
## </summary>
## </param>
#
-interface(`qemu_domtrans_unconfined',`
+interface(`qemu_spec_domtrans',`
gen_require(`
- type unconfined_qemu_t, qemu_exec_t;
+ type qemu_exec_t;
')
+
+ read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t)
+ domain_transition_pattern($1, qemu_exec_t, $2)
+ domain_entry_file($2,qemu_exec_t)
+ can_exec($1,qemu_exec_t)
+
+ allow $2 $1:fd use;
+ allow $2 $1:fifo_file rw_fifo_file_perms;
+ allow $2 $1:process sigchld;
+')
- corecmd_search_bin($1)
- domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t)
+########################################
+## <summary>
+## Execute qemu unconfined programs in the role.
+## </summary>
+## <param name="role">
+## <summary>
+## The role to allow the qemu unconfined domain.
+## </summary>
+## </param>
+#
+interface(`qemu_unconfined_role',`
+ gen_require(`
+ type unconfined_qemu_t;
+ type qemu_t;
+ ')
+ role $1 types unconfined_qemu_t;
+ role $1 types qemu_t;
')
########################################
## <summary>
-## Create, read, write, and delete
-## qemu temporary directories.
+## Manage qemu temporary dirs.
## </summary>
## <param name="domain">
## <summary>
@@ -298,14 +313,12 @@ interface(`qemu_manage_tmp_dirs',`
type qemu_tmp_t;
')
- files_search_tmp($1)
manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## qemu temporary files.
+## Manage qemu temporary files.
## </summary>
## <param name="domain">
## <summary>
@@ -318,59 +331,42 @@ interface(`qemu_manage_tmp_files',`
type qemu_tmp_t;
')
- files_search_tmp($1)
manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
########################################
## <summary>
-## Execute qemu in a specified domain.
+## Make qemu_exec_t an entrypoint for
+## the specified domain.
## </summary>
-## <desc>
-## <p>
-## Execute qemu in a specified domain.
-## </p>
-## <p>
-## No interprocess communication (signals, pipes,
-## etc.) is provided by this interface since
-## the domains are not owned by this module.
-## </p>
-## </desc>
-## <param name="source_domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="target_domain">
-## <summary>
-## Domain to transition to.
-## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which qemu_exec_t is an entrypoint.
+## </summary>
## </param>
#
-interface(`qemu_spec_domtrans',`
+interface(`qemu_entry_type',`
gen_require(`
type qemu_exec_t;
')
- corecmd_search_bin($1)
- domain_auto_trans($1, qemu_exec_t, $2)
+ domain_entry_file($1, qemu_exec_t)
')
-######################################
+#######################################
## <summary>
-## Make qemu executable files an
-## entrypoint for the specified domain.
+## Getattr on qemu executable.
## </summary>
## <param name="domain">
-## <summary>
-## The domain for which qemu_exec_t is an entrypoint.
-## </summary>
+## <summary>
+## Domain allowed to transition.
+## </summary>
## </param>
#
-interface(`qemu_entry_type',`
- gen_require(`
- type qemu_exec_t;
- ')
+interface(`qemu_getattr_exec',`
+ gen_require(`
+ type qemu_exec_t;
+ ')
- domain_entry_file($1, qemu_exec_t)
+ allow $1 qemu_exec_t:file getattr;
')
diff --git a/qemu.te b/qemu.te
index 4f9074343..958c0ef1e 100644
--- a/qemu.te
+++ b/qemu.te
@@ -6,28 +6,58 @@ policy_module(qemu, 1.8.0)
#
## <desc>
-## <p>
-## Determine whether qemu has full
-## access to the network.
-## </p>
+## <p>
+## Allow qemu to connect fully to the network
+## </p>
## </desc>
gen_tunable(qemu_full_network, false)
-attribute_role qemu_roles;
-roleattribute system_r qemu_roles;
+## <desc>
+## <p>
+## Allow qemu to use cifs/Samba file systems
+## </p>
+## </desc>
+gen_tunable(qemu_use_cifs, true)
+
+## <desc>
+## <p>
+## Allow qemu to use serial/parallel communication ports
+## </p>
+## </desc>
+gen_tunable(qemu_use_comm, false)
-type qemu_exec_t;
-application_executable_file(qemu_exec_t)
+## <desc>
+## <p>
+## Allow qemu to use nfs file systems
+## </p>
+## </desc>
+gen_tunable(qemu_use_nfs, true)
+
+## <desc>
+## <p>
+## Allow qemu to use usb devices
+## </p>
+## </desc>
+gen_tunable(qemu_use_usb, true)
virt_domain_template(qemu)
-role qemu_roles types qemu_t;
+role system_r types qemu_t;
########################################
#
-# Local policy
+# qemu local policy
#
+storage_raw_write_removable_device(qemu_t)
+storage_raw_read_removable_device(qemu_t)
+
+userdom_search_user_home_content(qemu_t)
+userdom_read_user_tmp_files(qemu_t)
+userdom_stream_connect(qemu_t)
+
tunable_policy(`qemu_full_network',`
+ allow qemu_t self:udp_socket create_socket_perms;
+
corenet_udp_sendrecv_generic_if(qemu_t)
corenet_udp_sendrecv_generic_node(qemu_t)
corenet_udp_sendrecv_all_ports(qemu_t)
@@ -37,21 +67,57 @@ tunable_policy(`qemu_full_network',`
corenet_tcp_connect_all_ports(qemu_t)
')
+tunable_policy(`qemu_use_cifs',`
+ fs_manage_cifs_dirs(qemu_t)
+ fs_manage_cifs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_comm',`
+ term_use_unallocated_ttys(qemu_t)
+ dev_rw_printer(qemu_t)
+')
+
+tunable_policy(`qemu_use_nfs',`
+ fs_manage_nfs_dirs(qemu_t)
+ fs_manage_nfs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_usb',`
+ dev_rw_usbfs(qemu_t)
+ fs_manage_dos_dirs(qemu_t)
+ fs_manage_dos_files(qemu_t)
+')
+
optional_policy(`
- xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
+ dbus_read_lib_files(qemu_t)
')
-########################################
-#
-# Unconfined local policy
-#
+optional_policy(`
+ pulseaudio_manage_home_files(qemu_t)
+ pulseaudio_stream_connect(qemu_t)
+')
+
+optional_policy(`
+ tunable_policy(`qemu_use_cifs',`
+ samba_domtrans_smbd(qemu_t)
+ ')
+')
optional_policy(`
- type unconfined_qemu_t;
- typealias unconfined_qemu_t alias qemu_unconfined_t;
- application_type(unconfined_qemu_t)
- unconfined_domain(unconfined_qemu_t)
+ virt_domtrans_bridgehelper(qemu_t)
+')
+
+optional_policy(`
+ virt_manage_home_files(qemu_t)
+ virt_manage_images(qemu_t)
+ virt_append_log(qemu_t)
+')
- allow unconfined_qemu_t self:process { execstack execmem };
- allow unconfined_qemu_t qemu_exec_t:file execmod;
+optional_policy(`
+ xen_rw_image_files(qemu_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(qemu_t)
+ xserver_stream_connect(qemu_t)
')
diff --git a/qmail.fc b/qmail.fc
index e53fe5a97..edee505d7 100644
--- a/qmail.fc
+++ b/qmail.fc
@@ -1,22 +1,6 @@
-/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
-
-/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
-
-/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
-/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
-/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
-/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
-/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
-/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
-/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
-/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
-/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
-/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
-/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
-/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
-
-/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0)
-/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0)
+
+/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0)
+/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0)
/var/qmail/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
/var/qmail/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
@@ -29,9 +13,36 @@
/var/qmail/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
/var/qmail/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
/var/qmail/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
-/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
-/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+/var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+/var/qmail/owners(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
+
+ifdef(`distro_debian', `
+/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+#/usr/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)
+
+/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
+/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
+/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
+/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
+/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
+/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
+/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
+/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
+/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
+/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+
+/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
-/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
+')
-/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
diff --git a/qmail.if b/qmail.if
index e4f0000e5..05e219e13 100644
--- a/qmail.if
+++ b/qmail.if
@@ -1,12 +1,12 @@
-## <summary>Qmail Mail Server.</summary>
+## <summary>Qmail Mail Server</summary>
########################################
## <summary>
-## Template for qmail parent/sub-domain pairs.
+## Template for qmail parent/sub-domain pairs
## </summary>
## <param name="child_prefix">
## <summary>
-## The prefix of the child domain.
+## The prefix of the child domain
## </summary>
## </param>
## <param name="parent_domain">
@@ -16,35 +16,39 @@
## </param>
#
template(`qmail_child_domain_template',`
- gen_require(`
- attribute qmail_child_domain;
- ')
-
- ########################################
- #
- # Declarations
- #
-
- type $1_t, qmail_child_domain;
- type $1_exec_t;
+ type $1_t;
domain_type($1_t)
+ type $1_exec_t;
domain_entry_file($1_t, $1_exec_t)
-
+ domain_auto_trans($2, $1_exec_t, $1_t)
role system_r types $1_t;
- ########################################
- #
- # Policy
- #
+ allow $1_t self:process signal_perms;
+
+ allow $1_t $2:fd use;
+ allow $1_t $2:fifo_file rw_file_perms;
+ allow $1_t $2:process sigchld;
+
+ allow $1_t qmail_etc_t:dir list_dir_perms;
+ allow $1_t qmail_etc_t:file read_file_perms;
+ allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms;
+
+ allow $1_t qmail_start_t:fd use;
+
+ kernel_list_proc($2)
+ kernel_read_proc_symlinks($2)
- domtrans_pattern($2, $1_exec_t, $1_t)
+ corecmd_search_bin($1_t)
+
+ files_search_var($1_t)
+
+ fs_getattr_xattr_fs($1_t)
- kernel_read_system_state($2)
')
########################################
## <summary>
-## Transition to qmail_inject_t.
+## Transition to qmail_inject_t
## </summary>
## <param name="domain">
## <summary>
@@ -57,11 +61,11 @@ interface(`qmail_domtrans_inject',`
type qmail_inject_t, qmail_inject_exec_t;
')
+ corecmd_search_bin($1)
domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t)
ifdef(`distro_debian',`
files_search_usr($1)
- corecmd_search_bin($1)
',`
files_search_var($1)
')
@@ -69,7 +73,7 @@ interface(`qmail_domtrans_inject',`
########################################
## <summary>
-## Transition to qmail_queue_t.
+## Transition to qmail_queue_t
## </summary>
## <param name="domain">
## <summary>
@@ -82,11 +86,11 @@ interface(`qmail_domtrans_queue',`
type qmail_queue_t, qmail_queue_exec_t;
')
+ corecmd_search_bin($1)
domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t)
ifdef(`distro_debian',`
files_search_usr($1)
- corecmd_search_bin($1)
',`
files_search_var($1)
')
@@ -108,20 +112,21 @@ interface(`qmail_read_config',`
type qmail_etc_t;
')
- files_search_var($1)
allow $1 qmail_etc_t:dir list_dir_perms;
allow $1 qmail_etc_t:file read_file_perms;
allow $1 qmail_etc_t:lnk_file read_lnk_file_perms;
+ files_search_var($1)
ifdef(`distro_debian',`
+ # handle /etc/qmail
files_search_etc($1)
')
')
########################################
## <summary>
-## Define the specified domain as a
-## qmail-smtp service.
+## Define the specified domain as a qmail-smtp service.
+## Needed by antivirus/antispam filters.
## </summary>
## <param name="domain">
## <summary>
@@ -141,3 +146,59 @@ interface(`qmail_smtpd_service_domain',`
domtrans_pattern(qmail_smtpd_t, $2, $1)
')
+
+########################################
+## <summary>
+## Create, read, write, and delete qmail
+## spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qmail_manage_spool_dirs',`
+ gen_require(`
+ type qmail_spool_t;
+ ')
+
+ manage_dirs_pattern($1, qmail_spool_t, qmail_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete qmail
+## spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qmail_manage_spool_files',`
+ gen_require(`
+ type qmail_spool_t;
+ ')
+
+ manage_files_pattern($1, qmail_spool_t, qmail_spool_t)
+')
+
+########################################
+## <summary>
+## Read and write to qmail spool pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`qmail_rw_spool_pipes',`
+ gen_require(`
+ type qmail_spool_t;
+ ')
+
+ allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms;
+')
diff --git a/qmail.te b/qmail.te
index 87429441c..53a2fe597 100644
--- a/qmail.te
+++ b/qmail.te
@@ -5,7 +5,7 @@ policy_module(qmail, 1.6.1)
# Declarations
#
-attribute qmail_child_domain;
+attribute qmail_user_domains;
type qmail_alias_home_t;
files_type(qmail_alias_home_t)
@@ -18,7 +18,7 @@ files_config_file(qmail_etc_t)
type qmail_exec_t;
files_type(qmail_exec_t)
-type qmail_inject_t;
+type qmail_inject_t, qmail_user_domains;
type qmail_inject_exec_t;
domain_type(qmail_inject_t)
domain_entry_file(qmail_inject_t, qmail_inject_exec_t)
@@ -32,21 +32,25 @@ qmail_child_domain_template(qmail_lspawn, qmail_start_t)
mta_mailserver_delivery(qmail_lspawn_t)
qmail_child_domain_template(qmail_queue, qmail_inject_t)
+typeattribute qmail_queue_t qmail_user_domains;
mta_mailserver_user_agent(qmail_queue_t)
qmail_child_domain_template(qmail_remote, qmail_rspawn_t)
mta_mailserver_sender(qmail_remote_t)
qmail_child_domain_template(qmail_rspawn, qmail_start_t)
+
qmail_child_domain_template(qmail_send, qmail_start_t)
+
qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
+
qmail_child_domain_template(qmail_splogger, qmail_start_t)
type qmail_keytab_t;
files_type(qmail_keytab_t)
type qmail_spool_t;
-files_type(qmail_spool_t)
+files_spool_file(qmail_spool_t)
type qmail_start_t;
type qmail_start_exec_t;
@@ -58,28 +62,8 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
########################################
#
-# Common qmail child domain local policy
-#
-
-allow qmail_child_domain self:process signal_perms;
-
-allow qmail_child_domain qmail_etc_t:dir list_dir_perms;
-allow qmail_child_domain qmail_etc_t:file read_file_perms;
-allow qmail_child_domain qmail_etc_t:lnk_file read_lnk_file_perms;
-
-allow qmail_child_domain qmail_start_t:fd use;
-
-corecmd_search_bin(qmail_child_domain)
-
-files_search_var(qmail_child_domain)
-
-fs_getattr_xattr_fs(qmail_child_domain)
-
-miscfiles_read_localization(qmail_child_domain)
-
-########################################
-#
-# Clean local policy
+# qmail-clean local policy
+# this component cleans up the queue directory
#
read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
@@ -87,11 +71,12 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
########################################
#
-# Inject local policy
+# qmail-inject local policy
+# this component preprocesses mail from stdin and invokes qmail-queue
#
-allow qmail_inject_t self:fifo_file write_fifo_file_perms;
allow qmail_inject_t self:process signal_perms;
+allow qmail_inject_t self:fifo_file write_fifo_file_perms;
allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
@@ -99,18 +84,18 @@ corecmd_search_bin(qmail_inject_t)
files_search_var(qmail_inject_t)
-miscfiles_read_localization(qmail_inject_t)
qmail_read_config(qmail_inject_t)
########################################
#
-# Local local policy
+# qmail-local local policy
+# this component delivers a mail message
#
-allow qmail_local_t self:fifo_file write_fifo_file_perms;
allow qmail_local_t self:process signal_perms;
-allow qmail_local_t self:unix_stream_socket { accept listen };
+allow qmail_local_t self:fifo_file write_file_perms;
+allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
@@ -137,12 +122,17 @@ mta_append_spool(qmail_local_t)
qmail_domtrans_queue(qmail_local_t)
optional_policy(`
+ uucp_domtrans(qmail_local_t)
+')
+
+optional_policy(`
spamassassin_domtrans_client(qmail_local_t)
')
########################################
#
-# Lspawn local policy
+# qmail-lspawn local policy
+# this component schedules local deliveries
#
allow qmail_lspawn_t self:capability { setuid setgid };
@@ -156,21 +146,23 @@ allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms;
read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)
-files_read_etc_files(qmail_lspawn_t)
+corecmd_search_bin(qmail_lspawn_t)
+
files_search_pids(qmail_lspawn_t)
files_search_tmp(qmail_lspawn_t)
########################################
#
-# Queue local policy
+# qmail-queue local policy
+# this component places a mail in a delivery queue, later to be processed by qmail-send
#
allow qmail_queue_t qmail_lspawn_t:fd use;
allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;
+allow qmail_queue_t qmail_smtpd_t:process sigchld;
allow qmail_queue_t qmail_smtpd_t:fd use;
allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;
-allow qmail_queue_t qmail_smtpd_t:process sigchld;
manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
@@ -186,28 +178,34 @@ optional_policy(`
########################################
#
-# Remote local policy
+# qmail-remote local policy
+# this component sends mail via SMTP
#
+allow qmail_remote_t self:tcp_socket create_socket_perms;
+allow qmail_remote_t self:udp_socket create_socket_perms;
+
rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t)
-corenet_all_recvfrom_unlabeled(qmail_remote_t)
corenet_all_recvfrom_netlabel(qmail_remote_t)
corenet_tcp_sendrecv_generic_if(qmail_remote_t)
+corenet_udp_sendrecv_generic_if(qmail_remote_t)
corenet_tcp_sendrecv_generic_node(qmail_remote_t)
-
-corenet_sendrecv_smtp_client_packets(qmail_remote_t)
-corenet_tcp_connect_smtp_port(qmail_remote_t)
+corenet_udp_sendrecv_generic_node(qmail_remote_t)
corenet_tcp_sendrecv_smtp_port(qmail_remote_t)
+corenet_udp_sendrecv_dns_port(qmail_remote_t)
+corenet_tcp_connect_smtp_port(qmail_remote_t)
+corenet_sendrecv_smtp_client_packets(qmail_remote_t)
dev_read_rand(qmail_remote_t)
dev_read_urand(qmail_remote_t)
-sysnet_dns_name_resolve(qmail_remote_t)
+sysnet_read_config(qmail_remote_t)
########################################
#
-# Rspawn local policy
+# qmail-rspawn local policy
+# this component scedules remote deliveries
#
allow qmail_rspawn_t self:process signal_perms;
@@ -217,9 +215,12 @@ allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms;
rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t)
+corecmd_search_bin(qmail_rspawn_t)
+
########################################
#
-# Send local policy
+# qmail-send local policy
+# this component delivers mail messages from the queue
#
allow qmail_send_t self:process signal_perms;
@@ -237,7 +238,8 @@ optional_policy(`
########################################
#
-# Smtpd local policy
+# qmail-smtpd local policy
+# this component receives mails via SMTP
#
allow qmail_smtpd_t self:process signal_perms;
@@ -268,26 +270,26 @@ optional_policy(`
########################################
#
-# Splogger local policy
+# splogger local policy
+# this component creates entries in syslog
#
allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
-files_read_etc_files(qmail_splogger_t)
init_dontaudit_use_script_fds(qmail_splogger_t)
-miscfiles_read_localization(qmail_splogger_t)
########################################
#
-# Start local policy
+# qmail-start local policy
+# this component starts up the mail delivery component
#
allow qmail_start_t self:capability { setgid setuid };
dontaudit qmail_start_t self:capability sys_tty_config;
-allow qmail_start_t self:fifo_file rw_fifo_file_perms;
allow qmail_start_t self:process signal_perms;
+allow qmail_start_t self:fifo_file rw_fifo_file_perms;
can_exec(qmail_start_t, qmail_start_exec_t)
@@ -304,7 +306,8 @@ optional_policy(`
########################################
#
-# Tcp-env local policy
+# tcp-env local policy
+# this component sets up TCP-related environment variables
#
allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
diff --git a/qpid.if b/qpid.if
index fe2adf8ae..f7e9c70b0 100644
--- a/qpid.if
+++ b/qpid.if
@@ -1,4 +1,4 @@
-## <summary>Apache QPID AMQP messaging server.</summary>
+## <summary>policy for qpidd</summary>
########################################
## <summary>
@@ -15,13 +15,12 @@ interface(`qpidd_domtrans',`
type qpidd_t, qpidd_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, qpidd_exec_t, qpidd_t)
')
-#####################################
+########################################
## <summary>
-## Read and write access qpidd semaphores.
+## Execute qpidd server in the qpidd domain.
## </summary>
## <param name="domain">
## <summary>
@@ -29,17 +28,17 @@ interface(`qpidd_domtrans',`
## </summary>
## </param>
#
-interface(`qpidd_rw_semaphores',`
+interface(`qpidd_initrc_domtrans',`
gen_require(`
- type qpidd_t;
+ type qpidd_initrc_exec_t;
')
- allow $1 qpidd_t:sem rw_sem_perms;
+ init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
')
########################################
## <summary>
-## Read and write qpidd shared memory.
+## Read qpidd PID files.
## </summary>
## <param name="domain">
## <summary>
@@ -47,36 +46,39 @@ interface(`qpidd_rw_semaphores',`
## </summary>
## </param>
#
-interface(`qpidd_rw_shm',`
+interface(`qpidd_read_pid_files',`
gen_require(`
- type qpidd_t;
+ type qpidd_var_run_t;
')
- allow $1 qpidd_t:shm rw_shm_perms;
+ files_search_pids($1)
+ allow $1 qpidd_var_run_t:file read_file_perms;
')
########################################
## <summary>
-## Execute qpidd init script in
-## the initrc domain.
+## Manage qpidd var_run files.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`qpidd_initrc_domtrans',`
+interface(`qpidd_manage_var_run',`
gen_require(`
- type qpidd_initrc_exec_t;
+ type qpidd_var_run_t;
')
- init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
+ files_search_pids($1)
+ manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
+ manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
+ manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
')
########################################
## <summary>
-## Read qpidd pid files.
+## Search qpidd lib directories.
## </summary>
## <param name="domain">
## <summary>
@@ -84,18 +86,18 @@ interface(`qpidd_initrc_domtrans',`
## </summary>
## </param>
#
-interface(`qpidd_read_pid_files',`
+interface(`qpidd_search_lib',`
gen_require(`
- type qpidd_var_run_t;
+ type qpidd_var_lib_t;
')
- files_search_pids($1)
- allow $1 qpidd_var_run_t:file read_file_perms;
+ allow $1 qpidd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
')
########################################
## <summary>
-## Search qpidd lib directories.
+## Read qpidd lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -103,18 +105,19 @@ interface(`qpidd_read_pid_files',`
## </summary>
## </param>
#
-interface(`qpidd_search_lib',`
+interface(`qpidd_read_lib_files',`
gen_require(`
type qpidd_var_lib_t;
')
files_search_var_lib($1)
- allow $1 qpidd_var_lib_t:dir search_dir_perms;
+ read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
')
########################################
## <summary>
-## Read qpidd lib files.
+## Create, read, write, and delete
+## qpidd lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -122,19 +125,18 @@ interface(`qpidd_search_lib',`
## </summary>
## </param>
#
-interface(`qpidd_read_lib_files',`
+interface(`qpidd_manage_lib_files',`
gen_require(`
type qpidd_var_lib_t;
')
files_search_var_lib($1)
- read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## qpidd lib files.
+## Manage qpidd var_lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -142,49 +144,94 @@ interface(`qpidd_read_lib_files',`
## </summary>
## </param>
#
-interface(`qpidd_manage_lib_files',`
+interface(`qpidd_manage_var_lib',`
gen_require(`
type qpidd_var_lib_t;
')
files_search_var_lib($1)
+ manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+ manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
')
-########################################
+#####################################
## <summary>
-## All of the rules required to
-## administrate an qpidd environment.
+## Allow read and write access to qpidd semaphores.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+#
+interface(`qpidd_rw_semaphores',`
+ gen_require(`
+ type qpidd_t;
+ ')
+
+ allow $1 qpidd_t:sem rw_sem_perms;
+')
+
+#######################################
+## <summary>
+## Read and write to qpidd shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_rw_shm',`
+ gen_require(`
+ type qpidd_t;
+ type qpidd_tmpfs_t;
+ ')
+
+ allow $1 qpidd_t:shm rw_shm_perms;
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t)
+')
+
+#######################################
+## <summary>
+## All of the rules required to
+## administrate an qpidd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
+## <summary>
+## Role allowed access.
+## </summary>
## </param>
## <rolecap/>
#
interface(`qpidd_admin',`
- gen_require(`
- type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t;
- type qpidd_var_run_t;
- ')
+ gen_require(`
+ type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t;
+ type qpidd_var_run_t;
+ ')
- allow $1 qpidd_t:process { ptrace signal_perms };
- ps_process_pattern($1, qpidd_t)
+ allow $1 qpidd_t:process { signal_perms };
+ ps_process_pattern($1, qpidd_t)
- qpidd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 qpidd_initrc_exec_t system_r;
- allow $2 system_r;
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 qpidd_t:process ptrace;
+ ')
- files_search_var_lib($1)
- admin_pattern($1, qpidd_var_lib_t)
+ qpidd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 qpidd_initrc_exec_t system_r;
+ allow $2 system_r;
- files_search_pids($1)
- admin_pattern($1, qpidd_var_run_t)
+ files_search_var_lib($1)
+ admin_pattern($1, qpidd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, qpidd_var_run_t)
')
diff --git a/qpid.te b/qpid.te
index 83eb09ef6..8f641fc92 100644
--- a/qpid.te
+++ b/qpid.te
@@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
type qpidd_initrc_exec_t;
init_script_file(qpidd_initrc_exec_t)
+type qpidd_tmp_t;
+files_tmp_file(qpidd_tmp_t)
+
type qpidd_tmpfs_t;
files_tmpfs_file(qpidd_tmpfs_t)
@@ -33,41 +36,57 @@ allow qpidd_t self:shm create_shm_perms;
allow qpidd_t self:tcp_socket { accept listen };
allow qpidd_t self:unix_stream_socket { accept listen };
+manage_dirs_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t)
+manage_files_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t)
+files_tmp_filetrans(qpidd_t, qpidd_tmp_t, { dir file })
+
manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file })
-manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
-manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
-files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir })
+manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+manage_lnk_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir lnk_file })
-manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
-manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
+manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
+manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir })
kernel_read_system_state(qpidd_t)
+kernel_read_network_state(qpidd_t)
+
+auth_read_passwd(qpidd_t)
-corenet_all_recvfrom_unlabeled(qpidd_t)
corenet_all_recvfrom_netlabel(qpidd_t)
+corenet_tcp_bind_generic_node(qpidd_t)
corenet_tcp_sendrecv_generic_if(qpidd_t)
corenet_tcp_sendrecv_generic_node(qpidd_t)
-corenet_tcp_bind_generic_node(qpidd_t)
corenet_sendrecv_amqp_server_packets(qpidd_t)
corenet_tcp_bind_amqp_port(qpidd_t)
corenet_tcp_sendrecv_amqp_port(qpidd_t)
+corenet_tcp_connect_amqp_port(qpidd_t)
+
+corenet_tcp_bind_matahari_port(qpidd_t)
+corenet_tcp_connect_matahari_port(qpidd_t)
dev_read_sysfs(qpidd_t)
dev_read_urand(qpidd_t)
+dev_read_rand(qpidd_t)
-files_read_etc_files(qpidd_t)
+# needed by ssl
+files_list_tmp(qpidd_t)
logging_send_syslog_msg(qpidd_t)
-miscfiles_read_localization(qpidd_t)
-
sysnet_dns_name_resolve(qpidd_t)
optional_policy(`
- corosync_stream_connect(qpidd_t)
+ kerberos_use(qpidd_t)
')
+
+optional_policy(`
+ rhcs_stream_connect_cluster(qpidd_t)
+')
+
diff --git a/quantum.fc b/quantum.fc
index 70ab68b02..b985b6570 100644
--- a/quantum.fc
+++ b/quantum.fc
@@ -1,10 +1,34 @@
-/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/neutron.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
-/usr/bin/quantum-server -- gen_context(system_u:object_r:quantum_exec_t,s0)
-/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
-/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
-/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
+/usr/bin/neutron-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-l3-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-lbaas-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-metadata-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-netns-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-ns-metadata-proxy -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-rootwrap -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-linuxbridge-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-openvswitch-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-ovs-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-ryu-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-server -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-l3-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-ovs-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-server -- gen_context(system_u:object_r:neutron_exec_t,s0)
-/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0)
+/usr/lib/systemd/system/neutron.* -- gen_context(system_u:object_r:neutron_unit_file_t,s0)
+/usr/lib/systemd/system/quantum.* -- gen_context(system_u:object_r:neutron_unit_file_t,s0)
-/var/log/quantum(/.*)? gen_context(system_u:object_r:quantum_log_t,s0)
+/var/lib/neutron(/.*)? gen_context(system_u:object_r:neutron_var_lib_t,s0)
+/var/lib/quantum(/.*)? gen_context(system_u:object_r:neutron_var_lib_t,s0)
+
+/var/log/neutron(/.*)? gen_context(system_u:object_r:neutron_log_t,s0)
+/var/log/quantum(/.*)? gen_context(system_u:object_r:neutron_log_t,s0)
+
+/var/run/neutron(/.*)? gen_context(system_u:object_r:neutron_var_run_t,s0)
+/var/run/quantum(/.*)? gen_context(system_u:object_r:neutron_var_run_t,s0)
diff --git a/quantum.if b/quantum.if
index afc00688d..e974fad4b 100644
--- a/quantum.if
+++ b/quantum.if
@@ -2,41 +2,314 @@
########################################
## <summary>
-## All of the rules required to
-## administrate an quantum environment.
+## Transition to neutron.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`neutron_domtrans',`
+ gen_require(`
+ type neutron_t, neutron_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, neutron_exec_t, neutron_t)
+')
+
+########################################
+## <summary>
+## Allow read/write neutron pipes
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`neutron_rw_inherited_pipes',`
+ gen_require(`
+ type neutron_t;
+ ')
+
+ allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Send sigchld to neutron.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+#
+#
+interface(`neutron_sigchld',`
+ gen_require(`
+ type neutron_t;
+ ')
+
+ allow $1 neutron_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Read neutron's log files.
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
-interface(`quantum_admin',`
+interface(`neutron_read_log',`
+ gen_require(`
+ type neutron_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, neutron_log_t, neutron_log_t)
+')
+
+########################################
+## <summary>
+## Append to neutron log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`neutron_append_log',`
+ gen_require(`
+ type neutron_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, neutron_log_t, neutron_log_t)
+')
+
+########################################
+## <summary>
+## Manage neutron log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`neutron_manage_log',`
+ gen_require(`
+ type neutron_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, neutron_log_t, neutron_log_t)
+ manage_files_pattern($1, neutron_log_t, neutron_log_t)
+ manage_lnk_files_pattern($1, neutron_log_t, neutron_log_t)
+')
+
+########################################
+## <summary>
+## Search neutron lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`neutron_search_lib',`
+ gen_require(`
+ type neutron_var_lib_t;
+ ')
+
+ allow $1 neutron_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read neutron lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`neutron_read_lib_files',`
gen_require(`
- type quantum_t, quantum_initrc_exec_t, quantum_log_t;
- type quantum_var_lib_t, quantum_tmp_t;
+ type neutron_var_lib_t;
')
- allow $1 quantum_t:process { ptrace signal_perms };
- ps_process_pattern($1, quantum_t)
+ files_search_var_lib($1)
+ read_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage neutron lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`neutron_manage_lib_files',`
+ gen_require(`
+ type neutron_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+ manage_sock_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage neutron lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`neutron_manage_lib_dirs',`
+ gen_require(`
+ type neutron_var_lib_t;
+ ')
- init_labeled_script_domtrans($1, quantum_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 quantum_initrc_exec_t system_r;
- allow $2 system_r;
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read and write neutron fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`neutron_rw_fifo_file',`
+ gen_require(`
+ type neutron_t;
+ ')
+
+ allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+#####################################
+## <summary>
+## Connect to neutron over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`neutron_stream_connect',`
+ gen_require(`
+ type neutron_t;
+ type neutron_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, neutron_var_lib_t, neutron_var_lib_t, neutron_t )
+')
+
+########################################
+## <summary>
+## Execute neutron server in the neutron domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`neutron_systemctl',`
+ gen_require(`
+ type neutron_t;
+ type neutron_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 neutron_unit_file_t:file read_file_perms;
+ allow $1 neutron_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, neutron_t)
+')
+
+#######################################
+## <summary>
+## Read neutron process state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`neutron_read_state',`
+ gen_require(`
+ type neutron_t;
+ ')
+
+ allow $1 neutron_t:dir search_dir_perms;
+ allow $1 neutron_t:file read_file_perms;
+ allow $1 neutron_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an neutron environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`neutron_admin',`
+ gen_require(`
+ type neutron_t;
+ type neutron_log_t;
+ type neutron_var_lib_t;
+ type neutron_unit_file_t;
+ ')
+
+ allow $1 neutron_t:process { ptrace signal_perms };
+ ps_process_pattern($1, neutron_t)
logging_search_logs($1)
- admin_pattern($1, quantum_log_t)
+ admin_pattern($1, neutron_log_t)
files_search_var_lib($1)
- admin_pattern($1, quantum_var_lib_t)
+ admin_pattern($1, neutron_var_lib_t)
- files_search_tmp($1)
- admin_pattern($1, quantum_tmp_t)
+ neutron_systemctl($1)
+ admin_pattern($1, neutron_unit_file_t)
+ allow $1 neutron_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/quantum.te b/quantum.te
index 8644d8b3f..62bdc516a 100644
--- a/quantum.te
+++ b/quantum.te
@@ -5,92 +5,183 @@ policy_module(quantum, 1.1.0)
# Declarations
#
-type quantum_t;
-type quantum_exec_t;
-init_daemon_domain(quantum_t, quantum_exec_t)
+## <desc>
+## <p>
+## Determine whether neutron can
+## connect to all TCP ports
+## </p>
+## </desc>
+gen_tunable(neutron_can_network, false)
-type quantum_initrc_exec_t;
-init_script_file(quantum_initrc_exec_t)
+type neutron_t alias quantum_t;
+type neutron_exec_t alias quantum_exec_t;
+init_daemon_domain(neutron_t, neutron_exec_t)
-type quantum_log_t;
-logging_log_file(quantum_log_t)
+type neutron_initrc_exec_t alias quantum_initrc_exec_t;
+init_script_file(neutron_initrc_exec_t)
-type quantum_tmp_t;
-files_tmp_file(quantum_tmp_t)
+type neutron_log_t alias quantum_log_t;
+logging_log_file(neutron_log_t)
-type quantum_var_lib_t;
-files_type(quantum_var_lib_t)
+type neutron_tmp_t alias quantum_tmp_t;
+files_tmp_file(neutron_tmp_t)
+
+type neutron_var_lib_t alias quantum_var_lib_t;
+files_type(neutron_var_lib_t)
+
+type neutron_var_run_t alias quantum_var_run_t;
+files_pid_file(neutron_var_run_t)
+
+type neutron_unit_file_t alias quantum_unit_file_t;
+systemd_unit_file(neutron_unit_file_t)
########################################
#
# Local policy
#
-allow quantum_t self:capability { setgid setuid sys_resource };
-allow quantum_t self:process { setsched setrlimit };
-allow quantum_t self:fifo_file rw_fifo_file_perms;
-allow quantum_t self:key manage_key_perms;
-allow quantum_t self:tcp_socket { accept listen };
-allow quantum_t self:unix_stream_socket { accept listen };
-
-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-logging_log_filetrans(quantum_t, quantum_log_t, dir)
-
-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
-
-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
-
-can_exec(quantum_t, quantum_tmp_t)
-
-kernel_read_kernel_sysctls(quantum_t)
-kernel_read_system_state(quantum_t)
-
-corecmd_exec_shell(quantum_t)
-corecmd_exec_bin(quantum_t)
-
-corenet_all_recvfrom_unlabeled(quantum_t)
-corenet_all_recvfrom_netlabel(quantum_t)
-corenet_tcp_sendrecv_generic_if(quantum_t)
-corenet_tcp_sendrecv_generic_node(quantum_t)
-corenet_tcp_sendrecv_all_ports(quantum_t)
-corenet_tcp_bind_generic_node(quantum_t)
-
-dev_list_sysfs(quantum_t)
-dev_read_urand(quantum_t)
+allow neutron_t self:capability { chown dac_read_search sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
+allow neutron_t self:capability2 block_suspend;
+allow neutron_t self:process { setsched setrlimit setcap signal_perms };
+
+allow neutron_t self:fifo_file rw_fifo_file_perms;
+allow neutron_t self:key manage_key_perms;
+allow neutron_t self:tcp_socket { accept listen };
+allow neutron_t self:unix_stream_socket { accept listen connectto };
+allow neutron_t self:netlink_route_socket rw_netlink_socket_perms;
+allow neutron_t self:rawip_socket create_socket_perms;
+allow neutron_t self:packet_socket create_socket_perms;
+
+manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
+append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+logging_log_filetrans(neutron_t, neutron_log_t, dir)
+
+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
+manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
+files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir })
+
+manage_files_pattern(neutron_t, neutron_var_run_t, neutron_var_run_t)
+manage_dirs_pattern(neutron_t, neutron_var_run_t, neutron_var_run_t)
+files_pid_filetrans(neutron_t, neutron_var_run_t, { file dir })
+
+manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
+
+can_exec(neutron_t, neutron_tmp_t)
+
+kernel_rw_kernel_sysctl(neutron_t)
+kernel_rw_net_sysctls(neutron_t)
+kernel_read_system_state(neutron_t)
+kernel_read_network_state(neutron_t)
+kernel_request_load_module(neutron_t)
+
+corecmd_exec_shell(neutron_t)
+corecmd_exec_bin(neutron_t)
+
+corenet_all_recvfrom_unlabeled(neutron_t)
+corenet_all_recvfrom_netlabel(neutron_t)
+corenet_tcp_sendrecv_generic_if(neutron_t)
+corenet_tcp_sendrecv_generic_node(neutron_t)
+corenet_tcp_sendrecv_all_ports(neutron_t)
+corenet_tcp_bind_generic_node(neutron_t)
+
+corenet_tcp_bind_neutron_port(neutron_t)
+corenet_tcp_connect_neutron_port(neutron_t)
+corenet_tcp_connect_keystone_port(neutron_t)
+corenet_tcp_connect_amqp_port(neutron_t)
+corenet_tcp_connect_mysqld_port(neutron_t)
+corenet_tcp_connect_osapi_compute_port(neutron_t)
+
+domain_read_all_domains_state(neutron_t)
+domain_named_filetrans(neutron_t)
+
+dev_read_sysfs(neutron_t)
+dev_read_urand(neutron_t)
+dev_mounton_sysfs(neutron_t)
+dev_mount_sysfs_fs(neutron_t)
+dev_unmount_sysfs_fs(neutron_t)
+
+files_mounton_non_security(neutron_t)
+
+auth_use_nsswitch(neutron_t)
+
+libs_exec_ldconfig(neutron_t)
+
+logging_send_audit_msgs(neutron_t)
+logging_send_syslog_msg(neutron_t)
+
+netutils_exec(neutron_t)
+
+# need to stay in neutron
+sysnet_exec_ifconfig(neutron_t)
+sysnet_manage_ifconfig_run(neutron_t)
+sysnet_filetrans_named_content_ifconfig(neutron_t)
+
+tunable_policy(`neutron_can_network',`
+ corenet_sendrecv_all_client_packets(neutron_t)
+ corenet_tcp_connect_all_ports(neutron_t)
+ corenet_tcp_sendrecv_all_ports(neutron_t)
+')
-files_read_usr_files(quantum_t)
+optional_policy(`
+ dbus_system_bus_client(neutron_t)
+')
-auth_use_nsswitch(quantum_t)
+optional_policy(`
+ brctl_domtrans(neutron_t)
+')
-libs_exec_ldconfig(quantum_t)
+optional_policy(`
+ dnsmasq_domtrans(neutron_t)
+ dnsmasq_signal(neutron_t)
+ dnsmasq_kill(neutron_t)
+ dnsmasq_read_state(neutron_t)
+')
-logging_send_audit_msgs(quantum_t)
-logging_send_syslog_msg(quantum_t)
+optional_policy(`
+ rhcs_domtrans_haproxy(neutron_t)
+ rhcs_stream_connect_haproxy(neutron_t)
+')
-miscfiles_read_localization(quantum_t)
+optional_policy(`
+ iptables_domtrans(neutron_t)
+')
-sysnet_domtrans_ifconfig(quantum_t)
+optional_policy(`
+ modutils_domtrans_insmod(neutron_t)
+')
optional_policy(`
- brctl_domtrans(quantum_t)
+ mysql_stream_connect(neutron_t)
+ mysql_read_db_lnk_files(neutron_t)
+ mysql_read_config(neutron_t)
+ mysql_tcp_connect(neutron_t)
')
optional_policy(`
- mysql_stream_connect(quantum_t)
- mysql_read_config(quantum_t)
+ postgresql_stream_connect(neutron_t)
+ postgresql_unpriv_client(neutron_t)
+ postgresql_tcp_connect(neutron_t)
+')
- mysql_tcp_connect(quantum_t)
+optional_policy(`
+ openvswitch_domtrans(neutron_t)
+ openvswitch_stream_connect(neutron_t)
')
optional_policy(`
- postgresql_stream_connect(quantum_t)
- postgresql_unpriv_client(quantum_t)
+ rpm_exec(neutron_t)
+ rpm_read_db(neutron_t)
+')
- postgresql_tcp_connect(quantum_t)
+optional_policy(`
+ sudo_exec(neutron_t)
')
+
+optional_policy(`
+ udev_domtrans(neutron_t)
+')
diff --git a/quota.fc b/quota.fc
index cadabe360..54ba01d0d 100644
--- a/quota.fc
+++ b/quota.fc
@@ -1,6 +1,5 @@
HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-
-HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
@@ -8,24 +7,24 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-/etc/rc\.d/init\.d/quota_nld -- gen_context(system_u:object_r:quota_nld_initrc_exec_t,s0)
-
-/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
-/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
+/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
-/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
/usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
-/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
+/var/spool/cron/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/spool/(.*/)?a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
+ifdef(`distro_redhat',`
+/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+',`
+/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+')
-/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0)
+/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
-/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/lib/stickshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/lib/openshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-/var/spool/imap/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-/var/spool/(client)?mqueue/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-/var/spool/mqueue\.in/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-/var/spool/mail/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0)
diff --git a/quota.if b/quota.if
index da6421861..3fb8575ca 100644
--- a/quota.if
+++ b/quota.if
@@ -1,4 +1,4 @@
-## <summary>File system quota management.</summary>
+## <summary>File system quota management</summary>
########################################
## <summary>
@@ -21,9 +21,8 @@ interface(`quota_domtrans',`
########################################
## <summary>
-## Execute quota management tools in
-## the quota domain, and allow the
-## specified role the quota domain.
+## Execute quota management tools in the quota domain, and
+## allow the specified role the quota domain.
## </summary>
## <param name="domain">
## <summary>
@@ -39,90 +38,54 @@ interface(`quota_domtrans',`
#
interface(`quota_run',`
gen_require(`
- attribute_role quota_roles;
+ type quota_t;
')
quota_domtrans($1)
- roleattribute $2 quota_roles;
+ role $2 types quota_t;
')
#######################################
## <summary>
-## Execute quota nld in the quota nld domain.
+## Alow to read of filesystem quota data files.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
+## <summary>
+## Domain to not audit.
+## </summary>
## </param>
#
-interface(`quota_domtrans_nld',`
- gen_require(`
- type quota_nld_t, quota_nld_exec_t;
- ')
+interface(`quota_read_db',`
+ gen_require(`
+ type quota_db_t;
+ ')
- corecmd_search_bin($1)
- domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
+ allow $1 quota_db_t:file read_file_perms;
')
########################################
## <summary>
-## Create, read, write, and delete
-## quota db files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`quota_manage_db_files',`
- gen_require(`
- type quota_db_t;
- ')
-
- allow $1 quota_db_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-## Create specified objects in specified
-## directories with a type transition to
-## the quota db file type.
+## Do not audit attempts to get the attributes
+## of filesystem quota data files.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="file_type">
-## <summary>
-## Directory to transition on.
-## </summary>
-## </param>
-## <param name="object">
-## <summary>
-## The object class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`quota_spec_filetrans_db',`
+interface(`quota_dontaudit_getattr_db',`
gen_require(`
type quota_db_t;
')
- filetrans_pattern($1, $2, quota_db_t, $3, $4)
+ dontaudit $1 quota_db_t:file getattr_file_perms;
')
########################################
## <summary>
-## Do not audit attempts to get attributes
-## of filesystem quota data files.
+## Create, read, write, and delete quota
+## db files.
## </summary>
## <param name="domain">
## <summary>
@@ -130,18 +93,18 @@ interface(`quota_spec_filetrans_db',`
## </summary>
## </param>
#
-interface(`quota_dontaudit_getattr_db',`
+interface(`quota_manage_db',`
gen_require(`
type quota_db_t;
')
- dontaudit $1 quota_db_t:file getattr_file_perms;
+ allow $1 quota_db_t:file manage_file_perms;
')
########################################
## <summary>
-## Create, read, write, and delete
-## quota flag files.
+## Create, read, write, and delete quota
+## flag files.
## </summary>
## <param name="domain">
## <summary>
@@ -160,37 +123,56 @@ interface(`quota_manage_flags',`
########################################
## <summary>
-## All of the rules required to
-## administrate an quota environment.
+## Transition to quota named content
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`quota_admin',`
+interface(`quota_filetrans_named_content',`
gen_require(`
- type quota_nld_t, quota_t, quota_db_t;
- type quota_nld_initrc_exec_t, quota_flag_t, quota_nld_var_run_t;
+ type quota_db_t;
')
- allow $1 { quota_nld_t quota_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { quota_nld_t quota_t })
-
- init_labeled_script_domtrans($1, quota_nld_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 quota_nld_initrc_exec_t system_r;
- allow $2 system_r;
+ files_root_filetrans($1, quota_db_t, file, "aquota.user")
+ files_root_filetrans($1, quota_db_t, file, "aquota.group")
+ files_boot_filetrans($1, quota_db_t, file, "aquota.user")
+ files_boot_filetrans($1, quota_db_t, file, "aquota.group")
+ files_etc_filetrans($1, quota_db_t, file, "aquota.user")
+ files_etc_filetrans($1, quota_db_t, file, "aquota.group")
+ files_tmp_filetrans($1, quota_db_t, file, "aquota.user")
+ files_tmp_filetrans($1, quota_db_t, file, "aquota.group")
+ files_home_filetrans($1, quota_db_t, file, "aquota.user")
+ files_home_filetrans($1, quota_db_t, file, "aquota.group")
+ files_usr_filetrans($1, quota_db_t, file, "aquota.user")
+ files_usr_filetrans($1, quota_db_t, file, "aquota.group")
+ files_var_filetrans($1, quota_db_t, file, "aquota.user")
+ files_var_filetrans($1, quota_db_t, file, "aquota.group")
+ files_spool_filetrans($1, quota_db_t, file, "aquota.user")
+ files_spool_filetrans($1, quota_db_t, file, "aquota.group")
+ mta_spool_filetrans($1, quota_db_t, file, "aquota.user")
+ mta_spool_filetrans($1, quota_db_t, file, "aquota.group")
+ mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.user")
+ mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.group")
+')
- files_list_all($1)
- admin_pattern($1, { quota_db_t quota_flag quota_nld_var_run_t })
+#######################################
+## <summary>
+## Transition to quota_nld.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`quota_domtrans_nld',`
+ gen_require(`
+ type quota_nld_t, quota_nld_exec_t;
+ ')
- quota_run($1, $2)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
')
diff --git a/quota.te b/quota.te
index f47c8e81f..ffee08201 100644
--- a/quota.te
+++ b/quota.te
@@ -5,12 +5,10 @@ policy_module(quota, 1.6.0)
# Declarations
#
-attribute_role quota_roles;
-
type quota_t;
type quota_exec_t;
-init_system_domain(quota_t, quota_exec_t)
-role quota_roles types quota_t;
+application_domain(quota_t, quota_exec_t)
+#init_system_domain(quota_t, quota_exec_t)
type quota_db_t;
files_type(quota_db_t)
@@ -22,9 +20,6 @@ type quota_nld_t;
type quota_nld_exec_t;
init_daemon_domain(quota_nld_t, quota_nld_exec_t)
-type quota_nld_initrc_exec_t;
-init_script_file(quota_nld_initrc_exec_t)
-
type quota_nld_var_run_t;
files_pid_file(quota_nld_var_run_t)
@@ -33,10 +28,11 @@ files_pid_file(quota_nld_var_run_t)
# Local policy
#
-allow quota_t self:capability { sys_admin dac_override };
+allow quota_t self:capability { sys_admin dac_read_search };
dontaudit quota_t self:capability sys_tty_config;
allow quota_t self:process signal_perms;
+# for /quota.*
allow quota_t quota_db_t:file { manage_file_perms quotaon };
files_root_filetrans(quota_t, quota_db_t, file)
files_boot_filetrans(quota_t, quota_db_t, file)
@@ -48,24 +44,15 @@ files_var_filetrans(quota_t, quota_db_t, file)
files_spool_filetrans(quota_t, quota_db_t, file)
userdom_user_home_dir_filetrans(quota_t, quota_db_t, file)
-kernel_request_load_module(quota_t)
kernel_list_proc(quota_t)
kernel_read_proc_symlinks(quota_t)
kernel_read_kernel_sysctls(quota_t)
-kernel_setsched(quota_t)
+kernel_dontaudit_setsched(quota_t)
dev_read_sysfs(quota_t)
dev_getattr_all_blk_files(quota_t)
dev_getattr_all_chr_files(quota_t)
-files_list_all(quota_t)
-files_read_all_files(quota_t)
-files_read_all_symlinks(quota_t)
-files_getattr_all_pipes(quota_t)
-files_getattr_all_sockets(quota_t)
-files_getattr_all_file_type_fs(quota_t)
-files_read_etc_runtime_files(quota_t)
-
fs_get_xattr_fs_quotas(quota_t)
fs_set_xattr_fs_quotas(quota_t)
fs_getattr_xattr_fs(quota_t)
@@ -80,17 +67,29 @@ term_dontaudit_use_console(quota_t)
domain_use_interactive_fds(quota_t)
+files_list_all(quota_t)
+files_read_all_files(quota_t)
+files_read_all_symlinks(quota_t)
+files_getattr_all_pipes(quota_t)
+files_getattr_all_sockets(quota_t)
+files_getattr_all_file_type_fs(quota_t)
+# Read /etc/mtab.
+files_read_etc_runtime_files(quota_t)
+
+init_domain(quota_t, quota_exec_t)
init_use_fds(quota_t)
init_use_script_ptys(quota_t)
logging_send_syslog_msg(quota_t)
-userdom_use_user_terminals(quota_t)
+mta_spool_filetrans(quota_t, quota_db_t, file)
+mta_spool_filetrans_queue(quota_t, quota_db_t, file)
+
+userdom_use_inherited_user_terminals(quota_t)
userdom_dontaudit_use_unpriv_user_fds(quota_t)
optional_policy(`
- mta_queue_filetrans(quota_t, quota_db_t, file)
- mta_spool_filetrans(quota_t, quota_db_t, file)
+ openshift_lib_filetrans(quota_t, quota_db_t, file)
')
optional_policy(`
@@ -103,12 +102,13 @@ optional_policy(`
#######################################
#
-# Nld local policy
+# Local policy
#
allow quota_nld_t self:fifo_file rw_fifo_file_perms;
allow quota_nld_t self:netlink_socket create_socket_perms;
-allow quota_nld_t self:unix_stream_socket { accept listen };
+allow quota_nld_t self:netlink_generic_socket create_socket_perms;
+allow quota_nld_t self:unix_stream_socket create_stream_socket_perms;
manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t)
files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file })
@@ -121,11 +121,9 @@ init_read_utmp(quota_nld_t)
logging_send_syslog_msg(quota_nld_t)
-miscfiles_read_localization(quota_nld_t)
-
userdom_use_user_terminals(quota_nld_t)
optional_policy(`
- dbus_system_bus_client(quota_nld_t)
- dbus_connect_system_bus(quota_nld_t)
+ dbus_system_bus_client(quota_nld_t)
+ dbus_connect_system_bus(quota_nld_t)
')
diff --git a/rabbitmq.fc b/rabbitmq.fc
index c5ad6de76..44135d4d0 100644
--- a/rabbitmq.fc
+++ b/rabbitmq.fc
@@ -1,7 +1,8 @@
/etc/rc\.d/init\.d/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_initrc_exec_t,s0)
-/usr/lib/erlang/erts.*/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)
-/usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
+/usr/lib/systemd/system/rabbitmq-server.* -- gen_context(system_u:object_r:rabbitmq_unit_file_t,s0)
+
+/usr/lib/rabbitmq/lib/rabbitmq_server-.*/sbin/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_exec_t,s0)
/var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
diff --git a/rabbitmq.if b/rabbitmq.if
index 2c3d33896..7d49554eb 100644
--- a/rabbitmq.if
+++ b/rabbitmq.if
@@ -38,12 +38,12 @@ interface(`rabbitmq_domtrans',`
#
interface(`rabbitmq_admin',`
gen_require(`
- type rabbitmq_epmd_t, rabbitmq_beam_t, rabbitmq_initrc_exec_t;
+ type rabbitmq_t, rabbitmq_initrc_exec_t;
type rabbitmq_var_lib_t, rabbitmq_var_log_t, rabbitmq_var_run_t;
')
- allow $1 { rabbitmq_epmd_t rabbitmq_beam_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { rabbitmq_epmd_t rabbitmq_beam_t })
+ allow $1 { rabbitmq_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, rabbitmq_t)
init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/rabbitmq.te b/rabbitmq.te
index dc3b0ed87..37aa9a784 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
@@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.2)
# Declarations
#
-type rabbitmq_epmd_t;
-type rabbitmq_epmd_exec_t;
-init_daemon_domain(rabbitmq_epmd_t, rabbitmq_epmd_exec_t)
+type rabbitmq_t;
+type rabbitmq_exec_t;
+init_daemon_domain(rabbitmq_t, rabbitmq_exec_t)
-type rabbitmq_beam_t;
-type rabbitmq_beam_exec_t;
-init_daemon_domain(rabbitmq_beam_t, rabbitmq_beam_exec_t)
+typealias rabbitmq_t alias {rabbitmq_beam_t rabbitmq_epmd_t};
+
+type rabbitmq_unit_file_t;
+systemd_unit_file(rabbitmq_unit_file_t)
type rabbitmq_initrc_exec_t;
init_script_file(rabbitmq_initrc_exec_t)
@@ -19,6 +20,9 @@ init_script_file(rabbitmq_initrc_exec_t)
type rabbitmq_var_lib_t;
files_type(rabbitmq_var_lib_t)
+type rabbitmq_var_lock_t;
+files_lock_file(rabbitmq_var_lock_t)
+
type rabbitmq_var_log_t;
logging_log_file(rabbitmq_var_log_t)
@@ -27,98 +31,96 @@ files_pid_file(rabbitmq_var_run_t)
######################################
#
-# Beam local policy
+# Rabbitmq local policy
#
-allow rabbitmq_beam_t self:process { setsched signal signull };
-allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
-allow rabbitmq_beam_t self:tcp_socket { accept listen };
-
-manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
-manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
-
-manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-
-manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
-manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
-
-can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
-
-domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
-
-kernel_read_system_state(rabbitmq_beam_t)
-kernel_read_fs_sysctls(rabbitmq_beam_t)
-
-corecmd_exec_bin(rabbitmq_beam_t)
-corecmd_exec_shell(rabbitmq_beam_t)
-
-corenet_all_recvfrom_unlabeled(rabbitmq_beam_t)
-corenet_all_recvfrom_netlabel(rabbitmq_beam_t)
-corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t)
-corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t)
-corenet_tcp_bind_generic_node(rabbitmq_beam_t)
-
-corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
-corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
-
-corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
-corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
-corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
-
-corenet_sendrecv_couchdb_server_packets(rabbitmq_beam_t)
-corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
-corenet_tcp_sendrecv_couchdb_port(rabbitmq_beam_t)
-
-dev_read_sysfs(rabbitmq_beam_t)
-dev_read_urand(rabbitmq_beam_t)
-
-fs_getattr_all_fs(rabbitmq_beam_t)
-fs_search_cgroup_dirs(rabbitmq_beam_t)
-
-files_read_etc_files(rabbitmq_beam_t)
-
-storage_getattr_fixed_disk_dev(rabbitmq_beam_t)
-
-miscfiles_read_localization(rabbitmq_beam_t)
-
-sysnet_dns_name_resolve(rabbitmq_beam_t)
-
- optional_policy(`
- couchdb_manage_lib_files(rabbitmq_beam_t)
- couchdb_read_conf_files(rabbitmq_beam_t)
- couchdb_read_log_files(rabbitmq_beam_t)
- couchdb_read_pid_files(rabbitmq_beam_t)
- ')
-
-########################################
-#
-# Epmd local policy
-#
-
-
-allow rabbitmq_epmd_t self:process signal;
-allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
-allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
-
-allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
-
-corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
-corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
-corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t)
-corenet_tcp_sendrecv_generic_node(rabbitmq_epmd_t)
-corenet_tcp_bind_generic_node(rabbitmq_epmd_t)
-
-corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
-corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
-corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
-
-files_read_etc_files(rabbitmq_epmd_t)
-
-logging_send_syslog_msg(rabbitmq_epmd_t)
+allow rabbitmq_t self:capability setuid;
+
+allow rabbitmq_t self:process { setsched signal signull };
+allow rabbitmq_t self:fifo_file rw_fifo_file_perms;
+allow rabbitmq_t self:tcp_socket { accept listen };
+allow rabbitmq_t self:unix_dgram_socket { connect create getopt setopt write };
+
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+files_var_lib_filetrans(rabbitmq_t, rabbitmq_var_lib_t, { dir file })
+
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+logging_log_filetrans(rabbitmq_t, rabbitmq_var_log_t, { dir file })
+
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
+files_lock_filetrans(rabbitmq_t, rabbitmq_var_lock_t, file)
+
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+files_pid_filetrans(rabbitmq_t, rabbitmq_var_run_t, { dir file })
+
+kernel_dgram_send(rabbitmq_t)
+
+kernel_read_system_state(rabbitmq_t)
+kernel_read_fs_sysctls(rabbitmq_t)
+
+corecmd_exec_bin(rabbitmq_t)
+corecmd_exec_shell(rabbitmq_t)
+
+corenet_tcp_bind_generic_node(rabbitmq_t)
+corenet_udp_bind_generic_node(rabbitmq_t)
+corenet_all_recvfrom_unlabeled(rabbitmq_t)
+corenet_all_recvfrom_netlabel(rabbitmq_t)
+corenet_tcp_sendrecv_generic_if(rabbitmq_t)
+corenet_tcp_sendrecv_generic_node(rabbitmq_t)
+corenet_tcp_bind_generic_node(rabbitmq_t)
+corenet_tcp_connect_all_ephemeral_ports(rabbitmq_t)
+corenet_tcp_bind_all_ephemeral_ports(rabbitmq_t)
+corenet_sendrecv_amqp_server_packets(rabbitmq_t)
+corenet_sendrecv_epmd_client_packets(rabbitmq_t)
+corenet_tcp_sendrecv_amqp_port(rabbitmq_t)
+corenet_tcp_bind_amqp_port(rabbitmq_t)
+corenet_tcp_bind_epmd_port(rabbitmq_t)
+corenet_tcp_bind_jabber_client_port(rabbitmq_t)
+corenet_tcp_bind_jabber_interserver_port(rabbitmq_t)
+corenet_tcp_bind_rabbitmq_port(rabbitmq_t)
+corenet_tcp_connect_amqp_port(rabbitmq_t)
+corenet_tcp_connect_epmd_port(rabbitmq_t)
+corenet_tcp_connect_jabber_interserver_port(rabbitmq_t)
+corenet_tcp_sendrecv_epmd_port(rabbitmq_t)
+corenet_tcp_connect_http_port(rabbitmq_t)
+corenet_tcp_connect_rabbitmq_port(rabbitmq_t)
+
+domain_read_all_domains_state(rabbitmq_t)
+
+auth_read_passwd(rabbitmq_t)
+auth_use_pam(rabbitmq_t)
+files_getattr_all_mountpoints(rabbitmq_t)
+
+fs_getattr_all_fs(rabbitmq_t)
+fs_getattr_all_dirs(rabbitmq_t)
+fs_getattr_cgroup(rabbitmq_t)
+fs_search_cgroup_dirs(rabbitmq_t)
+
+dev_read_sysfs(rabbitmq_t)
+dev_read_urand(rabbitmq_t)
+
+storage_getattr_fixed_disk_dev(rabbitmq_t)
+
+sysnet_dns_name_resolve(rabbitmq_t)
+
+logging_send_syslog_msg(rabbitmq_t)
+
+optional_policy(`
+ dbus_system_bus_client(rabbitmq_t)
+')
+
+optional_policy(`
+ hostname_exec(rabbitmq_t)
+')
+
+optional_policy(`
+ rpc_read_nfs_state_data(rabbitmq_t)
+')
-miscfiles_read_localization(rabbitmq_epmd_t)
diff --git a/radius.fc b/radius.fc
index d447e8548..76ed794ce 100644
--- a/radius.fc
+++ b/radius.fc
@@ -9,7 +9,9 @@
/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
-/var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)
+/usr/lib/systemd/system/radiusd.* -- gen_context(system_u:object_r:radiusd_unit_file_t,s0)
+
+/var/lib/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)
/var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
/var/log/radacct(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
diff --git a/radius.if b/radius.if
index 44605825c..4c66c2502 100644
--- a/radius.if
+++ b/radius.if
@@ -14,6 +14,30 @@ interface(`radius_use',`
refpolicywarn(`$0($*) has been deprecated.')
')
+#######################################
+## <summary>
+## Execute radiusd server in the radiusd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`radiusd_systemctl',`
+ gen_require(`
+ type radiusd_unit_file_t;
+ type radiusd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 radiusd_unit_file_t:file read_file_perms;
+ allow $1 radiusd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, radiusd_t)
+')
+
########################################
## <summary>
## All of the rules required to
@@ -35,11 +59,14 @@ interface(`radius_admin',`
gen_require(`
type radiusd_t, radiusd_etc_t, radiusd_log_t;
type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
- type radiusd_initrc_exec_t;
+ type radiusd_initrc_exec_t, radiusd_unit_file_t;
')
- allow $1 radiusd_t:process { ptrace signal_perms };
+ allow $1 radiusd_t:process signal_perms;
ps_process_pattern($1, radiusd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 radiusd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -57,4 +84,9 @@ interface(`radius_admin',`
files_list_pids($1)
admin_pattern($1, radiusd_var_run_t)
+
+ admin_pattern($1, radiusd_unit_file_t)
+ bind_systemctl($1)
+ allow $1 radiusd_unit_file_t:service all_service_perms;
+
')
diff --git a/radius.te b/radius.te
index 403a4fed1..590926857 100644
--- a/radius.te
+++ b/radius.te
@@ -5,6 +5,13 @@ policy_module(radius, 1.13.0)
# Declarations
#
+## <desc>
+## <p>
+## Determine whether radius can use JIT compiler.
+## </p>
+## </desc>
+gen_tunable(radius_use_jit, false)
+
type radiusd_t;
type radiusd_exec_t;
init_daemon_domain(radiusd_t, radiusd_exec_t)
@@ -27,14 +34,17 @@ files_type(radiusd_var_lib_t)
type radiusd_var_run_t;
files_pid_file(radiusd_var_run_t)
+type radiusd_unit_file_t;
+systemd_unit_file(radiusd_unit_file_t)
+
########################################
#
# Local policy
#
-allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
+allow radiusd_t self:capability { chown dac_read_search fsetid kill setgid setuid sys_resource sys_tty_config sys_ptrace };
dontaudit radiusd_t self:capability sys_tty_config;
-allow radiusd_t self:process { getsched setrlimit setsched sigkill signal };
+allow radiusd_t self:process { getsched setrlimit setsched sigkill signal};
allow radiusd_t self:fifo_file rw_fifo_file_perms;
allow radiusd_t self:unix_stream_socket { accept listen };
allow radiusd_t self:tcp_socket { accept listen };
@@ -43,15 +53,17 @@ allow radiusd_t radiusd_etc_t:dir list_dir_perms;
allow radiusd_t radiusd_etc_t:file read_file_perms;
allow radiusd_t radiusd_etc_t:lnk_file read_lnk_file_perms;
+tunable_policy(`deny_ptrace',`',`
+ allow radiusd_t self:process ptrace;
+')
+
manage_dirs_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
manage_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file })
manage_dirs_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
-append_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
-create_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
-setattr_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
+manage_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
logging_log_filetrans(radiusd_t, radiusd_log_t, { file dir })
manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t)
@@ -60,11 +72,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir })
+files_dontaudit_list_tmp(radiusd_t)
kernel_read_kernel_sysctls(radiusd_t)
kernel_read_system_state(radiusd_t)
-corenet_all_recvfrom_unlabeled(radiusd_t)
corenet_all_recvfrom_netlabel(radiusd_t)
corenet_tcp_sendrecv_generic_if(radiusd_t)
corenet_udp_sendrecv_generic_if(radiusd_t)
@@ -74,12 +86,22 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
corenet_udp_sendrecv_all_ports(radiusd_t)
corenet_udp_bind_generic_node(radiusd_t)
+corenet_tcp_connect_postgresql_port(radiusd_t)
+corenet_tcp_connect_http_port(radiusd_t)
+
corenet_sendrecv_radacct_server_packets(radiusd_t)
+corenet_tcp_bind_radacct_port(radiusd_t)
corenet_udp_bind_radacct_port(radiusd_t)
corenet_sendrecv_radius_server_packets(radiusd_t)
+corenet_tcp_bind_radius_port(radiusd_t)
corenet_udp_bind_radius_port(radiusd_t)
+corenet_sendrecv_radsec_server_packets(radiusd_t)
+corenet_tcp_bind_radsec_port(radiusd_t)
+corenet_udp_bind_radsec_port(radiusd_t)
+corenet_tcp_connect_radsec_port(radiusd_t)
+
corenet_sendrecv_snmp_client_packets(radiusd_t)
corenet_tcp_connect_snmp_port(radiusd_t)
@@ -97,7 +119,6 @@ domain_use_interactive_fds(radiusd_t)
fs_getattr_all_fs(radiusd_t)
fs_search_auto_mountpoints(radiusd_t)
-files_read_usr_files(radiusd_t)
files_read_etc_runtime_files(radiusd_t)
files_dontaudit_list_tmp(radiusd_t)
@@ -109,7 +130,6 @@ libs_exec_lib_files(radiusd_t)
logging_send_syslog_msg(radiusd_t)
-miscfiles_read_localization(radiusd_t)
miscfiles_read_generic_certs(radiusd_t)
sysnet_use_ldap(radiusd_t)
@@ -117,11 +137,22 @@ sysnet_use_ldap(radiusd_t)
userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
userdom_dontaudit_search_user_home_dirs(radiusd_t)
+tunable_policy(`radius_use_jit',`
+ allow radiusd_t self:process execmem;
+',`
+ dontaudit radiusd_t self:process execmem;
+')
+
optional_policy(`
cron_system_entry(radiusd_t, radiusd_exec_t)
')
optional_policy(`
+ kerberos_tmp_filetrans_host_rcache(radiusd_t, "host_0")
+ kerberos_manage_host_rcache(radiusd_t)
+')
+
+optional_policy(`
logrotate_exec(radiusd_t)
')
@@ -132,6 +163,11 @@ optional_policy(`
')
optional_policy(`
+ postgresql_stream_connect(radiusd_t)
+ postgresql_tcp_connect(radiusd_t)
+')
+
+optional_policy(`
samba_domtrans_winbind_helper(radiusd_t)
')
@@ -140,5 +176,10 @@ optional_policy(`
')
optional_policy(`
+ snmp_read_snmp_var_lib_files(radiusd_t)
+ snmp_read_snmp_var_lib_files(radiusd_t)
+')
+
+optional_policy(`
udev_read_db(radiusd_t)
')
diff --git a/radvd.if b/radvd.if
index ac7058d1e..48739ac1b 100644
--- a/radvd.if
+++ b/radvd.if
@@ -1,5 +1,24 @@
## <summary>IPv6 router advertisement daemon.</summary>
+######################################
+## <summary>
+## Read radvd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`radvd_read_pid_files',`
+ gen_require(`
+ type radvd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, radvd_var_run_t, radvd_var_run_t)
+')
+
########################################
## <summary>
## All of the rules required to
@@ -23,8 +42,11 @@ interface(`radvd_admin',`
type radvd_var_run_t;
')
- allow $1 radvd_t:process { ptrace signal_perms };
+ allow $1 radvd_t:process signal_perms;
ps_process_pattern($1, radvd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 radvd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, radvd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/radvd.te b/radvd.te
index 6d162e4e6..01b5af0e0 100644
--- a/radvd.te
+++ b/radvd.te
@@ -22,7 +22,7 @@ files_pid_file(radvd_var_run_t)
# Local policy
#
-allow radvd_t self:capability { kill setgid setuid net_raw net_admin };
+allow radvd_t self:capability { kill setgid setuid net_raw net_admin dac_read_search };
dontaudit radvd_t self:capability sys_tty_config;
allow radvd_t self:process signal_perms;
allow radvd_t self:fifo_file rw_fifo_file_perms;
@@ -65,8 +65,6 @@ auth_use_nsswitch(radvd_t)
logging_send_syslog_msg(radvd_t)
-miscfiles_read_localization(radvd_t)
-
userdom_dontaudit_use_unpriv_user_fds(radvd_t)
userdom_dontaudit_search_user_home_dirs(radvd_t)
diff --git a/raid.fc b/raid.fc
index 5806046b1..2a4769ff4 100644
--- a/raid.fc
+++ b/raid.fc
@@ -3,6 +3,12 @@
/etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0)
+/etc/mdadm\.conf -- gen_context(system_u:object_r:mdadm_conf_t,s0)
+/etc/mdadm\.conf\.anacbak -- gen_context(system_u:object_r:mdadm_conf_t,s0)
+
+/usr/lib/systemd/system/mdmon@.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0)
+/usr/lib/systemd/system/mdmonitor.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0)
+
/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
@@ -16,6 +22,10 @@
/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/sbin/mdmon -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/var/log/iprdbg -- gen_context(system_u:object_r:mdadm_log_t,s0)
+/var/log/iprdump.* -- gen_context(system_u:object_r:mdadm_log_t,s0)
+
/var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
diff --git a/raid.if b/raid.if
index 951db7f1b..65666b765 100644
--- a/raid.if
+++ b/raid.if
@@ -1,9 +1,8 @@
-## <summary>RAID array management tools.</summary>
+## <summary>RAID array management tools</summary>
########################################
## <summary>
-## Execute software raid tools in
-## the mdadm domain.
+## Execute software raid tools in the mdadm domain.
## </summary>
## <param name="domain">
## <summary>
@@ -22,34 +21,57 @@ interface(`raid_domtrans_mdadm',`
######################################
## <summary>
-## Execute mdadm in the mdadm
-## domain, and allow the specified
-## role the mdadm domain.
+## Execute a domain transition to mdadm_t for the
+## specified role, allowing it to use the mdadm_t
+## domain
## </summary>
## <param name="role">
## <summary>
-## Role allowed access.
+## Role allowed to access mdadm_t domain
## </summary>
## </param>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed to transition to mdadm_t
## </summary>
## </param>
#
interface(`raid_run_mdadm',`
gen_require(`
- attribute_role mdadm_roles;
+ type mdadm_t;
')
+ role $1 types mdadm_t;
raid_domtrans_mdadm($2)
- roleattribute $1 mdadm_roles;
+')
+
+######################################
+## <summary>
+## Execute mdadm server in the mdadm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mdadm_systemctl',`
+ gen_require(`
+ type mdadm_t;
+ type mdadm_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 mdadm_unit_file_t:file read_file_perms;
+ allow $1 mdadm_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, mdadm_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## mdadm pid files.
+## read the mdadm pid files.
## </summary>
## <param name="domain">
## <summary>
@@ -57,47 +79,131 @@ interface(`raid_run_mdadm',`
## </summary>
## </param>
#
+interface(`raid_read_mdadm_pid',`
+ gen_require(`
+ type mdadm_var_run_t;
+ ')
+
+ read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the mdadm pid files.
+## </summary>
+## <desc>
+## <p>
+## Create, read, write, and delete the mdadm pid files.
+## </p>
+## <p>
+## Added for use in the init module.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
interface(`raid_manage_mdadm_pid',`
gen_require(`
type mdadm_var_run_t;
')
- files_search_pids($1)
+ # FIXME: maybe should have a type_transition. not
+ # clear what this is doing, from the original
+ # mdadm policy
allow $1 mdadm_var_run_t:file manage_file_perms;
')
+#######################################
+## <summary>
+## Check access to the mdadm executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`raid_access_check_mdadm',`
+ gen_require(`
+ type mdadm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ allow $1 mdadm_exec_t:file { getattr_file_perms execute };
+')
+
########################################
## <summary>
-## All of the rules required to
-## administrate an mdadm environment.
+## Read mdadm config files.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+#
+interface(`raid_read_conf_files',`
+ gen_require(`
+ type mdadm_conf_t;
+ ')
+
+ read_files_pattern($1, mdadm_conf_t, mdadm_conf_t)
+')
+
+########################################
+## <summary>
+## Manage mdadm config files.
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`raid_admin_mdadm',`
+interface(`raid_manage_conf_files',`
gen_require(`
- type mdadm_t, mdadm_initrc_exec_t, mdadm_var_run_t;
+ type mdadm_conf_t;
')
- allow $1 mdadm_t:process { ptrace signal_perms };
- ps_process_pattern($1, mdadm_t)
+ manage_files_pattern($1, mdadm_conf_t, mdadm_conf_t)
+')
+
+########################################
+## <summary>
+## Transition to mdadm named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`raid_filetrans_named_content',`
+ gen_require(`
+ type mdadm_conf_t;
+ ')
- init_labeled_script_domtrans($1, mdadm_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mdadm_initrc_exec_t system_r;
- allow $2 system_r;
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak")
+')
- files_search_pids($1)
- admin_pattern($1, mdadm_var_run_t)
+########################################
+## <summary>
+## Relabel from mdadm_var_run_t sock file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`raid_relabel_mdadm_var_run_content',`
+ gen_require(`
+ type mdadm_var_run_t;
+ ')
- raid_run_mdadm($2, $1)
+ allow $1 mdadm_var_run_t:sock_file relabel_sock_file_perms;
')
diff --git a/raid.te b/raid.te
index c99753f2c..082d5f686 100644
--- a/raid.te
+++ b/raid.te
@@ -15,54 +15,104 @@ role mdadm_roles types mdadm_t;
type mdadm_initrc_exec_t;
init_script_file(mdadm_initrc_exec_t)
+type mdadm_conf_t;
+files_config_file(mdadm_conf_t)
+
+type mdadm_unit_file_t;
+systemd_unit_file(mdadm_unit_file_t)
+
+type mdadm_tmp_t;
+files_tmp_file(mdadm_tmp_t)
+
+type mdadm_tmpfs_t;
+files_tmpfs_file(mdadm_tmpfs_t)
+
type mdadm_var_run_t alias mdadm_map_t;
files_pid_file(mdadm_var_run_t)
dev_associate(mdadm_var_run_t)
+type mdadm_log_t;
+logging_log_file(mdadm_log_t)
+
########################################
#
# Local policy
#
-allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
-dontaudit mdadm_t self:capability sys_tty_config;
-allow mdadm_t self:process { getsched setsched signal_perms };
+allow mdadm_t self:capability { dac_read_search sys_admin ipc_lock };
+dontaudit mdadm_t self:capability { sys_tty_config sys_ptrace };
+allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal };
allow mdadm_t self:fifo_file rw_fifo_file_perms;
allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow mdadm_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+manage_files_pattern(mdadm_t, mdadm_conf_t, mdadm_conf_t)
+files_etc_filetrans(mdadm_t, mdadm_conf_t, file, "mdadm.conf")
+files_etc_filetrans(mdadm_t, mdadm_conf_t, file, "mdadm.conf.anacbak")
+
+manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
+manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
+files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file)
+
+manage_files_pattern(mdadm_t, mdadm_tmpfs_t, mdadm_tmpfs_t)
+manage_dirs_pattern(mdadm_t, mdadm_tmpfs_t, mdadm_tmpfs_t)
+fs_tmpfs_filetrans(mdadm_t, mdadm_tmpfs_t, { dir file })
manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
-dev_filetrans(mdadm_t, mdadm_var_run_t, file)
-files_pid_filetrans(mdadm_t, mdadm_var_run_t, { dir file })
+files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir })
+dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })
+
+manage_files_pattern(mdadm_t, mdadm_log_t, mdadm_log_t)
+logging_log_filetrans(mdadm_t, mdadm_log_t, file)
+
+can_exec(mdadm_t, mdadm_exec_t)
kernel_getattr_core_if(mdadm_t)
kernel_read_system_state(mdadm_t)
kernel_read_kernel_sysctls(mdadm_t)
kernel_request_load_module(mdadm_t)
kernel_rw_software_raid_state(mdadm_t)
+kernel_dontaudit_setsched(mdadm_t)
+kernel_signal(mdadm_t)
+kernel_signull(mdadm_t)
+kernel_stream_connect(mdadm_t)
corecmd_exec_bin(mdadm_t)
corecmd_exec_shell(mdadm_t)
dev_rw_sysfs(mdadm_t)
-dev_dontaudit_getattr_all_blk_files(mdadm_t)
-dev_dontaudit_getattr_all_chr_files(mdadm_t)
+dev_dontaudit_read_all_blk_files(mdadm_t)
+dev_dontaudit_read_all_chr_files(mdadm_t)
+dev_getattr_all(mdadm_t)
+dev_read_crash(mdadm_t)
+dev_read_framebuffer(mdadm_t)
dev_read_realtime_clock(mdadm_t)
dev_read_raw_memory(mdadm_t)
-
+dev_read_kvm(mdadm_t)
+dev_read_mei(mdadm_t)
+dev_read_nvram(mdadm_t)
+dev_read_generic_files(mdadm_t)
+dev_read_generic_usb_dev(mdadm_t)
+dev_read_urand(mdadm_t)
+dev_read_rand(mdadm_t)
+dev_rw_nvme(mdadm_t)
+
+domain_read_all_domains_state(mdadm_t)
domain_use_interactive_fds(mdadm_t)
-files_read_etc_files(mdadm_t)
files_read_etc_runtime_files(mdadm_t)
-files_dontaudit_getattr_all_files(mdadm_t)
+files_dontaudit_getattr_tmpfs_files(mdadm_t)
fs_getattr_all_fs(mdadm_t)
fs_list_auto_mountpoints(mdadm_t)
fs_list_hugetlbfs(mdadm_t)
fs_rw_cgroup_files(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
+fs_manage_cgroup_files(mdadm_t)
+fs_read_efivarfs_files(mdadm_t)
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
@@ -71,15 +121,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
+storage_raw_read_removable_device(mdadm_t)
+storage_tmp_filetrans_fixed_disk(mdadm_t)
term_dontaudit_list_ptys(mdadm_t)
term_dontaudit_use_unallocated_ttys(mdadm_t)
+auth_use_nsswitch(mdadm_t)
+
init_dontaudit_getattr_initctl(mdadm_t)
+init_getattr_script_status_files(mdadm_t)
+logging_dontaudit_getattr_all_logs(mdadm_t)
logging_send_syslog_msg(mdadm_t)
-miscfiles_read_localization(mdadm_t)
+systemd_exec_systemctl(mdadm_t)
+systemd_start_systemd_services(mdadm_t)
+
+term_use_generic_ptys(mdadm_t)
+term_use_unallocated_ttys(mdadm_t)
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
@@ -90,17 +150,38 @@ optional_policy(`
')
optional_policy(`
+ dbus_system_bus_client(mdadm_t)
+')
+
+optional_policy(`
gpm_dontaudit_getattr_gpmctl(mdadm_t)
')
optional_policy(`
+ kdump_manage_kdumpctl_tmp_files(mdadm_t)
+ kdump_rw_lock(mdadm_t)
+')
+
+optional_policy(`
mta_send_mail(mdadm_t)
')
optional_policy(`
+ mdadm_systemctl(mdadm_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(mdadm_t)
')
optional_policy(`
udev_read_db(mdadm_t)
')
+
+optional_policy(`
+ virt_read_blk_images(mdadm_t)
+')
+
+optional_policy(`
+ xserver_dontaudit_search_log(mdadm_t)
+')
diff --git a/rasdaemon.fc b/rasdaemon.fc
new file mode 100644
index 000000000..8e31dd042
--- /dev/null
+++ b/rasdaemon.fc
@@ -0,0 +1,9 @@
+/usr/lib/systemd/system/ras-mc-ctl.* -- gen_context(system_u:object_r:rasdaemon_unit_file_t,s0)
+
+/usr/lib/systemd/system/rasdaemon.* -- gen_context(system_u:object_r:rasdaemon_unit_file_t,s0)
+
+/usr/sbin/rasdaemon -- gen_context(system_u:object_r:rasdaemon_exec_t,s0)
+
+/usr/sbin/ras-mc-ctl -- gen_context(system_u:object_r:rasdaemon_exec_t,s0)
+
+/var/lib/rasdaemon(/.*)? gen_context(system_u:object_r:rasdaemon_var_lib_t,s0)
diff --git a/rasdaemon.if b/rasdaemon.if
new file mode 100644
index 000000000..d57006d9c
--- /dev/null
+++ b/rasdaemon.if
@@ -0,0 +1,157 @@
+
+## <summary>The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the rasdaemon domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rasdaemon_domtrans',`
+ gen_require(`
+ type rasdaemon_t, rasdaemon_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rasdaemon_exec_t, rasdaemon_t)
+')
+
+########################################
+## <summary>
+## Search rasdaemon lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rasdaemon_search_lib',`
+ gen_require(`
+ type rasdaemon_var_lib_t;
+ ')
+
+ allow $1 rasdaemon_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read rasdaemon lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rasdaemon_read_lib_files',`
+ gen_require(`
+ type rasdaemon_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage rasdaemon lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rasdaemon_manage_lib_files',`
+ gen_require(`
+ type rasdaemon_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage rasdaemon lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rasdaemon_manage_lib_dirs',`
+ gen_require(`
+ type rasdaemon_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
+')
+
+########################################
+## <summary>
+## Execute rasdaemon server in the rasdaemon domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rasdaemon_systemctl',`
+ gen_require(`
+ type rasdaemon_t;
+ type rasdaemon_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 rasdaemon_unit_file_t:file read_file_perms;
+ allow $1 rasdaemon_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, rasdaemon_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an rasdaemon environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rasdaemon_admin',`
+ gen_require(`
+ type rasdaemon_t;
+ type rasdaemon_var_lib_t;
+ type rasdaemon_unit_file_t;
+ ')
+
+ allow $1 rasdaemon_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rasdaemon_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, rasdaemon_var_lib_t)
+
+ rasdaemon_systemctl($1)
+ admin_pattern($1, rasdaemon_unit_file_t)
+ allow $1 rasdaemon_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/rasdaemon.te b/rasdaemon.te
new file mode 100644
index 000000000..dcdca4448
--- /dev/null
+++ b/rasdaemon.te
@@ -0,0 +1,51 @@
+policy_module(rasdaemon, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rasdaemon_t;
+type rasdaemon_exec_t;
+init_daemon_domain(rasdaemon_t, rasdaemon_exec_t)
+
+type rasdaemon_var_lib_t;
+files_type(rasdaemon_var_lib_t)
+
+type rasdaemon_unit_file_t;
+systemd_unit_file(rasdaemon_unit_file_t)
+
+########################################
+#
+# rasdaemon local policy
+#
+allow rasdaemon_t self:fifo_file rw_fifo_file_perms;
+allow rasdaemon_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rasdaemon_t, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
+manage_files_pattern(rasdaemon_t, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
+files_var_lib_filetrans(rasdaemon_t, rasdaemon_var_lib_t, { dir file })
+
+kernel_read_system_state(rasdaemon_t)
+kernel_manage_debugfs(rasdaemon_t)
+
+dev_read_raw_memory(rasdaemon_t)
+dev_read_sysfs(rasdaemon_t)
+dev_read_urand(rasdaemon_t)
+dev_rw_cpu_microcode(rasdaemon_t)
+
+fs_rw_tracefs_files(rasdaemon_t)
+fs_manage_tracefs_dirs(rasdaemon_t)
+fs_mount_tracefs(rasdaemon_t)
+fs_unmount_tracefs(rasdaemon_t)
+
+modutils_dontaudit_exec_insmod(rasdaemon_t) # more info here #1030277
+
+auth_use_nsswitch(rasdaemon_t)
+
+logging_send_syslog_msg(rasdaemon_t)
+
+optional_policy(`
+ dmidecode_exec(rasdaemon_t)
+')
+
diff --git a/razor.fc b/razor.fc
index 6723f4d3b..6e2667392 100644
--- a/razor.fc
+++ b/razor.fc
@@ -1,9 +1,9 @@
-HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
+#/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
+#HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
-/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
+#/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
-/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0)
+#/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0)
-/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0)
-
-/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0)
+#/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0)
+#/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0)
diff --git a/razor.if b/razor.if
index 1e4b523bf..fee3b7cd1 100644
--- a/razor.if
+++ b/razor.if
@@ -1,72 +1,147 @@
## <summary>A distributed, collaborative, spam detection and filtering network.</summary>
+## <desc>
+## <p>
+## A distributed, collaborative, spam detection and filtering network.
+## </p>
+## <p>
+## This policy will work with either the ATrpms provided config
+## file in /etc/razor, or with the default of dumping everything into
+## $HOME/.razor.
+## </p>
+## </desc>
#######################################
## <summary>
-## The template to define a razor domain.
+## Template to create types and rules common to
+## all razor domains.
## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
## <summary>
-## Domain prefix to be used.
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
## </summary>
## </param>
#
template(`razor_common_domain_template',`
gen_require(`
- attribute razor_domain;
- type razor_exec_t;
+ type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
')
- ########################################
- #
- # Declarations
- #
-
- type $1_t, razor_domain;
+ type $1_t;
domain_type($1_t)
domain_entry_file($1_t, razor_exec_t)
- ########################################
- #
- # Declarations
- #
-
- auth_use_nsswitch($1_t)
+ allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_t self:fd use;
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+ allow $1_t self:unix_dgram_socket create_socket_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:unix_dgram_socket sendto;
+ allow $1_t self:unix_stream_socket connectto;
+ allow $1_t self:shm create_shm_perms;
+ allow $1_t self:sem create_sem_perms;
+ allow $1_t self:msgq create_msgq_perms;
+ allow $1_t self:msg { send receive };
+ allow $1_t self:tcp_socket create_socket_perms;
+
+ # Read system config file
+ allow $1_t razor_etc_t:dir list_dir_perms;
+ allow $1_t razor_etc_t:file read_file_perms;
+ allow $1_t razor_etc_t:lnk_file read_lnk_file_perms;
+
+ manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
+ manage_files_pattern($1_t, razor_log_t, razor_log_t)
+ manage_lnk_files_pattern($1_t, razor_log_t, razor_log_t)
+ logging_log_filetrans($1_t, razor_log_t, file)
+
+ manage_dirs_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
+ manage_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
+ manage_lnk_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
+ files_search_var_lib($1_t)
+
+ # Razor is one executable and several symlinks
+ allow $1_t razor_exec_t:file read_file_perms;
+ allow $1_t razor_exec_t:lnk_file read_lnk_file_perms;
+
+ kernel_read_system_state($1_t)
+ kernel_read_network_state($1_t)
+ kernel_read_software_raid_state($1_t)
+ kernel_getattr_core_if($1_t)
+ kernel_getattr_message_if($1_t)
+ kernel_read_kernel_sysctls($1_t)
+
+ corecmd_exec_bin($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+ corenet_tcp_sendrecv_generic_if($1_t)
+ corenet_raw_sendrecv_generic_if($1_t)
+ corenet_tcp_sendrecv_generic_node($1_t)
+ corenet_raw_sendrecv_generic_node($1_t)
+ corenet_tcp_sendrecv_razor_port($1_t)
+
+ # mktemp and other randoms
+ dev_read_rand($1_t)
+ dev_read_urand($1_t)
+
+ files_search_pids($1_t)
+ # Allow access to various files in the /etc/directory including mtab
+ # and nsswitch
+ files_read_etc_files($1_t)
+ files_read_etc_runtime_files($1_t)
+
+ fs_search_auto_mountpoints($1_t)
+
+ libs_read_lib_files($1_t)
+
+
+ sysnet_read_config($1_t)
+ sysnet_dns_name_resolve($1_t)
+
+ optional_policy(`
+ nis_use_ypbind($1_t)
+ ')
')
########################################
## <summary>
-## Role access for razor.
+## Role access for razor
## </summary>
## <param name="role">
## <summary>
-## Role allowed access.
+## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
-## User domain for the role.
+## User domain for the role
## </summary>
## </param>
+## <rolecap/>
#
interface(`razor_role',`
gen_require(`
- attribute_role razor_roles;
type razor_t, razor_exec_t, razor_home_t;
- type razor_tmp_t;
')
- roleattribute $1 razor_roles;
+ role $1 types razor_t;
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, razor_exec_t, razor_t)
+ # allow ps to show razor and allow the user to kill it
ps_process_pattern($2, razor_t)
- allow $2 razor_t:process signal;
-
- allow $2 { razor_home_t razor_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { razor_home_t razor_tmp_t }:file { manage_file_perms relabel_file_perms };
- allow $2 razor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 razor_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 razor_t:process ptrace;
+ ')
- userdom_user_home_dir_filetrans($2, razor_home_t, dir, ".razor")
+ manage_dirs_pattern($2, razor_home_t, razor_home_t)
+ manage_files_pattern($2, razor_home_t, razor_home_t)
+ manage_lnk_files_pattern($2, razor_home_t, razor_home_t)
+ relabel_dirs_pattern($2, razor_home_t, razor_home_t)
+ relabel_files_pattern($2, razor_home_t, razor_home_t)
+ relabel_lnk_files_pattern($2, razor_home_t, razor_home_t)
')
########################################
@@ -81,17 +156,16 @@ interface(`razor_role',`
#
interface(`razor_domtrans',`
gen_require(`
- type system_razor_t, razor_exec_t;
+ type razor_t, razor_exec_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, razor_exec_t, system_razor_t)
+ domtrans_pattern($1, razor_exec_t, razor_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## razor home content.
+## Create, read, write, and delete razor files
+## in a user home subdirectory.
## </summary>
## <param name="domain">
## <summary>
@@ -99,20 +173,19 @@ interface(`razor_domtrans',`
## </summary>
## </param>
#
-interface(`razor_manage_home_content',`
+interface(`razor_manage_user_home_files',`
gen_require(`
type razor_home_t;
')
userdom_search_user_home_dirs($1)
- allow $1 razor_home_t:dir manage_dir_perms;
- allow $1 razor_home_t:file manage_file_perms;
- allow $1 razor_home_t:lnk_file manage_lnk_file_perms;
+ manage_files_pattern($1, razor_home_t, razor_home_t)
+ read_lnk_files_pattern($1, razor_home_t, razor_home_t)
')
########################################
## <summary>
-## Read razor lib files.
+## read razor lib files.
## </summary>
## <param name="domain">
## <summary>
diff --git a/razor.te b/razor.te
index 68455f909..38f69685c 100644
--- a/razor.te
+++ b/razor.te
@@ -5,135 +5,124 @@ policy_module(razor, 2.4.0)
# Declarations
#
-attribute razor_domain;
+ifdef(`distro_redhat',`
+ gen_require(`
+ type spamc_t, spamc_exec_t, spamd_log_t;
+ type spamd_spool_t, spamd_var_lib_t, spamd_etc_t;
+ type spamc_home_t, spamc_tmp_t;
+ ')
+
+ typealias spamc_t alias razor_t;
+ typealias spamc_exec_t alias razor_exec_t;
+ typealias spamd_log_t alias razor_log_t;
+ typealias spamd_var_lib_t alias razor_var_lib_t;
+ typealias spamd_etc_t alias razor_etc_t;
+ typealias spamc_home_t alias razor_home_t;
+ typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+ typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+ typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+ typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+',`
+ type razor_exec_t;
+ corecmd_executable_file(razor_exec_t)
+
+ type razor_etc_t;
+ files_config_file(razor_etc_t)
+
+ type razor_home_t;
+ typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+ typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+ userdom_user_home_content(razor_home_t)
+
+ type razor_log_t;
+ logging_log_file(razor_log_t)
+
+ type razor_tmp_t;
+ typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+ typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+ files_tmp_file(razor_tmp_t)
+ ubac_constrained(razor_tmp_t)
+
+ type razor_var_lib_t;
+ files_type(razor_var_lib_t)
+
+ # these are here due to ordering issues:
+ razor_common_domain_template(razor)
+ typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
+ typealias razor_t alias { auditadm_razor_t secadm_razor_t };
+ ubac_constrained(razor_t)
+
+ razor_common_domain_template(system_razor)
+ role system_r types system_razor_t;
+
+ ########################################
+ #
+ # System razor local policy
+ #
+
+ # this version of razor is invoked typically
+ # via the system spam filter
+
+ allow system_razor_t self:tcp_socket create_socket_perms;
+
+ manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+ manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+ manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+ files_search_etc(system_razor_t)
+
+ allow system_razor_t razor_log_t:file manage_file_perms;
+ logging_log_filetrans(system_razor_t, razor_log_t, file)
+
+ manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
+ files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
+
+ corenet_all_recvfrom_netlabel(system_razor_t)
+ corenet_tcp_sendrecv_generic_if(system_razor_t)
+ corenet_raw_sendrecv_generic_if(system_razor_t)
+ corenet_tcp_sendrecv_generic_node(system_razor_t)
+ corenet_raw_sendrecv_generic_node(system_razor_t)
+ corenet_tcp_sendrecv_razor_port(system_razor_t)
+ corenet_tcp_connect_razor_port(system_razor_t)
+ corenet_sendrecv_razor_client_packets(system_razor_t)
+
+ auth_use_nsswitch(system_razor_t)
+
+ # cjp: this shouldn't be needed
+ userdom_use_unpriv_users_fds(system_razor_t)
+
+ optional_policy(`
+ logging_send_syslog_msg(system_razor_t)
+ ')
+
+ ########################################
+ #
+ # User razor local policy
+ #
+
+ # Allow razor to be run by hand. Needed by any action other than
+ # invocation from a spam filter.
+
+ allow razor_t self:unix_stream_socket create_stream_socket_perms;
+
+ manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
+ manage_files_pattern(razor_t, razor_home_t, razor_home_t)
+ manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
+ userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
+
+ manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+ manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+ files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
+
+ auth_use_nsswitch(razor_t)
-attribute_role razor_roles;
+ logging_send_syslog_msg(razor_t)
-type razor_exec_t;
-corecmd_executable_file(razor_exec_t)
+ userdom_search_user_home_dirs(razor_t)
+ userdom_use_inherited_user_terminals(razor_t)
-type razor_etc_t;
-files_config_file(razor_etc_t)
+ userdom_home_manager(razor_t)
-type razor_home_t;
-typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
-typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
-userdom_user_home_content(razor_home_t)
-
-type razor_log_t;
-logging_log_file(razor_log_t)
-
-type razor_tmp_t;
-typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
-typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
-userdom_user_tmp_file(razor_tmp_t)
-
-type razor_var_lib_t;
-files_type(razor_var_lib_t)
-
-razor_common_domain_template(razor)
-typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
-typealias razor_t alias { auditadm_razor_t secadm_razor_t };
-userdom_user_application_type(razor_t)
-role razor_roles types razor_t;
-
-razor_common_domain_template(system_razor)
-role system_r types system_razor_t;
-
-########################################
-#
-# Common razor domain local policy
-#
-
-allow razor_domain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow razor_domain self:fd use;
-allow razor_domain self:fifo_file rw_fifo_file_perms;
-allow razor_domain self:unix_dgram_socket sendto;
-allow razor_domain self:unix_stream_socket { accept connectto listen };
-
-allow razor_domain razor_etc_t:dir list_dir_perms;
-allow razor_domain razor_etc_t:file read_file_perms;
-allow razor_domain razor_etc_t:lnk_file read_lnk_file_perms;
-
-allow razor_domain razor_exec_t:file read_file_perms;
-allow razor_domain razor_exec_t:lnk_file read_lnk_file_perms;
-
-kernel_read_system_state(razor_domain)
-kernel_read_network_state(razor_domain)
-kernel_read_software_raid_state(razor_domain)
-kernel_getattr_core_if(razor_domain)
-kernel_getattr_message_if(razor_domain)
-kernel_read_kernel_sysctls(razor_domain)
-
-corecmd_exec_bin(razor_domain)
-
-corenet_all_recvfrom_unlabeled(razor_domain)
-corenet_all_recvfrom_netlabel(razor_domain)
-corenet_tcp_sendrecv_generic_if(razor_domain)
-corenet_tcp_sendrecv_generic_node(razor_domain)
-
-corenet_tcp_sendrecv_razor_port(razor_domain)
-corenet_tcp_connect_razor_port(razor_domain)
-corenet_sendrecv_razor_client_packets(razor_domain)
-
-dev_read_rand(razor_domain)
-dev_read_urand(razor_domain)
-
-files_read_etc_runtime_files(razor_domain)
-
-libs_read_lib_files(razor_domain)
-
-miscfiles_read_localization(razor_domain)
-
-########################################
-#
-# System local policy
-#
-
-manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-
-manage_dirs_pattern(system_razor_t, razor_log_t, razor_log_t)
-append_files_pattern(system_razor_t, razor_log_t, razor_log_t)
-create_files_pattern(system_razor_t, razor_log_t, razor_log_t)
-setattr_files_pattern(system_razor_t, razor_log_t, razor_log_t)
-manage_lnk_files_pattern(system_razor_t, razor_log_t, razor_log_t)
-logging_log_filetrans(system_razor_t, razor_log_t, file)
-
-manage_dirs_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
-manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
-manage_lnk_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
-files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
-
-########################################
-#
-# Session local policy
-#
-
-manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
-manage_files_pattern(razor_t, razor_home_t, razor_home_t)
-manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
-userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir, ".razor")
-
-manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
-manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
-files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
-
-fs_getattr_all_fs(razor_t)
-fs_search_auto_mountpoints(razor_t)
-
-userdom_use_unpriv_users_fds(razor_t)
-userdom_use_user_terminals(razor_t)
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(razor_t)
- fs_manage_nfs_files(razor_t)
- fs_manage_nfs_symlinks(razor_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(razor_t)
- fs_manage_cifs_files(razor_t)
- fs_manage_cifs_symlinks(razor_t)
+ optional_policy(`
+ milter_manage_spamass_state(razor_t)
+ ')
')
diff --git a/rdisc.fc b/rdisc.fc
index e9765c0f2..ea21331d8 100644
--- a/rdisc.fc
+++ b/rdisc.fc
@@ -1,3 +1,3 @@
-/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
+/usr/lib/systemd/system/rdisc.* -- gen_context(system_u:object_r:rdisc_unit_file_t,s0)
/usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
diff --git a/rdisc.if b/rdisc.if
index 170ef52fb..28ccc4a75 100644
--- a/rdisc.if
+++ b/rdisc.if
@@ -18,3 +18,58 @@ interface(`rdisc_exec',`
corecmd_search_bin($1)
can_exec($1, rdisc_exec_t)
')
+
+########################################
+## <summary>
+## Execute rdisc server in the rdisc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rdisc_systemctl',`
+ gen_require(`
+ type rdisc_t;
+ type rdisc_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 rdisc_unit_file_t:file read_file_perms;
+ allow $1 rdisc_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, rdisc_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an rdisc environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rdisc_admin',`
+ gen_require(`
+ type rdisc_t;
+ type rdisc_unit_file_t;
+ ')
+
+ allow $1 rdisc_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rdisc_t)
+
+ rdisc_systemctl($1)
+ admin_pattern($1, rdisc_unit_file_t)
+ allow $1 rdisc_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/rdisc.te b/rdisc.te
index 9196c1dbb..b7759316f 100644
--- a/rdisc.te
+++ b/rdisc.te
@@ -9,6 +9,9 @@ type rdisc_t;
type rdisc_exec_t;
init_daemon_domain(rdisc_t, rdisc_exec_t)
+type rdisc_unit_file_t;
+systemd_unit_file(rdisc_unit_file_t)
+
########################################
#
# Local policy
@@ -25,7 +28,6 @@ kernel_list_proc(rdisc_t)
kernel_read_proc_symlinks(rdisc_t)
kernel_read_kernel_sysctls(rdisc_t)
-corenet_all_recvfrom_unlabeled(rdisc_t)
corenet_all_recvfrom_netlabel(rdisc_t)
corenet_udp_sendrecv_generic_if(rdisc_t)
corenet_raw_sendrecv_generic_if(rdisc_t)
@@ -39,12 +41,9 @@ fs_search_auto_mountpoints(rdisc_t)
domain_use_interactive_fds(rdisc_t)
-files_read_etc_files(rdisc_t)
logging_send_syslog_msg(rdisc_t)
-miscfiles_read_localization(rdisc_t)
-
sysnet_read_config(rdisc_t)
userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
diff --git a/readahead.fc b/readahead.fc
index f01b32fe2..46279e853 100644
--- a/readahead.fc
+++ b/readahead.fc
@@ -1,7 +1,11 @@
-/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
+/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+/usr/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+
/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
+/var/run/systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
/var/run/readahead.* gen_context(system_u:object_r:readahead_var_run_t,s0)
diff --git a/readahead.if b/readahead.if
index 661bb88fd..06f69c4ad 100644
--- a/readahead.if
+++ b/readahead.if
@@ -19,3 +19,27 @@ interface(`readahead_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, readahead_exec_t, readahead_t)
')
+
+########################################
+## <summary>
+## Manage readahead var_run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`readahead_manage_pid_files',`
+ gen_require(`
+ type readahead_var_run_t;
+ ')
+
+ manage_dirs_pattern($1, readahead_var_run_t, readahead_var_run_t)
+ manage_files_pattern($1, readahead_var_run_t, readahead_var_run_t)
+ dev_filetrans($1, readahead_var_run_t, { dir file })
+ init_pid_filetrans($1, readahead_var_run_t, { dir file })
+ files_search_pids($1)
+ init_search_pid_dirs($1)
+')
+
diff --git a/readahead.te b/readahead.te
index c0b02c91c..df24ae78e 100644
--- a/readahead.te
+++ b/readahead.te
@@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
type readahead_var_run_t;
files_pid_file(readahead_var_run_t)
+dev_associate(readahead_var_run_t)
init_daemon_run_dir(readahead_var_run_t, "readahead")
########################################
@@ -22,7 +23,7 @@ init_daemon_run_dir(readahead_var_run_t, "readahead")
# Local policy
#
-allow readahead_t self:capability { sys_admin fowner dac_override dac_read_search };
+allow readahead_t self:capability { sys_admin fowner dac_read_search };
dontaudit readahead_t self:capability { net_admin sys_tty_config };
allow readahead_t self:process { setsched signal_perms };
@@ -31,13 +32,18 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
+dev_filetrans(readahead_t, readahead_var_run_t, { dir file })
files_pid_filetrans(readahead_t, readahead_var_run_t, { dir file })
kernel_read_all_sysctls(readahead_t)
kernel_read_system_state(readahead_t)
kernel_dontaudit_getattr_core_if(readahead_t)
+kernel_list_all_proc(readahead_t)
-dev_read_sysfs(readahead_t)
+dev_rw_sysfs(readahead_t)
+dev_read_kmsg(readahead_t)
+dev_read_urand(readahead_t)
+dev_write_kmsg(readahead_t)
dev_getattr_generic_chr_files(readahead_t)
dev_getattr_generic_blk_files(readahead_t)
dev_getattr_all_chr_files(readahead_t)
@@ -51,12 +57,22 @@ domain_use_interactive_fds(readahead_t)
domain_read_all_domains_state(readahead_t)
files_create_boot_flag(readahead_t)
+files_delete_root_files(readahead_t)
files_getattr_all_pipes(readahead_t)
files_list_non_security(readahead_t)
files_read_non_security_files(readahead_t)
files_search_var_lib(readahead_t)
files_dontaudit_getattr_all_sockets(readahead_t)
files_dontaudit_getattr_non_security_blk_files(readahead_t)
+files_dontaudit_all_access_check(readahead_t)
+files_dontaudit_read_security_files(readahead_t)
+files_dontaudit_read_all_sockets(readahead_t)
+
+ifdef(`hide_broken_symptoms', `
+ files_dontaudit_write_all_files(readahead_t)
+ dev_dontaudit_write_all_chr_files(readahead_t)
+ dev_dontaudit_write_all_blk_files(readahead_t)
+')
fs_getattr_all_fs(readahead_t)
fs_search_auto_mountpoints(readahead_t)
@@ -66,13 +82,12 @@ fs_read_cgroup_files(readahead_t)
fs_read_tmpfs_files(readahead_t)
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
+fs_dontaudit_read_tmpfs_blk_dev(readahead_t)
fs_dontaudit_search_ramfs(readahead_t)
fs_dontaudit_read_ramfs_pipes(readahead_t)
fs_dontaudit_read_ramfs_files(readahead_t)
fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
-mcs_file_read_all(readahead_t)
-
mls_file_read_all_levels(readahead_t)
storage_raw_read_fixed_disk(readahead_t)
@@ -84,13 +99,15 @@ auth_dontaudit_read_shadow(readahead_t)
init_use_fds(readahead_t)
init_use_script_ptys(readahead_t)
init_getattr_initctl(readahead_t)
+# needs to write to /run/systemd/notify
+init_write_pid_socket(readahead_t)
+init_create_pid_dirs(readahead_t)
+init_pid_filetrans(readahead_t, readahead_var_run_t, dir, "readahead")
logging_send_syslog_msg(readahead_t)
logging_set_audit_parameters(readahead_t)
logging_dontaudit_search_audit_config(readahead_t)
-miscfiles_read_localization(readahead_t)
-
userdom_dontaudit_use_unpriv_user_fds(readahead_t)
userdom_dontaudit_search_user_home_dirs(readahead_t)
diff --git a/realmd.fc b/realmd.fc
index 04babe3d5..3b92679bb 100644
--- a/realmd.fc
+++ b/realmd.fc
@@ -1 +1,5 @@
-/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
+/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
+
+/var/cache/realmd(/.*)? gen_context(system_u:object_r:realmd_var_cache_t,s0)
+
+/var/lib/ipa-client(/.*)? gen_context(system_u:object_r:realmd_var_lib_t,s0)
diff --git a/realmd.if b/realmd.if
index bff31dfd2..1663054d9 100644
--- a/realmd.if
+++ b/realmd.if
@@ -1,8 +1,9 @@
-## <summary>Dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA.</summary>
+
+## <summary>dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA</summary>
########################################
## <summary>
-## Execute realmd in the realmd domain.
+## Execute realmd in the realmd_t domain.
## </summary>
## <param name="domain">
## <summary>
@@ -39,3 +40,120 @@ interface(`realmd_dbus_chat',`
allow $1 realmd_t:dbus send_msg;
allow realmd_t $1:dbus send_msg;
')
+
+########################################
+## <summary>
+## Search realmd cache directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`realmd_search_cache',`
+ gen_require(`
+ type realmd_var_cache_t;
+ ')
+
+ allow $1 realmd_var_cache_t:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+## <summary>
+## Read realmd cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`realmd_read_cache_files',`
+ gen_require(`
+ type realmd_var_cache_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## realmd cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`realmd_manage_cache_files',`
+ gen_require(`
+ type realmd_var_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
+')
+
+########################################
+## <summary>
+## Manage realmd cache dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`realmd_manage_cache_dirs',`
+ gen_require(`
+ type realmd_var_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
+')
+
+
+########################################
+## <summary>
+## Read realmd tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`realmd_read_tmp_files',`
+ gen_require(`
+ type realmd_tmp_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, realmd_tmp_t, realmd_tmp_t)
+')
+
+#######################################
+## <summary>
+## Read realmd library files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`realmd_read_var_lib',`
+ gen_require(`
+ type realmd_var_lib_t;
+ ')
+
+ list_dirs_pattern($1, realmd_var_lib_t, realmd_var_lib_t)
+ read_files_pattern($1, realmd_var_lib_t, realmd_var_lib_t)
+
+')
diff --git a/realmd.te b/realmd.te
index 5bc878b29..573620309 100644
--- a/realmd.te
+++ b/realmd.te
@@ -7,47 +7,89 @@ policy_module(realmd, 1.1.0)
type realmd_t;
type realmd_exec_t;
-init_system_domain(realmd_t, realmd_exec_t)
+init_daemon_domain(realmd_t, realmd_exec_t)
+application_domain(realmd_t, realmd_exec_t)
+role system_r types realmd_t;
+
+type realmd_tmp_t;
+files_tmp_file(realmd_tmp_t)
+
+type realmd_var_cache_t;
+files_type(realmd_var_cache_t)
+
+type realmd_var_lib_t;
+files_type(realmd_var_lib_t)
########################################
#
-# Local policy
+# realmd local policy
#
-allow realmd_t self:capability sys_nice;
+allow realmd_t self:capability { sys_nice };
+allow realmd_t self:capability2 block_suspend;
allow realmd_t self:process setsched;
+allow realmd_t self:key manage_key_perms;
+
+manage_dirs_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
+manage_files_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
+files_tmp_filetrans(realmd_t, realmd_tmp_t, { dir file })
+
+manage_files_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
+manage_dirs_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
+
+manage_dirs_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t)
+manage_files_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t)
+files_var_lib_filetrans(realmd_t, realmd_var_lib_t, dir)
kernel_read_system_state(realmd_t)
+kernel_read_network_state(realmd_t)
corecmd_exec_bin(realmd_t)
corecmd_exec_shell(realmd_t)
-corenet_all_recvfrom_unlabeled(realmd_t)
-corenet_all_recvfrom_netlabel(realmd_t)
-corenet_tcp_sendrecv_generic_if(realmd_t)
-corenet_tcp_sendrecv_generic_node(realmd_t)
-
-corenet_sendrecv_http_client_packets(realmd_t)
corenet_tcp_connect_http_port(realmd_t)
-corenet_tcp_sendrecv_http_port(realmd_t)
+corenet_tcp_connect_ldap_port(realmd_t)
+corenet_tcp_connect_smbd_port(realmd_t)
domain_use_interactive_fds(realmd_t)
dev_read_rand(realmd_t)
dev_read_urand(realmd_t)
-fs_getattr_all_fs(realmd_t)
+files_manage_etc_files(realmd_t)
-files_read_usr_files(realmd_t)
+fs_getattr_all_fs(realmd_t)
auth_use_nsswitch(realmd_t)
+init_filetrans_named_content(realmd_t)
+
+logging_manage_generic_logs(realmd_t)
logging_send_syslog_msg(realmd_t)
+miscfiles_manage_generic_cert_files(realmd_t)
+
+seutil_domtrans_setfiles(realmd_t)
+seutil_read_file_contexts(realmd_t)
+
+sysnet_dns_name_resolve(realmd_t)
+systemd_exec_systemctl(realmd_t)
+
+#userdom_admin_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")
+#userdom_user_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")
+
+optional_policy(`
+ authconfig_domtrans(realmd_t)
+')
+
optional_policy(`
dbus_system_domain(realmd_t, realmd_exec_t)
optional_policy(`
+ certmonger_dbus_chat(realmd_t)
+ ')
+
+ optional_policy(`
networkmanager_dbus_chat(realmd_t)
')
@@ -63,21 +105,40 @@ optional_policy(`
optional_policy(`
kerberos_use(realmd_t)
kerberos_rw_keytab(realmd_t)
+ kerberos_rw_config(realmd_t)
+ kerberos_filetrans_named_content(realmd_t)
+')
+
+optional_policy(`
+ ntp_domtrans_ntpdate(realmd_t)
+')
+
+optional_policy(`
+ ssh_domtrans(realmd_t)
+ ssh_systemctl(realmd_t)
')
optional_policy(`
nis_exec_ypbind(realmd_t)
- nis_initrc_domtrans(realmd_t)
+ nis_systemctl_ypbind(realmd_t)
')
optional_policy(`
- gnome_read_generic_home_content(realmd_t)
+ gnome_read_config(realmd_t)
+ gnome_read_generic_cache_files(realmd_t)
+ gnome_write_generic_cache_files(realmd_t)
+ gnome_manage_cache_home_dir(realmd_t)
+
')
optional_policy(`
samba_domtrans_net(realmd_t)
samba_manage_config(realmd_t)
- samba_getattr_winbind_exec(realmd_t)
+ samba_getattr_winbind(realmd_t)
+')
+
+optional_policy(`
+ rpm_dbus_chat(realmd_t)
')
optional_policy(`
@@ -86,5 +147,27 @@ optional_policy(`
sssd_manage_lib_files(realmd_t)
sssd_manage_public_files(realmd_t)
sssd_read_pid_files(realmd_t)
- sssd_initrc_domtrans(realmd_t)
+ sssd_systemctl(realmd_t)
+')
+
+optional_policy(`
+ xserver_read_state_xdm(realmd_t)
+')
+
+optional_policy(`
+ unconfined_domain(realmd_t)
+')
+
+#####################################
+#
+# realmd consolehelper local policy
+#
+
+optional_policy(`
+ userhelper_console_role_template(realmd, system_r, realmd_t)
+ authconfig_manage_lib_files(realmd_consolehelper_t)
+
+ oddjob_systemctl(realmd_consolehelper_t)
+
+ unconfined_domain_noaudit(realmd_consolehelper_t)
')
diff --git a/redis.fc b/redis.fc
index e240ac99c..b9707aaf8 100644
--- a/redis.fc
+++ b/redis.fc
@@ -1,9 +1,13 @@
/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)
-/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
+/etc/redis-sentinel.* -- gen_context(system_u:object_r:redis_conf_t,s0)
-/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
+/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0)
-/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
+/usr/bin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
-/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
+/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
+
+/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
+
+/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
diff --git a/redis.if b/redis.if
index 16c8ecbe3..4e021eca7 100644
--- a/redis.if
+++ b/redis.if
@@ -1,9 +1,225 @@
-## <summary>Advanced key-value store.</summary>
+## <summary>Advanced key-value store</summary>
########################################
## <summary>
-## All of the rules required to
-## administrate an redis environment.
+## Execute redis server in the redis domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`redis_domtrans',`
+ gen_require(`
+ type redis_t, redis_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, redis_exec_t, redis_t)
+')
+
+########################################
+## <summary>
+## Execute redis server in the redis domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_initrc_domtrans',`
+ gen_require(`
+ type redis_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, redis_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read redis's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_read_log',`
+ gen_require(`
+ type redis_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+## <summary>
+## Append to redis log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_append_log',`
+ gen_require(`
+ type redis_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+## <summary>
+## Manage redis log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_manage_log',`
+ gen_require(`
+ type redis_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, redis_log_t, redis_log_t)
+ manage_files_pattern($1, redis_log_t, redis_log_t)
+ manage_lnk_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+## <summary>
+## Search redis lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_search_lib',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ allow $1 redis_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read redis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_read_lib_files',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage redis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_manage_lib_files',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage redis lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_manage_lib_dirs',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read redis PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_read_pid_files',`
+ gen_require(`
+ type redis_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, redis_var_run_t, redis_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute redis server in the redis domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`redis_systemctl',`
+ gen_require(`
+ type redis_t;
+ type redis_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 redis_unit_file_t:file read_file_perms;
+ allow $1 redis_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, redis_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an redis environment
## </summary>
## <param name="domain">
## <summary>
@@ -20,7 +236,7 @@
interface(`redis_admin',`
gen_require(`
type redis_t, redis_initrc_exec_t, redis_var_lib_t;
- type redis_log_t, redis_var_run_t;
+ type redis_log_t, redis_var_run_t, redis_unit_file_t;
')
allow $1 redis_t:process { ptrace signal_perms };
@@ -32,11 +248,20 @@ interface(`redis_admin',`
allow $2 system_r;
logging_search_logs($1)
- admin_pattern($!, redis_log_t)
+ admin_pattern($1, redis_log_t)
files_search_var_lib($1)
admin_pattern($1, redis_var_lib_t)
files_search_pids($1)
admin_pattern($1, redis_var_run_t)
+
+ redis_systemctl($1)
+ admin_pattern($1, redis_unit_file_t)
+ allow $1 redis_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/redis.te b/redis.te
index 25cd4175f..cf565276c 100644
--- a/redis.te
+++ b/redis.te
@@ -12,6 +12,9 @@ init_daemon_domain(redis_t, redis_exec_t)
type redis_initrc_exec_t;
init_script_file(redis_initrc_exec_t)
+type redis_conf_t;
+files_config_file(redis_conf_t)
+
type redis_log_t;
logging_log_file(redis_log_t)
@@ -21,6 +24,12 @@ files_type(redis_var_lib_t)
type redis_var_run_t;
files_pid_file(redis_var_run_t)
+type redis_tmp_t;
+files_tmp_file(redis_tmp_t)
+
+type redis_unit_file_t;
+systemd_unit_file(redis_unit_file_t)
+
########################################
#
# Local policy
@@ -31,6 +40,8 @@ allow redis_t self:fifo_file rw_fifo_file_perms;
allow redis_t self:unix_stream_socket create_stream_socket_perms;
allow redis_t self:tcp_socket create_stream_socket_perms;
+manage_files_pattern(redis_t, redis_conf_t, redis_conf_t)
+
manage_dirs_pattern(redis_t, redis_log_t, redis_log_t)
manage_files_pattern(redis_t, redis_log_t, redis_log_t)
manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
@@ -42,24 +53,32 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+manage_sock_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+
+
+manage_dirs_pattern(redis_t, redis_tmp_t, redis_tmp_t)
+manage_files_pattern(redis_t, redis_tmp_t, redis_tmp_t)
+files_tmp_filetrans(redis_t, redis_tmp_t, { dir file })
kernel_read_system_state(redis_t)
+kernel_read_net_sysctls(redis_t)
corenet_all_recvfrom_unlabeled(redis_t)
corenet_all_recvfrom_netlabel(redis_t)
corenet_tcp_sendrecv_generic_if(redis_t)
corenet_tcp_sendrecv_generic_node(redis_t)
corenet_tcp_bind_generic_node(redis_t)
+corenet_tcp_connect_redis_port(redis_t)
corenet_sendrecv_redis_server_packets(redis_t)
corenet_tcp_bind_redis_port(redis_t)
corenet_tcp_sendrecv_redis_port(redis_t)
+corecmd_exec_shell(redis_t)
+
dev_read_sysfs(redis_t)
dev_read_urand(redis_t)
logging_send_syslog_msg(redis_t)
-miscfiles_read_localization(redis_t)
-
sysnet_dns_name_resolve(redis_t)
diff --git a/remotelogin.fc b/remotelogin.fc
index 327baf059..d8691bd14 100644
--- a/remotelogin.fc
+++ b/remotelogin.fc
@@ -1 +1,2 @@
+
# Remote login currently has no file contexts.
diff --git a/remotelogin.if b/remotelogin.if
index a9ce68e33..92520aa92 100644
--- a/remotelogin.if
+++ b/remotelogin.if
@@ -1,4 +1,4 @@
-## <summary>Rshd, rlogind, and telnetd.</summary>
+## <summary>Policy for rshd, rlogind, and telnetd.</summary>
########################################
## <summary>
@@ -15,13 +15,12 @@ interface(`remotelogin_domtrans',`
type remote_login_t;
')
- corecmd_search_bin($1)
auth_domtrans_login_program($1, remote_login_t)
')
########################################
## <summary>
-## Send generic signals to remote login.
+## allow Domain to signal remote login domain.
## </summary>
## <param name="domain">
## <summary>
@@ -39,8 +38,7 @@ interface(`remotelogin_signal',`
########################################
## <summary>
-## Create, read, write, and delete
-## remote login temporary content.
+## allow Domain to signal remote login domain.
## </summary>
## <param name="domain">
## <summary>
@@ -48,32 +46,10 @@ interface(`remotelogin_signal',`
## </summary>
## </param>
#
-interface(`remotelogin_manage_tmp_content',`
+interface(`remotelogin_signull',`
gen_require(`
- type remote_login_tmp_t;
- ')
-
- files_search_tmp($1)
- allow $1 remote_login_tmp_t:dir manage_dir_perms;
- allow $1 remote_login_tmp_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-## Relabel remote login temporary content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`remotelogin_relabel_tmp_content',`
- gen_require(`
- type remote_login_tmp_t;
+ type remote_login_t;
')
- files_search_tmp($1)
- allow $1 remote_login_tmp_t:dir relabel_dir_perms;
- allow $1 remote_login_tmp_t:file relabel_file_perms;
+ allow $1 remote_login_t:process signull;
')
diff --git a/remotelogin.te b/remotelogin.te
index ae308717f..c627cdf7d 100644
--- a/remotelogin.te
+++ b/remotelogin.te
@@ -10,81 +10,89 @@ domain_interactive_fd(remote_login_t)
auth_login_pgm_domain(remote_login_t)
auth_login_entry_type(remote_login_t)
-type remote_login_tmp_t;
-files_tmp_file(remote_login_tmp_t)
-
########################################
#
-# Local policy
+# Remote login remote policy
#
-allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
+allow remote_login_t self:capability { dac_read_search dac_read_search chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow remote_login_t self:process { setrlimit setexec };
allow remote_login_t self:fd use;
allow remote_login_t self:fifo_file rw_fifo_file_perms;
+allow remote_login_t self:sock_file read_sock_file_perms;
+allow remote_login_t self:unix_dgram_socket create_socket_perms;
+allow remote_login_t self:unix_stream_socket create_stream_socket_perms;
allow remote_login_t self:unix_dgram_socket sendto;
-allow remote_login_t self:unix_stream_socket { accept connectto listen };
-
-manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
-manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
-files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
+allow remote_login_t self:unix_stream_socket connectto;
+allow remote_login_t self:shm create_shm_perms;
+allow remote_login_t self:sem create_sem_perms;
+allow remote_login_t self:msgq create_msgq_perms;
+allow remote_login_t self:msg { send receive };
+allow remote_login_t self:key write;
kernel_read_system_state(remote_login_t)
kernel_read_kernel_sysctls(remote_login_t)
dev_getattr_mouse_dev(remote_login_t)
dev_setattr_mouse_dev(remote_login_t)
+dev_dontaudit_search_sysfs(remote_login_t)
fs_getattr_xattr_fs(remote_login_t)
+fs_search_auto_mountpoints(remote_login_t)
term_relabel_all_ptys(remote_login_t)
term_use_all_ptys(remote_login_t)
term_setattr_all_ptys(remote_login_t)
-auth_manage_pam_console_data(remote_login_t)
-auth_domtrans_pam_console(remote_login_t)
auth_rw_login_records(remote_login_t)
auth_rw_faillog(remote_login_t)
+auth_manage_pam_console_data(remote_login_t)
+auth_domtrans_pam_console(remote_login_t)
corecmd_list_bin(remote_login_t)
corecmd_read_bin_symlinks(remote_login_t)
+# cjp: these are probably not needed:
+corecmd_read_bin_files(remote_login_t)
+corecmd_read_bin_pipes(remote_login_t)
+corecmd_read_bin_sockets(remote_login_t)
domain_read_all_entry_files(remote_login_t)
files_read_etc_runtime_files(remote_login_t)
files_list_home(remote_login_t)
-files_read_usr_files(remote_login_t)
files_list_world_readable(remote_login_t)
files_read_world_readable_files(remote_login_t)
files_read_world_readable_symlinks(remote_login_t)
files_read_world_readable_pipes(remote_login_t)
files_read_world_readable_sockets(remote_login_t)
files_list_mnt(remote_login_t)
+# for when /var/mail is a sym-link
files_read_var_symlinks(remote_login_t)
-miscfiles_read_localization(remote_login_t)
+auth_use_nsswitch(remote_login_t)
+
userdom_use_unpriv_users_fds(remote_login_t)
userdom_search_user_home_content(remote_login_t)
+# Only permit unprivileged user domains to be entered via rlogin,
+# since very weak authentication is used.
userdom_signal_unpriv_users(remote_login_t)
userdom_spec_domtrans_unpriv_users(remote_login_t)
+userdom_use_user_ptys(remote_login_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(remote_login_t)
- fs_read_nfs_symlinks(remote_login_t)
-')
+userdom_manage_user_tmp_dirs(remote_login_t)
+userdom_manage_user_tmp_files(remote_login_t)
+userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(remote_login_t)
- fs_read_cifs_symlinks(remote_login_t)
-')
+userdom_home_reader(remote_login_t)
optional_policy(`
alsa_domtrans(remote_login_t)
')
optional_policy(`
+ # Search for mail spool file.
mta_getattr_spool(remote_login_t)
')
diff --git a/resmgr.te b/resmgr.te
index f6eb358ad..472496379 100644
--- a/resmgr.te
+++ b/resmgr.te
@@ -23,7 +23,7 @@ files_pid_file(resmgrd_var_run_t)
# Local policy
#
-allow resmgrd_t self:capability { dac_override sys_admin sys_rawio };
+allow resmgrd_t self:capability { dac_read_search sys_admin sys_rawio };
dontaudit resmgrd_t self:capability sys_tty_config;
allow resmgrd_t self:process signal_perms;
@@ -42,7 +42,6 @@ dev_getattr_scanner_dev(resmgrd_t)
domain_use_interactive_fds(resmgrd_t)
-files_read_etc_files(resmgrd_t)
fs_search_auto_mountpoints(resmgrd_t)
@@ -54,8 +53,6 @@ storage_write_scsi_generic(resmgrd_t)
logging_send_syslog_msg(resmgrd_t)
-miscfiles_read_localization(resmgrd_t)
-
userdom_dontaudit_use_unpriv_user_fds(resmgrd_t)
optional_policy(`
diff --git a/rgmanager.fc b/rgmanager.fc
index 5421af0b6..91e69b869 100644
--- a/rgmanager.fc
+++ b/rgmanager.fc
@@ -1,12 +1,22 @@
-/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/cpglockd -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
-/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/cpglockd -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
-/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
-/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
-/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
+/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
+/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
-/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
-/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+
+/var/run/cpglockd\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
diff --git a/rgmanager.if b/rgmanager.if
index 1c2f9aa12..a4133dc92 100644
--- a/rgmanager.if
+++ b/rgmanager.if
@@ -1,13 +1,13 @@
-## <summary>Resource Group Manager.</summary>
+## <summary>rgmanager - Resource Group Manager</summary>
#######################################
## <summary>
## Execute a domain transition to run rgmanager.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`rgmanager_domtrans',`
@@ -21,8 +21,7 @@ interface(`rgmanager_domtrans',`
########################################
## <summary>
-## Connect to rgmanager with a unix
-## domain stream socket.
+## Connect to rgmanager over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -39,10 +38,28 @@ interface(`rgmanager_stream_connect',`
stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
')
+########################################
+## <summary>
+## Manage rgmanager pid files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_manage_pid_files',`
+ gen_require(`
+ type rgmanager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t)
+')
+
######################################
## <summary>
-## Create, read, write, and delete
-## rgmanager tmp files.
+## Allow manage rgmanager tmp files.
## </summary>
## <param name="domain">
## <summary>
@@ -61,8 +78,7 @@ interface(`rgmanager_manage_tmp_files',`
######################################
## <summary>
-## Create, read, write, and delete
-## rgmanager tmpfs files.
+## Allow manage rgmanager tmpfs files.
## </summary>
## <param name="domain">
## <summary>
@@ -79,10 +95,28 @@ interface(`rgmanager_manage_tmpfs_files',`
manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
')
+#######################################
+## <summary>
+## Allow read and write access to rgmanager semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_rw_semaphores',`
+ gen_require(`
+ type rgmanager_t;
+ ')
+
+ allow $1 rgmanager_t:sem rw_sem_perms;
+')
+
######################################
## <summary>
-## All of the rules required to
-## administrate an rgmanager environment.
+## All of the rules required to administrate
+## an rgmanager environment
## </summary>
## <param name="domain">
## <summary>
@@ -91,7 +125,7 @@ interface(`rgmanager_manage_tmpfs_files',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the rgmanager domain.
## </summary>
## </param>
## <rolecap/>
@@ -102,8 +136,11 @@ interface(`rgmanager_admin',`
type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
')
- allow $1 rgmanager_t:process { ptrace signal_perms };
+ allow $1 rgmanager_t:process signal_perms;
ps_process_pattern($1, rgmanager_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 rgmanager_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
domain_system_change_exemption($1)
@@ -121,3 +158,66 @@ interface(`rgmanager_admin',`
files_list_pids($1)
admin_pattern($1, rgmanager_var_run_t)
')
+
+
+######################################
+## <summary>
+## Allow the specified domain to manage rgmanager's lib/run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_manage_files',`
+ gen_require(`
+ type rgmanager_var_lib_t;
+ type rgmanager_var_run_t;
+ ')
+
+ files_list_var_lib($1)
+ admin_pattern($1, rgmanager_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, rgmanager_var_run_t)
+')
+
+######################################
+## <summary>
+## Allow the specified domain to execute rgmanager's lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_execute_lib',`
+ gen_require(`
+ type rgmanager_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
+ can_exec($1, rgmanager_var_lib_t)
+')
+
+######################################
+## <summary>
+## Allow the specified domain to search rgmanager's lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_search_lib',`
+ gen_require(`
+ type rgmanager_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
+')
diff --git a/rgmanager.te b/rgmanager.te
index c8a1e16e4..8804d048a 100644
--- a/rgmanager.te
+++ b/rgmanager.te
@@ -6,10 +6,9 @@ policy_module(rgmanager, 1.3.0)
#
## <desc>
-## <p>
-## Determine whether rgmanager can
-## connect to the network using TCP.
-## </p>
+## <p>
+## Allow rgmanager domain to connect to the network using TCP.
+## </p>
## </desc>
gen_tunable(rgmanager_can_network_connect, false)
@@ -26,6 +25,9 @@ files_tmp_file(rgmanager_tmp_t)
type rgmanager_tmpfs_t;
files_tmpfs_file(rgmanager_tmpfs_t)
+type rgmanager_var_lib_t;
+files_type(rgmanager_var_lib_t)
+
type rgmanager_var_log_t;
logging_log_file(rgmanager_var_log_t)
@@ -34,14 +36,16 @@ files_pid_file(rgmanager_var_run_t)
########################################
#
-# Local policy
+# rgmanager local policy
#
-allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
+allow rgmanager_t self:capability { dac_read_search net_raw sys_resource sys_admin sys_nice ipc_lock };
allow rgmanager_t self:process { setsched signal };
+
allow rgmanager_t self:fifo_file rw_fifo_file_perms;
-allow rgmanager_t self:unix_stream_socket { accept listen };
-allow rgmanager_t self:tcp_socket { accept listen };
+allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
+allow rgmanager_t self:unix_dgram_socket create_socket_perms;
+allow rgmanager_t self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
@@ -51,77 +55,93 @@ manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
-allow rgmanager_t rgmanager_var_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, file)
+# var/lib files
+# # needed by hearbeat
+can_exec(rgmanager_t, rgmanager_var_lib_t)
+manage_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
+manage_dirs_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
+manage_sock_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
+manage_fifo_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
+files_var_lib_filetrans(rgmanager_t,rgmanager_var_lib_t, { file dir fifo_file sock_file })
+
+
+manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
+logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
+manage_dirs_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
-files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
+files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file dir })
+kernel_kill(rgmanager_t)
kernel_read_kernel_sysctls(rgmanager_t)
+kernel_read_rpc_sysctls(rgmanager_t)
kernel_read_system_state(rgmanager_t)
kernel_rw_rpc_sysctls(rgmanager_t)
kernel_search_debugfs(rgmanager_t)
kernel_search_network_state(rgmanager_t)
-corenet_all_recvfrom_unlabeled(rgmanager_t)
-corenet_all_recvfrom_netlabel(rgmanager_t)
-corenet_tcp_sendrecv_generic_if(rgmanager_t)
-corenet_tcp_sendrecv_generic_node(rgmanager_t)
-
corecmd_exec_bin(rgmanager_t)
corecmd_exec_shell(rgmanager_t)
+# need to write to /dev/misc/dlm-control
dev_rw_dlm_control(rgmanager_t)
dev_setattr_dlm_control(rgmanager_t)
dev_search_sysfs(rgmanager_t)
domain_read_all_domains_state(rgmanager_t)
domain_getattr_all_domains(rgmanager_t)
-domain_dontaudit_ptrace_all_domains(rgmanager_t)
-files_list_all(rgmanager_t)
+files_create_var_run_dirs(rgmanager_t)
files_getattr_all_symlinks(rgmanager_t)
+files_list_all(rgmanager_t)
files_manage_mnt_dirs(rgmanager_t)
+files_manage_mnt_files(rgmanager_t)
+files_manage_mnt_symlinks(rgmanager_t)
+files_manage_isid_type_files(rgmanager_t)
files_manage_isid_type_dirs(rgmanager_t)
-files_read_non_security_files(rgmanager_t)
+fs_getattr_xattr_fs(rgmanager_t)
fs_getattr_all_fs(rgmanager_t)
storage_raw_read_fixed_disk(rgmanager_t)
+storage_getattr_fixed_disk_dev(rgmanager_t)
term_getattr_pty_fs(rgmanager_t)
+# needed by resources scripts
+files_read_non_security_files(rgmanager_t)
auth_dontaudit_getattr_shadow(rgmanager_t)
auth_use_nsswitch(rgmanager_t)
init_domtrans_script(rgmanager_t)
+init_initrc_domain(rgmanager_t)
logging_send_syslog_msg(rgmanager_t)
-miscfiles_read_localization(rgmanager_t)
+userdom_kill_all_users(rgmanager_t)
tunable_policy(`rgmanager_can_network_connect',`
- corenet_sendrecv_all_client_packets(rgmanager_t)
corenet_tcp_connect_all_ports(rgmanager_t)
- corenet_tcp_sendrecv_all_ports(rgmanager_t)
')
+# rgmanager can run resource scripts
optional_policy(`
aisexec_stream_connect(rgmanager_t)
+ corosync_stream_connect(rgmanager_t)
')
optional_policy(`
- consoletype_exec(rgmanager_t)
+ apache_domtrans(rgmanager_t)
+ apache_signal(rgmanager_t)
')
optional_policy(`
- corosync_stream_connect(rgmanager_t)
+ consoletype_exec(rgmanager_t)
')
optional_policy(`
- apache_domtrans(rgmanager_t)
- apache_signal(rgmanager_t)
+ dbus_system_bus_client(rgmanager_t)
')
optional_policy(`
@@ -130,7 +150,6 @@ optional_policy(`
optional_policy(`
rhcs_stream_connect_groupd(rgmanager_t)
- rhcs_stream_connect_gfs_controld(rgmanager_t)
')
optional_policy(`
@@ -140,6 +159,7 @@ optional_policy(`
optional_policy(`
ccs_manage_config(rgmanager_t)
ccs_stream_connect(rgmanager_t)
+ rhcs_stream_connect_gfs_controld(rgmanager_t)
')
optional_policy(`
@@ -147,6 +167,12 @@ optional_policy(`
')
optional_policy(`
+ ldap_initrc_domtrans(rgmanager_t)
+ ldap_systemctl(rgmanager_t)
+ ldap_domtrans(rgmanager_t)
+')
+
+optional_policy(`
mount_domtrans(rgmanager_t)
')
@@ -174,12 +200,18 @@ optional_policy(`
')
optional_policy(`
+ rpc_initrc_domtrans_nfsd(rgmanager_t)
+ rpc_initrc_domtrans_rpcd(rgmanager_t)
+ rpc_systemctl_nfsd(rgmanager_t)
+ rpc_systemctl_rpcd(rgmanager_t)
+
rpc_domtrans_nfsd(rgmanager_t)
rpc_domtrans_rpcd(rgmanager_t)
rpc_manage_nfs_state_data(rgmanager_t)
')
optional_policy(`
+ samba_initrc_domtrans(rgmanager_t)
samba_domtrans_smbd(rgmanager_t)
samba_domtrans_nmbd(rgmanager_t)
samba_manage_var_files(rgmanager_t)
@@ -201,5 +233,9 @@ optional_policy(`
')
optional_policy(`
+ unconfined_domain(rgmanager_t)
+')
+
+optional_policy(`
xen_domtrans_xm(rgmanager_t)
')
diff --git a/rhcs.fc b/rhcs.fc
index 47de2d681..6baf5cdae 100644
--- a/rhcs.fc
+++ b/rhcs.fc
@@ -1,31 +1,104 @@
-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_sanlockd -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_virtd -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
+/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+/usr/sbin/haproxy -- gen_context(system_u:object_r:haproxy_exec_t,s0)
+/usr/sbin/haproxy-systemd-wrapper -- gen_context(system_u:object_r:haproxy_exec_t,s0)
+/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
-/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
-/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
-/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
-/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
-/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
+/usr/lib/systemd/system/haproxy.* -- gen_context(system_u:object_r:haproxy_unit_file_t,s0)
-/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
+/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
-/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+/var/lib/cluster(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/haproxy(/.*)? gen_context(system_u:object_r:haproxy_var_lib_t,s0)
+/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
-/var/log/cluster/.*\.*log <<none>>
+/var/log/cluster/.*\.*log <<none>>
/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
-/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
+/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
-/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
-/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
+/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
-/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0)
-/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
-/var/run/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
-/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
-/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
-/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
-/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
+/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/cluster/mpath\.devices -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+/var/run/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+/var/run/fence.* gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
+/var/run/haproxy\.pid -- gen_context(system_u:object_r:haproxy_var_run_t,s0)
+/var/run/haproxy\.stat.* -- gen_context(system_u:object_r:haproxy_var_run_t,s0)
+/var/run/haproxy\.sock.* -s gen_context(system_u:object_r:haproxy_var_run_t,s0)
+/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
+
+# cluster administrative domains file spec
+/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/cpglockd -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
+/usr/lib/systemd/system/corosync-qnetd.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
+/usr/lib/systemd/system/corosync-qdevice.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
+
+/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
+/usr/lib/systemd/system/pcsd.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
+
+/usr/sbin/aisexec -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/bin/corosync-qnetd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/cpglockd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/ccs_tool -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/cman_tool -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/ldirectord -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/pacemakerd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/pacemaker_remoted -- gen_context(system_u:object_r:cluster_exec_t,s0)
+
+/usr/share/corosync/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/share/corosync/corosync-qdevice -- gen_context(system_u:object_r:cluster_exec_t,s0)
+
+/usr/share/cluster/fence_scsi_check\.pl -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/share/cluster/fence_scsi_check_hardreboot -- gen_context(system_u:object_r:fenced_exec_t,s0)
+
+/usr/lib/pcsd/pcsd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+
+/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/corosync(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/openais(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/pacemaker(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/pengine(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+
+/var/run/aisexec.* gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/cman_.* -s gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/cpglockd\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/corosync\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/crm(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/rsctmp(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/corosync-qdevice(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/corosync-qnetd(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
+
+
+/var/log/cluster/aisexec\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/pacemaker\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0)
diff --git a/rhcs.if b/rhcs.if
index c8bdea28d..96da15f8a 100644
--- a/rhcs.if
+++ b/rhcs.if
@@ -1,19 +1,19 @@
-## <summary>Red Hat Cluster Suite.</summary>
+## <summary>RHCS - Red Hat Cluster Suite</summary>
#######################################
## <summary>
-## The template to define a rhcs domain.
+## Creates types and rules for a basic
+## rhcs init daemon domain.
## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
## <summary>
-## Domain prefix to be used.
+## Prefix for the domain.
## </summary>
## </param>
#
template(`rhcs_domain_template',`
gen_require(`
- attribute cluster_domain, cluster_pid, cluster_tmpfs;
- attribute cluster_log;
+ attribute cluster_domain, cluster_tmpfs, cluster_pid, cluster_log;
')
##############################
@@ -43,11 +43,6 @@ template(`rhcs_domain_template',`
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
- manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t)
- append_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
- create_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
- setattr_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
- manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })
manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
@@ -56,20 +51,21 @@ template(`rhcs_domain_template',`
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file })
- optional_policy(`
- dbus_system_bus_client($1_t)
- ')
+ kernel_read_system_state($1_t)
+
+ auth_use_nsswitch($1_t)
+
+ logging_send_syslog_msg($1_t)
')
######################################
## <summary>
-## Execute a domain transition to
-## run dlm_controld.
+## Execute a domain transition to run dlm_controld.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`rhcs_domtrans_dlm_controld',`
@@ -83,8 +79,8 @@ interface(`rhcs_domtrans_dlm_controld',`
#####################################
## <summary>
-## Get attributes of fenced
-## executable files.
+## Connect to dlm_controld over a unix domain
+## stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -92,18 +88,19 @@ interface(`rhcs_domtrans_dlm_controld',`
## </summary>
## </param>
#
-interface(`rhcs_getattr_fenced_exec_files',`
+interface(`rhcs_stream_connect_dlm_controld',`
gen_require(`
- type fenced_exec_t;
+ type dlm_controld_t, dlm_controld_var_run_t;
')
- allow $1 fenced_exec_t:file getattr_file_perms;
+ files_search_pids($1)
+ stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
')
#####################################
## <summary>
-## Connect to dlm_controld with a
-## unix domain stream socket.
+## Connect to haproxy over a unix domain
+## stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -111,18 +108,36 @@ interface(`rhcs_getattr_fenced_exec_files',`
## </summary>
## </param>
#
-interface(`rhcs_stream_connect_dlm_controld',`
+interface(`rhcs_stream_connect_haproxy',`
gen_require(`
- type dlm_controld_t, dlm_controld_var_run_t;
+ type haproxy_t, haproxy_var_run_t;
')
files_search_pids($1)
- stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
+ stream_connect_pattern($1, haproxy_var_run_t, haproxy_var_run_t, haproxy_t)
+')
+
+########################################
+## <summary>
+## Send a null signal to haproxy.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_signull_haproxy',`
+ gen_require(`
+ type haproxy_t;
+ ')
+
+ allow $1 haproxy_t:process signull;
')
#####################################
## <summary>
-## Read and write dlm_controld semaphores.
+## Allow read and write access to dlm_controld semaphores.
## </summary>
## <param name="domain">
## <summary>
@@ -160,9 +175,27 @@ interface(`rhcs_domtrans_fenced',`
domtrans_pattern($1, fenced_exec_t, fenced_t)
')
+#####################################
+## <summary>
+## Allow a domain to getattr on fenced executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhcs_getattr_fenced',`
+ gen_require(`
+ type fenced_t, fenced_exec_t;
+ ')
+
+ allow $1 fenced_exec_t:file getattr;
+')
+
######################################
## <summary>
-## Read and write fenced semaphores.
+## Allow read and write access to fenced semaphores.
## </summary>
## <param name="domain">
## <summary>
@@ -181,10 +214,9 @@ interface(`rhcs_rw_fenced_semaphores',`
manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
')
-####################################
+######################################
## <summary>
-## Connect to all cluster domains
-## with a unix domain stream socket.
+## Read fenced PID files.
## </summary>
## <param name="domain">
## <summary>
@@ -192,19 +224,18 @@ interface(`rhcs_rw_fenced_semaphores',`
## </summary>
## </param>
#
-interface(`rhcs_stream_connect_cluster',`
+interface(`rhcs_read_fenced_pid_files',`
gen_require(`
- attribute cluster_domain, cluster_pid;
+ type fenced_var_run_t;
')
files_search_pids($1)
- stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
+ read_files_pattern($1, fenced_var_run_t, fenced_var_run_t)
')
######################################
## <summary>
-## Connect to fenced with an unix
-## domain stream socket.
+## Connect to fenced over a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -221,10 +252,49 @@ interface(`rhcs_stream_connect_fenced',`
stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
')
+######################################
+## <summary>
+## Send and receive messages from
+## fenced over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_dbus_chat_fenced',`
+ gen_require(`
+ type fenced_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 fenced_t:dbus send_msg;
+ allow fenced_t $1:dbus send_msg;
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run fenced.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhcs_domtrans_haproxy',`
+ gen_require(`
+ type haproxy_t, haproxy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, haproxy_exec_t, haproxy_t)
+')
+
#####################################
## <summary>
-## Execute a domain transition
-## to run gfs_controld.
+## Execute a domain transition to run gfs_controld.
## </summary>
## <param name="domain">
## <summary>
@@ -243,7 +313,7 @@ interface(`rhcs_domtrans_gfs_controld',`
####################################
## <summary>
-## Read and write gfs_controld semaphores.
+## Allow read and write access to gfs_controld semaphores.
## </summary>
## <param name="domain">
## <summary>
@@ -264,7 +334,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',`
########################################
## <summary>
-## Read and write gfs_controld_t shared memory.
+## Read and write to gfs_controld_t shared memory.
## </summary>
## <param name="domain">
## <summary>
@@ -285,8 +355,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
#####################################
## <summary>
-## Connect to gfs_controld_t with
-## a unix domain stream socket.
+## Connect to gfs_controld_t over a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -324,8 +393,8 @@ interface(`rhcs_domtrans_groupd',`
#####################################
## <summary>
-## Connect to groupd with a unix
-## domain stream socket.
+## Connect to groupd over a unix domain
+## stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -342,10 +411,51 @@ interface(`rhcs_stream_connect_groupd',`
stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
')
+#####################################
+## <summary>
+## Allow read and write access to groupd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_groupd_semaphores',`
+ gen_require(`
+ type groupd_t, groupd_tmpfs_t;
+ ')
+
+ allow $1 groupd_t:sem { rw_sem_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
########################################
## <summary>
-## Read and write all cluster domains
-## shared memory.
+## Read and write to group shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_groupd_shm',`
+ gen_require(`
+ type groupd_t, groupd_tmpfs_t;
+ ')
+
+ allow $1 groupd_t:shm { rw_shm_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Read and write to group shared memory.
## </summary>
## <param name="domain">
## <summary>
@@ -366,8 +476,7 @@ interface(`rhcs_rw_cluster_shm',`
####################################
## <summary>
-## Read and write all cluster
-## domains semaphores.
+## Read and write access to cluster domains semaphores.
## </summary>
## <param name="domain">
## <summary>
@@ -383,9 +492,10 @@ interface(`rhcs_rw_cluster_semaphores',`
allow $1 cluster_domain:sem { rw_sem_perms destroy };
')
-#####################################
+####################################
## <summary>
-## Read and write groupd semaphores.
+## Connect to cluster domains over a unix domain
+## stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -393,20 +503,44 @@ interface(`rhcs_rw_cluster_semaphores',`
## </summary>
## </param>
#
-interface(`rhcs_rw_groupd_semaphores',`
+interface(`rhcs_stream_connect_cluster',`
gen_require(`
- type groupd_t, groupd_tmpfs_t;
+ attribute cluster_domain, cluster_pid;
')
- allow $1 groupd_t:sem { rw_sem_perms destroy };
+ files_search_pids($1)
+ stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
+')
- fs_search_tmpfs($1)
- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+#####################################
+## <summary>
+## Connect to cluster domains over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_stream_connect_cluster_to',`
+ gen_require(`
+ attribute cluster_domain;
+ attribute cluster_pid;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, cluster_pid, cluster_pid, $2)
')
########################################
## <summary>
-## Read and write groupd shared memory.
+## Send a null signal to cluster.
## </summary>
## <param name="domain">
## <summary>
@@ -414,15 +548,12 @@ interface(`rhcs_rw_groupd_semaphores',`
## </summary>
## </param>
#
-interface(`rhcs_rw_groupd_shm',`
+interface(`rhcs_signull_cluster',`
gen_require(`
- type groupd_t, groupd_tmpfs_t;
+ type cluster_t;
')
- allow $1 groupd_t:shm { rw_shm_perms destroy };
-
- fs_search_tmpfs($1)
- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+ allow $1 cluster_t:process signull;
')
######################################
@@ -446,52 +577,423 @@ interface(`rhcs_domtrans_qdiskd',`
########################################
## <summary>
-## All of the rules required to
-## administrate an rhcs environment.
+## Allow domain to read qdiskd tmpfs files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+#
+interface(`rhcs_read_qdiskd_tmpfs_files',`
+ gen_require(`
+ type qdiskd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ allow $1 qdiskd_tmpfs_t:file read_file_perms;
+')
+
+######################################
+## <summary>
+## Allow domain to read cluster lib files
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`rhcs_admin',`
+interface(`rhcs_read_cluster_lib_files',`
gen_require(`
- attribute cluster_domain, cluster_pid, cluster_tmpfs;
- attribute cluster_log;
- type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t;
- type fenced_tmp_t, qdiskd_var_lib_t;
+ type cluster_var_lib_t;
')
- allow $1 cluster_domain:process { ptrace signal_perms };
- ps_process_pattern($1, cluster_domain)
+ files_search_var_lib($1)
+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
+
+#####################################
+## <summary>
+## Allow domain to manage cluster lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_manage_cluster_lib_files',`
+ gen_require(`
+ type cluster_var_lib_t;
+ ')
- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
- allow $2 system_r;
+ files_search_var_lib($1)
+ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
- files_search_pids($1)
- admin_pattern($1, cluster_pid)
+####################################
+## <summary>
+## Allow domain to relabel cluster lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_relabel_cluster_lib_files',`
+ gen_require(`
+ type cluster_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
- files_search_locks($1)
- admin_pattern($1, fenced_lock_t)
+######################################
+## <summary>
+## Execute a domain transition to run cluster administrative domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhcs_domtrans_cluster',`
+ gen_require(`
+ type cluster_t, cluster_exec_t;
+ ')
- files_search_tmp($1)
- admin_pattern($1, fenced_tmp_t)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cluster_exec_t, cluster_t)
+')
- files_search_var_lib($1)
- admin_pattern($1, qdiskd_var_lib_t)
+#######################################
+## <summary>
+## Execute cluster init scripts in
+## the init script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhcs_initrc_domtrans_cluster',`
+ gen_require(`
+ type cluster_initrc_exec_t;
+ ')
- fs_search_tmpfs($1)
- admin_pattern($1, cluster_tmpfs)
+ init_labeled_script_domtrans($1, cluster_initrc_exec_t)
+')
+
+#####################################
+## <summary>
+## Execute cluster in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_exec_cluster',`
+ gen_require(`
+ type cluster_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, cluster_exec_t)
+')
+
+######################################
+## <summary>
+## Read cluster log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_read_log_cluster',`
+ gen_require(`
+ type cluster_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ list_dirs_pattern($1, cluster_var_log_t, cluster_var_log_t)
+ read_files_pattern($1, cluster_var_log_t, cluster_var_log_t)
+')
+
+######################################
+## <summary>
+## Setattr cluster log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_setattr_log_cluster',`
+ gen_require(`
+ type cluster_var_log_t;
+ ')
+
+ setattr_files_pattern($1, cluster_var_log_t, cluster_var_log_t)
+')
+
+#####################################
+## <summary>
+## Allow the specified domain to read/write inherited cluster's tmpf files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_inherited_cluster_tmp_files',`
+ gen_require(`
+ type cluster_tmp_t;
+ ')
+
+ allow $1 cluster_tmp_t:file rw_inherited_file_perms;
+')
+
+#####################################
+## <summary>
+## Allow manage cluster tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_manage_cluster_tmp_files',`
+ gen_require(`
+ type cluster_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, cluster_tmp_t, cluster_tmp_t)
+')
+
+#####################################
+## <summary>
+## Allow the specified domain to read/write cluster's tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_cluster_tmpfs',`
+ gen_require(`
+ type cluster_tmpfs_t;
+ ')
+
+ rw_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
+ delete_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
+')
+
+#####################################
+## <summary>
+## Allow manage cluster tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_manage_cluster_tmpfs_files',`
+ gen_require(`
+ type cluster_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
+')
+
+#####################################
+## <summary>
+## Allow read cluster pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_read_cluster_pid_files',`
+ gen_require(`
+ type cluster_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, cluster_var_run_t, cluster_var_run_t)
+')
+
+
+#####################################
+## <summary>
+## Allow manage cluster pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_manage_cluster_pid_files',`
+ gen_require(`
+ type cluster_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, cluster_var_run_t, cluster_var_run_t)
+')
+
+#######################################
+## <summary>
+## Execute cluster server in the cluster domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhcs_systemctl_cluster',`
+ gen_require(`
+ type cluster_t;
+ type cluster_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 cluster_unit_file_t:file read_file_perms;
+ allow $1 cluster_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, cluster_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## a cluster service over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_dbus_chat_cluster',`
+ gen_require(`
+ type cluster_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 cluster_t:dbus send_msg;
+ allow cluster_t $1:dbus send_msg;
+')
+
+
+
+#####################################
+## <summary>
+## All of the rules required to administrate
+## an cluster environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the rgmanager domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rhcs_admin_cluster',`
+ gen_require(`
+ type cluster_t, cluster_initrc_exec_t, cluster_tmp_t;
+ type cluster_tmpfs_t, cluster_var_log_t, cluster_var_run_t;
+ type cluster_unit_file_t;
+ ')
+
+ allow $1 cluster_t:process signal_perms;
+ ps_process_pattern($1, cluster_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cluster_t:process ptrace;
+ ')
+
+ init_labeled_script_domtrans($1, cluster_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 cluster_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, cluster_tmp_t)
+
+ admin_pattern($1, cluster_tmpfs_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, cluster_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, cluster_var_run_t)
+
+ rhcs_systemctl_cluster($1)
+ admin_pattern($1, cluster_unit_file_t)
+ allow $1 cluster_unit_file_t:service all_service_perms;
+')
+
+########################################
+## <summary>
+## Start haproxy unit files domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhcs_start_haproxy_services',`
+ gen_require(`
+ type haproxy_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 haproxy_unit_file_t:service {status start};
+')
+
+########################################
+## <summary>
+## Create log files with a named file
+## type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_named_filetrans_log_dir',`
+ gen_require(`
+ type var_log_t;
+ ')
- logging_search_logs($1)
- admin_pattern($1, cluster_log)
+ logging_log_named_filetrans($1, var_log_t, dir, "bundles")
')
diff --git a/rhcs.te b/rhcs.te
index 6cf79c449..63c113978 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
## </desc>
gen_tunable(fenced_can_ssh, false)
+## <desc>
+## <p>
+## Allow cluster administrative domains to connect to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(cluster_can_network_connect, false)
+
+## <desc>
+## <p>
+## Allow cluster administrative domains to manage all files on a system.
+## </p>
+## </desc>
+gen_tunable(cluster_manage_all_files, false)
+
+## <desc>
+## <p>
+## Allow cluster administrative cluster domains memcheck-amd64- to use executable memory
+## </p>
+## </desc>
+gen_tunable(cluster_use_execmem, false)
+
+## <desc>
+## <p>
+## Determine whether haproxy can
+## connect to all TCP ports.
+## </p>
+## </desc>
+gen_tunable(haproxy_connect_any, false)
+
attribute cluster_domain;
attribute cluster_log;
attribute cluster_pid;
@@ -44,34 +73,295 @@ type foghorn_initrc_exec_t;
init_script_file(foghorn_initrc_exec_t)
rhcs_domain_template(gfs_controld)
+rhcs_domain_template(haproxy)
+
+type haproxy_var_lib_t;
+files_type(haproxy_var_lib_t)
+
+type haproxy_unit_file_t;
+systemd_unit_file(haproxy_unit_file_t)
+
rhcs_domain_template(groupd)
rhcs_domain_template(qdiskd)
type qdiskd_var_lib_t;
files_type(qdiskd_var_lib_t)
+# cluster_t is a new domain for administrative generic cluster services
+# (rgmanager, corosync, hearbeat, cman, pacemaker)
+rhcs_domain_template(cluster)
+
+typealias cluster_t alias { aisexec_t corosync_t pacemaker_t rgmanager_t };
+typealias cluster_exec_t alias { aisexec_exec_t corosync_exec_t pacemaker_exec_t rgmanager_exec_t };
+typealias cluster_tmpfs_t alias { aisexec_tmpfs_t corosync_tmpfs_t pacemaker_tmpfs_t rgmanager_tmpfs_t };
+typealias cluster_var_log_t alias { aisexec_var_log_t corosync_var_log_t rgmanager_var_log_t };
+typealias cluster_var_run_t alias { aisexec_var_run_t corosync_var_run_t pacemaker_var_run_t rgmanager_var_run_t };
+
+type cluster_initrc_exec_t;
+typealias cluster_initrc_exec_t alias { aisexec_initrc_exec_t corosync_initrc_exec_t pacemaker_initrc_exec_t rgmanager_initrc_exec_t };
+init_script_file(cluster_initrc_exec_t)
+
+type cluster_tmp_t;
+typealias cluster_tmp_t alias { aisexec_tmp_t corosync_tmp_t pacemaker_tmp_t rgmanager_tmp_t };
+files_tmp_file(cluster_tmp_t)
+
+type cluster_var_lib_t;
+typealias cluster_var_lib_t alias { aisexec_var_lib_t corosync_var_lib_t pacemaker_var_lib_t rgmanager_var_lib_t };
+files_type(cluster_var_lib_t)
+
+type cluster_unit_file_t;
+typealias cluster_unit_file_t alias { corosync_unit_file_t pacemaker_unit_file_t };
+systemd_unit_file(cluster_unit_file_t)
+
#####################################
#
# Common cluster domains local policy
#
allow cluster_domain self:capability sys_nice;
-allow cluster_domain self:process setsched;
+allow cluster_domain self:process { signal setsched };
allow cluster_domain self:sem create_sem_perms;
allow cluster_domain self:fifo_file rw_fifo_file_perms;
allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
allow cluster_domain self:unix_dgram_socket create_socket_perms;
-logging_send_syslog_msg(cluster_domain)
+manage_dirs_pattern(cluster_domain, cluster_log, cluster_log)
+manage_files_pattern(cluster_domain, cluster_log, cluster_log)
+manage_sock_files_pattern(cluster_domain, cluster_log, cluster_log)
-miscfiles_read_localization(cluster_domain)
+tunable_policy(`cluster_use_execmem',`
+ allow cluster_domain self:process execmem;
+')
optional_policy(`
ccs_stream_connect(cluster_domain)
')
optional_policy(`
- corosync_stream_connect(cluster_domain)
+ dbus_system_bus_client(cluster_domain)
+')
+
+#####################################
+#
+# cluster domain local policy
+#
+
+allow cluster_t self:capability { dac_read_search fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock ipc_owner };
+# for hearbeat
+allow cluster_t self:capability { net_raw chown };
+allow cluster_t self:capability2 block_suspend;
+allow cluster_t self:process { setpgid setrlimit setsched signull };
+
+allow cluster_t self:tcp_socket create_stream_socket_perms;
+allow cluster_t self:shm create_shm_perms;
+
+manage_dirs_pattern(cluster_t, cluster_tmp_t, cluster_tmp_t)
+manage_files_pattern(cluster_t, cluster_tmp_t, cluster_tmp_t)
+files_tmp_filetrans(cluster_t, cluster_tmp_t, { file dir })
+
+can_exec(cluster_t, cluster_var_lib_t)
+manage_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
+manage_dirs_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
+manage_sock_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
+manage_fifo_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
+files_var_lib_filetrans(cluster_t,cluster_var_lib_t, { file dir fifo_file sock_file })
+
+can_exec(cluster_t, cluster_exec_t)
+
+kernel_kill(cluster_t)
+kernel_read_all_sysctls(cluster_t)
+kernel_rw_rpc_sysctls(cluster_t)
+kernel_search_debugfs(cluster_t)
+kernel_search_network_state(cluster_t)
+
+corecmd_exec_bin(cluster_t)
+corecmd_exec_shell(cluster_t)
+
+corenet_all_recvfrom_unlabeled(cluster_t)
+corenet_all_recvfrom_netlabel(cluster_t)
+corenet_udp_sendrecv_generic_if(cluster_t)
+corenet_udp_sendrecv_generic_node(cluster_t)
+corenet_udp_bind_generic_node(cluster_t)
+
+corenet_sendrecv_netsupport_server_packets(cluster_t)
+corenet_udp_bind_netsupport_port(cluster_t)
+corenet_udp_sendrecv_netsupport_port(cluster_t)
+
+corenet_sendrecv_cluster_server_packets(cluster_t)
+corenet_udp_bind_cluster_port(cluster_t)
+corenet_udp_sendrecv_cluster_port(cluster_t)
+
+# need to write to /dev/misc/dlm-contro
+dev_rw_dlm_control(cluster_t)
+dev_setattr_dlm_control(cluster_t)
+dev_read_sysfs(cluster_t)
+dev_read_rand(cluster_t)
+dev_read_urand(cluster_t)
+
+domain_read_all_domains_state(cluster_t)
+
+fs_getattr_xattr_fs(cluster_t)
+fs_getattr_all_fs(cluster_t)
+
+storage_raw_read_fixed_disk(cluster_t)
+
+term_getattr_pty_fs(cluster_t)
+
+files_manage_mounttab(cluster_t)
+# needed by resources scripts
+files_read_non_security_files(cluster_t)
+auth_dontaudit_getattr_shadow(cluster_t)
+
+init_domtrans_script(cluster_t)
+init_initrc_domain(cluster_t)
+init_read_script_state(cluster_t)
+init_rw_script_tmp_files(cluster_t)
+init_manage_script_status_files(cluster_t)
+
+systemd_dbus_chat_logind(cluster_t)
+
+userdom_delete_user_tmp_files(cluster_t)
+userdom_rw_user_tmp_files(cluster_t)
+userdom_kill_all_users(cluster_t)
+
+tunable_policy(`cluster_can_network_connect',`
+ corenet_tcp_connect_all_ports(cluster_t)
+')
+
+# we need to have dirs created with var_run_t in /run/cluster
+files_create_var_run_dirs(cluster_t)
+
+tunable_policy(`cluster_manage_all_files',`
+ files_getattr_all_symlinks(cluster_t)
+ files_list_all(cluster_t)
+ files_manage_mnt_dirs(cluster_t)
+ files_manage_mnt_files(cluster_t)
+ files_manage_mnt_symlinks(cluster_t)
+ files_manage_isid_type_files(cluster_t)
+ files_manage_isid_type_dirs(cluster_t)
+ fs_manage_tmpfs_files(cluster_t)
+')
+
+optional_policy(`
+ ccs_read_config(cluster_t)
+')
+
+optional_policy(`
+ cmirrord_rw_shm(cluster_t)
+')
+
+optional_policy(`
+ consoletype_exec(cluster_t)
+')
+
+optional_policy(`
+ lvm_domtrans(cluster_t)
+ lvm_rw_clvmd_tmpfs_files(cluster_t)
+ lvm_delete_clvmd_tmpfs_files(cluster_t)
+')
+
+optional_policy(`
+ fstools_domtrans(cluster_t)
+')
+
+optional_policy(`
+ rpc_dbus_chat_nfsd(cluster_t)
+')
+
+optional_policy(`
+ hostname_exec(cluster_t)
+')
+
+optional_policy(`
+ ccs_manage_config(cluster_t)
+ ccs_stream_connect(cluster_t)
+')
+
+optional_policy(`
+ fprintd_dbus_chat(cluster_t)
+')
+
+optional_policy(`
+ ldap_systemctl(cluster_t)
+')
+
+optional_policy(`
+ mount_domtrans(cluster_t)
+')
+
+optional_policy(`
+ mysql_domtrans_mysql_safe(cluster_t)
+ mysql_stream_connect(cluster_t)
+')
+
+optional_policy(`
+ netutils_domtrans(cluster_t)
+ netutils_domtrans_ping(cluster_t)
+')
+
+optional_policy(`
+ postgresql_signal(cluster_t)
+')
+
+optional_policy(`
+ rhcs_getattr_fenced(cluster_t)
+ rhcs_rw_cluster_shm(cluster_t)
+ rhcs_rw_cluster_semaphores(cluster_t)
+ rhcs_stream_connect_cluster(cluster_t)
+ rhcs_relabel_cluster_lib_files(cluster_t)
+')
+
+optional_policy(`
+ rdisc_exec(cluster_t)
+')
+
+optional_policy(`
+ ricci_dontaudit_rw_modcluster_pipes(cluster_t)
+')
+
+optional_policy(`
+ rhcs_named_filetrans_log_dir(cluster_t)
+')
+
+optional_policy(`
+ rpc_systemctl_nfsd(cluster_t)
+ rpc_systemctl_rpcd(cluster_t)
+
+ rpc_domtrans_nfsd(cluster_t)
+ rpc_domtrans_rpcd(cluster_t)
+ rpc_manage_nfs_state_data(cluster_t)
+ rpc_filetrans_var_lib_nfs_content(cluster_t)
+')
+
+optional_policy(`
+ samba_manage_var_files(cluster_t)
+ samba_rw_config(cluster_t)
+ samba_signal_smbd(cluster_t)
+ samba_signal_nmbd(cluster_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(cluster_t)
+')
+
+optional_policy(`
+ udev_read_db(cluster_t)
+')
+
+optional_policy(`
+ virt_stream_connect(cluster_t)
+')
+
+optional_policy(`
+ unconfined_domain(cluster_t)
+')
+
+optional_policy(`
+ wdmd_rw_tmpfs(cluster_t)
+')
+
+optional_policy(`
+ xen_domtrans_xm(cluster_t)
')
#####################################
@@ -79,13 +369,14 @@ optional_policy(`
# dlm_controld local policy
#
-allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
+allow dlm_controld_t self:capability { dac_read_search net_admin sys_admin sys_resource };
allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+files_pid_filetrans(dlm_controld_t, dlm_controld_var_run_t, dir)
+
stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
-kernel_read_system_state(dlm_controld_t)
kernel_rw_net_sysctls(dlm_controld_t)
corecmd_exec_bin(dlm_controld_t)
@@ -98,16 +389,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
+logging_send_syslog_msg(dlm_controld_t)
+
+optional_policy(`
+ rhcs_rw_cluster_tmpfs(dlm_controld_t)
+')
+
+optional_policy(`
+ rhcs_stream_connect_cluster(dlm_controld_t)
+')
+
#######################################
#
# fenced local policy
#
-allow fenced_t self:capability { sys_rawio sys_resource };
-allow fenced_t self:process { getsched signal_perms };
-allow fenced_t self:tcp_socket { accept listen };
+allow fenced_t self:capability { net_admin sys_rawio sys_resource sys_admin };
+allow fenced_t self:process { getsched setcap setpgid signal_perms };
+
+allow fenced_t self:tcp_socket create_stream_socket_perms;
+allow fenced_t self:udp_socket create_socket_perms;
allow fenced_t self:unix_stream_socket connectto;
+can_exec(fenced_t, fenced_exec_t)
+
manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
files_lock_filetrans(fenced_t, fenced_lock_t, file)
@@ -118,9 +423,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
-can_exec(fenced_t, fenced_exec_t)
-
-kernel_read_system_state(fenced_t)
+kernel_read_network_state(fenced_t)
+kernel_read_fs_sysctls(fenced_t)
corecmd_exec_bin(fenced_t)
corecmd_exec_shell(fenced_t)
@@ -140,6 +444,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
corenet_sendrecv_zented_server_packets(fenced_t)
corenet_tcp_bind_zented_port(fenced_t)
+corenet_udp_bind_zented_port(fenced_t)
+corenet_tcp_connect_zented_port(fenced_t)
corenet_tcp_sendrecv_zented_port(fenced_t)
corenet_sendrecv_http_client_packets(fenced_t)
@@ -148,9 +454,8 @@ corenet_tcp_sendrecv_http_port(fenced_t)
dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t)
-
-files_read_usr_files(fenced_t)
-files_read_usr_symlinks(fenced_t)
+dev_read_rand(fenced_t)
+dev_rw_lvm_control(fenced_t)
storage_raw_read_fixed_disk(fenced_t)
storage_raw_write_fixed_disk(fenced_t)
@@ -160,7 +465,7 @@ term_getattr_pty_fs(fenced_t)
term_use_generic_ptys(fenced_t)
term_use_ptmx(fenced_t)
-auth_use_nsswitch(fenced_t)
+logging_send_syslog_msg(fenced_t)
tunable_policy(`fenced_can_network_connect',`
corenet_sendrecv_all_client_packets(fenced_t)
@@ -182,7 +487,8 @@ optional_policy(`
')
optional_policy(`
- corosync_exec(fenced_t)
+ rhcs_exec_cluster(fenced_t)
+ rhcs_rw_cluster_tmpfs(fenced_t)
')
optional_policy(`
@@ -190,12 +496,17 @@ optional_policy(`
')
optional_policy(`
- gnome_read_generic_home_content(fenced_t)
+ libs_exec_ldconfig(fenced_t)
')
optional_policy(`
lvm_domtrans(fenced_t)
lvm_read_config(fenced_t)
+ lvm_stream_connect(fenced_t)
+')
+
+optional_policy(`
+ sanlock_domtrans(fenced_t)
')
optional_policy(`
@@ -203,6 +514,21 @@ optional_policy(`
snmp_manage_var_lib_dirs(fenced_t)
')
+optional_policy(`
+ virt_domtrans(fenced_t)
+ virt_read_config(fenced_t)
+ virt_read_pid_files(fenced_t)
+ virt_stream_connect(fenced_t)
+')
+
+optional_policy(`
+ watchdog_unconfined_exec_read_lnk_files(fenced_t)
+')
+
+optional_policy(`
+ gnome_dontaudit_search_config(fenced_t)
+')
+
#######################################
#
# foghorn local policy
@@ -221,16 +547,22 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
corenet_tcp_connect_agentx_port(foghorn_t)
corenet_tcp_sendrecv_agentx_port(foghorn_t)
+corenet_tcp_connect_snmp_port(foghorn_t)
+
dev_read_urand(foghorn_t)
-files_read_usr_files(foghorn_t)
+logging_send_syslog_msg(foghorn_t)
optional_policy(`
dbus_connect_system_bus(foghorn_t)
+
+ optional_policy(`
+ rhcs_dbus_chat_fenced(foghorn_t)
+ ')
')
optional_policy(`
- snmp_read_snmp_var_lib_files(foghorn_t)
+ snmp_manage_var_lib_files(foghorn_t)
snmp_stream_connect(foghorn_t)
')
@@ -247,16 +579,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
-kernel_read_system_state(gfs_controld_t)
dev_rw_dlm_control(gfs_controld_t)
dev_setattr_dlm_control(gfs_controld_t)
dev_rw_sysfs(gfs_controld_t)
+storage_getattr_fixed_disk_dev(gfs_controld_t)
+
+fs_getattr_all_fs(gfs_controld_t)
storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
+logging_send_syslog_msg(gfs_controld_t)
+
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
@@ -275,10 +611,59 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
-files_read_etc_files(groupd_t)
-
init_rw_script_tmp_files(groupd_t)
+logging_send_syslog_msg(groupd_t)
+
+########################################
+#
+# haproxy local policy
+#
+
+# bug in haproxy and process vs pid owner
+allow haproxy_t self:capability { dac_read_search kill };
+
+allow haproxy_t self:capability { chown fowner setgid setuid sys_chroot sys_resource net_admin net_raw };
+allow haproxy_t self:capability2 block_suspend;
+allow haproxy_t self:process { fork setrlimit signal_perms };
+allow haproxy_t self:fifo_file rw_fifo_file_perms;
+allow haproxy_t self:unix_stream_socket create_stream_socket_perms;
+allow haproxy_t self:tcp_socket create_stream_socket_perms;
+allow haproxy_t self: udp_socket create_socket_perms;
+
+manage_dirs_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
+manage_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
+manage_lnk_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
+manage_sock_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
+files_var_lib_filetrans(haproxy_t, haproxy_var_lib_t, { dir file lnk_file })
+
+can_exec(haproxy_t, haproxy_exec_t)
+
+corenet_sendrecv_unlabeled_packets(haproxy_t)
+
+corenet_tcp_connect_commplex_link_port(haproxy_t)
+corenet_tcp_connect_commplex_main_port(haproxy_t)
+corenet_tcp_bind_commplex_main_port(haproxy_t)
+corenet_tcp_bind_http_port(haproxy_t)
+corenet_tcp_bind_http_cache_port(haproxy_t)
+
+corenet_tcp_connect_fmpro_internal_port(haproxy_t)
+corenet_tcp_connect_http_port(haproxy_t)
+corenet_tcp_connect_http_cache_port(haproxy_t)
+corenet_tcp_connect_rtp_media_port(haproxy_t)
+
+dev_read_rand(haproxy_t)
+dev_read_urand(haproxy_t)
+
+sysnet_dns_name_resolve(haproxy_t)
+
+tunable_policy(`haproxy_connect_any',`
+ corenet_tcp_connect_all_ports(haproxy_t)
+ corenet_tcp_bind_all_ports(haproxy_t)
+ corenet_sendrecv_all_packets(haproxy_t)
+ corenet_tcp_sendrecv_all_ports(haproxy_t)
+')
+
######################################
#
# qdiskd local policy
@@ -292,7 +677,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
-kernel_read_system_state(qdiskd_t)
kernel_read_software_raid_state(qdiskd_t)
kernel_getattr_core_if(qdiskd_t)
@@ -321,6 +705,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
+logging_send_syslog_msg(qdiskd_t)
+
optional_policy(`
netutils_domtrans_ping(qdiskd_t)
')
diff --git a/rhev.fc b/rhev.fc
new file mode 100644
index 000000000..013d1d964
--- /dev/null
+++ b/rhev.fc
@@ -0,0 +1,14 @@
+/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+/usr/share/ovirt-guest-agent -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+
+/usr/share/rhev-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+/usr/share/ovirt-guest-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+/usr/share/ovirt-guest-agent/ovirt-guest-agent\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+
+/usr/lib/systemd/system/ovirt-guest-agent.* -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0)
+
+/var/run/rhev-agentd\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
+/var/run/ovirt-guest-agent\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
+
+/var/log/rhev-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0)
+/var/log/ovirt-guest-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0)
diff --git a/rhev.if b/rhev.if
new file mode 100644
index 000000000..bf11e2563
--- /dev/null
+++ b/rhev.if
@@ -0,0 +1,76 @@
+## <summary>rhev polic module contains policies for rhev apps</summary>
+
+#####################################
+## <summary>
+## Execute rhev-agentd in the rhev_agentd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhev_domtrans_agentd',`
+ gen_require(`
+ type rhev_agentd_t, rhev_agentd_exec_t;
+ ')
+
+ domtrans_pattern($1, rhev_agentd_exec_t, rhev_agentd_t)
+')
+
+####################################
+## <summary>
+## Read rhev-agentd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhev_read_pid_files_agentd',`
+ gen_require(`
+ type rhev_agentd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
+')
+
+#####################################
+## <summary>
+## Connect to rhev_agentd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhev_stream_connect_agentd',`
+ gen_require(`
+ type rhev_agentd_var_run_t, rhev_agentd_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t, rhev_agentd_t)
+')
+
+######################################
+## <summary>
+## Send sigchld to rhev-agentd
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`rhev_sigchld_agentd',`
+ gen_require(`
+ type rhev_agentd_t;
+ ')
+
+ allow $1 rhev_agentd_t:process sigchld;
+')
diff --git a/rhev.te b/rhev.te
new file mode 100644
index 000000000..8b7aa12d8
--- /dev/null
+++ b/rhev.te
@@ -0,0 +1,128 @@
+policy_module(rhev,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type rhev_agentd_t;
+type rhev_agentd_exec_t;
+init_daemon_domain(rhev_agentd_t, rhev_agentd_exec_t)
+
+type rhev_agentd_unit_file_t;
+systemd_unit_file(rhev_agentd_unit_file_t)
+
+type rhev_agentd_var_run_t;
+files_pid_file(rhev_agentd_var_run_t)
+
+type rhev_agentd_tmp_t;
+files_tmp_file(rhev_agentd_tmp_t)
+
+type rhev_agentd_log_t;
+logging_log_file(rhev_agentd_log_t)
+
+########################################
+#
+# rhev_agentd_t local policy
+#
+
+allow rhev_agentd_t self:capability { setuid setgid sys_nice };
+allow rhev_agentd_t self:process setsched;
+
+allow rhev_agentd_t self:fifo_file rw_fifo_file_perms;
+allow rhev_agentd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
+manage_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
+manage_sock_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
+files_pid_filetrans(rhev_agentd_t, rhev_agentd_var_run_t, { dir file sock_file })
+
+manage_files_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)
+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)
+logging_log_filetrans(rhev_agentd_t, rhev_agentd_log_t, { dir file })
+
+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
+manage_files_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
+files_tmp_filetrans(rhev_agentd_t, rhev_agentd_tmp_t, { file dir })
+can_exec(rhev_agentd_t, rhev_agentd_tmp_t)
+
+kernel_read_system_state(rhev_agentd_t)
+kernel_read_kernel_sysctls(rhev_agentd_t)
+
+corecmd_exec_bin(rhev_agentd_t)
+corecmd_exec_shell(rhev_agentd_t)
+
+dev_read_urand(rhev_agentd_t)
+
+term_use_virtio_console(rhev_agentd_t)
+
+fs_getattr_all_fs(rhev_agentd_t)
+
+files_getattr_all_mountpoints(rhev_agentd_t)
+files_search_all_mountpoints(rhev_agentd_t)
+
+auth_use_nsswitch(rhev_agentd_t)
+
+init_read_utmp(rhev_agentd_t)
+
+libs_exec_ldconfig(rhev_agentd_t)
+logging_send_syslog_msg(rhev_agentd_t)
+
+optional_policy(`
+ rpm_read_db(rhev_agentd_t)
+ rpm_dontaudit_manage_db(rhev_agentd_t)
+')
+
+optional_policy(`
+ ssh_signull(rhev_agentd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(rhev_agentd_t)
+ dbus_connect_system_bus(rhev_agentd_t)
+ dbus_session_bus_client(rhev_agentd_t)
+
+ optional_policy(`
+ systemd_dbus_chat_logind(rhev_agentd_t)
+ ')
+
+ optional_policy(`
+ xserver_dbus_chat_xdm(rhev_agentd_t)
+ ')
+
+')
+
+optional_policy(`
+ udev_read_db(rhev_agentd_t)
+')
+
+optional_policy(`
+ xserver_stream_connect(rhev_agentd_t)
+')
+
+######################################
+#
+# rhev_agentd_t consolehelper local policy
+#
+
+optional_policy(`
+ userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t)
+
+ allow rhev_agentd_consolehelper_t rhev_agentd_log_t:file rw_inherited_file_perms;
+ allow rhev_agentd_consolehelper_t rhev_agentd_tmp_t:file rw_inherited_file_perms;
+
+ can_exec(rhev_agentd_consolehelper_t, rhev_agentd_exec_t)
+ kernel_read_system_state(rhev_agentd_consolehelper_t)
+
+ term_use_virtio_console(rhev_agentd_consolehelper_t)
+
+ corenet_tcp_connect_xserver_port(rhev_agentd_consolehelper_t)
+
+ optional_policy(`
+ dbus_session_bus_client(rhev_agentd_consolehelper_t)
+ ')
+
+ optional_policy(`
+ unconfined_dbus_chat(rhev_agentd_consolehelper_t)
+ ')
+')
diff --git a/rhgb.if b/rhgb.if
index 1a134a72e..793a29f88 100644
--- a/rhgb.if
+++ b/rhgb.if
@@ -1,4 +1,4 @@
-## <summary> Red Hat Graphical Boot.</summary>
+## <summary> Red Hat Graphical Boot </summary>
########################################
## <summary>
@@ -18,7 +18,7 @@ interface(`rhgb_stub',`
########################################
## <summary>
-## Inherit and use rhgb file descriptors.
+## Use a rhgb file descriptor.
## </summary>
## <param name="domain">
## <summary>
@@ -54,7 +54,7 @@ interface(`rhgb_getpgid',`
########################################
## <summary>
-## Send generic signals to rhgb.
+## Send a signal to rhgb.
## </summary>
## <param name="domain">
## <summary>
@@ -72,8 +72,7 @@ interface(`rhgb_signal',`
########################################
## <summary>
-## Read and write inherited rhgb unix
-## domain stream sockets.
+## Read and write to unix stream sockets.
## </summary>
## <param name="domain">
## <summary>
@@ -110,8 +109,7 @@ interface(`rhgb_dontaudit_rw_stream_sockets',`
########################################
## <summary>
-## Connected to rhgb with a unix
-## domain stream socket.
+## Connected to rhgb unix stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -121,11 +119,10 @@ interface(`rhgb_dontaudit_rw_stream_sockets',`
#
interface(`rhgb_stream_connect',`
gen_require(`
- type rhgb_t, rhgb_tmpfs_t;
+ type rhgb_t;
')
- fs_search_tmpfs($1)
- stream_connect_pattern($1, rhgb_tmpfs_t, rhgb_tmpfs_t, rhgb_t)
+ allow $1 rhgb_t:unix_stream_socket connectto;
')
########################################
@@ -148,7 +145,7 @@ interface(`rhgb_rw_shm',`
########################################
## <summary>
-## Read and write rhgb pty devices.
+## Read from and write to the rhgb devpts.
## </summary>
## <param name="domain">
## <summary>
@@ -161,14 +158,12 @@ interface(`rhgb_use_ptys',`
type rhgb_devpts_t;
')
- dev_list_all_dev_nodes($1)
allow $1 rhgb_devpts_t:chr_file rw_term_perms;
')
########################################
## <summary>
-## Do not audit attempts to read and
-## write rhgb pty devices.
+## dontaudit Read from and write to the rhgb devpts.
## </summary>
## <param name="domain">
## <summary>
@@ -186,7 +181,7 @@ interface(`rhgb_dontaudit_use_ptys',`
########################################
## <summary>
-## Read and write to rhgb tmpfs files.
+## Read and write to rhgb temporary file system.
## </summary>
## <param name="domain">
## <summary>
@@ -199,7 +194,6 @@ interface(`rhgb_rw_tmpfs_files',`
type rhgb_tmpfs_t;
')
-
fs_search_tmpfs($1)
allow $1 rhgb_tmpfs_t:file rw_file_perms;
')
diff --git a/rhgb.te b/rhgb.te
index 3f32e4bb3..f97ea42f8 100644
--- a/rhgb.te
+++ b/rhgb.te
@@ -43,7 +43,6 @@ kernel_read_system_state(rhgb_t)
corecmd_exec_bin(rhgb_t)
corecmd_exec_shell(rhgb_t)
-corenet_all_recvfrom_unlabeled(rhgb_t)
corenet_all_recvfrom_netlabel(rhgb_t)
corenet_tcp_sendrecv_generic_if(rhgb_t)
corenet_tcp_sendrecv_generic_node(rhgb_t)
@@ -57,11 +56,9 @@ dev_read_urand(rhgb_t)
domain_use_interactive_fds(rhgb_t)
-files_read_etc_files(rhgb_t)
files_read_var_files(rhgb_t)
files_read_etc_runtime_files(rhgb_t)
files_search_tmp(rhgb_t)
-files_read_usr_files(rhgb_t)
files_mounton_mnt(rhgb_t)
files_dontaudit_rw_root_dir(rhgb_t)
files_dontaudit_read_default_files(rhgb_t)
@@ -89,7 +86,6 @@ libs_read_lib_files(rhgb_t)
logging_send_syslog_msg(rhgb_t)
-miscfiles_read_localization(rhgb_t)
miscfiles_read_fonts(rhgb_t)
miscfiles_dontaudit_write_fonts(rhgb_t)
diff --git a/rhnsd.fc b/rhnsd.fc
new file mode 100644
index 000000000..860a91df8
--- /dev/null
+++ b/rhnsd.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/rhnsd -- gen_context(system_u:object_r:rhnsd_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/rhnsd.* -- gen_context(system_u:object_r:rhnsd_unit_file_t,s0)
+
+/usr/sbin/rhnsd -- gen_context(system_u:object_r:rhnsd_exec_t,s0)
+
+/var/run/rhnsd\.pid -- gen_context(system_u:object_r:rhnsd_var_run_t,s0)
+
+/etc/sysconfig/rhn(/.*)? gen_context(system_u:object_r:rhnsd_conf_t,s0)
diff --git a/rhnsd.if b/rhnsd.if
new file mode 100644
index 000000000..a161c70f9
--- /dev/null
+++ b/rhnsd.if
@@ -0,0 +1,120 @@
+## <summary>policy for rhnsd</summary>
+
+########################################
+## <summary>
+## Transition to rhnsd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhnsd_domtrans',`
+ gen_require(`
+ type rhnsd_t, rhnsd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rhnsd_exec_t, rhnsd_t)
+')
+
+########################################
+## <summary>
+## Execute rhnsd server in the rhnsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhnsd_initrc_domtrans',`
+ gen_require(`
+ type rhnsd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, rhnsd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute rhnsd server in the rhnsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhnsd_systemctl',`
+ gen_require(`
+ type rhnsd_t;
+ type rhnsd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 rhnsd_unit_file_t:file read_file_perms;
+ allow $1 rhnsd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, rhnsd_t)
+')
+
+######################################
+## <summary>
+## Allow the specified domain to manage
+## rhnsd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhnsd_manage_config',`
+ gen_require(`
+ type rhnsd_conf_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern( $1, rhnsd_conf_t, rhnsd_conf_t)
+ manage_lnk_files_pattern($1, rhnsd_conf_t, rhnsd_conf_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an rhnsd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rhnsd_admin',`
+ gen_require(`
+ type rhnsd_t;
+ type rhnsd_initrc_exec_t;
+ ')
+
+ allow $1 rhnsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rhnsd_t)
+
+ rhnsd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 rhnsd_initrc_exec_t system_r;
+ allow $2 system_r;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/rhnsd.te b/rhnsd.te
new file mode 100644
index 000000000..b947f092a
--- /dev/null
+++ b/rhnsd.te
@@ -0,0 +1,48 @@
+policy_module(rhnsd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rhnsd_t;
+type rhnsd_exec_t;
+init_daemon_domain(rhnsd_t, rhnsd_exec_t)
+
+type rhnsd_var_run_t;
+files_pid_file(rhnsd_var_run_t)
+
+type rhnsd_initrc_exec_t;
+init_script_file(rhnsd_initrc_exec_t)
+
+type rhnsd_unit_file_t;
+systemd_unit_file(rhnsd_unit_file_t)
+
+type rhnsd_conf_t;
+files_config_file(rhnsd_conf_t)
+
+########################################
+#
+# rhnsd local policy
+#
+
+allow rhnsd_t self:capability { kill };
+allow rhnsd_t self:process { fork signal };
+allow rhnsd_t self:fifo_file rw_fifo_file_perms;
+allow rhnsd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rhnsd_t, rhnsd_var_run_t, rhnsd_var_run_t)
+manage_files_pattern(rhnsd_t, rhnsd_var_run_t, rhnsd_var_run_t)
+files_pid_filetrans(rhnsd_t, rhnsd_var_run_t, { dir file })
+
+manage_files_pattern(rhnsd_t, rhnsd_conf_t, rhnsd_conf_t)
+manage_lnk_files_pattern(rhnsd_t, rhnsd_conf_t, rhnsd_conf_t)
+
+corecmd_exec_bin(rhnsd_t)
+
+logging_send_syslog_msg(rhnsd_t)
+
+optional_policy(`
+ # execute rhn_check
+ rpm_domtrans(rhnsd_t)
+')
diff --git a/rhsmcertd.fc b/rhsmcertd.fc
index 8c0280418..896c8c67f 100644
--- a/rhsmcertd.fc
+++ b/rhsmcertd.fc
@@ -2,6 +2,8 @@
/usr/bin/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0)
+/usr/libexec/rhsmd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0)
+
/var/lib/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0)
/var/lock/subsys/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_lock_t,s0)
diff --git a/rhsmcertd.if b/rhsmcertd.if
index 6dbc905b3..42e4306c8 100644
--- a/rhsmcertd.if
+++ b/rhsmcertd.if
@@ -1,8 +1,8 @@
-## <summary>Subscription Management Certificate Daemon.</summary>
+## <summary>Subscription Management Certificate Daemon policy</summary>
########################################
## <summary>
-## Execute rhsmcertd in the rhsmcertd domain.
+## Transition to rhsmcertd.
## </summary>
## <param name="domain">
## <summary>
@@ -21,12 +21,11 @@ interface(`rhsmcertd_domtrans',`
########################################
## <summary>
-## Execute rhsmcertd init scripts
-## in the initrc domain.
+## Execute rhsmcertd server in the rhsmcertd domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed access.
## </summary>
## </param>
#
@@ -40,7 +39,7 @@ interface(`rhsmcertd_initrc_domtrans',`
########################################
## <summary>
-## Read rhsmcertd log files.
+## Read rhsmcertd's log files.
## </summary>
## <param name="domain">
## <summary>
@@ -60,7 +59,7 @@ interface(`rhsmcertd_read_log',`
########################################
## <summary>
-## Append rhsmcertd log files.
+## Append to rhsmcertd log files.
## </summary>
## <param name="domain">
## <summary>
@@ -79,8 +78,7 @@ interface(`rhsmcertd_append_log',`
########################################
## <summary>
-## Create, read, write, and delete
-## rhsmcertd log files.
+## Manage rhsmcertd log files
## </summary>
## <param name="domain">
## <summary>
@@ -114,8 +112,8 @@ interface(`rhsmcertd_search_lib',`
type rhsmcertd_var_lib_t;
')
- files_search_var_lib($1)
allow $1 rhsmcertd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
')
########################################
@@ -139,8 +137,7 @@ interface(`rhsmcertd_read_lib_files',`
########################################
## <summary>
-## Create, read, write, and delete
-## rhsmcertd lib files.
+## Manage rhsmcertd lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -159,8 +156,7 @@ interface(`rhsmcertd_manage_lib_files',`
########################################
## <summary>
-## Create, read, write, and delete
-## rhsmcertd lib directories.
+## Manage rhsmcertd lib directories.
## </summary>
## <param name="domain">
## <summary>
@@ -179,7 +175,7 @@ interface(`rhsmcertd_manage_lib_dirs',`
########################################
## <summary>
-## Read rhsmcertd pid files.
+## Read rhsmcertd PID files.
## </summary>
## <param name="domain">
## <summary>
@@ -196,10 +192,47 @@ interface(`rhsmcertd_read_pid_files',`
allow $1 rhsmcertd_var_run_t:file read_file_perms;
')
-####################################
+########################################
+## <summary>
+## Read rhsmcertd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_manage_pid_files',`
+ gen_require(`
+ type rhsmcertd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+')
+
+########################################
+## <summary>
+## Read/wirte inherited lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_rw_inherited_lock_files',`
+ gen_require(`
+ type rhsmcertd_lock_t;
+ ')
+
+ files_search_locks($1)
+ allow $1 rhsmcertd_lock_t:file rw_inherited_file_perms;
+')
+
+########################################
## <summary>
-## Connect to rhsmcertd with a
-## unix domain stream socket.
+## Read/wirte lock files.
## </summary>
## <param name="domain">
## <summary>
@@ -207,6 +240,26 @@ interface(`rhsmcertd_read_pid_files',`
## </summary>
## </param>
#
+interface(`rhsmcertd_rw_lock_files',`
+ gen_require(`
+ type rhsmcertd_lock_t;
+ ')
+
+ files_search_locks($1)
+ allow $1 rhsmcertd_lock_t:file rw_file_perms;
+')
+
+####################################
+## <summary>
+## Connect to rhsmcertd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
interface(`rhsmcertd_stream_connect',`
gen_require(`
type rhsmcertd_t, rhsmcertd_var_run_t;
@@ -239,30 +292,29 @@ interface(`rhsmcertd_dbus_chat',`
######################################
## <summary>
-## Do not audit attempts to send
-## and receive messages from
-## rhsmcertd over dbus.
+## Dontaudit Send and receive messages from
+## rhsmcertd over dbus.
## </summary>
## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`rhsmcertd_dontaudit_dbus_chat',`
- gen_require(`
- type rhsmcertd_t;
- class dbus send_msg;
- ')
+ gen_require(`
+ type rhsmcertd_t;
+ class dbus send_msg;
+ ')
- dontaudit $1 rhsmcertd_t:dbus send_msg;
- dontaudit rhsmcertd_t $1:dbus send_msg;
+ dontaudit $1 rhsmcertd_t:dbus send_msg;
+ dontaudit rhsmcertd_t $1:dbus send_msg;
')
########################################
## <summary>
-## All of the rules required to
-## administrate an rhsmcertd environment.
+## All of the rules required to administrate
+## an rhsmcertd environment
## </summary>
## <param name="domain">
## <summary>
@@ -270,35 +322,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
## </summary>
## </param>
## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
+## <summary>
+## Role allowed access.
+## </summary>
## </param>
## <rolecap/>
#
+
interface(`rhsmcertd_admin',`
gen_require(`
type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t;
- type rhsmcertd_var_lib_t, rhsmcertd_var_run_t, rhsmcertd_lock_t;
+ type rhsmcertd_var_lib_t, rhsmcertd_lock_t, rhsmcertd_var_run_t;
')
- allow $1 rhsmcertd_t:process { ptrace signal_perms };
+ allow $1 rhsmcertd_t:process signal_perms;
ps_process_pattern($1, rhsmcertd_t)
- rhsmcertd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 rhsmcertd_initrc_exec_t system_r;
- allow $2 system_r;
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 rhsmcertd_t:process ptrace;
+ ')
- logging_search_logs($1)
- admin_pattern($1, rhsmcertd_log_t)
+ rhsmcertd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 rhsmcertd_initrc_exec_t system_r;
+ allow $2 system_r;
- files_search_var_lib($1)
- admin_pattern($1, rhsmcertd_var_lib_t)
+ logging_search_logs($1)
+ admin_pattern($1, rhsmcertd_log_t)
- files_search_pids($1)
- admin_pattern($1, rhsmcertd_var_run_t)
+ files_search_var_lib($1)
+ admin_pattern($1, rhsmcertd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, rhsmcertd_var_run_t)
+
+ files_search_locks($1)
+ admin_pattern($1, rhsmcertd_lock_t)
- files_search_locks($1)
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
index d32e1a279..795cd3890 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
type rhsmcertd_lock_t;
files_lock_file(rhsmcertd_lock_t)
+type rhsmcertd_tmp_t;
+files_tmp_file(rhsmcertd_tmp_t)
+
type rhsmcertd_var_lib_t;
files_type(rhsmcertd_var_lib_t)
@@ -29,19 +32,22 @@ files_pid_file(rhsmcertd_var_run_t)
# Local policy
#
-allow rhsmcertd_t self:capability sys_nice;
-allow rhsmcertd_t self:process { signal setsched };
+allow rhsmcertd_t self:capability { kill sys_nice };
+allow rhsmcertd_t self:process { signal_perms setsched };
+
allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
-append_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
-create_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
-setattr_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
+manage_dirs_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t)
+files_tmp_filetrans(rhsmcertd_t, rhsmcertd_tmp_t, { dir file })
+
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
@@ -50,25 +56,98 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
kernel_read_network_state(rhsmcertd_t)
+kernel_read_net_sysctls(rhsmcertd_t)
kernel_read_system_state(rhsmcertd_t)
+kernel_read_sysctl(rhsmcertd_t)
+kernel_signull(rhsmcertd_t)
+
+corenet_tcp_connect_http_port(rhsmcertd_t)
+corenet_tcp_connect_http_cache_port(rhsmcertd_t)
+corenet_tcp_connect_squid_port(rhsmcertd_t)
+corenet_tcp_connect_netport_port(rhsmcertd_t)
+corenet_tcp_connect_websm_port(rhsmcertd_t)
corecmd_exec_bin(rhsmcertd_t)
+corecmd_exec_shell(rhsmcertd_t)
dev_read_sysfs(rhsmcertd_t)
dev_read_rand(rhsmcertd_t)
dev_read_urand(rhsmcertd_t)
+dev_read_raw_memory(rhsmcertd_t)
files_list_tmp(rhsmcertd_t)
-files_read_etc_files(rhsmcertd_t)
-files_read_usr_files(rhsmcertd_t)
+files_manage_generic_locks(rhsmcertd_t)
+files_manage_system_conf_files(rhsmcertd_t)
+files_create_boot_flag(rhsmcertd_t)
+files_dontaudit_write_all_mountpoints(rhsmcertd_t)
+
+fs_dontaudit_write_configfs_dirs(rhsmcertd_t)
+
+auth_read_passwd(rhsmcertd_t)
+
+libs_exec_ldconfig(rhsmcertd_t)
init_read_state(rhsmcertd_t)
-miscfiles_read_localization(rhsmcertd_t)
-miscfiles_read_generic_certs(rhsmcertd_t)
+logging_send_syslog_msg(rhsmcertd_t)
+
+miscfiles_manage_generic_cert_files(rhsmcertd_t)
+miscfiles_manage_generic_cert_dirs(rhsmcertd_t)
+
+nis_use_ypbind(rhsmcertd_t)
sysnet_dns_name_resolve(rhsmcertd_t)
+ifdef(`hide_broken_symptoms',`
+ exec_files_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t)
+ exec_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+')
+
+optional_policy(`
+ dbus_system_domain(rhsmcertd_t,rhsmcertd_exec_t)
+')
+
+optional_policy(`
+ dmidecode_domtrans(rhsmcertd_t)
+')
+
+optional_policy(`
+ gnome_dontaudit_search_config(rhsmcertd_t)
+')
+
+optional_policy(`
+ hostname_exec(rhsmcertd_t)
+')
+
+optional_policy(`
+ rhnsd_manage_config(rhsmcertd_t)
+')
+
+optional_policy(`
+ snmp_signull(rhsmcertd_t)
+')
+
+optional_policy(`
+ sosreport_signull(rhsmcertd_t)
+')
+
+optional_policy(`
+ setroubleshoot_signull(rhsmcertd_t)
+')
+
+optional_policy(`
+ rpm_manage_db(rhsmcertd_t)
+ rpm_signull(rhsmcertd_t)
+')
+
+optional_policy(`
+ virt_signull(rhsmcertd_t)
+')
+
+optional_policy(`
+ unconfined_signull(rhsmcertd_t)
+')
+
optional_policy(`
- rpm_read_db(rhsmcertd_t)
+ unconfined_server_signull(rhsmcertd_t)
')
diff --git a/ricci.if b/ricci.if
index 2ab3ed1d4..23d579cde 100644
--- a/ricci.if
+++ b/ricci.if
@@ -1,13 +1,13 @@
-## <summary>Ricci cluster management agent.</summary>
+## <summary>Ricci cluster management agent</summary>
########################################
## <summary>
## Execute a domain transition to run ricci.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`ricci_domtrans',`
@@ -15,19 +15,35 @@ interface(`ricci_domtrans',`
type ricci_t, ricci_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, ricci_exec_t, ricci_t)
')
-########################################
+#######################################
## <summary>
-## Execute a domain transition to
-## run ricci modcluster.
+## Execute ricci server in the ricci domain.
## </summary>
## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ricci_initrc_domtrans',`
+ gen_require(`
+ type ricci_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ricci_initrc_exec_t)
+')
+
+########################################
## <summary>
-## Domain allowed to transition.
+## Execute a domain transition to run ricci_modcluster.
## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
## </param>
#
interface(`ricci_domtrans_modcluster',`
@@ -35,14 +51,13 @@ interface(`ricci_domtrans_modcluster',`
type ricci_modcluster_t, ricci_modcluster_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t)
')
########################################
## <summary>
## Do not audit attempts to use
-## ricci modcluster file descriptors.
+## ricci_modcluster file descriptors.
## </summary>
## <param name="domain">
## <summary>
@@ -61,7 +76,7 @@ interface(`ricci_dontaudit_use_modcluster_fds',`
########################################
## <summary>
## Do not audit attempts to read write
-## ricci modcluster unamed pipes.
+## ricci_modcluster unamed pipes.
## </summary>
## <param name="domain">
## <summary>
@@ -74,13 +89,12 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',`
type ricci_modcluster_t;
')
- dontaudit $1 ricci_modcluster_t:fifo_file { read write };
+ dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
## <summary>
-## Connect to ricci_modclusterd with
-## a unix domain stream socket.
+## Connect to ricci_modclusterd over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -99,8 +113,26 @@ interface(`ricci_stream_connect_modclusterd',`
########################################
## <summary>
-## Execute a domain transition to
-## run ricci modlog.
+## Read and write to ricci_modcluserd temporary file system.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ricci_rw_modclusterd_tmpfs_files',`
+ gen_require(`
+ type ricci_modclusterd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ allow $1 ricci_modclusterd_tmpfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run ricci_modlog.
## </summary>
## <param name="domain">
## <summary>
@@ -113,14 +145,12 @@ interface(`ricci_domtrans_modlog',`
type ricci_modlog_t, ricci_modlog_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t)
')
########################################
## <summary>
-## Execute a domain transition to
-## run ricci modrpm.
+## Execute a domain transition to run ricci_modrpm.
## </summary>
## <param name="domain">
## <summary>
@@ -133,14 +163,12 @@ interface(`ricci_domtrans_modrpm',`
type ricci_modrpm_t, ricci_modrpm_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t)
')
########################################
## <summary>
-## Execute a domain transition to
-## run ricci modservice.
+## Execute a domain transition to run ricci_modservice.
## </summary>
## <param name="domain">
## <summary>
@@ -153,14 +181,12 @@ interface(`ricci_domtrans_modservice',`
type ricci_modservice_t, ricci_modservice_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t)
')
########################################
## <summary>
-## Execute a domain transition to
-## run ricci modstorage.
+## Execute a domain transition to run ricci_modstorage.
## </summary>
## <param name="domain">
## <summary>
@@ -173,14 +199,33 @@ interface(`ricci_domtrans_modstorage',`
type ricci_modstorage_t, ricci_modstorage_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
')
+####################################
+## <summary>
+## Allow the specified domain to manage ricci's lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ricci_manage_lib_files',`
+ gen_require(`
+ type ricci_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
+ manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
+')
+
########################################
## <summary>
-## All of the rules required to
-## administrate an ricci environment.
+## All of the rules required to administrate
+## an ricci environment
## </summary>
## <param name="domain">
## <summary>
@@ -200,10 +245,13 @@ interface(`ricci_admin',`
type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
')
- allow $1 ricci_t:process { ptrace signal_perms };
+ allow $1 ricci_t:process signal_perms;
ps_process_pattern($1, ricci_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ricci_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, ricci_initrc_exec_t)
+ ricci_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 ricci_initrc_exec_t system_r;
allow $2 system_r;
diff --git a/ricci.te b/ricci.te
index 0ba2569a5..98b952398 100644
--- a/ricci.te
+++ b/ricci.te
@@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t)
corecmd_exec_bin(ricci_t)
-corenet_all_recvfrom_unlabeled(ricci_t)
corenet_all_recvfrom_netlabel(ricci_t)
corenet_tcp_sendrecv_generic_if(ricci_t)
corenet_tcp_sendrecv_generic_node(ricci_t)
@@ -136,7 +135,6 @@ dev_read_urand(ricci_t)
domain_read_all_domains_state(ricci_t)
-files_read_etc_files(ricci_t)
files_read_etc_runtime_files(ricci_t)
files_create_boot_flag(ricci_t)
@@ -149,7 +147,7 @@ locallogin_dontaudit_use_fds(ricci_t)
logging_send_syslog_msg(ricci_t)
-miscfiles_read_localization(ricci_t)
+systemd_start_power_services(ricci_t)
sysnet_dns_name_resolve(ricci_t)
@@ -235,13 +233,8 @@ init_domtrans_script(ricci_modcluster_t)
logging_send_syslog_msg(ricci_modcluster_t)
-miscfiles_read_localization(ricci_modcluster_t)
-
-ricci_stream_connect_modclusterd(ricci_modcluster_t)
-
optional_policy(`
- aisexec_stream_connect(ricci_modcluster_t)
- corosync_stream_connect(ricci_modcluster_t)
+ ricci_stream_connect_modclusterd(ricci_modcluster_t)
')
optional_policy(`
@@ -271,7 +264,7 @@ optional_policy(`
')
optional_policy(`
- rgmanager_stream_connect(ricci_modcluster_t)
+ rhcs_stream_connect_cluster(ricci_modcluster_t)
')
########################################
@@ -336,23 +329,16 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t)
logging_send_syslog_msg(ricci_modclusterd_t)
-miscfiles_read_localization(ricci_modclusterd_t)
-
sysnet_domtrans_ifconfig(ricci_modclusterd_t)
optional_policy(`
- aisexec_stream_connect(ricci_modclusterd_t)
- corosync_stream_connect(ricci_modclusterd_t)
-')
-
-optional_policy(`
ccs_domtrans(ricci_modclusterd_t)
ccs_stream_connect(ricci_modclusterd_t)
ccs_read_config(ricci_modclusterd_t)
')
optional_policy(`
- rgmanager_stream_connect(ricci_modclusterd_t)
+ rhcs_stream_connect_cluster(ricci_modclusterd_t)
')
optional_policy(`
@@ -374,12 +360,10 @@ corecmd_exec_bin(ricci_modlog_t)
domain_read_all_domains_state(ricci_modlog_t)
-files_read_etc_files(ricci_modlog_t)
files_search_usr(ricci_modlog_t)
logging_read_generic_logs(ricci_modlog_t)
-miscfiles_read_localization(ricci_modlog_t)
optional_policy(`
nscd_dontaudit_search_pid(ricci_modlog_t)
@@ -401,9 +385,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t)
corecmd_exec_bin(ricci_modrpm_t)
files_search_usr(ricci_modrpm_t)
-files_read_etc_files(ricci_modrpm_t)
-miscfiles_read_localization(ricci_modrpm_t)
+logging_send_syslog_msg(ricci_modrpm_t)
optional_policy(`
oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
@@ -418,7 +401,7 @@ optional_policy(`
# Modservice local policy
#
-allow ricci_modservice_t self:capability { dac_override sys_nice };
+allow ricci_modservice_t self:capability {dac_read_search sys_nice };
allow ricci_modservice_t self:process setsched;
allow ricci_modservice_t self:fifo_file rw_fifo_file_perms;
@@ -428,14 +411,13 @@ kernel_read_system_state(ricci_modservice_t)
corecmd_exec_bin(ricci_modservice_t)
corecmd_exec_shell(ricci_modservice_t)
-files_read_etc_files(ricci_modservice_t)
files_read_etc_runtime_files(ricci_modservice_t)
files_search_usr(ricci_modservice_t)
files_manage_etc_symlinks(ricci_modservice_t)
init_domtrans_script(ricci_modservice_t)
-miscfiles_read_localization(ricci_modservice_t)
+logging_send_syslog_msg(ricci_modservice_t)
optional_policy(`
ccs_read_config(ricci_modservice_t)
@@ -460,7 +442,6 @@ optional_policy(`
allow ricci_modstorage_t self:capability { mknod sys_nice };
allow ricci_modstorage_t self:process { setsched signal };
-dontaudit ricci_modstorage_t self:process ptrace;
allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
kernel_read_kernel_sysctls(ricci_modstorage_t)
@@ -480,21 +461,21 @@ domain_read_all_domains_state(ricci_modstorage_t)
files_manage_etc_files(ricci_modstorage_t)
files_read_etc_runtime_files(ricci_modstorage_t)
-files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
+files_create_default_dir(ricci_modstorage_t)
+files_root_filetrans_default(ricci_modstorage_t, dir)
+files_mounton_default(ricci_modstorage_t)
+files_manage_default_dirs(ricci_modstorage_t)
+files_manage_default_files(ricci_modstorage_t)
+
storage_raw_read_fixed_disk(ricci_modstorage_t)
term_dontaudit_use_console(ricci_modstorage_t)
-logging_send_syslog_msg(ricci_modstorage_t)
-
-miscfiles_read_localization(ricci_modstorage_t)
+auth_use_nsswitch(ricci_modstorage_t)
-optional_policy(`
- aisexec_stream_connect(ricci_modstorage_t)
- corosync_stream_connect(ricci_modstorage_t)
-')
+logging_send_syslog_msg(ricci_modstorage_t)
optional_policy(`
ccs_stream_connect(ricci_modstorage_t)
diff --git a/rkhunter.fc b/rkhunter.fc
new file mode 100644
index 000000000..645a9cc1a
--- /dev/null
+++ b/rkhunter.fc
@@ -0,0 +1 @@
+/var/lib/rkhunter(/.*)? gen_context(system_u:object_r:rkhunter_var_lib_t,s0)
diff --git a/rkhunter.if b/rkhunter.if
new file mode 100644
index 000000000..0be4ceec0
--- /dev/null
+++ b/rkhunter.if
@@ -0,0 +1,39 @@
+## <summary> policy for rkhunter </summary>
+
+########################################
+## <summary>
+## Append rkhunter lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rkhunter_append_lib_files',`
+ gen_require(`
+ type rkhunter_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ append_files_pattern($1, rkhunter_var_lib_t, rkhunter_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage rkhunter lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rkhunter_manage_lib_files',`
+ gen_require(`
+ type rkhunter_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, rkhunter_var_lib_t, rkhunter_var_lib_t)
+')
diff --git a/rkhunter.te b/rkhunter.te
new file mode 100644
index 000000000..44de48092
--- /dev/null
+++ b/rkhunter.te
@@ -0,0 +1,4 @@
+policy_module(rkhunter, 1.1)
+
+type rkhunter_var_lib_t;
+files_type(rkhunter_var_lib_t)
diff --git a/rkt.fc b/rkt.fc
new file mode 100644
index 000000000..19414579e
--- /dev/null
+++ b/rkt.fc
@@ -0,0 +1,11 @@
+/usr/bin/rkt -- gen_context(system_u:object_r:rkt_exec_t,s0)
+
+/usr/lib/systemd/system/rkt-gc.service -- gen_context(system_u:object_r:rkt_unit_file_t,s0)
+
+/usr/lib/systemd/system/rkt-gc.timer -- gen_context(system_u:object_r:rkt_unit_file_t,s0)
+
+/usr/lib/systemd/system/rkt-metadata.service -- gen_context(system_u:object_r:rkt_unit_file_t,s0)
+
+/usr/lib/systemd/system/rkt-metadata.socket -- gen_context(system_u:object_r:rkt_unit_file_t,s0)
+
+/var/lib/rkt(/.*)? gen_context(system_u:object_r:rkt_var_lib_t,s0)
diff --git a/rkt.if b/rkt.if
new file mode 100644
index 000000000..8f367ed44
--- /dev/null
+++ b/rkt.if
@@ -0,0 +1,177 @@
+## <summary>CLI for running app containers</summary>
+
+########################################
+## <summary>
+## Execute rkt_exec_t in the rkt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rkt_domtrans',`
+ gen_require(`
+ type rkt_t, rkt_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rkt_exec_t, rkt_t)
+')
+
+######################################
+## <summary>
+## Execute rkt in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rkt_exec',`
+ gen_require(`
+ type rkt_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, rkt_exec_t)
+')
+
+########################################
+## <summary>
+## Search rkt lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rkt_search_lib',`
+ gen_require(`
+ type rkt_var_lib_t;
+ ')
+
+ allow $1 rkt_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read rkt lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rkt_read_lib_files',`
+ gen_require(`
+ type rkt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, rkt_var_lib_t, rkt_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage rkt lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rkt_manage_lib_files',`
+ gen_require(`
+ type rkt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, rkt_var_lib_t, rkt_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage rkt lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rkt_manage_lib_dirs',`
+ gen_require(`
+ type rkt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, rkt_var_lib_t, rkt_var_lib_t)
+')
+
+########################################
+## <summary>
+## Execute rkt server in the rkt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rkt_systemctl',`
+ gen_require(`
+ type rkt_t;
+ type rkt_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 rkt_unit_file_t:file read_file_perms;
+ allow $1 rkt_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, rkt_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an rkt environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rkt_admin',`
+ gen_require(`
+ type rkt_t;
+ type rkt_var_lib_t;
+ type rkt_unit_file_t;
+ ')
+
+ allow $1 rkt_t:process { signal_perms };
+ ps_process_pattern($1, rkt_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 rkt_t:process ptrace;
+ ')
+
+ files_search_var_lib($1)
+ admin_pattern($1, rkt_var_lib_t)
+
+ rkt_systemctl($1)
+ admin_pattern($1, rkt_unit_file_t)
+ allow $1 rkt_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/rkt.te b/rkt.te
new file mode 100644
index 000000000..4e962a7bf
--- /dev/null
+++ b/rkt.te
@@ -0,0 +1,38 @@
+policy_module(rkt, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rkt_t;
+type rkt_exec_t;
+init_daemon_domain(rkt_t, rkt_exec_t)
+
+type rkt_var_lib_t;
+files_type(rkt_var_lib_t)
+
+type rkt_unit_file_t;
+systemd_unit_file(rkt_unit_file_t)
+
+########################################
+#
+# rkt local policy
+#
+allow rkt_t self:capability net_admin;
+allow rkt_t self:fifo_file rw_fifo_file_perms;
+allow rkt_t self:unix_stream_socket create_stream_socket_perms;
+allow rkt_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rkt_t, rkt_var_lib_t, rkt_var_lib_t)
+manage_files_pattern(rkt_t, rkt_var_lib_t, rkt_var_lib_t)
+manage_lnk_files_pattern(rkt_t, rkt_var_lib_t, rkt_var_lib_t)
+files_var_lib_filetrans(rkt_t, rkt_var_lib_t, { dir file lnk_file })
+
+kernel_read_net_sysctls(rkt_t)
+
+corenet_tcp_bind_generic_node(rkt_t)
+
+domain_use_interactive_fds(rkt_t)
+
+sysnet_dns_name_resolve(rkt_t)
diff --git a/rlogin.fc b/rlogin.fc
index f11187720..e361ee9e2 100644
--- a/rlogin.fc
+++ b/rlogin.fc
@@ -1,5 +1,7 @@
-HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
-HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
+HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
+HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
+/root/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
+/root/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
/usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
diff --git a/rlogin.if b/rlogin.if
index 050479dea..0e1b364fb 100644
--- a/rlogin.if
+++ b/rlogin.if
@@ -29,7 +29,7 @@ interface(`rlogin_domtrans',`
## </summary>
## </param>
#
-template(`rlogin_read_home_content',`
+interface(`rlogin_read_home_content',`
gen_require(`
type rlogind_home_t;
')
diff --git a/rlogin.te b/rlogin.te
index ee2794858..248d080f6 100644
--- a/rlogin.te
+++ b/rlogin.te
@@ -31,10 +31,12 @@ files_pid_file(rlogind_var_run_t)
# Local policy
#
-allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
+allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_read_search };
allow rlogind_t self:process signal_perms;
allow rlogind_t self:fifo_file rw_fifo_file_perms;
-allow rlogind_t self:tcp_socket { accept listen };
+allow rlogind_t self:tcp_socket connected_stream_socket_perms;
+# for identd; cjp: this should probably only be inetd_child rules?
+allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(rlogind_t, rlogind_devpts_t)
@@ -45,7 +47,6 @@ allow rlogind_t rlogind_keytab_t:file read_file_perms;
manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
-files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { dir file })
manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
@@ -56,7 +57,6 @@ kernel_read_kernel_sysctls(rlogind_t)
kernel_read_system_state(rlogind_t)
kernel_read_network_state(rlogind_t)
-corenet_all_recvfrom_unlabeled(rlogind_t)
corenet_all_recvfrom_netlabel(rlogind_t)
corenet_tcp_sendrecv_generic_if(rlogind_t)
corenet_tcp_sendrecv_generic_node(rlogind_t)
@@ -65,6 +65,10 @@ corenet_sendrecv_rlogind_server_packets(rlogind_t)
corenet_tcp_bind_rlogind_port(rlogind_t)
corenet_tcp_sendrecv_rlogind_port(rlogind_t)
+corenet_sendrecv_rlogin_server_packets(rlogind_t)
+corenet_tcp_bind_rlogin_port(rlogind_t)
+corenet_tcp_sendrecv_rlogin_port(rlogind_t)
+
dev_read_urand(rlogind_t)
domain_interactive_fd(rlogind_t)
@@ -73,6 +77,7 @@ fs_getattr_all_fs(rlogind_t)
fs_search_auto_mountpoints(rlogind_t)
auth_domtrans_chk_passwd(rlogind_t)
+auth_signal_chk_passwd(rlogind_t)
auth_rw_login_records(rlogind_t)
auth_use_nsswitch(rlogind_t)
@@ -83,29 +88,23 @@ init_rw_utmp(rlogind_t)
logging_send_syslog_msg(rlogind_t)
-miscfiles_read_localization(rlogind_t)
-
seutil_read_config(rlogind_t)
userdom_search_user_home_dirs(rlogind_t)
userdom_setattr_user_ptys(rlogind_t)
+# cjp: this is egregious
+userdom_read_user_home_content_files(rlogind_t)
+userdom_search_admin_dir(rlogind_t)
+userdom_manage_user_tmp_files(rlogind_t)
+userdom_tmp_filetrans_user_tmp(rlogind_t, file)
userdom_use_user_terminals(rlogind_t)
+userdom_home_reader(rlogind_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_list_nfs(rlogind_t)
- fs_read_nfs_files(rlogind_t)
- fs_read_nfs_symlinks(rlogind_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_list_cifs(rlogind_t)
- fs_read_cifs_files(rlogind_t)
- fs_read_cifs_symlinks(rlogind_t)
-')
+rlogin_read_home_content(rlogind_t)
optional_policy(`
kerberos_read_keytab(rlogind_t)
- kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0")
kerberos_manage_host_rcache(rlogind_t)
kerberos_use(rlogind_t)
')
diff --git a/rngd.fc b/rngd.fc
index fa19aa8de..90eb481c1 100644
--- a/rngd.fc
+++ b/rngd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
+/usr/lib/systemd/system/rngd.* -- gen_context(system_u:object_r:rngd_unit_file_t,s0)
+
/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
/var/run/rngd\.pid -- gen_context(system_u:object_r:rngd_var_run_t,s0)
diff --git a/rngd.if b/rngd.if
index 13f788fd5..10e203301 100644
--- a/rngd.if
+++ b/rngd.if
@@ -2,6 +2,29 @@
########################################
## <summary>
+## Execute rngd in the rngd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rng_systemctl_rngd',`
+ gen_require(`
+ type rngd_t, rngd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 rngd_unit_file_t:file read_file_perms;
+ allow $1 rngd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, rngd_t)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an rng environment.
## </summary>
@@ -17,14 +40,18 @@
## </param>
## <rolecap/>
#
-interface(`rngd_admin',`
+interface(`rng_admin',`
gen_require(`
- type rngd_t, rngd_initrc_exec_t, rngd_var_run_t;
+ type rngd_t, rngd_initrc_exec_t, rngd_var_run_t, rngd_unit_file_t;
')
- allow $1 rngd_t:process { ptrace signal_perms };
+ allow $1 rngd_t:process signal_perms;
ps_process_pattern($1, rngd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 rngd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, rngd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 rngd_initrc_exec_t system_r;
@@ -32,4 +59,8 @@ interface(`rngd_admin',`
files_search_pids($1)
admin_pattern($1, rngd_var_run_t)
+
+ rng_systemctl_rngd($1)
+ admin_pattern($1, rngd_unit_file_t)
+ allow $1 rngd_unit_file_t:service all_service_perms;
')
diff --git a/rngd.te b/rngd.te
index a7b7717b7..cdf68a3ae 100644
--- a/rngd.te
+++ b/rngd.te
@@ -12,6 +12,9 @@ init_daemon_domain(rngd_t, rngd_exec_t)
type rngd_initrc_exec_t;
init_script_file(rngd_initrc_exec_t)
+type rngd_unit_file_t;
+systemd_unit_file(rngd_unit_file_t)
+
type rngd_var_run_t;
files_pid_file(rngd_var_run_t)
@@ -34,9 +37,8 @@ dev_read_rand(rngd_t)
dev_read_urand(rngd_t)
dev_rw_tpm(rngd_t)
dev_write_rand(rngd_t)
-
-files_read_etc_files(rngd_t)
+dev_read_sysfs(rngd_t)
logging_send_syslog_msg(rngd_t)
-miscfiles_read_localization(rngd_t)
+term_use_usb_ttys(rngd_t)
diff --git a/rolekit.fc b/rolekit.fc
new file mode 100644
index 000000000..504b6e13e
--- /dev/null
+++ b/rolekit.fc
@@ -0,0 +1,3 @@
+/usr/lib/systemd/system/rolekit.* -- gen_context(system_u:object_r:rolekit_unit_file_t,s0)
+
+/usr/sbin/roled -- gen_context(system_u:object_r:rolekit_exec_t,s0)
diff --git a/rolekit.if b/rolekit.if
new file mode 100644
index 000000000..b11fb8f6d
--- /dev/null
+++ b/rolekit.if
@@ -0,0 +1,120 @@
+## <summary>Daemon for Linux systems providing a stable D-BUS interface to manage the deployment of Server Roles. </summary>
+
+########################################
+## <summary>
+## Execute rolekit in the rolekit domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rolekit_domtrans',`
+ gen_require(`
+ type rolekit_t, rolekit_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rolekit_exec_t, rolekit_t)
+')
+
+########################################
+## <summary>
+## Execute rolekit server in the rolekit domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rolekit_systemctl',`
+ gen_require(`
+ type rolekit_t;
+ type rolekit_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 rolekit_unit_file_t:file read_file_perms;
+ allow $1 rolekit_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, rolekit_t)
+')
+#######################################
+## <summary>
+## Manage rolekit kernel keyrings.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rolekit_manage_keys',`
+ gen_require(`
+ type rolekit_t;
+ ')
+
+ allow $1 rolekit_t:key manage_key_perms;
+ allow rolekit_t $1:key manage_key_perms;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## policykit over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rolekit_dbus_chat',`
+ gen_require(`
+ type rolekit_t;
+ class dbus send_msg;
+ ')
+
+ ps_process_pattern(rolekit_t, $1)
+
+ allow $1 rolekit_t:dbus send_msg;
+ allow rolekit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an rolekit environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rolekit_admin',`
+ gen_require(`
+ type rolekit_t;
+ type rolekit_unit_file_t;
+ ')
+
+ allow $1 rolekit_t:process { signal_perms };
+ ps_process_pattern($1, rolekit_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 rolekit_t:process ptrace;
+ ')
+
+ rolekit_systemctl($1)
+ admin_pattern($1, rolekit_unit_file_t)
+ allow $1 rolekit_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/rolekit.te b/rolekit.te
new file mode 100644
index 000000000..da944537b
--- /dev/null
+++ b/rolekit.te
@@ -0,0 +1,47 @@
+policy_module(rolekit, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rolekit_t;
+type rolekit_exec_t;
+init_daemon_domain(rolekit_t, rolekit_exec_t)
+
+type rolekit_tmp_t;
+files_tmp_file(rolekit_tmp_t)
+
+type rolekit_unit_file_t;
+systemd_unit_file(rolekit_unit_file_t)
+
+########################################
+#
+# rolekit local policy
+#
+
+allow rolekit_t self:fifo_file rw_fifo_file_perms;
+allow rolekit_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(rolekit_t, rolekit_tmp_t, rolekit_tmp_t)
+manage_dirs_pattern(rolekit_t, rolekit_tmp_t, rolekit_tmp_t)
+files_tmp_filetrans(rolekit_t, rolekit_tmp_t, { file dir })
+
+kernel_read_system_state(rolekit_t)
+
+auth_use_nsswitch(rolekit_t)
+
+optional_policy(`
+ sssd_domtrans(rolekit_t)
+')
+
+optional_policy(`
+ rpm_transition_script(rolekit_t, system_r)
+')
+
+optional_policy(`
+ unconfined_domain_noaudit(rolekit_t)
+ #should be changed for debugging
+ #unconfined_domain(rolekit_t)
+ domain_named_filetrans(rolekit_t)
+')
diff --git a/roundup.fc b/roundup.fc
index 6f05cd06a..dc2a9aaee 100644
--- a/roundup.fc
+++ b/roundup.fc
@@ -2,4 +2,4 @@
/usr/bin/roundup-server -- gen_context(system_u:object_r:roundup_exec_t,s0)
-/var/lib/roundup(/.*)? -- gen_context(system_u:object_r:roundup_var_lib_t,s0)
+/var/lib/roundup(/.*)? gen_context(system_u:object_r:roundup_var_lib_t,s0)
diff --git a/roundup.if b/roundup.if
index 975bb6a45..ce4f5ead8 100644
--- a/roundup.if
+++ b/roundup.if
@@ -23,8 +23,11 @@ interface(`roundup_admin',`
type roundup_initrc_exec_t;
')
- allow $1 roundup_t:process { ptrace signal_perms };
+ allow $1 roundup_t:process signal_perms;
ps_process_pattern($1, roundup_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 roundup_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, roundup_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/roundup.te b/roundup.te
index ccb5991ed..fa10c5a2d 100644
--- a/roundup.te
+++ b/roundup.te
@@ -38,10 +38,10 @@ files_pid_filetrans(roundup_t, roundup_var_run_t, file)
kernel_read_kernel_sysctls(roundup_t)
kernel_list_proc(roundup_t)
kernel_read_proc_symlinks(roundup_t)
+kernel_read_system_state(roundup_t)
corecmd_exec_bin(roundup_t)
-corenet_all_recvfrom_unlabeled(roundup_t)
corenet_all_recvfrom_netlabel(roundup_t)
corenet_tcp_sendrecv_generic_if(roundup_t)
corenet_tcp_sendrecv_generic_node(roundup_t)
@@ -60,19 +60,19 @@ dev_read_urand(roundup_t)
domain_use_interactive_fds(roundup_t)
-files_read_etc_files(roundup_t)
-files_read_usr_files(roundup_t)
-
fs_getattr_all_fs(roundup_t)
fs_search_auto_mountpoints(roundup_t)
logging_send_syslog_msg(roundup_t)
-miscfiles_read_localization(roundup_t)
-
sysnet_dns_name_resolve(roundup_t)
userdom_dontaudit_use_unpriv_user_fds(roundup_t)
+
+optional_policy(`
+ apache_search_config(roundup_t)
+')
+
userdom_dontaudit_search_user_home_dirs(roundup_t)
optional_policy(`
diff --git a/rpc.fc b/rpc.fc
index a6fb30cb3..e11f3a0f3 100644
--- a/rpc.fc
+++ b/rpc.fc
@@ -1,12 +1,31 @@
-/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
-/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
-/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
-/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+#
+# /etc
+#
+/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
+/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+/usr/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+/usr/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0)
+
+/usr/lib/systemd/system/nfs-ganesha-config.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+/usr/lib/systemd/system/nfs-ganesha-lock.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+
+/usr/lib/systemd/system-generators/nfs.* -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+
+#
+# /sbin
+#
+/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+
+#
+# /usr
+#
/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
@@ -16,7 +35,16 @@
/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
/usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
-/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)
+/usr/bin/ganesha\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)
+/var/run/sm-notify.* gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/var/run/ganesha.* gen_context(system_u:object_r:rpcd_var_run_t,s0)
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
-/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/var/run/rpc\.statd\.lock -- gen_context(system_u:object_r:rpcd_lock_t,s0)
+
diff --git a/rpc.if b/rpc.if
index 0bf13c220..2ee527f2a 100644
--- a/rpc.if
+++ b/rpc.if
@@ -1,4 +1,4 @@
-## <summary>Remote Procedure Call Daemon.</summary>
+## <summary>Remote Procedure Call Daemon for managment of network based process communication</summary>
########################################
## <summary>
@@ -20,15 +20,21 @@ interface(`rpc_stub',`
## <summary>
## The template to define a rpc domain.
## </summary>
-## <param name="domain_prefix">
+## <desc>
+## <p>
+## This template creates a domain to be used for
+## a new rpc daemon.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
## <summary>
-## Domain prefix to be used.
+## The type of daemon to be used.
## </summary>
## </param>
#
template(`rpc_domain_template',`
gen_require(`
- attribute rpc_domain;
+ attribute rpc_domain;
')
########################################
@@ -42,12 +48,19 @@ template(`rpc_domain_template',`
domain_use_interactive_fds($1_t)
- ########################################
+ ####################################
#
- # Policy
+ # Local Policy
#
+ kernel_read_system_state($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+
auth_use_nsswitch($1_t)
+
+ logging_send_syslog_msg($1_t)
')
########################################
@@ -66,8 +79,8 @@ interface(`rpc_udp_send',`
########################################
## <summary>
-## Do not audit attempts to get
-## attributes of export files.
+## Do not audit attempts to get the attributes
+## of the NFS export file.
## </summary>
## <param name="domain">
## <summary>
@@ -80,12 +93,12 @@ interface(`rpc_dontaudit_getattr_exports',`
type exports_t;
')
- dontaudit $1 exports_t:file getattr;
+ dontaudit $1 exports_t:file getattr_file_perms;
')
########################################
## <summary>
-## Read export files.
+## Allow read access to exports.
## </summary>
## <param name="domain">
## <summary>
@@ -103,7 +116,7 @@ interface(`rpc_read_exports',`
########################################
## <summary>
-## Write export files.
+## Allow write access to exports.
## </summary>
## <param name="domain">
## <summary>
@@ -116,12 +129,12 @@ interface(`rpc_write_exports',`
type exports_t;
')
- allow $1 exports_t:file write;
+ allow $1 exports_t:file write_file_perms;
')
########################################
## <summary>
-## Execute nfsd in the nfsd domain.
+## Execute domain in nfsd domain.
## </summary>
## <param name="domain">
## <summary>
@@ -134,14 +147,12 @@ interface(`rpc_domtrans_nfsd',`
type nfsd_t, nfsd_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, nfsd_exec_t, nfsd_t)
')
#######################################
## <summary>
-## Execute nfsd init scripts in
-## the initrc domain.
+## Execute domain in nfsd domain.
## </summary>
## <param name="domain">
## <summary>
@@ -159,7 +170,7 @@ interface(`rpc_initrc_domtrans_nfsd',`
########################################
## <summary>
-## Execute rpcd in the rpcd domain.
+## Execute nfsd server in the nfsd domain.
## </summary>
## <param name="domain">
## <summary>
@@ -167,120 +178,128 @@ interface(`rpc_initrc_domtrans_nfsd',`
## </summary>
## </param>
#
-interface(`rpc_domtrans_rpcd',`
+interface(`rpc_systemctl_nfsd',`
gen_require(`
- type rpcd_t, rpcd_exec_t;
+ type nfsd_unit_file_t;
+ type nfsd_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, rpcd_exec_t, rpcd_t)
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 nfsd_unit_file_t:file read_file_perms;
+ allow $1 nfsd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, nfsd_t)
')
-#######################################
+########################################
## <summary>
-## Execute rpcd init scripts in
-## the initrc domain.
+## Send kill signals to rpcd.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`rpc_initrc_domtrans_rpcd',`
+interface(`rpc_kill_rpcd',`
gen_require(`
- type rpcd_initrc_exec_t;
+ type rpcd_t;
')
- init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
+ allow $1 rpcd_t:process sigkill;
')
########################################
## <summary>
-## Read nfs exported content.
+## Execute domain in rpcd domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`rpc_read_nfs_content',`
+interface(`rpc_domtrans_rpcd',`
gen_require(`
- type nfsd_ro_t, nfsd_rw_t;
+ type rpcd_t, rpcd_exec_t;
')
- allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
- allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
- allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms;
+ domtrans_pattern($1, rpcd_exec_t, rpcd_t)
+ allow rpcd_t $1:process signal;
')
########################################
## <summary>
-## Create, read, write, and delete
-## nfs exported read write content.
+## Execute rpcd in the rcpd domain, and
+## allow the specified role the rpcd domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
## </summary>
## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
## <rolecap/>
#
-interface(`rpc_manage_nfs_rw_content',`
+interface(`rpc_run_rpcd',`
gen_require(`
- type nfsd_rw_t;
+ type rpcd_t;
')
- manage_dirs_pattern($1, nfsd_rw_t, nfsd_rw_t)
- manage_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
- manage_lnk_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
+ rpc_domtrans_rpcd($1)
+ role $2 types rpcd_t;
')
-########################################
+#######################################
## <summary>
-## Create, read, write, and delete
-## nfs exported read only content.
+## Execute domain in rpcd domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`rpc_manage_nfs_ro_content',`
+interface(`rpc_initrc_domtrans_rpcd',`
gen_require(`
- type nfsd_ro_t;
+ type rpcd_initrc_exec_t;
')
- manage_dirs_pattern($1, nfsd_ro_t, nfsd_ro_t)
- manage_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
- manage_lnk_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
+ init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
')
########################################
## <summary>
-## Read and write to nfsd tcp sockets.
+## Execute rpcd server in the rpcd domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
## </summary>
## </param>
#
-interface(`rpc_tcp_rw_nfs_sockets',`
+interface(`rpc_systemctl_rpcd',`
gen_require(`
- type nfsd_t;
+ type rpcd_unit_file_t;
+ type rpcd_t;
')
- allow $1 nfsd_t:tcp_socket rw_socket_perms;
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 rpcd_unit_file_t:file read_file_perms;
+ allow $1 rpcd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, rpcd_t)
')
########################################
## <summary>
-## Read and write to nfsd udp sockets.
+## Allow domain to read and write to an NFS UDP socket.
## </summary>
## <param name="domain">
## <summary>
@@ -312,7 +331,7 @@ interface(`rpc_udp_send_nfs',`
########################################
## <summary>
-## Search nfs lib directories.
+## Search NFS state data in /var/lib/nfs.
## </summary>
## <param name="domain">
## <summary>
@@ -326,12 +345,50 @@ interface(`rpc_search_nfs_state_data',`
')
files_search_var_lib($1)
- allow $1 var_lib_nfs_t:dir search;
+ allow $1 var_lib_nfs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List NFS state data in /var/lib/nfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_list_nfs_state_data',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 var_lib_nfs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Manage NFS state data in /var/lib/nfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_manage_nfs_state_data_dir',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 var_lib_nfs_t:dir manage_dir_perms;
')
########################################
## <summary>
-## Read nfs lib files.
+## Read NFS state data in /var/lib/nfs.
## </summary>
## <param name="domain">
## <summary>
@@ -346,12 +403,12 @@ interface(`rpc_read_nfs_state_data',`
files_search_var_lib($1)
read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ read_lnk_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## nfs lib files.
+## Manage NFS state data in /var/lib/nfs.
## </summary>
## <param name="domain">
## <summary>
@@ -366,31 +423,68 @@ interface(`rpc_manage_nfs_state_data',`
files_search_var_lib($1)
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
########################################
## <summary>
-## All of the rules required to
-## administrate an rpc environment.
+## Write keys for all user domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+#
+interface(`rpc_rw_gssd_keys',`
+ gen_require(`
+ type gssd_t;
+ ')
+
+ allow $1 gssd_t:key { read search setattr view write };
+')
+
+########################################
+## <summary>
+## Transition to alsa named content
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
+#
+interface(`rpc_filetrans_var_lib_nfs_content',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
+ files_var_lib_filetrans($1, var_lib_nfs_t, lnk_file, "nfs")
+')
+
+#######################################
+## <summary>
+## All of the rules required to
+## administrate an rpc environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
## <rolecap/>
#
interface(`rpc_admin',`
- gen_require(`
+ gen_require(`
attribute rpc_domain;
type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
- type nfsd_ro_t, nfsd_rw_t, gssd_keytab_t;
+ type nfsd_rw_t, gssd_keytab_t;
')
allow $1 rpc_domain:process { ptrace signal_perms };
@@ -411,10 +505,49 @@ interface(`rpc_admin',`
admin_pattern($1, rpcd_var_run_t)
files_list_all($1)
- admin_pattern($1, { nfsd_ro_t nfsd_rw_t })
+ admin_pattern($1, nfsd_rw_t )
files_list_tmp($1)
admin_pattern($1, gssd_tmp_t)
fs_search_nfsd_fs($1)
')
+
+########################################
+## <summary>
+## Read and write to svirt_image devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_gssd_noatsecure',`
+ gen_require(`
+ type gssd_t;
+ ')
+
+ allow $1 gssd_t:process { noatsecure rlimitinh };
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## ganesha over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_dbus_chat_nfsd',`
+ gen_require(`
+ type nfsd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 nfsd_t:dbus send_msg;
+ allow nfsd_t $1:dbus send_msg;
+')
diff --git a/rpc.te b/rpc.te
index 2da9fca2f..f06eb2732 100644
--- a/rpc.te
+++ b/rpc.te
@@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
#
## <desc>
-## <p>
-## Determine whether gssd can read
-## generic user temporary content.
-## </p>
+## <p>
+## Allow gssd to list tmp directories and read the kerberos credential cache.
+## </p>
## </desc>
-gen_tunable(allow_gssd_read_tmp, false)
+gen_tunable(gssd_read_tmp, true)
## <desc>
-## <p>
-## Determine whether nfs can modify
-## public files used for public file
-## transfer services. Directories/Files must
-## be labeled public_content_rw_t.
-## </p>
+## <p>
+## Allow nfs servers to modify public files
+## used for public file transfer services. Files/Directories must be
+## labeled public_content_rw_t.
+## </p>
## </desc>
-gen_tunable(allow_nfsd_anon_write, false)
+gen_tunable(nfsd_anon_write, false)
+
+## <desc>
+## <p>
+## Allow rpcd_t to manage fuse files
+## </p>
+## </desc>
+gen_tunable(rpcd_use_fusefs, false)
attribute rpc_domain;
@@ -39,25 +44,36 @@ files_tmp_file(gssd_tmp_t)
type rpcd_var_run_t;
files_pid_file(rpcd_var_run_t)
+type rpcd_lock_t;
+files_lock_file(rpcd_lock_t)
+
+# rpcd_t is the domain of rpc daemons.
+# rpc_exec_t is the type of rpc daemon programs.
rpc_domain_template(rpcd)
type rpcd_initrc_exec_t;
init_script_file(rpcd_initrc_exec_t)
+type rpcd_unit_file_t;
+systemd_unit_file(rpcd_unit_file_t)
+
rpc_domain_template(nfsd)
type nfsd_initrc_exec_t;
init_script_file(nfsd_initrc_exec_t)
-type nfsd_rw_t;
-files_type(nfsd_rw_t)
-
-type nfsd_ro_t;
-files_type(nfsd_ro_t)
+type nfsd_unit_file_t;
+systemd_unit_file(nfsd_unit_file_t)
type var_lib_nfs_t;
files_mountpoint(var_lib_nfs_t)
+type nfsd_tmp_t;
+files_tmp_file(nfsd_tmp_t)
+
+typealias nfsd_exec_t alias ganesha_exec_t;
+typealias nfsd_unit_file_t alias ganesha_unit_file_t;
+
########################################
#
# Common rpc domain local policy
@@ -71,7 +87,6 @@ allow rpc_domain self:tcp_socket { accept listen };
manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
-kernel_read_system_state(rpc_domain)
kernel_read_kernel_sysctls(rpc_domain)
kernel_rw_rpc_sysctls(rpc_domain)
@@ -79,8 +94,6 @@ dev_read_sysfs(rpc_domain)
dev_read_urand(rpc_domain)
dev_read_rand(rpc_domain)
-corenet_all_recvfrom_unlabeled(rpc_domain)
-corenet_all_recvfrom_netlabel(rpc_domain)
corenet_tcp_sendrecv_generic_if(rpc_domain)
corenet_udp_sendrecv_generic_if(rpc_domain)
corenet_tcp_sendrecv_generic_node(rpc_domain)
@@ -108,41 +121,48 @@ files_read_etc_runtime_files(rpc_domain)
files_read_usr_files(rpc_domain)
files_list_home(rpc_domain)
-logging_send_syslog_msg(rpc_domain)
-
-miscfiles_read_localization(rpc_domain)
-
userdom_dontaudit_use_unpriv_user_fds(rpc_domain)
optional_policy(`
- rpcbind_stream_connect(rpc_domain)
+ rpcbind_stream_connect(rpc_domain)
')
optional_policy(`
- seutil_sigchld_newrole(rpc_domain)
+ seutil_sigchld_newrole(rpc_domain)
')
optional_policy(`
- udev_read_db(rpc_domain)
+ udev_read_db(rpc_domain)
')
########################################
#
-# Local policy
+# RPC local policy
#
-allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid };
+allow rpcd_t self:capability { setpcap sys_admin chown dac_read_search setgid setuid };
allow rpcd_t self:capability2 block_suspend;
+
allow rpcd_t self:process { getcap setcap };
allow rpcd_t self:fifo_file rw_fifo_file_perms;
+allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms;
manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir })
+read_lnk_files_pattern(rpcd_t, var_lib_nfs_t, var_lib_nfs_t)
+
+allow rpcd_t rpcd_lock_t:file manage_file_perms;
+files_lock_filetrans(rpcd_t, rpcd_lock_t, file)
+
+# rpc.statd executes sm-notify
can_exec(rpcd_t, rpcd_exec_t)
+kernel_read_system_state(rpcd_t)
+kernel_write_proc_files(rpcd_t)
kernel_read_network_state(rpcd_t)
+# for rpc.rquotad
kernel_read_sysctl(rpcd_t)
kernel_rw_fs_sysctls(rpcd_t)
kernel_dontaudit_getattr_core_if(rpcd_t)
@@ -163,13 +183,21 @@ fs_getattr_all_fs(rpcd_t)
storage_getattr_fixed_disk_dev(rpcd_t)
+init_read_utmp(rpcd_t)
+
selinux_dontaudit_read_fs(rpcd_t)
miscfiles_read_generic_certs(rpcd_t)
-seutil_dontaudit_search_config(rpcd_t)
+userdom_signal_unpriv_users(rpcd_t)
+userdom_read_user_home_content_files(rpcd_t)
-userdom_signal_all_users(rpcd_t)
+tunable_policy(`rpcd_use_fusefs',`
+ fs_manage_fusefs_dirs(rpcd_t)
+ fs_manage_fusefs_files(rpcd_t)
+ fs_read_fusefs_symlinks(rpcd_t)
+ fs_getattr_fusefs(rpcd_t)
+')
ifdef(`distro_debian',`
term_dontaudit_use_unallocated_ttys(rpcd_t)
@@ -181,19 +209,27 @@ optional_policy(`
')
optional_policy(`
+ domain_unconfined_signal(rpcd_t)
+')
+
+optional_policy(`
+ quota_manage_db(rpcd_t)
+')
+
+optional_policy(`
nis_read_ypserv_config(rpcd_t)
')
optional_policy(`
- quota_manage_db_files(rpcd_t)
+ quota_read_db(rpcd_t)
')
optional_policy(`
- rgmanager_manage_tmp_files(rpcd_t)
+ rhcs_manage_cluster_tmp_files(rpcd_t)
')
optional_policy(`
- unconfined_signal(rpcd_t)
+ samba_stream_connect_nmbd(rpcd_t)
')
########################################
@@ -201,42 +237,75 @@ optional_policy(`
# NFSD local policy
#
-allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
+allow nfsd_t self:capability { dac_read_search dac_override sys_admin sys_resource };
+dontaudit nfsd_t self:capability sys_rawio;
+
+allow nfsd_t self:process { setcap };
allow nfsd_t exports_t:file read_file_perms;
-allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+manage_dirs_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t)
+manage_files_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t)
+files_tmp_filetrans(nfsd_t, nfsd_tmp_t, { file dir })
+
+manage_files_pattern(nfsd_t, rpcd_var_run_t, rpcd_var_run_t)
+files_pid_filetrans(nfsd_t, rpcd_var_run_t, { file })
+
+# for /proc/fs/nfs/exports - should we have a new type?
+kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
kernel_dontaudit_getattr_core_if(nfsd_t)
-kernel_setsched(nfsd_t)
+kernel_dontaudit_setsched(nfsd_t)
kernel_request_load_module(nfsd_t)
-# kernel_mounton_proc(nfsd_t)
+kernel_mounton_proc(nfsd_t)
+kernel_rw_rpc_sysctls_dirs(nfsd_t)
+kernel_create_rpc_sysctls(nfsd_t)
+
+corecmd_exec_shell(nfsd_t)
-corenet_sendrecv_nfs_server_packets(nfsd_t)
+corenet_tcp_bind_all_rpc_ports(nfsd_t)
+corenet_udp_bind_all_rpc_ports(nfsd_t)
corenet_tcp_bind_nfs_port(nfsd_t)
corenet_udp_bind_nfs_port(nfsd_t)
-
-corecmd_exec_shell(nfsd_t)
+corenet_udp_bind_mountd_port(nfsd_t)
+corenet_tcp_bind_mountd_port(nfsd_t)
dev_dontaudit_getattr_all_blk_files(nfsd_t)
dev_dontaudit_getattr_all_chr_files(nfsd_t)
dev_rw_lvm_control(nfsd_t)
+# does not really need this, but it is easier to just allow it
+files_search_pids(nfsd_t)
+# for exportfs and rpc.mountd
files_getattr_tmp_dirs(nfsd_t)
+# cjp: this should really have its own type
files_manage_mounttab(nfsd_t)
+files_read_etc_runtime_files(nfsd_t)
+fs_read_configfs_files(nfsd_t)
+fs_read_configfs_dirs(nfsd_t)
+fs_mounton_nfsd_fs(nfsd_t)
fs_mount_nfsd_fs(nfsd_t)
fs_getattr_all_fs(nfsd_t)
fs_getattr_all_dirs(nfsd_t)
-fs_rw_nfsd_fs(nfsd_t)
-# fs_manage_nfsd_fs(nfsd_t)
+fs_manage_nfsd_fs(nfsd_t)
-storage_dontaudit_read_fixed_disk(nfsd_t)
+storage_raw_read_fixed_disk(nfsd_t)
storage_raw_read_removable_device(nfsd_t)
+allow nfsd_t nfsd_unit_file_t:file manage_file_perms;
+systemd_unit_file_filetrans(nfsd_t, nfsd_unit_file_t, file)
+systemd_create_unit_file_dirs(nfsd_t)
+systemd_create_unit_file_lnk(nfsd_t)
+
+# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
-tunable_policy(`allow_nfsd_anon_write',`
+userdom_filetrans_home_content(nfsd_t)
+userdom_list_user_tmp(nfsd_t)
+
+# Write access to public_content_t and public_content_rw_t
+tunable_policy(`nfsd_anon_write',`
miscfiles_manage_public_files(nfsd_t)
')
@@ -245,7 +314,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
- files_manage_non_auth_files(nfsd_t)
')
tunable_policy(`nfs_export_all_ro',`
@@ -257,12 +325,21 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
- files_list_non_auth_dirs(nfsd_t)
- files_read_non_auth_files(nfsd_t)
+ files_read_non_security_files(nfsd_t)
+')
+
+optional_policy(`
+ glusterd_manage_log(nfsd_t)
+ glusterd_manage_pid(nfsd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(nfsd_t)
')
optional_policy(`
mount_exec(nfsd_t)
+ mount_manage_pid_files(nfsd_t)
')
########################################
@@ -270,7 +347,7 @@ optional_policy(`
# GSSD local policy
#
-allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
+allow gssd_t self:capability { dac_read_search setuid setgid sys_nice };
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_fifo_file_perms;
@@ -280,6 +357,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
+kernel_read_system_state(gssd_t)
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_request_load_module(gssd_t)
@@ -288,25 +366,31 @@ kernel_signal(gssd_t)
corecmd_exec_bin(gssd_t)
-fs_list_inotifyfs(gssd_t)
fs_list_rpc(gssd_t)
fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
-fs_read_nfs_files(gssd_t)
+fs_read_nfsd_files(gssd_t)
+fs_list_inotifyfs(gssd_t)
files_list_tmp(gssd_t)
+files_read_usr_symlinks(gssd_t)
files_dontaudit_write_var_dirs(gssd_t)
+auth_use_nsswitch(gssd_t)
auth_manage_cache(gssd_t)
+auth_login_manage_key(gssd_t)
miscfiles_read_generic_certs(gssd_t)
userdom_signal_all_users(gssd_t)
+userdom_manage_all_users_keys(gssd_t)
-tunable_policy(`allow_gssd_read_tmp',`
+tunable_policy(`gssd_read_tmp',`
userdom_list_user_tmp(gssd_t)
userdom_read_user_tmp_files(gssd_t)
userdom_read_user_tmp_symlinks(gssd_t)
+ userdom_manage_user_tmp_files(gssd_t)
+ files_read_generic_tmp_files(gssd_t)
')
optional_policy(`
@@ -314,9 +398,12 @@ optional_policy(`
')
optional_policy(`
+ gssproxy_stream_connect(gssd_t)
+')
+optional_policy(`
kerberos_manage_host_rcache(gssd_t)
kerberos_read_keytab(gssd_t)
- kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
+ kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0")
kerberos_use(gssd_t)
')
diff --git a/rpcbind.fc b/rpcbind.fc
index d31220e08..0b6894a67 100644
--- a/rpcbind.fc
+++ b/rpcbind.fc
@@ -1,8 +1,12 @@
/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0)
+/usr/lib/systemd/system/rpcbind\.service -- gen_context(system_u:object_r:rpcbind_unit_file_t,s0)
+
/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
+/bin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
/usr/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
+/usr/bin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
/var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
diff --git a/rpcbind.if b/rpcbind.if
index 3b5e9eed6..ff1163ff6 100644
--- a/rpcbind.if
+++ b/rpcbind.if
@@ -1,4 +1,4 @@
-## <summary>Universal Addresses to RPC Program Number Mapper.</summary>
+## <summary>Universal Addresses to RPC Program Number Mapper</summary>
########################################
## <summary>
@@ -15,14 +15,12 @@ interface(`rpcbind_domtrans',`
type rpcbind_t, rpcbind_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, rpcbind_exec_t, rpcbind_t)
')
########################################
## <summary>
-## Connect to rpcbindd with a
-## unix domain stream socket.
+## Connect to rpcbindd over an unix stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -41,7 +39,7 @@ interface(`rpcbind_stream_connect',`
########################################
## <summary>
-## Read rpcbind pid files.
+## Read rpcbind PID files.
## </summary>
## <param name="domain">
## <summary>
@@ -73,8 +71,8 @@ interface(`rpcbind_search_lib',`
type rpcbind_var_lib_t;
')
- files_search_var_lib($1)
allow $1 rpcbind_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
')
########################################
@@ -92,8 +90,8 @@ interface(`rpcbind_read_lib_files',`
type rpcbind_var_lib_t;
')
- files_search_var_lib($1)
read_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
+ files_search_var_lib($1)
')
########################################
@@ -112,13 +110,13 @@ interface(`rpcbind_manage_lib_files',`
type rpcbind_var_lib_t;
')
- files_search_var_lib($1)
manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
+ files_search_var_lib($1)
')
########################################
## <summary>
-## Send null signals to rpcbind.
+## Send a null signal to rpcbind.
## </summary>
## <param name="domain">
## <summary>
@@ -136,8 +134,44 @@ interface(`rpcbind_signull',`
########################################
## <summary>
-## All of the rules required to
-## administrate an rpcbind environment.
+## Transition to rpcbind named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpcbind_filetrans_named_content',`
+ gen_require(`
+ type rpcbind_var_run_t;
+ ')
+
+ files_pid_filetrans($1, rpcbind_var_run_t, sock_file, "rpcbind.sock")
+')
+
+########################################
+## <summary>
+## Relabel from rpcbind sock file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpcbind_relabel_sock_file',`
+ gen_require(`
+ type rpcbind_var_run_t;
+ ')
+
+ allow $1 rpcbind_var_run_t:sock_file relabel_sock_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an rpcbind environment
## </summary>
## <param name="domain">
## <summary>
@@ -146,7 +180,7 @@ interface(`rpcbind_signull',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the rpcbind domain.
## </summary>
## </param>
## <rolecap/>
@@ -157,17 +191,20 @@ interface(`rpcbind_admin',`
type rpcbind_initrc_exec_t;
')
- allow $1 rpcbind_t:process { ptrace signal_perms };
+ allow $1 rpcbind_t:process signal_perms;
ps_process_pattern($1, rpcbind_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 rpcbind_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
+ init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 rpcbind_initrc_exec_t system_r;
allow $2 system_r;
- files_search_pids($1)
- admin_pattern($1, rpcbind_var_run_t)
-
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, rpcbind_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, rpcbind_var_run_t)
')
diff --git a/rpcbind.te b/rpcbind.te
index 54de77ccd..db13fcff8 100644
--- a/rpcbind.te
+++ b/rpcbind.te
@@ -12,6 +12,9 @@ init_daemon_domain(rpcbind_t, rpcbind_exec_t)
type rpcbind_initrc_exec_t;
init_script_file(rpcbind_initrc_exec_t)
+type rpcbind_tmp_t;
+files_tmp_file(rpcbind_tmp_t)
+
type rpcbind_var_run_t;
files_pid_file(rpcbind_var_run_t)
init_daemon_run_dir(rpcbind_var_run_t, "rpcbind")
@@ -19,16 +22,23 @@ init_daemon_run_dir(rpcbind_var_run_t, "rpcbind")
type rpcbind_var_lib_t;
files_type(rpcbind_var_lib_t)
+type rpcbind_unit_file_t;
+systemd_unit_file(rpcbind_unit_file_t)
+
########################################
#
# Local policy
#
-allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
+allow rpcbind_t self:capability { chown dac_read_search dac_override setgid setuid sys_tty_config };
allow rpcbind_t self:fifo_file rw_fifo_file_perms;
allow rpcbind_t self:unix_stream_socket { accept listen };
allow rpcbind_t self:tcp_socket { accept listen };
+manage_files_pattern(rpcbind_t, rpcbind_tmp_t, rpcbind_tmp_t)
+manage_dirs_pattern(rpcbind_t, rpcbind_tmp_t, rpcbind_tmp_t)
+files_tmp_filetrans(rpcbind_t, rpcbind_tmp_t, { file dir })
+
manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
manage_sock_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
files_pid_filetrans(rpcbind_t, rpcbind_var_run_t, { file sock_file })
@@ -42,7 +52,6 @@ kernel_read_system_state(rpcbind_t)
kernel_read_network_state(rpcbind_t)
kernel_request_load_module(rpcbind_t)
-corenet_all_recvfrom_unlabeled(rpcbind_t)
corenet_all_recvfrom_netlabel(rpcbind_t)
corenet_tcp_sendrecv_generic_if(rpcbind_t)
corenet_udp_sendrecv_generic_if(rpcbind_t)
@@ -68,7 +77,15 @@ auth_use_nsswitch(rpcbind_t)
logging_send_syslog_msg(rpcbind_t)
-miscfiles_read_localization(rpcbind_t)
+sysnet_dns_name_resolve(rpcbind_t)
+
+optional_policy(`
+ nis_use_ypbind(rpcbind_t)
+')
+
+optional_policy(`
+ systemd_tmpfiles_exec(rpcbind_t)
+')
ifdef(`distro_debian',`
term_dontaudit_use_unallocated_ttys(rpcbind_t)
diff --git a/rpm.fc b/rpm.fc
index ebe91fc70..6ba4338cb 100644
--- a/rpm.fc
+++ b/rpm.fc
@@ -1,61 +1,80 @@
-/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
-
-/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/anaconda-yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
-/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/dnf -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/dnf-automatic -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/dnf-[0-9]+ -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum-deprecated -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/repoquery -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/yum-cron -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
-
-ifdef(`distro_redhat',`
-/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/aptitude -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
-/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/share/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+
+ifdef(`distro_redhat', `
+/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/package-cleanup -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/rhnreg_ks -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
-/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+/var/cache/dnf(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
-/var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
-/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/rpmrebuilddb.*(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/dnf(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+/var/log/up2date.* -- gen_context(system_u:object_r:rpm_log_t,s0)
-/var/lock/bcfg2\.run -- gen_context(system_u:object_r:rpm_lock_t,s0)
-/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0)
-/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
-/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
+/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
-/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
-/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
+# SuSE
+ifdef(`distro_suse', `
+/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0)
+')
ifdef(`enable_mls',`
-/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
diff --git a/rpm.if b/rpm.if
index ef3b22507..79518530e 100644
--- a/rpm.if
+++ b/rpm.if
@@ -1,8 +1,8 @@
-## <summary>Redhat package manager.</summary>
+## <summary>Policy for the RPM package manager.</summary>
########################################
## <summary>
-## Execute rpm in the rpm domain.
+## Execute rpm programs in the rpm domain.
## </summary>
## <param name="domain">
## <summary>
@@ -13,16 +13,18 @@
interface(`rpm_domtrans',`
gen_require(`
type rpm_t, rpm_exec_t;
+ attribute rpm_transition_domain;
')
corecmd_search_bin($1)
domtrans_pattern($1, rpm_exec_t, rpm_t)
+ typeattribute $1 rpm_transition_domain;
+ rpm_debuginfo_domtrans($1)
')
########################################
## <summary>
-## Execute debuginfo install
-## in the rpm domain.
+## Execute debuginfo_install programs in the rpm domain.
## </summary>
## <param name="domain">
## <summary>
@@ -41,7 +43,7 @@ interface(`rpm_debuginfo_domtrans',`
########################################
## <summary>
-## Execute rpm scripts in the rpm script domain.
+## Execute rpm_script programs in the rpm_script domain.
## </summary>
## <param name="domain">
## <summary>
@@ -54,18 +56,16 @@ interface(`rpm_domtrans_script',`
type rpm_script_t;
')
+ # transition to rpm script:
corecmd_shell_domtrans($1, rpm_script_t)
-
allow rpm_script_t $1:fd use;
- allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
+ allow rpm_script_t $1:fifo_file rw_file_perms;
allow rpm_script_t $1:process sigchld;
')
########################################
## <summary>
-## Execute rpm in the rpm domain,
-## and allow the specified roles the
-## rpm domain.
+## Execute RPM programs in the RPM domain.
## </summary>
## <param name="domain">
## <summary>
@@ -74,23 +74,30 @@ interface(`rpm_domtrans_script',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to allow the RPM domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`rpm_run',`
gen_require(`
- attribute_role rpm_roles;
+ type rpm_t, rpm_script_t;
+ attribute_role rpm_script_roles;
')
rpm_domtrans($1)
- roleattribute $2 rpm_roles;
+ roleattribute $2 rpm_script_roles;
+
+ domain_system_change_exemption($1)
+ role_transition $2 rpm_exec_t system_r;
+ allow $2 system_r;
+
+ rpm_transition_script($1, $2)
')
########################################
## <summary>
-## Execute the rpm in the caller domain.
+## Execute the rpm client in the caller domain.
## </summary>
## <param name="domain">
## <summary>
@@ -109,7 +116,25 @@ interface(`rpm_exec',`
########################################
## <summary>
-## Send null signals to rpm.
+## Do not audit to execute a rpm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rpm_dontaudit_exec',`
+ gen_require(`
+ type rpm_exec_t;
+ ')
+
+ dontaudit $1 rpm_exec_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Send a null signal to rpm.
## </summary>
## <param name="domain">
## <summary>
@@ -127,7 +152,7 @@ interface(`rpm_signull',`
########################################
## <summary>
-## Inherit and use file descriptors from rpm.
+## Inherit and use file descriptors from RPM.
## </summary>
## <param name="domain">
## <summary>
@@ -145,7 +170,7 @@ interface(`rpm_use_fds',`
########################################
## <summary>
-## Read rpm unnamed pipes.
+## Read from an unnamed RPM pipe.
## </summary>
## <param name="domain">
## <summary>
@@ -163,7 +188,7 @@ interface(`rpm_read_pipes',`
########################################
## <summary>
-## Read and write rpm unnamed pipes.
+## Read and write an unnamed RPM pipe.
## </summary>
## <param name="domain">
## <summary>
@@ -181,6 +206,60 @@ interface(`rpm_rw_pipes',`
########################################
## <summary>
+## Read and write an unnamed RPM script pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_rw_script_inherited_pipes',`
+ gen_require(`
+ type rpm_script_tmp_t;
+ ')
+
+ allow $1 rpm_script_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rpm_dontaudit_leaks',`
+ gen_require(`
+ type rpm_t, rpm_var_cache_t;
+ type rpm_script_t, rpm_var_run_t, rpm_tmp_t;
+ type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;
+ ')
+
+ dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit $1 rpm_t:tcp_socket { read write };
+ dontaudit $1 rpm_t:unix_dgram_socket { read write };
+ dontaudit $1 rpm_t:shm rw_shm_perms;
+
+ dontaudit $1 rpm_script_t:fd use;
+ dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
+
+ dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms;
+
+ dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
+ dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_var_lib_t:dir getattr;
+ dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## rpm over dbus.
## </summary>
@@ -224,7 +303,7 @@ interface(`rpm_dontaudit_dbus_chat',`
########################################
## <summary>
## Send and receive messages from
-## rpm script over dbus.
+## rpm_script over dbus.
## </summary>
## <param name="domain">
## <summary>
@@ -244,7 +323,7 @@ interface(`rpm_script_dbus_chat',`
########################################
## <summary>
-## Search rpm log directories.
+## Search RPM log directory.
## </summary>
## <param name="domain">
## <summary>
@@ -263,7 +342,8 @@ interface(`rpm_search_log',`
#####################################
## <summary>
-## Append rpm log files.
+## Allow the specified domain to append
+## to rpm log files.
## </summary>
## <param name="domain">
## <summary>
@@ -276,14 +356,30 @@ interface(`rpm_append_log',`
type rpm_log_t;
')
- logging_search_logs($1)
- append_files_pattern($1, rpm_log_t, rpm_log_t)
+ allow $1 rpm_log_t:file append_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the RPM log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_read_log',`
+ gen_require(`
+ type rpm_log_t;
+ ')
+
+ read_files_pattern($1, rpm_log_t, rpm_log_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## rpm log files.
+## Create, read, write, and delete the RPM log.
## </summary>
## <param name="domain">
## <summary>
@@ -302,7 +398,32 @@ interface(`rpm_manage_log',`
########################################
## <summary>
-## Inherit and use rpm script file descriptors.
+## Create rpm logs with an correct label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_named_filetrans',`
+ gen_require(`
+ type rpm_log_t;
+ type rpm_var_lib_t;
+ ')
+ logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
+ logging_log_named_filetrans($1, rpm_log_t, file, "up2date")
+ files_var_filetrans($1, rpm_var_lib_t, dir, "dnf")
+ files_var_filetrans($1, rpm_var_lib_t, dir, "yum")
+ files_var_filetrans($1, rpm_var_lib_t, dir, "rpm")
+ files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf")
+ files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum")
+ files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm")
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from RPM scripts.
## </summary>
## <param name="domain">
## <summary>
@@ -320,8 +441,8 @@ interface(`rpm_use_script_fds',`
########################################
## <summary>
-## Create, read, write, and delete
-## rpm script temporary files.
+## Create, read, write, and delete RPM
+## script temporary files.
## </summary>
## <param name="domain">
## <summary>
@@ -335,12 +456,15 @@ interface(`rpm_manage_script_tmp_files',`
')
files_search_tmp($1)
+ manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+ manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
')
#####################################
## <summary>
-## Append rpm temporary files.
+## Allow the specified domain to append
+## to rpm tmp files.
## </summary>
## <param name="domain">
## <summary>
@@ -353,14 +477,13 @@ interface(`rpm_append_tmp_files',`
type rpm_tmp_t;
')
- files_search_tmp($1)
- append_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+ allow $1 rpm_tmp_t:file append_inherited_file_perms;
')
########################################
## <summary>
-## Create, read, write, and delete
-## rpm temporary files.
+## Create, read, write, and delete RPM
+## temporary files.
## </summary>
## <param name="domain">
## <summary>
@@ -374,12 +497,34 @@ interface(`rpm_manage_tmp_files',`
')
files_search_tmp($1)
+ manage_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t)
manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+ manage_lnk_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
')
########################################
## <summary>
-## Read rpm script temporary files.
+## Read rpm temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_read_tmp_files',`
+ gen_require(`
+ type rpm_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ list_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t)
+ read_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+')
+
+########################################
+## <summary>
+## Read RPM script temporary files.
## </summary>
## <param name="domain">
## <summary>
@@ -399,7 +544,7 @@ interface(`rpm_read_script_tmp_files',`
########################################
## <summary>
-## Read rpm cache content.
+## Read the RPM cache.
## </summary>
## <param name="domain">
## <summary>
@@ -420,8 +565,7 @@ interface(`rpm_read_cache',`
########################################
## <summary>
-## Create, read, write, and delete
-## rpm cache content.
+## Create, read, write, and delete the RPM package database.
## </summary>
## <param name="domain">
## <summary>
@@ -442,7 +586,7 @@ interface(`rpm_manage_cache',`
########################################
## <summary>
-## Read rpm lib content.
+## Read the RPM package database.
## </summary>
## <param name="domain">
## <summary>
@@ -459,11 +603,13 @@ interface(`rpm_read_db',`
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+ allow $1 rpm_var_lib_t:file map;
+ rpm_read_cache($1)
')
########################################
## <summary>
-## Delete rpm lib files.
+## Delete the RPM package database.
## </summary>
## <param name="domain">
## <summary>
@@ -482,8 +628,7 @@ interface(`rpm_delete_db',`
########################################
## <summary>
-## Create, read, write, and delete
-## rpm lib files.
+## Create, read, write, and delete the RPM package database.
## </summary>
## <param name="domain">
## <summary>
@@ -499,12 +644,33 @@ interface(`rpm_manage_db',`
files_search_var_lib($1)
manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+ allow $1 rpm_var_lib_t:file map;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create, read,the RPM package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rpm_dontaudit_read_db',`
+ gen_require(`
+ type rpm_var_lib_t;
+ ')
+
+ dontaudit $1 rpm_var_lib_t:dir list_dir_perms;
+ dontaudit $1 rpm_var_lib_t:file read_file_perms;
+ dontaudit $1 rpm_var_lib_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## Do not audit attempts to create, read,
-## write, and delete rpm lib content.
+## write, and delete the RPM package database.
## </summary>
## <param name="domain">
## <summary>
@@ -517,9 +683,10 @@ interface(`rpm_dontaudit_manage_db',`
type rpm_var_lib_t;
')
- dontaudit $1 rpm_var_lib_t:dir rw_dir_perms;
+ dontaudit $1 rpm_var_lib_t:dir manage_dir_perms;
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
+ dontaudit $1 rpm_var_lib_t:file map;
')
#####################################
@@ -543,8 +710,7 @@ interface(`rpm_read_pid_files',`
#####################################
## <summary>
-## Create, read, write, and delete
-## rpm pid files.
+## Create, read, write, and delete rpm pid files.
## </summary>
## <param name="domain">
## <summary>
@@ -563,8 +729,7 @@ interface(`rpm_manage_pid_files',`
######################################
## <summary>
-## Create files in pid directories
-## with the rpm pid file type.
+## Create files in /var/run with the rpm pid file type.
## </summary>
## <param name="domain">
## <summary>
@@ -573,43 +738,54 @@ interface(`rpm_manage_pid_files',`
## </param>
#
interface(`rpm_pid_filetrans',`
- refpolicywarn(`$0($*) has been deprecated, rpm_pid_filetrans_rpm_pid() instead.')
- rpm_pid_filetrans_rpm_pid($1, file)
+ gen_require(`
+ type rpm_var_run_t;
+ ')
+
+ files_pid_filetrans($1, rpm_var_run_t, file)
')
########################################
## <summary>
-## Create specified objects in pid directories
-## with the rpm pid file type.
+## Send a null signal to rpm.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
+#
+interface(`rpm_inherited_fifo',`
+ gen_require(`
+ attribute rpm_transition_domain;
+ ')
+
+ allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+')
+
+
+########################################
+## <summary>
+## Make rpm_exec_t an entry point for
+## the specified domain.
+## </summary>
+## <param name="domain">
## <summary>
-## The name of the object being created.
+## Domain allowed access.
## </summary>
## </param>
-#
-interface(`rpm_pid_filetrans_rpm_pid',`
+#
+interface(`rpm_entry_type',`
gen_require(`
- type rpm_var_run_t;
+ type rpm_exec_t;
')
- files_pid_filetrans($1, rpm_var_run_t, $3, $4)
+ domain_entry_file($1, rpm_exec_t)
')
########################################
## <summary>
-## All of the rules required to
-## administrate an rpm environment.
+## Allow application to transition to rpm_script domain.
## </summary>
## <param name="domain">
## <summary>
@@ -617,22 +793,57 @@ interface(`rpm_pid_filetrans_rpm_pid',`
## </summary>
## </param>
## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
+## <summary>
+## Role allowed access.
+## </summary>
## </param>
-## <rolecap/>
#
-interface(`rpm_admin',`
+interface(`rpm_transition_script',`
gen_require(`
- type rpm_t, rpm_script_t, rpm_initrc_exec_t;
- type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
- type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t;
- type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
+ type rpm_script_t;
+ attribute rpm_transition_domain;
+ attribute_role rpm_script_roles;
')
- allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { rpm_t rpm_script_t })
+ typeattribute $1 rpm_transition_domain;
+ allow $1 rpm_script_t:process transition;
+ roleattribute $2 rpm_script_roles;
+
+ allow $1 rpm_script_t:fd use;
+ allow rpm_script_t $1:fd use;
+ allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
+ allow rpm_script_t $1:process sigchld;
+')
+
+#######################################
+## <summary>
+## All of the rules required to
+## administrate an rpm environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpm_admin',`
+ gen_require(`
+ type rpm_t, rpm_script_t, rpm_initrc_exec_t;
+ type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
+
+ type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t;
+ type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
+ type rpm_var_run_t;
+ ')
+
+ allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { rpm_t rpm_script_t })
init_labeled_script_domtrans($1, rpm_initrc_exec_t)
domain_system_change_exemption($1)
@@ -641,9 +852,6 @@ interface(`rpm_admin',`
admin_pattern($1, rpm_file_t)
- files_list_var($1)
- admin_pattern($1, rpm_cache_t)
-
files_list_tmp($1)
admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
diff --git a/rpm.te b/rpm.te
index 6fc360e60..32a4ca12d 100644
--- a/rpm.te
+++ b/rpm.te
@@ -1,15 +1,13 @@
policy_module(rpm, 1.16.0)
+attribute rpm_transition_domain;
+attribute_role rpm_script_roles;
+roleattribute system_r rpm_script_roles;
+
########################################
#
# Declarations
#
-
-attribute_role rpm_roles;
-
-type debuginfo_exec_t;
-domain_entry_file(rpm_t, debuginfo_exec_t)
-
type rpm_t;
type rpm_exec_t;
init_system_domain(rpm_t, rpm_exec_t)
@@ -17,10 +15,10 @@ domain_obj_id_change_exemption(rpm_t)
domain_role_change_exemption(rpm_t)
domain_system_change_exemption(rpm_t)
domain_interactive_fd(rpm_t)
-role rpm_roles types rpm_t;
+role rpm_script_roles types rpm_t;
-type rpm_initrc_exec_t;
-init_script_file(rpm_initrc_exec_t)
+type debuginfo_exec_t;
+domain_entry_file(rpm_t, debuginfo_exec_t)
type rpm_file_t;
files_type(rpm_file_t)
@@ -31,9 +29,6 @@ files_tmp_file(rpm_tmp_t)
type rpm_tmpfs_t;
files_tmpfs_file(rpm_tmpfs_t)
-type rpm_lock_t;
-files_lock_file(rpm_lock_t)
-
type rpm_log_t;
logging_log_file(rpm_log_t)
@@ -56,8 +51,7 @@ corecmd_bin_entry_type(rpm_script_t)
domain_type(rpm_script_t)
domain_entry_file(rpm_t, rpm_script_exec_t)
domain_interactive_fd(rpm_script_t)
-role rpm_roles types rpm_script_t;
-role system_r types rpm_script_t;
+role rpm_script_roles types rpm_script_t;
type rpm_script_tmp_t;
files_tmp_file(rpm_script_tmp_t)
@@ -70,28 +64,34 @@ files_tmpfs_file(rpm_script_tmpfs_t)
# rpm Local policy
#
-allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
+allow rpm_t self:capability2 block_suspend;
+allow rpm_t self:capability { chown dac_read_search fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use;
allow rpm_t self:fifo_file rw_fifo_file_perms;
+allow rpm_t self:unix_dgram_socket create_socket_perms;
+allow rpm_t self:unix_stream_socket rw_stream_socket_perms;
allow rpm_t self:unix_dgram_socket sendto;
-allow rpm_t self:unix_stream_socket { accept connectto listen };
-allow rpm_t self:udp_socket connect;
-allow rpm_t self:tcp_socket { accept listen };
+allow rpm_t self:unix_stream_socket connectto;
+allow rpm_t self:udp_socket { connect };
+allow rpm_t self:udp_socket create_socket_perms;
+allow rpm_t self:tcp_socket create_stream_socket_perms;
allow rpm_t self:shm create_shm_perms;
allow rpm_t self:sem create_sem_perms;
allow rpm_t self:msgq create_msgq_perms;
allow rpm_t self:msg { send receive };
-allow rpm_t self:file rw_file_perms;
+allow rpm_t self:dir search;
+allow rpm_t self:file rw_file_perms;;
allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow rpm_t rpm_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow rpm_t rpm_log_t:file manage_file_perms;
logging_log_filetrans(rpm_t, rpm_log_t, file)
manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
+can_exec(rpm_t, rpm_tmp_t)
manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
@@ -99,23 +99,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+can_exec(rpm_t, rpm_tmpfs_t)
manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
-manage_files_pattern(rpm_t, rpm_lock_t, rpm_lock_t)
-files_lock_filetrans(rpm_t, rpm_lock_t, file)
-
-manage_dirs_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
+# Access /var/lib/rpm files
manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
-files_var_lib_filetrans(rpm_t, rpm_var_lib_t, { dir file })
+files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
-files_pid_filetrans(rpm_t, rpm_var_run_t, { dir file })
-
-can_exec(rpm_t, { rpm_tmp_t rpm_tmpfs_t })
+files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir })
kernel_read_crypto_sysctls(rpm_t)
kernel_read_network_state(rpm_t)
@@ -126,41 +122,34 @@ kernel_rw_irq_sysctls(rpm_t)
corecmd_exec_all_executables(rpm_t)
-corenet_all_recvfrom_unlabeled(rpm_t)
corenet_all_recvfrom_netlabel(rpm_t)
corenet_tcp_sendrecv_generic_if(rpm_t)
+corenet_raw_sendrecv_generic_if(rpm_t)
+corenet_udp_sendrecv_generic_if(rpm_t)
corenet_tcp_sendrecv_generic_node(rpm_t)
+corenet_raw_sendrecv_generic_node(rpm_t)
+corenet_udp_sendrecv_generic_node(rpm_t)
corenet_tcp_sendrecv_all_ports(rpm_t)
-
-corenet_sendrecv_all_client_packets(rpm_t)
+corenet_udp_sendrecv_all_ports(rpm_t)
corenet_tcp_connect_all_ports(rpm_t)
+corenet_sendrecv_all_client_packets(rpm_t)
dev_list_sysfs(rpm_t)
dev_list_usbfs(rpm_t)
dev_read_urand(rpm_t)
dev_read_raw_memory(rpm_t)
-
dev_manage_all_dev_nodes(rpm_t)
-dev_relabel_all_dev_nodes(rpm_t)
+#devices_manage_all_device_types(rpm_t)
dev_create_generic_blk_files(rpm_t)
dev_create_generic_chr_files(rpm_t)
-
-domain_read_all_domains_state(rpm_t)
-domain_getattr_all_domains(rpm_t)
-domain_use_interactive_fds(rpm_t)
-domain_dontaudit_getattr_all_pipes(rpm_t)
-domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
-domain_dontaudit_getattr_all_udp_sockets(rpm_t)
-domain_dontaudit_getattr_all_packet_sockets(rpm_t)
-domain_dontaudit_getattr_all_raw_sockets(rpm_t)
-domain_dontaudit_getattr_all_stream_sockets(rpm_t)
-domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
-domain_signull_all_domains(rpm_t)
-
-files_exec_etc_files(rpm_t)
-files_relabel_non_auth_files(rpm_t)
-files_manage_non_auth_files(rpm_t)
+dev_delete_all_blk_files(rpm_t)
+dev_delete_all_chr_files(rpm_t)
+dev_relabel_all_dev_nodes(rpm_t)
+dev_rename_generic_blk_files(rpm_t)
+dev_rename_generic_chr_files(rpm_t)
+dev_setattr_all_blk_files(rpm_t)
+dev_setattr_all_chr_files(rpm_t)
fs_getattr_all_dirs(rpm_t)
fs_list_inotifyfs(rpm_t)
@@ -183,29 +172,49 @@ selinux_compute_relabel_context(rpm_t)
selinux_compute_user_contexts(rpm_t)
storage_raw_write_fixed_disk(rpm_t)
+# for installing kernel packages
storage_raw_read_fixed_disk(rpm_t)
term_list_ptys(rpm_t)
+files_relabel_all_files(rpm_t)
+files_manage_all_files(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
auth_use_nsswitch(rpm_t)
+# transition to rpm script:
rpm_domtrans_script(rpm_t)
+domain_read_all_domains_state(rpm_t)
+domain_getattr_all_domains(rpm_t)
+domain_use_interactive_fds(rpm_t)
+domain_dontaudit_getattr_all_pipes(rpm_t)
+domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
+domain_dontaudit_getattr_all_udp_sockets(rpm_t)
+domain_dontaudit_getattr_all_packet_sockets(rpm_t)
+domain_dontaudit_getattr_all_raw_sockets(rpm_t)
+domain_dontaudit_getattr_all_stream_sockets(rpm_t)
+domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
+domain_signull_all_domains(rpm_t)
+
+files_exec_etc_files(rpm_t)
+
init_domtrans_script(rpm_t)
init_use_script_ptys(rpm_t)
init_signull_script(rpm_t)
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
-libs_run_ldconfig(rpm_t, rpm_roles)
logging_send_syslog_msg(rpm_t)
+miscfiles_filetrans_named_content(rpm_t)
+
+# allow compiling and loading new policy
seutil_manage_src_policy(rpm_t)
seutil_manage_bin_policy(rpm_t)
-userdom_use_user_terminals(rpm_t)
+userdom_use_inherited_user_terminals(rpm_t)
userdom_use_unpriv_users_fds(rpm_t)
optional_policy(`
@@ -224,13 +233,17 @@ optional_policy(`
networkmanager_dbus_chat(rpm_t)
')
- optional_policy(`
- unconfined_dbus_chat(rpm_t)
- ')
')
optional_policy(`
- prelink_run(rpm_t, rpm_roles)
+ prelink_domtrans(rpm_t)
+')
+
+optional_policy(`
+ unconfined_domain_noaudit(rpm_t)
+ # yum-updatesd requires this
+ unconfined_dbus_chat(rpm_t)
+ unconfined_dbus_chat(rpm_script_t)
')
########################################
@@ -238,19 +251,21 @@ optional_policy(`
# rpm-script Local policy
#
-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
+allow rpm_script_t self:capability { chown dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
+
allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
+allow rpm_script_t self:unix_dgram_socket create_socket_perms;
+allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms;
allow rpm_script_t self:unix_dgram_socket sendto;
-allow rpm_script_t self:unix_stream_socket { accept connectto listen };
+allow rpm_script_t self:unix_stream_socket connectto;
allow rpm_script_t self:shm create_shm_perms;
allow rpm_script_t self:sem create_sem_perms;
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msg { send receive };
allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;
-
-allow rpm_script_t rpm_t:netlink_route_socket { read write };
+allow rpm_script_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
allow rpm_script_t rpm_tmp_t:file read_file_perms;
@@ -267,8 +282,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+can_exec(rpm_script_t, rpm_script_tmpfs_t)
-can_exec(rpm_script_t, { rpm_script_tmp_t rpm_script_tmpfs_t })
+allow rpm_script_t rpm_t:netlink_route_socket { read write };
kernel_read_crypto_sysctls(rpm_script_t)
kernel_read_kernel_sysctls(rpm_script_t)
@@ -277,45 +293,29 @@ kernel_read_network_state(rpm_script_t)
kernel_list_all_proc(rpm_script_t)
kernel_read_software_raid_state(rpm_script_t)
-corenet_all_recvfrom_unlabeled(rpm_script_t)
-corenet_all_recvfrom_netlabel(rpm_script_t)
-corenet_tcp_sendrecv_generic_if(rpm_script_t)
-corenet_tcp_sendrecv_generic_node(rpm_script_t)
-
-corenet_sendrecv_http_client_packets(rpm_script_t)
+# needed by rhn_check
corenet_tcp_connect_http_port(rpm_script_t)
-corenet_tcp_sendrecv_http_port(rpm_script_t)
-
-corecmd_exec_all_executables(rpm_script_t)
+# needed by unbound-anchor
+corenet_udp_bind_all_unreserved_ports(rpm_script_t)
dev_list_sysfs(rpm_script_t)
+
+# ideally we would not need this
dev_manage_generic_blk_files(rpm_script_t)
dev_manage_generic_chr_files(rpm_script_t)
dev_manage_all_blk_files(rpm_script_t)
dev_manage_all_chr_files(rpm_script_t)
-domain_read_all_domains_state(rpm_script_t)
-domain_getattr_all_domains(rpm_script_t)
-domain_use_interactive_fds(rpm_script_t)
-domain_signal_all_domains(rpm_script_t)
-domain_signull_all_domains(rpm_script_t)
-
-files_exec_etc_files(rpm_script_t)
-files_exec_usr_files(rpm_script_t)
-files_manage_non_auth_files(rpm_script_t)
-files_relabel_non_auth_files(rpm_script_t)
-
fs_manage_nfs_files(rpm_script_t)
fs_getattr_nfs(rpm_script_t)
fs_search_all(rpm_script_t)
fs_getattr_all_fs(rpm_script_t)
+# why is this not using mount?
fs_getattr_xattr_fs(rpm_script_t)
fs_mount_xattr_fs(rpm_script_t)
fs_unmount_xattr_fs(rpm_script_t)
fs_search_auto_mountpoints(rpm_script_t)
-mcs_killall(rpm_script_t)
-
mls_file_read_all_levels(rpm_script_t)
mls_file_write_all_levels(rpm_script_t)
@@ -331,73 +331,130 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
-term_use_all_terms(rpm_script_t)
+term_use_all_inherited_terms(rpm_script_t)
auth_dontaudit_getattr_shadow(rpm_script_t)
auth_use_nsswitch(rpm_script_t)
+corecmd_exec_all_executables(rpm_script_t)
+can_exec(rpm_script_t, rpm_script_tmp_t)
+can_exec(rpm_script_t, rpm_script_tmpfs_t)
+
+domain_read_all_domains_state(rpm_script_t)
+domain_getattr_all_domains(rpm_script_t)
+domain_use_interactive_fds(rpm_script_t)
+domain_signal_all_domains(rpm_script_t)
+domain_signull_all_domains(rpm_script_t)
+
+# ideally we would not need this
+files_manage_all_files(rpm_script_t)
+files_exec_etc_files(rpm_script_t)
+files_read_etc_runtime_files(rpm_script_t)
+files_exec_usr_files(rpm_script_t)
+files_relabel_all_files(rpm_script_t)
+
+init_disable_services(rpm_script_t)
+init_enable_services(rpm_script_t)
+init_reload_services(rpm_script_t)
+init_manage_transient_unit(rpm_script_t)
init_domtrans_script(rpm_script_t)
init_telinit(rpm_script_t)
+init_dbus_chat(rpm_script_t)
+
+systemd_config_all_services(rpm_script_t)
libs_exec_ld_so(rpm_script_t)
libs_exec_lib_files(rpm_script_t)
-libs_run_ldconfig(rpm_script_t, rpm_roles)
+libs_ldconfig_exec_entry_type(rpm_script_t)
logging_send_syslog_msg(rpm_script_t)
+logging_send_audit_msgs(rpm_script_t)
-miscfiles_read_localization(rpm_script_t)
-
-modutils_run_depmod(rpm_script_t, rpm_roles)
-modutils_run_insmod(rpm_script_t, rpm_roles)
+miscfiles_filetrans_named_content(rpm_script_t)
-seutil_run_loadpolicy(rpm_script_t, rpm_roles)
-seutil_run_setfiles(rpm_script_t, rpm_roles)
-seutil_run_semanage(rpm_script_t, rpm_roles)
+seutil_run_loadpolicy(rpm_script_t, rpm_script_roles)
+seutil_run_setfiles(rpm_script_t, rpm_script_roles)
+seutil_run_semanage(rpm_script_t, rpm_script_roles)
+seutil_run_setsebool(rpm_script_t, rpm_script_roles)
userdom_use_all_users_fds(rpm_script_t)
+userdom_exec_admin_home_files(rpm_script_t)
ifdef(`distro_redhat',`
optional_policy(`
mta_send_mail(rpm_script_t)
+ mta_role_access_system_mail(rpm_script_roles)
mta_system_content(rpm_var_run_t)
')
')
-tunable_policy(`allow_execmem',`
+tunable_policy(`deny_execmem',`',`
allow rpm_script_t self:process execmem;
')
optional_policy(`
- bootloader_run(rpm_script_t, rpm_roles)
+ bootloader_run(rpm_script_t, rpm_script_roles)
+')
+
+optional_policy(`
+ bind_systemctl(rpm_script_t)
+')
+
+optional_policy(`
+ certmonger_dbus_chat(rpm_script_t)
+')
+
+optional_policy(`
+ cups_filetrans_named_content(rpm_script_t)
+')
+
+optional_policy(`
+ glusterd_filetrans_named_pid(rpm_script_t)
+')
+
+optional_policy(`
+ sblim_filetrans_named_content(rpm_script_t)
')
optional_policy(`
dbus_system_bus_client(rpm_script_t)
- optional_policy(`
- unconfined_dbus_chat(rpm_script_t)
- ')
+ optional_policy(`
+ systemd_dbus_chat_logind(rpm_script_t)
+ systemd_dbus_chat_timedated(rpm_script_t)
+ systemd_dbus_chat_localed(rpm_script_t)
+ ')
+')
+
+optional_policy(`
+ lvm_domtrans(rpm_script_t, rpm_script_roles)
+')
+
+optional_policy(`
+ ntp_run(rpm_script_t, rpm_script_roles)
')
optional_policy(`
- lvm_run(rpm_script_t, rpm_roles)
+ modutils_run_depmod(rpm_script_t, rpm_script_roles)
+ modutils_run_insmod(rpm_script_t, rpm_script_roles)
')
optional_policy(`
- ntp_domtrans(rpm_script_t)
+ openshift_initrc_run(rpm_script_t, rpm_script_roles)
')
optional_policy(`
- tzdata_run(rpm_t, rpm_roles)
- tzdata_run(rpm_script_t, rpm_roles)
+ tzdata_domtrans(rpm_t)
+ tzdata_run(rpm_script_t, rpm_script_roles)
')
optional_policy(`
- udev_domtrans(rpm_script_t)
+ udev_run(rpm_script_t, rpm_script_roles)
')
optional_policy(`
- unconfined_domtrans(rpm_script_t)
+ unconfined_domain_noaudit(rpm_script_t)
+ domain_named_filetrans(rpm_script_t)
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
@@ -409,6 +466,6 @@ optional_policy(`
')
optional_policy(`
- usermanage_run_groupadd(rpm_script_t, rpm_roles)
- usermanage_run_useradd(rpm_script_t, rpm_roles)
+ usermanage_run_groupadd(rpm_script_t, rpm_script_roles)
+ usermanage_run_useradd(rpm_script_t, rpm_script_roles)
')
diff --git a/rshd.fc b/rshd.fc
index 9ad0d58dc..6a4db031f 100644
--- a/rshd.fc
+++ b/rshd.fc
@@ -1,3 +1,4 @@
+
/usr/kerberos/sbin/kshd -- gen_context(system_u:object_r:rshd_exec_t,s0)
/usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0)
diff --git a/rshd.if b/rshd.if
index 7ad29c046..2e87d76b4 100644
--- a/rshd.if
+++ b/rshd.if
@@ -2,7 +2,7 @@
########################################
## <summary>
-## Execute rshd in the rshd domain.
+## Domain transition to rshd.
## </summary>
## <param name="domain">
## <summary>
@@ -15,6 +15,7 @@ interface(`rshd_domtrans',`
type rshd_exec_t, rshd_t;
')
+ files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, rshd_exec_t, rshd_t)
')
diff --git a/rshd.te b/rshd.te
index 864e089a0..f9ad3ab47 100644
--- a/rshd.te
+++ b/rshd.te
@@ -4,11 +4,12 @@ policy_module(rshd, 1.8.1)
#
# Declarations
#
-
type rshd_t;
type rshd_exec_t;
-auth_login_pgm_domain(rshd_t)
inetd_tcp_service_domain(rshd_t, rshd_exec_t)
+domain_subj_id_change_exemption(rshd_t)
+domain_role_change_exemption(rshd_t)
+role system_r types rshd_t;
type rshd_keytab_t;
files_type(rshd_keytab_t)
@@ -17,51 +18,66 @@ files_type(rshd_keytab_t)
#
# Local policy
#
-
-allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
-allow rshd_t self:process { signal_perms setsched setpgid setexec };
+allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_read_search };
+allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
allow rshd_t self:fifo_file rw_fifo_file_perms;
allow rshd_t self:tcp_socket create_stream_socket_perms;
allow rshd_t rshd_keytab_t:file read_file_perms;
kernel_read_kernel_sysctls(rshd_t)
+kernel_read_net_sysctls(rshd_t)
-corenet_all_recvfrom_unlabeled(rshd_t)
corenet_all_recvfrom_netlabel(rshd_t)
corenet_tcp_sendrecv_generic_if(rshd_t)
+corenet_udp_sendrecv_generic_if(rshd_t)
corenet_tcp_sendrecv_generic_node(rshd_t)
+corenet_udp_sendrecv_generic_node(rshd_t)
corenet_tcp_sendrecv_all_ports(rshd_t)
+corenet_udp_sendrecv_all_ports(rshd_t)
corenet_tcp_bind_generic_node(rshd_t)
-
-corenet_sendrecv_all_server_packets(rshd_t)
corenet_tcp_bind_rsh_port(rshd_t)
corenet_tcp_bind_all_rpc_ports(rshd_t)
corenet_tcp_connect_all_ports(rshd_t)
corenet_tcp_connect_all_rpc_ports(rshd_t)
+corenet_sendrecv_rsh_server_packets(rshd_t)
+
+dev_read_urand(rshd_t)
+
+domain_interactive_fd(rshd_t)
+
+selinux_get_fs_mount(rshd_t)
+selinux_validate_context(rshd_t)
+selinux_compute_access_vector(rshd_t)
+selinux_compute_create_context(rshd_t)
+selinux_compute_relabel_context(rshd_t)
+selinux_compute_user_contexts(rshd_t)
corecmd_read_bin_symlinks(rshd_t)
files_list_home(rshd_t)
+files_search_tmp(rshd_t)
+
+auth_login_pgm_domain(rshd_t)
+auth_write_login_records(rshd_t)
+init_rw_utmp(rshd_t)
+
+logging_send_syslog_msg(rshd_t)
logging_search_logs(rshd_t)
-miscfiles_read_localization(rshd_t)
+seutil_read_config(rshd_t)
+seutil_read_default_contexts(rshd_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(rshd_t)
- fs_read_nfs_symlinks(rshd_t)
-')
+userdom_search_user_home_content(rshd_t)
+userdom_manage_tmp_role(system_r, rshd_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(rshd_t)
- fs_read_cifs_symlinks(rshd_t)
-')
+userdom_home_reader(rshd_t)
optional_policy(`
kerberos_manage_host_rcache(rshd_t)
kerberos_read_keytab(rshd_t)
- kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache(rshd_t, "host_0")
kerberos_use(rshd_t)
')
diff --git a/rssh.te b/rssh.te
index 5c5465feb..60059323f 100644
--- a/rssh.te
+++ b/rssh.te
@@ -60,18 +60,14 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
kernel_read_system_state(rssh_t)
kernel_read_kernel_sysctls(rssh_t)
-files_read_etc_files(rssh_t)
files_read_etc_runtime_files(rssh_t)
files_list_home(rssh_t)
-files_read_usr_files(rssh_t)
files_list_var(rssh_t)
fs_search_auto_mountpoints(rssh_t)
logging_send_syslog_msg(rssh_t)
-miscfiles_read_localization(rssh_t)
-
rssh_domtrans_chroot_helper(rssh_t)
ssh_rw_tcp_sockets(rssh_t)
@@ -95,5 +91,3 @@ domain_use_interactive_fds(rssh_chroot_helper_t)
auth_use_nsswitch(rssh_chroot_helper_t)
logging_send_syslog_msg(rssh_chroot_helper_t)
-
-miscfiles_read_localization(rssh_chroot_helper_t)
diff --git a/rsync.fc b/rsync.fc
index d25301b85..f3eeec7b6 100644
--- a/rsync.fc
+++ b/rsync.fc
@@ -1,7 +1,8 @@
/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0)
-/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
+/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
-/var/log/rsync\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0)
+/var/log/rsync.* gen_context(system_u:object_r:rsync_log_t,s0)
/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
+/var/run/swift_server\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
diff --git a/rsync.if b/rsync.if
index f1140efe4..642e062f4 100644
--- a/rsync.if
+++ b/rsync.if
@@ -1,16 +1,32 @@
-## <summary>Fast incremental file transfer for synchronization.</summary>
+## <summary>Fast incremental file transfer for synchronization</summary>
+
+#######################################
+## <summary>
+## Sendmail stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rsync_stub',`
+ gen_require(`
+ type rsync_t;
+ ')
+')
########################################
## <summary>
-## Make rsync executable file an
-## entry point for the specified domain.
+## Make rsync an entry point for
+## the specified domain.
## </summary>
## <param name="domain">
## <summary>
-## The domain for which rsync_exec_t is an entrypoint.
+## The domain for which init scripts are an entrypoint.
## </summary>
## </param>
-#
+# cjp: added for portage
interface(`rsync_entry_type',`
gen_require(`
type rsync_exec_t;
@@ -43,14 +59,13 @@ interface(`rsync_entry_type',`
## Domain to transition to.
## </summary>
## </param>
-#
+# cjp: added for portage
interface(`rsync_entry_spec_domtrans',`
gen_require(`
type rsync_exec_t;
')
- corecmd_search_bin($1)
- auto_trans($1, rsync_exec_t, $2)
+ domain_trans($1, rsync_exec_t, $2)
')
########################################
@@ -77,82 +92,56 @@ interface(`rsync_entry_spec_domtrans',`
## Domain to transition to.
## </summary>
## </param>
-#
+# cjp: added for portage
interface(`rsync_entry_domtrans',`
gen_require(`
type rsync_exec_t;
')
- corecmd_search_bin($1)
domain_auto_trans($1, rsync_exec_t, $2)
')
########################################
## <summary>
-## Execute the rsync program in the rsync domain.
+## Execute rsync in the caller domain domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
-interface(`rsync_domtrans',`
+interface(`rsync_exec',`
gen_require(`
- type rsync_t, rsync_exec_t;
+ type rsync_exec_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, rsync_exec_t, rsync_t)
+ can_exec($1, rsync_exec_t)
')
########################################
## <summary>
-## Execute rsync in the rsync domain, and
-## allow the specified role the rsync domain.
+## Read rsync config files.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-#
-interface(`rsync_run',`
- gen_require(`
- attribute_role rsync_roles;
- ')
-
- rsync_domtrans($1)
- roleattribute $2 rsync_roles;
-')
-
-########################################
## <summary>
-## Execute rsync in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
-interface(`rsync_exec',`
+interface(`rsync_read_config',`
gen_require(`
- type rsync_exec_t;
+ type rsync_etc_t;
')
- corecmd_search_bin($1)
- can_exec($1, rsync_exec_t)
+ read_files_pattern($1, rsync_etc_t, rsync_etc_t)
+ files_search_etc($1)
')
########################################
## <summary>
-## Read rsync config files.
+## Read rsync data files.
## </summary>
## <param name="domain">
## <summary>
@@ -160,23 +149,23 @@ interface(`rsync_exec',`
## </summary>
## </param>
#
-interface(`rsync_read_config',`
+interface(`rsync_read_data',`
gen_require(`
- type rsync_etc_t;
+ type rsync_data_t;
')
- files_search_etc($1)
- allow $1 rsync_etc_t:file read_file_perms;
+ read_files_pattern($1, rsync_data_t, rsync_data_t)
')
+
########################################
## <summary>
-## Write rsync config files.
+## Write to rsync config files.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
interface(`rsync_write_config',`
@@ -184,14 +173,13 @@ interface(`rsync_write_config',`
type rsync_etc_t;
')
+ write_files_pattern($1, rsync_etc_t, rsync_etc_t)
files_search_etc($1)
- allow $1 rsync_etc_t:file write_file_perms;
')
########################################
## <summary>
-## Create, read, write, and delete
-## rsync config files.
+## Manage rsync config files.
## </summary>
## <param name="domain">
## <summary>
@@ -199,18 +187,18 @@ interface(`rsync_write_config',`
## </summary>
## </param>
#
-interface(`rsync_manage_config_files',`
+interface(`rsync_manage_config',`
gen_require(`
type rsync_etc_t;
')
- files_search_etc($1)
manage_files_pattern($1, rsync_etc_t, rsync_etc_t)
+ files_search_etc($1)
')
########################################
## <summary>
-## Create specified objects in etc directories
+## Create objects in etc directories
## with rsync etc type.
## </summary>
## <param name="domain">
@@ -239,43 +227,21 @@ interface(`rsync_etc_filetrans_config',`
########################################
## <summary>
-## All of the rules required to
-## administrate an rsync environment.
+## Transition to rsync named content
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`rsync_admin',`
+interface(`rsync_filetrans_named_content',`
gen_require(`
- type rsync_t, rsync_etc_t, rsync_data_t;
- type rsync_log_t, rsync_tmp_t. rsync_var_run_t;
+ type rsync_etc_t;
+ type rsync_var_run_t;
')
- allow $1 rsync_t:process { ptrace signal_perms };
- ps_process_pattern($1, rsync_t)
-
- files_search_etc($1)
- admin_pattern($1, rsync_etc_t)
-
- admin_pattern($1, rsync_data_t)
-
- logging_search_logs($1)
- admin_pattern($1, rsync_log_t)
-
- files_search_tmp($1)
- admin_pattern($1, rsync_tmp_t)
-
- files_search_pids($1)
- admin_pattern($1, rsync_var_run_t)
-
- rsync_run($1, $2)
+ files_etc_filetrans($1, rsync_etc_t, file, "rsyncd.cond")
+ files_pid_filetrans($1, rsync_var_run_t, file, "swift_server.lock")
+ files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
')
diff --git a/rsync.te b/rsync.te
index abeb302a7..55ee48de0 100644
--- a/rsync.te
+++ b/rsync.te
@@ -6,67 +6,46 @@ policy_module(rsync, 1.13.0)
#
## <desc>
-## <p>
-## Determine whether rsync can use
-## cifs file systems.
-## </p>
+## <p>
+## Allow rsync to run as a client
+## </p>
## </desc>
-gen_tunable(rsync_use_cifs, false)
+gen_tunable(rsync_client, false)
## <desc>
-## <p>
-## Determine whether rsync can
-## use fuse file systems.
-## </p>
+## <p>
+## Allow rsync to export any files/directories read only.
+## </p>
## </desc>
-gen_tunable(rsync_use_fusefs, false)
+gen_tunable(rsync_export_all_ro, false)
## <desc>
-## <p>
-## Determine whether rsync can use
-## nfs file systems.
-## </p>
+## <p>
+## Allow rsync to modify public files
+## used for public file transfer services. Files/Directories must be
+## labeled public_content_rw_t.
+## </p>
## </desc>
-gen_tunable(rsync_use_nfs, false)
+gen_tunable(rsync_anon_write, false)
## <desc>
## <p>
-## Determine whether rsync can
-## run as a client
+## Allow rsync server to manage all files/directories on the system.
## </p>
## </desc>
-gen_tunable(rsync_client, false)
+gen_tunable(rsync_full_access, false)
-## <desc>
-## <p>
-## Determine whether rsync can
-## export all content read only.
-## </p>
-## </desc>
-gen_tunable(rsync_export_all_ro, false)
-
-## <desc>
-## <p>
-## Determine whether rsync can modify
-## public files used for public file
-## transfer services. Directories/Files must
-## be labeled public_content_rw_t.
-## </p>
-## </desc>
-gen_tunable(allow_rsync_anon_write, false)
-
-attribute_role rsync_roles;
type rsync_t;
type rsync_exec_t;
+application_executable_file(rsync_exec_t)
+role system_r types rsync_t;
init_daemon_domain(rsync_t, rsync_exec_t)
-application_domain(rsync_t, rsync_exec_t)
-role rsync_roles types rsync_t;
type rsync_etc_t;
files_config_file(rsync_etc_t)
-type rsync_data_t; # customizable
+type rsync_data_t;
files_type(rsync_data_t)
type rsync_log_t;
@@ -83,18 +62,28 @@ files_pid_file(rsync_var_run_t)
# Local policy
#
-allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
+allow rsync_t self:capability { chown dac_read_search fowner fsetid setuid setgid sys_chroot };
allow rsync_t self:process signal_perms;
allow rsync_t self:fifo_file rw_fifo_file_perms;
-allow rsync_t self:tcp_socket { accept listen };
+allow rsync_t self:tcp_socket create_stream_socket_perms;
+allow rsync_t self:udp_socket connected_socket_perms;
+
+# for identd
+# cjp: this should probably only be inetd_child_t rules?
+# search home and kerberos also.
+allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+#end for identd
-allow rsync_t rsync_etc_t:file read_file_perms;
+read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t)
allow rsync_t rsync_data_t:dir list_dir_perms;
-allow rsync_t rsync_data_t:file read_file_perms;
-allow rsync_t rsync_data_t:lnk_file read_lnk_file_perms;
+read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+allow rsync_t rsync_data_t:dir_file_class_set getattr;
+allow rsync_t rsync_data_t:socket_class_set getattr;
+allow rsync_t rsync_data_t:sock_file setattr;
-allow rsync_t rsync_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t)
logging_log_filetrans(rsync_t, rsync_log_t, file)
manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
@@ -108,46 +97,55 @@ kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
kernel_read_network_state(rsync_t)
-corenet_all_recvfrom_unlabeled(rsync_t)
corenet_all_recvfrom_netlabel(rsync_t)
corenet_tcp_sendrecv_generic_if(rsync_t)
+corenet_udp_sendrecv_generic_if(rsync_t)
corenet_tcp_sendrecv_generic_node(rsync_t)
+corenet_udp_sendrecv_generic_node(rsync_t)
+corenet_tcp_sendrecv_all_ports(rsync_t)
+corenet_udp_sendrecv_all_ports(rsync_t)
corenet_tcp_bind_generic_node(rsync_t)
-
-corenet_sendrecv_rsync_server_packets(rsync_t)
corenet_tcp_bind_rsync_port(rsync_t)
-corenet_tcp_sendrecv_rsync_port(rsync_t)
+corenet_sendrecv_rsync_server_packets(rsync_t)
dev_read_urand(rsync_t)
-fs_getattr_all_fs(rsync_t)
+fs_getattr_xattr_fs(rsync_t)
fs_search_auto_mountpoints(rsync_t)
files_search_home(rsync_t)
-auth_can_read_shadow_passwords(rsync_t)
auth_use_nsswitch(rsync_t)
logging_send_syslog_msg(rsync_t)
-miscfiles_read_localization(rsync_t)
miscfiles_read_public_files(rsync_t)
-tunable_policy(`allow_rsync_anon_write',`
- miscfiles_manage_public_files(rsync_t)
+userdom_home_manager(rsync_t)
+
+optional_policy(`
+ daemontools_service_domain(rsync_t, rsync_exec_t)
')
-tunable_policy(`rsync_client',`
- corenet_sendrecv_rsync_client_packets(rsync_t)
- corenet_tcp_connect_rsync_port(rsync_t)
+optional_policy(`
+ kerberos_use(rsync_t)
+')
- corenet_sendrecv_ssh_client_packets(rsync_t)
- corenet_tcp_connect_ssh_port(rsync_t)
- corenet_tcp_sendrecv_ssh_port(rsync_t)
+optional_policy(`
+ inetd_service_domain(rsync_t, rsync_exec_t)
+')
- manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
- manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
- manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+optional_policy(`
+ mta_send_mail(rsync_t)
+')
+
+tunable_policy(`rsync_anon_write',`
+ miscfiles_manage_public_files(rsync_t)
+')
+
+tunable_policy(`rsync_full_access',`
+ allow rsync_t self:capability { dac_read_search };
+ files_manage_non_auth_files(rsync_t)
')
tunable_policy(`rsync_export_all_ro',`
@@ -161,38 +159,24 @@ tunable_policy(`rsync_export_all_ro',`
auth_tunable_read_shadow(rsync_t)
')
-tunable_policy(`rsync_use_cifs',`
- fs_list_cifs(rsync_t)
- fs_read_cifs_files(rsync_t)
- fs_read_cifs_symlinks(rsync_t)
-')
-
-tunable_policy(`rsync_use_fusefs',`
- fs_search_fusefs(rsync_t)
- fs_read_fusefs_files(rsync_t)
- fs_read_fusefs_symlinks(rsync_t)
-')
-
-tunable_policy(`rsync_use_nfs',`
- fs_list_nfs(rsync_t)
- fs_read_nfs_files(rsync_t)
- fs_read_nfs_symlinks(rsync_t)
+tunable_policy(`rsync_client',`
+ corenet_tcp_connect_rsync_port(rsync_t)
+ corenet_tcp_connect_ssh_port(rsync_t)
+ manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
+ manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+ manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
')
optional_policy(`
tunable_policy(`rsync_client',`
- ssh_exec(rsync_t)
+ ssh_exec(rsync_t)
')
')
-optional_policy(`
- daemontools_service_domain(rsync_t, rsync_exec_t)
-')
-
-optional_policy(`
- kerberos_use(rsync_t)
-')
+auth_can_read_shadow_passwords(rsync_t)
optional_policy(`
- inetd_service_domain(rsync_t, rsync_exec_t)
+ swift_manage_data_files(rsync_t)
+ swift_manage_lock(rsync_t)
+ swift_filetrans_named_lock(rsync_t)
')
diff --git a/rtas.fc b/rtas.fc
new file mode 100644
index 000000000..8d12521d2
--- /dev/null
+++ b/rtas.fc
@@ -0,0 +1,14 @@
+/usr/lib/systemd/system/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_unit_file_t,s0)
+
+/usr/sbin/rtas_errd -- gen_context(system_u:object_r:rtas_errd_exec_t,s0)
+/usr/libexec/ppc64-diag/rtas_errd -- gen_context(system_u:object_r:rtas_errd_exec_t,s0)
+
+/var/lock/subsys/rtas_errd -- gen_context(system_u:object_r:rtas_errd_var_lock_t)
+/var/lock/.*librtas -- gen_context(system_u:object_r:rtas_errd_var_lock_t)
+
+/var/log/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_log_t)
+/var/log/platform.* -- gen_context(system_u:object_r:rtas_errd_log_t)
+/var/log/epow_status.* -- gen_context(system_u:object_r:rtas_errd_log_t)
+
+/var/run/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_var_run_t,s0)
+
diff --git a/rtas.if b/rtas.if
new file mode 100644
index 000000000..92cc49d7f
--- /dev/null
+++ b/rtas.if
@@ -0,0 +1,163 @@
+
+## <summary>Platform diagnostics report firmware events.</summary>
+
+########################################
+## <summary>
+## Execute rtas_errd in the rtas_errd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rtas_errd_domtrans',`
+ gen_require(`
+ type rtas_errd_t, rtas_errd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rtas_errd_exec_t, rtas_errd_t)
+')
+
+########################################
+## <summary>
+## Read rtas_errd's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rtas_errd_read_log',`
+ gen_require(`
+ type rtas_errd_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
+')
+
+########################################
+## <summary>
+## Append to rtas_errd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rtas_errd_append_log',`
+ gen_require(`
+ type rtas_errd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
+')
+
+########################################
+## <summary>
+## Manage rtas_errd log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rtas_errd_manage_log',`
+ gen_require(`
+ type rtas_errd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
+ manage_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
+ manage_lnk_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
+')
+
+########################################
+## <summary>
+## Read rtas_errd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rtas_errd_read_pid_files',`
+ gen_require(`
+ type rtas_errd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, rtas_errd_var_run_t, rtas_errd_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute rtas_errd server in the rtas_errd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rtas_errd_systemctl',`
+ gen_require(`
+ type rtas_errd_t;
+ type rtas_errd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 rtas_errd_unit_file_t:file read_file_perms;
+ allow $1 rtas_errd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, rtas_errd_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an rtas_errd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rtas_errd_admin',`
+ gen_require(`
+ type rtas_errd_t;
+ type rtas_errd_log_t, rtas_errd_var_run_t;
+ type rtas_errd_unit_file_t;
+ ')
+
+ allow $1 rtas_errd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rtas_errd_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, rtas_errd_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, rtas_errd_var_run_t)
+
+ rtas_errd_systemctl($1)
+ admin_pattern($1, rtas_errd_unit_file_t)
+ allow $1 rtas_errd_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/rtas.te b/rtas.te
new file mode 100644
index 000000000..9a5164c7e
--- /dev/null
+++ b/rtas.te
@@ -0,0 +1,95 @@
+policy_module(rtas, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rtas_errd_t;
+type rtas_errd_exec_t;
+init_daemon_domain(rtas_errd_t, rtas_errd_exec_t)
+
+type rtas_errd_log_t;
+logging_log_file(rtas_errd_log_t)
+
+type rtas_errd_var_run_t;
+files_pid_file(rtas_errd_var_run_t)
+
+type rtas_errd_var_lock_t;
+files_lock_file(rtas_errd_var_lock_t)
+
+type rtas_errd_unit_file_t;
+systemd_unit_file(rtas_errd_unit_file_t)
+
+type rtas_errd_tmp_t;
+files_tmp_file(rtas_errd_tmp_t)
+
+type rtas_errd_tmpfs_t;
+files_tmpfs_file(rtas_errd_tmpfs_t)
+
+########################################
+#
+# rtas_errd local policy
+#
+
+allow rtas_errd_t self:capability { net_admin chown sys_admin };
+allow rtas_errd_t self:process { fork signull };
+allow rtas_errd_t self:fifo_file rw_fifo_file_perms;
+allow rtas_errd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t)
+manage_files_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t)
+manage_lnk_files_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t)
+logging_log_filetrans(rtas_errd_t, rtas_errd_log_t, { dir file lnk_file })
+
+manage_files_pattern(rtas_errd_t,rtas_errd_var_lock_t,rtas_errd_var_lock_t)
+manage_lnk_files_pattern(rtas_errd_t,rtas_errd_var_lock_t,rtas_errd_var_lock_t)
+files_lock_filetrans(rtas_errd_t,rtas_errd_var_lock_t, { dir file } )
+
+manage_dirs_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
+manage_files_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
+manage_lnk_files_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
+files_pid_filetrans(rtas_errd_t, rtas_errd_var_run_t, { dir file lnk_file })
+
+manage_files_pattern(rtas_errd_t, rtas_errd_tmp_t, rtas_errd_tmp_t)
+manage_dirs_pattern(rtas_errd_t, rtas_errd_tmp_t, rtas_errd_tmp_t)
+files_tmp_filetrans(rtas_errd_t, rtas_errd_tmp_t, { file dir })
+
+manage_files_pattern(rtas_errd_t, rtas_errd_tmpfs_t, rtas_errd_tmpfs_t)
+manage_dirs_pattern(rtas_errd_t, rtas_errd_tmpfs_t, rtas_errd_tmpfs_t)
+fs_tmpfs_filetrans(rtas_errd_t, rtas_errd_tmpfs_t, { file dir })
+
+kernel_read_all_sysctls(rtas_errd_t)
+kernel_read_system_state(rtas_errd_t)
+kernel_read_network_state(rtas_errd_t)
+
+domain_read_all_domains_state(rtas_errd_t)
+
+auth_use_nsswitch(rtas_errd_t)
+
+corecmd_exec_bin(rtas_errd_t)
+
+dev_read_rand(rtas_errd_t)
+dev_read_urand(rtas_errd_t)
+dev_read_raw_memory(rtas_errd_t)
+dev_write_raw_memory(rtas_errd_t)
+dev_read_sysfs(rtas_errd_t)
+dev_rw_nvram(rtas_errd_t)
+
+files_manage_system_db_files(rtas_errd_t)
+
+logging_send_syslog_msg(rtas_errd_t)
+logging_read_generic_logs(rtas_errd_t)
+
+optional_policy(`
+ hostname_exec(rtas_errd_t)
+')
+
+optional_policy(`
+ rpm_exec(rtas_errd_t)
+ rpm_dontaudit_manage_db(rtas_errd_t)
+')
+
+optional_policy(`
+ unconfined_domain(rtas_errd_t)
+')
diff --git a/rtkit.if b/rtkit.if
index e904ec472..e0dd20eeb 100644
--- a/rtkit.if
+++ b/rtkit.if
@@ -15,7 +15,6 @@ interface(`rtkit_daemon_domtrans',`
type rtkit_daemon_t, rtkit_daemon_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t)
')
@@ -42,56 +41,47 @@ interface(`rtkit_daemon_dbus_chat',`
########################################
## <summary>
-## Allow rtkit to control scheduling for your process.
+## Do not audit send and receive messages from
+## rtkit_daemon over dbus.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`rtkit_scheduled',`
+interface(`rtkit_daemon_dontaudit_dbus_chat',`
gen_require(`
type rtkit_daemon_t;
+ class dbus send_msg;
')
- allow rtkit_daemon_t $1:process { getsched setsched };
-
- kernel_search_proc($1)
- ps_process_pattern(rtkit_daemon_t, $1)
-
- optional_policy(`
- rtkit_daemon_dbus_chat($1)
- ')
+ dontaudit $1 rtkit_daemon_t:dbus send_msg;
+ dontaudit rtkit_daemon_t $1:dbus send_msg;
+ dontaudit rtkit_daemon_t $1:process { getsched setsched };
')
########################################
## <summary>
-## All of the rules required to
-## administrate an rtkit environment.
+## Allow rtkit to control scheduling for your process
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
#
-interface(`rtkit_admin',`
+interface(`rtkit_scheduled',`
gen_require(`
- type rtkit_daemon_t, rtkit_daemon_initrc_exec_t;
+ type rtkit_daemon_t;
')
- allow $1 rtkit_daemon_t:process { ptrace signal_perms };
- ps_process_pattern($1, rtkit_daemon_t)
+ allow rtkit_daemon_t $1:process { getsched setsched };
+
+ kernel_search_proc($1)
+ ps_process_pattern(rtkit_daemon_t, $1)
- init_labeled_script_domtrans($1, rtkit_daemon_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rtkit_daemon_initrc_exec_t system_r;
- allow $2 system_r;
+ optional_policy(`
+ rtkit_daemon_dbus_chat($1)
+ ')
')
diff --git a/rtkit.te b/rtkit.te
index 7eea21f3f..714064633 100644
--- a/rtkit.te
+++ b/rtkit.te
@@ -31,8 +31,6 @@ auth_use_nsswitch(rtkit_daemon_t)
logging_send_syslog_msg(rtkit_daemon_t)
-miscfiles_read_localization(rtkit_daemon_t)
-
optional_policy(`
dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
diff --git a/rwho.if b/rwho.if
index 0360ff013..e6cb34f71 100644
--- a/rwho.if
+++ b/rwho.if
@@ -139,8 +139,11 @@ interface(`rwho_admin',`
type rwho_initrc_exec_t;
')
- allow $1 rwho_t:process { ptrace signal_perms };
+ allow $1 rwho_t:process signal_perms;
ps_process_pattern($1, rwho_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 rwho_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, rwho_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/rwho.te b/rwho.te
index 7fb75f457..9ccbd95c2 100644
--- a/rwho.te
+++ b/rwho.te
@@ -16,7 +16,7 @@ type rwho_log_t;
files_type(rwho_log_t)
type rwho_spool_t;
-files_type(rwho_spool_t)
+files_spool_file(rwho_spool_t)
########################################
#
@@ -38,7 +38,6 @@ files_spool_filetrans(rwho_t, rwho_spool_t, { file dir })
kernel_read_system_state(rwho_t)
-corenet_all_recvfrom_unlabeled(rwho_t)
corenet_all_recvfrom_netlabel(rwho_t)
corenet_udp_sendrecv_generic_if(rwho_t)
corenet_udp_sendrecv_generic_node(rwho_t)
@@ -50,15 +49,16 @@ corenet_udp_sendrecv_rwho_port(rwho_t)
domain_use_interactive_fds(rwho_t)
-files_read_etc_files(rwho_t)
+auth_use_nsswitch(rwho_t)
init_read_utmp(rwho_t)
init_dontaudit_write_utmp(rwho_t)
-logging_send_syslog_msg(rwho_t)
+auth_use_nsswitch(rwho_t)
-miscfiles_read_localization(rwho_t)
+logging_send_syslog_msg(rwho_t)
sysnet_dns_name_resolve(rwho_t)
-# userdom_getattr_user_terminals(rwho_t)
+userdom_getattr_user_terminals(rwho_t)
+
diff --git a/samba.fc b/samba.fc
index b8b66ff4d..a93346efe 100644
--- a/samba.fc
+++ b/samba.fc
@@ -1,42 +1,55 @@
-/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+
+#
+# /etc
+#
+/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
/etc/rc\.d/init\.d/winbind -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
-/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0)
-/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
-/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
-/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0)
-/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
+#
+# /usr
+#
+/usr/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
+/usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
+/usr/lib/systemd/system/winbind.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
-/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
-/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
-/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
-/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
-/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
+/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
+/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
+/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
-/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
-/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
-/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0)
-/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0)
+/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
+/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
+/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0)
+/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0)
-/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
-/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+#
+# /var
+#
+/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
-/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
-/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
-/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
+/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
-/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
-/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/var/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
/var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
/var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
@@ -45,7 +58,11 @@
/var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
-/var/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+/var/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+
+/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_spool_t,s0)
-/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+ifndef(`enable_mls',`
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
diff --git a/samba.if b/samba.if
index 50d07fb2e..e1474fde7 100644
--- a/samba.if
+++ b/samba.if
@@ -1,8 +1,12 @@
-## <summary>SMB and CIFS client/server programs.</summary>
+## <summary>
+## SMB and CIFS client/server programs for UNIX and
+## name Service Switch daemon for resolving names
+## from Windows NT servers.
+## </summary>
########################################
## <summary>
-## Execute nmbd in the nmbd domain.
+## Execute nmbd net in the nmbd_t domain.
## </summary>
## <param name="domain">
## <summary>
@@ -21,7 +25,7 @@ interface(`samba_domtrans_nmbd',`
#######################################
## <summary>
-## Send generic signals to nmbd.
+## Allow domain to signal samba
## </summary>
## <param name="domain">
## <summary>
@@ -38,8 +42,26 @@ interface(`samba_signal_nmbd',`
########################################
## <summary>
-## Connect to nmbd with a unix domain
-## stream socket.
+## Search the samba pid directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`samba_search_pid',`
+ gen_require(`
+ type smbd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 smbd_var_run_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Connect to nmbd.
## </summary>
## <param name="domain">
## <summary>
@@ -49,17 +71,16 @@ interface(`samba_signal_nmbd',`
#
interface(`samba_stream_connect_nmbd',`
gen_require(`
- type samba_var_t, nmbd_t, nmbd_var_run_t, smbd_var_run_t;
+ type nmbd_t, nmbd_var_run_t;
')
- files_search_pids($1)
- stream_connect_pattern($1, { smbd_var_run_t samba_var_t nmbd_var_run_t }, nmbd_var_run_t, nmbd_t)
+ samba_search_pid($1)
+ stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
')
########################################
## <summary>
-## Execute samba init scripts in
-## the init script domain.
+## Execute samba server in the samba domain.
## </summary>
## <param name="domain">
## <summary>
@@ -77,7 +98,31 @@ interface(`samba_initrc_domtrans',`
########################################
## <summary>
-## Execute samba net in the samba net domain.
+## Execute samba server in the samba domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_systemctl',`
+ gen_require(`
+ type samba_unit_file_t;
+ type smbd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 samba_unit_file_t:file read_file_perms;
+ allow $1 samba_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, smbd_t)
+')
+
+########################################
+## <summary>
+## Execute samba net in the samba_net domain.
## </summary>
## <param name="domain">
## <summary>
@@ -96,9 +141,27 @@ interface(`samba_domtrans_net',`
########################################
## <summary>
-## Execute samba net in the samba net
-## domain, and allow the specified
-## role the samba net domain.
+## Execute samba net in the samba_unconfined_net domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_unconfined_net',`
+ gen_require(`
+ type samba_unconfined_net_t, samba_net_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t)
+')
+
+########################################
+## <summary>
+## Execute samba net in the samba_net domain, and
+## allow the specified role the samba_net domain.
## </summary>
## <param name="domain">
## <summary>
@@ -114,11 +177,56 @@ interface(`samba_domtrans_net',`
#
interface(`samba_run_net',`
gen_require(`
- attribute_role samba_net_roles;
+ type samba_net_t;
')
samba_domtrans_net($1)
- roleattribute $2 samba_net_roles;
+ role $2 types samba_net_t;
+')
+
+#######################################
+## <summary>
+## The role for the samba module.
+## </summary>
+## <param name="role">
+## <summary>
+## The role to be allowed the samba_net domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_role_notrans',`
+ gen_require(`
+ type smbd_t;
+ ')
+
+ role $1 types smbd_t;
+')
+
+########################################
+## <summary>
+## Execute samba net in the samba_unconfined_net domain, and
+## allow the specified role the samba_unconfined_net domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the samba_unconfined_net domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_run_unconfined_net',`
+ gen_require(`
+ type samba_unconfined_net_t;
+ ')
+
+ samba_domtrans_unconfined_net($1)
+ role $2 types samba_unconfined_net_t;
')
########################################
@@ -142,9 +250,8 @@ interface(`samba_domtrans_smbmount',`
########################################
## <summary>
-## Execute smbmount in the smbmount
-## domain, and allow the specified
-## role the smbmount domain.
+## Execute smbmount interactively and do
+## a domain transition to the smbmount domain.
## </summary>
## <param name="domain">
## <summary>
@@ -160,16 +267,17 @@ interface(`samba_domtrans_smbmount',`
#
interface(`samba_run_smbmount',`
gen_require(`
- attribute_role smbmount_roles;
+ type smbmount_t;
')
samba_domtrans_smbmount($1)
- roleattribute $2 smbmount_roles;
+ role $2 types smbmount_t;
')
########################################
## <summary>
-## Read samba configuration files.
+## Allow the specified domain to read
+## samba configuration files.
## </summary>
## <param name="domain">
## <summary>
@@ -184,12 +292,14 @@ interface(`samba_read_config',`
')
files_search_etc($1)
+ list_dirs_pattern($1, samba_etc_t, samba_etc_t)
read_files_pattern($1, samba_etc_t, samba_etc_t)
')
########################################
## <summary>
-## Read and write samba configuration files.
+## Allow the specified domain to read
+## and write samba configuration files.
## </summary>
## <param name="domain">
## <summary>
@@ -209,8 +319,8 @@ interface(`samba_rw_config',`
########################################
## <summary>
-## Create, read, write, and delete
-## samba configuration files.
+## Allow the specified domain to read
+## and write samba configuration files.
## </summary>
## <param name="domain">
## <summary>
@@ -231,7 +341,7 @@ interface(`samba_manage_config',`
########################################
## <summary>
-## Read samba log files.
+## Allow the specified domain to read samba's log files.
## </summary>
## <param name="domain">
## <summary>
@@ -252,7 +362,7 @@ interface(`samba_read_log',`
########################################
## <summary>
-## Append to samba log files.
+## Allow the specified domain to append to samba's log files.
## </summary>
## <param name="domain">
## <summary>
@@ -273,7 +383,7 @@ interface(`samba_append_log',`
########################################
## <summary>
-## Execute samba log files in the caller domain.
+## Execute samba log in the caller domain.
## </summary>
## <param name="domain">
## <summary>
@@ -292,7 +402,7 @@ interface(`samba_exec_log',`
########################################
## <summary>
-## Read samba secret files.
+## Allow the specified domain to read samba's secrets.
## </summary>
## <param name="domain">
## <summary>
@@ -311,7 +421,7 @@ interface(`samba_read_secrets',`
########################################
## <summary>
-## Read samba share files.
+## Allow the specified domain to read samba's shares
## </summary>
## <param name="domain">
## <summary>
@@ -330,7 +440,8 @@ interface(`samba_read_share_files',`
########################################
## <summary>
-## Search samba var directories.
+## Allow the specified domain to search
+## samba /var directories.
## </summary>
## <param name="domain">
## <summary>
@@ -343,13 +454,15 @@ interface(`samba_search_var',`
type samba_var_t;
')
+ files_search_var($1)
files_search_var_lib($1)
allow $1 samba_var_t:dir search_dir_perms;
')
########################################
## <summary>
-## Read samba var files.
+## Allow the specified domain to
+## read samba /var files.
## </summary>
## <param name="domain">
## <summary>
@@ -362,14 +475,15 @@ interface(`samba_read_var_files',`
type samba_var_t;
')
+ files_search_var($1)
files_search_var_lib($1)
read_files_pattern($1, samba_var_t, samba_var_t)
')
########################################
## <summary>
-## Do not audit attempts to write
-## samba var files.
+## Do not audit attempts to write samba
+## /var files.
## </summary>
## <param name="domain">
## <summary>
@@ -387,7 +501,8 @@ interface(`samba_dontaudit_write_var_files',`
########################################
## <summary>
-## Read and write samba var files.
+## Allow the specified domain to
+## read and write samba /var files.
## </summary>
## <param name="domain">
## <summary>
@@ -400,14 +515,16 @@ interface(`samba_rw_var_files',`
type samba_var_t;
')
+ files_search_var($1)
files_search_var_lib($1)
rw_files_pattern($1, samba_var_t, samba_var_t)
+ allow $1 samba_var_t:file { map};
')
########################################
## <summary>
-## Create, read, write, and delete
-## samba var files.
+## Allow the specified domain to
+## read and write samba /var files.
## </summary>
## <param name="domain">
## <summary>
@@ -421,33 +538,55 @@ interface(`samba_manage_var_files',`
')
files_search_var_lib($1)
+ files_search_var_lib($1)
manage_files_pattern($1, samba_var_t, samba_var_t)
+ manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
')
########################################
## <summary>
-## Execute smbcontrol in the smbcontrol domain.
+## Allow the specified domain to
+## read and write samba /var directories.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed access.
## </summary>
## </param>
#
+interface(`samba_manage_var_dirs',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ files_search_var_lib($1)
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, samba_var_t, samba_var_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run smbcontrol.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
interface(`samba_domtrans_smbcontrol',`
gen_require(`
- type smbcontrol_t, smbcontrol_exec_t;
+ type smbcontrol_t;
+ type smbcontrol_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
')
########################################
## <summary>
-## Execute smbcontrol in the smbcontrol
-## domain, and allow the specified
-## role the smbcontrol domain.
+## Execute smbcontrol in the smbcontrol domain, and
+## allow the specified role the smbcontrol domain.
## </summary>
## <param name="domain">
## <summary>
@@ -462,16 +601,16 @@ interface(`samba_domtrans_smbcontrol',`
#
interface(`samba_run_smbcontrol',`
gen_require(`
- attribute_role smbcontrol_roles;
+ type smbcontrol_t;
')
samba_domtrans_smbcontrol($1)
- roleattribute $2 smbcontrol_roles;
+ role $2 types smbcontrol_t;
')
########################################
## <summary>
-## Execute smbd in the smbd domain.
+## Execute smbd in the smbd_t domain.
## </summary>
## <param name="domain">
## <summary>
@@ -488,9 +627,27 @@ interface(`samba_domtrans_smbd',`
domtrans_pattern($1, smbd_exec_t, smbd_t)
')
+########################################
+## <summary>
+## Set attributes of samba_share directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_setattr_samba_share_dirs',`
+ gen_require(`
+ type samba_share_t;
+ ')
+
+ allow $1 samba_share_t:dir setattr_dir_perms;
+')
+
######################################
## <summary>
-## Send generic signals to smbd.
+## Allow domain to signal samba
## </summary>
## <param name="domain">
## <summary>
@@ -505,10 +662,26 @@ interface(`samba_signal_smbd',`
allow $1 smbd_t:process signal;
')
+######################################
+## <summary>
+## Allow domain to signull samba
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_signull_smbd',`
+ gen_require(`
+ type smbd_t;
+ ')
+ allow $1 smbd_t:process signull;
+')
+
########################################
## <summary>
-## Do not audit attempts to inherit
-## and use smbd file descriptors.
+## Do not audit attempts to use file descriptors from samba.
## </summary>
## <param name="domain">
## <summary>
@@ -526,7 +699,7 @@ interface(`samba_dontaudit_use_fds',`
########################################
## <summary>
-## Write smbmount tcp sockets.
+## Allow the specified domain to write to smbmount tcp sockets.
## </summary>
## <param name="domain">
## <summary>
@@ -544,7 +717,7 @@ interface(`samba_write_smbmount_tcp_sockets',`
########################################
## <summary>
-## Read and write smbmount tcp sockets.
+## Allow the specified domain to read and write to smbmount tcp sockets.
## </summary>
## <param name="domain">
## <summary>
@@ -560,49 +733,47 @@ interface(`samba_rw_smbmount_tcp_sockets',`
allow $1 smbmount_t:tcp_socket { read write };
')
-########################################
+#######################################
## <summary>
-## Execute winbind helper in the
-## winbind helper domain.
+## Allow to getattr on winbind binary.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
+## <summary>
+## Domain allowed to transition.
+## </summary>
## </param>
#
-interface(`samba_domtrans_winbind_helper',`
- gen_require(`
- type winbind_helper_t, winbind_helper_exec_t;
- ')
+interface(`samba_getattr_winbind',`
+ gen_require(`
+ type winbind_exec_t;
+ ')
- corecmd_search_bin($1)
- domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
+ allow $1 winbind_exec_t:file getattr;
')
-#######################################
+########################################
## <summary>
-## Get attributes of winbind executable files.
+## Execute winbind_helper in the winbind_helper domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
## </summary>
## </param>
#
-interface(`samba_getattr_winbind_exec',`
+interface(`samba_domtrans_winbind_helper',`
gen_require(`
- type winbind_exec_t;
+ type winbind_helper_t, winbind_helper_exec_t;
')
- allow $1 winbind_exec_t:file getattr_file_perms;
+ domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
+ allow $1 winbind_helper_t:process signal;
')
########################################
## <summary>
-## Execute winbind helper in the winbind
-## helper domain, and allow the specified
-## role the winbind helper domain.
+## Execute winbind_helper in the winbind_helper domain, and
+## allow the specified role the winbind_helper domain.
## </summary>
## <param name="domain">
## <summary>
@@ -618,16 +789,16 @@ interface(`samba_getattr_winbind_exec',`
#
interface(`samba_run_winbind_helper',`
gen_require(`
- attribute_role winbind_helper_roles;
+ type winbind_helper_t;
')
samba_domtrans_winbind_helper($1)
- roleattribute $2 winbind_helper_roles;
+ role $2 types winbind_helper_t;
')
########################################
## <summary>
-## Read winbind pid files.
+## Allow the specified domain to read the winbind pid files.
## </summary>
## <param name="domain">
## <summary>
@@ -637,17 +808,71 @@ interface(`samba_run_winbind_helper',`
#
interface(`samba_read_winbind_pid',`
gen_require(`
- type winbind_var_run_t, smbd_var_run_t;
+ type winbind_var_run_t;
+ ')
+
+ samba_search_pid($1)
+ allow $1 winbind_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage winbind PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_manage_winbind_pid',`
+ gen_require(`
+ type winbind_var_run_t;
')
files_search_pids($1)
- read_files_pattern($1, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
+ manage_dirs_pattern($1, winbind_var_run_t, winbind_var_run_t)
+ manage_files_pattern($1, winbind_var_run_t, winbind_var_run_t)
+ manage_sock_files_pattern($1, winbind_var_run_t, winbind_var_run_t)
+')
+
+######################################
+## <summary>
+## Allow domain to signull winbind
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_signull_winbind',`
+ gen_require(`
+ type winbind_t;
+ ')
+ allow $1 winbind_t:process signull;
+')
+
+######################################
+## <summary>
+## Allow domain to signull samba_unconfined_net
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_signull_unconfined_net',`
+ gen_require(`
+ type samba_unconfined_net_t;
+ ')
+ allow $1 samba_unconfined_net_t:process signull;
')
########################################
## <summary>
-## Connect to winbind with a unix
-## domain stream socket.
+## Connect to winbind.
## </summary>
## <param name="domain">
## <summary>
@@ -657,17 +882,61 @@ interface(`samba_read_winbind_pid',`
#
interface(`samba_stream_connect_winbind',`
gen_require(`
- type samba_var_t, winbind_t, winbind_var_run_t, smbd_var_run_t;
+ type samba_var_t, winbind_t, winbind_var_run_t;
')
- files_search_pids($1)
- stream_connect_pattern($1, { smbd_var_run_t samba_var_t winbind_var_run_t }, winbind_var_run_t, winbind_t)
+ samba_search_pid($1)
+ allow $1 samba_var_t:dir search_dir_perms;
+ stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
+ samba_read_config($1)
+
+ ifndef(`distro_redhat',`
+ gen_require(`
+ type winbind_tmp_t;
+ ')
+
+ # the default for the socket is (poorly named):
+ # /tmp/.winbindd/pipe
+ files_search_tmp($1)
+ stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
+ ')
+')
+
+########################################
+## <summary>
+## Create a set of derived types for apache
+## web content.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`samba_helper_template',`
+ gen_require(`
+ type smbd_t;
+ role system_r;
+ ')
+
+ #This type is for samba helper scripts
+ type samba_$1_script_t;
+ domain_type(samba_$1_script_t)
+ role system_r types samba_$1_script_t;
+
+ # This type is used for executable scripts files
+ type samba_$1_script_exec_t;
+ corecmd_shell_entry_type(samba_$1_script_t)
+ domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t)
+
+ domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
+ allow smbd_t samba_$1_script_exec_t:file ioctl;
')
########################################
## <summary>
-## All of the rules required to
-## administrate an samba environment.
+## All of the rules required to administrate
+## an samba environment
## </summary>
## <param name="domain">
## <summary>
@@ -676,7 +945,7 @@ interface(`samba_stream_connect_winbind',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the samba domain.
## </summary>
## </param>
## <rolecap/>
@@ -689,11 +958,30 @@ interface(`samba_admin',`
type samba_etc_t, samba_share_t, samba_initrc_exec_t;
type swat_var_run_t, swat_tmp_t, winbind_log_t;
type winbind_var_run_t, winbind_tmp_t;
- type smbd_keytab_t;
+ type smbd_keytab_t, samba_unit_file_t;
+ type samba_unconfined_script_t;
+ type samba_unconfined_script_exec_t;
')
- allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { nmbd_t smbd_t })
+ allow $1 smbd_t:process signal_perms;
+ ps_process_pattern($1, smbd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 smbd_t:process ptrace;
+ allow $1 nmbd_t:process ptrace;
+ allow $1 samba_unconfined_script_t:process ptrace;
+ ')
+
+ allow $1 nmbd_t:process signal_perms;
+ ps_process_pattern($1, nmbd_t)
+
+ allow $1 samba_unconfined_script_t:process signal_perms;
+ ps_process_pattern($1, samba_unconfined_script_t)
+
+ samba_run_smbcontrol($1, $2)
+ samba_run_winbind_helper($1, $2)
+ samba_run_smbmount($1, $2)
+ samba_run_net($1, $2)
init_labeled_script_domtrans($1, samba_initrc_exec_t)
domain_system_change_exemption($1)
@@ -703,23 +991,34 @@ interface(`samba_admin',`
files_list_etc($1)
admin_pattern($1, { samba_etc_t smbd_keytab_t })
+ admin_pattern($1, samba_log_t)
logging_list_logs($1)
- admin_pattern($1, { samba_log_t winbind_log_t })
- files_list_var($1)
- admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t })
+ admin_pattern($1, samba_secrets_t)
- files_list_spool($1)
- admin_pattern($1, smbd_spool_t)
+ admin_pattern($1, samba_share_t)
+ admin_pattern($1, samba_var_t)
+ files_list_var($1)
+
+ admin_pattern($1, smbd_var_run_t)
files_list_pids($1)
- admin_pattern($1, { winbind_var_run_t smbd_var_run_t swat_var_run_t nmbd_var_run_t })
+ admin_pattern($1, smbd_tmp_t)
files_list_tmp($1)
- admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
- samba_run_smbcontrol($1, $2)
- samba_run_winbind_helper($1, $2)
- samba_run_smbmount($1, $2)
- samba_run_net($1, $2)
+ admin_pattern($1, swat_var_run_t)
+
+ admin_pattern($1, swat_tmp_t)
+
+ admin_pattern($1, winbind_log_t)
+
+ admin_pattern($1, winbind_tmp_t)
+
+ admin_pattern($1, winbind_var_run_t)
+ admin_pattern($1, samba_unconfined_script_exec_t)
+
+ samba_systemctl($1)
+ admin_pattern($1, samba_unit_file_t)
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
index 2b7c441e7..0f95635dd 100644
--- a/samba.te
+++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
#
## <desc>
-## <p>
-## Determine whether samba can modify
-## public files used for public file
-## transfer services. Directories/Files must
-## be labeled public_content_rw_t.
-## </p>
+## <p>
+## Allow samba to modify public files used for public file
+## transfer services. Files/Directories must be labeled
+## public_content_rw_t.
+## </p>
## </desc>
-gen_tunable(allow_smbd_anon_write, false)
+gen_tunable(smbd_anon_write, false)
## <desc>
-## <p>
-## Determine whether samba can
-## create home directories via pam.
-## </p>
+## <p>
+## Allow samba to create new home directories (e.g. via PAM)
+## </p>
## </desc>
gen_tunable(samba_create_home_dirs, false)
## <desc>
-## <p>
-## Determine whether samba can act as the
-## domain controller, add users, groups
-## and change passwords.
-## </p>
+## <p>
+## Allow samba to act as the domain controller, add users,
+## groups and change passwords.
+##
+## </p>
## </desc>
gen_tunable(samba_domain_controller, false)
## <desc>
-## <p>
-## Determine whether samba can
-## act as a portmapper.
-## </p>
+## <p>
+## Allow samba to act as a portmapper
+##
+## </p>
## </desc>
gen_tunable(samba_portmapper, false)
## <desc>
-## <p>
-## Determine whether samba can share
-## users home directories.
-## </p>
+## <p>
+## Allow samba to share users home directories.
+## </p>
## </desc>
gen_tunable(samba_enable_home_dirs, false)
## <desc>
-## <p>
-## Determine whether samba can share
-## any content read only.
-## </p>
+## <p>
+## Allow samba to share any file/directory read only.
+## </p>
## </desc>
gen_tunable(samba_export_all_ro, false)
## <desc>
-## <p>
-## Determine whether samba can share any
-## content readable and writable.
-## </p>
+## <p>
+## Allow samba to share any file/directory read/write.
+## </p>
## </desc>
gen_tunable(samba_export_all_rw, false)
## <desc>
-## <p>
-## Determine whether samba can
-## run unconfined scripts.
-## </p>
+## <p>
+## Allow samba to run unconfined scripts
+## </p>
## </desc>
gen_tunable(samba_run_unconfined, false)
## <desc>
-## <p>
-## Determine whether samba can
-## use nfs file systems.
-## </p>
+## <p>
+## Allow samba to export NFS volumes.
+## </p>
## </desc>
gen_tunable(samba_share_nfs, false)
## <desc>
-## <p>
-## Determine whether samba can
-## use fuse file systems.
-## </p>
+## <p>
+## Allow samba to export ntfs/fusefs volumes.
+## </p>
## </desc>
gen_tunable(samba_share_fusefs, false)
-attribute_role samba_net_roles;
-roleattribute system_r samba_net_roles;
-
-attribute_role smbcontrol_roles;
-roleattribute system_r smbcontrol_roles;
-
-attribute_role smbmount_roles;
-roleattribute system_r smbmount_roles;
-
-attribute_role winbind_helper_roles;
-roleattribute system_r winbind_helper_roles;
+## <desc>
+## <p>
+## Allow smbd to load libgfapi from gluster.
+## </p>
+## </desc>
+gen_tunable(samba_load_libgfapi, false)
type nmbd_t;
type nmbd_exec_t;
@@ -113,13 +100,16 @@ files_config_file(samba_etc_t)
type samba_initrc_exec_t;
init_script_file(samba_initrc_exec_t)
+type samba_unit_file_t;
+systemd_unit_file(samba_unit_file_t)
+
type samba_log_t;
logging_log_file(samba_log_t)
type samba_net_t;
type samba_net_exec_t;
application_domain(samba_net_t, samba_net_exec_t)
-role samba_net_roles types samba_net_t;
+role system_r types samba_net_t;
type samba_net_tmp_t;
files_tmp_file(samba_net_tmp_t)
@@ -130,13 +120,16 @@ files_type(samba_secrets_t)
type samba_share_t; # customizable
files_type(samba_share_t)
+type samba_spool_t;
+files_type(samba_spool_t)
+
type samba_var_t;
files_type(samba_var_t)
type smbcontrol_t;
type smbcontrol_exec_t;
application_domain(smbcontrol_t, smbcontrol_exec_t)
-role smbcontrol_roles types smbcontrol_t;
+role system_r types smbcontrol_t;
type smbd_t;
type smbd_exec_t;
@@ -148,13 +141,17 @@ files_type(smbd_keytab_t)
type smbd_tmp_t;
files_tmp_file(smbd_tmp_t)
+type smbd_tmpfs_t;
+files_tmpfs_file(smbd_tmpfs_t)
+
type smbd_var_run_t;
files_pid_file(smbd_var_run_t)
type smbmount_t;
+domain_type(smbmount_t)
+
type smbmount_exec_t;
-application_domain(smbmount_t, smbmount_exec_t)
-role smbmount_roles types smbmount_t;
+domain_entry_file(smbmount_t, smbmount_exec_t)
type swat_t;
type swat_exec_t;
@@ -173,28 +170,29 @@ type winbind_exec_t;
init_daemon_domain(winbind_t, winbind_exec_t)
type winbind_helper_t;
+domain_type(winbind_helper_t)
+role system_r types winbind_helper_t;
+
type winbind_helper_exec_t;
-application_domain(winbind_helper_t, winbind_helper_exec_t)
-role winbind_helper_roles types winbind_helper_t;
+domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
type winbind_log_t;
logging_log_file(winbind_log_t)
-type winbind_tmp_t;
-files_tmp_file(winbind_tmp_t)
-
type winbind_var_run_t;
files_pid_file(winbind_var_run_t)
########################################
#
-# Net local policy
+# Samba net local policy
#
-
-allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override };
+allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search };
allow samba_net_t self:capability2 block_suspend;
allow samba_net_t self:process { getsched setsched };
-allow samba_net_t self:unix_stream_socket { accept listen };
+allow samba_net_t self:unix_dgram_socket create_socket_perms;
+allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
+allow samba_net_t self:udp_socket create_socket_perms;
+allow samba_net_t self:tcp_socket create_socket_perms;
allow samba_net_t samba_etc_t:file read_file_perms;
@@ -208,19 +206,26 @@ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+manage_sock_files_pattern(samba_net_t, samba_var_t, samba_var_t)
files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
+allow samba_net_t samba_var_t:file { map } ;
+kernel_read_proc_symlinks(samba_net_t)
kernel_read_system_state(samba_net_t)
kernel_read_network_state(samba_net_t)
-corenet_all_recvfrom_unlabeled(samba_net_t)
corenet_all_recvfrom_netlabel(samba_net_t)
+corenet_tcp_sendrecv_generic_if(samba_net_t)
corenet_udp_sendrecv_generic_if(samba_net_t)
+corenet_raw_sendrecv_generic_if(samba_net_t)
corenet_tcp_sendrecv_generic_node(samba_net_t)
-
-corenet_sendrecv_smbd_client_packets(samba_net_t)
+corenet_udp_sendrecv_generic_node(samba_net_t)
+corenet_raw_sendrecv_generic_node(samba_net_t)
+corenet_tcp_sendrecv_all_ports(samba_net_t)
+corenet_udp_sendrecv_all_ports(samba_net_t)
+corenet_tcp_bind_generic_node(samba_net_t)
+corenet_udp_bind_generic_node(samba_net_t)
corenet_tcp_connect_smbd_port(samba_net_t)
-corenet_tcp_sendrecv_smbd_port(samba_net_t)
dev_read_urand(samba_net_t)
@@ -233,15 +238,22 @@ auth_manage_cache(samba_net_t)
logging_send_syslog_msg(samba_net_t)
-miscfiles_read_localization(samba_net_t)
-
samba_read_var_files(samba_net_t)
-userdom_use_user_terminals(samba_net_t)
+sysnet_use_ldap(samba_net_t)
+
+userdom_use_inherited_user_terminals(samba_net_t)
userdom_list_user_home_dirs(samba_net_t)
optional_policy(`
- ldap_stream_connect(samba_net_t)
+ ctdbd_stream_connect(samba_net_t)
+ ctdbd_manage_lib_dirs(samba_net_t)
+ ctdbd_manage_lib_files(samba_net_t)
+')
+
+optional_policy(`
+ ldap_stream_connect(samba_net_t)
+ dirsrv_stream_connect(samba_net_t)
')
optional_policy(`
@@ -249,46 +261,59 @@ optional_policy(`
')
optional_policy(`
+ realmd_manage_cache_files(samba_net_t)
+ realmd_read_tmp_files(samba_net_t)
+')
+
+optional_policy(`
kerberos_use(samba_net_t)
- kerberos_etc_filetrans_keytab(samba_net_t, file)
+ kerberos_etc_filetrans_keytab(samba_net_t)
')
########################################
#
-# Smbd Local policy
+# smbd Local policy
#
-allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
+allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_read_search net_admin };
dontaudit smbd_t self:capability sys_tty_config;
-allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
+dontaudit smbd_t self:capability2 block_suspend;
+allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow smbd_t self:process setrlimit;
allow smbd_t self:fd use;
allow smbd_t self:fifo_file rw_fifo_file_perms;
allow smbd_t self:msg { send receive };
allow smbd_t self:msgq create_msgq_perms;
allow smbd_t self:sem create_sem_perms;
allow smbd_t self:shm create_shm_perms;
-allow smbd_t self:tcp_socket { accept listen };
-allow smbd_t self:unix_dgram_socket sendto;
-allow smbd_t self:unix_stream_socket { accept connectto listen };
+allow smbd_t self:key manage_key_perms;
+allow smbd_t self:sock_file read_sock_file_perms;
+allow smbd_t self:tcp_socket create_stream_socket_perms;
+allow smbd_t self:udp_socket create_socket_perms;
+allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull };
+allow smbd_t nmbd_t:process { signal signull };
-allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms };
+allow smbd_t nmbd_var_run_t:file rw_file_perms;
+stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+
+allow smbd_t samba_etc_t:file { rw_file_perms setattr };
allow smbd_t smbd_keytab_t:file read_file_perms;
manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
-append_files_pattern(smbd_t, samba_log_t, samba_log_t)
-create_files_pattern(smbd_t, samba_log_t, samba_log_t)
-setattr_files_pattern(smbd_t, samba_log_t, samba_log_t)
+manage_files_pattern(smbd_t, samba_log_t, samba_log_t)
-allow smbd_t samba_net_tmp_t:file getattr_file_perms;
+allow smbd_t samba_net_tmp_t:file getattr;
manage_files_pattern(smbd_t, samba_secrets_t, samba_secrets_t)
filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
+manage_fifo_files_pattern(smbd_t, samba_share_t, samba_share_t)
+manage_sock_files_pattern(smbd_t, samba_share_t, samba_share_t)
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
allow smbd_t samba_share_t:filesystem { getattr quotaget };
@@ -297,66 +322,74 @@ manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
+allow smbd_t samba_var_t:file { map } ;
+
+manage_dirs_pattern(smbd_t, samba_spool_t, samba_spool_t)
+manage_files_pattern(smbd_t, samba_spool_t, samba_spool_t)
+manage_lnk_files_pattern(smbd_t, samba_spool_t, samba_spool_t)
+manage_sock_files_pattern(smbd_t, samba_spool_t, samba_spool_t)
+files_spool_filetrans(smbd_t, samba_spool_t, dir, "samba")
+
+allow smbd_t smbcontrol_t:process { signal signull };
+allow smbd_t smbcontrol_t:unix_dgram_socket sendto;
manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+manage_dirs_pattern(smbd_t, smbd_tmpfs_t, smbd_tmpfs_t)
+manage_files_pattern(smbd_t, smbd_tmpfs_t, smbd_tmpfs_t)
+fs_tmpfs_filetrans(smbd_t, smbd_tmpfs_t, { file dir })
+
manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
-allow smbd_t winbind_var_run_t:sock_file read_sock_file_perms;
-stream_connect_pattern(smbd_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
+allow smbd_t swat_t:process signal;
-allow smbd_t nmbd_var_run_t:file read_file_perms;
-stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
+
+allow smbd_t winbind_t:process { signal signull };
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
kernel_read_network_state(smbd_t)
+kernel_read_net_sysctls(smbd_t)
kernel_read_fs_sysctls(smbd_t)
kernel_read_kernel_sysctls(smbd_t)
+kernel_read_usermodehelper_state(smbd_t)
kernel_read_software_raid_state(smbd_t)
kernel_read_system_state(smbd_t)
-corecmd_exec_bin(smbd_t)
corecmd_exec_shell(smbd_t)
+corecmd_exec_bin(smbd_t)
-corenet_all_recvfrom_unlabeled(smbd_t)
corenet_all_recvfrom_netlabel(smbd_t)
corenet_tcp_sendrecv_generic_if(smbd_t)
+corenet_udp_sendrecv_generic_if(smbd_t)
+corenet_raw_sendrecv_generic_if(smbd_t)
corenet_tcp_sendrecv_generic_node(smbd_t)
+corenet_udp_sendrecv_generic_node(smbd_t)
+corenet_raw_sendrecv_generic_node(smbd_t)
+corenet_tcp_sendrecv_all_ports(smbd_t)
+corenet_udp_sendrecv_all_ports(smbd_t)
corenet_tcp_bind_generic_node(smbd_t)
-
-corenet_sendrecv_smbd_client_packets(smbd_t)
-corenet_tcp_connect_smbd_port(smbd_t)
-corenet_sendrecv_smbd_server_packets(smbd_t)
+corenet_udp_bind_generic_node(smbd_t)
corenet_tcp_bind_smbd_port(smbd_t)
-corenet_tcp_sendrecv_smbd_port(smbd_t)
-
-corenet_sendrecv_ipp_client_packets(smbd_t)
corenet_tcp_connect_ipp_port(smbd_t)
-corenet_tcp_sendrecv_ipp_port(smbd_t)
+corenet_tcp_connect_smbd_port(smbd_t)
dev_read_sysfs(smbd_t)
dev_read_urand(smbd_t)
+dev_dontaudit_write_urand(smbd_t)
dev_getattr_mtrr_dev(smbd_t)
dev_dontaudit_getattr_usbfs_dirs(smbd_t)
+# For redhat bug 566984
dev_getattr_all_blk_files(smbd_t)
dev_getattr_all_chr_files(smbd_t)
-domain_use_interactive_fds(smbd_t)
-domain_dontaudit_list_all_domains_state(smbd_t)
-
-files_list_var_lib(smbd_t)
-files_read_etc_runtime_files(smbd_t)
-files_read_usr_files(smbd_t)
-files_search_spool(smbd_t)
-files_dontaudit_getattr_all_dirs(smbd_t)
-files_dontaudit_list_all_mountpoints(smbd_t)
-files_list_mnt(smbd_t)
+domain_dontaudit_signull_all_domains(smbd_t)
fs_getattr_all_fs(smbd_t)
fs_getattr_all_dirs(smbd_t)
@@ -366,44 +399,53 @@ fs_getattr_rpc_dirs(smbd_t)
fs_list_inotifyfs(smbd_t)
fs_get_all_fs_quotas(smbd_t)
-term_use_ptmx(smbd_t)
-
auth_use_nsswitch(smbd_t)
auth_domtrans_chk_passwd(smbd_t)
auth_domtrans_upd_passwd(smbd_t)
auth_manage_cache(smbd_t)
auth_write_login_records(smbd_t)
+domain_use_interactive_fds(smbd_t)
+domain_dontaudit_list_all_domains_state(smbd_t)
+
+files_list_var_lib(smbd_t)
+files_read_etc_runtime_files(smbd_t)
+files_search_spool(smbd_t)
+# smbd seems to getattr all mountpoints
+files_dontaudit_getattr_all_dirs(smbd_t)
+files_dontaudit_list_all_mountpoints(smbd_t)
+# Allow samba to list mnt_t for potential mounted dirs
+files_list_mnt(smbd_t)
+
init_rw_utmp(smbd_t)
logging_search_logs(smbd_t)
logging_send_syslog_msg(smbd_t)
-miscfiles_read_localization(smbd_t)
miscfiles_read_public_files(smbd_t)
sysnet_use_ldap(smbd_t)
userdom_use_unpriv_users_fds(smbd_t)
+userdom_search_user_home_content(smbd_t)
userdom_signal_all_users(smbd_t)
-userdom_home_filetrans_user_home_dir(smbd_t)
-userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
usermanage_read_crack_db(smbd_t)
-ifdef(`hide_broken_symptoms',`
+term_use_ptmx(smbd_t)
+
+ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
- fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
')
-tunable_policy(`allow_smbd_anon_write',`
+tunable_policy(`smbd_anon_write',`
miscfiles_manage_public_files(smbd_t)
-')
+')
-tunable_policy(`samba_create_home_dirs',`
- allow smbd_t self:capability chown;
- userdom_create_user_home_dirs(smbd_t)
+tunable_policy(`samba_portmapper',`
+ corenet_tcp_bind_epmap_port(smbd_t)
+ corenet_tcp_bind_all_unreserved_ports(smbd_t)
')
tunable_policy(`samba_domain_controller',`
@@ -419,20 +461,16 @@ tunable_policy(`samba_domain_controller',`
')
tunable_policy(`samba_enable_home_dirs',`
- userdom_manage_user_home_content_dirs(smbd_t)
- userdom_manage_user_home_content_files(smbd_t)
- userdom_manage_user_home_content_symlinks(smbd_t)
- userdom_manage_user_home_content_sockets(smbd_t)
- userdom_manage_user_home_content_pipes(smbd_t)
+ userdom_manage_user_home_content(smbd_t)
')
-tunable_policy(`samba_portmapper',`
- corenet_sendrecv_all_server_packets(smbd_t)
- corenet_tcp_bind_epmap_port(smbd_t)
- corenet_tcp_bind_all_unreserved_ports(smbd_t)
- corenet_tcp_sendrecv_all_ports(smbd_t)
+optional_policy(`
+ tunable_policy(`samba_enable_home_dirs',`
+ apache_manage_user_content(smbd_t)
+ ')
')
+# Support Samba sharing of NFS mount points
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
@@ -441,6 +479,7 @@ tunable_policy(`samba_share_nfs',`
fs_manage_nfs_named_sockets(smbd_t)
')
+# Support Samba sharing of ntfs/fusefs mount points
tunable_policy(`samba_share_fusefs',`
fs_manage_fusefs_dirs(smbd_t)
fs_manage_fusefs_files(smbd_t)
@@ -448,15 +487,10 @@ tunable_policy(`samba_share_fusefs',`
fs_search_fusefs(smbd_t)
')
-tunable_policy(`samba_export_all_ro',`
- fs_read_noxattr_fs_files(smbd_t)
- files_list_non_auth_dirs(smbd_t)
- files_read_non_auth_files(smbd_t)
-')
-
-tunable_policy(`samba_export_all_rw',`
- fs_read_noxattr_fs_files(smbd_t)
- files_manage_non_auth_files(smbd_t)
+tunable_policy(`samba_load_libgfapi',`
+ corenet_tcp_connect_all_ports(smbd_t)
+ corenet_tcp_bind_all_ports(smbd_t)
+ corenet_sendrecv_all_packets(smbd_t)
')
optional_policy(`
@@ -466,6 +500,7 @@ optional_policy(`
optional_policy(`
ctdbd_stream_connect(smbd_t)
ctdbd_manage_lib_files(smbd_t)
+ ctdbd_manage_lib_dirs(smbd_t)
')
optional_policy(`
@@ -474,11 +509,31 @@ optional_policy(`
')
optional_policy(`
+ dbus_system_bus_client(smbd_t)
+
+ optional_policy(`
+ oddjob_dbus_chat(smbd_t)
+ oddjob_domtrans_mkhomedir(smbd_t)
+ ')
+')
+
+optional_policy(`
+ glusterd_read_conf(smbd_t)
+ glusterd_rw_lib(smbd_t)
+ glusterd_manage_pid(smbd_t)
+')
+
+optional_policy(`
kerberos_read_keytab(smbd_t)
kerberos_use(smbd_t)
')
optional_policy(`
+ ldap_stream_connect(smbd_t)
+ dirsrv_stream_connect(smbd_t)
+')
+
+optional_policy(`
lpd_exec_lpr(smbd_t)
')
@@ -488,6 +543,10 @@ optional_policy(`
')
optional_policy(`
+ rhcs_signull_cluster(smbd_t)
+')
+
+optional_policy(`
rpc_search_nfs_state_data(smbd_t)
')
@@ -499,12 +558,53 @@ optional_policy(`
udev_read_db(smbd_t)
')
+tunable_policy(`samba_create_home_dirs',`
+ allow smbd_t self:capability chown;
+ userdom_create_user_home_dirs(smbd_t)
+')
+
+userdom_home_filetrans_user_home_dir(smbd_t)
+
+tunable_policy(`samba_export_all_ro',`
+ allow nmbd_t self:capability { dac_read_search };
+ fs_read_noxattr_fs_files(smbd_t)
+ files_read_non_security_files(smbd_t)
+ files_dontaudit_list_security_dirs(smbd_t)
+ files_dontaudit_search_security_files(smbd_t)
+ files_dontaudit_read_security_files(smbd_t)
+ fs_read_noxattr_fs_files(nmbd_t)
+ files_read_non_security_files(nmbd_t)
+ files_dontaudit_list_security_dirs(nmbd_t)
+ files_dontaudit_search_security_files(nmbd_t)
+ files_dontaudit_read_security_files(nmbd_t)
+')
+
+tunable_policy(`samba_export_all_rw',`
+ allow nmbd_t self:capability { dac_read_search };
+ fs_manage_noxattr_fs_files(smbd_t)
+ files_manage_non_security_files(smbd_t)
+ files_manage_non_security_dirs(smbd_t)
+ files_dontaudit_list_security_dirs(smbd_t)
+ files_dontaudit_search_security_files(smbd_t)
+ files_dontaudit_read_security_files(smbd_t)
+ fs_manage_noxattr_fs_files(nmbd_t)
+ files_manage_non_security_files(nmbd_t)
+ files_manage_non_security_dirs(nmbd_t)
+ files_dontaudit_list_security_dirs(nmbd_t)
+ files_dontaudit_search_security_files(nmbd_t)
+ files_dontaudit_read_security_files(nmbd_t)
+')
+
+userdom_filetrans_home_content(nmbd_t)
+
########################################
#
-# Nmbd Local policy
+# nmbd Local policy
#
dontaudit nmbd_t self:capability sys_tty_config;
+allow nmbd_t self:capability {net_admin};
+allow nmbd_t self:capability2 block_suspend;
allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow nmbd_t self:fd use;
allow nmbd_t self:fifo_file rw_fifo_file_perms;
@@ -512,9 +612,11 @@ allow nmbd_t self:msg { send receive };
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
-allow nmbd_t self:tcp_socket { accept listen };
-allow nmbd_t self:unix_dgram_socket sendto;
-allow nmbd_t self:unix_stream_socket { accept connectto listen };
+allow nmbd_t self:sock_file read_sock_file_perms;
+allow nmbd_t self:tcp_socket create_stream_socket_perms;
+allow nmbd_t self:udp_socket create_socket_perms;
+allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
@@ -526,20 +628,17 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
-append_files_pattern(nmbd_t, samba_log_t, samba_log_t)
-create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
-setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
+manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+manage_dirs_pattern(nmbd_t, samba_var_t, samba_var_t)
manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
files_var_filetrans(nmbd_t, samba_var_t, dir, "samba")
+allow nmbd_t samba_var_t:file map;
-allow nmbd_t { swat_t smbcontrol_t }:process signal;
-
-allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
+allow nmbd_t smbcontrol_t:process signal;
+allow nmbd_t smbcontrol_t:unix_dgram_socket sendto;
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
@@ -547,53 +646,44 @@ kernel_read_kernel_sysctls(nmbd_t)
kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
+kernel_read_usermodehelper_state(nmbd_t)
-corenet_all_recvfrom_unlabeled(nmbd_t)
corenet_all_recvfrom_netlabel(nmbd_t)
corenet_tcp_sendrecv_generic_if(nmbd_t)
corenet_udp_sendrecv_generic_if(nmbd_t)
corenet_tcp_sendrecv_generic_node(nmbd_t)
corenet_udp_sendrecv_generic_node(nmbd_t)
+corenet_tcp_sendrecv_all_ports(nmbd_t)
+corenet_udp_sendrecv_all_ports(nmbd_t)
corenet_udp_bind_generic_node(nmbd_t)
-
-corenet_sendrecv_nmbd_server_packets(nmbd_t)
corenet_udp_bind_nmbd_port(nmbd_t)
-corenet_udp_sendrecv_nmbd_port(nmbd_t)
-
-corenet_sendrecv_smbd_client_packets(nmbd_t)
+corenet_sendrecv_nmbd_server_packets(nmbd_t)
+corenet_sendrecv_nmbd_client_packets(nmbd_t)
corenet_tcp_connect_smbd_port(nmbd_t)
-corenet_tcp_sendrecv_smbd_port(nmbd_t)
-dev_read_sysfs(nmbd_t)
dev_getattr_mtrr_dev(nmbd_t)
+dev_read_sysfs(nmbd_t)
+dev_read_urand(nmbd_t)
+
+fs_getattr_all_fs(nmbd_t)
+fs_search_auto_mountpoints(nmbd_t)
domain_use_interactive_fds(nmbd_t)
-files_read_usr_files(nmbd_t)
files_list_var_lib(nmbd_t)
-fs_getattr_all_fs(nmbd_t)
-fs_search_auto_mountpoints(nmbd_t)
-
auth_use_nsswitch(nmbd_t)
logging_search_logs(nmbd_t)
logging_send_syslog_msg(nmbd_t)
-miscfiles_read_localization(nmbd_t)
-
userdom_use_unpriv_users_fds(nmbd_t)
-userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
-
-tunable_policy(`samba_export_all_ro',`
- fs_read_noxattr_fs_files(nmbd_t)
- files_list_non_auth_dirs(nmbd_t)
- files_read_non_auth_files(nmbd_t)
-')
+userdom_dontaudit_search_user_home_dirs(nmbd_t)
-tunable_policy(`samba_export_all_rw',`
- fs_read_noxattr_fs_files(nmbd_t)
- files_manage_non_auth_files(nmbd_t)
+optional_policy(`
+ ctdbd_stream_connect(nmbd_t)
+ ctdbd_manage_lib_dirs(nmbd_t)
+ ctdbd_manage_lib_files(nmbd_t)
')
optional_policy(`
@@ -606,18 +696,29 @@ optional_policy(`
########################################
#
-# Smbcontrol local policy
+# smbcontrol local policy
#
-allow smbcontrol_t self:process signal;
-allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
-allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+allow smbcontrol_t self:capability2 block_suspend;
allow smbcontrol_t self:process { signal signull };
+# internal communication is often done using fifo and unix sockets.
+allow smbcontrol_t self:fifo_file rw_file_perms;
+allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+allow smbcontrol_t self:unix_dgram_socket create_socket_perms;
+
+allow smbcontrol_t nmbd_t:process { signal signull };
+read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t)
-allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
-read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t })
+allow smbcontrol_t smbd_t:process { signal signull };
+read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t)
+allow smbcontrol_t winbind_t:process { signal signull };
manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
+manage_sock_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
+
+allow smbcontrol_t nmbd_t:unix_dgram_socket sendto;
+allow smbcontrol_t smbd_t:unix_dgram_socket sendto;
+allow smbcontrol_t winbind_t:unix_dgram_socket sendto;
samba_read_config(smbcontrol_t)
samba_search_var(smbcontrol_t)
@@ -627,39 +728,38 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
-files_read_etc_files(smbcontrol_t)
-files_search_var_lib(smbcontrol_t)
-
term_use_console(smbcontrol_t)
-miscfiles_read_localization(smbcontrol_t)
+auth_read_passwd(smbcontrol_t)
sysnet_use_ldap(smbcontrol_t)
-userdom_use_user_terminals(smbcontrol_t)
+userdom_use_inherited_user_terminals(smbcontrol_t)
optional_policy(`
ctdbd_stream_connect(smbcontrol_t)
+ ctdbd_sigchld(smbcontrol_t)
')
########################################
#
-# Smbmount Local policy
+# smbmount Local policy
#
-allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown };
-allow smbmount_t self:process signal_perms;
-allow smbmount_t self:tcp_socket { accept listen };
+allow smbmount_t self:capability { sys_rawio sys_admin dac_read_search chown }; # FIXME: is all of this really necessary?
+allow smbmount_t self:process { fork signal_perms };
+allow smbmount_t self:tcp_socket create_stream_socket_perms;
+allow smbmount_t self:udp_socket connect;
allow smbmount_t self:unix_dgram_socket create_socket_perms;
allow smbmount_t self:unix_stream_socket create_socket_perms;
allow smbmount_t samba_etc_t:dir list_dir_perms;
allow smbmount_t samba_etc_t:file read_file_perms;
-allow smbmount_t samba_log_t:dir list_dir_perms;
-append_files_pattern(smbmount_t, samba_log_t, samba_log_t)
-create_files_pattern(smbmount_t, samba_log_t, samba_log_t)
-setattr_files_pattern(smbmount_t, samba_log_t, samba_log_t)
+can_exec(smbmount_t, smbmount_exec_t)
+
+allow smbmount_t samba_log_t:dir list_dir_perms;
+allow smbmount_t samba_log_t:file manage_file_perms;
allow smbmount_t samba_secrets_t:file manage_file_perms;
@@ -668,26 +768,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
-can_exec(smbmount_t, smbmount_exec_t)
+files_list_var_lib(smbmount_t)
kernel_read_system_state(smbmount_t)
-corenet_all_recvfrom_unlabeled(smbmount_t)
corenet_all_recvfrom_netlabel(smbmount_t)
corenet_tcp_sendrecv_generic_if(smbmount_t)
+corenet_raw_sendrecv_generic_if(smbmount_t)
+corenet_udp_sendrecv_generic_if(smbmount_t)
corenet_tcp_sendrecv_generic_node(smbmount_t)
-
-corenet_sendrecv_all_client_packets(smbmount_t)
-corenet_tcp_connect_all_ports(smbmount_t)
+corenet_raw_sendrecv_generic_node(smbmount_t)
+corenet_udp_sendrecv_generic_node(smbmount_t)
corenet_tcp_sendrecv_all_ports(smbmount_t)
-
-corecmd_list_bin(smbmount_t)
-
-files_list_mnt(smbmount_t)
-files_list_var_lib(smbmount_t)
-files_mounton_mnt(smbmount_t)
-files_manage_etc_runtime_files(smbmount_t)
-files_etc_filetrans_etc_runtime(smbmount_t, file)
+corenet_udp_sendrecv_all_ports(smbmount_t)
+corenet_tcp_bind_generic_node(smbmount_t)
+corenet_udp_bind_generic_node(smbmount_t)
+corenet_tcp_connect_all_ports(smbmount_t)
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
@@ -699,58 +795,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
-auth_use_nsswitch(smbmount_t)
+corecmd_list_bin(smbmount_t)
+
+files_list_mnt(smbmount_t)
+files_mounton_mnt(smbmount_t)
+files_manage_etc_runtime_files(smbmount_t)
+files_etc_filetrans_etc_runtime(smbmount_t, file)
-miscfiles_read_localization(smbmount_t)
+auth_use_nsswitch(smbmount_t)
-mount_use_fds(smbmount_t)
locallogin_use_fds(smbmount_t)
logging_search_logs(smbmount_t)
-userdom_use_user_terminals(smbmount_t)
+userdom_use_inherited_user_terminals(smbmount_t)
userdom_use_all_users_fds(smbmount_t)
optional_policy(`
cups_read_rw_config(smbmount_t)
')
+optional_policy(`
+ mount_use_fds(smbmount_t)
+')
+
########################################
#
-# Swat Local policy
+# SWAT Local policy
#
-allow swat_t self:capability { dac_override setuid setgid sys_resource };
+allow swat_t self:capability { dac_read_search setuid setgid sys_resource };
+allow swat_t self:capability2 block_suspend;
allow swat_t self:process { setrlimit signal_perms };
allow swat_t self:fifo_file rw_fifo_file_perms;
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow swat_t self:tcp_socket { accept listen };
+allow swat_t self:tcp_socket create_stream_socket_perms;
+allow swat_t self:udp_socket create_socket_perms;
allow swat_t self:unix_stream_socket connectto;
-allow swat_t { nmbd_t smbd_t }:process { signal signull };
+samba_domtrans_smbd(swat_t)
+allow swat_t smbd_t:process { signal signull };
-allow swat_t smbd_var_run_t:file read_file_perms;
-allow swat_t smbd_var_run_t:file { lock delete_file_perms };
+samba_domtrans_nmbd(swat_t)
+allow swat_t nmbd_t:process { signal signull };
+allow nmbd_t swat_t:process signal;
+
+read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
+stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+
+allow swat_t smbd_port_t:tcp_socket name_bind;
+
+allow swat_t nmbd_port_t:udp_socket name_bind;
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(swat_t, samba_log_t, samba_log_t)
-append_files_pattern(swat_t, samba_log_t, samba_log_t)
-create_files_pattern(swat_t, samba_log_t, samba_log_t)
-setattr_files_pattern(swat_t, samba_log_t, samba_log_t)
+manage_files_pattern(swat_t, samba_log_t, samba_log_t)
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
manage_dirs_pattern(swat_t, samba_var_t, samba_var_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
-manage_lnk_files_pattern(swat_t, samba_var_t, samba_var_t)
files_var_filetrans(swat_t, samba_var_t, dir, "samba")
allow swat_t smbd_exec_t:file mmap_file_perms ;
-allow swat_t { winbind_t smbd_t }:process { signal signull };
+allow swat_t smbd_t:process signull;
+
+allow swat_t smbd_var_run_t:file read_file_perms;
+allow swat_t smbd_var_run_t:file { lock unlink };
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
@@ -759,17 +874,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
-read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
-allow swat_t winbind_var_run_t:dir { add_entry_dir_perms del_entry_dir_perms };
-allow swat_t winbind_var_run_t:sock_file { create_sock_file_perms delete_sock_file_perms };
-
-read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
-stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
-
-samba_domtrans_smbd(swat_t)
-samba_domtrans_nmbd(swat_t)
-
+allow swat_t winbind_exec_t:file mmap_file_perms;
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
+allow swat_t winbind_t:process { signal signull };
+
+read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
+allow swat_t winbind_var_run_t:dir { write add_name remove_name };
+allow swat_t winbind_var_run_t:sock_file { create unlink };
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
@@ -777,36 +888,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
-corenet_all_recvfrom_unlabeled(swat_t)
corenet_all_recvfrom_netlabel(swat_t)
corenet_tcp_sendrecv_generic_if(swat_t)
corenet_udp_sendrecv_generic_if(swat_t)
+corenet_raw_sendrecv_generic_if(swat_t)
corenet_tcp_sendrecv_generic_node(swat_t)
corenet_udp_sendrecv_generic_node(swat_t)
-corenet_tcp_bind_generic_node(swat_t)
-corenet_udp_bind_generic_node(swat_t)
-
-corenet_sendrecv_nmbd_server_packets(swat_t)
-corenet_udp_bind_nmbd_port(swat_t)
-corenet_udp_sendrecv_nmbd_port(swat_t)
-
-corenet_sendrecv_smbd_client_packets(swat_t)
+corenet_raw_sendrecv_generic_node(swat_t)
+corenet_tcp_sendrecv_all_ports(swat_t)
+corenet_udp_sendrecv_all_ports(swat_t)
corenet_tcp_connect_smbd_port(swat_t)
-corenet_sendrecv_smbd_server_packets(swat_t)
-corenet_tcp_bind_smbd_port(swat_t)
-corenet_tcp_sendrecv_smbd_port(swat_t)
-
-corenet_sendrecv_ipp_client_packets(swat_t)
corenet_tcp_connect_ipp_port(swat_t)
-corenet_tcp_sendrecv_ipp_port(swat_t)
+corenet_sendrecv_smbd_client_packets(swat_t)
+corenet_sendrecv_ipp_client_packets(swat_t)
dev_read_urand(swat_t)
files_list_var_lib(swat_t)
files_search_home(swat_t)
-files_read_usr_files(swat_t)
fs_getattr_xattr_fs(swat_t)
-files_list_var_lib(swat_t)
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
@@ -818,10 +918,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
-miscfiles_read_localization(swat_t)
-
sysnet_use_ldap(swat_t)
+
+userdom_dontaudit_search_admin_dir(swat_t)
+
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
@@ -840,17 +941,20 @@ optional_policy(`
# Winbind local policy
#
-allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
-dontaudit winbind_t self:capability sys_tty_config;
+allow winbind_t self:capability { kill dac_read_search ipc_lock setuid sys_nice };
+allow winbind_t self:capability2 block_suspend;
+dontaudit winbind_t self:capability { net_admin sys_tty_config };
allow winbind_t self:process { signal_perms getsched setsched };
allow winbind_t self:fifo_file rw_fifo_file_perms;
-allow winbind_t self:unix_stream_socket { accept listen };
-allow winbind_t self:tcp_socket { accept listen };
+allow winbind_t self:unix_dgram_socket { create_socket_perms sendto };
+allow winbind_t self:unix_stream_socket create_stream_socket_perms;
+allow winbind_t self:tcp_socket create_stream_socket_perms;
+allow winbind_t self:udp_socket create_socket_perms;
allow winbind_t nmbd_t:process { signal signull };
-allow winbind_t nmbd_var_run_t:file read_file_perms;
-stream_connect_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t)
+samba_stream_connect_nmbd(winbind_t)
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
@@ -860,9 +964,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
-append_files_pattern(winbind_t, samba_log_t, samba_log_t)
-create_files_pattern(winbind_t, samba_log_t, samba_log_t)
-setattr_files_pattern(winbind_t, samba_log_t, samba_log_t)
+manage_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
@@ -870,41 +972,46 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t)
files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+allow winbind_t samba_var_t:file { map } ;
-rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+manage_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
-# This needs a file context specification
-allow winbind_t winbind_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
-manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
-manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
-manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
-files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
+userdom_manage_user_tmp_dirs(winbind_t)
+userdom_manage_user_tmp_files(winbind_t)
+userdom_tmp_filetrans_user_tmp(winbind_t, { file dir })
manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir })
filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
-
-manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
+# /run/samba/krb5cc_samba
manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
+manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
kernel_read_network_state(winbind_t)
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
+kernel_read_usermodehelper_state(winbind_t)
+kernel_signull(winbind_t)
corecmd_exec_bin(winbind_t)
-corenet_all_recvfrom_unlabeled(winbind_t)
corenet_all_recvfrom_netlabel(winbind_t)
corenet_tcp_sendrecv_generic_if(winbind_t)
+corenet_udp_sendrecv_generic_if(winbind_t)
+corenet_raw_sendrecv_generic_if(winbind_t)
corenet_tcp_sendrecv_generic_node(winbind_t)
+corenet_udp_sendrecv_generic_node(winbind_t)
+corenet_raw_sendrecv_generic_node(winbind_t)
corenet_tcp_sendrecv_all_ports(winbind_t)
-
-corenet_sendrecv_all_client_packets(winbind_t)
+corenet_udp_sendrecv_all_ports(winbind_t)
+corenet_tcp_bind_generic_node(winbind_t)
+corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
@@ -912,38 +1019,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
-domain_use_interactive_fds(winbind_t)
-
-files_read_usr_symlinks(winbind_t)
-files_list_var_lib(winbind_t)
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
+fs_read_anon_inodefs_files(winbind_t)
auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
auth_manage_cache(winbind_t)
+domain_use_interactive_fds(winbind_t)
+
+files_read_usr_symlinks(winbind_t)
+files_list_var_lib(winbind_t)
+
logging_send_syslog_msg(winbind_t)
-miscfiles_read_localization(winbind_t)
miscfiles_read_generic_certs(winbind_t)
+sysnet_use_ldap(winbind_t)
+
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_manage_user_home_content_dirs(winbind_t)
userdom_manage_user_home_content_files(winbind_t)
userdom_manage_user_home_content_symlinks(winbind_t)
userdom_manage_user_home_content_pipes(winbind_t)
userdom_manage_user_home_content_sockets(winbind_t)
-userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
+userdom_filetrans_home_content(winbind_t)
optional_policy(`
ctdbd_stream_connect(winbind_t)
ctdbd_manage_lib_files(winbind_t)
+ ctdbd_manage_lib_dirs(winbind_t)
+')
+
+
+optional_policy(`
+ dirsrv_stream_connect(winbind_t)
')
optional_policy(`
kerberos_use(winbind_t)
+ kerberos_filetrans_named_content(winbind_t)
+')
+
+optional_policy(`
+ nis_authenticate(winbind_t)
')
optional_policy(`
@@ -959,31 +1080,36 @@ optional_policy(`
# Winbind helper local policy
#
-allow winbind_helper_t self:unix_stream_socket { accept listen };
+allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
+allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
allow winbind_helper_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t)
allow winbind_helper_t samba_var_t:dir search_dir_perms;
+files_list_var_lib(winbind_helper_t)
allow winbind_t smbcontrol_t:process signal;
+allow winbind_t smbcontrol_t:unix_dgram_socket sendto;
stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
-domain_use_interactive_fds(winbind_helper_t)
-
-files_list_var_lib(winbind_helper_t)
+dev_read_urand(winbind_helper_t)
term_list_ptys(winbind_helper_t)
+corecmd_exec_bin(winbind_helper_t)
+
+domain_use_interactive_fds(winbind_helper_t)
+
+files_list_tmp(winbind_helper_t)
+
auth_use_nsswitch(winbind_helper_t)
logging_send_syslog_msg(winbind_helper_t)
-miscfiles_read_localization(winbind_helper_t)
-
-userdom_use_user_terminals(winbind_helper_t)
+userdom_use_inherited_user_terminals(winbind_helper_t)
optional_policy(`
apache_append_log(winbind_helper_t)
@@ -997,25 +1123,38 @@ optional_policy(`
########################################
#
-# Unconfined script local policy
+# samba_unconfined_script_t local policy
#
optional_policy(`
- type samba_unconfined_script_t;
- type samba_unconfined_script_exec_t;
- domain_type(samba_unconfined_script_t)
- domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
- corecmd_shell_entry_type(samba_unconfined_script_t)
- role system_r types samba_unconfined_script_t;
+ type samba_unconfined_net_t;
+ domain_type(samba_unconfined_net_t)
+ domain_entry_file(samba_unconfined_net_t, samba_net_exec_t)
+ role system_r types samba_unconfined_net_t;
+
+ unconfined_domain(samba_unconfined_net_t)
- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
- allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+ manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t)
+ filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file)
+ userdom_use_inherited_user_terminals(samba_unconfined_net_t)
+')
+type samba_unconfined_script_t;
+type samba_unconfined_script_exec_t;
+domain_type(samba_unconfined_script_t)
+domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
+corecmd_shell_entry_type(samba_unconfined_script_t)
+role system_r types samba_unconfined_script_t;
+
+allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+
+optional_policy(`
unconfined_domain(samba_unconfined_script_t)
+')
- tunable_policy(`samba_run_unconfined',`
+tunable_policy(`samba_run_unconfined',`
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
- ',`
- can_exec(smbd_t, samba_unconfined_script_exec_t)
- ')
+',`
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
diff --git a/sambagui.te b/sambagui.te
index e18b0a284..fc24be67c 100644
--- a/sambagui.te
+++ b/sambagui.te
@@ -18,7 +18,7 @@ role sambagui_roles types sambagui_t;
# Local policy
#
-allow sambagui_t self:capability dac_override;
+allow sambagui_t self:capability { dac_read_search };
allow sambagui_t self:fifo_file rw_fifo_file_perms;
kernel_read_system_state(sambagui_t)
@@ -28,14 +28,14 @@ corecmd_exec_shell(sambagui_t)
dev_dontaudit_read_urand(sambagui_t)
-files_read_usr_files(sambagui_t)
+files_search_var_lib(sambagui_t)
auth_use_nsswitch(sambagui_t)
auth_dontaudit_read_shadow(sambagui_t)
-logging_send_syslog_msg(sambagui_t)
+init_access_check(sambagui_t)
-miscfiles_read_localization(sambagui_t)
+logging_send_syslog_msg(sambagui_t)
sysnet_use_ldap(sambagui_t)
@@ -59,8 +59,10 @@ optional_policy(`
samba_append_log(sambagui_t)
samba_manage_config(sambagui_t)
samba_manage_var_files(sambagui_t)
+ samba_manage_var_dirs(sambagui_t)
samba_read_secrets(sambagui_t)
samba_initrc_domtrans(sambagui_t)
+ samba_systemctl(sambagui_t)
samba_domtrans_smbd(sambagui_t)
samba_domtrans_nmbd(sambagui_t)
')
diff --git a/samhain.if b/samhain.if
index f0236d67d..37665a1b6 100644
--- a/samhain.if
+++ b/samhain.if
@@ -23,6 +23,8 @@ template(`samhain_service_template',`
files_read_all_files($1_t)
mls_file_write_all_levels($1_t)
+
+ logging_send_syslog_msg($1_t)
')
########################################
diff --git a/samhain.te b/samhain.te
index c41ce4bff..4b010abe6 100644
--- a/samhain.te
+++ b/samhain.te
@@ -48,7 +48,7 @@ ifdef(`enable_mls',`
# Common samhain domain local policy
#
-allow samhain_domain self:capability { dac_override dac_read_search fowner ipc_lock };
+allow samhain_domain self:capability { dac_read_search fowner ipc_lock };
dontaudit samhain_domain self:capability { sys_resource sys_ptrace };
allow samhain_domain self:fd use;
allow samhain_domain self:process { setsched setrlimit signull };
@@ -88,8 +88,6 @@ auth_read_login_records(samhain_domain)
init_read_utmp(samhain_domain)
-logging_send_syslog_msg(samhain_domain)
-
########################################
#
# Client local policy
@@ -102,7 +100,7 @@ domain_use_interactive_fds(samhain_t)
seutil_sigchld_newrole(samhain_t)
-userdom_use_user_terminals(samhain_t)
+userdom_use_inherited_user_terminals(samhain_t)
########################################
#
diff --git a/sandbox.fc b/sandbox.fc
new file mode 100644
index 000000000..b7db25411
--- /dev/null
+++ b/sandbox.fc
@@ -0,0 +1 @@
+# Empty
diff --git a/sandbox.if b/sandbox.if
new file mode 100644
index 000000000..cc29a063b
--- /dev/null
+++ b/sandbox.if
@@ -0,0 +1,96 @@
+
+## <summary>policy for sandbox</summary>
+
+########################################
+## <summary>
+## Execute sandbox in the sandbox domain, and
+## allow the specified role the sandbox domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the sandbox domain.
+## </summary>
+## </param>
+#
+interface(`sandbox_transition',`
+ gen_require(`
+ attribute sandbox_domain;
+ ')
+
+ sandbox_dyntransition($1) #885288
+ allow $1 sandbox_domain:process transition;
+ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
+
+ role $2 types sandbox_domain;
+
+ allow sandbox_domain $1:process { sigchld signull };
+ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
+
+ dontaudit sandbox_domain $1:process signal;
+ dontaudit sandbox_domain $1:key { link read search view };
+ dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Execute sandbox in the sandbox domain, and
+## allow the specified role the sandbox domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_dyntransition',`
+ gen_require(`
+ attribute sandbox_domain;
+ ')
+
+ allow $1 sandbox_domain:process dyntransition;
+')
+
+########################################
+## <summary>
+## Creates types and rules for a basic
+## sandbox process domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`sandbox_domain_template',`
+
+ gen_require(`
+ attribute sandbox_domain;
+ ')
+ type $1_t, sandbox_domain;
+
+ application_type($1_t)
+
+ # this is to satisfy the assertion:
+ dev_raw_memory_reader($1_t)
+ dev_raw_memory_writer($1_t)
+
+ mls_rangetrans_target($1_t)
+ mcs_constrained($1_t)
+
+ # this is to satisfy the assertion:
+ storage_rw_inherited_fixed_disk_dev($1_t)
+ storage_rw_inherited_scsi_generic($1_t)
+
+ # this is to satisfy the assertion:
+ auth_reader_shadow($1_t)
+ auth_writer_shadow($1_t)
+
+ #optional_policy(`
+ # unconfined_typebounds($1_t)
+ #')
+')
diff --git a/sandbox.te b/sandbox.te
new file mode 100644
index 000000000..402257c49
--- /dev/null
+++ b/sandbox.te
@@ -0,0 +1,66 @@
+policy_module(sandbox,1.0.0)
+
+attribute sandbox_domain;
+
+########################################
+#
+# Declarations
+#
+sandbox_domain_template(sandbox)
+
+########################################
+#
+# sandbox local policy
+#
+allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
+tunable_policy(`deny_execmem',`',`
+ allow sandbox_domain self:process execmem;
+')
+
+allow sandbox_domain self:fifo_file manage_file_perms;
+allow sandbox_domain self:sem create_sem_perms;
+allow sandbox_domain self:shm create_shm_perms;
+allow sandbox_domain self:msgq create_msgq_perms;
+allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
+allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
+dontaudit sandbox_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+dev_rw_all_inherited_chr_files(sandbox_domain)
+dev_rw_all_inherited_blk_files(sandbox_domain)
+
+# sandbox_file_t was moved to sandboxX.te
+optional_policy(`
+ sandbox_exec_file(sandbox_domain)
+ sandbox_manage_content(sandbox_domain)
+ sandbox_dontaudit_mounton(sandbox_domain)
+ sandbox_manage_tmpfs_files(sandbox_domain)
+')
+
+gen_require(`
+ type usr_t, lib_t, locale_t, device_t;
+ type var_t, var_run_t, rpm_log_t, locale_t;
+ attribute exec_type, configfile;
+')
+
+kernel_dontaudit_read_system_state(sandbox_domain)
+kernel_dontaudit_getattr_core_if(sandbox_domain)
+
+corecmd_exec_all_executables(sandbox_domain)
+
+dev_dontaudit_getattr_all(sandbox_domain)
+
+files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t )
+corecmd_entrypoint_all_executables(sandbox_domain)
+files_entrypoint_all_mountpoint(sandbox_domain)
+
+files_read_config_files(sandbox_domain)
+files_read_var_files(sandbox_domain)
+files_read_all_mountpoint_symlinks(sandbox_domain)
+files_dontaudit_search_all_dirs(sandbox_domain)
+
+fs_dontaudit_getattr_all_fs(sandbox_domain)
+
+userdom_use_inherited_user_terminals(sandbox_domain)
+
+mta_dontaudit_read_spool_symlinks(sandbox_domain)
+
diff --git a/sandboxX.fc b/sandboxX.fc
new file mode 100644
index 000000000..6caef6326
--- /dev/null
+++ b/sandboxX.fc
@@ -0,0 +1,2 @@
+
+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
diff --git a/sandboxX.if b/sandboxX.if
new file mode 100644
index 000000000..98dc14ef6
--- /dev/null
+++ b/sandboxX.if
@@ -0,0 +1,401 @@
+
+## <summary>policy for sandboxX </summary>
+
+########################################
+## <summary>
+## Execute sandbox in the sandbox domain, and
+## allow the specified role the sandbox domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the sandbox domain.
+## </summary>
+## </param>
+#
+interface(`sandbox_x_transition',`
+ gen_require(`
+ type sandbox_xserver_t;
+ type sandbox_file_t;
+ attribute sandbox_x_domain;
+ attribute sandbox_tmpfs_type;
+ ')
+
+ allow $1 sandbox_x_domain:process { signal_perms transition };
+ allow $1 sandbox_x_domain:process dyntransition;
+ dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
+ allow sandbox_x_domain $1:process { sigchld signull };
+ allow { sandbox_x_domain sandbox_xserver_t } $1:fd use;
+ role $2 types sandbox_x_domain;
+ role $2 types sandbox_xserver_t;
+ allow $1 sandbox_xserver_t:process signal_perms;
+ dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms;
+ dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
+ allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms };
+ dontaudit sandbox_xserver_t $1:file read;
+ allow sandbox_x_domain sandbox_x_domain:process signal;
+ # Dontaudit leaked file descriptors
+ dontaudit sandbox_x_domain $1:key { link read search view };
+ dontaudit sandbox_x_domain $1:fifo_file { read write };
+ dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
+ dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
+ dontaudit sandbox_x_domain $1:unix_stream_socket rw_socket_perms;
+ dontaudit sandbox_x_domain $1:process { signal sigkill };
+
+ allow $1 sandbox_tmpfs_type:file manage_file_perms;
+ dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
+
+ can_exec($1, sandbox_file_t)
+ allow $1 sandbox_file_t:filesystem getattr;
+ manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
+ manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
+ manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
+ manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
+ manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
+ relabel_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
+ relabel_files_pattern($1, sandbox_file_t, sandbox_file_t)
+ relabel_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
+ relabel_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
+ relabel_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+## <summary>
+## Creates types and rules for a basic
+## sandbox process domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`sandbox_x_domain_template',`
+ gen_require(`
+ type xserver_exec_t, sandbox_devpts_t;
+ type sandbox_xserver_t;
+ type sandbox_exec_t;
+ attribute sandbox_x_domain;
+ attribute sandbox_tmpfs_type;
+ attribute sandbox_type;
+ attribute sandbox_web_type;
+ ')
+
+ type $1_t, sandbox_x_domain, sandbox_type, sandbox_web_type;
+ application_type($1_t)
+ mcs_constrained($1_t)
+
+ kernel_read_system_state($1_t)
+ selinux_get_fs_mount($1_t)
+
+ auth_use_nsswitch($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ # window manager
+ miscfiles_setattr_fonts_cache_dirs($1_t)
+ allow $1_t self:capability setuid;
+
+ type $1_client_t, sandbox_x_domain;
+ application_type($1_client_t)
+ kernel_read_system_state($1_client_t)
+
+ mcs_constrained($1_t)
+
+ type $1_client_tmpfs_t, sandbox_tmpfs_type;
+ files_tmpfs_file($1_client_tmpfs_t)
+
+ manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
+ manage_files_pattern($1_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
+ fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
+ fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file )
+ # Pulseaudio tmpfs files with different MCS labels
+ dontaudit $1_client_t $1_client_tmpfs_t:file { read write };
+ dontaudit $1_t $1_client_tmpfs_t:file { read write };
+ allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
+
+ domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
+ allow $1_t sandbox_xserver_t:process signal_perms;
+
+ domtrans_pattern($1_t, sandbox_exec_t, $1_client_t)
+ domain_entry_file($1_client_t, sandbox_exec_t)
+ allow $1_client_t $1_t:shm { unix_read unix_write };
+
+ ps_process_pattern(sandbox_xserver_t, $1_client_t)
+ ps_process_pattern(sandbox_xserver_t, $1_t)
+ allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
+ allow sandbox_xserver_t $1_t:shm rw_shm_perms;
+ allow $1_client_t $1_t:unix_stream_socket connectto;
+ allow $1_t $1_client_t:unix_stream_socket connectto;
+
+ #optional_policy(`
+ # unconfined_typebounds($1_t)
+ # unconfined_typebounds($1_client_t)
+ #')
+')
+
+########################################
+## <summary>
+## allow domain to read,
+## write sandbox_xserver tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_rw_xserver_tmpfs_files',`
+ gen_require(`
+ type sandbox_xserver_tmpfs_t;
+ ')
+
+ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## allow domain to read
+## sandbox tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_read_tmpfs_files',`
+ gen_require(`
+ attribute sandbox_tmpfs_type;
+ ')
+
+ allow $1 sandbox_tmpfs_type:file read_file_perms;
+')
+
+########################################
+## <summary>
+## allow domain to manage
+## sandbox tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_manage_tmpfs_files',`
+ gen_require(`
+ attribute sandbox_tmpfs_type;
+ ')
+
+ allow $1 sandbox_tmpfs_type:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Delete sandbox files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_delete_files',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ delete_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+## <summary>
+## Manage sandbox content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_manage_content',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ allow $1 sandbox_file_t:filesystem getattr;
+ manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
+ manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
+ manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
+ manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
+ manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
+')
+
+########################################
+## <summary>
+## Delete sandbox symbolic links
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_delete_lnk_files',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ delete_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+## <summary>
+## Delete sandbox fifo files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_delete_pipes',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ delete_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+## <summary>
+## Delete sandbox sock files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_delete_sock_files',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ delete_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+## <summary>
+## Allow domain to set the attributes
+## of the sandbox directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_setattr_dirs',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ allow $1 sandbox_file_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Delete sandbox directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_delete_dirs',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ delete_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+## <summary>
+## allow domain to list sandbox dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_list',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ allow $1 sandbox_file_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Read and write a sandbox domain pty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sandbox_use_ptys',`
+ gen_require(`
+ type sandbox_devpts_t;
+ ')
+
+ allow $1 sandbox_devpts_t:chr_file rw_inherited_term_perms;
+')
+
+#######################################
+## <summary>
+## Allow domain to execute sandbox_file_t in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sandbox_exec_file',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ can_exec($1, sandbox_file_t)
+')
+
+######################################
+## <summary>
+## Allow domain to execute sandbox_file_t in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sandbox_dontaudit_mounton',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ dontaudit $1 sandbox_file_t:dir mounton;
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
index 000000000..22e956fe3
--- /dev/null
+++ b/sandboxX.te
@@ -0,0 +1,512 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
+attribute sandbox_x_domain;
+attribute sandbox_web_type;
+attribute sandbox_file_type;
+attribute sandbox_tmpfs_type;
+attribute sandbox_type;
+
+type sandbox_exec_t;
+files_type(sandbox_exec_t)
+
+type sandbox_file_t, sandbox_file_type;
+userdom_user_home_content(sandbox_file_t)
+
+typealias sandbox_file_t alias { sandbox_x_file_t sandbox_web_file_t sandbox_net_file_t sandbox_min_file_t };
+
+########################################
+#
+# Declarations
+#
+sandbox_x_domain_template(sandbox_min)
+sandbox_x_domain_template(sandbox_x)
+sandbox_x_domain_template(sandbox_web)
+sandbox_x_domain_template(sandbox_net)
+
+type sandbox_xserver_t;
+domain_type(sandbox_xserver_t)
+xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t)
+
+type sandbox_xserver_tmpfs_t;
+files_tmpfs_file(sandbox_xserver_tmpfs_t)
+
+type sandbox_devpts_t;
+term_pty(sandbox_devpts_t)
+files_type(sandbox_devpts_t)
+
+########################################
+#
+# sandbox xserver policy
+#
+allow sandbox_xserver_t self:process { signal_perms execstack };
+
+tunable_policy(`deny_execmem',`',`
+ allow sandbox_xserver_t self:process execmem;
+')
+
+allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
+allow sandbox_xserver_t self:shm create_shm_perms;
+allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
+manage_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
+manage_sock_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
+allow sandbox_xserver_t sandbox_file_t:sock_file create_sock_file_perms;
+
+manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_dontaudit_request_load_module(sandbox_xserver_t)
+kernel_read_system_state(sandbox_xserver_t)
+
+corecmd_exec_bin(sandbox_xserver_t)
+corecmd_exec_shell(sandbox_xserver_t)
+
+corenet_all_recvfrom_netlabel(sandbox_xserver_t)
+corenet_tcp_sendrecv_generic_if(sandbox_xserver_t)
+corenet_udp_sendrecv_generic_if(sandbox_xserver_t)
+corenet_tcp_sendrecv_generic_node(sandbox_xserver_t)
+corenet_udp_sendrecv_generic_node(sandbox_xserver_t)
+corenet_tcp_sendrecv_all_ports(sandbox_xserver_t)
+corenet_udp_sendrecv_all_ports(sandbox_xserver_t)
+corenet_tcp_bind_generic_node(sandbox_xserver_t)
+corenet_tcp_bind_xserver_port(sandbox_xserver_t)
+corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
+corenet_sendrecv_all_client_packets(sandbox_xserver_t)
+
+dev_read_sysfs(sandbox_xserver_t)
+dev_rwx_zero(sandbox_xserver_t)
+dev_read_urand(sandbox_xserver_t)
+
+domain_use_interactive_fds(sandbox_xserver_t)
+
+files_read_config_files(sandbox_xserver_t)
+files_search_home(sandbox_xserver_t)
+fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
+fs_list_inotifyfs(sandbox_xserver_t)
+fs_search_auto_mountpoints(sandbox_xserver_t)
+
+miscfiles_read_fonts(sandbox_xserver_t)
+
+selinux_validate_context(sandbox_xserver_t)
+selinux_compute_access_vector(sandbox_xserver_t)
+selinux_compute_create_context(sandbox_xserver_t)
+
+auth_use_nsswitch(sandbox_xserver_t)
+
+logging_send_syslog_msg(sandbox_xserver_t)
+logging_send_audit_msgs(sandbox_xserver_t)
+
+userdom_use_inherited_user_terminals(sandbox_xserver_t)
+userdom_dontaudit_search_user_home_content(sandbox_xserver_t)
+userdom_dontaudit_rw_user_tmp_pipes(sandbox_xserver_t)
+
+xserver_read_xkb_libs(sandbox_xserver_t)
+xserver_dontaudit_xkb_libs_access(sandbox_xserver_t)
+xserver_entry_type(sandbox_xserver_t)
+
+optional_policy(`
+ dbus_system_bus_client(sandbox_xserver_t)
+
+ optional_policy(`
+ hal_dbus_chat(sandbox_xserver_t)
+ ')
+')
+
+########################################
+#
+# sandbox_x_domain local policy
+#
+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack getcap setcap };
+tunable_policy(`deny_execmem',`',`
+ allow sandbox_x_domain self:process execmem;
+')
+
+allow sandbox_x_domain self:fifo_file manage_file_perms;
+allow sandbox_x_domain self:sem create_sem_perms;
+allow sandbox_x_domain self:shm create_shm_perms;
+allow sandbox_x_domain self:msgq create_msgq_perms;
+allow sandbox_x_domain self:netlink_selinux_socket create_socket_perms;
+allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
+allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
+
+dontaudit sandbox_x_domain sandbox_x_domain:process signal;
+dontaudit sandbox_x_domain sandbox_xserver_t:process signal;
+dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
+
+allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr };
+term_create_pty(sandbox_x_domain,sandbox_devpts_t)
+
+can_exec(sandbox_x_domain, sandbox_file_t)
+allow sandbox_x_domain sandbox_file_t:filesystem getattr;
+manage_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+manage_dirs_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+manage_sock_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+dontaudit sandbox_x_domain sandbox_file_t:dir mounton;
+allow sandbox_x_domain sandbox_file_t:file execmod;
+
+kernel_getattr_proc(sandbox_x_domain)
+kernel_read_network_state(sandbox_x_domain)
+kernel_dontaudit_search_kernel_sysctl(sandbox_x_domain)
+
+domain_dontaudit_read_all_domains_state(sandbox_x_domain)
+
+corecmd_exec_all_executables(sandbox_x_domain)
+
+dev_read_urand(sandbox_x_domain)
+dev_dontaudit_read_rand(sandbox_x_domain)
+dev_read_sysfs(sandbox_x_domain)
+dev_dontaudit_rw_dri(sandbox_x_domain)
+
+files_search_home(sandbox_x_domain)
+files_dontaudit_list_all_mountpoints(sandbox_x_domain)
+files_read_config_files(sandbox_x_domain)
+files_read_usr_symlinks(sandbox_x_domain)
+
+corecmd_entrypoint_all_executables(sandbox_x_domain)
+files_entrypoint_all_mountpoint(sandbox_x_domain)
+
+fs_getattr_tmpfs(sandbox_x_domain)
+fs_getattr_xattr_fs(sandbox_x_domain)
+fs_list_inotifyfs(sandbox_x_domain)
+fs_dontaudit_getattr_xattr_fs(sandbox_x_domain)
+fs_get_xattr_fs_quotas(sandbox_x_domain)
+
+auth_dontaudit_read_login_records(sandbox_x_domain)
+auth_dontaudit_write_login_records(sandbox_x_domain)
+auth_search_pam_console_data(sandbox_x_domain)
+
+init_read_utmp(sandbox_x_domain)
+init_dontaudit_write_utmp(sandbox_x_domain)
+
+libs_dontaudit_setattr_lib_files(sandbox_x_domain)
+
+miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain)
+
+mta_dontaudit_read_spool_symlinks(sandbox_x_domain)
+
+selinux_validate_context(sandbox_x_domain)
+selinux_compute_access_vector(sandbox_x_domain)
+selinux_compute_create_context(sandbox_x_domain)
+selinux_compute_relabel_context(sandbox_x_domain)
+selinux_compute_user_contexts(sandbox_x_domain)
+seutil_read_default_contexts(sandbox_x_domain)
+
+term_getattr_pty_fs(sandbox_x_domain)
+term_use_ptmx(sandbox_x_domain)
+term_search_ptys(sandbox_x_domain)
+
+application_dontaudit_signal(sandbox_x_domain)
+application_dontaudit_sigkill(sandbox_x_domain)
+
+logging_dontaudit_search_logs(sandbox_x_domain)
+
+miscfiles_read_fonts(sandbox_x_domain)
+
+storage_dontaudit_rw_fuse(sandbox_x_domain)
+
+optional_policy(`
+ bluetooth_dbus_chat(sandbox_x_domain)
+')
+
+optional_policy(`
+ colord_dbus_chat(sandbox_x_domain)
+')
+
+optional_policy(`
+ consolekit_dbus_chat(sandbox_x_domain)
+')
+
+optional_policy(`
+ cups_stream_connect(sandbox_x_domain)
+ cups_read_rw_config(sandbox_x_domain)
+')
+
+optional_policy(`
+ dbus_system_bus_client(sandbox_x_domain)
+')
+
+optional_policy(`
+ devicekit_dontaudit_dbus_chat_disk(sandbox_x_domain)
+')
+
+optional_policy(`
+ gnome_read_gconf_config(sandbox_x_domain)
+ gnome_dontaudit_rw_inherited_config(sandbox_x_domain)
+ gnome_dontaudit_rw_inherited_config(sandbox_xserver_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(sandbox_x_domain)
+')
+
+optional_policy(`
+ sssd_dontaudit_search_lib(sandbox_x_domain)
+')
+
+optional_policy(`
+ udev_read_db(sandbox_x_domain)
+')
+
+userdom_use_inherited_user_terminals(sandbox_x_domain)
+userdom_read_user_home_content_symlinks(sandbox_x_domain)
+userdom_search_user_home_content(sandbox_x_domain)
+userdom_dontaudit_rw_user_tmp_pipes(sandbox_x_domain)
+
+fs_search_auto_mountpoints(sandbox_x_domain)
+fs_read_hugetlbfs_files(sandbox_x_domain)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_auto_mountpoints(sandbox_x_domain)
+ fs_search_nfs(sandbox_xserver_t)
+ fs_read_nfs_files(sandbox_xserver_t)
+ fs_manage_nfs_dirs(sandbox_x_domain)
+ fs_manage_nfs_files(sandbox_x_domain)
+ fs_exec_nfs_files(sandbox_x_domain)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs(sandbox_xserver_t)
+ fs_read_cifs_files(sandbox_xserver_t)
+ fs_manage_cifs_dirs(sandbox_x_domain)
+ fs_manage_cifs_files(sandbox_x_domain)
+ fs_exec_cifs_files(sandbox_x_domain)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_search_fusefs(sandbox_xserver_t)
+ fs_read_fusefs_files(sandbox_xserver_t)
+ fs_manage_fusefs_dirs(sandbox_x_domain)
+ fs_manage_fusefs_files(sandbox_x_domain)
+ fs_exec_fusefs_files(sandbox_x_domain)
+')
+
+optional_policy(`
+ networkmanager_dontaudit_dbus_chat(sandbox_x_domain)
+')
+
+files_search_home(sandbox_x_t)
+userdom_use_user_ptys(sandbox_x_t)
+
+#1103622
+corenet_tcp_connect_xserver_port(sandbox_x_domain)
+xserver_stream_connect(sandbox_x_domain)
+userdom_connectto_stream(sandbox_x_domain)
+
+########################################
+#
+# sandbox_x_client_t local policy
+#
+allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms;
+allow sandbox_x_client_t self:udp_socket create_socket_perms;
+allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
+
+dev_read_rand(sandbox_x_client_t)
+
+corenet_tcp_connect_ipp_port(sandbox_x_client_t)
+corenet_dontaudit_tcp_connect_xserver_port(sandbox_x_client_t)
+
+auth_use_nsswitch(sandbox_x_client_t)
+
+logging_send_syslog_msg(sandbox_x_client_t)
+
+optional_policy(`
+ avahi_dbus_chat(sandbox_x_client_t)
+')
+
+optional_policy(`
+ colord_dbus_chat(sandbox_x_client_t)
+')
+
+optional_policy(`
+ hal_dbus_chat(sandbox_x_client_t)
+')
+
+optional_policy(`
+ nsplugin_read_rw_files(sandbox_x_client_t)
+')
+
+########################################
+#
+# sandbox_web_client_t local policy
+#
+typeattribute sandbox_web_client_t sandbox_web_type;
+
+selinux_get_fs_mount(sandbox_web_client_t)
+
+auth_use_nsswitch(sandbox_web_client_t)
+
+logging_send_syslog_msg(sandbox_web_client_t)
+
+allow sandbox_web_type self:capability { setuid setgid };
+allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
+dontaudit sandbox_web_type self:process setrlimit;
+
+allow sandbox_web_type self:tcp_socket create_stream_socket_perms;
+allow sandbox_web_type self:udp_socket create_socket_perms;
+allow sandbox_web_type self:dbus { acquire_svc send_msg };
+
+kernel_dontaudit_search_kernel_sysctl(sandbox_web_type)
+kernel_request_load_module(sandbox_web_type)
+
+dev_read_rand(sandbox_web_type)
+dev_write_sound(sandbox_web_type)
+dev_read_sound(sandbox_web_type)
+
+corenet_tcp_sendrecv_generic_if(sandbox_web_type)
+corenet_raw_sendrecv_generic_if(sandbox_web_type)
+corenet_tcp_sendrecv_generic_node(sandbox_web_type)
+corenet_raw_sendrecv_generic_node(sandbox_web_type)
+corenet_tcp_sendrecv_http_port(sandbox_web_type)
+corenet_tcp_sendrecv_http_cache_port(sandbox_web_type)
+corenet_tcp_sendrecv_squid_port(sandbox_web_type)
+corenet_tcp_sendrecv_ftp_port(sandbox_web_type)
+corenet_tcp_sendrecv_ipp_port(sandbox_web_type)
+corenet_tcp_connect_all_ephemeral_ports(sandbox_web_type)
+corenet_tcp_connect_aol_port(sandbox_web_type)
+corenet_tcp_connect_asterisk_port(sandbox_web_type)
+corenet_tcp_connect_commplex_link_port(sandbox_web_type)
+corenet_tcp_connect_couchdb_port(sandbox_web_type)
+corenet_tcp_connect_flash_port(sandbox_web_type)
+corenet_tcp_connect_ftp_port(sandbox_web_type)
+corenet_tcp_connect_gatekeeper_port(sandbox_web_type)
+corenet_tcp_connect_generic_port(sandbox_web_type)
+corenet_tcp_connect_http_cache_port(sandbox_web_type)
+corenet_tcp_connect_http_port(sandbox_web_type)
+corenet_tcp_connect_ipp_port(sandbox_web_type)
+corenet_tcp_connect_ipsecnat_port(sandbox_web_type)
+corenet_tcp_connect_ircd_port(sandbox_web_type)
+corenet_tcp_connect_jabber_client_port(sandbox_web_type)
+corenet_tcp_connect_jboss_management_port(sandbox_web_type)
+corenet_tcp_connect_mmcc_port(sandbox_web_type)
+corenet_tcp_connect_monopd_port(sandbox_web_type)
+corenet_tcp_connect_msnp_port(sandbox_web_type)
+corenet_tcp_connect_ms_streaming_port(sandbox_web_type)
+corenet_tcp_connect_pulseaudio_port(sandbox_web_type)
+corenet_tcp_connect_rtsp_port(sandbox_web_type)
+corenet_tcp_connect_soundd_port(sandbox_web_type)
+corenet_tcp_connect_speech_port(sandbox_web_type)
+corenet_tcp_connect_squid_port(sandbox_web_type)
+corenet_tcp_connect_tor_port(sandbox_web_type)
+corenet_tcp_connect_transproxy_port(sandbox_web_type)
+corenet_tcp_connect_vnc_port(sandbox_web_type)
+corenet_tcp_connect_whois_port(sandbox_web_type)
+corenet_sendrecv_http_client_packets(sandbox_web_type)
+corenet_sendrecv_http_cache_client_packets(sandbox_web_type)
+corenet_sendrecv_squid_client_packets(sandbox_web_type)
+corenet_sendrecv_ftp_client_packets(sandbox_web_type)
+corenet_sendrecv_ipp_client_packets(sandbox_web_type)
+corenet_sendrecv_generic_client_packets(sandbox_web_type)
+corenet_dontaudit_tcp_connect_xserver_port(sandbox_web_type)
+
+corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type)
+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)
+
+files_dontaudit_getattr_all_dirs(sandbox_web_type)
+
+fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type)
+fs_dontaudit_getattr_all_fs(sandbox_web_type)
+
+storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type)
+
+dbus_system_bus_client(sandbox_web_type)
+dbus_read_config(sandbox_web_type)
+selinux_validate_context(sandbox_web_type)
+selinux_compute_access_vector(sandbox_web_type)
+selinux_compute_create_context(sandbox_web_type)
+selinux_compute_relabel_context(sandbox_web_type)
+selinux_compute_user_contexts(sandbox_web_type)
+seutil_read_default_contexts(sandbox_web_type)
+
+userdom_rw_user_tmp_files(sandbox_web_type)
+userdom_delete_user_tmp_files(sandbox_web_type)
+
+optional_policy(`
+ alsa_read_rw_config(sandbox_web_type)
+')
+
+optional_policy(`
+ avahi_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
+ bluetooth_dontaudit_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
+ hal_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
+ chrome_domtrans_sandbox(sandbox_web_type)
+')
+
+optional_policy(`
+ mozilla_plugin_rw_sem(sandbox_web_type)
+')
+
+optional_policy(`
+ nsplugin_manage_rw(sandbox_web_type)
+ nsplugin_read_rw_files(sandbox_web_type)
+ nsplugin_rw_exec(sandbox_web_type)
+')
+
+optional_policy(`
+ pulseaudio_stream_connect(sandbox_web_type)
+ allow sandbox_web_type self:netlink_kobject_uevent_socket create_socket_perms;
+')
+
+optional_policy(`
+ rtkit_daemon_dontaudit_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
+ # needed by pulseaudio
+ systemd_read_logind_sessions_files(sandbox_web_type)
+ systemd_login_read_pid_files(sandbox_web_type)
+')
+
+optional_policy(`
+ udev_read_state(sandbox_web_type)
+')
+
+########################################
+#
+# sandbox_net_client_t local policy
+#
+typeattribute sandbox_net_client_t sandbox_web_type;
+
+corenet_tcp_sendrecv_generic_if(sandbox_net_client_t)
+corenet_udp_sendrecv_generic_if(sandbox_net_client_t)
+corenet_tcp_sendrecv_generic_node(sandbox_net_client_t)
+corenet_udp_sendrecv_generic_node(sandbox_net_client_t)
+corenet_tcp_sendrecv_all_ports(sandbox_net_client_t)
+corenet_udp_sendrecv_all_ports(sandbox_net_client_t)
+corenet_tcp_connect_all_ports(sandbox_net_client_t)
+corenet_sendrecv_all_client_packets(sandbox_net_client_t)
+
+selinux_get_fs_mount(sandbox_net_client_t)
+
+auth_use_nsswitch(sandbox_net_client_t)
+
+logging_send_syslog_msg(sandbox_net_client_t)
+
+optional_policy(`
+ mozilla_plugin_rw_tmpfs_files(sandbox_x_domain)
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
+ mozilla_plugin_rw_sem(sandbox_x_domain)
+ mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
+')
+userdom_dontaudit_open_user_ptys(sandbox_x_domain)
+
diff --git a/sanlock.fc b/sanlock.fc
index 3df2a0f14..7264d8ae1 100644
--- a/sanlock.fc
+++ b/sanlock.fc
@@ -1,7 +1,18 @@
+
/etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0)
-/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
+/etc/sanlock(/.*)? gen_context(system_u:object_r:sanlock_conf_t,s0)
+
+/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
+
+/var/run/sanlk-resetd(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
+
+/var/log/sanlock\.log.* gen_context(system_u:object_r:sanlock_log_t,s0)
+
+/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
+
+/usr/sbin/sanlk-resetd -- gen_context(system_u:object_r:sanlk_resetd_exec_t,s0)
-/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
+/usr/lib/systemd/system/sanlock\.service -- gen_context(system_u:object_r:sanlock_unit_file_t,s0)
-/var/log/sanlock\.log.* -- gen_context(system_u:object_r:sanlock_log_t,s0)
+/usr/lib/systemd/system/sanlk-resetd\.service -- gen_context(system_u:object_r:sanlk_resetd_unit_file_t,s0)
diff --git a/sanlock.if b/sanlock.if
index cd6c213d2..6d3cdc4d9 100644
--- a/sanlock.if
+++ b/sanlock.if
@@ -1,4 +1,6 @@
-## <summary>shared storage lock manager.</summary>
+
+## <summary>Sanlock - lock manager built on shared storage.</summary>
+
########################################
## <summary>
@@ -15,18 +17,17 @@ interface(`sanlock_domtrans',`
type sanlock_t, sanlock_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, sanlock_exec_t, sanlock_t)
')
+
########################################
## <summary>
-## Execute sanlock init scripts in
-## the initrc domain.
+## Execute sanlock server in the sanlock domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## The type of the process performing this action.
## </summary>
## </param>
#
@@ -40,8 +41,7 @@ interface(`sanlock_initrc_domtrans',`
######################################
## <summary>
-## Create, read, write, and delete
-## sanlock pid files.
+## Create, read, write, and delete sanlock PID files.
## </summary>
## <param name="domain">
## <summary>
@@ -60,28 +60,51 @@ interface(`sanlock_manage_pid_files',`
########################################
## <summary>
-## Connect to sanlock with a unix
-## domain stream socket.
+## Connect to sanlock over a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sanlock_stream_connect',`
+ gen_require(`
+ type sanlock_t, sanlock_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
+')
+
+########################################
+## <summary>
+## Execute virt server in the virt domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
## </summary>
## </param>
#
-interface(`sanlock_stream_connect',`
+interface(`sanlock_systemctl',`
gen_require(`
- type sanlock_t, sanlock_var_run_t;
+ type sanlock_unit_file_t;
+ type sanlock_t;
')
- files_search_pids($1)
- stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 sanlock_unit_file_t:file read_file_perms;
+ allow $1 sanlock_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, sanlock_t)
')
########################################
## <summary>
-## All of the rules required to
-## administrate an sanlock environment.
+## All of the rules required to administrate
+## an sanlock environment
## </summary>
## <param name="domain">
## <summary>
@@ -97,21 +120,121 @@ interface(`sanlock_stream_connect',`
#
interface(`sanlock_admin',`
gen_require(`
- type sanlock_t, sanlock_initrc_exec_t, sanlock_var_run_t;
- type sanlock_log_t;
+ type sanlock_t;
+ type sanlock_initrc_exec_t;
+ type sanlock_unit_file_t;
')
- allow $1 sanlock_t:process { ptrace signal_perms };
+ allow $1 sanlock_t:process signal_perms;
ps_process_pattern($1, sanlock_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 sanlock_t:process ptrace;
+ ')
sanlock_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 sanlock_initrc_exec_t system_r;
allow $2 system_r;
+ virt_systemctl($1)
+ admin_pattern($1, sanlock_unit_file_t)
+ allow $1 sanlock_unit_file_t:service all_service_perms;
+')
+
+########################################
+## <summary>
+## Execute sanlk_resetd_exec_t in the sanlk_resetd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sanlock_domtrans_sanlk_resetd',`
+ gen_require(`
+ type sanlk_resetd_t, sanlk_resetd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, sanlk_resetd_exec_t, sanlk_resetd_t)
+')
+
+######################################
+## <summary>
+## Execute sanlk_resetd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sanlock_exec_sanlk_resetd',`
+ gen_require(`
+ type sanlk_resetd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, sanlk_resetd_exec_t)
+')
+
+########################################
+## <summary>
+## Execute sanlk_resetd server in the sanlk_resetd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sanlock_systemctl_sanlk_resetd',`
+ gen_require(`
+ type sanlk_resetd_t;
+ type sanlk_resetd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 sanlk_resetd_unit_file_t:file read_file_perms;
+ allow $1 sanlk_resetd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, sanlk_resetd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an sanlk_resetd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sanlock_admin_sanlk_resetd',`
+ gen_require(`
+ type sanlk_resetd_t;
+ type sanlk_resetd_unit_file_t;
+ type sanlk_resetd_unit_file_t;
+ ')
+
+ allow $1 sanlk_resetd_t:process { signal_perms };
+ ps_process_pattern($1, sanlk_resetd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 sanlk_resetd_t:process ptrace;
+ ')
+
files_search_pids($1)
- admin_pattern($1, sanlock_var_run_t)
- logging_search_logs($1)
- admin_pattern($1, sanlock_log_t)
+ sanlock_systemctl_sanlk_resetd($1)
+ admin_pattern($1, sanlk_resetd_unit_file_t)
+ allow $1 sanlk_resetd_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/sanlock.te b/sanlock.te
index 0045465a0..8bd1398d1 100644
--- a/sanlock.te
+++ b/sanlock.te
@@ -6,25 +6,44 @@ policy_module(sanlock, 1.1.0)
#
## <desc>
-## <p>
-## Determine whether sanlock can use
-## nfs file systems.
-## </p>
+## <p>
+## Allow sanlock to manage nfs files
+## </p>
## </desc>
gen_tunable(sanlock_use_nfs, false)
## <desc>
+## <p>
+## Allow sanlock to manage cifs files
+## </p>
+## </desc>
+gen_tunable(sanlock_use_samba, false)
+
+## <desc>
+## <p>
+## Allow sanlock to read/write fuse files
+## </p>
+## </desc>
+gen_tunable(sanlock_use_fusefs, false)
+
+## <desc>
## <p>
-## Determine whether sanlock can use
-## cifs file systems.
+## Allow sanlock to read/write user home directories.
## </p>
## </desc>
-gen_tunable(sanlock_use_samba, false)
+gen_tunable(sanlock_enable_home_dirs, false)
type sanlock_t;
type sanlock_exec_t;
init_daemon_domain(sanlock_t, sanlock_exec_t)
+type sanlk_resetd_t;
+type sanlk_resetd_exec_t;
+init_daemon_domain(sanlk_resetd_t, sanlk_resetd_exec_t)
+
+type sanlock_conf_t;
+files_config_file(sanlock_conf_t)
+
type sanlock_var_run_t;
files_pid_file(sanlock_var_run_t)
@@ -34,6 +53,12 @@ logging_log_file(sanlock_log_t)
type sanlock_initrc_exec_t;
init_script_file(sanlock_initrc_exec_t)
+type sanlock_unit_file_t;
+systemd_unit_file(sanlock_unit_file_t)
+
+type sanlk_resetd_unit_file_t;
+systemd_unit_file(sanlk_resetd_unit_file_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
')
@@ -44,17 +69,18 @@ ifdef(`enable_mls',`
########################################
#
-# Local policy
+# sanlock local policy
#
-
-allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource };
+allow sanlock_t self:capability { chown dac_read_search ipc_lock kill setgid setuid sys_nice sys_resource };
allow sanlock_t self:process { setrlimit setsched signull signal sigkill };
+
allow sanlock_t self:fifo_file rw_fifo_file_perms;
-allow sanlock_t self:unix_stream_socket { accept listen };
+allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t)
+manage_dirs_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t)
-append_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
-create_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
-setattr_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
+manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
logging_log_filetrans(sanlock_t, sanlock_log_t, file)
manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
@@ -65,13 +91,18 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
kernel_read_system_state(sanlock_t)
kernel_read_kernel_sysctls(sanlock_t)
-dev_read_rand(sanlock_t)
-dev_read_urand(sanlock_t)
-
domain_use_interactive_fds(sanlock_t)
+files_read_mnt_symlinks(sanlock_t)
+
+fs_rw_cephfs_files(sanlock_t)
+
storage_raw_rw_fixed_disk(sanlock_t)
+dev_read_rand(sanlock_t)
+dev_read_urand(sanlock_t)
+dev_read_sysfs(sanlock_t)
+
auth_use_nsswitch(sanlock_t)
init_read_utmp(sanlock_t)
@@ -79,20 +110,35 @@ init_dontaudit_write_utmp(sanlock_t)
logging_send_syslog_msg(sanlock_t)
-miscfiles_read_localization(sanlock_t)
+tunable_policy(`sanlock_use_fusefs',`
+ fs_manage_fusefs_dirs(sanlock_t)
+ fs_manage_fusefs_files(sanlock_t)
+ fs_read_fusefs_symlinks(sanlock_t)
+ fs_getattr_fusefs(sanlock_t)
+')
tunable_policy(`sanlock_use_nfs',`
- fs_manage_nfs_dirs(sanlock_t)
- fs_manage_nfs_files(sanlock_t)
- fs_manage_nfs_named_sockets(sanlock_t)
- fs_read_nfs_symlinks(sanlock_t)
+ fs_manage_nfs_dirs(sanlock_t)
+ fs_manage_nfs_files(sanlock_t)
+ fs_manage_nfs_named_sockets(sanlock_t)
+ fs_read_nfs_symlinks(sanlock_t)
')
tunable_policy(`sanlock_use_samba',`
- fs_manage_cifs_dirs(sanlock_t)
- fs_manage_cifs_files(sanlock_t)
- fs_manage_cifs_named_sockets(sanlock_t)
- fs_read_cifs_symlinks(sanlock_t)
+ fs_manage_cifs_dirs(sanlock_t)
+ fs_manage_cifs_files(sanlock_t)
+ fs_manage_cifs_named_sockets(sanlock_t)
+ fs_read_cifs_symlinks(sanlock_t)
+')
+
+tunable_policy(`sanlock_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(sanlock_t)
+ userdom_manage_user_home_content_files(sanlock_t)
+ userdom_manage_user_home_content_symlinks(sanlock_t)
+')
+
+optional_policy(`
+ rhcs_domtrans_fenced(sanlock_t)
')
optional_policy(`
@@ -100,7 +146,34 @@ optional_policy(`
')
optional_policy(`
- virt_kill_all_virt_domains(sanlock_t)
+ virt_kill_svirt(sanlock_t)
+ virt_kill(sanlock_t)
+ virt_signal(sanlock_t)
virt_manage_lib_files(sanlock_t)
- virt_signal_all_virt_domains(sanlock_t)
+ virt_signal_svirt(sanlock_t)
+ virt_read_pid_files(sanlock_t)
+')
+
+########################################
+#
+# sanlk_resetd local policy
+#
+
+allow sanlk_resetd_t self:capability { dac_read_search };
+allow sanlk_resetd_t self:fifo_file rw_fifo_file_perms;
+allow sanlk_resetd_t sanlock_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(sanlk_resetd_t, sanlock_var_run_t, sanlock_var_run_t)
+manage_files_pattern(sanlk_resetd_t, sanlock_var_run_t, sanlock_var_run_t)
+manage_sock_files_pattern(sanlk_resetd_t, sanlock_var_run_t, sanlock_var_run_t)
+files_pid_filetrans(sanlk_resetd_t, sanlock_var_run_t, dir)
+
+kernel_dgram_send(sanlk_resetd_t)
+
+domain_use_interactive_fds(sanlk_resetd_t)
+
+logging_send_syslog_msg(sanlk_resetd_t)
+
+optional_policy(`
+ wdmd_stream_connect(sanlk_resetd_t)
')
diff --git a/sasl.fc b/sasl.fc
index 54f41c2b7..7e5867968 100644
--- a/sasl.fc
+++ b/sasl.fc
@@ -1,7 +1,12 @@
/etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0)
+#
+# /usr
+#
/usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
-/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
-
+#
+# /var
+#
+/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
/var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
diff --git a/sasl.if b/sasl.if
index 8c3c151cb..93b722789 100644
--- a/sasl.if
+++ b/sasl.if
@@ -1,4 +1,4 @@
-## <summary>SASL authentication server.</summary>
+## <summary>SASL authentication server</summary>
########################################
## <summary>
@@ -21,8 +21,8 @@ interface(`sasl_connect',`
########################################
## <summary>
-## All of the rules required to
-## administrate an sasl environment.
+## All of the rules required to administrate
+## an sasl environment
## </summary>
## <param name="domain">
## <summary>
@@ -42,9 +42,13 @@ interface(`sasl_admin',`
type saslauthd_keytab_t;
')
- allow $1 saslauthd_t:process { ptrace signal_perms };
+ allow $1 saslauthd_t:process signal_perms;
ps_process_pattern($1, saslauthd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 saslauthd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 saslauthd_initrc_exec_t system_r;
diff --git a/sasl.te b/sasl.te
index 6c3bc2059..accb664a4 100644
--- a/sasl.te
+++ b/sasl.te
@@ -6,12 +6,11 @@ policy_module(sasl, 1.15.1)
#
## <desc>
-## <p>
-## Determine whether sasl can
-## read shadow files.
-## </p>
+## <p>
+## Allow sasl to read shadow
+## </p>
## </desc>
-gen_tunable(allow_saslauthd_read_shadow, false)
+gen_tunable(saslauthd_read_shadow, false)
type saslauthd_t;
type saslauthd_exec_t;
@@ -35,7 +34,9 @@ allow saslauthd_t self:capability { setgid setuid sys_nice };
dontaudit saslauthd_t self:capability sys_tty_config;
allow saslauthd_t self:process { setsched signal_perms };
allow saslauthd_t self:fifo_file rw_fifo_file_perms;
-allow saslauthd_t self:unix_stream_socket { accept listen };
+allow saslauthd_t self:unix_dgram_socket create_socket_perms;
+allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
+allow saslauthd_t self:tcp_socket create_socket_perms;
allow saslauthd_t saslauthd_keytab_t:file read_file_perms;
@@ -48,29 +49,20 @@ kernel_read_kernel_sysctls(saslauthd_t)
kernel_read_system_state(saslauthd_t)
kernel_rw_afs_state(saslauthd_t)
-corenet_all_recvfrom_unlabeled(saslauthd_t)
+#577519
+corecmd_exec_bin(saslauthd_t)
+
corenet_all_recvfrom_netlabel(saslauthd_t)
corenet_tcp_sendrecv_generic_if(saslauthd_t)
corenet_tcp_sendrecv_generic_node(saslauthd_t)
-
-corenet_sendrecv_pop_client_packets(saslauthd_t)
+corenet_tcp_sendrecv_all_ports(saslauthd_t)
+corenet_tcp_connect_ldap_port(saslauthd_t)
corenet_tcp_connect_pop_port(saslauthd_t)
-corenet_tcp_sendrecv_pop_port(saslauthd_t)
-
-corenet_sendrecv_zarafa_client_packets(saslauthd_t)
corenet_tcp_connect_zarafa_port(saslauthd_t)
-corenet_tcp_sendrecv_zarafa_port(saslauthd_t)
-
-corecmd_exec_bin(saslauthd_t)
+corenet_sendrecv_pop_client_packets(saslauthd_t)
dev_read_urand(saslauthd_t)
-domain_use_interactive_fds(saslauthd_t)
-
-files_dontaudit_read_etc_runtime_files(saslauthd_t)
-files_dontaudit_getattr_home_dir(saslauthd_t)
-files_dontaudit_getattr_tmp_dirs(saslauthd_t)
-
fs_getattr_all_fs(saslauthd_t)
fs_search_auto_mountpoints(saslauthd_t)
@@ -78,34 +70,39 @@ selinux_compute_access_vector(saslauthd_t)
auth_use_pam(saslauthd_t)
+domain_use_interactive_fds(saslauthd_t)
+
+files_dontaudit_read_etc_runtime_files(saslauthd_t)
+files_search_var_lib(saslauthd_t)
+files_dontaudit_getattr_home_dir(saslauthd_t)
+files_dontaudit_getattr_tmp_dirs(saslauthd_t)
+
init_dontaudit_stream_connect_script(saslauthd_t)
logging_send_syslog_msg(saslauthd_t)
-miscfiles_read_localization(saslauthd_t)
miscfiles_read_generic_certs(saslauthd_t)
-seutil_dontaudit_read_config(saslauthd_t)
-
userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
userdom_dontaudit_search_user_home_dirs(saslauthd_t)
+# cjp: typeattribute doesnt work in conditionals
auth_can_read_shadow_passwords(saslauthd_t)
-tunable_policy(`allow_saslauthd_read_shadow',`
- allow saslauthd_t self:capability dac_override;
+tunable_policy(`saslauthd_read_shadow',`
+ allow saslauthd_t self:capability { dac_read_search };
auth_tunable_read_shadow(saslauthd_t)
')
optional_policy(`
kerberos_read_keytab(saslauthd_t)
kerberos_manage_host_rcache(saslauthd_t)
- kerberos_tmp_filetrans_host_rcache(saslauthd_t, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0")
kerberos_use(saslauthd_t)
')
optional_policy(`
+ mysql_search_db(saslauthd_t)
mysql_stream_connect(saslauthd_t)
- mysql_tcp_connect(saslauthd_t)
')
optional_policy(`
diff --git a/sbd.fc b/sbd.fc
new file mode 100644
index 000000000..41768eed0
--- /dev/null
+++ b/sbd.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/sbd.service -- gen_context(system_u:object_r:sbd_unit_file_t,s0)
+
+/usr/lib/systemd/system/sbd_remote.service -- gen_context(system_u:object_r:sbd_unit_file_t,s0)
+
+/usr/sbin/sbd -- gen_context(system_u:object_r:sbd_exec_t,s0)
+
+/var/run/sbd.* -- gen_context(system_u:object_r:sbd_var_run_t,s0)
diff --git a/sbd.if b/sbd.if
new file mode 100644
index 000000000..7a058a82a
--- /dev/null
+++ b/sbd.if
@@ -0,0 +1,126 @@
+
+## <summary>policy for sbd</summary>
+
+########################################
+## <summary>
+## Execute sbd_exec_t in the sbd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sbd_domtrans',`
+ gen_require(`
+ type sbd_t, sbd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, sbd_exec_t, sbd_t)
+')
+
+######################################
+## <summary>
+## Execute sbd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sbd_exec',`
+ gen_require(`
+ type sbd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, sbd_exec_t)
+')
+########################################
+## <summary>
+## Read sbd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sbd_read_pid_files',`
+ gen_require(`
+ type sbd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, sbd_var_run_t, sbd_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute sbd server in the sbd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sbd_systemctl',`
+ gen_require(`
+ type sbd_t;
+ type sbd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 sbd_unit_file_t:file read_file_perms;
+ allow $1 sbd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, sbd_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an sbd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sbd_admin',`
+ gen_require(`
+ type sbd_t;
+ type sbd_var_run_t;
+ type sbd_unit_file_t;
+ ')
+
+ allow $1 sbd_t:process { signal_perms };
+ ps_process_pattern($1, sbd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 sbd_t:process ptrace;
+ ')
+
+ files_search_pids($1)
+ admin_pattern($1, sbd_var_run_t)
+
+ sbd_systemctl($1)
+ admin_pattern($1, sbd_unit_file_t)
+ allow $1 sbd_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/sbd.te b/sbd.te
new file mode 100644
index 000000000..763349da1
--- /dev/null
+++ b/sbd.te
@@ -0,0 +1,62 @@
+policy_module(sbd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sbd_t;
+type sbd_exec_t;
+init_daemon_domain(sbd_t, sbd_exec_t)
+
+type sbd_var_run_t;
+files_pid_file(sbd_var_run_t)
+
+type sbd_unit_file_t;
+systemd_unit_file(sbd_unit_file_t)
+
+type sbd_tmpfs_t;
+userdom_user_tmpfs_file(sbd_tmpfs_t)
+
+########################################
+#
+# sbd local policy
+#
+allow sbd_t self:capability { dac_read_search ipc_lock sys_boot sys_nice sys_admin};
+allow sbd_t self:process { fork setsched signal_perms };
+allow sbd_t self:fifo_file rw_fifo_file_perms;
+allow sbd_t self:unix_stream_socket create_stream_socket_perms;
+allow sbd_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(sbd_t, sbd_var_run_t, sbd_var_run_t)
+manage_files_pattern(sbd_t, sbd_var_run_t, sbd_var_run_t)
+manage_lnk_files_pattern(sbd_t, sbd_var_run_t, sbd_var_run_t)
+files_pid_filetrans(sbd_t, sbd_var_run_t, { dir file lnk_file })
+
+manage_files_pattern(sbd_t, sbd_tmpfs_t, sbd_tmpfs_t)
+manage_dirs_pattern(sbd_t, sbd_tmpfs_t, sbd_tmpfs_t)
+fs_tmpfs_filetrans(sbd_t, sbd_tmpfs_t, { file dir })
+
+kernel_read_system_state(sbd_t)
+kernel_dgram_send(sbd_t)
+kernel_rw_kernel_sysctl(sbd_t)
+kernel_create_rpc_sysctls(sbd_t)
+
+dev_read_rand(sbd_t)
+dev_write_watchdog(sbd_t)
+
+domain_read_all_domains_state(sbd_t)
+
+files_read_etc_files(sbd_t)
+
+miscfiles_read_localization(sbd_t)
+
+logging_send_syslog_msg(sbd_t)
+
+storage_raw_rw_fixed_disk(sbd_t)
+
+optional_policy(`
+ rhcs_rw_cluster_tmpfs(sbd_t)
+ rhcs_stream_connect_cluster(sbd_t)
+
+')
diff --git a/sblim.fc b/sblim.fc
index 68a550d54..e976fc62e 100644
--- a/sblim.fc
+++ b/sblim.fc
@@ -1,6 +1,10 @@
/etc/rc\.d/init\.d/gatherer -- gen_context(system_u:object_r:sblim_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/sblim-sfcbd -- gen_context(system_u:object_r:sblim_initrc_exec_t,s0)
/usr/sbin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0)
/usr/sbin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0)
+/usr/sbin/sfcbd -- gen_context(system_u:object_r:sblim_sfcbd_exec_t,s0)
+
+/var/lib/sfcb(/.*)? gen_context(system_u:object_r:sblim_var_lib_t,s0)
/var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0)
diff --git a/sblim.if b/sblim.if
index 98c9e0a88..562666e06 100644
--- a/sblim.if
+++ b/sblim.if
@@ -1,8 +1,36 @@
-## <summary>Standards Based Linux Instrumentation for Manageability.</summary>
+## <summary> Standards Based Linux Instrumentation for Manageability. </summary>
+
+######################################
+## <summary>
+## Creates types and rules for a basic
+## sblim daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`sblim_domain_template',`
+ gen_require(`
+ attribute sblim_domain;
+ ')
+
+ type sblim_$1_t, sblim_domain;
+ type sblim_$1_exec_t;
+ init_daemon_domain(sblim_$1_t, sblim_$1_exec_t)
+
+ kernel_read_system_state(sblim_$1_t)
+
+ corenet_all_recvfrom_unlabeled(sblim_$1_t)
+ corenet_all_recvfrom_netlabel(sblim_$1_t)
+
+ logging_send_syslog_msg(sblim_$1_t)
+')
########################################
## <summary>
-## Execute gatherd in the gatherd domain.
+## Transition to gatherd.
## </summary>
## <param name="domain">
## <summary>
@@ -21,7 +49,7 @@ interface(`sblim_domtrans_gatherd',`
########################################
## <summary>
-## Read gatherd pid files.
+## Read gatherd PID files.
## </summary>
## <param name="domain">
## <summary>
@@ -40,34 +68,129 @@ interface(`sblim_read_pid_files',`
########################################
## <summary>
-## All of the rules required to
-## administrate an sblim environment.
+## Transition to sblim named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sblim_filetrans_named_content',`
+ gen_require(`
+ type sblim_var_run_t;
+ ')
+
+ files_pid_filetrans($1, sblim_var_run_t, dir, "gather")
+')
+
+########################################
+## <summary>
+## Connect to sblim_sfcb over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+#
+interface(`sblim_stream_connect_sfcbd',`
+ gen_require(`
+ type sblim_sfcb_t, sblim_var_lib_t;
+ type sblim_tmp_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t)
+ stream_connect_pattern($1, sblim_var_lib_t, sblim_tmp_t, sblim_tmp_t)
+')
+
+#######################################
+## <summary>
+## Getattr on sblim executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sblim_getattr_exec_sfcbd',`
+ gen_require(`
+ type sblim_sfcbd_exec_t;
+ ')
+
+ allow $1 sblim_sfcbd_exec_t:file getattr;
+')
+
+
+########################################
+## <summary>
+## Connect to sblim_sfcb over a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sblim_stream_connect_sfcb',`
+ gen_require(`
+ type sblim_sfcb_t, sblim_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t)
+')
+
+#######################################
+## <summary>
+## Allow read and write access to sblim semaphores.
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sblim_rw_semaphores_sfcbd',`
+ gen_require(`
+ type sblim_sfcbd_t;
+ ')
+
+ allow $1 sblim_sfcbd_t:sem rw_sem_perms;
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an gatherd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`sblim_admin',`
gen_require(`
- attribute sblim_domain;
- type sblim_initrc_exec_t, sblim_var_run_t;
+ type sblim_gatherd_t;
+ type sblim_reposd_t;
+ type sblim_var_run_t;
')
- allow $1 sblim_domain:process { ptrace signal_perms };
- ps_process_pattern($1, sblim_domain)
+ allow $1 sblim_gatherd_t:process signal_perms;
+ ps_process_pattern($1, sblim_gatherd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 sblim_gatherd_t:process ptrace;
+ allow $1 sblim_reposd_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, sblim_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 sblim_initrc_exec_t system_r;
- allow $2 system_r;
+ allow $1 sblim_reposd_t:process signal_perms;
+ ps_process_pattern($1, sblim_reposd_t)
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
diff --git a/sblim.te b/sblim.te
index 299756bc8..936d9c0dd 100644
--- a/sblim.te
+++ b/sblim.te
@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
attribute sblim_domain;
-type sblim_gatherd_t, sblim_domain;
-type sblim_gatherd_exec_t;
-init_daemon_domain(sblim_gatherd_t, sblim_gatherd_exec_t)
+sblim_domain_template(gatherd)
-type sblim_reposd_t, sblim_domain;
-type sblim_reposd_exec_t;
-init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t)
+sblim_domain_template(reposd)
+
+sblim_domain_template(sfcbd)
type sblim_initrc_exec_t;
init_script_file(sblim_initrc_exec_t)
@@ -21,6 +19,15 @@ init_script_file(sblim_initrc_exec_t)
type sblim_var_run_t;
files_pid_file(sblim_var_run_t)
+type sblim_var_lib_t;
+files_type(sblim_var_lib_t)
+
+type sblim_tmp_t;
+files_tmp_file(sblim_tmp_t)
+
+type sblim_sfcb_tmpfs_t;
+files_tmpfs_file(sblim_sfcb_tmpfs_t)
+
######################################
#
# Common sblim domain local policy
@@ -31,32 +38,39 @@ allow sblim_domain self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+files_pid_filetrans(sblim_domain, sblim_var_run_t,dir,"gather")
+
+manage_dirs_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
+manage_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
+manage_lnk_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
+files_var_lib_filetrans(sblim_domain, sblim_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
+manage_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
+manage_sock_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
+files_tmp_filetrans(sblim_domain, sblim_tmp_t, { dir file sock_file})
kernel_read_network_state(sblim_domain)
-kernel_read_system_state(sblim_domain)
+kernel_read_sysctl(sblim_domain)
-corenet_all_recvfrom_unlabeled(sblim_domain)
-corenet_all_recvfrom_netlabel(sblim_domain)
corenet_tcp_sendrecv_generic_if(sblim_domain)
corenet_tcp_sendrecv_generic_node(sblim_domain)
corenet_tcp_sendrecv_repository_port(sblim_domain)
dev_read_sysfs(sblim_domain)
+dev_read_rand(sblim_domain)
+dev_read_urand(sblim_domain)
-logging_send_syslog_msg(sblim_domain)
-
-files_read_etc_files(sblim_domain)
-
-miscfiles_read_localization(sblim_domain)
+auth_read_passwd(sblim_domain)
########################################
#
# Gatherd local policy
#
-allow sblim_gatherd_t self:capability dac_override;
-allow sblim_gatherd_t self:process signal;
+allow sblim_gatherd_t self:capability { dac_read_search sys_nice sys_ptrace };
+allow sblim_gatherd_t self:process { setsched signal };
allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
allow sblim_gatherd_t self:unix_stream_socket { accept listen };
@@ -82,8 +96,12 @@ fs_search_cgroup_dirs(sblim_gatherd_t)
storage_raw_read_fixed_disk(sblim_gatherd_t)
storage_raw_read_removable_device(sblim_gatherd_t)
+auth_use_nsswitch(sblim_gatherd_t)
+
init_read_utmp(sblim_gatherd_t)
+logging_send_syslog_msg(sblim_gatherd_t)
+
sysnet_dns_name_resolve(sblim_gatherd_t)
term_getattr_pty_fs(sblim_gatherd_t)
@@ -103,8 +121,9 @@ optional_policy(`
')
optional_policy(`
- virt_getattr_virtd_exec_files(sblim_gatherd_t)
+ virt_read_config(sblim_gatherd_t)
virt_stream_connect(sblim_gatherd_t)
+ virt_getattr_exec(sblim_gatherd_t)
')
optional_policy(`
@@ -117,6 +136,61 @@ optional_policy(`
# Reposd local policy
#
+corenet_tcp_bind_generic_node(sblim_reposd_t)
+
corenet_sendrecv_repository_server_packets(sblim_reposd_t)
corenet_tcp_bind_repository_port(sblim_reposd_t)
-corenet_tcp_bind_generic_node(sblim_domain)
+
+logging_send_syslog_msg(sblim_reposd_t)
+
+miscfiles_read_certs(sblim_reposd_t)
+
+#######################################
+#
+# Sfcbd local policy
+#
+
+allow sblim_sfcbd_t self:capability { sys_ptrace setgid setuid };
+allow sblim_sfcbd_t self:process signal;
+allow sblim_sfcbd_t self:unix_stream_socket connectto;
+
+manage_dirs_pattern(sblim_sfcbd_t, sblim_sfcb_tmpfs_t, sblim_sfcb_tmpfs_t)
+manage_files_pattern(sblim_sfcbd_t, sblim_sfcb_tmpfs_t, sblim_sfcb_tmpfs_t)
+fs_tmpfs_filetrans(sblim_sfcbd_t, sblim_sfcb_tmpfs_t, { dir file })
+
+auth_use_nsswitch(sblim_sfcbd_t)
+auth_domtrans_chkpwd(sblim_sfcbd_t)
+
+corenet_tcp_bind_pegasus_http_port(sblim_sfcbd_t)
+corenet_tcp_connect_pegasus_http_port(sblim_sfcbd_t)
+corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
+corenet_tcp_connect_pegasus_https_port(sblim_sfcbd_t)
+
+corenet_tcp_connect_http_port(sblim_sfcbd_t)
+
+corecmd_exec_shell(sblim_sfcbd_t)
+corecmd_exec_bin(sblim_sfcbd_t)
+
+dev_read_rand(sblim_sfcbd_t)
+dev_read_urand(sblim_sfcbd_t)
+
+domain_read_all_domains_state(sblim_sfcbd_t)
+domain_use_interactive_fds(sblim_sfcbd_t)
+
+logging_send_audit_msgs(sblim_sfcbd_t)
+
+optional_policy(`
+ setroubleshoot_signull(sblim_sfcbd_t)
+')
+
+optional_policy(`
+ rpm_exec(sblim_sfcbd_t)
+ rpm_dontaudit_manage_db(sblim_sfcbd_t)
+')
+
+optional_policy(`
+ virt_manage_config(sblim_sfcbd_t)
+ virt_stream_connect(sblim_sfcbd_t)
+ virt_search_images(sblim_sfcbd_t)
+ virt_getattr_images(sblim_sfcbd_t)
+')
diff --git a/screen.fc b/screen.fc
index e7c2cf74f..435aaa61c 100644
--- a/screen.fc
+++ b/screen.fc
@@ -2,8 +2,10 @@ HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
-/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
-/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
+/root/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
-/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
-/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
+/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
+/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
+
+/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
+/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
diff --git a/screen.if b/screen.if
index be5cce2d3..b81f5dfef 100644
--- a/screen.if
+++ b/screen.if
@@ -1,4 +1,4 @@
-## <summary>GNU terminal multiplexer.</summary>
+## <summary>GNU terminal multiplexer</summary>
#######################################
## <summary>
@@ -23,10 +23,9 @@
#
template(`screen_role_template',`
gen_require(`
- attribute screen_domain;
- attribute_role screen_roles;
type screen_exec_t, screen_tmp_t;
type screen_home_t, screen_var_run_t;
+ attribute screen_domain;
')
########################################
@@ -35,50 +34,53 @@ template(`screen_role_template',`
#
type $1_screen_t, screen_domain;
- userdom_user_application_domain($1_screen_t, screen_exec_t)
+ application_domain($1_screen_t, screen_exec_t)
domain_interactive_fd($1_screen_t)
- role screen_roles types $1_screen_t;
+ ubac_constrained($1_screen_t)
+ role $2 types $1_screen_t;
- roleattribute $2 screen_roles;
+ tunable_policy(`deny_ptrace',`',`
+ allow $3 $1_screen_t:process ptrace;
+ ')
- ########################################
- #
- # Local policy
- #
+ userdom_list_user_home_dirs($1_screen_t)
+ userdom_home_reader($1_screen_t)
domtrans_pattern($3, screen_exec_t, $1_screen_t)
-
- ps_process_pattern($3, $1_screen_t)
- allow $3 $1_screen_t:process { ptrace signal_perms };
-
+ allow $3 $1_screen_t:process { signal sigchld };
dontaudit $3 $1_screen_t:unix_stream_socket { read write };
+ allow $1_screen_t $3:unix_stream_socket { connectto };
allow $1_screen_t $3:process signal;
+ ps_process_pattern($1_screen_t, $3)
- allow $3 screen_tmp_t:dir { manage_dir_perms relabel_dir_perms };
- allow $3 screen_tmp_t:file { manage_file_perms relabel_file_perms };
- allow $3 screen_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-
- allow $3 screen_home_t:dir { manage_dir_perms relabel_dir_perms };
- allow $3 screen_home_t:file { manage_file_perms relabel_file_perms };
- allow $3 screen_home_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
- allow $3 screen_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
+ manage_dirs_pattern($3, screen_home_t, screen_home_t)
+ manage_files_pattern($3, screen_home_t, screen_home_t)
+ manage_lnk_files_pattern($3, screen_home_t, screen_home_t)
+ relabel_dirs_pattern($3, screen_home_t, screen_home_t)
+ relabel_files_pattern($3, screen_home_t, screen_home_t)
+ relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen")
userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf")
manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
- manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
- manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
- corecmd_bin_domtrans($1_screen_t, $3)
+ kernel_read_system_state($1_screen_t)
+
+ # Revert to the user domain when a shell is executed.
corecmd_shell_domtrans($1_screen_t, $3)
+ corecmd_bin_domtrans($1_screen_t, $3)
auth_domtrans_chk_passwd($1_screen_t)
auth_use_nsswitch($1_screen_t)
+ logging_send_syslog_msg($1_screen_t)
+
userdom_user_home_domtrans($1_screen_t, $3)
+ userdom_manage_tmp_role($2, $1_screen_t)
tunable_policy(`use_samba_home_dirs',`
fs_cifs_domtrans($1_screen_t, $3)
@@ -88,3 +90,41 @@ template(`screen_role_template',`
fs_nfs_domtrans($1_screen_t, $3)
')
')
+
+#######################################
+## <summary>
+## Execute the rssh program
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`screen_exec',`
+ gen_require(`
+ type screen_exec_t;
+ ')
+
+ can_exec($1, screen_exec_t)
+')
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to the screen domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`screen_sigchld',`
+ gen_require(`
+ attribute screen_domain;
+ ')
+
+ allow $1 screen_domain:process sigchld;
+')
+
diff --git a/screen.te b/screen.te
index 5466a7327..0ae2eef60 100644
--- a/screen.te
+++ b/screen.te
@@ -5,9 +5,7 @@ policy_module(screen, 2.6.0)
# Declarations
#
-attribute screen_domain;
-
-attribute_role screen_roles;
+attribute screen_domain;
type screen_exec_t;
application_executable_file(screen_exec_t)
@@ -17,11 +15,6 @@ typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_sc
typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t };
userdom_user_home_content(screen_home_t)
-type screen_tmp_t;
-typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t };
-typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t };
-userdom_user_tmp_file(screen_tmp_t)
-
type screen_var_run_t;
typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
@@ -30,34 +23,35 @@ ubac_constrained(screen_var_run_t)
########################################
#
-# Common screen domain local policy
+# Local policy
#
-allow screen_domain self:capability { setuid setgid fsetid };
+allow screen_domain self:capability { fsetid setgid setuid sys_tty_config };
+dontaudit screen_domain self:capability { dac_read_search };
allow screen_domain self:process signal_perms;
-allow screen_domain self:fd use;
allow screen_domain self:fifo_file rw_fifo_file_perms;
-allow screen_domain self:tcp_socket { accept listen };
-allow screen_domain self:unix_stream_socket { accept connectto listen };
-
-manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
-manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
-manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
-files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir })
-filetrans_pattern(screen_domain, screen_tmp_t, screen_var_run_t, sock_file)
+allow screen_domain self:tcp_socket create_stream_socket_perms;
+allow screen_domain self:udp_socket create_socket_perms;
+# Internal screen networking
+allow screen_domain self:fd use;
+allow screen_domain self:unix_stream_socket { create_socket_perms connectto };
+allow screen_domain self:unix_dgram_socket create_socket_perms;
+# Create fifo
manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
files_pid_filetrans(screen_domain, screen_var_run_t, dir)
+allow screen_domain screen_home_t:dir list_dir_perms;
manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t)
-read_files_pattern(screen_domain, screen_home_t, screen_home_t)
manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t)
+manage_sock_files_pattern(screen_domain, screen_home_t, screen_home_t)
+userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir)
+userdom_admin_home_dir_filetrans(screen_domain, screen_home_t, dir)
+read_files_pattern(screen_domain, screen_home_t, screen_home_t)
read_lnk_files_pattern(screen_domain, screen_home_t, screen_home_t)
-userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir, ".screen")
-kernel_read_system_state(screen_domain)
kernel_read_kernel_sysctls(screen_domain)
corecmd_list_bin(screen_domain)
@@ -66,55 +60,39 @@ corecmd_read_bin_symlinks(screen_domain)
corecmd_read_bin_pipes(screen_domain)
corecmd_read_bin_sockets(screen_domain)
-corenet_all_recvfrom_unlabeled(screen_domain)
-corenet_all_recvfrom_netlabel(screen_domain)
corenet_tcp_sendrecv_generic_if(screen_domain)
+corenet_udp_sendrecv_generic_if(screen_domain)
corenet_tcp_sendrecv_generic_node(screen_domain)
+corenet_udp_sendrecv_generic_node(screen_domain)
corenet_tcp_sendrecv_all_ports(screen_domain)
-
-corenet_sendrecv_all_client_packets(screen_domain)
+corenet_udp_sendrecv_all_ports(screen_domain)
corenet_tcp_connect_all_ports(screen_domain)
dev_dontaudit_getattr_all_chr_files(screen_domain)
dev_dontaudit_getattr_all_blk_files(screen_domain)
+# for SSP
dev_read_urand(screen_domain)
-domain_use_interactive_fds(screen_domain)
domain_sigchld_interactive_fds(screen_domain)
+domain_use_interactive_fds(screen_domain)
domain_read_all_domains_state(screen_domain)
+files_search_tmp(screen_domain)
+files_search_home(screen_domain)
files_list_home(screen_domain)
-files_read_usr_files(screen_domain)
fs_search_auto_mountpoints(screen_domain)
-fs_getattr_all_fs(screen_domain)
+fs_getattr_xattr_fs(screen_domain)
auth_dontaudit_read_shadow(screen_domain)
auth_dontaudit_exec_utempter(screen_domain)
+# Write to utmp.
init_rw_utmp(screen_domain)
-logging_send_syslog_msg(screen_domain)
-
-miscfiles_read_localization(screen_domain)
-
seutil_read_config(screen_domain)
userdom_use_user_terminals(screen_domain)
userdom_create_user_pty(screen_domain)
userdom_setattr_user_ptys(screen_domain)
userdom_setattr_user_ttys(screen_domain)
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(screen_domain)
- fs_read_cifs_files(screen_domain)
- fs_manage_cifs_named_pipes(screen_domain)
- fs_read_cifs_symlinks(screen_domain)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(screen_domain)
- fs_read_nfs_files(screen_domain)
- fs_manage_nfs_named_pipes(screen_domain)
- fs_read_nfs_symlinks(screen_domain)
-')
diff --git a/sectoolm.fc b/sectoolm.fc
index 64a239453..3f1dac59a 100644
--- a/sectoolm.fc
+++ b/sectoolm.fc
@@ -1,5 +1,4 @@
/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0)
-/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0)
-
-/var/log/sectool\.log.* -- gen_context(system_u:object_r:sectool_var_log_t,s0)
+/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0)
+/var/log/sectool\.log.* -- gen_context(system_u:object_r:sectool_var_log_t,s0)
diff --git a/sectoolm.if b/sectoolm.if
index c78a569c3..900745118 100644
--- a/sectoolm.if
+++ b/sectoolm.if
@@ -1,24 +1,2 @@
-## <summary>Sectool security audit tool.</summary>
+## <summary>Sectool security audit tool</summary>
-########################################
-## <summary>
-## Role access for sectoolm.
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role.
-## </summary>
-## </param>
-#
-interface(`sectoolm_role',`
- gen_require(`
- type sectoolm_t;
- ')
-
- allow sectoolm_t $2:unix_dgram_socket sendto;
-')
diff --git a/sectoolm.te b/sectoolm.te
index 4bc8c13ea..c30b36dbc 100644
--- a/sectoolm.te
+++ b/sectoolm.te
@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.1.0)
type sectoolm_t;
type sectoolm_exec_t;
-init_system_domain(sectoolm_t, sectoolm_exec_t)
+init_daemon_domain(sectoolm_t, sectoolm_exec_t)
type sectool_var_lib_t;
files_type(sectool_var_lib_t)
@@ -20,14 +20,14 @@ files_tmp_file(sectool_tmp_t)
########################################
#
-# Local policy
+# sectool local policy
#
-allow sectoolm_t self:capability { dac_override net_admin sys_nice };
+allow sectoolm_t self:capability { dac_read_search net_admin sys_nice sys_ptrace };
allow sectoolm_t self:process { getcap getsched signull setsched };
dontaudit sectoolm_t self:process { execstack execmem };
allow sectoolm_t self:fifo_file rw_fifo_file_perms;
-allow sectoolm_t self:unix_dgram_socket sendto;
+allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto };
manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
@@ -37,7 +37,7 @@ manage_files_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t)
manage_dirs_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t)
files_var_lib_filetrans(sectoolm_t, sectool_var_lib_t, { file dir })
-allow sectoolm_t sectool_var_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(sectoolm_t, sectool_var_log_t, sectool_var_log_t)
logging_log_filetrans(sectoolm_t, sectool_var_log_t, file)
kernel_read_net_sysctls(sectoolm_t)
@@ -65,6 +65,7 @@ fs_list_noxattr_fs(sectoolm_t)
selinux_validate_context(sectoolm_t)
+# tcp_wrappers test
application_exec_all(sectoolm_t)
auth_use_nsswitch(sectoolm_t)
@@ -73,30 +74,36 @@ libs_exec_ld_so(sectoolm_t)
logging_send_syslog_msg(sectoolm_t)
+# tests related to network
sysnet_domtrans_ifconfig(sectoolm_t)
-userdom_write_user_tmp_sockets(sectoolm_t)
+userdom_manage_user_tmp_sockets(sectoolm_t)
+userdom_dgram_send(sectoolm_t)
optional_policy(`
- mount_exec(sectoolm_t)
+ dbus_system_domain(sectoolm_t, sectoolm_exec_t)
')
optional_policy(`
- dbus_system_domain(sectoolm_t, sectoolm_exec_t)
+ # tests related to network
+ hostname_exec(sectoolm_t)
+')
- optional_policy(`
- policykit_dbus_chat(sectoolm_t)
- ')
+optional_policy(`
+ # tests related to network
+ iptables_domtrans(sectoolm_t)
')
optional_policy(`
- hostname_exec(sectoolm_t)
+ mount_exec(sectoolm_t)
')
optional_policy(`
- iptables_domtrans(sectoolm_t)
+ policykit_dbus_chat(sectoolm_t)
')
+# suid test using
+# rpm -Vf option
optional_policy(`
prelink_domtrans(sectoolm_t)
')
diff --git a/sendmail.fc b/sendmail.fc
index d14b6bfc7..da5d41d5c 100644
--- a/sendmail.fc
+++ b/sendmail.fc
@@ -1,7 +1,8 @@
-/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
-/var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0)
-/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
+/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
-/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
-/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+/var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0)
+/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
+
+/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
diff --git a/sendmail.if b/sendmail.if
index 35ad2a733..afdc7da29 100644
--- a/sendmail.if
+++ b/sendmail.if
@@ -1,4 +1,4 @@
-## <summary>Internetwork email routing facility.</summary>
+## <summary>Policy for sendmail.</summary>
########################################
## <summary>
@@ -18,7 +18,8 @@ interface(`sendmail_stub',`
########################################
## <summary>
-## Read and write sendmail unnamed pipes.
+## Allow attempts to read and write to
+## sendmail unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
@@ -36,7 +37,7 @@ interface(`sendmail_rw_pipes',`
########################################
## <summary>
-## Execute a domain transition to run sendmail.
+## Domain transition to sendmail.
## </summary>
## <param name="domain">
## <summary>
@@ -49,19 +50,30 @@ interface(`sendmail_domtrans',`
type sendmail_t;
')
- corecmd_search_bin($1)
mta_sendmail_domtrans($1, sendmail_t)
+')
- allow sendmail_t $1:fd use;
- allow sendmail_t $1:fifo_file rw_fifo_file_perms;
- allow sendmail_t $1:process sigchld;
+#######################################
+## <summary>
+## Execute sendmail in the sendmail domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_initrc_domtrans',`
+ gen_require(`
+ type sendmail_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
')
########################################
## <summary>
-## Execute the sendmail program in the
-## sendmail domain, and allow the
-## specified role the sendmail domain.
+## Execute the sendmail program in the sendmail domain.
## </summary>
## <param name="domain">
## <summary>
@@ -70,7 +82,7 @@ interface(`sendmail_domtrans',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to allow the sendmail domain.
## </summary>
## </param>
## <rolecap/>
@@ -81,7 +93,7 @@ interface(`sendmail_run',`
')
sendmail_domtrans($1)
- roleattribute $2 sendmail_roles;
+ roleattribute $2 sendmail_roles;
')
########################################
@@ -104,6 +116,53 @@ interface(`sendmail_signal',`
########################################
## <summary>
+## Execute sendmail in the sendmail_unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sendmail_domtrans_unconfined',`
+ gen_require(`
+ type unconfined_sendmail_t, sendmail_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t)
+')
+
+#######################################
+## <summary>
+## Execute sendmail in the unconfined
+## sendmail domain, and allow the
+## specified role the unconfined
+## sendmail domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_run_unconfined',`
+ gen_require(`
+ attribute_role sendmail_unconfined_roles;
+ ')
+
+ sendmail_domtrans_unconfined($1)
+ roleattribute $2 sendmail_unconfined_roles;
+')
+
+########################################
+## <summary>
## Read and write sendmail TCP sockets.
## </summary>
## <param name="domain">
@@ -141,8 +200,7 @@ interface(`sendmail_dontaudit_rw_tcp_sockets',`
########################################
## <summary>
-## Read and write sendmail unix
-## domain stream sockets.
+## Read and write sendmail unix_stream_sockets.
## </summary>
## <param name="domain">
## <summary>
@@ -179,7 +237,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
########################################
## <summary>
-## Read sendmail log files.
+## Read sendmail logs.
## </summary>
## <param name="domain">
## <summary>
@@ -199,8 +257,7 @@ interface(`sendmail_read_log',`
########################################
## <summary>
-## Create, read, write, and delete
-## sendmail log files.
+## Create, read, write, and delete sendmail logs.
## </summary>
## <param name="domain">
## <summary>
@@ -220,8 +277,7 @@ interface(`sendmail_manage_log',`
########################################
## <summary>
-## Create specified objects in generic
-## log directories sendmail log file type.
+## Create sendmail logs with the correct type.
## </summary>
## <param name="domain">
## <summary>
@@ -231,7 +287,6 @@ interface(`sendmail_manage_log',`
#
interface(`sendmail_create_log',`
refpolicywarn(`$0($*) has been deprecated, use sendmail_log_filetrans_sendmail_log() instead.')
- sendmail_log_filetrans_sendmail_log($1, $2, $3)
')
########################################
@@ -265,8 +320,7 @@ interface(`sendmail_log_filetrans_sendmail_log',`
########################################
## <summary>
-## Create, read, write, and delete
-## sendmail tmp files.
+## Manage sendmail tmp files.
## </summary>
## <param name="domain">
## <summary>
@@ -285,58 +339,27 @@ interface(`sendmail_manage_tmp_files',`
########################################
## <summary>
-## Execute sendmail in the unconfined sendmail domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`sendmail_domtrans_unconfined',`
- gen_require(`
- type unconfined_sendmail_t;
- ')
-
- mta_sendmail_domtrans($1, unconfined_sendmail_t)
-
- allow unconfined_sendmail_t $1:fd use;
- allow unconfined_sendmail_t $1:fifo_file rw_fifo_file_perms;
- allow unconfined_sendmail_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-## Execute sendmail in the unconfined
-## sendmail domain, and allow the
-## specified role the unconfined
-## sendmail domain.
+## Set the attributes of sendmail pid files.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`sendmail_run_unconfined',`
+interface(`sendmail_setattr_pid_files',`
gen_require(`
- attribute_role sendmail_unconfined_roles;
+ type sendmail_var_run_t;
')
- sendmail_domtrans_unconfined($1)
- roleattribute $2 sendmail_unconfined_roles;
+ allow $1 sendmail_var_run_t:file setattr_file_perms;
+ files_search_pids($1)
')
########################################
## <summary>
-## All of the rules required to
-## administrate an sendmail environment.
+## All of the rules required to administrate
+## an sendmail environment
## </summary>
## <param name="domain">
## <summary>
@@ -355,12 +378,17 @@ interface(`sendmail_admin',`
type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
type sendmail_keytab_t;
+ type mail_spool_t;
')
- allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { unconfined_sendmail_t sendmail_t })
+ allow $1 sendmail_t:process signal_perms;
+ ps_process_pattern($1, sendmail_t)
- init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 sendmail_t:process ptrace;
+ ')
+
+ sendmail_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 sendmail_initrc_exec_t system_r;
@@ -376,6 +404,6 @@ interface(`sendmail_admin',`
files_list_pids($1)
admin_pattern($1, sendmail_var_run_t)
- sendmail_run($1, $2)
- sendmail_run_unconfined($1, $2)
+ files_list_spool($1)
+ admin_pattern($1, mail_spool_t)
')
diff --git a/sendmail.te b/sendmail.te
index 12700b413..debacc88b 100644
--- a/sendmail.te
+++ b/sendmail.te
@@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t;
########################################
#
-# Local policy
+# Sendmail local policy
#
-allow sendmail_t self:capability { dac_override setuid setgid sys_nice chown sys_tty_config };
+allow sendmail_t self:capability { dac_read_search setuid setgid net_bind_service sys_nice chown sys_tty_config };
+dontaudit sendmail_t self:capability net_admin;
+dontaudit sendmail_t self:capability2 block_suspend;
allow sendmail_t self:process { setsched setpgid setrlimit signal signull };
allow sendmail_t self:fifo_file rw_fifo_file_perms;
-allow sendmail_t self:unix_stream_socket { accept listen };
-allow sendmail_t self:tcp_socket { accept listen };
+allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
+allow sendmail_t self:unix_dgram_socket create_socket_perms;
+allow sendmail_t self:tcp_socket create_stream_socket_perms;
+allow sendmail_t self:udp_socket create_socket_perms;
+allow sendmail_t sendmail_log_t:dir setattr_dir_perms;
+manage_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
allow sendmail_t sendmail_keytab_t:file read_file_perms;
-allow sendmail_t sendmail_log_t:dir setattr_dir_perms;
-append_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
-create_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
-setattr_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir })
manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
@@ -63,33 +65,24 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
kernel_read_network_state(sendmail_t)
kernel_read_kernel_sysctls(sendmail_t)
+# for piping mail to a command
kernel_read_system_state(sendmail_t)
+kernel_search_network_sysctl(sendmail_t)
+kernel_read_kernel_sysctls(sendmail_t)
+kernel_read_net_sysctls(sendmail_t)
-corenet_all_recvfrom_unlabeled(sendmail_t)
corenet_all_recvfrom_netlabel(sendmail_t)
corenet_tcp_sendrecv_generic_if(sendmail_t)
corenet_tcp_sendrecv_generic_node(sendmail_t)
corenet_tcp_sendrecv_all_ports(sendmail_t)
corenet_tcp_bind_generic_node(sendmail_t)
-
-corenet_sendrecv_smtp_server_packets(sendmail_t)
corenet_tcp_bind_smtp_port(sendmail_t)
-
-corenet_sendrecv_all_client_packets(sendmail_t)
corenet_tcp_connect_all_ports(sendmail_t)
+corenet_sendrecv_smtp_server_packets(sendmail_t)
+corenet_sendrecv_smtp_client_packets(sendmail_t)
-corecmd_exec_bin(sendmail_t)
-corecmd_exec_shell(sendmail_t)
-
-dev_read_sysfs(sendmail_t)
dev_read_urand(sendmail_t)
-
-domain_use_interactive_fds(sendmail_t)
-
-files_read_all_tmp_files(sendmail_t)
-files_read_etc_runtime_files(sendmail_t)
-files_read_usr_files(sendmail_t)
-files_search_spool(sendmail_t)
+dev_read_sysfs(sendmail_t)
fs_getattr_all_fs(sendmail_t)
fs_search_auto_mountpoints(sendmail_t)
@@ -98,35 +91,49 @@ fs_rw_anon_inodefs_files(sendmail_t)
term_dontaudit_use_console(sendmail_t)
term_dontaudit_use_generic_ptys(sendmail_t)
+# for piping mail to a command
+corecmd_exec_shell(sendmail_t)
+corecmd_exec_bin(sendmail_t)
+
+domain_use_interactive_fds(sendmail_t)
+
+files_search_spool(sendmail_t)
+# for piping mail to a command
+files_read_etc_runtime_files(sendmail_t)
+files_read_all_tmp_files(sendmail_t)
+
init_use_fds(sendmail_t)
init_use_script_ptys(sendmail_t)
+# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
init_read_utmp(sendmail_t)
init_dontaudit_write_utmp(sendmail_t)
init_rw_script_tmp_files(sendmail_t)
auth_use_nsswitch(sendmail_t)
+# Read /usr/lib/sasl2/.*
libs_read_lib_files(sendmail_t)
logging_send_syslog_msg(sendmail_t)
logging_dontaudit_write_generic_logs(sendmail_t)
miscfiles_read_generic_certs(sendmail_t)
-miscfiles_read_localization(sendmail_t)
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
+userdom_read_user_home_content_files(sendmail_t)
+userdom_dontaudit_list_user_home_dirs(sendmail_t)
-mta_etc_filetrans_aliases(sendmail_t, file, "aliases")
-mta_etc_filetrans_aliases(sendmail_t, file, "aliases.db")
-mta_etc_filetrans_aliases(sendmail_t, file, "aliasesdb-stamp")
+mta_read_config(sendmail_t)
+mta_etc_filetrans_aliases(sendmail_t)
+# Write to /etc/aliases and /etc/mail.
mta_manage_aliases(sendmail_t)
+# Write to /var/spool/mail and /var/spool/mqueue.
mta_manage_queue(sendmail_t)
mta_manage_spool(sendmail_t)
-mta_read_config(sendmail_t)
mta_sendmail_exec(sendmail_t)
optional_policy(`
- cfengine_dontaudit_write_log_files(sendmail_t)
+ cfengine_dontaudit_write_log(sendmail_t)
')
optional_policy(`
@@ -134,8 +141,8 @@ optional_policy(`
')
optional_policy(`
- clamav_search_lib(sendmail_t)
- clamav_stream_connect(sendmail_t)
+ antivirus_search_db(sendmail_t)
+ antivirus_stream_connect(sendmail_t)
')
optional_policy(`
@@ -164,6 +171,10 @@ optional_policy(`
')
optional_policy(`
+ inn_write_inherited_news_lib(sendmail_t)
+')
+
+optional_policy(`
milter_stream_connect_all(sendmail_t)
')
@@ -172,6 +183,11 @@ optional_policy(`
')
optional_policy(`
+ openshift_dontaudit_rw_inherited_fifo_files(sendmail_t)
+ openshift_rw_inherited_content(sendmail_t)
+')
+
+optional_policy(`
postfix_domtrans_postdrop(sendmail_t)
postfix_domtrans_master(sendmail_t)
postfix_domtrans_postqueue(sendmail_t)
@@ -193,6 +209,10 @@ optional_policy(`
')
optional_policy(`
+ spamd_stream_connect(sendmail_t)
+')
+
+optional_policy(`
udev_read_db(sendmail_t)
')
@@ -206,8 +226,6 @@ optional_policy(`
#
optional_policy(`
- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases")
- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases.db")
- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliasesdb-stamp")
+ mta_filetrans_named_content(unconfined_sendmail_t)
unconfined_domain(unconfined_sendmail_t)
')
diff --git a/sensord.fc b/sensord.fc
index 8185d5a6b..9be989a08 100644
--- a/sensord.fc
+++ b/sensord.fc
@@ -1,5 +1,9 @@
+/lib/systemd/system/sensord.service -- gen_context(system_u:object_r:sensord_unit_file_t,s0)
+
/etc/rc\.d/init\.d/sensord -- gen_context(system_u:object_r:sensord_initrc_exec_t,s0)
/usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0)
+/var/log/sensor.* gen_context(system_u:object_r:sensord_log_t,s0)
+
/var/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0)
diff --git a/sensord.if b/sensord.if
index d204752b3..85631b346 100644
--- a/sensord.if
+++ b/sensord.if
@@ -1,35 +1,81 @@
-## <summary>Sensor information logging daemon.</summary>
+
+## <summary>Sensor information logging daemon</summary>
########################################
## <summary>
-## All of the rules required to
-## administrate an sensord environment.
+## Execute sensord in the sensord domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sensord_domtrans',`
+ gen_require(`
+ type sensord_t, sensord_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, sensord_exec_t, sensord_t)
+')
+########################################
+## <summary>
+## Execute sensord server in the sensord domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
## </summary>
## </param>
-## <param name="role">
+#
+interface(`sensord_systemctl',`
+ gen_require(`
+ type sensord_t;
+ type sensord_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 sensord_unit_file_t:file read_file_perms;
+ allow $1 sensord_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, sensord_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an sensord environment
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`sensord_admin',`
gen_require(`
- type sensord_t, sensord_initrc_exec_t, sensord_var_run_t;
+ type sensord_t;
+ type sensord_unit_file_t;
+ type sensord_log_t;
+ type sensord_var_run_t;
')
allow $1 sensord_t:process { ptrace signal_perms };
ps_process_pattern($1, sensord_t)
- init_labeled_script_domtrans($1, sensord_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 sensord_initrc_exec_t system_r;
- allow $2 system_r;
+ sensord_systemctl($1)
+ admin_pattern($1, sensord_unit_file_t)
+ allow $1 sensord_unit_file_t:service all_service_perms;
- files_search_pids($1)
+ admin_pattern($1, sensord_log_t)
admin_pattern($1, sensord_var_run_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/sensord.te b/sensord.te
index 5e82fd616..ddb249dfb 100644
--- a/sensord.te
+++ b/sensord.te
@@ -9,27 +9,38 @@ type sensord_t;
type sensord_exec_t;
init_daemon_domain(sensord_t, sensord_exec_t)
+type sensord_unit_file_t;
+systemd_unit_file(sensord_unit_file_t)
+
type sensord_initrc_exec_t;
init_script_file(sensord_initrc_exec_t)
type sensord_var_run_t;
files_pid_file(sensord_var_run_t)
+type sensord_log_t;
+logging_log_file(sensord_log_t)
+
########################################
#
# Local policy
#
+allow sensord_t self:process { signal execmem };
+
allow sensord_t self:fifo_file rw_fifo_file_perms;
allow sensord_t self:unix_stream_socket create_stream_socket_perms;
+manage_files_pattern(sensord_t, sensord_log_t, sensord_log_t)
+logging_log_filetrans(sensord_t, sensord_log_t, file)
+
manage_files_pattern(sensord_t, sensord_var_run_t, sensord_var_run_t)
files_pid_filetrans(sensord_t, sensord_var_run_t, file)
-dev_read_sysfs(sensord_t)
+kernel_read_system_state(sensord_t)
-files_read_etc_files(sensord_t)
+dev_read_sysfs(sensord_t)
+dev_getattr_sysfs_fs(sensord_t)
logging_send_syslog_msg(sensord_t)
-miscfiles_read_localization(sensord_t)
diff --git a/setroubleshoot.fc b/setroubleshoot.fc
index 0b3a971f4..397a5225b 100644
--- a/setroubleshoot.fc
+++ b/setroubleshoot.fc
@@ -1,9 +1,9 @@
/usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
-/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
+/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
-/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
+/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
-/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
+/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
-/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
+/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
diff --git a/setroubleshoot.if b/setroubleshoot.if
index 3a9a70bef..903109c98 100644
--- a/setroubleshoot.if
+++ b/setroubleshoot.if
@@ -1,9 +1,8 @@
-## <summary>SELinux troubleshooting service.</summary>
+## <summary>SELinux troubleshooting service</summary>
########################################
## <summary>
-## Connect to setroubleshootd with a
-## unix domain stream socket.
+## Connect to setroubleshootd over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -23,9 +22,8 @@ interface(`setroubleshoot_stream_connect',`
########################################
## <summary>
-## Do not audit attempts to connect to
-## setroubleshootd with a unix
-## domain stream socket.
+## Dontaudit attempts to connect to setroubleshootd
+## over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -42,6 +40,24 @@ interface(`setroubleshoot_dontaudit_stream_connect',`
dontaudit $1 setroubleshootd_t:unix_stream_socket connectto;
')
+#######################################
+## <summary>
+## Send null signals to setroubleshoot.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_signull',`
+ gen_require(`
+ type setroubleshootd_t;
+ ')
+
+ allow $1 setroubleshootd_t:process signull;
+')
+
########################################
## <summary>
## Send and receive messages from
@@ -107,8 +123,27 @@ interface(`setroubleshoot_dbus_chat_fixit',`
########################################
## <summary>
-## All of the rules required to
-## administrate an setroubleshoot environment.
+## Dontaudit read/write to a setroubleshoot leaked sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_fixit_dontaudit_leaks',`
+ gen_require(`
+ type setroubleshoot_fixit_t;
+ ')
+
+ dontaudit $1 setroubleshoot_fixit_t:unix_dgram_socket { read write };
+ dontaudit $1 setroubleshoot_fixit_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an setroubleshoot environment
## </summary>
## <param name="domain">
## <summary>
@@ -119,12 +154,15 @@ interface(`setroubleshoot_dbus_chat_fixit',`
#
interface(`setroubleshoot_admin',`
gen_require(`
- type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_fixit_t;
- type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
+ type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t;
+ type setroubleshoot_var_lib_t;
')
- allow $1 { setroubleshoot_fixit_t setroubleshootd_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { setroubleshootd_t setroubleshoot_fixit_t })
+ allow $1 setroubleshootd_t:process signal_perms;
+ ps_process_pattern($1, setroubleshootd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 setroubleshootd_t:process ptrace;
+ ')
logging_list_logs($1)
admin_pattern($1, setroubleshoot_var_log_t)
diff --git a/setroubleshoot.te b/setroubleshoot.te
index ce6793506..4985c026f 100644
--- a/setroubleshoot.te
+++ b/setroubleshoot.te
@@ -7,68 +7,111 @@ policy_module(setroubleshoot, 1.12.1)
type setroubleshootd_t alias setroubleshoot_t;
type setroubleshootd_exec_t;
-init_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
+domain_type(setroubleshootd_t)
+init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
type setroubleshoot_fixit_t;
type setroubleshoot_fixit_exec_t;
-init_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
+init_daemon_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
type setroubleshoot_var_lib_t;
files_type(setroubleshoot_var_lib_t)
+# log files
type setroubleshoot_var_log_t;
logging_log_file(setroubleshoot_var_log_t)
+# pid files
type setroubleshoot_var_run_t;
files_pid_file(setroubleshoot_var_run_t)
+type setroubleshoot_tmp_t;
+files_tmp_file(setroubleshoot_tmp_t)
+
+type setroubleshoot_tmpfs_t;
+files_tmpfs_file(setroubleshoot_tmpfs_t)
+
+type setroubleshoot_fixit_tmp_t;
+files_tmp_file(setroubleshoot_fixit_tmp_t)
+
+type setroubleshoot_fixit_tmpfs_t;
+files_tmpfs_file(setroubleshoot_fixit_tmpfs_t)
+
########################################
#
-# Local policy
+# setroubleshootd local policy
#
-allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config };
-allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal execmem execstack };
+allow setroubleshootd_t self:capability { sys_nice sys_ptrace sys_tty_config };
+dontaudit setroubleshootd_t self:capability net_admin;
+
+allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
+# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run
+allow setroubleshootd_t self:process { execmem execstack };
allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
-allow setroubleshootd_t self:tcp_socket { accept listen };
-allow setroubleshootd_t self:unix_stream_socket { accept connectto listen };
+allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
+allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
+
+
+manage_files_pattern(setroubleshootd_t, setroubleshoot_tmp_t, setroubleshoot_tmp_t)
+manage_dirs_pattern(setroubleshootd_t, setroubleshoot_tmp_t, setroubleshoot_tmp_t)
+files_tmp_filetrans(setroubleshootd_t, setroubleshoot_tmp_t, { file dir })
+allow setroubleshootd_t setroubleshoot_tmp_t:file mmap_file_perms;
+
+manage_files_pattern(setroubleshootd_t, setroubleshoot_tmpfs_t, setroubleshoot_tmpfs_t)
+manage_dirs_pattern(setroubleshootd_t, setroubleshoot_tmpfs_t, setroubleshoot_tmpfs_t)
+fs_tmpfs_filetrans(setroubleshootd_t, setroubleshoot_tmpfs_t, { file dir })
+allow setroubleshootd_t setroubleshoot_tmpfs_t:file mmap_file_perms;
+
+manage_files_pattern(setroubleshoot_fixit_t, setroubleshoot_fixit_tmp_t, setroubleshoot_fixit_tmp_t)
+manage_dirs_pattern(setroubleshoot_fixit_t, setroubleshoot_fixit_tmp_t, setroubleshoot_fixit_tmp_t)
+files_tmp_filetrans(setroubleshoot_fixit_t, setroubleshoot_fixit_tmp_t, { file dir })
+allow setroubleshoot_fixit_t setroubleshoot_fixit_tmp_t:file mmap_file_perms;
-allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr_dir_perms;
+manage_files_pattern(setroubleshoot_fixit_t, setroubleshoot_fixit_tmpfs_t, setroubleshoot_fixit_tmpfs_t)
+manage_dirs_pattern(setroubleshoot_fixit_t, setroubleshoot_fixit_tmpfs_t, setroubleshoot_fixit_tmpfs_t)
+fs_tmpfs_filetrans(setroubleshoot_fixit_t, setroubleshoot_fixit_tmpfs_t, { file dir })
+allow setroubleshoot_fixit_t setroubleshoot_fixit_tmpfs_t:file mmap_file_perms;
+
+# database files
+allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr;
manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t)
files_var_lib_filetrans(setroubleshootd_t, setroubleshoot_var_lib_t, { file dir })
-allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr_dir_perms;
-append_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
-create_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
-setattr_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
+# log files
+allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr;
+manage_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir })
+# pid file
manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file dir })
+
kernel_read_kernel_sysctls(setroubleshootd_t)
kernel_read_system_state(setroubleshootd_t)
kernel_read_net_sysctls(setroubleshootd_t)
kernel_read_network_state(setroubleshootd_t)
kernel_dontaudit_list_all_proc(setroubleshootd_t)
kernel_read_irq_sysctls(setroubleshootd_t)
+kernel_read_rpc_sysctls(setroubleshootd_t)
kernel_read_unlabeled_state(setroubleshootd_t)
corecmd_exec_bin(setroubleshootd_t)
corecmd_exec_shell(setroubleshootd_t)
corecmd_read_all_executables(setroubleshootd_t)
-corenet_all_recvfrom_unlabeled(setroubleshootd_t)
corenet_all_recvfrom_netlabel(setroubleshootd_t)
corenet_tcp_sendrecv_generic_if(setroubleshootd_t)
corenet_tcp_sendrecv_generic_node(setroubleshootd_t)
-
-corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
+corenet_tcp_sendrecv_all_ports(setroubleshootd_t)
+corenet_tcp_bind_generic_node(setroubleshootd_t)
corenet_tcp_connect_smtp_port(setroubleshootd_t)
-corenet_tcp_sendrecv_smtp_port(setroubleshootd_t)
+corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
dev_read_urand(setroubleshootd_t)
dev_read_sysfs(setroubleshootd_t)
@@ -76,10 +119,9 @@ dev_getattr_all_blk_files(setroubleshootd_t)
dev_getattr_all_chr_files(setroubleshootd_t)
dev_getattr_mtrr_dev(setroubleshootd_t)
-domain_dontaudit_search_all_domains_state(setroubleshootd_t)
+domain_read_all_domains_state(setroubleshootd_t)
domain_signull_all_domains(setroubleshootd_t)
-files_read_usr_files(setroubleshootd_t)
files_list_all(setroubleshootd_t)
files_getattr_all_files(setroubleshootd_t)
files_getattr_all_pipes(setroubleshootd_t)
@@ -109,27 +151,24 @@ init_read_utmp(setroubleshootd_t)
init_dontaudit_write_utmp(setroubleshootd_t)
libs_exec_ld_so(setroubleshootd_t)
+libs_exec_ldconfig(setroubleshootd_t)
locallogin_dontaudit_use_fds(setroubleshootd_t)
logging_send_audit_msgs(setroubleshootd_t)
logging_send_syslog_msg(setroubleshootd_t)
logging_stream_connect_dispatcher(setroubleshootd_t)
+logging_stream_connect_syslog(setroubleshootd_t)
-miscfiles_read_localization(setroubleshootd_t)
-
+seutil_read_bin_policy(setroubleshootd_t)
seutil_read_config(setroubleshootd_t)
+seutil_read_default_contexts(setroubleshootd_t)
seutil_read_file_contexts(setroubleshootd_t)
-seutil_read_bin_policy(setroubleshootd_t)
userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
optional_policy(`
- dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
-
- optional_policy(`
- abrt_dbus_chat(setroubleshootd_t)
- ')
+ abrt_dbus_chat(setroubleshootd_t)
')
optional_policy(`
@@ -137,10 +176,18 @@ optional_policy(`
')
optional_policy(`
+ mock_getattr_lib(setroubleshootd_t)
+')
+
+optional_policy(`
modutils_read_module_config(setroubleshootd_t)
')
optional_policy(`
+ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
+')
+
+optional_policy(`
rpm_exec(setroubleshootd_t)
rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
@@ -150,26 +197,36 @@ optional_policy(`
########################################
#
-# Fixit local policy
+# setroubleshoot_fixit local policy
#
allow setroubleshoot_fixit_t self:capability sys_nice;
allow setroubleshoot_fixit_t self:process { setsched getsched };
+dontaudit setroubleshoot_fixit_t self:process execmem;
allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms;
+allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms;
allow setroubleshoot_fixit_t setroubleshootd_t:process signull;
+setroubleshoot_dbus_chat(setroubleshoot_fixit_t)
setroubleshoot_stream_connect(setroubleshoot_fixit_t)
kernel_read_system_state(setroubleshoot_fixit_t)
+kernel_read_network_state(setroubleshoot_fixit_t)
corecmd_exec_bin(setroubleshoot_fixit_t)
corecmd_exec_shell(setroubleshoot_fixit_t)
corecmd_getattr_all_executables(setroubleshoot_fixit_t)
+dev_read_sysfs(setroubleshoot_fixit_t)
+dev_read_urand(setroubleshoot_fixit_t)
+
+selinux_read_policy(setroubleshoot_fixit_t)
+
seutil_domtrans_setfiles(setroubleshoot_fixit_t)
+seutil_domtrans_setsebool(setroubleshoot_fixit_t)
+seutil_read_module_store(setroubleshoot_fixit_t)
-files_read_usr_files(setroubleshoot_fixit_t)
files_list_tmp(setroubleshoot_fixit_t)
auth_use_nsswitch(setroubleshoot_fixit_t)
@@ -177,23 +234,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
logging_send_audit_msgs(setroubleshoot_fixit_t)
logging_send_syslog_msg(setroubleshoot_fixit_t)
-miscfiles_read_localization(setroubleshoot_fixit_t)
-
-userdom_read_all_users_state(setroubleshoot_fixit_t)
+userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t)
userdom_signull_unpriv_users(setroubleshoot_fixit_t)
optional_policy(`
dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
- setroubleshoot_dbus_chat(setroubleshoot_fixit_t)
+')
- optional_policy(`
- policykit_dbus_chat(setroubleshoot_fixit_t)
- ')
+optional_policy(`
+ gnome_dontaudit_search_config(setroubleshoot_fixit_t)
')
optional_policy(`
+ rpm_exec(setroubleshoot_fixit_t)
rpm_signull(setroubleshoot_fixit_t)
rpm_read_db(setroubleshoot_fixit_t)
rpm_dontaudit_manage_db(setroubleshoot_fixit_t)
rpm_use_script_fds(setroubleshoot_fixit_t)
')
+
+optional_policy(`
+ policykit_dbus_chat(setroubleshoot_fixit_t)
+ userdom_read_all_users_state(setroubleshoot_fixit_t)
+')
diff --git a/sge.fc b/sge.fc
new file mode 100644
index 000000000..160ddc2b8
--- /dev/null
+++ b/sge.fc
@@ -0,0 +1,6 @@
+
+/usr/bin/sge_execd -- gen_context(system_u:object_r:sge_execd_exec_t,s0)
+/usr/bin/sge_shepherd -- gen_context(system_u:object_r:sge_shepherd_exec_t,s0)
+
+/var/spool/gridengine(/.*)? gen_context(system_u:object_r:sge_spool_t,s0)
+
diff --git a/sge.if b/sge.if
new file mode 100644
index 000000000..c9d2d9c42
--- /dev/null
+++ b/sge.if
@@ -0,0 +1,24 @@
+## <summary>Policy for gridengine MPI jobs</summary>
+
+######################################
+## <summary>
+## Creates types and rules for a basic
+## sge domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`sge_basic_types_template',`
+ gen_require(`
+ attribute sge_domain;
+ ')
+
+ type $1_t, sge_domain;
+ type $1_exec_t;
+
+ kernel_read_system_state($1_t)
+')
+
diff --git a/sge.te b/sge.te
new file mode 100644
index 000000000..0b167701a
--- /dev/null
+++ b/sge.te
@@ -0,0 +1,196 @@
+policy_module(sge, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow sge to access nfs file systems.
+## </p>
+## </desc>
+gen_tunable(sge_use_nfs, false)
+
+## <desc>
+## <p>
+## Allow sge to connect to the network using any TCP port
+## </p>
+## </desc>
+gen_tunable(sge_domain_can_network_connect, false)
+
+attribute sge_domain;
+
+sge_basic_types_template(sge_execd)
+init_daemon_domain(sge_execd_t, sge_execd_exec_t)
+
+type sge_spool_t;
+files_type(sge_spool_t)
+
+type sge_tmp_t;
+files_tmp_file(sge_tmp_t)
+
+sge_basic_types_template(sge_shepherd)
+application_domain(sge_shepherd_t, sge_shepherd_exec_t)
+role system_r types sge_shepherd_t;
+
+sge_basic_types_template(sge_job)
+application_domain(sge_job_t, sge_job_exec_t)
+corecmd_shell_entry_type(sge_job_t)
+role system_r types sge_job_t;
+
+#######################################
+#
+# sge_execd local policy
+#
+
+allow sge_execd_t self:capability { dac_read_search kill setuid chown setgid };
+allow sge_execd_t self:process { setsched signal setpgid };
+
+allow sge_execd_t sge_shepherd_t:process signal;
+
+kernel_read_kernel_sysctls(sge_execd_t)
+
+corenet_tcp_bind_sge_port(sge_execd_t)
+corenet_tcp_connect_sge_port(sge_execd_t)
+
+dev_read_sysfs(sge_execd_t)
+
+files_exec_usr_files(sge_execd_t)
+files_search_spool(sge_execd_t)
+
+fs_getattr_xattr_fs(sge_execd_t)
+fs_read_cgroup_files(sge_execd_t)
+
+auth_use_nsswitch(sge_execd_t)
+
+logging_send_syslog_msg(sge_execd_t)
+
+init_read_utmp(sge_execd_t)
+
+optional_policy(`
+ sendmail_domtrans(sge_execd_t)
+')
+
+######################################
+#
+# sge_shepherd local policy
+#
+
+allow sge_shepherd_t self:capability { setuid sys_nice chown kill setgid dac_read_search };
+allow sge_shepherd_t self:process { setsched setrlimit setpgid };
+allow sge_shepherd_t self:process signal_perms;
+
+domtrans_pattern(sge_execd_t, sge_shepherd_exec_t, sge_shepherd_t)
+
+kernel_read_sysctl(sge_shepherd_t)
+kernel_read_kernel_sysctls(sge_shepherd_t)
+
+dev_read_sysfs(sge_shepherd_t)
+
+fs_getattr_all_fs(sge_shepherd_t)
+
+logging_send_syslog_msg(sge_shepherd_t)
+
+optional_policy(`
+ mta_send_mail(sge_shepherd_t)
+')
+
+optional_policy(`
+ ssh_domtrans(sge_shepherd_t)
+')
+
+optional_policy(`
+ unconfined_domain(sge_shepherd_t)
+')
+
+#####################################
+#
+# sge_job local policy
+#
+
+allow sge_shepherd_t sge_job_t:process signal_perms;
+
+corecmd_shell_domtrans(sge_shepherd_t, sge_job_t)
+
+kernel_read_kernel_sysctls(sge_job_t)
+
+term_use_all_terms(sge_job_t)
+
+logging_send_syslog_msg(sge_job_t)
+
+optional_policy(`
+ ssh_basic_client_template(sge_job, sge_job_t, system_r)
+ ssh_domtrans(sge_job_t)
+
+ allow sge_job_t sge_job_ssh_t:process sigkill;
+ allow sge_shepherd_t sge_job_ssh_t:process sigkill;
+
+ xserver_exec_xauth(sge_job_ssh_t)
+
+ tunable_policy(`sge_use_nfs',`
+ fs_list_auto_mountpoints(sge_job_ssh_t)
+ fs_manage_nfs_dirs(sge_job_ssh_t)
+ fs_manage_nfs_files(sge_job_ssh_t)
+ fs_read_nfs_symlinks(sge_job_ssh_t)
+ ')
+ ')
+
+optional_policy(`
+ xserver_domtrans_xauth(sge_job_t)
+')
+
+optional_policy(`
+ unconfined_domain(sge_job_t)
+')
+
+#####################################
+#
+# sge_domain local policy
+#
+
+allow sge_domain self:fifo_file rw_fifo_file_perms;
+allow sge_domain self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(sge_domain, sge_spool_t, sge_spool_t)
+manage_files_pattern(sge_domain, sge_spool_t, sge_spool_t)
+manage_lnk_files_pattern(sge_domain, sge_spool_t, sge_spool_t)
+
+manage_files_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
+manage_lnk_files_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
+manage_dirs_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
+files_tmp_filetrans(sge_domain, sge_tmp_t, { file dir })
+
+kernel_read_network_state(sge_domain)
+
+corecmd_exec_bin(sge_domain)
+corecmd_exec_shell(sge_domain)
+
+domain_read_all_domains_state(sge_domain)
+
+
+dev_read_urand(sge_domain)
+
+tunable_policy(`sge_domain_can_network_connect',`
+ corenet_tcp_connect_all_ports(sge_domain)
+')
+
+tunable_policy(`sge_use_nfs',`
+ fs_list_auto_mountpoints(sge_domain)
+ fs_manage_nfs_dirs(sge_domain)
+ fs_manage_nfs_files(sge_domain)
+ fs_read_nfs_symlinks(sge_domain)
+ fs_exec_nfs_files(sge_domain)
+')
+
+optional_policy(`
+ sysnet_dns_name_resolve(sge_domain)
+')
+
+optional_policy(`
+ hostname_exec(sge_domain)
+')
+
+optional_policy(`
+ nslcd_stream_connect(sge_domain)
+')
diff --git a/shorewall.if b/shorewall.if
index 1aeef8ac3..d5ce40a96 100644
--- a/shorewall.if
+++ b/shorewall.if
@@ -1,4 +1,4 @@
-## <summary>Shoreline Firewall high-level tool for configuring netfilter.</summary>
+## <summary>Shoreline Firewall high-level tool for configuring netfilter</summary>
########################################
## <summary>
@@ -15,7 +15,6 @@ interface(`shorewall_domtrans',`
type shorewall_t, shorewall_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, shorewall_exec_t, shorewall_t)
')
@@ -34,13 +33,12 @@ interface(`shorewall_lib_domtrans',`
type shorewall_t, shorewall_var_lib_t;
')
- files_search_var_lib($1)
domtrans_pattern($1, shorewall_var_lib_t, shorewall_t)
')
#######################################
## <summary>
-## Read shorewall configuration files.
+## Read shorewall etc configuration files.
## </summary>
## <param name="domain">
## <summary>
@@ -57,47 +55,9 @@ interface(`shorewall_read_config',`
read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
')
-#######################################
-## <summary>
-## Read shorewall pid files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`shorewall_read_pid_files',`
- gen_require(`
- type shorewall_var_run_t;
- ')
-
- files_search_pids($1)
- read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
-')
-
-#######################################
-## <summary>
-## Read and write shorewall pid files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`shorewall_rw_pid_files',`
- gen_require(`
- type shorewall_var_run_t;
- ')
-
- files_search_pids($1)
- rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
-')
-
######################################
## <summary>
-## Read shorewall lib files.
+## Read shorewall /var/lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -106,36 +66,38 @@ interface(`shorewall_rw_pid_files',`
## </param>
#
interface(`shorewall_read_lib_files',`
- gen_require(`
+ gen_require(`
type shorewall_var_lib_t;
- ')
+ ')
- files_search_var_lib($1)
- read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+ files_search_var_lib($1)
+ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+ read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
')
#######################################
## <summary>
-## Read and write shorewall lib files.
+## Read and write shorewall /var/lib files.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`shorewall_rw_lib_files',`
- gen_require(`
- type shorewall_var_lib_t;
- ')
+ gen_require(`
+ type shorewall_var_lib_t;
+ ')
- files_search_var_lib($1)
- rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+ files_search_var_lib($1)
+ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+ rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
')
#######################################
## <summary>
-## Read shorewall temporary files.
+## Read shorewall tmp files.
## </summary>
## <param name="domain">
## <summary>
@@ -154,8 +116,8 @@ interface(`shorewall_read_tmp_files',`
#######################################
## <summary>
-## All of the rules required to
-## administrate an shorewall environment.
+## All of the rules required to administrate
+## an shorewall environment
## </summary>
## <param name="domain">
## <summary>
@@ -164,28 +126,30 @@ interface(`shorewall_read_tmp_files',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the syslog domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`shorewall_admin',`
gen_require(`
- type shorewall_t, shorewall_lock_t, shorewall_log_t;
- type shorewall_exec_t, shorewall_initrc_exec_t, shorewall_var_lib_t;
+ type shorewall_t, shorewall_lock_t;
+ type shorewall_log_t;
+ type shorewall_initrc_exec_t, shorewall_var_lib_t;
type shorewall_tmp_t, shorewall_etc_t;
')
- allow $1 shorewall_t:process { ptrace signal_perms };
+ allow $1 shorewall_t:process signal_perms;
ps_process_pattern($1, shorewall_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 shorewall_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 shorewall_initrc_exec_t system_r;
allow $2 system_r;
- can_exec($1, shorewall_exec_t)
-
files_list_etc($1)
admin_pattern($1, shorewall_etc_t)
diff --git a/shorewall.te b/shorewall.te
index 7710b9f76..fbf1ac1a0 100644
--- a/shorewall.te
+++ b/shorewall.te
@@ -32,8 +32,9 @@ logging_log_file(shorewall_log_t)
# Local policy
#
-allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin };
+allow shorewall_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_nice sys_admin };
dontaudit shorewall_t self:capability sys_tty_config;
+allow shorewall_t self:process signal_perms;
allow shorewall_t self:fifo_file rw_fifo_file_perms;
allow shorewall_t self:netlink_socket create_socket_perms;
@@ -44,9 +45,7 @@ manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t)
files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
-append_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
-create_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
-setattr_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
+manage_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir })
manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
@@ -57,6 +56,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
+allow shorewall_t shorewall_var_lib_t:file entrypoint;
+
+allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
@@ -74,7 +76,6 @@ dev_read_urand(shorewall_t)
domain_read_all_domains_state(shorewall_t)
files_getattr_kernel_modules(shorewall_t)
-files_read_usr_files(shorewall_t)
files_search_kernel_modules(shorewall_t)
fs_getattr_all_fs(shorewall_t)
@@ -86,12 +87,11 @@ init_rw_utmp(shorewall_t)
logging_read_generic_logs(shorewall_t)
logging_send_syslog_msg(shorewall_t)
-miscfiles_read_localization(shorewall_t)
-
sysnet_domtrans_ifconfig(shorewall_t)
-userdom_dontaudit_list_user_home_dirs(shorewall_t)
-userdom_use_user_terminals(shorewall_t)
+userdom_dontaudit_list_admin_dir(shorewall_t)
+userdom_use_inherited_user_ttys(shorewall_t)
+userdom_use_inherited_user_ptys(shorewall_t)
optional_policy(`
brctl_domtrans(shorewall_t)
@@ -110,5 +110,9 @@ optional_policy(`
')
optional_policy(`
+ netutils_domtrans(shorewall_t)
+')
+
+optional_policy(`
ulogd_search_log(shorewall_t)
')
diff --git a/shutdown.fc b/shutdown.fc
index a91f33b0f..631dbc1dc 100644
--- a/shutdown.fc
+++ b/shutdown.fc
@@ -8,4 +8,4 @@
/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
+/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
diff --git a/shutdown.if b/shutdown.if
index d1706bf87..3aa7c9fd1 100644
--- a/shutdown.if
+++ b/shutdown.if
@@ -1,30 +1,4 @@
-## <summary>System shutdown command.</summary>
-
-########################################
-## <summary>
-## Role access for shutdown.
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role.
-## </summary>
-## </param>
-#
-interface(`shutdown_role',`
- gen_require(`
- type shutdown_t;
- ')
-
- shutdown_run($2, $1)
-
- allow $2 shutdown_t:process { ptrace signal_perms };
- ps_process_pattern($2, shutdown_t)
-')
+## <summary>System shutdown command</summary>
########################################
## <summary>
@@ -43,13 +17,27 @@ interface(`shutdown_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, shutdown_exec_t, shutdown_t)
+
+ init_reboot($1)
+ init_halt($1)
+
+ optional_policy(`
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ init_stream_connect($1)
+ systemd_login_reboot($1)
+ systemd_login_halt($1)
+ ')
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms;
+ ')
')
########################################
## <summary>
-## Execute shutdown in the shutdown
-## domain, and allow the specified role
-## the shutdown domain.
+## Execute shutdown in the shutdown domain, and
+## allow the specified role the shutdown domain.
## </summary>
## <param name="domain">
## <summary>
@@ -64,16 +52,62 @@ interface(`shutdown_domtrans',`
#
interface(`shutdown_run',`
gen_require(`
+ type shutdown_t;
attribute_role shutdown_roles;
')
- shutdown_domtrans($1)
- roleattribute $2 shutdown_roles;
+ shutdown_domtrans($1)
+ roleattribute $2 shutdown_roles;
')
########################################
## <summary>
-## Send generic signals to shutdown.
+## Role access for shutdown
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`shutdown_role',`
+ gen_require(`
+ type shutdown_t;
+ ')
+
+ shutdown_run($2, $1)
+
+ allow $2 shutdown_t:process { ptrace signal_perms };
+ ps_process_pattern($2, shutdown_t)
+')
+
+########################################
+## <summary>
+## Recieve sigchld from shutdown
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`shutdown_send_sigchld',`
+ gen_require(`
+ type shutdown_t;
+ ')
+
+ allow shutdown_t $1:process signal;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## shutdown over dbus.
## </summary>
## <param name="domain">
## <summary>
@@ -81,17 +115,19 @@ interface(`shutdown_run',`
## </summary>
## </param>
#
-interface(`shutdown_signal',`
+interface(`shutdown_dbus_chat',`
gen_require(`
type shutdown_t;
+ class dbus send_msg;
')
- allow shutdown_t $1:process signal;
+ allow $1 shutdown_t:dbus send_msg;
+ allow shutdown_t $1:dbus send_msg;
')
########################################
## <summary>
-## Get attributes of shutdown executable files.
+## Get attributes of shutdown executable.
## </summary>
## <param name="domain">
## <summary>
diff --git a/shutdown.te b/shutdown.te
index e2544e147..4f0e2a974 100644
--- a/shutdown.te
+++ b/shutdown.te
@@ -24,7 +24,7 @@ files_pid_file(shutdown_var_run_t)
# Local policy
#
-allow shutdown_t self:capability { dac_override kill setuid sys_nice sys_tty_config };
+allow shutdown_t self:capability { dac_read_search kill setuid sys_nice sys_tty_config };
allow shutdown_t self:process { setsched signal signull };
allow shutdown_t self:fifo_file manage_fifo_file_perms;
allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
@@ -44,7 +44,7 @@ files_read_generic_pids(shutdown_t)
mls_file_write_to_clearance(shutdown_t)
-term_use_all_terms(shutdown_t)
+term_use_all_inherited_terms(shutdown_t)
auth_use_nsswitch(shutdown_t)
auth_write_login_records(shutdown_t)
@@ -56,8 +56,6 @@ init_telinit(shutdown_t)
logging_search_logs(shutdown_t)
logging_send_audit_msgs(shutdown_t)
-miscfiles_read_localization(shutdown_t)
-
optional_policy(`
cron_system_entry(shutdown_t, shutdown_exec_t)
')
@@ -68,10 +66,15 @@ optional_policy(`
')
optional_policy(`
- oddjob_dontaudit_rw_fifo_files(shutdown_t)
- oddjob_sigchld(shutdown_t)
+ oddjob_dontaudit_rw_fifo_file(shutdown_t)
+ oddjob_sigchld(shutdown_t)
+')
+
+optional_policy(`
+ rhev_sigchld_agentd(shutdown_t)
')
optional_policy(`
xserver_dontaudit_write_log(shutdown_t)
+ xserver_xdm_append_log(shutdown_t)
')
diff --git a/slocate.te b/slocate.te
index 7292dc064..bd269f1f2 100644
--- a/slocate.te
+++ b/slocate.te
@@ -20,7 +20,7 @@ files_pid_file(locate_var_run_t)
# Local policy
#
-allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
+allow locate_t self:capability { chown dac_read_search fowner fsetid };
allow locate_t self:process { execmem execheap execstack signal setsched };
allow locate_t self:fifo_file rw_fifo_file_perms;
allow locate_t self:unix_stream_socket create_socket_perms;
@@ -44,8 +44,12 @@ dev_getattr_all_blk_files(locate_t)
dev_getattr_all_chr_files(locate_t)
files_list_all(locate_t)
+files_list_isid_type_dirs(locate_t)
+files_getattr_isid_type(locate_t)
files_dontaudit_read_all_symlinks(locate_t)
files_getattr_all_files(locate_t)
+files_getattr_all_chr_files(locate_t)
+files_getattr_all_blk_files(locate_t)
files_getattr_all_pipes(locate_t)
files_getattr_all_sockets(locate_t)
files_read_etc_runtime_files(locate_t)
@@ -62,7 +66,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
auth_use_nsswitch(locate_t)
-miscfiles_read_localization(locate_t)
ifdef(`enable_mls',`
files_dontaudit_getattr_all_dirs(locate_t)
@@ -71,3 +74,8 @@ ifdef(`enable_mls',`
optional_policy(`
cron_system_entry(locate_t, locate_exec_t)
')
+
+optional_policy(`
+ mock_getattr_lib(locate_t)
+')
+
diff --git a/slpd.if b/slpd.if
index ca32e8946..98278dd2c 100644
--- a/slpd.if
+++ b/slpd.if
@@ -2,6 +2,43 @@
########################################
## <summary>
+## Transition to slpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`slpd_domtrans',`
+ gen_require(`
+ type slpd_t, slpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, slpd_exec_t, slpd_t)
+')
+
+########################################
+## <summary>
+## Execute slpd server in the slpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`slpd_initrc_domtrans',`
+ gen_require(`
+ type slpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, slpd_initrc_exec_t)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an slpd environment.
## </summary>
@@ -26,7 +63,7 @@ interface(`slpd_admin',`
allow $1 slpd_t:process { ptrace signal_perms };
ps_process_pattern($1, slpd_t)
- init_labeled_script_domtrans($1, slpd_initrc_exec_t)
+ slpd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 slpd_initrc_exec_t system_r;
allow $2 system_r;
@@ -36,4 +73,10 @@ interface(`slpd_admin',`
files_search_pids($1)
admin_pattern($1, slpd_var_run_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+
')
diff --git a/slpd.te b/slpd.te
index 731512a66..4ce76cd9c 100644
--- a/slpd.te
+++ b/slpd.te
@@ -23,7 +23,7 @@ files_pid_file(slpd_var_run_t)
# Local policy
#
-allow slpd_t self:capability { kill setgid setuid };
+allow slpd_t self:capability { kill net_admin setgid setuid };
allow slpd_t self:process signal;
allow slpd_t self:fifo_file rw_fifo_file_perms;
allow slpd_t self:tcp_socket { accept listen };
@@ -35,6 +35,9 @@ logging_log_filetrans(slpd_t, slpd_log_t, file)
manage_files_pattern(slpd_t, slpd_var_run_t, slpd_var_run_t)
files_pid_filetrans(slpd_t, slpd_var_run_t, file)
+kernel_read_system_state(slpd_t)
+kernel_read_network_state(slpd_t)
+
corenet_all_recvfrom_unlabeled(slpd_t)
corenet_all_recvfrom_netlabel(slpd_t)
corenet_tcp_sendrecv_generic_if(slpd_t)
@@ -50,6 +53,12 @@ corenet_sendrecv_svrloc_server_packets(slpd_t)
corenet_tcp_bind_svrloc_port(slpd_t)
corenet_udp_bind_svrloc_port(slpd_t)
+corenet_udp_bind_dhcpc_port(slpd_t)
+
+dev_read_urand(slpd_t)
+
auth_use_nsswitch(slpd_t)
-miscfiles_read_localization(slpd_t)
+logging_send_syslog_msg(slpd_t)
+
+sysnet_dns_name_resolve(slpd_t)
diff --git a/slrnpull.te b/slrnpull.te
index 59eb07fa9..4626942ae 100644
--- a/slrnpull.te
+++ b/slrnpull.te
@@ -13,7 +13,7 @@ type slrnpull_var_run_t;
files_pid_file(slrnpull_var_run_t)
type slrnpull_spool_t;
-files_type(slrnpull_spool_t)
+files_spool_file(slrnpull_spool_t)
type slrnpull_log_t;
logging_log_file(slrnpull_log_t)
@@ -44,7 +44,6 @@ dev_read_sysfs(slrnpull_t)
domain_use_interactive_fds(slrnpull_t)
-files_read_etc_files(slrnpull_t)
files_search_spool(slrnpull_t)
fs_getattr_all_fs(slrnpull_t)
@@ -52,8 +51,6 @@ fs_search_auto_mountpoints(slrnpull_t)
logging_send_syslog_msg(slrnpull_t)
-miscfiles_read_localization(slrnpull_t)
-
userdom_dontaudit_use_unpriv_user_fds(slrnpull_t)
userdom_dontaudit_search_user_home_dirs(slrnpull_t)
diff --git a/smartmon.if b/smartmon.if
index e0644b5cf..ea347ccd5 100644
--- a/smartmon.if
+++ b/smartmon.if
@@ -42,9 +42,13 @@ interface(`smartmon_admin',`
type fsdaemon_var_lib_t, fsdaemon_initrc_exec_t;
')
- allow $1 fsdaemon_t:process { ptrace signal_perms };
+ allow $1 fsdaemon_t:process signal_perms;
ps_process_pattern($1, fsdaemon_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 fsdaemon_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 fsdaemon_initrc_exec_t system_r;
diff --git a/smartmon.te b/smartmon.te
index 9cf6582d2..d0be162c8 100644
--- a/smartmon.te
+++ b/smartmon.te
@@ -38,7 +38,7 @@ ifdef(`enable_mls',`
# Local policy
#
-allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin };
+allow fsdaemon_t self:capability { dac_read_search kill setpcap setgid sys_rawio sys_admin };
dontaudit fsdaemon_t self:capability sys_tty_config;
allow fsdaemon_t self:process { getcap setcap signal_perms };
allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
@@ -58,23 +58,31 @@ kernel_read_network_state(fsdaemon_t)
kernel_read_software_raid_state(fsdaemon_t)
kernel_read_system_state(fsdaemon_t)
+auth_use_nsswitch(fsdaemon_t)
+
corecmd_exec_all_executables(fsdaemon_t)
+corenet_all_recvfrom_netlabel(fsdaemon_t)
+corenet_udp_sendrecv_generic_if(fsdaemon_t)
+corenet_udp_sendrecv_generic_node(fsdaemon_t)
+corenet_udp_sendrecv_all_ports(fsdaemon_t)
+
dev_read_sysfs(fsdaemon_t)
dev_read_urand(fsdaemon_t)
domain_use_interactive_fds(fsdaemon_t)
files_exec_etc_files(fsdaemon_t)
-files_read_etc_files(fsdaemon_t)
files_read_etc_runtime_files(fsdaemon_t)
-files_read_usr_files(fsdaemon_t)
fs_getattr_all_fs(fsdaemon_t)
fs_search_auto_mountpoints(fsdaemon_t)
+fs_read_removable_files(fsdaemon_t)
mls_file_read_all_levels(fsdaemon_t)
+storage_create_fixed_disk_dev(fsdaemon_t)
+storage_dev_filetrans_named_fixed_disk(fsdaemon_t)
storage_raw_read_fixed_disk(fsdaemon_t)
storage_raw_write_fixed_disk(fsdaemon_t)
storage_raw_read_removable_device(fsdaemon_t)
@@ -83,7 +91,9 @@ storage_write_scsi_generic(fsdaemon_t)
term_dontaudit_search_ptys(fsdaemon_t)
-application_signull(fsdaemon_t)
+domain_signull_all_domains(fsdaemon_t)
+
+auth_read_passwd(fsdaemon_t)
init_read_utmp(fsdaemon_t)
@@ -92,12 +102,13 @@ libs_exec_lib_files(fsdaemon_t)
logging_send_syslog_msg(fsdaemon_t)
-miscfiles_read_localization(fsdaemon_t)
+seutil_sigchld_newrole(fsdaemon_t)
sysnet_dns_name_resolve(fsdaemon_t)
userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
userdom_dontaudit_search_user_home_dirs(fsdaemon_t)
+userdom_use_user_terminals(fsdaemon_t)
tunable_policy(`smartmon_3ware',`
allow fsdaemon_t self:process setfscreate;
@@ -116,9 +127,9 @@ optional_policy(`
')
optional_policy(`
- seutil_sigchld_newrole(fsdaemon_t)
+ udev_read_db(fsdaemon_t)
')
optional_policy(`
- udev_read_db(fsdaemon_t)
+ virt_read_images(fsdaemon_t)
')
diff --git a/smokeping.fc b/smokeping.fc
index 335981945..a231ecb56 100644
--- a/smokeping.fc
+++ b/smokeping.fc
@@ -2,7 +2,7 @@
/usr/sbin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0)
-/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:httpd_smokeping_cgi_script_exec_t,s0)
+/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:smokeping_cgi_script_exec_t,s0)
/var/lib/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_lib_t,s0)
diff --git a/smokeping.if b/smokeping.if
index 1fa51c11f..82e111c80 100644
--- a/smokeping.if
+++ b/smokeping.if
@@ -158,8 +158,11 @@ interface(`smokeping_admin',`
type smokeping_var_run_t;
')
- allow $1 smokeping_t:process { ptrace signal_perms };
+ allow $1 smokeping_t:process signal_perms;
ps_process_pattern($1, smokeping_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 smokeping_t:process ptrace;
+ ')
smokeping_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/smokeping.te b/smokeping.te
index ec031a031..26325cbda 100644
--- a/smokeping.te
+++ b/smokeping.te
@@ -23,7 +23,8 @@ files_type(smokeping_var_lib_t)
# Local policy
#
-dontaudit smokeping_t self:capability { dac_read_search dac_override };
+dontaudit smokeping_t self:capability { dac_read_search };
+allow smokeping_t self:process signal_perms;
allow smokeping_t self:fifo_file rw_fifo_file_perms;
allow smokeping_t self:unix_stream_socket { accept listen };
@@ -39,7 +40,6 @@ corecmd_exec_bin(smokeping_t)
dev_read_urand(smokeping_t)
-files_read_usr_files(smokeping_t)
files_search_tmp(smokeping_t)
auth_use_nsswitch(smokeping_t)
@@ -47,8 +47,6 @@ auth_dontaudit_read_shadow(smokeping_t)
logging_send_syslog_msg(smokeping_t)
-miscfiles_read_localization(smokeping_t)
-
mta_send_mail(smokeping_t)
netutils_domtrans_ping(smokeping_t)
@@ -60,17 +58,22 @@ netutils_domtrans_ping(smokeping_t)
optional_policy(`
apache_content_template(smokeping_cgi)
+ apache_content_alias_template(smokeping_cgi, smokeping_cgi)
+
+ manage_dirs_pattern(smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
+ manage_files_pattern(smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
+
+ getattr_files_pattern(smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
- manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
- manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
+ files_read_etc_files(smokeping_cgi_script_t)
+ files_search_tmp(smokeping_cgi_script_t)
+ files_search_var_lib(smokeping_cgi_script_t)
- getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
+ auth_read_passwd(smokeping_cgi_script_t)
- files_read_etc_files(httpd_smokeping_cgi_script_t)
- files_search_tmp(httpd_smokeping_cgi_script_t)
- files_search_var_lib(httpd_smokeping_cgi_script_t)
+ logging_send_syslog_msg(smokeping_cgi_script_t)
- sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
+ sysnet_dns_name_resolve(smokeping_cgi_script_t)
- netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
+ netutils_domtrans_ping(smokeping_cgi_script_t)
')
diff --git a/smoltclient.te b/smoltclient.te
index b3f2c6f26..4e629a10b 100644
--- a/smoltclient.te
+++ b/smoltclient.te
@@ -40,6 +40,7 @@ corenet_tcp_sendrecv_generic_node(smoltclient_t)
corenet_sendrecv_http_client_packets(smoltclient_t)
corenet_tcp_connect_http_port(smoltclient_t)
+corenet_tcp_connect_http_cache_port(smoltclient_t)
corenet_tcp_sendrecv_http_port(smoltclient_t)
dev_read_sysfs(smoltclient_t)
@@ -51,14 +52,12 @@ fs_list_auto_mountpoints(smoltclient_t)
files_getattr_generic_locks(smoltclient_t)
files_read_etc_runtime_files(smoltclient_t)
-files_read_usr_files(smoltclient_t)
auth_use_nsswitch(smoltclient_t)
logging_send_syslog_msg(smoltclient_t)
miscfiles_read_hwdata(smoltclient_t)
-miscfiles_read_localization(smoltclient_t)
optional_policy(`
abrt_stream_connect(smoltclient_t)
@@ -77,6 +76,10 @@ optional_policy(`
')
optional_policy(`
+ libs_exec_ldconfig(smoltclient_t)
+')
+
+optional_policy(`
rpm_exec(smoltclient_t)
rpm_read_db(smoltclient_t)
')
diff --git a/smsd.fc b/smsd.fc
new file mode 100644
index 000000000..4c3fcec7d
--- /dev/null
+++ b/smsd.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/smsd -- gen_context(system_u:object_r:smsd_initrc_exec_t,s0)
+
+/usr/sbin/smsd -- gen_context(system_u:object_r:smsd_exec_t,s0)
+
+/var/lib/smstools(/.*)? gen_context(system_u:object_r:smsd_var_lib_t,s0)
+
+/var/log/smsd(/.*)? gen_context(system_u:object_r:smsd_log_t,s0)
+
+/var/run/smsd(/.*)? gen_context(system_u:object_r:smsd_var_run_t,s0)
+
+/var/spool/sms(/.*)? gen_context(system_u:object_r:smsd_spool_t,s0)
diff --git a/smsd.if b/smsd.if
new file mode 100644
index 000000000..52450c700
--- /dev/null
+++ b/smsd.if
@@ -0,0 +1,240 @@
+## <summary>The SMS Server Tools are made to send and receive short messages through GSM modems. It supports easy file interfaces and it can run external programs for automatic actions.</summary>
+
+########################################
+## <summary>
+## Execute smsd in the smsd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`smsd_domtrans',`
+ gen_require(`
+ type smsd_t, smsd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, smsd_exec_t, smsd_t)
+')
+
+########################################
+## <summary>
+## Execute smsd server in the smsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smsd_initrc_domtrans',`
+ gen_require(`
+ type smsd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, smsd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read smsd's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smsd_read_log',`
+ gen_require(`
+ type smsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, smsd_log_t, smsd_log_t)
+')
+
+########################################
+## <summary>
+## Append to smsd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smsd_append_log',`
+ gen_require(`
+ type smsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, smsd_log_t, smsd_log_t)
+')
+
+########################################
+## <summary>
+## Manage smsd log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smsd_manage_log',`
+ gen_require(`
+ type smsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, smsd_log_t, smsd_log_t)
+ manage_files_pattern($1, smsd_log_t, smsd_log_t)
+ manage_lnk_files_pattern($1, smsd_log_t, smsd_log_t)
+')
+########################################
+## <summary>
+## Read smsd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smsd_read_pid_files',`
+ gen_require(`
+ type smsd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, smsd_var_run_t, smsd_var_run_t)
+')
+
+########################################
+## <summary>
+## Search smsd spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smsd_search_spool',`
+ gen_require(`
+ type smsd_spool_t;
+ ')
+
+ allow $1 smsd_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Read smsd spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smsd_read_spool_files',`
+ gen_require(`
+ type smsd_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, smsd_spool_t, smsd_spool_t)
+')
+
+########################################
+## <summary>
+## Manage smsd spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smsd_manage_spool_files',`
+ gen_require(`
+ type smsd_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, smsd_spool_t, smsd_spool_t)
+')
+
+########################################
+## <summary>
+## Manage smsd spool dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smsd_manage_spool_dirs',`
+ gen_require(`
+ type smsd_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, smsd_spool_t, smsd_spool_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an smsd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`smsd_admin',`
+ gen_require(`
+ type smsd_t;
+ type smsd_initrc_exec_t;
+ type smsd_log_t;
+ type smsd_var_run_t;
+ type smsd_spool_t;
+ ')
+
+ allow $1 smsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, smsd_t)
+
+ smsd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 smsd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, smsd_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, smsd_var_run_t)
+
+ files_search_spool($1)
+ admin_pattern($1, smsd_spool_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/smsd.te b/smsd.te
new file mode 100644
index 000000000..d971935b4
--- /dev/null
+++ b/smsd.te
@@ -0,0 +1,75 @@
+policy_module(smsd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type smsd_t;
+type smsd_exec_t;
+init_daemon_domain(smsd_t, smsd_exec_t)
+
+type smsd_initrc_exec_t;
+init_script_file(smsd_initrc_exec_t)
+
+type smsd_log_t;
+logging_log_file(smsd_log_t)
+
+type smsd_var_lib_t;
+files_type(smsd_var_lib_t)
+
+type smsd_var_run_t;
+files_pid_file(smsd_var_run_t)
+
+type smsd_spool_t;
+files_type(smsd_spool_t)
+
+type smsd_tmp_t;
+files_tmp_file(smsd_tmp_t)
+
+########################################
+#
+# smsd local policy
+#
+
+allow smsd_t self:capability { kill setgid setuid };
+allow smsd_t self:process { fork signal };
+allow smsd_t self:fifo_file rw_fifo_file_perms;
+allow smsd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(smsd_t, smsd_log_t, smsd_log_t)
+manage_files_pattern(smsd_t, smsd_log_t, smsd_log_t)
+manage_lnk_files_pattern(smsd_t, smsd_log_t, smsd_log_t)
+logging_log_filetrans(smsd_t, smsd_log_t, { dir })
+
+manage_dirs_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
+manage_files_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
+manage_lnk_files_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
+
+manage_dirs_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
+manage_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
+manage_lnk_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
+files_pid_filetrans(smsd_t, smsd_var_run_t, { dir })
+
+manage_dirs_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
+manage_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
+manage_lnk_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
+files_spool_filetrans(smsd_t, smsd_spool_t, { dir })
+can_exec(smsd_t, smsd_spool_t)
+
+manage_dirs_pattern(smsd_t, smsd_tmp_t, smsd_tmp_t)
+manage_files_pattern(smsd_t, smsd_tmp_t, smsd_tmp_t)
+files_tmp_filetrans(smsd_t, smsd_tmp_t, { file dir })
+
+kernel_read_system_state(smsd_t)
+kernel_read_kernel_sysctls(smsd_t)
+
+corecmd_exec_shell(smsd_t)
+
+auth_use_nsswitch(smsd_t)
+
+logging_send_syslog_msg(smsd_t)
+
+sysnet_dns_name_resolve(smsd_t)
+
+term_use_usb_ttys(smsd_t)
diff --git a/smstools.if b/smstools.if
index cbfe369a6..6594af373 100644
--- a/smstools.if
+++ b/smstools.if
@@ -1,5 +1,81 @@
## <summary> Tools to send and receive short messages through GSM modems or mobile phones.</summary>
+#######################################
+## <summary>
+## Search smsd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smsd_search_lib',`
+ gen_require(`
+ type smsd_var_lib_t;
+ ')
+
+ allow $1 smsd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+#######################################
+## <summary>
+## Read smsd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smsd_read_lib_files',`
+ gen_require(`
+ type smsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, smsd_var_lib_t, smsd_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Manage smsd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smsd_manage_lib_files',`
+ gen_require(`
+ type smsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, smsd_var_lib_t, smsd_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Manage smsd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smsd_manage_lib_dirs',`
+ gen_require(`
+ type smsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, smsd_var_lib_t, smsd_var_lib_t)
+')
+
########################################
## <summary>
## All of the rules required to
@@ -32,7 +108,7 @@ interface(`smstools_admin',`
role_transition $2 smsd_initrc_exec_t system_r;
allow $2 system_r;
- files_search_config($1)
+ files_search_etc($1)
admin_pattern($1, smsd_conf_t)
files_search_var_lib($1)
diff --git a/snapper.fc b/snapper.fc
new file mode 100644
index 000000000..b4e0699bc
--- /dev/null
+++ b/snapper.fc
@@ -0,0 +1,15 @@
+/usr/sbin/snapperd -- gen_context(system_u:object_r:snapperd_exec_t,s0)
+
+/usr/lib/snapper/systemd-helper -- gen_context(system_u:object_r:snapperd_exec_t,s0)
+
+/etc/snapper(/.*)? gen_context(system_u:object_r:snapperd_conf_t,s0)
+/etc/sysconfig/snapper -- gen_context(system_u:object_r:snapperd_conf_t,s0)
+
+/var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0)
+
+/mnt/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
+/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
+/usr/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
+/var/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
+/etc/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
+HOME_ROOT/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
diff --git a/snapper.if b/snapper.if
new file mode 100644
index 000000000..88490d5c6
--- /dev/null
+++ b/snapper.if
@@ -0,0 +1,99 @@
+
+## <summary>policy for snapperd</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the snapperd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`snapper_domtrans',`
+ gen_require(`
+ type snapperd_t, snapperd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, snapperd_exec_t, snapperd_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## snapperd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snapper_dbus_chat',`
+ gen_require(`
+ type snapperd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 snapperd_t:dbus send_msg;
+ allow snapperd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Allow a domain to read inherited snapper pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snapper_read_inherited_pipe',`
+ gen_require(`
+ type snapperd_t;
+ ')
+
+ allow $1 snapperd_t:fifo_file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Allow a domain to relabel snapshots to snapperd_data_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snapper_relabel_snapshots',`
+ gen_require(`
+ type snapperd_data_t;
+ ')
+
+ kernel_relabelfrom_unlabeled_dirs($1)
+ allow $1 snapperd_data_t:dir relabelto;
+')
+
+#######################################
+## <summary>
+## Allow domain to create .smapshot
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snapper_filetrans_named_content',`
+
+ gen_require(`
+ type snapperd_data_t;
+ ')
+
+ files_mountpoint_filetrans($1, snapperd_data_t, dir, ".snapshots")
+')
+
diff --git a/snapper.te b/snapper.te
new file mode 100644
index 000000000..6631a6500
--- /dev/null
+++ b/snapper.te
@@ -0,0 +1,85 @@
+policy_module(snapper, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type snapperd_t;
+type snapperd_exec_t;
+init_daemon_domain(snapperd_t, snapperd_exec_t)
+
+type snapperd_log_t;
+logging_log_file(snapperd_log_t)
+
+type snapperd_conf_t;
+files_config_file(snapperd_conf_t)
+
+type snapperd_data_t;
+files_type(snapperd_data_t)
+
+########################################
+#
+# snapperd local policy
+#
+
+allow snapperd_t self:capability { dac_read_search sys_admin };
+allow snapperd_t self:process setsched;
+
+allow snapperd_t self:fifo_file rw_fifo_file_perms;
+allow snapperd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(snapperd_t, snapperd_log_t, snapperd_log_t)
+logging_log_filetrans(snapperd_t, snapperd_log_t, file)
+
+manage_files_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t)
+manage_dirs_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t)
+manage_lnk_files_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t)
+
+manage_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
+manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
+manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
+allow snapperd_t snapperd_data_t:dir mounton;
+allow snapperd_t snapperd_data_t:file relabelfrom;
+snapper_filetrans_named_content(snapperd_t)
+
+domain_read_all_domains_state(snapperd_t)
+
+corecmd_exec_shell(snapperd_t)
+corecmd_exec_bin(snapperd_t)
+
+files_write_all_dirs(snapperd_t)
+files_setattr_all_mountpoints(snapperd_t)
+files_relabelto_all_mountpoints(snapperd_t)
+files_relabelfrom_isid_type(snapperd_t)
+files_read_all_files(snapperd_t)
+files_list_all(snapperd_t)
+files_rmdir_all_dirs(snapperd_t)
+
+fs_getattr_all_fs(snapperd_t)
+
+storage_raw_read_fixed_disk(snapperd_t)
+
+auth_use_nsswitch(snapperd_t)
+
+optional_policy(`
+ cron_system_entry(snapperd_t, snapperd_exec_t)
+')
+
+optional_policy(`
+ dbus_system_domain(snapperd_t, snapperd_exec_t)
+ dbus_system_bus_client(snapperd_t)
+ dbus_connect_system_bus(snapperd_t)
+')
+
+optional_policy(`
+ mount_domtrans(snapperd_t)
+')
+
+optional_policy(`
+ lvm_domtrans(snapperd_t)
+')
+
+optional_policy(`
+ snapper_relabel_snapshots(snapperd_t)
+')
diff --git a/snmp.fc b/snmp.fc
index 2f0a2f205..1569e3369 100644
--- a/snmp.fc
+++ b/snmp.fc
@@ -1,6 +1,6 @@
/etc/rc\.d/init\.d/(snmpd|snmptrapd) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
-/usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+/usr/sbin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
/usr/sbin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
/usr/share/snmp/mibs/\.index -- gen_context(system_u:object_r:snmpd_var_lib_t,s0)
@@ -10,9 +10,12 @@
/var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
/var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+/var/spool/snmptt(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
/var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0)
-/var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
-/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
+/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
+/var/run/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
+/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
diff --git a/snmp.if b/snmp.if
index 7a9cc9df7..6085a4160 100644
--- a/snmp.if
+++ b/snmp.if
@@ -2,6 +2,24 @@
########################################
## <summary>
+## Send null signals to snmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_signull',`
+ gen_require(`
+ type snmpd_t;
+ ')
+
+ allow $1 snmpd_t:process signull;
+')
+
+########################################
+## <summary>
## Connect to snmpd with a unix
## domain stream socket.
## </summary>
@@ -57,8 +75,7 @@ interface(`snmp_udp_chat',`
########################################
## <summary>
-## Create, read, write, and delete
-## snmp lib directories.
+## Read snmpd lib content.
## </summary>
## <param name="domain">
## <summary>
@@ -66,19 +83,57 @@ interface(`snmp_udp_chat',`
## </summary>
## </param>
#
-interface(`snmp_manage_var_lib_dirs',`
+interface(`snmp_read_snmp_var_lib_files',`
gen_require(`
type snmpd_var_lib_t;
')
files_search_var_lib($1)
+ allow $1 snmpd_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+ read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Read snmpd libraries directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_read_snmp_var_lib_dirs',`
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 snmpd_var_lib_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Manage snmpd libraries directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_manage_var_lib_dirs',`
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
+
allow $1 snmpd_var_lib_t:dir manage_dir_perms;
')
########################################
## <summary>
-## Create, read, write, and delete
-## snmp lib files.
+## Manage snmpd libraries.
## </summary>
## <param name="domain">
## <summary>
@@ -98,7 +153,7 @@ interface(`snmp_manage_var_lib_files',`
########################################
## <summary>
-## Read snmpd lib content.
+## Manage snmpd libraries.
## </summary>
## <param name="domain">
## <summary>
@@ -106,14 +161,35 @@ interface(`snmp_manage_var_lib_files',`
## </summary>
## </param>
#
-interface(`snmp_read_snmp_var_lib_files',`
+interface(`snmp_manage_var_lib_sock_files',`
gen_require(`
type snmpd_var_lib_t;
')
+ files_search_var_lib($1)
allow $1 snmpd_var_lib_t:dir list_dir_perms;
- read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
- read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+ manage_sock_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to manage
+## snmpd lib content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`snmp_dontaudit_manage_snmp_var_lib_files',`
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
+
+ dontaudit $1 snmpd_var_lib_t:dir manage_dir_perms;
+ dontaudit $1 snmpd_var_lib_t:file manage_file_perms;
+ dontaudit $1 snmpd_var_lib_t:lnk_file manage_lnk_file_perms;
')
########################################
@@ -179,8 +255,12 @@ interface(`snmp_admin',`
type snmpd_var_lib_t, snmpd_var_run_t;
')
- allow $1 snmpd_t:process { ptrace signal_perms };
+ allow $1 snmpd_t:process signal_perms;
+
ps_process_pattern($1, snmpd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 snmpd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/snmp.te b/snmp.te
index 9dcaeb875..9cc669708 100644
--- a/snmp.te
+++ b/snmp.te
@@ -26,15 +26,17 @@ files_type(snmpd_var_lib_t)
# Local policy
#
-allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace };
+allow snmpd_t self:capability { chown dac_read_search kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace };
+
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
allow snmpd_t self:process { signal_perms getsched setsched };
allow snmpd_t self:fifo_file rw_fifo_file_perms;
-allow snmpd_t self:unix_stream_socket { accept connectto listen };
-allow snmpd_t self:tcp_socket { accept listen };
+allow snmpd_t self:unix_dgram_socket create_socket_perms;
+allow snmpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow snmpd_t self:tcp_socket create_stream_socket_perms;
allow snmpd_t self:udp_socket connected_stream_socket_perms;
-allow snmpd_t snmpd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(snmpd_t, snmpd_log_t, snmpd_log_t)
logging_log_filetrans(snmpd_t, snmpd_log_t, file)
manage_dirs_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
@@ -53,12 +55,13 @@ kernel_read_kernel_sysctls(snmpd_t)
kernel_read_fs_sysctls(snmpd_t)
kernel_read_net_sysctls(snmpd_t)
kernel_read_network_state(snmpd_t)
+kernel_read_proc_symlinks(snmpd_t)
+kernel_read_all_proc(snmpd_t)
kernel_read_system_state(snmpd_t)
corecmd_exec_bin(snmpd_t)
corecmd_exec_shell(snmpd_t)
-corenet_all_recvfrom_unlabeled(snmpd_t)
corenet_all_recvfrom_netlabel(snmpd_t)
corenet_tcp_sendrecv_generic_if(snmpd_t)
corenet_udp_sendrecv_generic_if(snmpd_t)
@@ -75,9 +78,7 @@ corenet_udp_bind_snmp_port(snmpd_t)
corenet_tcp_sendrecv_snmp_port(snmpd_t)
corenet_udp_sendrecv_snmp_port(snmpd_t)
-corenet_sendrecv_snmp_client_packets(snmpd_t)
corenet_tcp_connect_agentx_port(snmpd_t)
-corenet_sendrecv_snmp_server_packets(snmpd_t)
corenet_tcp_bind_agentx_port(snmpd_t)
corenet_udp_bind_agentx_port(snmpd_t)
corenet_tcp_sendrecv_agentx_port(snmpd_t)
@@ -94,7 +95,6 @@ domain_signull_all_domains(snmpd_t)
domain_read_all_domains_state(snmpd_t)
domain_exec_all_entry_files(snmpd_t)
-files_read_usr_files(snmpd_t)
files_read_etc_runtime_files(snmpd_t)
files_search_home(snmpd_t)
@@ -107,15 +107,19 @@ fs_search_auto_mountpoints(snmpd_t)
storage_dontaudit_read_fixed_disk(snmpd_t)
storage_dontaudit_read_removable_device(snmpd_t)
storage_dontaudit_write_removable_device(snmpd_t)
+storage_getattr_fixed_disk_dev(snmpd_t)
+storage_getattr_removable_dev(snmpd_t)
auth_use_nsswitch(snmpd_t)
init_read_utmp(snmpd_t)
init_dontaudit_write_utmp(snmpd_t)
+# need write to /var/run/systemd/notify
+init_write_pid_socket(snmpd_t)
logging_send_syslog_msg(snmpd_t)
-miscfiles_read_localization(snmpd_t)
+sysnet_read_config(snmpd_t)
seutil_dontaudit_search_config(snmpd_t)
@@ -131,7 +135,11 @@ optional_policy(`
')
optional_policy(`
- corosync_stream_connect(snmpd_t)
+ fstools_domtrans(snmpd_t)
+')
+
+optional_policy(`
+ rhcs_stream_connect_cluster(snmpd_t)
')
optional_policy(`
@@ -140,6 +148,7 @@ optional_policy(`
optional_policy(`
mta_read_config(snmpd_t)
+ mta_read_aliases(snmpd_t)
mta_search_queue(snmpd_t)
')
diff --git a/snort.if b/snort.if
index 7d86b3485..5f581804e 100644
--- a/snort.if
+++ b/snort.if
@@ -42,8 +42,11 @@ interface(`snort_admin',`
type snort_etc_t, snort_initrc_exec_t;
')
- allow $1 snort_t:process { ptrace signal_perms };
+ allow $1 snort_t:process signal_perms;
ps_process_pattern($1, snort_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 snort_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, snort_initrc_exec_t)
domain_system_change_exemption($1)
@@ -51,11 +54,11 @@ interface(`snort_admin',`
allow $2 system_r;
admin_pattern($1, snort_etc_t)
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, snort_log_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, snort_var_run_t)
- files_search_pids($1)
+ files_list_pids($1)
')
diff --git a/snort.te b/snort.te
index 1af72df55..dc8379039 100644
--- a/snort.te
+++ b/snort.te
@@ -29,13 +29,16 @@ files_pid_file(snort_var_run_t)
# Local policy
#
-allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
+allow snort_t self:capability { setgid setuid net_admin net_raw dac_read_search };
dontaudit snort_t self:capability sys_tty_config;
allow snort_t self:process signal_perms;
+allow snort_t self:netlink_route_socket create_netlink_socket_perms;
allow snort_t self:netlink_socket create_socket_perms;
-allow snort_t self:tcp_socket { accept listen };
+allow snort_t self:tcp_socket create_stream_socket_perms;
+allow snort_t self:udp_socket create_socket_perms;
allow snort_t self:packet_socket create_socket_perms;
allow snort_t self:socket create_socket_perms;
+# Snort IPS node. unverified.
allow snort_t self:netlink_firewall_socket create_socket_perms;
allow snort_t snort_etc_t:dir list_dir_perms;
@@ -43,9 +46,7 @@ allow snort_t snort_etc_t:file read_file_perms;
allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(snort_t, snort_log_t, snort_log_t)
-append_files_pattern(snort_t, snort_log_t, snort_log_t)
-create_files_pattern(snort_t, snort_log_t, snort_log_t)
-setattr_files_pattern(snort_t, snort_log_t, snort_log_t)
+manage_files_pattern(snort_t, snort_log_t, snort_log_t)
logging_log_filetrans(snort_t, snort_log_t, { file dir })
manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t)
@@ -63,7 +64,6 @@ kernel_request_load_module(snort_t)
kernel_dontaudit_read_system_state(snort_t)
kernel_read_network_state(snort_t)
-corenet_all_recvfrom_unlabeled(snort_t)
corenet_all_recvfrom_netlabel(snort_t)
corenet_tcp_sendrecv_generic_if(snort_t)
corenet_udp_sendrecv_generic_if(snort_t)
@@ -86,18 +86,19 @@ dev_rw_generic_usb_dev(snort_t)
domain_use_interactive_fds(snort_t)
-files_read_etc_files(snort_t)
files_dontaudit_read_etc_runtime_files(snort_t)
fs_getattr_all_fs(snort_t)
fs_search_auto_mountpoints(snort_t)
+auth_read_passwd(snort_t)
+
+auth_use_nsswitch(snort_t)
+
init_read_utmp(snort_t)
logging_send_syslog_msg(snort_t)
-miscfiles_read_localization(snort_t)
-
sysnet_dns_name_resolve(snort_t)
userdom_dontaudit_use_unpriv_user_fds(snort_t)
diff --git a/sosreport.if b/sosreport.if
index 634c6b4fa..f6db7a796 100644
--- a/sosreport.if
+++ b/sosreport.if
@@ -42,7 +42,7 @@ interface(`sosreport_run',`
')
sosreport_domtrans($1)
- roleattribute $2 sospreport_roles;
+ roleattribute $2 sosreport_roles;
')
########################################
@@ -127,3 +127,22 @@ interface(`sosreport_delete_tmp_files',`
files_delete_tmp_dir_entry($1)
delete_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
')
+
+########################################
+## <summary>
+## Send a null signal to sosreport.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sosreport_signull',`
+ gen_require(`
+ type sosreport_t;
+ ')
+
+ allow $1 sosreport_t:process signull;
+')
+
diff --git a/sosreport.te b/sosreport.te
index f2f507dae..7429d39a0 100644
--- a/sosreport.te
+++ b/sosreport.te
@@ -13,15 +13,15 @@ type sosreport_exec_t;
application_domain(sosreport_t, sosreport_exec_t)
role sosreport_roles types sosreport_t;
-type sosreport_var_run_t;
-files_pid_file(sosreport_var_run_t)
-
type sosreport_tmp_t;
files_tmp_file(sosreport_tmp_t)
type sosreport_tmpfs_t;
files_tmpfs_file(sosreport_tmpfs_t)
+type sosreport_var_run_t;
+files_pid_file(sosreport_var_run_t)
+
optional_policy(`
pulseaudio_tmpfs_content(sosreport_tmpfs_t)
')
@@ -31,12 +31,14 @@ optional_policy(`
# Local policy
#
-allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_read_search };
dontaudit sosreport_t self:capability sys_ptrace;
-allow sosreport_t self:process { setsched signull };
+allow sosreport_t self:process { setpgid setsched signal_perms };
allow sosreport_t self:fifo_file rw_fifo_file_perms;
allow sosreport_t self:tcp_socket { accept listen };
allow sosreport_t self:unix_stream_socket { accept listen };
+allow sosreport_t self:rawip_socket create_socket_perms;
+allow sosreport_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
@@ -44,6 +46,12 @@ manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file")
files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })
+manage_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
+manage_dirs_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
+manage_sock_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
+manage_lnk_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
+files_pid_filetrans(sosreport_t, sosreport_var_run_t, { file dir sock_file })
+
manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file)
@@ -58,6 +66,18 @@ kernel_read_all_sysctls(sosreport_t)
kernel_read_software_raid_state(sosreport_t)
kernel_search_debugfs(sosreport_t)
kernel_read_messages(sosreport_t)
+kernel_request_load_module(sosreport_t)
+
+corenet_all_recvfrom_netlabel(sosreport_t)
+corenet_tcp_sendrecv_generic_if(sosreport_t)
+corenet_tcp_sendrecv_generic_node(sosreport_t)
+corenet_tcp_sendrecv_generic_port(sosreport_t)
+corenet_tcp_bind_generic_node(sosreport_t)
+corenet_tcp_bind_all_rpc_ports(sosreport_t)
+corenet_udp_bind_all_rpc_ports(sosreport_t)
+corenet_tcp_connect_http_port(sosreport_t)
+corenet_tcp_connect_all_ports(sosreport_t)
+corenet_sendrecv_http_client_packets(sosreport_t)
corecmd_exec_all_executables(sosreport_t)
@@ -69,6 +89,9 @@ dev_read_urand(sosreport_t)
dev_read_raw_memory(sosreport_t)
dev_read_sysfs(sosreport_t)
dev_rw_generic_usb_dev(sosreport_t)
+dev_rw_lvm_control(sosreport_t)
+dev_getattr_all_chr_files(sosreport_t)
+dev_getattr_all_blk_files(sosreport_t)
domain_getattr_all_domains(sosreport_t)
domain_read_all_domains_state(sosreport_t)
@@ -83,7 +106,6 @@ files_list_all(sosreport_t)
files_read_config_files(sosreport_t)
files_read_generic_tmp_files(sosreport_t)
files_read_non_auth_files(sosreport_t)
-files_read_usr_files(sosreport_t)
files_read_var_lib_files(sosreport_t)
files_read_var_symlinks(sosreport_t)
files_read_kernel_modules(sosreport_t)
@@ -92,25 +114,35 @@ files_manage_etc_runtime_files(sosreport_t)
files_etc_filetrans_etc_runtime(sosreport_t, file)
fs_getattr_all_fs(sosreport_t)
+fs_getattr_all_dirs(sosreport_t)
fs_list_inotifyfs(sosreport_t)
storage_dontaudit_read_fixed_disk(sosreport_t)
storage_dontaudit_read_removable_device(sosreport_t)
+term_getattr_pty_fs(sosreport_t)
+term_getattr_all_ptys(sosreport_t)
term_use_generic_ptys(sosreport_t)
+# some config files do not have configfile attribute
+# sosreport needs to read various files on system
+files_read_non_security_files(sosreport_t)
+
auth_use_nsswitch(sosreport_t)
+auth_dontaudit_read_shadow(sosreport_t)
init_domtrans_script(sosreport_t)
+init_getattr_initctl(sosreport_t)
+init_status(sosreport_t)
+init_stream_connect(sosreport_t)
libs_domtrans_ldconfig(sosreport_t)
+libs_use_ld_so(sosreport_t)
logging_read_all_logs(sosreport_t)
logging_send_syslog_msg(sosreport_t)
-miscfiles_read_localization(sosreport_t)
-
-modutils_read_module_deps(sosreport_t)
+sysnet_read_config(sosreport_t)
optional_policy(`
abrt_manage_pid_files(sosreport_t)
@@ -119,6 +151,14 @@ optional_policy(`
')
optional_policy(`
+ bootloader_exec(sosreport_t)
+')
+
+optional_policy(`
+ brctl_domtrans(sosreport_t)
+')
+
+optional_policy(`
cups_stream_connect(sosreport_t)
')
@@ -127,6 +167,20 @@ optional_policy(`
')
optional_policy(`
+ iptables_domtrans(sosreport_t)
+')
+
+optional_policy(`
+ lvm_read_config(sosreport_t)
+ lvm_dontaudit_access_check_lock(sosreport_t)
+')
+
+optional_policy(`
+ # needed by modinfo
+ modutils_read_module_deps(sosreport_t)
+')
+
+optional_policy(`
fstools_domtrans(sosreport_t)
')
@@ -136,6 +190,14 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(sosreport_t)
')
+
+ optional_policy(`
+ rpm_dbus_chat(sosreport_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(sosreport_t)
+ ')
')
optional_policy(`
@@ -147,13 +209,35 @@ optional_policy(`
')
optional_policy(`
+ prelink_domtrans(sosreport_t)
+')
+
+optional_policy(`
pulseaudio_run(sosreport_t, sosreport_roles)
')
optional_policy(`
- rpm_exec(sosreport_t)
- rpm_dontaudit_manage_db(sosreport_t)
- rpm_read_db(sosreport_t)
+ rhsmcertd_manage_lib_files(sosreport_t)
+ rhsmcertd_manage_pid_files(sosreport_t)
+')
+
+optional_policy(`
+ rpm_dontaudit_manage_db(sosreport_t)
+ rpm_manage_cache(sosreport_t)
+ rpm_manage_log(sosreport_t)
+ rpm_manage_pid_files(sosreport_t)
+ rpm_named_filetrans(sosreport_t)
+ rpm_read_db(sosreport_t)
+ rpm_signull(sosreport_t)
+')
+
+optional_policy(`
+ setroubleshoot_signull(sosreport_t)
+')
+
+optional_policy(`
+ unconfined_signull(sosreport_t)
+ unconfined_domain(sosreport_t)
')
optional_policy(`
diff --git a/soundserver.if b/soundserver.if
index a5abc5a8d..b9eff74cb 100644
--- a/soundserver.if
+++ b/soundserver.if
@@ -38,9 +38,13 @@ interface(`soundserver_admin',`
type soundd_state_t;
')
- allow $1 soundd_t:process { ptrace signal_perms };
+ allow $1 soundd_t:process signal_perms;
ps_process_pattern($1, soundd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 soundd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, soundd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 soundd_initrc_exec_t system_r;
diff --git a/soundserver.te b/soundserver.te
index 0919e0c86..afe83dbf7 100644
--- a/soundserver.te
+++ b/soundserver.te
@@ -32,7 +32,7 @@ files_pid_file(soundd_var_run_t)
# Declarations
#
-allow soundd_t self:capability dac_override;
+allow soundd_t self:capability { dac_read_search };
dontaudit soundd_t self:capability sys_tty_config;
allow soundd_t self:process { setpgid signal_perms };
allow soundd_t self:shm create_shm_perms;
@@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(soundd_t)
kernel_list_proc(soundd_t)
kernel_read_proc_symlinks(soundd_t)
-corenet_all_recvfrom_unlabeled(soundd_t)
corenet_all_recvfrom_netlabel(soundd_t)
corenet_tcp_sendrecv_generic_if(soundd_t)
corenet_tcp_sendrecv_generic_node(soundd_t)
@@ -81,7 +80,6 @@ dev_write_sound(soundd_t)
domain_use_interactive_fds(soundd_t)
-files_read_etc_files(soundd_t)
files_read_etc_runtime_files(soundd_t)
fs_getattr_all_fs(soundd_t)
@@ -89,8 +87,6 @@ fs_search_auto_mountpoints(soundd_t)
logging_send_syslog_msg(soundd_t)
-miscfiles_read_localization(soundd_t)
-
sysnet_read_config(soundd_t)
userdom_dontaudit_use_unpriv_user_fds(soundd_t)
diff --git a/spamassassin.fc b/spamassassin.fc
index e9bd097b7..5724bcf0f 100644
--- a/spamassassin.fc
+++ b/spamassassin.fc
@@ -1,20 +1,27 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
-HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+/root/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+/root/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+/root/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0)
-/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
-/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0)
-/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
-/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0)
-/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/libexec/mimedefang-wrapper -- gen_context(system_u:object_r:spamd_exec_t,s0)
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0)
@@ -25,7 +32,22 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
-/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
-/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+
+/etc/pyzor(/.*)? gen_context(system_u:object_r:spamd_etc_t, s0)
+/etc/razor(/.*)? gen_context(system_u:object_r:spamd_etc_t,s0)
+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+
+/usr/bin/razor.* -- gen_context(system_u:object_r:spamc_exec_t,s0)
+
+/var/lib/pyzord(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
+/var/lib/razor(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
+
+/var/log/pyzord\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
+/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
+
+/usr/bin/pyzor -- gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/pyzord -- gen_context(system_u:object_r:spamd_exec_t,s0)
diff --git a/spamassassin.if b/spamassassin.if
index 1499b0bbf..e695a62f3 100644
--- a/spamassassin.if
+++ b/spamassassin.if
@@ -2,39 +2,45 @@
########################################
## <summary>
-## Role access for spamassassin.
+## Role access for spamassassin
## </summary>
## <param name="role">
## <summary>
-## Role allowed access.
+## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
-## User domain for the role.
+## User domain for the role
## </summary>
## </param>
+## <rolecap/>
#
interface(`spamassassin_role',`
gen_require(`
type spamc_t, spamc_exec_t, spamc_tmp_t;
- type spamassassin_t, spamassassin_exec_t, spamd_home_t;
+ type spamassassin_t, spamassassin_exec_t;
type spamassassin_home_t, spamassassin_tmp_t;
')
role $1 types { spamc_t spamassassin_t };
domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
+
+ allow $2 spamassassin_t:process signal_perms;
+ ps_process_pattern($2, spamassassin_t)
+
domtrans_pattern($2, spamc_exec_t, spamc_t)
- allow $2 { spamc_t spamassassin_t}:process { ptrace signal_perms };
- ps_process_pattern($2, { spamc_t spamassassin_t })
+ allow $2 spamc_t:process signal_perms;
+ ps_process_pattern($2, spamc_t)
- allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms };
- allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- userdom_user_home_dir_filetrans($2, spamassassin_home_t, dir, ".spamassassin")
- userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd")
+ manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
+ manage_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
+ manage_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
+ relabel_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
+ relabel_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
+ relabel_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
')
########################################
@@ -53,13 +59,12 @@ interface(`spamassassin_exec',`
type spamassassin_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, spamassassin_exec_t)
')
########################################
## <summary>
-## Send generic signals to spamd.
+## Singnal the spam assassin daemon
## </summary>
## <param name="domain">
## <summary>
@@ -77,7 +82,8 @@ interface(`spamassassin_signal_spamd',`
########################################
## <summary>
-## Execute spamd in the caller domain.
+## Execute the spamassassin daemon
+## program in the caller directory.
## </summary>
## <param name="domain">
## <summary>
@@ -90,13 +96,12 @@ interface(`spamassassin_exec_spamd',`
type spamd_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, spamd_exec_t)
')
########################################
## <summary>
-## Execute spamc in the spamc domain.
+## Execute spamassassin client in the spamassassin client domain.
## </summary>
## <param name="domain">
## <summary>
@@ -109,32 +114,13 @@ interface(`spamassassin_domtrans_client',`
type spamc_t, spamc_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, spamc_exec_t, spamc_t)
+ allow $1 spamc_exec_t:file ioctl;
')
########################################
## <summary>
-## Execute spamc in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`spamassassin_exec_client',`
- gen_require(`
- type spamc_exec_t;
- ')
-
- corecmd_search_bin($1)
- can_exec($1, spamc_exec_t)
-')
-
-########################################
-## <summary>
-## Send kill signals to spamc.
+## Send kill signal to spamassassin client
## </summary>
## <param name="domain">
## <summary>
@@ -152,28 +138,28 @@ interface(`spamassassin_kill_client',`
########################################
## <summary>
-## Execute spamassassin standalone client
-## in the user spamassassin domain.
+## Manage spamc home files.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`spamassassin_domtrans_local_client',`
+interface(`spamassassin_manage_home_client',`
gen_require(`
- type spamassassin_t, spamassassin_exec_t;
+ type spamc_home_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, spamassassin_exec_t, spamassassin_t)
+ userdom_search_user_home_dirs($1)
+ manage_dirs_pattern($1, spamc_home_t, spamc_home_t)
+ manage_files_pattern($1, spamc_home_t, spamc_home_t)
+ manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## spamd home content.
+## Read spamc home files.
## </summary>
## <param name="domain">
## <summary>
@@ -181,20 +167,21 @@ interface(`spamassassin_domtrans_local_client',`
## </summary>
## </param>
#
-interface(`spamassassin_manage_spamd_home_content',`
+interface(`spamassassin_read_home_client',`
gen_require(`
- type spamd_home_t;
+ type spamc_home_t;
')
userdom_search_user_home_dirs($1)
- allow $1 spamd_home_t:dir manage_dir_perms;
- allow $1 spamd_home_t:file manage_file_perms;
- allow $1 spamd_home_t:lnk_file manage_lnk_file_perms;
+ list_dirs_pattern($1, spamc_home_t, spamc_home_t)
+ read_files_pattern($1, spamc_home_t, spamc_home_t)
+ read_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
')
########################################
## <summary>
-## Relabel spamd home content.
+## Execute the spamassassin client
+## program in the caller directory.
## </summary>
## <param name="domain">
## <summary>
@@ -202,49 +189,35 @@ interface(`spamassassin_manage_spamd_home_content',`
## </summary>
## </param>
#
-interface(`spamassassin_relabel_spamd_home_content',`
+interface(`spamassassin_exec_client',`
gen_require(`
- type spamd_home_t;
+ type spamc_exec_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 spamd_home_t:dir relabel_dir_perms;
- allow $1 spamd_home_t:file relabel_file_perms;
- allow $1 spamd_home_t:lnk_file relabel_lnk_file_perms;
+ can_exec($1, spamc_exec_t)
')
########################################
## <summary>
-## Create objects in user home
-## directories with the spamd home type.
+## Execute spamassassin standalone client in the user spamassassin domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
+## Domain allowed to transition.
## </summary>
## </param>
#
-interface(`spamassassin_home_filetrans_spamd_home',`
+interface(`spamassassin_domtrans_local_client',`
gen_require(`
- type spamd_home_t;
+ type spamassassin_t, spamassassin_exec_t;
')
- userdom_user_home_dir_filetrans($1, spamd_home_t, $2, $3)
+ domtrans_pattern($1, spamassassin_exec_t, spamassassin_t)
')
########################################
## <summary>
-## Read spamd lib files.
+## read spamd lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -258,7 +231,9 @@ interface(`spamassassin_read_lib_files',`
')
files_search_var_lib($1)
+ list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
+ read_lnk_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
')
########################################
@@ -283,7 +258,7 @@ interface(`spamassassin_manage_lib_files',`
########################################
## <summary>
-## Read spamd pid files.
+## Read temporary spamd file.
## </summary>
## <param name="domain">
## <summary>
@@ -291,56 +266,56 @@ interface(`spamassassin_manage_lib_files',`
## </summary>
## </param>
#
-interface(`spamassassin_read_spamd_pid_files',`
+interface(`spamassassin_read_spamd_tmp_files',`
gen_require(`
- type spamd_var_run_t;
+ type spamd_tmp_t;
')
- files_search_pids($1)
- read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
+ files_search_tmp($1)
+ allow $1 spamd_tmp_t:file read_file_perms;
')
########################################
## <summary>
-## Read temporary spamd files.
+## Do not audit attempts to get attributes of temporary
+## spamd sockets/
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`spamassassin_read_spamd_tmp_files',`
+interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
gen_require(`
type spamd_tmp_t;
')
- allow $1 spamd_tmp_t:file read_file_perms;
+ dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
')
########################################
## <summary>
-## Do not audit attempts to get
-## attributes of temporary spamd sockets.
+## Connect to run spamd.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed to connect.
## </summary>
## </param>
#
-interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
+interface(`spamd_stream_connect',`
gen_require(`
- type spamd_tmp_t;
+ type spamd_t, spamd_var_run_t;
')
- dontaudit $1 spamd_tmp_t:sock_file getattr;
+ files_search_pids($1)
+ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
')
########################################
## <summary>
-## Connect to spamd with a unix
-## domain stream socket.
+## Read spamd pid files.
## </summary>
## <param name="domain">
## <summary>
@@ -348,19 +323,62 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
## </summary>
## </param>
#
-interface(`spamassassin_stream_connect_spamd',`
+interface(`spamassassin_read_pid_files',`
gen_require(`
- type spamd_t, spamd_var_run_t;
+ type spamd_var_run_t;
')
files_search_pids($1)
- stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
+ read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
')
+######################################
+## <summary>
+## Transition to spamassassin named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_filetrans_home_content',`
+ gen_require(`
+ type spamc_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor")
+ userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".spamassassin")
+ userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".spamd")
+ userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".razor")
+')
+
+######################################
+## <summary>
+## Transition to spamassassin named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_filetrans_admin_home_content',`
+ gen_require(`
+ type spamc_home_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor")
+ userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".spamassassin")
+ userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".spamd")
+ userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".razor")
+')
+
+
########################################
## <summary>
-## All of the rules required to
-## administrate an spamassassin environment.
+## All of the rules required to administrate
+## an spamassassin environment
## </summary>
## <param name="domain">
## <summary>
@@ -369,20 +387,22 @@ interface(`spamassassin_stream_connect_spamd',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the spamassassin domain.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`spamassassin_admin',`
+interface(`spamassassin_spamd_admin',`
gen_require(`
type spamd_t, spamd_tmp_t, spamd_log_t;
type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
type spamd_initrc_exec_t;
')
- allow $1 spamd_t:process { ptrace signal_perms };
+ allow $1 spamd_t:process signal_perms;
ps_process_pattern($1, spamd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 spamd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, spamd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -403,6 +423,4 @@ interface(`spamassassin_admin',`
files_list_pids($1)
admin_pattern($1, spamd_var_run_t)
-
- spamassassin_role($2, $1)
')
diff --git a/spamassassin.te b/spamassassin.te
index cc58e3578..0c421b171 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1)
## <desc>
## <p>
-## Determine whether spamassassin
-## clients can use the network.
+## Allow user spamassassin clients to use the network.
## </p>
## </desc>
gen_tunable(spamassassin_can_network, false)
## <desc>
## <p>
-## Determine whether spamd can manage
-## generic user home content.
+## Allow spamd to read/write user home directories.
## </p>
## </desc>
-gen_tunable(spamd_enable_home_dirs, false)
+gen_tunable(spamd_enable_home_dirs, true)
+
+## <desc>
+## <p>
+## Allow spamd_update to connect to all ports.
+## </p>
+## </desc>
+gen_tunable(spamd_update_can_network, false)
+
type spamd_update_t;
type spamd_update_exec_t;
-init_system_domain(spamd_update_t, spamd_update_exec_t)
-
-type spamassassin_t;
-type spamassassin_exec_t;
-typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
-typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
-userdom_user_application_domain(spamassassin_t, spamassassin_exec_t)
-
-type spamassassin_home_t;
-typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
-typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
-userdom_user_home_content(spamassassin_home_t)
-
-type spamassassin_tmp_t;
-typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
-typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
-userdom_user_tmp_file(spamassassin_tmp_t)
-
-type spamc_t;
-type spamc_exec_t;
-typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
-typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
-userdom_user_application_domain(spamc_t, spamc_exec_t)
-
-type spamc_tmp_t;
-typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
-typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
-userdom_user_tmp_file(spamc_tmp_t)
+application_domain(spamd_update_t, spamd_update_exec_t)
+role system_r types spamd_update_t;
type spamd_t;
type spamd_exec_t;
@@ -59,12 +39,6 @@ init_daemon_domain(spamd_t, spamd_exec_t)
type spamd_compiled_t;
files_type(spamd_compiled_t)
-type spamd_etc_t;
-files_config_file(spamd_etc_t)
-
-type spamd_home_t;
-userdom_user_home_content(spamd_home_t)
-
type spamd_initrc_exec_t;
init_script_file(spamd_initrc_exec_t)
@@ -72,87 +46,197 @@ type spamd_log_t;
logging_log_file(spamd_log_t)
type spamd_spool_t;
-files_type(spamd_spool_t)
+files_spool_file(spamd_spool_t)
type spamd_tmp_t;
files_tmp_file(spamd_tmp_t)
+# var/lib files
type spamd_var_lib_t;
files_type(spamd_var_lib_t)
type spamd_var_run_t;
files_pid_file(spamd_var_run_t)
-########################################
+ifdef(`distro_redhat',`
+ # spamassassin client executable
+ type spamc_t;
+ type spamc_exec_t;
+ application_domain(spamc_t, spamc_exec_t)
+ role system_r types spamc_t;
+
+ type spamd_etc_t;
+ files_config_file(spamd_etc_t)
+
+ typealias spamc_exec_t alias spamassassin_exec_t;
+ typealias spamc_t alias spamassassin_t;
+
+ type spamc_home_t;
+ userdom_user_home_content(spamc_home_t)
+ typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
+ typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
+ typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
+ typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };
+
+ type spamc_tmp_t;
+ files_tmp_file(spamc_tmp_t)
+ typealias spamc_tmp_t alias spamassassin_tmp_t;
+ typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
+ typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
+
+ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
+ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
+ typealias spamc_t alias pyzor_t;
+ typealias spamc_exec_t alias pyzor_exec_t;
+ typealias spamd_t alias pyzord_t;
+ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
+ typealias spamd_exec_t alias pyzord_exec_t;
+ typealias spamc_tmp_t alias pyzor_tmp_t;
+ typealias spamd_log_t alias pyzor_log_t;
+ typealias spamd_log_t alias pyzord_log_t;
+ typealias spamd_var_lib_t alias pyzor_var_lib_t;
+ typealias spamd_etc_t alias pyzor_etc_t;
+ typealias spamc_home_t alias pyzor_home_t;
+ typealias spamc_home_t alias user_pyzor_home_t;
+ typealias spamc_t alias razor_t;
+ typealias spamc_exec_t alias razor_exec_t;
+ typealias spamd_log_t alias razor_log_t;
+ typealias spamd_var_lib_t alias razor_var_lib_t;
+ typealias spamd_etc_t alias razor_etc_t;
+ typealias spamc_home_t alias razor_home_t;
+ typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+ typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+ typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+ typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+',`
+ type spamassassin_t;
+ type spamassassin_exec_t;
+ typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
+ typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
+ application_domain(spamassassin_t, spamassassin_exec_t)
+ ubac_constrained(spamassassin_t)
+
+ type spamassassin_home_t;
+ typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
+ typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
+ userdom_user_home_content(spamassassin_home_t)
+
+ type spamassassin_tmp_t;
+ typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
+ typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
+ files_tmp_file(spamassassin_tmp_t)
+ ubac_constrained(spamassassin_tmp_t)
+
+ type spamc_t;
+ type spamc_exec_t;
+ typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
+ typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
+ application_domain(spamc_t, spamc_exec_t)
+ ubac_constrained(spamc_t)
+
+ type spamc_tmp_t;
+ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
+ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
+ files_tmp_file(spamc_tmp_t)
+ ubac_constrained(spamc_tmp_t)
+')
+
+##############################
#
-# Standalone local policy
+# Standalone program local policy
#
allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamassassin_t self:fd use;
allow spamassassin_t self:fifo_file rw_fifo_file_perms;
+allow spamassassin_t self:sock_file read_sock_file_perms;
+allow spamassassin_t self:unix_dgram_socket create_socket_perms;
+allow spamassassin_t self:unix_stream_socket create_stream_socket_perms;
allow spamassassin_t self:unix_dgram_socket sendto;
-allow spamassassin_t self:unix_stream_socket { accept connectto listen };
+allow spamassassin_t self:unix_stream_socket connectto;
+allow spamassassin_t self:shm create_shm_perms;
+allow spamassassin_t self:sem create_sem_perms;
+allow spamassassin_t self:msgq create_msgq_perms;
+allow spamassassin_t self:msg { send receive };
manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
-userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, dir, ".spamassassin")
manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir })
+manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+userdom_home_manager(spamassassin_t)
+
kernel_read_kernel_sysctls(spamassassin_t)
dev_read_urand(spamassassin_t)
-fs_getattr_all_fs(spamassassin_t)
fs_search_auto_mountpoints(spamassassin_t)
+fs_getattr_all_fs(spamassassin_t)
+
+# this should probably be removed
+corecmd_list_bin(spamassassin_t)
+corecmd_read_bin_symlinks(spamassassin_t)
+corecmd_read_bin_files(spamassassin_t)
+corecmd_read_bin_pipes(spamassassin_t)
+corecmd_read_bin_sockets(spamassassin_t)
domain_use_interactive_fds(spamassassin_t)
-files_read_etc_files(spamassassin_t)
files_read_etc_runtime_files(spamassassin_t)
files_list_home(spamassassin_t)
-files_read_usr_files(spamassassin_t)
files_dontaudit_search_var(spamassassin_t)
logging_send_syslog_msg(spamassassin_t)
-miscfiles_read_localization(spamassassin_t)
+# cjp: this could probably be removed
+seutil_read_config(spamassassin_t)
sysnet_dns_name_resolve(spamassassin_t)
+# set tunable if you have spamassassin do DNS lookups
tunable_policy(`spamassassin_can_network',`
- allow spamassassin_t self:tcp_socket { accept listen };
+ allow spamassassin_t self:tcp_socket create_stream_socket_perms;
+ allow spamassassin_t self:udp_socket create_socket_perms;
- corenet_all_recvfrom_unlabeled(spamassassin_t)
- corenet_all_recvfrom_netlabel(spamassassin_t)
corenet_tcp_sendrecv_generic_if(spamassassin_t)
+ corenet_udp_sendrecv_generic_if(spamassassin_t)
corenet_tcp_sendrecv_generic_node(spamassassin_t)
+ corenet_udp_sendrecv_generic_node(spamassassin_t)
corenet_tcp_sendrecv_all_ports(spamassassin_t)
-
+ corenet_udp_sendrecv_all_ports(spamassassin_t)
corenet_tcp_connect_all_ports(spamassassin_t)
corenet_sendrecv_all_client_packets(spamassassin_t)
+ corenet_udp_bind_generic_node(spamassassin_t)
+ corenet_udp_bind_generic_port(spamassassin_t)
+ corenet_dontaudit_udp_bind_all_ports(spamassassin_t)
+
+ sysnet_read_config(spamassassin_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(spamassassin_t)
- fs_manage_nfs_files(spamassassin_t)
- fs_manage_nfs_symlinks(spamassassin_t)
+tunable_policy(`spamd_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(spamd_t)
+ userdom_manage_user_home_content_files(spamd_t)
+ userdom_manage_user_home_content_symlinks(spamd_t)
+ userdom_exec_user_bin_files(spamd_t)
')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(spamassassin_t)
- fs_manage_cifs_files(spamassassin_t)
- fs_manage_cifs_symlinks(spamassassin_t)
+optional_policy(`
+ # Write pid file and socket in ~/.evolution/cache/tmp
+ evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
')
optional_policy(`
- tunable_policy(`spamassassin_can_network && allow_ypbind',`
+ tunable_policy(`spamassassin_can_network && nis_enabled',`
nis_use_ypbind_uncond(spamassassin_t)
')
')
@@ -160,6 +244,8 @@ optional_policy(`
optional_policy(`
mta_read_config(spamassassin_t)
sendmail_stub(spamassassin_t)
+ sendmail_dontaudit_rw_unix_stream_sockets(spamassassin_t)
+ sendmail_dontaudit_rw_tcp_sockets(spamassassin_t)
')
########################################
@@ -167,72 +253,95 @@ optional_policy(`
# Client local policy
#
-allow spamc_t self:capability dac_override;
allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamc_t self:fd use;
allow spamc_t self:fifo_file rw_fifo_file_perms;
+allow spamc_t self:sock_file read_sock_file_perms;
+allow spamc_t self:shm create_shm_perms;
+allow spamc_t self:sem create_sem_perms;
+allow spamc_t self:msgq create_msgq_perms;
+allow spamc_t self:msg { send receive };
+allow spamc_t self:unix_dgram_socket create_socket_perms;
+allow spamc_t self:unix_stream_socket create_stream_socket_perms;
allow spamc_t self:unix_dgram_socket sendto;
-allow spamc_t self:unix_stream_socket { accept connectto listen };
-allow spamc_t self:tcp_socket { accept listen };
+allow spamc_t self:unix_stream_socket connectto;
+allow spamc_t self:tcp_socket create_stream_socket_perms;
+allow spamc_t self:udp_socket create_socket_perms;
+
+can_exec(spamc_t, spamc_exec_t)
manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })
-manage_dirs_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
-manage_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
-manage_lnk_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
-manage_fifo_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
-manage_sock_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
-userdom_user_home_dir_filetrans(spamc_t, spamassassin_home_t, dir, ".spamassassin")
+manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+userdom_append_user_home_content_files(spamc_t)
+spamassassin_filetrans_home_content(spamc_t)
+spamassassin_filetrans_admin_home_content(spamc_t)
+# for /root/.pyzor
+allow spamc_t self:capability { dac_read_search };
list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
-stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, { spamd_var_run_t spamd_tmp_t }, spamd_t)
+read_files_pattern(spamc_t, spamd_spool_t, spamd_spool_t)
+list_dirs_pattern(spamc_t, spamd_spool_t, spamd_spool_t)
+
+allow spamc_t spamd_etc_t:dir list_dir_perms;
+allow spamc_t spamd_etc_t:file read_file_perms;
+
+# Allow connecting to a local spamd
+allow spamc_t spamd_t:unix_stream_socket connectto;
+allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
+spamd_stream_connect(spamc_t)
+allow spamc_t spamd_tmp_t:file read_inherited_file_perms;
kernel_read_kernel_sysctls(spamc_t)
kernel_read_system_state(spamc_t)
-corenet_all_recvfrom_unlabeled(spamc_t)
+corecmd_exec_bin(spamc_t)
+
corenet_all_recvfrom_netlabel(spamc_t)
corenet_tcp_sendrecv_generic_if(spamc_t)
+corenet_udp_sendrecv_generic_if(spamc_t)
corenet_tcp_sendrecv_generic_node(spamc_t)
+corenet_udp_sendrecv_generic_node(spamc_t)
corenet_tcp_sendrecv_all_ports(spamc_t)
-
-corenet_sendrecv_all_client_packets(spamc_t)
+corenet_udp_sendrecv_all_ports(spamc_t)
corenet_tcp_connect_all_ports(spamc_t)
+corenet_sendrecv_all_client_packets(spamc_t)
+corenet_tcp_connect_spamd_port(spamc_t)
-corecmd_exec_bin(spamc_t)
+fs_search_auto_mountpoints(spamc_t)
-domain_use_interactive_fds(spamc_t)
+# cjp: these should probably be removed:
+corecmd_list_bin(spamc_t)
+corecmd_read_bin_symlinks(spamc_t)
+corecmd_read_bin_files(spamc_t)
+corecmd_read_bin_pipes(spamc_t)
+corecmd_read_bin_sockets(spamc_t)
-fs_getattr_all_fs(spamc_t)
-fs_search_auto_mountpoints(spamc_t)
+domain_use_interactive_fds(spamc_t)
files_read_etc_runtime_files(spamc_t)
-files_read_usr_files(spamc_t)
files_dontaudit_search_var(spamc_t)
+# cjp: this may be removable:
files_list_home(spamc_t)
files_list_var_lib(spamc_t)
-auth_use_nsswitch(spamc_t)
+fs_search_auto_mountpoints(spamc_t)
-logging_send_syslog_msg(spamc_t)
+libs_exec_ldconfig(spamc_t)
-miscfiles_read_localization(spamc_t)
+logging_send_syslog_msg(spamc_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(spamc_t)
- fs_manage_nfs_files(spamc_t)
- fs_manage_nfs_symlinks(spamc_t)
-')
+auth_use_nsswitch(spamc_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(spamc_t)
- fs_manage_cifs_files(spamc_t)
- fs_manage_cifs_symlinks(spamc_t)
-')
+userdom_home_manager(spamc_t)
optional_policy(`
abrt_stream_connect(spamc_t)
@@ -243,19 +352,32 @@ optional_policy(`
')
optional_policy(`
+ # Allow connection to spamd socket above
evolution_stream_connect(spamc_t)
')
optional_policy(`
+ cyrus_stream_connect(spamc_t)
+')
+
+optional_policy(`
milter_manage_spamass_state(spamc_t)
')
optional_policy(`
+ postfix_domtrans_postdrop(spamc_t)
+ postfix_search_spool(spamc_t)
+ postfix_rw_local_pipes(spamc_t)
+ postfix_rw_inherited_master_pipes(spamc_t)
+')
+
+optional_policy(`
mta_send_mail(spamc_t)
mta_read_config(spamc_t)
mta_read_queue(spamc_t)
- sendmail_rw_pipes(spamc_t)
sendmail_stub(spamc_t)
+ sendmail_rw_pipes(spamc_t)
+ mta_read_home_rw(spamc_t)
')
optional_policy(`
@@ -267,48 +389,54 @@ optional_policy(`
########################################
#
-# Daemon local policy
+# Server local policy
#
-allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
+# Spamassassin, when run as root and using per-user config files,
+# setuids to the user running spamc. Comment this if you are not
+# using this ability.
+
+allow spamd_t self:capability { kill setuid setgid dac_read_search sys_tty_config };
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
allow spamd_t self:fifo_file rw_fifo_file_perms;
+allow spamd_t self:sock_file read_sock_file_perms;
+allow spamd_t self:shm create_shm_perms;
+allow spamd_t self:sem create_sem_perms;
+allow spamd_t self:msgq create_msgq_perms;
+allow spamd_t self:msg { send receive };
+allow spamd_t self:unix_dgram_socket create_socket_perms;
+allow spamd_t self:unix_stream_socket create_stream_socket_perms;
allow spamd_t self:unix_dgram_socket sendto;
-allow spamd_t self:unix_stream_socket { accept connectto listen };
-allow spamd_t self:tcp_socket { accept listen };
+allow spamd_t self:unix_stream_socket connectto;
+allow spamd_t self:tcp_socket create_stream_socket_perms;
+allow spamd_t self:udp_socket create_socket_perms;
-manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd")
-
-manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin")
+# needed by razor
+list_dirs_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
+read_lnk_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
+rw_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
+can_exec(spamd_t, spamd_compiled_t)
manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
-allow spamd_t spamd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)
logging_log_filetrans(spamd_t, spamd_log_t, file)
manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
+manage_lnk_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
+files_spool_filetrans(spamd_t, spamd_spool_t, { file dir lnk_file })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
-allow spamd_t spamd_var_lib_t:dir list_dir_perms;
+# var/lib files for spamd
+manage_dirs_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
@@ -317,12 +445,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
-can_exec(spamd_t, { spamd_exec_t spamd_compiled_t })
+read_files_pattern(spamd_t, spamc_home_t, spamc_home_t)
+
+can_exec(spamd_t, spamd_exec_t)
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)
+kernel_read_network_state(spamd_t)
-corenet_all_recvfrom_unlabeled(spamd_t)
corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_generic_if(spamd_t)
corenet_udp_sendrecv_generic_if(spamd_t)
@@ -331,78 +461,60 @@ corenet_udp_sendrecv_generic_node(spamd_t)
corenet_tcp_sendrecv_all_ports(spamd_t)
corenet_udp_sendrecv_all_ports(spamd_t)
corenet_tcp_bind_generic_node(spamd_t)
-corenet_udp_bind_generic_node(spamd_t)
-
-corenet_sendrecv_spamd_server_packets(spamd_t)
corenet_tcp_bind_spamd_port(spamd_t)
-
-corenet_sendrecv_razor_client_packets(spamd_t)
+corenet_tcp_connect_all_unreserved_ports(spamd_t)
+corenet_tcp_connect_spamd_port(spamd_t)
corenet_tcp_connect_razor_port(spamd_t)
-
-corenet_sendrecv_smtp_client_packets(spamd_t)
corenet_tcp_connect_smtp_port(spamd_t)
-
-corenet_sendrecv_generic_server_packets(spamd_t)
+corenet_sendrecv_razor_client_packets(spamd_t)
+corenet_sendrecv_spamd_server_packets(spamd_t)
+# spamassassin 3.1 needs this for its
+# DnsResolver.pm module which binds to
+# random ports >= 1024.
+corenet_udp_bind_generic_node(spamd_t)
corenet_udp_bind_generic_port(spamd_t)
-
-corenet_sendrecv_imaze_server_packets(spamd_t)
corenet_udp_bind_imaze_port(spamd_t)
-
corenet_dontaudit_udp_bind_all_ports(spamd_t)
-
-corecmd_exec_bin(spamd_t)
+corenet_sendrecv_imaze_server_packets(spamd_t)
+corenet_sendrecv_generic_server_packets(spamd_t)
dev_read_sysfs(spamd_t)
dev_read_urand(spamd_t)
-domain_use_interactive_fds(spamd_t)
-
-files_read_usr_files(spamd_t)
-files_read_etc_runtime_files(spamd_t)
-
fs_getattr_all_fs(spamd_t)
fs_search_auto_mountpoints(spamd_t)
-auth_use_nsswitch(spamd_t)
auth_dontaudit_read_shadow(spamd_t)
+corecmd_exec_bin(spamd_t)
+
+domain_use_interactive_fds(spamd_t)
+
+files_read_etc_runtime_files(spamd_t)
+# /var/lib/spamassin
+files_read_var_lib_files(spamd_t)
+
init_dontaudit_rw_utmp(spamd_t)
+auth_use_nsswitch(spamd_t)
+
libs_use_ld_so(spamd_t)
libs_use_shared_libs(spamd_t)
logging_send_syslog_msg(spamd_t)
-miscfiles_read_localization(spamd_t)
-
-sysnet_use_ldap(spamd_t)
-
userdom_use_unpriv_users_fds(spamd_t)
-
-tunable_policy(`spamd_enable_home_dirs',`
- userdom_manage_user_home_content_dirs(spamd_t)
- userdom_manage_user_home_content_files(spamd_t)
- userdom_manage_user_home_content_symlinks(spamd_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(spamd_t)
- fs_manage_nfs_files(spamd_t)
- fs_manage_nfs_symlinks(spamd_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(spamd_t)
- fs_manage_cifs_files(spamd_t)
- fs_manage_cifs_symlinks(spamd_t)
-')
+userdom_search_user_home_dirs(spamd_t)
+userdom_home_manager(spamd_t)
optional_policy(`
- amavis_manage_lib_files(spamd_t)
+ antivirus_stream_connect(spamd_t)
+ antivirus_manage_db(spamd_t)
')
optional_policy(`
- clamav_stream_connect(spamd_t)
+ exim_manage_spool_dirs(spamd_t)
+ exim_manage_spool_files(spamd_t)
')
optional_policy(`
@@ -421,21 +533,13 @@ optional_policy(`
')
optional_policy(`
- evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
-')
-
-optional_policy(`
- exim_manage_spool_dirs(spamd_t)
- exim_manage_spool_files(spamd_t)
-')
-
-optional_policy(`
milter_manage_spamass_state(spamd_t)
')
optional_policy(`
- mysql_stream_connect(spamd_t)
mysql_tcp_connect(spamd_t)
+ mysql_search_db(spamd_t)
+ mysql_stream_connect(spamd_t)
')
optional_policy(`
@@ -443,8 +547,8 @@ optional_policy(`
')
optional_policy(`
- postgresql_stream_connect(spamd_t)
postgresql_tcp_connect(spamd_t)
+ postgresql_stream_connect(spamd_t)
')
optional_policy(`
@@ -455,7 +559,17 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
razor_read_lib_files(spamd_t)
- razor_manage_home_content(spamd_t)
+')
+
+optional_policy(`
+ tunable_policy(`spamd_enable_home_dirs',`
+ razor_manage_user_home_files(spamd_t)
+ ')
+')
+
+optional_policy(`
+ spamassassin_filetrans_home_content(spamd_t)
+ spamassassin_filetrans_admin_home_content(spamd_t)
')
optional_policy(`
@@ -463,9 +577,10 @@ optional_policy(`
')
optional_policy(`
+ mta_send_mail(spamd_t)
sendmail_stub(spamd_t)
mta_read_config(spamd_t)
- mta_send_mail(spamd_t)
+ mta_manage_spool(spamd_t)
')
optional_policy(`
@@ -474,32 +589,31 @@ optional_policy(`
########################################
#
-# Update local policy
+# spamd_update local policy
#
-allow spamd_update_t self:capability dac_override;
allow spamd_update_t self:fifo_file manage_fifo_file_perms;
allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
+allow spamd_update_t self:capability dac_read_search;
manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })
+allow spamd_update_t spamd_var_lib_t:dir list_dir_perms;
manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
-kernel_read_system_state(spamd_update_t)
+allow spamd_update_t spamc_home_t:dir search_dir_perms;
+allow spamd_update_t spamd_tmp_t:file read_file_perms;
+
+allow spamd_update_t spamc_home_t:dir search_dir_perms;
-corenet_all_recvfrom_unlabeled(spamd_update_t)
-corenet_all_recvfrom_netlabel(spamd_update_t)
-corenet_tcp_sendrecv_generic_if(spamd_update_t)
-corenet_tcp_sendrecv_generic_node(spamd_update_t)
-corenet_tcp_sendrecv_all_ports(spamd_update_t)
+kernel_read_system_state(spamd_update_t)
-corenet_sendrecv_http_client_packets(spamd_update_t)
+# for updating rules
corenet_tcp_connect_http_port(spamd_update_t)
-corenet_tcp_sendrecv_http_port(spamd_update_t)
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)
@@ -508,25 +622,26 @@ dev_read_urand(spamd_update_t)
domain_use_interactive_fds(spamd_update_t)
-files_read_usr_files(spamd_update_t)
auth_use_nsswitch(spamd_update_t)
auth_dontaudit_read_shadow(spamd_update_t)
-miscfiles_read_localization(spamd_update_t)
+mta_read_config(spamd_update_t)
-userdom_use_user_terminals(spamd_update_t)
+userdom_search_admin_dir(spamd_update_t)
+userdom_use_inherited_user_ptys(spamd_update_t)
optional_policy(`
cron_system_entry(spamd_update_t, spamd_update_exec_t)
')
-# probably want a solution same as httpd_use_gpg since this will
-# give spamd_update a path to users gpg keys
-# optional_policy(`
-# gpg_domtrans(spamd_update_t)
-# ')
-
optional_policy(`
- mta_read_config(spamd_update_t)
+ gpg_domtrans(spamd_update_t)
+ gpg_manage_home_content(spamd_update_t)
+')
+
+tunable_policy(`spamd_update_can_network',`
+ corenet_sendrecv_all_client_packets(spamd_update_t)
+ corenet_tcp_connect_all_ports(spamd_update_t)
+ corenet_tcp_sendrecv_all_ports(spamd_update_t)
')
diff --git a/speech-dispatcher.fc b/speech-dispatcher.fc
new file mode 100644
index 000000000..545f68233
--- /dev/null
+++ b/speech-dispatcher.fc
@@ -0,0 +1,5 @@
+/usr/bin/speech-dispatcher -- gen_context(system_u:object_r:speech-dispatcher_exec_t,s0)
+
+/usr/lib/systemd/system/speech-dispatcherd.service -- gen_context(system_u:object_r:speech-dispatcher_unit_file_t,s0)
+
+/var/log/speech-dispatcher(/.*)? gen_context(system_u:object_r:speech-dispatcher_log_t,s0)
diff --git a/speech-dispatcher.if b/speech-dispatcher.if
new file mode 100644
index 000000000..4cb910462
--- /dev/null
+++ b/speech-dispatcher.if
@@ -0,0 +1,143 @@
+
+## <summary>speech-dispatcher - server process managing speech requests in Speech Dispatcher</summary>
+
+########################################
+## <summary>
+## Execute speech-dispatcher in the speech-dispatcher domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`speech-dispatcher_domtrans',`
+ gen_require(`
+ type speech-dispatcher_t, speech-dispatcher_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, speech-dispatcher_exec_t, speech-dispatcher_t)
+')
+########################################
+## <summary>
+## Read speech-dispatcher's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`speech-dispatcher_read_log',`
+ gen_require(`
+ type speech-dispatcher_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t)
+')
+
+########################################
+## <summary>
+## Append to speech-dispatcher log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`speech-dispatcher_append_log',`
+ gen_require(`
+ type speech-dispatcher_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t)
+')
+
+########################################
+## <summary>
+## Manage speech-dispatcher log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`speech-dispatcher_manage_log',`
+ gen_require(`
+ type speech-dispatcher_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t)
+ manage_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t)
+ manage_lnk_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t)
+')
+########################################
+## <summary>
+## Execute speech-dispatcher server in the speech-dispatcher domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`speech-dispatcher_systemctl',`
+ gen_require(`
+ type speech-dispatcher_t;
+ type speech-dispatcher_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 speech-dispatcher_unit_file_t:file read_file_perms;
+ allow $1 speech-dispatcher_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, speech-dispatcher_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an speech-dispatcher environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`speech-dispatcher_admin',`
+ gen_require(`
+ type speech-dispatcher_t;
+ type speech-dispatcher_log_t;
+ type speech-dispatcher_unit_file_t;
+ ')
+
+ allow $1 speech-dispatcher_t:process { signal_perms };
+ ps_process_pattern($1, speech-dispatcher_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 speech-dispatcher_t:process ptrace;
+ ')
+
+ logging_search_logs($1)
+ admin_pattern($1, speech-dispatcher_log_t)
+
+ speech-dispatcher_systemctl($1)
+ admin_pattern($1, speech-dispatcher_unit_file_t)
+ allow $1 speech-dispatcher_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/speech-dispatcher.te b/speech-dispatcher.te
new file mode 100644
index 000000000..473947312
--- /dev/null
+++ b/speech-dispatcher.te
@@ -0,0 +1,61 @@
+policy_module(speech-dispatcher, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type speech-dispatcher_t;
+type speech-dispatcher_exec_t;
+init_daemon_domain(speech-dispatcher_t, speech-dispatcher_exec_t)
+application_executable_file(speech-dispatcher_exec_t)
+
+type speech-dispatcher_home_t;
+userdom_user_home_content(speech-dispatcher_home_t)
+
+type speech-dispatcher_log_t;
+logging_log_file(speech-dispatcher_log_t)
+
+type speech-dispatcher_unit_file_t;
+systemd_unit_file(speech-dispatcher_unit_file_t)
+
+type speech-dispatcher_tmp_t;
+files_tmp_file(speech-dispatcher_tmp_t)
+
+type speech-dispatcher_tmpfs_t;
+files_tmpfs_file(speech-dispatcher_tmpfs_t)
+
+########################################
+#
+# speech-dispatcher local policy
+#
+
+allow speech-dispatcher_t self:process signal_perms;
+
+allow speech-dispatcher_t self:fifo_file rw_fifo_file_perms;
+allow speech-dispatcher_t self:unix_stream_socket create_stream_socket_perms;
+allow speech-dispatcher_t self:tcp_socket create_socket_perms;
+
+manage_dirs_pattern(speech-dispatcher_t, speech-dispatcher_log_t, speech-dispatcher_log_t)
+manage_files_pattern(speech-dispatcher_t, speech-dispatcher_log_t, speech-dispatcher_log_t)
+logging_log_filetrans(speech-dispatcher_t, speech-dispatcher_log_t, { dir })
+
+manage_files_pattern(speech-dispatcher_t, speech-dispatcher_tmp_t, speech-dispatcher_tmp_t)
+files_tmp_filetrans(speech-dispatcher_t, speech-dispatcher_tmp_t, { file })
+
+manage_files_pattern(speech-dispatcher_t, speech-dispatcher_tmpfs_t, speech-dispatcher_tmpfs_t)
+fs_tmpfs_filetrans(speech-dispatcher_t, speech-dispatcher_tmpfs_t, { file })
+
+manage_files_pattern(speech-dispatcher_t, speech-dispatcher_home_t, speech-dispatcher_home_t)
+manage_dirs_pattern(speech-dispatcher_t, speech-dispatcher_home_t, speech-dispatcher_home_t)
+manage_fifo_files_pattern(speech-dispatcher_t, speech-dispatcher_home_t, speech-dispatcher_home_t)
+userdom_filetrans_home_content(speech-dispatcher_t,speech-dispatcher_home_t, dir, ".speech-dispatcher")
+
+kernel_read_system_state(speech-dispatcher_t)
+
+auth_read_passwd(speech-dispatcher_t)
+
+corenet_tcp_connect_pdps_port(speech-dispatcher_t)
+
+dev_read_urand(speech-dispatcher_t)
+
diff --git a/speedtouch.te b/speedtouch.te
index b38b8b180..eb36653b8 100644
--- a/speedtouch.te
+++ b/speedtouch.te
@@ -39,16 +39,12 @@ dev_read_usbfs(speedmgmt_t)
domain_use_interactive_fds(speedmgmt_t)
-files_read_etc_files(speedmgmt_t)
-files_read_usr_files(speedmgmt_t)
fs_getattr_all_fs(speedmgmt_t)
fs_search_auto_mountpoints(speedmgmt_t)
logging_send_syslog_msg(speedmgmt_t)
-miscfiles_read_localization(speedmgmt_t)
-
userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t)
userdom_dontaudit_search_user_home_dirs(speedmgmt_t)
diff --git a/squid.fc b/squid.fc
index 0a8b0f7c0..80c1d5756 100644
--- a/squid.fc
+++ b/squid.fc
@@ -1,20 +1,31 @@
-/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+/dev/shm/squid-* -- gen_context(system_u:object_r:squid_tmpfs_t,s0)
-/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
+/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+/etc/squid/ssl_db(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+/etc/lightsquid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
-/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+/usr/libexec/squid/cache_swap\.sh -- gen_context(system_u:object_r:squid_exec_t,s0)
+
+/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:squid_script_exec_t,s0)
+
+/usr/sbin/lightparser.pl -- gen_context(system_u:object_r:squid_cron_exec_t,s0)
/usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
/usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:squid_script_exec_t,s0)
/var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
/var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
/var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
-/var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
+/var/run/squid.* gen_context(system_u:object_r:squid_var_run_t,s0)
+
+/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
-/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+/var/lib/ssl_db(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
-/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+/var/lightsquid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
diff --git a/squid.if b/squid.if
index 5e1f0534c..e7820bce3 100644
--- a/squid.if
+++ b/squid.if
@@ -72,7 +72,7 @@ interface(`squid_rw_stream_sockets',`
type squid_t;
')
- allow $1 squid_t:unix_stream_socket { getattr read write };
+ allow $1 squid_t:unix_stream_socket rw_socket_perms;
')
########################################
@@ -85,7 +85,6 @@ interface(`squid_rw_stream_sockets',`
## Domain to not audit.
## </summary>
## </param>
-## <rolecap/>
#
interface(`squid_dontaudit_search_cache',`
gen_require(`
@@ -213,9 +212,13 @@ interface(`squid_admin',`
type squid_initrc_exec_t, squid_tmp_t;
')
- allow $1 squid_t:process { ptrace signal_perms };
+ allow $1 squid_t:process signal_perms;
ps_process_pattern($1, squid_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 squid_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, squid_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 squid_initrc_exec_t system_r;
diff --git a/squid.te b/squid.te
index 03472ed9b..87af88795 100644
--- a/squid.te
+++ b/squid.te
@@ -29,7 +29,7 @@ type squid_cache_t;
files_type(squid_cache_t)
type squid_conf_t;
-files_type(squid_conf_t)
+files_config_file(squid_conf_t)
type squid_initrc_exec_t;
init_script_file(squid_initrc_exec_t)
@@ -37,21 +37,28 @@ init_script_file(squid_initrc_exec_t)
type squid_log_t;
logging_log_file(squid_log_t)
+type squid_tmpfs_t;
+files_tmpfs_file(squid_tmpfs_t)
+
type squid_tmp_t;
files_tmp_file(squid_tmp_t)
-type squid_tmpfs_t;
-files_tmpfs_file(squid_tmpfs_t)
type squid_var_run_t;
files_pid_file(squid_var_run_t)
+type squid_cron_t;
+type squid_cron_exec_t;
+init_daemon_domain(squid_cron_t, squid_cron_exec_t)
+application_domain(squid_cron_t, squid_cron_exec_t)
+role system_r types squid_cron_t;
+
########################################
#
# Local policy
#
-allow squid_t self:capability { setgid kill setuid dac_override sys_resource };
+allow squid_t self:capability { setgid kill setuid dac_read_search sys_resource };
dontaudit squid_t self:capability sys_tty_config;
allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow squid_t self:fifo_file rw_fifo_file_perms;
@@ -68,6 +75,7 @@ manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t)
files_var_filetrans(squid_t, squid_cache_t, dir, "squid")
+filetrans_pattern(squid_t, squid_conf_t, squid_cache_t, dir, "ssl_db")
allow squid_t squid_conf_t:dir list_dir_perms;
allow squid_t squid_conf_t:file read_file_perms;
@@ -78,15 +86,19 @@ manage_files_pattern(squid_t, squid_log_t, squid_log_t)
manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
logging_log_filetrans(squid_t, squid_log_t, { file dir })
+manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+manage_dirs_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, { dir file })
+allow squid_t squid_tmpfs_t:file map;
+
manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t)
manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
-manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
-fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
-
+manage_dirs_pattern(squid_t, squid_var_run_t, squid_var_run_t)
manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
-files_pid_filetrans(squid_t, squid_var_run_t, file)
+manage_sock_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
+files_pid_filetrans(squid_t, squid_var_run_t, { dir file sock_file })
can_exec(squid_t, squid_exec_t)
@@ -94,7 +106,6 @@ kernel_read_kernel_sysctls(squid_t)
kernel_read_system_state(squid_t)
kernel_read_network_state(squid_t)
-corenet_all_recvfrom_unlabeled(squid_t)
corenet_all_recvfrom_netlabel(squid_t)
corenet_tcp_sendrecv_generic_if(squid_t)
corenet_udp_sendrecv_generic_if(squid_t)
@@ -132,6 +143,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t)
corenet_udp_sendrecv_gopher_port(squid_t)
corenet_sendrecv_squid_server_packets(squid_t)
+corenet_sendrecv_squid_client_packets(squid_t)
corenet_tcp_bind_squid_port(squid_t)
corenet_udp_bind_squid_port(squid_t)
corenet_tcp_sendrecv_squid_port(squid_t)
@@ -154,7 +166,6 @@ dev_read_urand(squid_t)
domain_use_interactive_fds(squid_t)
files_read_etc_runtime_files(squid_t)
-files_read_usr_files(squid_t)
files_search_spool(squid_t)
files_dontaudit_getattr_tmp_dirs(squid_t)
files_getattr_home_dir(squid_t)
@@ -176,7 +187,6 @@ libs_exec_lib_files(squid_t)
logging_send_syslog_msg(squid_t)
miscfiles_read_generic_certs(squid_t)
-miscfiles_read_localization(squid_t)
userdom_use_unpriv_users_fds(squid_t)
userdom_dontaudit_search_user_home_dirs(squid_t)
@@ -197,28 +207,31 @@ tunable_policy(`squid_use_tproxy',`
optional_policy(`
apache_content_template(squid)
+ apache_content_alias_template(squid, squid)
- corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
- corenet_all_recvfrom_netlabel(httpd_squid_script_t)
- corenet_tcp_sendrecv_generic_if(httpd_squid_script_t)
- corenet_tcp_sendrecv_generic_node(httpd_squid_script_t)
+ allow squid_script_t self:tcp_socket create_socket_perms;
- corenet_sendrecv_http_cache_client_packets(httpd_squid_script_t)
- corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
- corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t)
+ corenet_all_recvfrom_unlabeled(squid_script_t)
+ corenet_all_recvfrom_netlabel(squid_script_t)
+ corenet_tcp_sendrecv_generic_if(squid_script_t)
+ corenet_tcp_sendrecv_generic_node(squid_script_t)
- sysnet_dns_name_resolve(httpd_squid_script_t)
+ corenet_sendrecv_http_cache_client_packets(squid_script_t)
+ corenet_tcp_connect_http_cache_port(squid_script_t)
+ corenet_tcp_sendrecv_http_cache_port(squid_script_t)
- squid_read_config(httpd_squid_script_t)
-')
+ corenet_tcp_connect_squid_port(squid_script_t)
-optional_policy(`
- cron_system_entry(squid_t, squid_exec_t)
+ sysnet_dns_name_resolve(squid_script_t)
+
+ optional_policy(`
+ squid_read_config(squid_script_t)
+ ')
')
optional_policy(`
- kerberos_manage_host_rcache(squid_t)
- kerberos_tmp_filetrans_host_rcache(squid_t, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache(squid_t, "host_0")
+ kerberos_manage_host_rcache(squid_t)
')
optional_policy(`
@@ -236,3 +249,24 @@ optional_policy(`
optional_policy(`
udev_read_db(squid_t)
')
+
+########################################
+#
+# squid cron Local policy
+#
+manage_dirs_pattern(squid_cron_t, squid_cache_t, squid_cache_t)
+manage_files_pattern(squid_cron_t, squid_cache_t, squid_cache_t)
+manage_lnk_files_pattern(squid_cron_t, squid_cache_t, squid_cache_t)
+files_var_filetrans(squid_cron_t, squid_cache_t, dir, "squid")
+
+read_files_pattern(squid_cron_t, squid_conf_t, squid_conf_t)
+
+read_files_pattern(squid_cron_t, squid_log_t, squid_log_t)
+
+corecmd_exec_bin(squid_cron_t)
+
+dev_read_urand(squid_cron_t)
+
+optional_policy(`
+ cron_system_entry(squid_cron_t, squid_cron_exec_t)
+')
diff --git a/sslh.fc b/sslh.fc
new file mode 100644
index 000000000..1a217f5ed
--- /dev/null
+++ b/sslh.fc
@@ -0,0 +1,9 @@
+
+/usr/sbin/sslh -- gen_context(system_u:object_r:sslh_exec_t,s0)
+/usr/sbin/sslh-select -- gen_context(system_u:object_r:sslh_exec_t,s0)
+/etc/rc\.d/init\.d/sslh -- gen_context(system_u:object_r:sslh_initrc_exec_t,s0)
+/etc/sslh(/.*)? gen_context(system_u:object_r:sslh_config_t,s0)
+/etc/sslh\.cfg -- gen_context(system_u:object_r:sslh_config_t,s0)
+/etc/sysconfig/sslh -- gen_context(system_u:object_r:sslh_config_t,s0)
+/usr/lib/systemd/system/sslh.* -- gen_context(system_u:object_r:sslh_unit_file_t,s0)
+/var/run/sslh.* gen_context(system_u:object_r:sslh_var_run_t,s0)
diff --git a/sslh.if b/sslh.if
new file mode 100644
index 000000000..218360da8
--- /dev/null
+++ b/sslh.if
@@ -0,0 +1,127 @@
+## <summary>policy for sslh</summary>
+
+########################################
+## <summary>
+## Execute sslh in the sslh domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sslh_domtrans',`
+ gen_require(`
+ type sslh_t, sslh_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, sslh_exec_t, sslh_t)
+')
+
+#######################################
+## <summary>
+## Execute tor server in the tor domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sslh_systemctl',`
+ gen_require(`
+ type sslh_t;
+ type sslh_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 sslh_unit_file_t:file read_file_perms;
+ allow $1 sslh_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, sslh_t)
+')
+
+
+########################################
+## <summary>
+## Permit the reading of sslh config files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to access.
+## </summary>
+## </param>
+#
+interface(`sslh_read_config',`
+ gen_require(`
+ type sslh_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 sslh_config_t:dir list_dir_perms;
+ allow $1 sslh_config_t:file read_file_perms;
+ allow $1 sslh_config_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Permit the creation and writing of sslh config files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to configure.
+## </summary>
+## </param>
+#
+interface(`sslh_write_config',`
+ gen_require(`
+ type sslh_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 sslh_config_t:dir rw_dir_perms;
+ allow $1 sslh_config_t:file { rw_file_perms create };
+ allow $1 sslh_config_t:lnk_file read_lnk_file_perms;
+')
+
+
+#######################################
+## <summary>
+## All of the rules required to
+## administrate an sslh environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sslh_admin',`
+ gen_require(`
+ type sslh_t, sslh_config_t;
+ type sslh_var_run_t;
+ type sslh_initrc_exec_t;
+ ')
+
+ allow $1 sslh_t:process signal_perms;
+
+ ps_process_pattern($1, sslh_t)
+
+ init_labeled_script_domtrans($1, sslh_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 sslh_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, sslh_config_t)
+
+ files_list_pids($1)
+ admin_pattern($1, sslh_var_run_t)
+')
diff --git a/sslh.te b/sslh.te
new file mode 100644
index 000000000..821e158a5
--- /dev/null
+++ b/sslh.te
@@ -0,0 +1,100 @@
+
+policy_module(sslh,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether sslh can connect
+## to any tcp port or if it is restricted
+## to the standard http, openvpn and jabber ports.
+## </p>
+## </desc>
+gen_tunable(sslh_can_connect_any_port, false)
+
+## <desc>
+## <p>
+## Determine whether sslh can listen
+## on any tcp port or if it is restricted
+## to the standard http.
+## </p>
+## </desc>
+gen_tunable(sslh_can_bind_any_port, false)
+
+
+type sslh_t;
+type sslh_exec_t;
+init_daemon_domain(sslh_t, sslh_exec_t)
+
+type sslh_config_t;
+files_config_file(sslh_config_t)
+
+type sslh_initrc_exec_t;
+init_script_file(sslh_initrc_exec_t)
+
+type sslh_var_run_t;
+files_pid_file(sslh_var_run_t)
+
+type sslh_unit_file_t;
+systemd_unit_file(sslh_unit_file_t)
+
+########################################
+#
+# sslh local policy
+#
+
+read_files_pattern(sslh_t, sslh_config_t, sslh_config_t)
+
+auth_read_passwd(sslh_t)
+miscfiles_read_localization(sslh_t)
+
+manage_files_pattern(sslh_t, sslh_var_run_t, sslh_var_run_t)
+
+logging_send_syslog_msg(sslh_t);
+
+allow sslh_t self:capability { setuid setgid };
+allow sslh_t self:process { setcap getcap signal };
+
+allow sslh_t self:tcp_socket create_stream_socket_perms;
+
+sysnet_dns_name_resolve(sslh_t)
+
+corenet_all_recvfrom_unlabeled(sslh_t)
+corenet_all_recvfrom_netlabel(sslh_t)
+corenet_tcp_sendrecv_generic_if(sslh_t)
+corenet_udp_sendrecv_generic_if(sslh_t)
+corenet_tcp_sendrecv_generic_node(sslh_t)
+corenet_udp_sendrecv_generic_node(sslh_t)
+corenet_tcp_bind_generic_node(sslh_t)
+corenet_udp_bind_generic_node(sslh_t)
+
+corenet_tcp_bind_http_port(sslh_t)
+
+corenet_tcp_sendrecv_http_port(sslh_t)
+corenet_tcp_connect_http_port(sslh_t)
+
+corenet_tcp_connect_ssh_port(sslh_t)
+corenet_tcp_sendrecv_ssh_port(sslh_t)
+
+corenet_tcp_connect_openvpn_port(sslh_t)
+corenet_tcp_sendrecv_openvpn_port(sslh_t)
+
+corenet_tcp_connect_jabber_client_port(sslh_t)
+corenet_tcp_sendrecv_jabber_client_port(sslh_t)
+
+
+tunable_policy(`sslh_can_connect_any_port',`
+ # allow sslh to connect to any port
+ corenet_tcp_sendrecv_all_ports(sslh_t)
+ corenet_tcp_connect_all_ports(sslh_t)
+')
+
+tunable_policy(`sslh_can_bind_any_port',`
+ # allow sslh to bind to any port
+ corenet_tcp_sendrecv_all_ports(sslh_t)
+ corenet_tcp_bind_all_ports(sslh_t)
+')
+
diff --git a/sssd.fc b/sssd.fc
index dbb005aca..2655c75ab 100644
--- a/sssd.fc
+++ b/sssd.fc
@@ -1,15 +1,30 @@
/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
-/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0)
+/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0)
-/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/libexec/sssd/sssd_autofs -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/libexec/sssd/sssd_ifp -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/libexec/sssd/sssd_nss -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/libexec/sssd/sssd_kcm -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/libexec/sssd/sssd_pac -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/libexec/sssd/sssd_pam -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/libexec/sssd/sssd_secrets -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/libexec/sssd/sssd_ssh -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/libexec/sssd/sssd_sudo -- gen_context(system_u:object_r:sssd_exec_t,s0)
-/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+/usr/lib/systemd/system/sssd.* -- gen_context(system_u:object_r:sssd_unit_file_t,s0)
-/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
+/usr/libexec/sssd/selinux_child -- gen_context(system_u:object_r:sssd_selinux_manager_exec_t,s0)
+
+/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+
+/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
-/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
+/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
-/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/run/secrets\.socket -s gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/run/\.heim_org\.h5l\.kcm-socket -s gen_context(system_u:object_r:sssd_var_run_t,s0)
diff --git a/sssd.if b/sssd.if
index a24045518..47530e258 100644
--- a/sssd.if
+++ b/sssd.if
@@ -1,21 +1,21 @@
-## <summary>System Security Services Daemon.</summary>
+## <summary>System Security Services Daemon</summary>
#######################################
## <summary>
-## Get attributes of sssd executable files.
+## Allow a domain to getattr on sssd binary.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed to transition.
+## </summary>
## </param>
#
interface(`sssd_getattr_exec',`
- gen_require(`
- type sssd_exec_t;
- ')
+ gen_require(`
+ type sssd_t, sssd_exec_t;
+ ')
- allow $1 sssd_exec_t:file getattr_file_perms;
+ allow $1 sssd_exec_t:file getattr;
')
########################################
@@ -33,14 +33,12 @@ interface(`sssd_domtrans',`
type sssd_t, sssd_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, sssd_exec_t, sssd_t)
')
########################################
## <summary>
-## Execute sssd init scripts in
-## the initrc domain.
+## Execute sssd server in the sssd domain.
## </summary>
## <param name="domain">
## <summary>
@@ -56,49 +54,91 @@ interface(`sssd_initrc_domtrans',`
init_labeled_script_domtrans($1, sssd_initrc_exec_t)
')
+########################################
+## <summary>
+## Execute sssd server in the sssd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sssd_systemctl',`
+ gen_require(`
+ type sssd_t;
+ type sssd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 sssd_unit_file_t:file read_file_perms;
+ allow $1 sssd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, sssd_t)
+')
+
#######################################
## <summary>
-## Read sssd configuration content.
+## Read sssd configuration.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`sssd_read_config',`
- gen_require(`
- type sssd_conf_t;
- ')
+ gen_require(`
+ type sssd_conf_t;
+ ')
- files_search_etc($1)
- list_dirs_pattern($1, sssd_conf_t, sssd_conf_t)
- read_files_pattern($1, sssd_conf_t, sssd_conf_t)
+ files_search_etc($1)
+ list_dirs_pattern($1, sssd_conf_t, sssd_conf_t)
+ read_files_pattern($1, sssd_conf_t, sssd_conf_t)
')
######################################
## <summary>
-## Write sssd configuration files.
+## Write sssd configuration.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`sssd_write_config',`
- gen_require(`
- type sssd_conf_t;
- ')
+ gen_require(`
+ type sssd_conf_t;
+ ')
+
+ files_search_etc($1)
+ write_files_pattern($1, sssd_conf_t, sssd_conf_t)
+')
- files_search_etc($1)
- write_files_pattern($1, sssd_conf_t, sssd_conf_t)
+#####################################
+## <summary>
+## Write sssd configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_create_config',`
+ gen_require(`
+ type sssd_conf_t;
+ ')
+
+ files_search_etc($1)
+ create_files_pattern($1, sssd_conf_t, sssd_conf_t)
')
####################################
## <summary>
-## Create, read, write, and delete
-## sssd configuration files.
+## Manage sssd configuration.
## </summary>
## <param name="domain">
## <summary>
@@ -107,12 +147,12 @@ interface(`sssd_write_config',`
## </param>
#
interface(`sssd_manage_config',`
- gen_require(`
- type sssd_conf_t;
- ')
+ gen_require(`
+ type sssd_conf_t;
+ ')
- files_search_etc($1)
- manage_files_pattern($1, sssd_conf_t, sssd_conf_t)
+ files_search_etc($1)
+ manage_files_pattern($1, sssd_conf_t, sssd_conf_t)
')
########################################
@@ -131,14 +171,14 @@ interface(`sssd_read_public_files',`
')
sssd_search_lib($1)
- allow $1 sssd_public_t:dir list_dir_perms;
+ list_dirs_pattern($1, sssd_public_t, sssd_public_t)
read_files_pattern($1, sssd_public_t, sssd_public_t)
+ allow $1 sssd_public_t:file map;
')
-#######################################
+########################################
## <summary>
-## Create, read, write, and delete
-## sssd public files.
+## Delete sssd public files.
## </summary>
## <param name="domain">
## <summary>
@@ -146,18 +186,55 @@ interface(`sssd_read_public_files',`
## </summary>
## </param>
#
-interface(`sssd_manage_public_files',`
+interface(`sssd_delete_public_files',`
gen_require(`
type sssd_public_t;
')
sssd_search_lib($1)
- manage_files_pattern($1, sssd_public_t, sssd_public_t)
+ allow $1 sssd_public_t:file unlink;
')
########################################
## <summary>
-## Read sssd pid files.
+## Dontaudit read sssd public files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_dontaudit_read_public_files',`
+ gen_require(`
+ type sssd_public_t;
+ ')
+
+ dontaudit $1 sssd_public_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Manage sssd public files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_manage_public_files',`
+ gen_require(`
+ type sssd_public_t;
+ ')
+
+ sssd_search_lib($1)
+ manage_files_pattern($1, sssd_public_t, sssd_public_t)
+')
+
+########################################
+## <summary>
+## Read sssd PID files.
## </summary>
## <param name="domain">
## <summary>
@@ -176,8 +253,7 @@ interface(`sssd_read_pid_files',`
########################################
## <summary>
-## Create, read, write, and delete
-## sssd pid content.
+## Manage sssd var_run files.
## </summary>
## <param name="domain">
## <summary>
@@ -216,8 +292,7 @@ interface(`sssd_search_lib',`
########################################
## <summary>
-## Do not audit attempts to search
-## sssd lib directories.
+## Do not audit attempts to search sssd lib directories.
## </summary>
## <param name="domain">
## <summary>
@@ -235,6 +310,24 @@ interface(`sssd_dontaudit_search_lib',`
########################################
## <summary>
+## Do not audit attempts to read sssd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sssd_dontaudit_read_lib',`
+ gen_require(`
+ type sssd_var_lib_t;
+ ')
+
+ dontaudit $1 sssd_var_lib_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Read sssd lib files.
## </summary>
## <param name="domain">
@@ -297,8 +390,7 @@ interface(`sssd_dbus_chat',`
########################################
## <summary>
-## Connect to sssd with a unix
-## domain stream socket.
+## Connect to sssd over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -317,8 +409,130 @@ interface(`sssd_stream_connect',`
########################################
## <summary>
-## All of the rules required to
-## administrate an sssd environment.
+## Dontaudit attempts to connect to sssd over a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_dontaudit_stream_connect',`
+ gen_require(`
+ type sssd_t, sssd_var_lib_t;
+ ')
+
+ dontaudit $1 sssd_t:unix_stream_socket connectto;
+ dontaudit $1 sssd_var_lib_t:sock_file { read write };
+')
+
+########################################
+## <summary>
+## Connect to sssd over a unix stream socket in /var/run.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_run_stream_connect',`
+ gen_require(`
+ type sssd_t, sssd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, sssd_var_run_t, sssd_var_run_t, sssd_t)
+')
+
+########################################
+## <summary>
+## Dontaudit attempts to connect to sssd over a unix stream socket in /var/run.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_dontaudit_run_stream_connect',`
+ gen_require(`
+ type sssd_t, sssd_var_lib_t;
+ ')
+
+ dontaudit $1 sssd_t:unix_stream_socket connectto;
+ dontaudit $1 sssd_var_run_t:sock_file { read write };
+')
+
+#######################################
+## <summary>
+## Manage keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_manage_keys',`
+ gen_require(`
+ type sssd_t;
+ ')
+
+ allow $1 sssd_t:key manage_key_perms;
+ allow sssd_t $1:key manage_key_perms;
+')
+
+#######################################
+## <summary>
+## Allow attempts to read and write to
+## sssd pipes
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_rw_inherited_pipes',`
+ gen_require(`
+ type sssd_t;
+ ')
+
+ allow $1 sssd_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Transition to sssd named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_filetrans_named_content',`
+ gen_require(`
+ type sssd_var_run_t;
+ type sssd_var_log_t;
+ type sssd_var_lib_t;
+ type sssd_public_t;
+ type sssd_conf_t;
+ ')
+
+ files_pid_filetrans($1, sssd_var_run_t, sock_file, "secrets.socket")
+ logging_log_filetrans($1, sssd_var_log_t, dir, "sssd")
+ files_var_lib_filetrans($1, sssd_var_lib_t, dir, "sss")
+ filetrans_pattern($1, sssd_var_lib_t, sssd_public_t, dir, "mc")
+ filetrans_pattern($1, sssd_var_lib_t, sssd_public_t, dir, "pubconf")
+ files_etc_filetrans($1, sssd_conf_t, dir, "sssd")
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an sssd environment
## </summary>
## <param name="domain">
## <summary>
@@ -327,7 +541,7 @@ interface(`sssd_stream_connect',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the sssd domain.
## </summary>
## </param>
## <rolecap/>
@@ -335,27 +549,29 @@ interface(`sssd_stream_connect',`
interface(`sssd_admin',`
gen_require(`
type sssd_t, sssd_public_t, sssd_initrc_exec_t;
- type sssd_var_lib_t, sssd_var_run_t, sssd_conf_t;
- type sssd_log_t;
+ type sssd_unit_file_t;
')
- allow $1 sssd_t:process { ptrace signal_perms };
+ allow $1 sssd_t:process signal_perms;
ps_process_pattern($1, sssd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 sssd_t:process ptrace;
+ ')
+ # Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 sssd_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
- admin_pattern($1, sssd_conf_t)
+ sssd_manage_pids($1)
- files_search_var_lib($1)
- admin_pattern($1, { sssd_var_lib_t sssd_public_t })
+ sssd_manage_lib_files($1)
- files_search_pids($1)
- admin_pattern($1, sssd_var_run_t)
+ admin_pattern($1, sssd_public_t)
+
+ sssd_systemctl($1)
+ admin_pattern($1, sssd_unit_file_t)
+ allow $1 sssd_unit_file_t:service all_service_perms;
- logging_search_logs($1)
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
index 2d8db1fa3..3bf241d0c 100644
--- a/sssd.te
+++ b/sssd.te
@@ -28,51 +28,65 @@ logging_log_file(sssd_var_log_t)
type sssd_var_run_t;
files_pid_file(sssd_var_run_t)
+type sssd_unit_file_t;
+systemd_unit_file(sssd_unit_file_t)
+
+type sssd_selinux_manager_t;
+type sssd_selinux_manager_exec_t;
+application_domain(sssd_selinux_manager_t, sssd_selinux_manager_exec_t)
+role system_r types sssd_selinux_manager_t;
+
########################################
#
-# Local policy
+# sssd local policy
#
-allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource };
+allow sssd_t self:capability { ipc_lock chown dac_read_search kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource };
allow sssd_t self:capability2 block_suspend;
-allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit };
+allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit setpgid};
allow sssd_t self:fifo_file rw_fifo_file_perms;
allow sssd_t self:key manage_key_perms;
-allow sssd_t self:unix_stream_socket { accept connectto listen };
+allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+# Allow sssd_t to execute responders; which has different context now
+allow sssd_t sssd_exec_t:file execute_no_trans;
read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t)
+list_dirs_pattern(sssd_t, sssd_conf_t, sssd_conf_t)
manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+allow sssd_t sssd_public_t:file map;
manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+allow sssd_t sssd_var_lib_t:file map;
files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
-append_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
-create_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
-setattr_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
+# Allow systemd to create sockets for socket activated responders
+create_sock_files_pattern(init_t, sssd_var_lib_t, sssd_var_lib_t)
+delete_sock_files_pattern(init_t, sssd_var_lib_t, sssd_var_lib_t)
+
+manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
-files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+manage_sock_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir sock_file })
kernel_read_network_state(sssd_t)
kernel_read_system_state(sssd_t)
+kernel_request_load_module(sssd_t)
-corenet_all_recvfrom_unlabeled(sssd_t)
-corenet_all_recvfrom_netlabel(sssd_t)
-corenet_udp_sendrecv_generic_if(sssd_t)
-corenet_udp_sendrecv_generic_node(sssd_t)
-corenet_udp_sendrecv_all_ports(sssd_t)
-corenet_udp_bind_generic_node(sssd_t)
-
-corenet_sendrecv_generic_server_packets(sssd_t)
corenet_udp_bind_generic_port(sssd_t)
corenet_dontaudit_udp_bind_all_ports(sssd_t)
+corenet_tcp_connect_kerberos_password_port(sssd_t)
+corenet_tcp_connect_smbd_port(sssd_t)
+corenet_tcp_connect_http_port(sssd_t)
+corenet_tcp_connect_http_cache_port(sssd_t)
corecmd_exec_bin(sssd_t)
@@ -83,28 +97,36 @@ domain_read_all_domains_state(sssd_t)
domain_obj_id_change_exemption(sssd_t)
files_list_tmp(sssd_t)
-files_read_etc_files(sssd_t)
files_read_etc_runtime_files(sssd_t)
-files_read_usr_files(sssd_t)
files_list_var_lib(sssd_t)
fs_list_inotifyfs(sssd_t)
+fs_getattr_xattr_fs(sssd_t)
selinux_validate_context(sssd_t)
+seutil_read_config(sssd_t)
seutil_read_file_contexts(sssd_t)
# sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module
-# seutil_rw_login_config_dirs(sssd_t)
-# seutil_manage_login_config_files(sssd_t)
+seutil_rw_login_config_dirs(sssd_t)
+seutil_manage_login_config_files(sssd_t)
+
+seutil_dontaudit_access_check_load_policy(sssd_t)
+seutil_dontaudit_access_check_setfiles(sssd_t)
+seutil_dontaudit_access_check_semanage_read_lock(sssd_t)
+seutil_dontaudit_access_check_semanage_module_store(sssd_t)
mls_file_read_to_clearance(sssd_t)
mls_socket_read_to_clearance(sssd_t)
mls_socket_write_to_clearance(sssd_t)
mls_trusted_object(sssd_t)
+# auth_use_nsswitch(sssd_t)
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
auth_manage_cache(sssd_t)
+# Bogus allow because we don't handle keyring properly in code.
+auth_login_manage_key(sssd_t)
init_read_utmp(sssd_t)
@@ -112,18 +134,71 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t)
-miscfiles_read_localization(sssd_t)
+miscfiles_dontaudit_access_check_cert(sssd_t)
sysnet_dns_name_resolve(sssd_t)
sysnet_use_ldap(sssd_t)
+userdom_manage_tmp_role(system_r, sssd_t)
+userdom_manage_all_users_keys(sssd_t)
+userdom_dbus_send_all_users(sssd_t)
+userdom_home_reader(sssd_t)
+
optional_policy(`
dbus_system_bus_client(sssd_t)
dbus_connect_system_bus(sssd_t)
')
optional_policy(`
- kerberos_read_config(sssd_t)
kerberos_manage_host_rcache(sssd_t)
- kerberos_tmp_filetrans_host_rcache(sssd_t, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache(sssd_t, "host_0")
+ kerberos_read_home_content(sssd_t)
+ kerberos_rw_config(sssd_t)
+ kerberos_rw_keytab(sssd_t)
')
+
+optional_policy(`
+ dirsrv_stream_connect(sssd_t)
+')
+
+optional_policy(`
+ ldap_stream_connect(sssd_t)
+ ldap_read_certs(sssd_t)
+')
+
+optional_policy(`
+ samba_manage_var_dirs(sssd_t)
+ samba_manage_var_files(sssd_t)
+')
+
+optional_policy(`
+ systemd_login_read_pid_files(sssd_t)
+')
+
+optional_policy(`
+ realmd_read_var_lib(sssd_t)
+')
+
+########################################
+#
+# sssd SELinux manager local policy
+#
+
+allow sssd_selinux_manager_t self:capability { setgid setuid };
+dontaudit sssd_selinux_manager_t self:capability net_admin;
+
+domtrans_pattern(sssd_t, sssd_selinux_manager_exec_t, sssd_selinux_manager_t)
+
+init_ioctl_stream_sockets(sssd_selinux_manager_t)
+
+logging_send_audit_msgs(sssd_selinux_manager_t)
+
+seutil_semanage_policy(sssd_selinux_manager_t)
+seutil_manage_file_contexts(sssd_selinux_manager_t)
+seutil_manage_config(sssd_selinux_manager_t)
+seutil_manage_login_config(sssd_selinux_manager_t)
+seutil_manage_default_contexts(sssd_selinux_manager_t)
+
+seutil_exec_setfiles(sssd_selinux_manager_t)
+logging_dontaudit_search_audit_logs(sssd_selinux_manager_t)
+
diff --git a/stapserver.fc b/stapserver.fc
new file mode 100644
index 000000000..0ccce5918
--- /dev/null
+++ b/stapserver.fc
@@ -0,0 +1,7 @@
+/usr/bin/stap-server -- gen_context(system_u:object_r:stapserver_exec_t,s0)
+
+/var/lib/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_lib_t,s0)
+
+/var/log/stap-server(/.*)? gen_context(system_u:object_r:stapserver_log_t,s0)
+
+/var/run/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_run_t,s0)
diff --git a/stapserver.if b/stapserver.if
new file mode 100644
index 000000000..80c648055
--- /dev/null
+++ b/stapserver.if
@@ -0,0 +1,151 @@
+
+## <summary> Instrumentation System Server </summary>
+
+########################################
+## <summary>
+## Execute stapserver in the stapserver domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`stapserver_domtrans',`
+ gen_require(`
+ type stapserver_t, stapserver_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, stapserver_exec_t, stapserver_t)
+')
+########################################
+## <summary>
+## Read stapserver's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`stapserver_read_log',`
+ gen_require(`
+ type stapserver_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, stapserver_log_t, stapserver_log_t)
+')
+
+########################################
+## <summary>
+## Append to stapserver log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`stapserver_append_log',`
+ gen_require(`
+ type stapserver_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, stapserver_log_t, stapserver_log_t)
+')
+
+########################################
+## <summary>
+## Manage stapserver log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`stapserver_manage_log',`
+ gen_require(`
+ type stapserver_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, stapserver_log_t, stapserver_log_t)
+ manage_files_pattern($1, stapserver_log_t, stapserver_log_t)
+ manage_lnk_files_pattern($1, stapserver_log_t, stapserver_log_t)
+')
+########################################
+## <summary>
+## Read stapserver PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`stapserver_read_pid_files',`
+ gen_require(`
+ type stapserver_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 stapserver_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Manage stapserver lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`stapserver_manage_lib',`
+ gen_require(`
+ type stapserver_var_lib_t;
+ ')
+
+ manage_dirs_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t)
+ manage_files_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an stapserver environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`stapserver_admin',`
+ gen_require(`
+ type stapserver_t;
+ type stapserver_log_t;
+ type stapserver_var_run_t;
+ ')
+
+ allow $1 stapserver_t:process { ptrace signal_perms };
+ ps_process_pattern($1, stapserver_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, stapserver_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, stapserver_var_run_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/systemtap.te b/stapserver.te
similarity index 63%
rename from systemtap.te
rename to stapserver.te
index ffde36864..e2f0d931f 100644
--- a/systemtap.te
+++ b/stapserver.te
@@ -1,4 +1,4 @@
-policy_module(systemtap, 1.1.0)
+policy_module(stapserver, 1.1.1)
########################################
#
@@ -9,12 +9,6 @@ type stapserver_t;
type stapserver_exec_t;
init_daemon_domain(stapserver_t, stapserver_exec_t)
-type stapserver_initrc_exec_t;
-init_script_file(stapserver_initrc_exec_t)
-
-type stapserver_conf_t;
-files_config_file(stapserver_conf_t)
-
type stapserver_var_lib_t;
files_type(stapserver_var_lib_t)
@@ -24,50 +18,63 @@ logging_log_file(stapserver_log_t)
type stapserver_var_run_t;
files_pid_file(stapserver_var_run_t)
+type stapserver_tmp_t;
+files_tmp_file(stapserver_tmp_t)
+
########################################
#
-# Local policy
+# stapserver local policy
#
-allow stapserver_t self:capability { dac_override kill setuid setgid };
-allow stapserver_t self:process { setrlimit setsched signal };
+#runuser
+allow stapserver_t self:capability { setuid setgid };
+allow stapserver_t self:process setsched;
+
+allow stapserver_t self:capability { dac_read_search kill sys_ptrace};
+allow stapserver_t self:process { setrlimit signal };
+
allow stapserver_t self:fifo_file rw_fifo_file_perms;
allow stapserver_t self:key write;
-allow stapserver_t self:unix_stream_socket { accept listen };
-allow stapserver_t self:tcp_socket create_stream_socket_perms;
-
-allow stapserver_t stapserver_conf_t:file read_file_perms;
+allow stapserver_t self:unix_stream_socket create_stream_socket_perms;
+allow stapserver_t self:tcp_socket { accept listen };
manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir)
manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
-append_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
-create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
-setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
+manage_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
logging_log_filetrans(stapserver_t, stapserver_log_t, dir )
+manage_dirs_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
+manage_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
+manage_lnk_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
+files_tmp_filetrans(stapserver_t, stapserver_tmp_t, { file dir })
+
manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )
-kernel_read_kernel_sysctls(stapserver_t)
kernel_read_system_state(stapserver_t)
+kernel_read_kernel_sysctls(stapserver_t)
+files_list_kernel_modules(stapserver_t)
corecmd_exec_bin(stapserver_t)
corecmd_exec_shell(stapserver_t)
domain_read_all_domains_state(stapserver_t)
+domain_use_interactive_fds(stapserver_t)
-dev_read_rand(stapserver_t)
dev_read_sysfs(stapserver_t)
+dev_read_rand(stapserver_t)
dev_read_urand(stapserver_t)
files_list_tmp(stapserver_t)
-files_read_usr_files(stapserver_t)
files_search_kernel_modules(stapserver_t)
+fs_search_cgroup_dirs(stapserver_t)
+fs_getattr_all_fs(stapserver_t)
+
auth_use_nsswitch(stapserver_t)
init_read_utmp(stapserver_t)
@@ -75,12 +82,18 @@ init_read_utmp(stapserver_t)
logging_send_audit_msgs(stapserver_t)
logging_send_syslog_msg(stapserver_t)
-miscfiles_read_localization(stapserver_t)
+#lspci
miscfiles_read_hwdata(stapserver_t)
+systemd_dbus_chat_logind(stapserver_t)
+
userdom_use_user_terminals(stapserver_t)
optional_policy(`
+ avahi_dbus_chat(stapserver_t)
+')
+
+optional_policy(`
consoletype_exec(stapserver_t)
')
@@ -99,3 +112,4 @@ optional_policy(`
optional_policy(`
rpm_exec(stapserver_t)
')
+
diff --git a/stunnel.fc b/stunnel.fc
index 49dd63ca1..ae2e798f5 100644
--- a/stunnel.fc
+++ b/stunnel.fc
@@ -5,3 +5,5 @@
/usr/sbin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0)
/var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0)
+
+/var/log/stunnel.* -- gen_context(system_u:object_r:stunnel_log_t,s0)
diff --git a/stunnel.te b/stunnel.te
index 27a8480bc..fc3fca520 100644
--- a/stunnel.te
+++ b/stunnel.te
@@ -12,6 +12,9 @@ init_daemon_domain(stunnel_t, stunnel_exec_t)
type stunnel_etc_t;
files_config_file(stunnel_etc_t)
+type stunnel_log_t;
+logging_log_file(stunnel_log_t)
+
type stunnel_tmp_t;
files_tmp_file(stunnel_tmp_t)
@@ -23,9 +26,9 @@ files_pid_file(stunnel_var_run_t)
# Local policy
#
-allow stunnel_t self:capability { setgid setuid sys_chroot };
+allow stunnel_t self:capability { setgid setuid sys_chroot sys_nice };
dontaudit stunnel_t self:capability sys_tty_config;
-allow stunnel_t self:process signal_perms;
+allow stunnel_t self:process { setsched signal_perms };
allow stunnel_t self:fifo_file rw_fifo_file_perms;
allow stunnel_t self:tcp_socket { accept listen };
allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
@@ -34,6 +37,9 @@ allow stunnel_t stunnel_etc_t:dir list_dir_perms;
allow stunnel_t stunnel_etc_t:file read_file_perms;
allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms;
+allow stunnel_t stunnel_log_t:file manage_file_perms;
+logging_log_filetrans(stunnel_t, stunnel_log_t, file)
+
manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir })
@@ -48,7 +54,6 @@ kernel_read_network_state(stunnel_t)
corecmd_exec_bin(stunnel_t)
-corenet_all_recvfrom_unlabeled(stunnel_t)
corenet_all_recvfrom_netlabel(stunnel_t)
corenet_tcp_sendrecv_generic_if(stunnel_t)
corenet_tcp_sendrecv_generic_node(stunnel_t)
@@ -75,7 +80,6 @@ auth_use_nsswitch(stunnel_t)
logging_send_syslog_msg(stunnel_t)
miscfiles_read_generic_certs(stunnel_t)
-miscfiles_read_localization(stunnel_t)
userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
userdom_dontaudit_search_user_home_dirs(stunnel_t)
@@ -105,4 +109,5 @@ optional_policy(`
gen_require(`
type stunnel_port_t;
')
+
allow stunnel_t stunnel_port_t:tcp_socket name_bind;
diff --git a/svnserve.fc b/svnserve.fc
index effffd028..0d5c275de 100644
--- a/svnserve.fc
+++ b/svnserve.fc
@@ -1,8 +1,15 @@
-/etc/rc\.d/init\.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0)
+/etc/rc.d/init.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0)
-/usr/bin/svnserve -- gen_context(system_u:object_r:svnserve_exec_t,s0)
+/usr/bin/svnserve -- gen_context(system_u:object_r:svnserve_exec_t,s0)
-/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
+/lib/systemd/system/svnserve\.service -- gen_context(system_u:object_r:svnserve_unit_file_t,s0)
+/usr/lib/systemd/system/svnserve\.service -- gen_context(system_u:object_r:svnserve_unit_file_t,s0)
-/var/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_var_run_t,s0)
-/var/run/svnserve\.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0)
+/var/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_var_run_t,s0)
+/var/run/svnserve.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0)
+
+/var/svn(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
+/var/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
+/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
+
+/var/log/svnserve(/.*)? gen_context(system_u:object_r:svnserve_log_t,s0)
diff --git a/svnserve.if b/svnserve.if
index 2ac91b6e0..a97033d2b 100644
--- a/svnserve.if
+++ b/svnserve.if
@@ -1,35 +1,119 @@
-## <summary>Server for the svn repository access method.</summary>
+
+## <summary>policy for svnserve</summary>
+
+
+########################################
+## <summary>
+## Transition to svnserve.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`svnserve_domtrans',`
+ gen_require(`
+ type svnserve_t, svnserve_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, svnserve_exec_t, svnserve_t)
+')
+
+
+########################################
+## <summary>
+## Execute svnserve server in the svnserve domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`svnserve_initrc_domtrans',`
+ gen_require(`
+ type svnserve_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+## Execute svnserve server in the svnserve domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`svnserve_systemctl',`
+ gen_require(`
+ type svnserve_t;
+ type svnserve_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 svnserve_unit_file_t:file read_file_perms;
+ allow $1 svnserve_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, svnserve_t)
+')
########################################
## <summary>
-## All of the rules required to
-## administrate an svnserve environment.
+## Read svnserve PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+#
+interface(`svnserve_read_pid_files',`
+ gen_require(`
+ type svnserve_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 svnserve_var_run_t:file read_file_perms;
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an svnserve environment
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
interface(`svnserve_admin',`
gen_require(`
- type svnserve_t, svnserve_initrc_exec_t, svnserve_var_run_t;
+ type svnserve_t;
+ type svnserve_var_run_t;
+ type svnserve_unit_file_t;
')
allow $1 svnserve_t:process { ptrace signal_perms };
ps_process_pattern($1, svnserve_t)
- init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 svnserve_initrc_exec_t system_r;
- allow $2 system_r;
-
files_search_pids($1)
- admin_pattern($1, httpd_var_run_t)
+ admin_pattern($1, svnserve_var_run_t)
+
+ svnserve_systemctl($1)
+ admin_pattern($1, svnserve_unit_file_t)
+ allow $1 svnserve_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
+
diff --git a/svnserve.te b/svnserve.te
index 49d688d66..f7e23fe71 100644
--- a/svnserve.te
+++ b/svnserve.te
@@ -12,12 +12,21 @@ init_daemon_domain(svnserve_t, svnserve_exec_t)
type svnserve_initrc_exec_t;
init_script_file(svnserve_initrc_exec_t)
+type svnserve_unit_file_t;
+systemd_unit_file(svnserve_unit_file_t)
+
type svnserve_content_t;
files_type(svnserve_content_t)
type svnserve_var_run_t;
files_pid_file(svnserve_var_run_t)
+type svnserve_tmp_t;
+files_tmp_file(svnserve_tmp_t)
+
+type svnserve_log_t;
+logging_log_file(svnserve_log_t)
+
########################################
#
# Local policy
@@ -27,6 +36,11 @@ allow svnserve_t self:fifo_file rw_fifo_file_perms;
allow svnserve_t self:tcp_socket create_stream_socket_perms;
allow svnserve_t self:unix_stream_socket { listen accept };
+manage_dirs_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t)
+manage_files_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t)
+manage_lnk_files_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t)
+files_tmp_filetrans(svnserve_t, svnserve_tmp_t, { file dir })
+
manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
@@ -34,8 +48,9 @@ manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file })
-files_read_etc_files(svnserve_t)
-files_read_usr_files(svnserve_t)
+manage_files_pattern(svnserve_t, svnserve_log_t, svnserve_log_t)
+manage_dirs_pattern(svnserve_t, svnserve_log_t, svnserve_log_t)
+logging_log_filetrans(svnserve_t, svnserve_log_t, { dir file })
corenet_all_recvfrom_unlabeled(svnserve_t)
corenet_all_recvfrom_netlabel(svnserve_t)
@@ -52,8 +67,13 @@ corenet_tcp_sendrecv_svn_port(svnserve_t)
corenet_udp_bind_svn_port(svnserve_t)
corenet_udp_sendrecv_svn_port(svnserve_t)
-logging_send_syslog_msg(svnserve_t)
+dev_read_rand(svnserve_t)
+dev_read_urand(svnserve_t)
-miscfiles_read_localization(svnserve_t)
+logging_send_syslog_msg(svnserve_t)
sysnet_dns_name_resolve(svnserve_t)
+
+optional_policy(`
+ kerberos_use(svnserve_t)
+')
diff --git a/swift.fc b/swift.fc
new file mode 100644
index 000000000..6d897bc25
--- /dev/null
+++ b/swift.fc
@@ -0,0 +1,36 @@
+/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-account-server -- gen_context(system_u:object_r:swift_exec_t,s0)
+
+/usr/bin/swift-container-auditor -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-container-replicator -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-container-server -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-container-sync -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-container-updater -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-container-reconciler -- gen_context(system_u:object_r:swift_exec_t,s0)
+
+/usr/bin/swift-object-auditor -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-object-info -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-object-expirer -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-object-replicator -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-object-server -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-object-updater -- gen_context(system_u:object_r:swift_exec_t,s0)
+
+/usr/bin/swift-proxy-server -- gen_context(system_u:object_r:swift_exec_t,s0)
+
+/usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0)
+
+/var/lock/swift.* gen_context(system_u:object_r:swift_lock_t,s0)
+/var/cache/swift(/.*)? -- gen_context(system_u:object_r:swift_var_cache_t,s0)
+/var/run/swift(/.*)? -- gen_context(system_u:object_r:swift_var_run_t,s0)
+
+/var/lib/swift(/.*)? gen_context(system_u:object_r:swift_data_t,s0)
+
+# This seems to be a de-facto standard when using swift.
+/srv/node(/.*)? gen_context(system_u:object_r:swift_data_t,s0)
+
+# This is specific to RHOS's packstack utility
+ifdef(`distro_redhat', `
+/srv/loopback-device(/.*)? gen_context(system_u:object_r:swift_data_t,s0)
+')
diff --git a/swift.if b/swift.if
new file mode 100644
index 000000000..af26807a7
--- /dev/null
+++ b/swift.if
@@ -0,0 +1,156 @@
+
+## <summary>policy for swift</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the swift domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`swift_domtrans',`
+ gen_require(`
+ type swift_t, swift_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, swift_exec_t, swift_t)
+')
+
+########################################
+## <summary>
+## Read swift PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`swift_read_pid_files',`
+ gen_require(`
+ type swift_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, swift_var_run_t, swift_var_run_t)
+')
+
+########################################
+## <summary>
+## Manage swift data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`swift_manage_data_files',`
+ gen_require(`
+ type swift_data_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, swift_data_t, swift_data_t)
+ manage_dirs_pattern($1, swift_data_t, swift_data_t)
+')
+
+#####################################
+## <summary>
+## Read and write swift lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`swift_manage_lock',`
+ gen_require(`
+ type swift_lock_t;
+ ')
+
+ files_search_locks($1)
+ manage_files_pattern($1, swift_lock_t, swift_lock_t)
+')
+
+#######################################
+## <summary>
+## Transition content labels to swift named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`swift_filetrans_named_lock',`
+ gen_require(`
+ type swift_lock_t;
+ ')
+
+ files_lock_filetrans($1, swift_lock_t, file, "swift_server.lock")
+')
+
+########################################
+## <summary>
+## Execute swift server in the swift domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`swift_systemctl',`
+ gen_require(`
+ type swift_t;
+ type swift_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 swift_unit_file_t:file read_file_perms;
+ allow $1 swift_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, swift_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an swift environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`swift_admin',`
+ gen_require(`
+ type swift_t;
+ type swift_var_run_t;
+ type swift_unit_file_t;
+ ')
+
+ allow $1 swift_t:process { ptrace signal_perms };
+ ps_process_pattern($1, swift_t)
+
+ files_search_pids($1)
+ admin_pattern($1, swift_var_run_t)
+
+ swift_systemctl($1)
+ admin_pattern($1, swift_unit_file_t)
+ allow $1 swift_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/swift.te b/swift.te
new file mode 100644
index 000000000..c2f086fe7
--- /dev/null
+++ b/swift.te
@@ -0,0 +1,129 @@
+policy_module(swift, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether swift can
+## connect to all TCP ports
+## </p>
+## </desc>
+gen_tunable(swift_can_network, false)
+
+
+type swift_t;
+type swift_exec_t;
+init_daemon_domain(swift_t, swift_exec_t)
+
+type swift_lock_t;
+files_lock_file(swift_lock_t)
+
+type swift_tmp_t;
+files_tmp_file(swift_tmp_t)
+
+type swift_tmpfs_t;
+files_tmpfs_file(swift_tmpfs_t)
+
+type swift_var_cache_t;
+files_type(swift_var_cache_t)
+
+type swift_var_run_t;
+files_pid_file(swift_var_run_t)
+
+type swift_unit_file_t;
+systemd_unit_file(swift_unit_file_t)
+
+type swift_data_t;
+files_type(swift_data_t)
+
+########################################
+#
+# swift local policy
+#
+
+allow swift_t self:process signal;
+
+allow swift_t self:fifo_file rw_fifo_file_perms;
+allow swift_t self:tcp_socket create_stream_socket_perms;
+allow swift_t self:unix_stream_socket create_stream_socket_perms;
+allow swift_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(swift_t, swift_lock_t, swift_lock_t)
+manage_files_pattern(swift_t, swift_lock_t, swift_lock_t)
+files_lock_filetrans(swift_t, swift_lock_t, { dir file })
+
+manage_dirs_pattern(swift_t, swift_tmp_t, swift_tmp_t)
+manage_files_pattern(swift_t, swift_tmp_t, swift_tmp_t)
+files_tmp_filetrans(swift_t, swift_tmp_t, { dir file })
+
+manage_dirs_pattern(swift_t, swift_tmpfs_t, swift_tmpfs_t)
+manage_files_pattern(swift_t, swift_tmpfs_t, swift_tmpfs_t)
+fs_tmpfs_filetrans(swift_t, swift_tmpfs_t, { dir file })
+
+manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
+manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
+manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
+files_var_filetrans(swift_t,swift_var_cache_t, { dir file })
+
+manage_dirs_pattern(swift_t, swift_var_run_t, swift_var_run_t)
+manage_files_pattern(swift_t, swift_var_run_t, swift_var_run_t)
+manage_lnk_files_pattern(swift_t, swift_var_run_t, swift_var_run_t)
+files_pid_filetrans(swift_t, swift_var_run_t, { dir })
+
+# swift makes use of rsync, so we need to give rsync permissions
+# to edit swift_data_t files as well as swift_t those permissions
+manage_dirs_pattern(swift_t, swift_data_t, swift_data_t)
+manage_files_pattern(swift_t, swift_data_t, swift_data_t)
+
+kernel_dgram_send(swift_t)
+kernel_read_system_state(swift_t)
+kernel_read_network_state(swift_t)
+
+# bug in swift
+corenet_tcp_bind_xserver_port(swift_t)
+
+corenet_tcp_bind_swift_port(swift_t)
+corenet_tcp_bind_http_cache_port(swift_t)
+
+corenet_tcp_connect_xserver_port(swift_t)
+corenet_tcp_connect_swift_port(swift_t)
+corenet_tcp_connect_keystone_port(swift_t)
+corenet_tcp_connect_memcache_port(swift_t)
+corenet_tcp_connect_all_ephemeral_ports(swift_t)
+
+corecmd_exec_shell(swift_t)
+corecmd_exec_bin(swift_t)
+
+dev_read_urand(swift_t)
+
+domain_use_interactive_fds(swift_t)
+
+files_dontaudit_search_home(swift_t)
+
+fs_getattr_all_fs(swift_t)
+
+auth_use_nsswitch(swift_t)
+
+libs_exec_ldconfig(swift_t)
+
+logging_send_syslog_msg(swift_t)
+
+userdom_dontaudit_search_user_home_dirs(swift_t)
+
+tunable_policy(`swift_can_network',`
+ corenet_sendrecv_all_client_packets(swift_t)
+ corenet_tcp_connect_all_ports(swift_t)
+ corenet_tcp_sendrecv_all_ports(swift_t)
+')
+
+optional_policy(`
+ apache_search_config(swift_t)
+')
+
+optional_policy(`
+ rpm_exec(swift_t)
+ rpm_dontaudit_manage_db(swift_t)
+')
diff --git a/swift_alias.fc b/swift_alias.fc
new file mode 100644
index 000000000..b7db25411
--- /dev/null
+++ b/swift_alias.fc
@@ -0,0 +1 @@
+# Empty
diff --git a/swift_alias.if b/swift_alias.if
new file mode 100644
index 000000000..3fed1a374
--- /dev/null
+++ b/swift_alias.if
@@ -0,0 +1,2 @@
+
+## <summary>swift_alias policy module</summary>
diff --git a/swift_alias.te b/swift_alias.te
new file mode 100644
index 000000000..6e39c4fff
--- /dev/null
+++ b/swift_alias.te
@@ -0,0 +1,26 @@
+policy_module(swift_alias, 1.0.0)
+
+#
+# swift_alias.pp policy replaces swift.pp policy
+# which is a part of openstack-selinux.rpm package
+#
+
+########################################
+#
+# Declarations
+#
+
+#call stub interfaces for basic types
+init_stub_initrc()
+corecmd_stub_bin()
+files_stub_var_run()
+files_stub_var()
+systemd_stub_unit_file()
+
+typealias initrc_t alias swift_t;
+typealias bin_t alias swift_exec_t;
+typealias var_run_t alias swift_var_run_t;
+typealias systemd_unit_file_t alias swift_unit_file_t;
+typealias var_t alias swift_data_t;
+
+
diff --git a/sxid.te b/sxid.te
index 01a9d0acd..4a6834400 100644
--- a/sxid.te
+++ b/sxid.te
@@ -20,7 +20,7 @@ files_tmp_file(sxid_tmp_t)
# Local policy
#
-allow sxid_t self:capability { dac_override dac_read_search fsetid };
+allow sxid_t self:capability { dac_read_search fsetid };
dontaudit sxid_t self:capability { setuid setgid sys_tty_config };
allow sxid_t self:process signal_perms;
allow sxid_t self:fifo_file rw_fifo_file_perms;
@@ -40,7 +40,6 @@ kernel_read_kernel_sysctls(sxid_t)
corecmd_exec_bin(sxid_t)
corecmd_exec_shell(sxid_t)
-corenet_all_recvfrom_unlabeled(sxid_t)
corenet_all_recvfrom_netlabel(sxid_t)
corenet_tcp_sendrecv_generic_if(sxid_t)
corenet_udp_sendrecv_generic_if(sxid_t)
@@ -66,7 +65,7 @@ fs_list_all(sxid_t)
term_dontaudit_use_console(sxid_t)
-files_read_non_auth_files(sxid_t)
+files_read_non_security_files(sxid_t)
auth_dontaudit_getattr_shadow(sxid_t)
init_use_fds(sxid_t)
@@ -74,8 +73,6 @@ init_use_script_ptys(sxid_t)
logging_send_syslog_msg(sxid_t)
-miscfiles_read_localization(sxid_t)
-
sysnet_read_config(sxid_t)
userdom_dontaudit_use_unpriv_user_fds(sxid_t)
diff --git a/sysstat.te b/sysstat.te
index b92f6775a..46c689d97 100644
--- a/sysstat.te
+++ b/sysstat.te
@@ -20,13 +20,11 @@ logging_log_file(sysstat_log_t)
# Local policy
#
-allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config };
+allow sysstat_t self:capability { dac_read_search sys_admin sys_resource sys_tty_config };
allow sysstat_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
-append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
-create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
-setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
@@ -38,6 +36,7 @@ kernel_read_kernel_sysctls(sysstat_t)
kernel_read_fs_sysctls(sysstat_t)
kernel_read_rpc_sysctls(sysstat_t)
+corecmd_exec_shell(sysstat_t)
corecmd_exec_bin(sysstat_t)
dev_read_sysfs(sysstat_t)
@@ -46,11 +45,13 @@ dev_read_urand(sysstat_t)
files_search_var(sysstat_t)
files_read_etc_runtime_files(sysstat_t)
-fs_getattr_xattr_fs(sysstat_t)
+fs_getattr_all_fs(sysstat_t)
fs_list_inotifyfs(sysstat_t)
+storage_getattr_fixed_disk_dev(sysstat_t)
+
term_use_console(sysstat_t)
-term_use_all_terms(sysstat_t)
+term_use_all_inherited_terms(sysstat_t)
auth_use_nsswitch(sysstat_t)
@@ -60,10 +61,9 @@ locallogin_use_fds(sysstat_t)
logging_send_syslog_msg(sysstat_t)
-miscfiles_read_localization(sysstat_t)
-
userdom_dontaudit_list_user_home_dirs(sysstat_t)
optional_policy(`
cron_system_entry(sysstat_t, sysstat_exec_t)
')
+
diff --git a/systemtap.fc b/systemtap.fc
deleted file mode 100644
index 1710cbbe8..000000000
--- a/systemtap.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-/etc/stap-server(/.*)? -- gen_context(system_u:object_r:stapserver_conf_t,s0)
-
-/etc/rc\.d/init\.d/stap-server -- gen_context(system_u:object_r:stapserver_initrc_exec_t,s0)
-
-/usr/bin/stap-server -- gen_context(system_u:object_r:stapserver_exec_t,s0)
-
-/var/lib/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_lib_t,s0)
-
-/var/log/stap-server(/.*)? gen_context(system_u:object_r:stapserver_log_t,s0)
-
-/var/run/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_run_t,s0)
diff --git a/systemtap.if b/systemtap.if
deleted file mode 100644
index c755e2d93..000000000
--- a/systemtap.if
+++ /dev/null
@@ -1,45 +0,0 @@
-## <summary>instrumentation system for Linux.</summary>
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an stapserver environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`stapserver_admin',`
- gen_require(`
- type stapserver_t, stapserver_conf_t, stapserver_log_t;
- type stap_server_var_run_t, stapserver_initrc_exec_t, stapserver_var_lib_t;
- ')
-
- allow $1 stapserver_t:process { ptrace signal_perms };
- ps_process_pattern($1, stapserver_t)
-
- init_labeled_script_domtrans($1, stapserver_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 stapserver_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_etc($1)
- admin_pattern($1, stapserver_conf_t)
-
- files_search_var_lib($1)
- admin_pattern($1, stapserver_var_lib_t)
-
- logging_search_logs($1)
- admin_pattern($1, stapserver_log_t)
-
- files_search_pids($1)
- admin_pattern($1, stapserver_var_run_t)
-')
diff --git a/targetd.fc b/targetd.fc
new file mode 100644
index 000000000..c1ef0535f
--- /dev/null
+++ b/targetd.fc
@@ -0,0 +1,5 @@
+/etc/target(/.*)? gen_context(system_u:object_r:targetd_etc_rw_t,s0)
+
+/usr/bin/targetd -- gen_context(system_u:object_r:targetd_exec_t,s0)
+
+/usr/lib/systemd/system/targetd.* -- gen_context(system_u:object_r:targetd_unit_file_t,s0)
diff --git a/targetd.if b/targetd.if
new file mode 100644
index 000000000..a6e216c73
--- /dev/null
+++ b/targetd.if
@@ -0,0 +1,167 @@
+
+## <summary> Targetd is a service to allow the remote configuration of block device volumes and file systems within dedicated pools </summary>
+
+########################################
+## <summary>
+## Execute targetd_exec_t in the targetd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`targetd_domtrans',`
+ gen_require(`
+ type targetd_t, targetd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, targetd_exec_t, targetd_t)
+')
+
+######################################
+## <summary>
+## Execute targetd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`targetd_exec',`
+ gen_require(`
+ type targetd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, targetd_exec_t)
+')
+
+########################################
+## <summary>
+## Search targetd conf directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`targetd_search_conf',`
+ gen_require(`
+ type targetd_etc_rw_t;
+ ')
+
+ allow $1 targetd_etc_rw_t:dir search_dir_perms;
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Read targetd conf files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`targetd_read_conf_files',`
+ gen_require(`
+ type targetd_etc_rw_t;
+ ')
+
+ allow $1 targetd_etc_rw_t:dir list_dir_perms;
+ read_files_pattern($1, targetd_etc_rw_t, targetd_etc_rw_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Manage targetd conf files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`targetd_manage_conf_files',`
+ gen_require(`
+ type targetd_etc_rw_t;
+ ')
+
+ manage_files_pattern($1, targetd_etc_rw_t, targetd_etc_rw_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Execute targetd server in the targetd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`targetd_systemctl',`
+ gen_require(`
+ type targetd_t;
+ type targetd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 targetd_unit_file_t:file read_file_perms;
+ allow $1 targetd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, targetd_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an targetd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`targetd_admin',`
+ gen_require(`
+ type targetd_t;
+ type targetd_etc_rw_t;
+ type targetd_unit_file_t;
+ ')
+
+ allow $1 targetd_t:process { signal_perms };
+ ps_process_pattern($1, targetd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 targetd_t:process ptrace;
+ ')
+
+ files_search_etc($1)
+ admin_pattern($1, targetd_etc_rw_t)
+
+ targetd_systemctl($1)
+ admin_pattern($1, targetd_unit_file_t)
+ allow $1 targetd_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
+
diff --git a/targetd.te b/targetd.te
new file mode 100644
index 000000000..acdccbb18
--- /dev/null
+++ b/targetd.te
@@ -0,0 +1,109 @@
+policy_module(targetd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type targetd_t;
+type targetd_exec_t;
+init_daemon_domain(targetd_t, targetd_exec_t)
+
+type targetd_etc_rw_t;
+files_type(targetd_etc_rw_t)
+
+type targetd_unit_file_t;
+systemd_unit_file(targetd_unit_file_t)
+
+type targetd_tmp_t;
+files_tmp_file(targetd_tmp_t)
+
+########################################
+#
+# targetd local policy
+#
+
+allow targetd_t self:capability { ipc_lock sys_admin sys_nice };
+allow targetd_t self:fifo_file rw_fifo_file_perms;
+allow targetd_t self:unix_stream_socket create_stream_socket_perms;
+allow targetd_t self:unix_dgram_socket create_socket_perms;
+allow targetd_t self:tcp_socket { accept listen };
+allow targetd_t self:netlink_route_socket r_netlink_socket_perms;
+allow targetd_t self:process { setfscreate setsched };
+
+manage_dirs_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t)
+manage_files_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t)
+files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file })
+
+manage_dirs_pattern(targetd_t, targetd_tmp_t, targetd_tmp_t)
+manage_files_pattern(targetd_t, targetd_tmp_t, targetd_tmp_t)
+files_tmp_filetrans(targetd_t, targetd_tmp_t, { file dir })
+
+files_rw_isid_type_dirs(targetd_t)
+
+fs_getattr_xattr_fs(targetd_t)
+fs_manage_configfs_files(targetd_t)
+fs_manage_configfs_lnk_files(targetd_t)
+fs_manage_configfs_dirs(targetd_t)
+fs_read_nfsd_files(targetd_t)
+
+kernel_rw_rpc_sysctls(targetd_t)
+kernel_get_sysvipc_info(targetd_t)
+kernel_read_system_state(targetd_t)
+kernel_read_network_state(targetd_t)
+kernel_load_module(targetd_t)
+kernel_request_load_module(targetd_t)
+kernel_dgram_send(targetd_t)
+
+rpc_read_exports(targetd_t)
+
+storage_raw_rw_fixed_disk(targetd_t)
+
+auth_use_nsswitch(targetd_t)
+
+corecmd_exec_shell(targetd_t)
+corecmd_exec_bin(targetd_t)
+
+corenet_tcp_bind_generic_node(targetd_t)
+corenet_tcp_bind_lsm_plugin_port(targetd_t)
+
+dev_rw_sysfs(targetd_t)
+dev_read_urand(targetd_t)
+dev_rw_lvm_control(targetd_t)
+dev_getattr_loop_control(targetd_t)
+
+libs_exec_ldconfig(targetd_t)
+
+seutil_dontaudit_read_module_store(targetd_t)
+
+storage_raw_read_fixed_disk(targetd_t)
+storage_raw_read_removable_device(targetd_t)
+
+sysnet_read_config(targetd_t)
+
+optional_policy(`
+ lvm_read_config(targetd_t)
+ lvm_write_metadata(targetd_t)
+ lvm_manage_metadata(targetd_t)
+ lvm_manage_lock(targetd_t)
+ lvm_rw_pipes(targetd_t)
+ lvm_stream_connect(targetd_t)
+')
+
+optional_policy(`
+ modutils_read_module_config(targetd_t)
+')
+
+optional_policy(`
+ rpc_manage_nfs_state_data(targetd_t)
+')
+
+optional_policy(`
+ rpm_dontaudit_read_db(targetd_t)
+ rpm_dontaudit_exec(targetd_t)
+')
+
+optional_policy(`
+ udev_read_pid_files(targetd_t)
+')
+
diff --git a/tcpd.te b/tcpd.te
index 2d6d2c23d..db18a804b 100644
--- a/tcpd.te
+++ b/tcpd.te
@@ -23,7 +23,6 @@ manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
-corenet_all_recvfrom_unlabeled(tcpd_t)
corenet_all_recvfrom_netlabel(tcpd_t)
corenet_tcp_sendrecv_generic_if(tcpd_t)
corenet_tcp_sendrecv_generic_node(tcpd_t)
@@ -31,15 +30,12 @@ corenet_tcp_sendrecv_all_ports(tcpd_t)
fs_getattr_xattr_fs(tcpd_t)
-corecmd_search_bin(tcpd_t)
+corecmd_exec_bin(tcpd_t)
-files_read_etc_files(tcpd_t)
files_dontaudit_search_var(tcpd_t)
logging_send_syslog_msg(tcpd_t)
-miscfiles_read_localization(tcpd_t)
-
sysnet_read_config(tcpd_t)
inetd_domtrans_child(tcpd_t)
diff --git a/tcsd.if b/tcsd.if
index b42ec1d83..91b8f71dc 100644
--- a/tcsd.if
+++ b/tcsd.if
@@ -138,8 +138,11 @@ interface(`tcsd_admin',`
type tcsd_t, tcsd_initrc_exec_t, tcsd_var_lib_t;
')
- allow $1 tcsd_t:process { ptrace signal_perms };
+ allow $1 tcsd_t:process signal_perms;
ps_process_pattern($1, tcsd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 tcsd_t:process ptrace;
+ ')
tcsd_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/tcsd.te b/tcsd.te
index b26d44a8c..3d950454a 100644
--- a/tcsd.te
+++ b/tcsd.te
@@ -20,7 +20,7 @@ files_type(tcsd_var_lib_t)
# Local policy
#
-allow tcsd_t self:capability { dac_override setuid };
+allow tcsd_t self:capability { dac_read_search setuid };
allow tcsd_t self:process { signal sigkill };
allow tcsd_t self:tcp_socket { accept listen };
@@ -41,12 +41,8 @@ corenet_tcp_sendrecv_tcs_port(tcsd_t)
dev_read_urand(tcsd_t)
dev_rw_tpm(tcsd_t)
-files_read_usr_files(tcsd_t)
-
auth_use_nsswitch(tcsd_t)
init_read_utmp(tcsd_t)
logging_send_syslog_msg(tcsd_t)
-
-miscfiles_read_localization(tcsd_t)
diff --git a/telepathy.fc b/telepathy.fc
index 6c7f8f8a3..03fc88079 100644
--- a/telepathy.fc
+++ b/telepathy.fc
@@ -1,35 +1,23 @@
-HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0)
+HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0)
-HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
-HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
-HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
-HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t,s0)
+HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_data_home_t,s0)
-HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t,s0)
-HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t,s0)
-HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
+HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t, s0)
+HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0)
+HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
-/usr/lib/telepathy/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0)
-/usr/lib/telepathy/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
-/usr/lib/telepathy/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t,s0)
-/usr/lib/telepathy/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
-/usr/lib/telepathy/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t,s0)
-/usr/lib/telepathy/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
-/usr/lib/telepathy/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t,s0)
-/usr/lib/telepathy/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
-/usr/lib/telepathy/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
-/usr/lib/telepathy/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0)
-/usr/lib/telepathy/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0)
-
-/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0)
-/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
-/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t,s0)
-/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
-/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t,s0)
-/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
-/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0)
-/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
-/usr/libexec/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
-/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0)
-/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0)
+/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0)
+/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
+/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t, s0)
+/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
+/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t, s0)
+/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
+/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0)
+/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0)
+/usr/libexec/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0)
+/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0)
+/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
diff --git a/telepathy.if b/telepathy.if
index 42946bc10..9f70e4cf1 100644
--- a/telepathy.if
+++ b/telepathy.if
@@ -2,45 +2,39 @@
#######################################
## <summary>
-## The template to define a telepathy domain.
+## Creates basic types for telepathy
+## domain
## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
## <summary>
-## Domain prefix to be used.
+## Prefix for the domain.
## </summary>
## </param>
#
template(`telepathy_domain_template',`
gen_require(`
- attribute telepathy_domain, telepathy_executable, telepathy_tmp_content;
+ attribute telepathy_domain;
+ attribute telepathy_executable;
')
type telepathy_$1_t, telepathy_domain;
type telepathy_$1_exec_t, telepathy_executable;
- userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+ application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+ ubac_constrained(telepathy_$1_t)
- type telepathy_$1_tmp_t, telepathy_tmp_content;
+ type telepathy_$1_tmp_t;
userdom_user_tmp_file(telepathy_$1_tmp_t)
+ kernel_read_system_state(telepathy_$1_t)
+
auth_use_nsswitch(telepathy_$1_t)
')
#######################################
## <summary>
-## The role template for the telepathy module.
+## Role access for telepathy domains
+## that executes via dbus-session
## </summary>
-## <desc>
-## <p>
-## This template creates a derived domains which are used
-## for window manager applications.
-## </p>
-## </desc>
-## <param name="role_prefix">
-## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-## </summary>
-## </param>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
@@ -51,10 +45,15 @@ template(`telepathy_domain_template',`
## The type of the user domain.
## </summary>
## </param>
+## <param name="domain_prefix">
+## <summary>
+## User domain prefix to be used.
+## </summary>
+## </param>
#
-template(`telepathy_role_template',`
+template(`telepathy_role',`
gen_require(`
- attribute telepathy_domain, telepathy_tmp_content;
+ attribute telepathy_domain;
type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t;
type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t;
@@ -63,91 +62,84 @@ template(`telepathy_role_template',`
type telepathy_mission_control_exec_t, telepathy_salut_exec_t;
type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t;
type telepathy_msn_exec_t;
-
- type telepathy_mission_control_cache_home_t, telepathy_cache_home_t, telepathy_logger_cache_home_t;
- type telepathy_gabble_cache_home_t, telepathy_mission_control_home_t, telepathy_data_home_t;
- type telepathy_mission_control_data_home_t, telepathy_sunshine_home_t, telepathy_logger_data_home_t;
')
- role $2 types telepathy_domain;
-
- allow $3 telepathy_domain:process { ptrace signal_perms };
- ps_process_pattern($3, telepathy_domain)
+ role $1 types telepathy_domain;
- telepathy_gabble_stream_connect($3)
- telepathy_msn_stream_connect($3)
- telepathy_salut_stream_connect($3)
+ allow $2 telepathy_domain:process signal_perms;
+ ps_process_pattern($2, telepathy_domain)
- dbus_spec_session_domain($1, telepathy_gabble_exec_t, telepathy_gabble_t)
- dbus_spec_session_domain($1, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
- dbus_spec_session_domain($1, telepathy_idle_exec_t, telepathy_idle_t)
- dbus_spec_session_domain($1, telepathy_logger_exec_t, telepathy_logger_t)
- dbus_spec_session_domain($1, telepathy_mission_control_exec_t, telepathy_mission_control_t)
- dbus_spec_session_domain($1, telepathy_salut_exec_t, telepathy_salut_t)
- dbus_spec_session_domain($1, telepathy_sunshine_exec_t, telepathy_sunshine_t)
- dbus_spec_session_domain($1, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
- dbus_spec_session_domain($1, telepathy_msn_exec_t, telepathy_msn_t)
+ telepathy_gabble_stream_connect($2)
+ telepathy_msn_stream_connect($2)
+ telepathy_salut_stream_connect($2)
- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
+ dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t)
+ dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
+ dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t)
+ dbus_session_domain($3, telepathy_logger_exec_t, telepathy_logger_t)
+ dbus_session_domain($3, telepathy_mission_control_exec_t, telepathy_mission_control_t)
+ dbus_session_domain($3, telepathy_salut_exec_t, telepathy_salut_t)
+ dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
+ dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
+ dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:file { manage_file_perms relabel_file_perms };
- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:file { manage_file_perms relabel_file_perms };
- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:file { manage_file_perms relabel_file_perms };
-
- filetrans_pattern($3, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
- # gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky")
-
- filetrans_pattern($3, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
- # gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger")
-
- userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control")
- filetrans_pattern($3, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
- # gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections")
-
- userdom_user_home_dir_filetrans($3, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
-
- # gnome_cache_filetrans($3, telepathy_cache_home_t, dir, "telepathy")
- # gnome_data_filetrans($3, telepathy_data_home_t, dir, "telepathy")
-
- allow $3 telepathy_tmp_content:dir { manage_dir_perms relabel_dir_perms };
- allow $3 telepathy_tmp_content:file { manage_file_perms relabel_file_perms };
- allow $3 telepathy_tmp_content:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ telepathy_dbus_chat($2)
')
########################################
## <summary>
-## Connect to gabble with a unix
-## domain stream socket.
+## Stream connect to Telepathy Gabble
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-interface(`telepathy_gabble_stream_connect',`
+interface(`telepathy_gabble_stream_connect', `
gen_require(`
type telepathy_gabble_t, telepathy_gabble_tmp_t;
')
- files_search_tmp($1)
stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t)
+ files_search_tmp($1)
')
########################################
## <summary>
-## Send dbus messages to and from
-## gabble.
+## Allow Telepathy Gabble to stream connect to a domain.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_gabble_stream_connect_to', `
+ gen_require(`
+ type telepathy_gabble_t;
+ ')
+
+ stream_connect_pattern(telepathy_gabble_t, $2, $2, $1)
+')
+
+########################################
+## <summary>
+## Send DBus messages to and from
+## Telepathy Gabble.
+## </summary>
+## <param name="domain">
+## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-interface(`telepathy_gabble_dbus_chat',`
+interface(`telepathy_gabble_dbus_chat', `
gen_require(`
type telepathy_gabble_t;
class dbus send_msg;
@@ -159,10 +151,10 @@ interface(`telepathy_gabble_dbus_chat',`
########################################
## <summary>
-## Read mission control process state files.
+## Read telepathy mission control state.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
## </summary>
## </param>
@@ -173,15 +165,12 @@ interface(`telepathy_mission_control_read_state',`
')
kernel_search_proc($1)
- allow $1 telepathy_mission_control_t:dir list_dir_perms;
- allow $1 telepathy_mission_control_t:file read_file_perms;
- allow $1 telepathy_mission_control_t:lnk_file read_lnk_file_perms;
+ ps_process_pattern($1, telepathy_mission_control_t)
')
#######################################
## <summary>
-## Connect to msn with a unix
-## domain stream socket.
+## Stream connect to telepathy MSN managers
## </summary>
## <param name="domain">
## <summary>
@@ -189,19 +178,18 @@ interface(`telepathy_mission_control_read_state',`
## </summary>
## </param>
#
-interface(`telepathy_msn_stream_connect',`
+interface(`telepathy_msn_stream_connect', `
gen_require(`
type telepathy_msn_t, telepathy_msn_tmp_t;
')
- files_search_tmp($1)
stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t)
+ files_search_tmp($1)
')
########################################
## <summary>
-## Connect to salut with a unix
-## domain stream socket.
+## Stream connect to Telepathy Salut
## </summary>
## <param name="domain">
## <summary>
@@ -209,11 +197,140 @@ interface(`telepathy_msn_stream_connect',`
## </summary>
## </param>
#
-interface(`telepathy_salut_stream_connect',`
+interface(`telepathy_salut_stream_connect', `
gen_require(`
type telepathy_salut_t, telepathy_salut_tmp_t;
')
- files_search_tmp($1)
stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
+ files_search_tmp($1)
+')
+
+#######################################
+## <summary>
+## Send DBus messages to and from
+## all Telepathy domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_dbus_chat',`
+ gen_require(`
+ attribute telepathy_domain;
+ class dbus send_msg;
+ ')
+
+ allow $1 telepathy_domain:dbus send_msg;
+ allow telepathy_domain $1:dbus send_msg;
+')
+
+######################################
+## <summary>
+## Execute telepathy executable
+## in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a telepathy executable
+## in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`telepathy_command_domtrans', `
+ gen_require(`
+ attribute telepathy_executable;
+ ')
+
+ allow $2 telepathy_executable:file entrypoint;
+ domain_transition_pattern($1, telepathy_executable, $2)
+ type_transition $1 telepathy_executable:process $2;
+
+ # needs to dbus chat with unconfined_t and unconfined_dbusd_t
+ optional_policy(`
+ telepathy_dbus_chat($1)
+ telepathy_dbus_chat($2)
+ ')
+')
+
+########################################
+## <summary>
+## Create telepathy content in the user home directory
+## with an correct label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_filetrans_home_content',`
+ gen_require(`
+ type telepathy_mission_control_cache_home_t;
+ type telepathy_mission_control_home_t;
+ type telepathy_logger_cache_home_t;
+ type telepathy_gabble_cache_home_t;
+ type telepathy_sunshine_home_t;
+ type telepathy_logger_data_home_t;
+ type telepathy_cache_home_t, telepathy_data_home_t;
+ type telepathy_mission_control_data_home_t;
+ ')
+
+ filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
+ filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, file, "sqlite-data-journal")
+ filetrans_pattern($1, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
+
+ filetrans_pattern($1, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
+
+ userdom_user_home_dir_filetrans($1, telepathy_mission_control_home_t, dir, ".mission-control")
+ userdom_user_home_dir_filetrans($1, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
+
+ optional_policy(`
+ gnome_cache_filetrans($1, telepathy_mission_control_cache_home_t, file, ".mc_connections")
+ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble")
+ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "wocky")
+ gnome_cache_filetrans($1, telepathy_cache_home_t, dir, "telepathy")
+
+ gnome_data_filetrans($1, telepathy_logger_data_home_t, dir, "TpLogger")
+ gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
+ ')
+')
+
+######################################
+## <summary>
+## Execute telepathy in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_exec',`
+ gen_require(`
+ attribute telepathy_executable;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, telepathy_executable)
')
diff --git a/telepathy.te b/telepathy.te
index 9afcbc95c..7b8ddb489 100644
--- a/telepathy.te
+++ b/telepathy.te
@@ -2,28 +2,27 @@ policy_module(telepathy, 1.4.2)
########################################
#
-# Declarations
+# Declarations.
#
## <desc>
-## <p>
-## Determine whether telepathy connection
-## managers can connect to generic tcp ports.
-## </p>
+## <p>
+## Allow the Telepathy connection managers
+## to connect to any generic TCP port.
+## </p>
## </desc>
gen_tunable(telepathy_tcp_connect_generic_network_ports, false)
## <desc>
-## <p>
-## Determine whether telepathy connection
-## managers can connect to any port.
-## </p>
+## <p>
+## Allow the Telepathy connection managers
+## to connect to any network port.
+## </p>
## </desc>
gen_tunable(telepathy_connect_all_ports, false)
attribute telepathy_domain;
attribute telepathy_executable;
-attribute telepathy_tmp_content;
telepathy_domain_template(gabble)
@@ -67,179 +66,157 @@ userdom_user_home_content(telepathy_sunshine_home_t)
#######################################
#
-# Gabble local policy
+# Telepathy Gabble local policy.
#
-allow telepathy_gabble_t self:tcp_socket { accept listen };
+allow telepathy_gabble_t self:tcp_socket create_stream_socket_perms;
allow telepathy_gabble_t self:unix_dgram_socket { create_socket_perms sendto };
-# ~/.cache/telepathy/gabble/caps-cache.db-journal
-manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
-manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
-filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
-# gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir, "wocky")
-
manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file })
-corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
+# ~/.cache/telepathy/gabble/caps-cache.db-journal
+optional_policy(`
+ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+ manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+ filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir)
+ # ~/.cache/wocky
+ gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir)
+')
+
corenet_all_recvfrom_netlabel(telepathy_gabble_t)
corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
corenet_tcp_sendrecv_generic_node(telepathy_gabble_t)
-
-corenet_sendrecv_http_client_packets(telepathy_gabble_t)
corenet_tcp_connect_http_port(telepathy_gabble_t)
-corenet_tcp_sendrecv_http_port(telepathy_gabble_t)
-
-corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t)
corenet_tcp_connect_jabber_client_port(telepathy_gabble_t)
-corenet_tcp_sendrecv_jabber_client_port(telepathy_gabble_t)
-
-corenet_sendrecv_vnc_client_packets(telepathy_gabble_t)
corenet_tcp_connect_vnc_port(telepathy_gabble_t)
-corenet_tcp_sendrecv_vnc_port(telepathy_gabble_t)
+corenet_sendrecv_http_client_packets(telepathy_gabble_t)
+corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t)
+corenet_sendrecv_vnc_client_packets(telepathy_gabble_t)
dev_read_rand(telepathy_gabble_t)
files_read_config_files(telepathy_gabble_t)
-files_read_usr_files(telepathy_gabble_t)
+
+fs_getattr_all_fs(telepathy_gabble_t)
miscfiles_read_all_certs(telepathy_gabble_t)
tunable_policy(`telepathy_connect_all_ports',`
- corenet_sendrecv_all_client_packets(telepathy_gabble_t)
corenet_tcp_connect_all_ports(telepathy_gabble_t)
corenet_tcp_sendrecv_all_ports(telepathy_gabble_t)
+ corenet_udp_sendrecv_all_ports(telepathy_gabble_t)
')
tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
- corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
corenet_tcp_connect_generic_port(telepathy_gabble_t)
- corenet_tcp_sendrecv_generic_port(telepathy_gabble_t)
+ corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(telepathy_gabble_t)
- fs_manage_nfs_files(telepathy_gabble_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(telepathy_gabble_t)
- fs_manage_cifs_files(telepathy_gabble_t)
-')
+userdom_home_manager(telepathy_gabble_t)
optional_policy(`
dbus_system_bus_client(telepathy_gabble_t)
')
-# optional_policy(`
- # ~/.config/dconf/user
- # gnome_manage_generic_home_content(telepathy_gabble_t)
-# ')
+optional_policy(`
+ gnome_manage_home_config(telepathy_gabble_t)
+')
#######################################
#
-# Idle local policy
+# Telepathy Idle local policy.
#
corenet_all_recvfrom_netlabel(telepathy_idle_t)
-corenet_all_recvfrom_unlabeled(telepathy_idle_t)
corenet_tcp_sendrecv_generic_if(telepathy_idle_t)
corenet_tcp_sendrecv_generic_node(telepathy_idle_t)
-
-corenet_sendrecv_gatekeeper_client_packets(telepathy_idle_t)
corenet_tcp_connect_gatekeeper_port(telepathy_idle_t)
-corenet_tcp_sendrecv_gatekeeper_port(telepathy_idle_t)
-
-corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
corenet_tcp_connect_ircd_port(telepathy_idle_t)
-corenet_tcp_sendrecv_ircd_port(telepathy_idle_t)
+corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
dev_read_rand(telepathy_idle_t)
-files_read_usr_files(telepathy_idle_t)
-
tunable_policy(`telepathy_connect_all_ports',`
- corenet_sendrecv_all_client_packets(telepathy_idle_t)
corenet_tcp_connect_all_ports(telepathy_idle_t)
corenet_tcp_sendrecv_all_ports(telepathy_idle_t)
+ corenet_udp_sendrecv_all_ports(telepathy_idle_t)
')
tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
- corenet_sendrecv_generic_client_packets(telepathy_idle_t)
corenet_tcp_connect_generic_port(telepathy_idle_t)
- corenet_tcp_sendrecv_generic_port(telepathy_idle_t)
+ corenet_sendrecv_generic_client_packets(telepathy_idle_t)
')
#######################################
#
-# Logger local policy
+# Telepathy Logger local policy.
#
allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
manage_dirs_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
-filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
+filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir)
manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
-# gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir, "TpLogger")
-files_read_usr_files(telepathy_logger_t)
+optional_policy(`
+ gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir)
+')
+
files_search_pids(telepathy_logger_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(telepathy_logger_t)
- fs_manage_nfs_files(telepathy_logger_t)
-')
+fs_getattr_all_fs(telepathy_logger_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(telepathy_logger_t)
- fs_manage_cifs_files(telepathy_logger_t)
-')
+userdom_home_manager(telepathy_logger_t)
-# optional_policy(`
+optional_policy(`
# ~/.config/dconf/user
- # gnome_manage_generic_home_content(telepathy_logger_t)
-# ')
+ gnome_manage_home_config(telepathy_logger_t)
+')
#######################################
#
-# Mission-Control local policy
+# Telepathy Mission-Control local policy.
#
-
allow telepathy_mission_control_t self:process setsched;
manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
-userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control")
+userdom_search_user_home_dirs(telepathy_mission_control_t)
-manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
+manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+
+manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t })
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
-filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
+filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file })
-manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
-# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file, ".mc_connections")
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_tmp_t, telepathy_mission_control_tmp_t)
+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_tmp_t, telepathy_mission_control_tmp_t)
+manage_sock_files_pattern(telepathy_mission_control_t, telepathy_mission_control_tmp_t, telepathy_mission_control_tmp_t)
+exec_files_pattern(telepathy_mission_control_t, telepathy_mission_control_tmp_t, telepathy_mission_control_tmp_t)
+files_tmp_filetrans(telepathy_mission_control_t, telepathy_mission_control_tmp_t, { dir file sock_file })
+userdom_user_tmp_filetrans(telepathy_mission_control_t, telepathy_mission_control_tmp_t, { dir file sock_file })
+
+optional_policy(`
+ gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir)
+ gnome_manage_home_config(telepathy_mission_control_t)
+')
manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
dev_read_rand(telepathy_mission_control_t)
-files_list_tmp(telepathy_mission_control_t)
-files_read_usr_files(telepathy_mission_control_t)
+fs_getattr_all_fs(telepathy_mission_control_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(telepathy_mission_control_t)
- fs_manage_nfs_files(telepathy_mission_control_t)
-')
+files_list_tmp(telepathy_mission_control_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(telepathy_mission_control_t)
- fs_manage_cifs_files(telepathy_mission_control_t)
-')
+userdom_home_manager(telepathy_mission_control_t)
optional_policy(`
dbus_system_bus_client(telepathy_mission_control_t)
@@ -248,59 +225,48 @@ optional_policy(`
devicekit_dbus_chat_power(telepathy_mission_control_t)
')
optional_policy(`
- gnome_dbus_chat_all_gkeyringd(telepathy_mission_control_t)
+ gnome_dbus_chat_gkeyringd(telepathy_mission_control_t)
')
optional_policy(`
networkmanager_dbus_chat(telepathy_mission_control_t)
')
')
-# optional_policy(`
- # ~/.config/dconf/user
- # gnome_manage_generic_home_content(telepathy_mission_control_t)
-# ')
+# ~/.cache/.mc_connections.
+optional_policy(`
+ manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
+ gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file)
+')
#######################################
#
-# Butterfly and Haze local policy
+# Telepathy Butterfly and Haze local policy.
#
allow telepathy_msn_t self:process setsched;
+allow telepathy_msn_t self:unix_dgram_socket { write create connect };
manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
-
userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
+userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
can_exec(telepathy_msn_t, telepathy_msn_tmp_t)
corenet_all_recvfrom_netlabel(telepathy_msn_t)
-corenet_all_recvfrom_unlabeled(telepathy_msn_t)
corenet_tcp_sendrecv_generic_if(telepathy_msn_t)
corenet_tcp_sendrecv_generic_node(telepathy_msn_t)
-
-corenet_sendrecv_http_client_packets(telepathy_msn_t)
+corenet_tcp_bind_generic_node(telepathy_msn_t)
corenet_tcp_connect_http_port(telepathy_msn_t)
-corenet_tcp_sendrecv_http_port(telepathy_msn_t)
-
-corenet_sendrecv_mmcc_client_packets(telepathy_msn_t)
corenet_tcp_connect_mmcc_port(telepathy_msn_t)
-corenet_tcp_sendrecv_mmcc_port(telepathy_msn_t)
-
-corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
corenet_tcp_connect_msnp_port(telepathy_msn_t)
-corenet_tcp_sendrecv_msnp_port(telepathy_msn_t)
-
-corenet_sendrecv_sip_client_packets(telepathy_msn_t)
corenet_tcp_connect_sip_port(telepathy_msn_t)
-corenet_tcp_sendrecv_sip_port(telepathy_msn_t)
-
-corecmd_exec_bin(telepathy_msn_t)
-corecmd_exec_shell(telepathy_msn_t)
-
-files_read_usr_files(telepathy_msn_t)
+corenet_sendrecv_http_client_packets(telepathy_msn_t)
+corenet_sendrecv_mmcc_client_packets(telepathy_msn_t)
+corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
init_read_state(telepathy_msn_t)
@@ -310,18 +276,19 @@ logging_send_syslog_msg(telepathy_msn_t)
miscfiles_read_all_certs(telepathy_msn_t)
-# userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
-
tunable_policy(`telepathy_connect_all_ports',`
- corenet_sendrecv_all_client_packets(telepathy_msn_t)
corenet_tcp_connect_all_ports(telepathy_msn_t)
corenet_tcp_sendrecv_all_ports(telepathy_msn_t)
+ corenet_udp_sendrecv_all_ports(telepathy_msn_t)
')
tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
- corenet_sendrecv_generic_client_packets(telepathy_msn_t)
corenet_tcp_connect_generic_port(telepathy_msn_t)
- corenet_tcp_sendrecv_generic_port(telepathy_msn_t)
+ corenet_sendrecv_generic_client_packets(telepathy_msn_t)
+')
+
+optional_policy(`
+ gnome_read_gconf_home_files(telepathy_msn_t)
')
optional_policy(`
@@ -332,43 +299,33 @@ optional_policy(`
')
')
-# optional_policy(`
- # ~/.config/dconf/user
- # gnome_manage_generic_home_content(telepathy_msn_t)
-# ')
-
#######################################
#
-# Salut local policy
+# Telepathy Salut local policy.
#
-allow telepathy_salut_t self:tcp_socket { accept listen };
+allow telepathy_salut_t self:tcp_socket create_stream_socket_perms;
manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t)
files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file)
corenet_all_recvfrom_netlabel(telepathy_salut_t)
-corenet_all_recvfrom_unlabeled(telepathy_salut_t)
corenet_tcp_sendrecv_generic_if(telepathy_salut_t)
corenet_tcp_sendrecv_generic_node(telepathy_salut_t)
corenet_tcp_bind_generic_node(telepathy_salut_t)
-
-corenet_sendrecv_presence_server_packets(telepathy_salut_t)
corenet_tcp_bind_presence_port(telepathy_salut_t)
-corenet_sendrecv_presence_client_packets(telepathy_salut_t)
corenet_tcp_connect_presence_port(telepathy_salut_t)
-corenet_tcp_sendrecv_presence_port(telepathy_salut_t)
+corenet_sendrecv_presence_server_packets(telepathy_salut_t)
tunable_policy(`telepathy_connect_all_ports',`
- corenet_sendrecv_all_client_packets(telepathy_salut_t)
corenet_tcp_connect_all_ports(telepathy_salut_t)
corenet_tcp_sendrecv_all_ports(telepathy_salut_t)
+ corenet_udp_sendrecv_all_ports(telepathy_salut_t)
')
tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
- corenet_sendrecv_generic_client_packets(telepathy_salut_t)
corenet_tcp_connect_generic_port(telepathy_salut_t)
- corenet_tcp_sendrecv_generic_port(telepathy_salut_t)
+ corenet_sendrecv_generic_client_packets(telepathy_salut_t)
')
optional_policy(`
@@ -381,73 +338,51 @@ optional_policy(`
#######################################
#
-# Sofiasip local policy
+# Telepathy Sofiasip local policy.
#
-allow telepathy_sofiasip_t self:rawip_socket create_stream_socket_perms;
-allow telepathy_sofiasip_t self:tcp_socket { accept listen };
+allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen };
+allow telepathy_sofiasip_t self:tcp_socket create_stream_socket_perms;
corenet_all_recvfrom_netlabel(telepathy_sofiasip_t)
-corenet_all_recvfrom_unlabeled(telepathy_sofiasip_t)
corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t)
corenet_raw_sendrecv_generic_if(telepathy_sofiasip_t)
corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t)
corenet_tcp_sendrecv_generic_node(telepathy_sofiasip_t)
corenet_tcp_bind_generic_node(telepathy_sofiasip_t)
corenet_raw_bind_generic_node(telepathy_sofiasip_t)
-
-corenet_sendrecv_all_server_packets(telepathy_sofiasip_t)
corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t)
-corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t)
-
corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t)
-
-corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t)
corenet_tcp_connect_sip_port(telepathy_sofiasip_t)
-corenet_tcp_sendrecv_sip_port(telepathy_sofiasip_t)
+corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t)
kernel_request_load_module(telepathy_sofiasip_t)
tunable_policy(`telepathy_connect_all_ports',`
- corenet_sendrecv_all_client_packets(telepathy_sofiasip_t)
corenet_tcp_connect_all_ports(telepathy_sofiasip_t)
corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t)
+ corenet_udp_sendrecv_all_ports(telepathy_sofiasip_t)
')
tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
- corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t)
corenet_tcp_connect_generic_port(telepathy_sofiasip_t)
- corenet_tcp_sendrecv_generic_port(telepathy_sofiasip_t)
+ corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t)
')
#######################################
#
-# Sunshine local policy
+# Telepathy Sunshine local policy.
#
manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
-userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
+userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, { dir file })
+userdom_search_user_home_dirs(telepathy_sunshine_t)
manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
+exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file)
-can_exec(telepathy_sunshine_t, telepathy_sunshine_tmp_t)
-
-corecmd_exec_bin(telepathy_sunshine_t)
-
-files_read_usr_files(telepathy_sunshine_t)
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(telepathy_sunshine_t)
- fs_manage_nfs_files(telepathy_sunshine_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(telepathy_sunshine_t)
- fs_manage_cifs_files(telepathy_sunshine_t)
-')
-
optional_policy(`
xserver_read_xdm_pid(telepathy_sunshine_t)
xserver_stream_connect(telepathy_sunshine_t)
@@ -455,31 +390,51 @@ optional_policy(`
#######################################
#
-# Common telepathy domain local policy
+# telepathy domains common policy
#
allow telepathy_domain self:process { getsched signal sigkill };
allow telepathy_domain self:fifo_file rw_fifo_file_perms;
+allow telepathy_domain self:tcp_socket create_socket_perms;
+allow telepathy_domain self:udp_socket create_socket_perms;
manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t)
-# gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy")
+optional_policy(`
+ gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy")
+')
-manage_dirs_pattern(telepathy_domain, telepathy_data_home_t, telepathy_data_home_t)
-# gnome_data_filetrans(telepathy_domain, telepathy_data_home_t, dir, "telepathy")
+corecmd_exec_bin(telepathy_domain)
+corecmd_exec_shell(telepathy_domain)
dev_read_urand(telepathy_domain)
-kernel_read_system_state(telepathy_domain)
-
fs_getattr_all_fs(telepathy_domain)
fs_search_auto_mountpoints(telepathy_domain)
+fs_rw_inherited_tmpfs_files(telepathy_domain)
-miscfiles_read_localization(telepathy_domain)
+userdom_search_user_tmp_dirs(telepathy_domain)
+userdom_search_user_home_dirs(telepathy_domain)
+userdom_use_inherited_user_ttys(telepathy_domain)
optional_policy(`
automount_dontaudit_getattr_tmp_dirs(telepathy_domain)
')
optional_policy(`
+ gnome_read_generic_cache_files(telepathy_domain)
+ gnome_write_generic_cache_files(telepathy_domain)
+ gnome_filetrans_config_home_content(telepathy_domain)
+')
+
+optional_policy(`
+ systemd_dbus_chat_logind(telepathy_domain)
+ systemd_write_inhibit_pipes(telepathy_domain)
+')
+
+optional_policy(`
+ telepathy_dbus_chat(telepathy_domain)
+')
+
+optional_policy(`
xserver_rw_xdm_pipes(telepathy_domain)
')
diff --git a/telnet.te b/telnet.te
index d7c863369..78e6fccc2 100644
--- a/telnet.te
+++ b/telnet.te
@@ -27,19 +27,22 @@ files_pid_file(telnetd_var_run_t)
# Local policy
#
-allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
+allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_read_search };
allow telnetd_t self:process signal_perms;
allow telnetd_t self:fifo_file rw_fifo_file_perms;
-allow telnetd_t self:tcp_socket { accept listen };
+allow telnetd_t self:tcp_socket connected_stream_socket_perms;
+allow telnetd_t self:udp_socket create_socket_perms;
+# for identd; cjp: this should probably only be inetd_child rules?
+allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+
term_create_pty(telnetd_t, telnetd_devpts_t)
allow telnetd_t telnetd_keytab_t:file read_file_perms;
manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
-files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
@@ -48,7 +51,6 @@ kernel_read_kernel_sysctls(telnetd_t)
kernel_read_system_state(telnetd_t)
kernel_read_network_state(telnetd_t)
-corenet_all_recvfrom_unlabeled(telnetd_t)
corenet_all_recvfrom_netlabel(telnetd_t)
corenet_tcp_sendrecv_generic_if(telnetd_t)
corenet_tcp_sendrecv_generic_node(telnetd_t)
@@ -63,7 +65,6 @@ dev_read_urand(telnetd_t)
domain_interactive_fd(telnetd_t)
-files_read_usr_files(telnetd_t)
files_read_etc_runtime_files(telnetd_t)
files_search_home(telnetd_t)
@@ -76,12 +77,12 @@ init_rw_utmp(telnetd_t)
logging_send_syslog_msg(telnetd_t)
-miscfiles_read_localization(telnetd_t)
-
seutil_read_config(telnetd_t)
userdom_search_user_home_dirs(telnetd_t)
userdom_setattr_user_ptys(telnetd_t)
+userdom_manage_user_tmp_files(telnetd_t)
+userdom_tmp_filetrans_user_tmp(telnetd_t, file)
tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs(telnetd_t)
@@ -93,7 +94,7 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
kerberos_read_keytab(telnetd_t)
- kerberos_tmp_filetrans_host_rcache(telnetd_t, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache(telnetd_t, "host_0")
kerberos_manage_host_rcache(telnetd_t)
kerberos_use(telnetd_t)
')
diff --git a/tftp.fc b/tftp.fc
index 3dd87daf5..0d13384b0 100644
--- a/tftp.fc
+++ b/tftp.fc
@@ -1,9 +1,9 @@
-/etc/(x)?inetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0)
+/etc/(x)?inetd\.d/tftp -- gen_context(system_u:object_r:tftpd_etc_t,s0)
/usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
/usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
-/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
-/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
+/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
+/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
-/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0)
+/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0)
diff --git a/tftp.if b/tftp.if
index 9957e300d..51af58690 100644
--- a/tftp.if
+++ b/tftp.if
@@ -1,8 +1,8 @@
-## <summary>Trivial file transfer protocol daemon.</summary>
+## <summary>Trivial file transfer protocol daemon</summary>
########################################
## <summary>
-## Read tftp content files.
+## Read tftp content
## </summary>
## <param name="domain">
## <summary>
@@ -13,18 +13,40 @@
interface(`tftp_read_content',`
gen_require(`
type tftpdir_t;
+ type tftpdir_rw_t;
+ ')
+
+ list_dirs_pattern($1, tftpdir_t, tftpdir_t)
+ read_files_pattern($1, tftpdir_t, tftpdir_t)
+ read_lnk_files_pattern($1, tftpdir_t, tftpdir_t)
+
+ list_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+ read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+ read_lnk_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+')
+
+########################################
+## <summary>
+## Search tftp /var/lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tftp_search_rw_content',`
+ gen_require(`
+ type tftpdir_rw_t;
')
+ search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
files_search_var_lib($1)
- allow $1 tftpdir_t:dir list_dir_perms;
- allow $1 tftpdir_t:file read_file_perms;
- allow $1 tftpdir_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
-## Create, read, write, and delete
-## tftp rw content.
+## Allow read tftp /var/lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -32,20 +54,18 @@ interface(`tftp_read_content',`
## </summary>
## </param>
#
-interface(`tftp_manage_rw_content',`
+interface(`tftp_read_rw_content',`
gen_require(`
type tftpdir_rw_t;
')
files_search_var_lib($1)
- allow $1 tftpdir_rw_t:dir manage_dir_perms;
- allow $1 tftpdir_rw_t:file manage_file_perms;
- allow $1 tftpdir_rw_t:lnk_file manage_lnk_file_perms;
+ read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
')
########################################
## <summary>
-## Read tftpd configuration files.
+## Allow write tftp /var/lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -53,19 +73,18 @@ interface(`tftp_manage_rw_content',`
## </summary>
## </param>
#
-interface(`tftp_read_config_files',`
+interface(`tftp_write_rw_content',`
gen_require(`
- type tftpd_conf_t;
+ type tftpdir_rw_t;
')
- files_search_etc($1)
- allow $1 tftpd_conf_t:file read_file_perms;
+ files_search_var_lib($1)
+ write_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## tftpd configuration files.
+## Manage tftp /var/lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -73,55 +92,83 @@ interface(`tftp_read_config_files',`
## </summary>
## </param>
#
-interface(`tftp_manage_config_files',`
+interface(`tftp_manage_rw_content',`
gen_require(`
- type tftpd_conf_t;
+ type tftpdir_rw_t;
')
- files_search_etc($1)
- allow $1 tftpd_conf_t:file manage_file_perms;
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
')
########################################
## <summary>
-## Create objects in etc directories
-## with tftp conf type.
+## Manage tftp /var/lib files.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed access.
## </summary>
## </param>
-## <param name="object_class">
+#
+interface(`tftp_delete_content_dirs',`
+ gen_require(`
+ type tftpdir_rw_t;
+ ')
+
+ files_search_var_lib($1)
+ delete_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+')
+
+########################################
+## <summary>
+## Read tftp config files.
+## </summary>
+## <param name="domain">
## <summary>
-## Class of the object being created.
+## Domain allowed access.
## </summary>
## </param>
-## <param name="name" optional="true">
+#
+interface(`tftp_read_config',`
+ gen_require(`
+ type tftpd_etc_t;
+ ')
+
+ read_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
+')
+
+########################################
+## <summary>
+## Manage tftp config files.
+## </summary>
+## <param name="domain">
## <summary>
-## The name of the object being created.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`tftp_etc_filetrans_config',`
+interface(`tftp_manage_config',`
gen_require(`
- type tftp_conf_t;
+ type tftpd_etc_t;
')
- files_etc_filetrans($1, tftp_conf_t, $2, $3)
+ manage_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
+ files_etc_filetrans($1, tftpd_etc_t, file, "tftp")
')
########################################
## <summary>
## Create objects in tftpdir directories
-## with a private type.
+## with specified types.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="private_type">
+## <param name="file_type">
## <summary>
## Private file type.
## </summary>
@@ -131,25 +178,38 @@ interface(`tftp_etc_filetrans_config',`
## Class of the object being created.
## </summary>
## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
#
interface(`tftp_filetrans_tftpdir',`
gen_require(`
type tftpdir_rw_t;
')
+ filetrans_pattern($1, tftpdir_rw_t, $2, $3)
files_search_var_lib($1)
- filetrans_pattern($1, tftpdir_rw_t, $2, $3, $4)
')
########################################
## <summary>
-## All of the rules required to
-## administrate an tftp environment.
+## Transition to tftp named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tftp_filetrans_named_content',`
+ gen_require(`
+ type tftpd_etc_t;
+ ')
+
+ files_etc_filetrans($1, tftpd_etc_t, file, "tftp")
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an tftp environment
## </summary>
## <param name="domain">
## <summary>
@@ -161,18 +221,22 @@ interface(`tftp_filetrans_tftpdir',`
interface(`tftp_admin',`
gen_require(`
type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
- type tftpd_conf_t;
')
- allow $1 tftpd_t:process { ptrace signal_perms };
+ allow $1 tftpd_t:process signal_perms;
ps_process_pattern($1, tftpd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 tftpd_t:process ptrace;
+ ')
- files_search_etc($1)
- admin_pattern($1, tftpd_conf_t)
+ files_list_var_lib($1)
- files_search_var_lib($1)
- admin_pattern($1, { tftpdir_t tftpdir_rw_t })
+ admin_pattern($1, tftpdir_rw_t)
+
+ admin_pattern($1, tftpdir_t)
files_list_pids($1)
admin_pattern($1, tftpd_var_run_t)
+
+ tftp_manage_config($1)
')
diff --git a/tftp.te b/tftp.te
index cfaa2a19c..ed8204d13 100644
--- a/tftp.te
+++ b/tftp.te
@@ -6,30 +6,24 @@ policy_module(tftp, 1.13.0)
#
## <desc>
-## <p>
-## Determine whether tftp can modify
-## public files used for public file
-## transfer services. Directories/Files must
-## be labeled public_content_rw_t.
-## </p>
+## <p>
+## Allow tftp to modify public files
+## used for public file transfer services.
+## </p>
## </desc>
gen_tunable(tftp_anon_write, false)
## <desc>
-## <p>
-## Determine whether tftp can manage
-## generic user home content.
-## </p>
+## <p>
+## Allow tftp to read and write files in the user home directories
+## </p>
## </desc>
-gen_tunable(tftp_enable_homedir, false)
+gen_tunable(tftp_home_dir, false)
type tftpd_t;
type tftpd_exec_t;
init_daemon_domain(tftpd_t, tftpd_exec_t)
-type tftpd_conf_t;
-files_config_file(tftpd_conf_t)
-
type tftpd_var_run_t;
files_pid_file(tftpd_var_run_t)
@@ -39,6 +33,9 @@ files_type(tftpdir_t)
type tftpdir_rw_t;
files_type(tftpdir_rw_t)
+type tftpd_etc_t;
+files_config_file(tftpd_etc_t)
+
########################################
#
# Local policy
@@ -46,15 +43,17 @@ files_type(tftpdir_rw_t)
allow tftpd_t self:capability { setgid setuid sys_chroot };
dontaudit tftpd_t self:capability sys_tty_config;
-allow tftpd_t self:tcp_socket { accept listen };
-allow tftpd_t self:unix_stream_socket { accept listen };
-
-allow tftpd_t tftpd_conf_t:file read_file_perms;
+allow tftpd_t self:tcp_socket create_stream_socket_perms;
+allow tftpd_t self:udp_socket create_socket_perms;
+allow tftpd_t self:unix_dgram_socket create_socket_perms;
+allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
allow tftpd_t tftpdir_t:dir list_dir_perms;
allow tftpd_t tftpdir_t:file read_file_perms;
allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms;
+read_files_pattern(tftpd_t, tftpd_etc_t, tftpd_etc_t)
+
manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
@@ -65,18 +64,23 @@ files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
kernel_read_system_state(tftpd_t)
kernel_read_kernel_sysctls(tftpd_t)
-corenet_all_recvfrom_unlabeled(tftpd_t)
corenet_all_recvfrom_netlabel(tftpd_t)
+corenet_tcp_sendrecv_generic_if(tftpd_t)
corenet_udp_sendrecv_generic_if(tftpd_t)
+corenet_tcp_sendrecv_generic_node(tftpd_t)
corenet_udp_sendrecv_generic_node(tftpd_t)
+corenet_tcp_sendrecv_all_ports(tftpd_t)
+corenet_udp_sendrecv_all_ports(tftpd_t)
+corenet_tcp_bind_generic_node(tftpd_t)
corenet_udp_bind_generic_node(tftpd_t)
-
-corenet_sendrecv_tftp_server_packets(tftpd_t)
corenet_udp_bind_tftp_port(tftpd_t)
-corenet_udp_sendrecv_tftp_port(tftpd_t)
+corenet_sendrecv_tftp_server_packets(tftpd_t)
dev_read_sysfs(tftpd_t)
+fs_getattr_all_fs(tftpd_t)
+fs_search_auto_mountpoints(tftpd_t)
+
domain_use_interactive_fds(tftpd_t)
files_read_etc_runtime_files(tftpd_t)
@@ -84,43 +88,46 @@ files_read_var_files(tftpd_t)
files_read_var_symlinks(tftpd_t)
files_search_var(tftpd_t)
-fs_getattr_all_fs(tftpd_t)
-fs_search_auto_mountpoints(tftpd_t)
-
auth_use_nsswitch(tftpd_t)
logging_send_syslog_msg(tftpd_t)
-miscfiles_read_localization(tftpd_t)
miscfiles_read_public_files(tftpd_t)
userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
userdom_dontaudit_use_user_terminals(tftpd_t)
-userdom_user_home_dir_filetrans_user_home_content(tftpd_t, { dir file lnk_file })
+userdom_dontaudit_search_user_home_dirs(tftpd_t)
+
+userdom_home_manager(tftpd_t)
tunable_policy(`tftp_anon_write',`
miscfiles_manage_public_files(tftpd_t)
')
-tunable_policy(`tftp_enable_homedir',`
- allow tftpd_t self:capability { dac_override dac_read_search };
+tunable_policy(`tftp_home_dir',`
+ allow tftpd_t self:capability { dac_read_search };
+ # allow access to /home
files_list_home(tftpd_t)
- userdom_manage_user_home_content_dirs(tftpd_t)
- userdom_manage_user_home_content_files(tftpd_t)
- userdom_manage_user_home_content_symlinks(tftpd_t)
+ userdom_read_user_home_content_files(tftpd_t)
+ userdom_manage_user_home_content(tftpd_t)
+
+ auth_read_all_dirs_except_shadow(tftpd_t)
+ auth_read_all_files_except_shadow(tftpd_t)
+ auth_read_all_symlinks_except_shadow(tftpd_t)
+',`
+ # Needed for permissive mode, to make sure everything gets labeled correctly
+ userdom_user_home_dir_filetrans_pattern(tftpd_t, { dir file lnk_file })
')
-tunable_policy(`tftp_enable_homedir && use_nfs_home_dirs',`
- fs_manage_nfs_dirs(tftpd_t)
- fs_manage_nfs_files(tftpd_t)
- fs_read_nfs_symlinks(tftpd_t)
+tunable_policy(`tftp_home_dir && use_nfs_home_dirs',`
+ fs_manage_nfs_files(tftpd_t)
+ fs_read_nfs_symlinks(tftpd_t)
')
-tunable_policy(`tftp_enable_homedir && use_samba_home_dirs',`
- fs_manage_cifs_dirs(tftpd_t)
- fs_manage_cifs_files(tftpd_t)
- fs_read_cifs_symlinks(tftpd_t)
+tunable_policy(`tftp_home_dir && use_samba_home_dirs',`
+ fs_manage_cifs_files(tftpd_t)
+ fs_read_cifs_symlinks(tftpd_t)
')
optional_policy(`
diff --git a/tgtd.fc b/tgtd.fc
index 38389e675..ae0f9ab51 100644
--- a/tgtd.fc
+++ b/tgtd.fc
@@ -1,7 +1,4 @@
-/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
-
-/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
-
-/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
-
-/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0)
+/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
+/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
+/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
+/var/run/tgtd.* gen_context(system_u:object_r:tgtd_var_run_t,s0)
diff --git a/tgtd.if b/tgtd.if
index 5406b6ee8..dc5b46e28 100644
--- a/tgtd.if
+++ b/tgtd.if
@@ -97,6 +97,6 @@ interface(`tgtd_admin',`
files_search_tmp($1)
admin_pattern($1, tgtd_tmp_t)
- files_search_tmpfs($1)
+ fs_search_tmpfs($1)
admin_pattern($1, tgtd_tmpfs_t)
')
diff --git a/tgtd.te b/tgtd.te
index d01096386..c491b2f9c 100644
--- a/tgtd.te
+++ b/tgtd.te
@@ -29,8 +29,8 @@ files_pid_file(tgtd_var_run_t)
# Local policy
#
-allow tgtd_t self:capability sys_resource;
-allow tgtd_t self:capability2 block_suspend;
+allow tgtd_t self:capability { dac_read_search ipc_lock sys_resource sys_rawio sys_admin };
+allow tgtd_t self:capability2 { block_suspend wake_alarm };
allow tgtd_t self:process { setrlimit signal };
allow tgtd_t self:fifo_file rw_fifo_file_perms;
allow tgtd_t self:netlink_route_socket r_netlink_socket_perms;
@@ -56,15 +56,16 @@ files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
kernel_read_system_state(tgtd_t)
kernel_read_fs_sysctls(tgtd_t)
+kernel_read_network_state(tgtd_t)
corenet_all_recvfrom_netlabel(tgtd_t)
-corenet_all_recvfrom_unlabeled(tgtd_t)
corenet_tcp_sendrecv_generic_if(tgtd_t)
corenet_tcp_sendrecv_generic_node(tgtd_t)
corenet_tcp_bind_generic_node(tgtd_t)
corenet_sendrecv_iscsi_server_packets(tgtd_t)
corenet_tcp_bind_iscsi_port(tgtd_t)
+corenet_tcp_connect_isns_port(tgtd_t)
corenet_tcp_sendrecv_iscsi_port(tgtd_t)
corenet_sendrecv_iscsi_client_packets(tgtd_t)
@@ -72,16 +73,18 @@ corenet_tcp_connect_isns_port(tgtd_t)
dev_read_sysfs(tgtd_t)
-files_read_etc_files(tgtd_t)
+files_list_mnt(tgtd_t)
fs_read_anon_inodefs_files(tgtd_t)
+miscfiles_read_generic_certs(tgtd_t)
+
storage_manage_fixed_disk(tgtd_t)
+storage_read_scsi_generic(tgtd_t)
+storage_write_scsi_generic(tgtd_t)
logging_send_syslog_msg(tgtd_t)
-miscfiles_read_localization(tgtd_t)
-
optional_policy(`
iscsi_manage_semaphores(tgtd_t)
')
diff --git a/thin.fc b/thin.fc
new file mode 100644
index 000000000..1f8a9086c
--- /dev/null
+++ b/thin.fc
@@ -0,0 +1,12 @@
+/usr/bin/thin -- gen_context(system_u:object_r:thin_exec_t,s0)
+
+/usr/bin/aeolus-configserver-thinwrapper -- gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0)
+
+/var/lib/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_lib_t,s0)
+
+/var/log/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_log_t,s0)
+/var/log/thin\.log.* -- gen_context(system_u:object_r:thin_log_t,s0)
+
+/var/run/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_var_run_t,s0)
+/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0)
+/var/run/thin(/.*)? gen_context(system_u:object_r:thin_var_run_t,s0)
diff --git a/thin.if b/thin.if
new file mode 100644
index 000000000..5e3637e63
--- /dev/null
+++ b/thin.if
@@ -0,0 +1,64 @@
+## <summary>thin policy</summary>
+
+#######################################
+## <summary>
+## Creates types and rules for a basic
+## thin daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`thin_domain_template',`
+ gen_require(`
+ attribute thin_domain;
+ ')
+
+ type $1_t, thin_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+ can_exec($1_t, $1_exec_t)
+
+ kernel_read_system_state($1_t)
+')
+
+######################################
+## <summary>
+## Execute mongod in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`thin_exec',`
+ gen_require(`
+ type thin_exec_t;
+ ')
+
+ can_exec($1, thin_exec_t)
+')
+
+#####################################
+## <summary>
+## Connect to thin over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`thin_stream_connect',`
+ gen_require(`
+ type thin_t, thin_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, thin_var_run_t, thin_var_run_t, thin_t)
+')
diff --git a/thin.te b/thin.te
new file mode 100644
index 000000000..78550f3b3
--- /dev/null
+++ b/thin.te
@@ -0,0 +1,115 @@
+policy_module(thin, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute thin_domain;
+
+thin_domain_template(thin)
+
+type thin_log_t;
+logging_log_file(thin_log_t)
+
+type thin_var_run_t;
+files_pid_file(thin_var_run_t)
+
+thin_domain_template(thin_aeolus_configserver)
+
+type thin_aeolus_configserver_lib_t;
+files_type(thin_aeolus_configserver_lib_t)
+
+type thin_aeolus_configserver_log_t;
+logging_log_file(thin_aeolus_configserver_log_t)
+
+type thin_aeolus_configserver_var_run_t;
+files_pid_file(thin_aeolus_configserver_var_run_t)
+
+########################################
+#
+# thin_domain local policy
+#
+
+allow thin_domain self:process signal;
+
+allow thin_domain self:fifo_file rw_fifo_file_perms;
+allow thin_domain self:tcp_socket create_stream_socket_perms;
+
+# we want to stay in a new thin domain if we call thin binary from a script
+# # initrc_t@thin_test_exec_t->thin_test_t@thin_exec_t->thin_test_t
+can_exec(thin_domain, thin_exec_t)
+
+corecmd_exec_bin(thin_domain)
+corecmd_exec_shell(thin_domain)
+
+corenet_tcp_bind_generic_node(thin_domain)
+
+dev_read_rand(thin_domain)
+dev_read_urand(thin_domain)
+
+
+auth_read_passwd(thin_domain)
+
+miscfiles_read_certs(thin_domain)
+
+
+fs_search_auto_mountpoints(thin_domain)
+
+init_read_utmp(thin_domain)
+
+kernel_read_kernel_sysctls(thin_domain)
+
+optional_policy(`
+ apache_read_sys_content(thin_domain)
+')
+
+optional_policy(`
+ sysnet_read_config(thin_domain)
+')
+
+########################################
+#
+# thin local policy
+#
+
+allow thin_t self:capability { setuid kill setgid dac_read_search };
+allow thin_t self:capability2 block_suspend;
+
+allow thin_t self:netlink_route_socket r_netlink_socket_perms;
+allow thin_t self:udp_socket create_socket_perms;
+allow thin_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(thin_t, thin_log_t, thin_log_t)
+manage_dirs_pattern(thin_t, thin_log_t, thin_log_t)
+logging_log_filetrans(thin_t, thin_log_t, { file dir })
+
+manage_dirs_pattern(thin_t, thin_var_run_t, thin_var_run_t)
+manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
+manage_lnk_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
+manage_sock_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
+files_pid_filetrans(thin_t, thin_var_run_t, { dir file sock_file })
+
+corenet_tcp_bind_ntop_port(thin_t)
+corenet_tcp_connect_postgresql_port(thin_t)
+
+#######################################
+#
+# thin aeolus configserver local policy
+#
+
+allow thin_aeolus_configserver_t self:capability { setuid setgid };
+
+corenet_tcp_bind_tram_port(thin_aeolus_configserver_t)
+
+manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t)
+manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t)
+files_var_lib_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, { file dir })
+
+manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t)
+manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t)
+logging_log_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, { file dir })
+
+manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t)
+manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t)
+files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file })
diff --git a/thumb.fc b/thumb.fc
new file mode 100644
index 000000000..115bf6c42
--- /dev/null
+++ b/thumb.fc
@@ -0,0 +1,17 @@
+HOME_DIR/\.thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0)
+HOME_DIR/\.cache/thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0)
+HOME_DIR/missfont\.log.* gen_context(system_u:object_r:thumb_home_t,s0)
+
+/usr/bin/evince-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/gsf-office-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/gnome-thumbnail-font -- gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/gnome-[^/]*-thumbnailer(.sh)? -- gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/raw-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/shotwell-video-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/totem-video-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/whaaw-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/[^/]*thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/ffmpegthumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/mate-thumbnail-font -- gen_context(system_u:object_r:thumb_exec_t,s0)
+
+/usr/lib/tumbler-?[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0)
diff --git a/thumb.if b/thumb.if
new file mode 100644
index 000000000..d371f62f6
--- /dev/null
+++ b/thumb.if
@@ -0,0 +1,153 @@
+
+## <summary>policy for thumb</summary>
+
+########################################
+## <summary>
+## Transition to thumb.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`thumb_domtrans',`
+ gen_require(`
+ type thumb_t, thumb_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, thumb_exec_t, thumb_t)
+ dontaudit thumb_t $1:unix_stream_socket { getattr read write };
+')
+
+########################################
+## <summary>
+## NNP Transition to thumb.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`thumb_nnp_domtrans',`
+ gen_require(`
+ type thumb_t;
+ ')
+
+ allow $1 thumb_t:process2 { nnp_transition nosuid_transition };
+
+')
+
+########################################
+## <summary>
+## Execute thumb in the thumb domain, and
+## allow the specified role the thumb domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the thumb domain.
+## </summary>
+## </param>
+#
+interface(`thumb_run',`
+ gen_require(`
+ type thumb_t;
+ ')
+
+ thumb_domtrans($1)
+ thumb_nnp_domtrans($1)
+ role $2 types thumb_t;
+
+ allow $1 thumb_t:process signal_perms;
+
+ dontaudit thumb_t $1:dir list_dir_perms;
+ dontaudit thumb_t $1:file read_file_perms;
+ dontaudit thumb_t $1:unix_stream_socket rw_socket_perms;
+
+ allow thumb_t $1:shm create_shm_perms;
+ allow thumb_t $1:sem create_sem_perms;
+')
+
+########################################
+## <summary>
+## Role access for thumb
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`thumb_role',`
+ gen_require(`
+ type thumb_t;
+ class dbus send_msg;
+ ')
+
+ thumb_run($2, $1)
+
+ ps_process_pattern($2, thumb_t)
+ allow thumb_t $2:unix_stream_socket connectto;
+
+ thumb_dbus_chat($2)
+ thumb_filetrans_home_content($2)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## thumb over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`thumb_dbus_chat',`
+ gen_require(`
+ type thumb_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 thumb_t:dbus send_msg;
+ allow thumb_t $1:dbus send_msg;
+ ps_process_pattern(thumb_t, $1)
+')
+
+########################################
+## <summary>
+## Create thumb content in the user home directory
+## with an correct label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`thumb_filetrans_home_content',`
+
+ gen_require(`
+ type thumb_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, thumb_home_t, dir, ".thumbnails")
+ userdom_user_home_dir_filetrans($1, thumb_home_t, file, "missfont.log")
+
+ optional_policy(`
+ gnome_cache_filetrans($1, thumb_home_t, dir, "thumbnails")
+ ')
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
index 000000000..a34bf9b9f
--- /dev/null
+++ b/thumb.te
@@ -0,0 +1,174 @@
+policy_module(thumb, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type thumb_t;
+type thumb_exec_t;
+application_domain(thumb_t, thumb_exec_t)
+ubac_constrained(thumb_t)
+userdom_home_manager(thumb_t)
+
+type thumb_tmp_t;
+files_tmp_file(thumb_tmp_t)
+ubac_constrained(thumb_tmp_t)
+
+type thumb_home_t;
+userdom_user_home_content(thumb_home_t)
+
+type thumb_tmpfs_t;
+files_tmpfs_file(thumb_tmpfs_t)
+
+########################################
+#
+# thumb local policy
+#
+
+allow thumb_t self:process { setsched signal signull setrlimit };
+dontaudit thumb_t self:capability sys_tty_config;
+dontaudit thumb_t self:process setfscreate;
+
+tunable_policy(`deny_execmem',`',`
+ allow thumb_t self:process execmem;
+')
+
+allow thumb_t self:fifo_file manage_fifo_file_perms;
+allow thumb_t self:unix_stream_socket create_stream_socket_perms;
+allow thumb_t self:unix_dgram_socket create_socket_perms;
+allow thumb_t self:netlink_route_socket r_netlink_socket_perms;
+allow thumb_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow thumb_t self:udp_socket create_socket_perms;
+allow thumb_t self:tcp_socket create_socket_perms;
+allow thumb_t self:shm create_shm_perms;
+allow thumb_t self:sem create_sem_perms;
+
+manage_dirs_pattern(thumb_t, thumb_home_t, thumb_home_t)
+manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails")
+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log")
+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file)
+userdom_dontaudit_access_check_user_content(thumb_t)
+userdom_rw_inherited_user_tmp_files(thumb_t)
+userdom_manage_home_texlive(thumb_t)
+
+manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+manage_sock_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
+userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
+
+manage_dirs_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
+manage_files_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
+fs_tmpfs_filetrans(thumb_t, thumb_tmpfs_t, { dir file })
+
+can_exec(thumb_t, thumb_exec_t)
+
+kernel_read_system_state(thumb_t)
+kernel_dgram_send(thumb_t)
+
+corecmd_exec_bin(thumb_t)
+corecmd_exec_shell(thumb_t)
+
+corenet_tcp_connect_xserver_port(thumb_t)
+corenet_dontaudit_tcp_connect_all_ports(thumb_t)
+
+dev_read_sysfs(thumb_t)
+dev_read_urand(thumb_t)
+dev_dontaudit_rw_dri(thumb_t)
+dev_rw_xserver_misc(thumb_t)
+dev_read_video_dev(thumb_t)
+dev_write_video_dev(thumb_t)
+
+domain_use_interactive_fds(thumb_t)
+domain_dontaudit_read_all_domains_state(thumb_t)
+
+files_read_non_security_files(thumb_t)
+
+fs_getattr_all_fs(thumb_t)
+fs_read_dos_files(thumb_t)
+fs_rw_inherited_tmpfs_files(thumb_t)
+
+auth_read_passwd(thumb_t)
+
+tunable_policy(`selinuxuser_execmod',`
+ libs_legacy_use_shared_libs(thumb_t)
+')
+
+miscfiles_read_fonts(thumb_t)
+miscfiles_dontaudit_setattr_fonts_dirs(thumb_t)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(thumb_t)
+
+sysnet_read_config(thumb_t)
+
+
+term_dontaudit_use_unallocated_ttys(thumb_t)
+
+userdom_dontaudit_setattr_user_tmp(thumb_t)
+userdom_read_user_tmp_files(thumb_t)
+userdom_read_user_home_content_files(thumb_t)
+userdom_exec_user_home_content_files(thumb_t)
+userdom_dontaudit_write_user_tmp_files(thumb_t)
+userdom_dontaudit_delete_user_tmp_files(thumb_t)
+userdom_read_home_audio_files(thumb_t)
+userdom_home_reader(thumb_t)
+
+userdom_use_user_terminals(thumb_t)
+
+xserver_read_xdm_home_files(thumb_t)
+xserver_append_xdm_home_files(thumb_t)
+xserver_dontaudit_read_xdm_pid(thumb_t)
+xserver_dontaudit_xdm_tmp_dirs(thumb_t)
+xserver_stream_connect(thumb_t)
+xserver_use_user_fonts(thumb_t)
+
+optional_policy(`
+ bumblebee_stream_connect(thumb_t)
+')
+
+optional_policy(`
+ dbus_exec_dbusd(thumb_t)
+ dbus_connect_session_bus(thumb_t)
+ dbus_stream_connect_session_bus(thumb_t)
+ dbus_chat_session_bus(thumb_t)
+')
+
+optional_policy(`
+ # .config
+ gnome_dontaudit_search_config(thumb_t)
+ gnome_dontaudit_write_config_files(thumb_t)
+ gnome_append_home_config(thumb_t)
+ gnome_append_generic_cache_files(thumb_t)
+ gnome_read_generic_data_home_files(thumb_t)
+ gnome_dontaudit_rw_generic_cache_files(thumb_t)
+ gnome_manage_gstreamer_home_files(thumb_t)
+ gnome_manage_gstreamer_home_dirs(thumb_t)
+ gnome_exec_gstreamer_home_files(thumb_t)
+ gnome_create_generic_cache_dir(thumb_t)
+ gnome_setattr_cache_home_dir(thumb_t)
+ gnome_cache_filetrans(thumb_t, thumb_home_t, dir, "thumbnails")
+ gnome_cache_filetrans(thumb_t, thumb_home_t, file)
+')
+
+optional_policy(`
+ sssd_dontaudit_stream_connect(thumb_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_write_sock_file(thumb_t)
+')
+
+optional_policy(`
+ nslcd_dontaudit_write_sock_file(thumb_t)
+')
+
+tunable_policy(`nis_enabled',`
+ corenet_dontaudit_udp_bind_all_ports(thumb_t)
+ corenet_dontaudit_udp_bind_generic_node(thumb_t)
+')
+
+optional_policy(`
+ storage_getattr_fixed_disk_dev(thumb_t)
+')
diff --git a/thunderbird.te b/thunderbird.te
index 5e867da56..b25ea6e08 100644
--- a/thunderbird.te
+++ b/thunderbird.te
@@ -53,7 +53,6 @@ kernel_read_system_state(thunderbird_t)
corecmd_exec_shell(thunderbird_t)
-corenet_all_recvfrom_unlabeled(thunderbird_t)
corenet_all_recvfrom_netlabel(thunderbird_t)
corenet_tcp_sendrecv_generic_if(thunderbird_t)
corenet_tcp_sendrecv_generic_node(thunderbird_t)
@@ -82,7 +81,6 @@ dev_read_urand(thunderbird_t)
dev_dontaudit_search_sysfs(thunderbird_t)
files_list_tmp(thunderbird_t)
-files_read_usr_files(thunderbird_t)
files_read_etc_runtime_files(thunderbird_t)
files_read_var_files(thunderbird_t)
files_read_var_symlinks(thunderbird_t)
@@ -98,7 +96,6 @@ fs_search_auto_mountpoints(thunderbird_t)
auth_use_nsswitch(thunderbird_t)
miscfiles_read_fonts(thunderbird_t)
-miscfiles_read_localization(thunderbird_t)
userdom_write_user_tmp_sockets(thunderbird_t)
@@ -107,23 +104,14 @@ userdom_manage_user_tmp_files(thunderbird_t)
userdom_manage_user_home_content_dirs(thunderbird_t)
userdom_manage_user_home_content_files(thunderbird_t)
-userdom_user_home_dir_filetrans_user_home_content(thunderbird_t, { dir file })
+userdom_filetrans_home_content(thunderbird_t)
xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
xserver_read_xdm_tmp_files(thunderbird_t)
xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(thunderbird_t)
- fs_manage_nfs_files(thunderbird_t)
- fs_manage_nfs_symlinks(thunderbird_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(thunderbird_t)
- fs_manage_cifs_files(thunderbird_t)
- fs_manage_cifs_symlinks(thunderbird_t)
-')
+# Access ~/.thunderbird
+userdom_home_manager(thunderbird_t)
ifndef(`enable_mls',`
fs_search_removable(thunderbird_t)
diff --git a/timidity.te b/timidity.te
index 97cd15589..7c0a19c8a 100644
--- a/timidity.te
+++ b/timidity.te
@@ -18,7 +18,7 @@ files_tmpfs_file(timidity_tmpfs_t)
# Local policy
#
-allow timidity_t self:capability { dac_override dac_read_search };
+allow timidity_t self:capability { dac_read_search };
dontaudit timidity_t self:capability sys_tty_config;
allow timidity_t self:process { signal_perms getsched };
allow timidity_t self:shm create_shm_perms;
@@ -36,7 +36,6 @@ fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file f
kernel_read_kernel_sysctls(timidity_t)
kernel_read_system_state(timidity_t)
-corenet_all_recvfrom_unlabeled(timidity_t)
corenet_all_recvfrom_netlabel(timidity_t)
corenet_tcp_sendrecv_generic_if(timidity_t)
corenet_udp_sendrecv_generic_if(timidity_t)
@@ -51,8 +50,6 @@ dev_write_sound(timidity_t)
domain_use_interactive_fds(timidity_t)
-files_read_etc_files(timidity_t)
-files_read_usr_files(timidity_t)
files_search_tmp(timidity_t)
fs_search_auto_mountpoints(timidity_t)
diff --git a/tlp.fc b/tlp.fc
new file mode 100644
index 000000000..eef708d92
--- /dev/null
+++ b/tlp.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/((tlp-sleep.*)|(tlp.*)) -- gen_context(system_u:object_r:tlp_unit_file_t,s0)
+
+/usr/sbin/tlp -- gen_context(system_u:object_r:tlp_exec_t,s0)
+
+/var/lib/tlp(/.*)? gen_context(system_u:object_r:tlp_var_lib_t,s0)
+
+/var/run/tlp(/.*)? gen_context(system_u:object_r:tlp_var_run_t,s0)
diff --git a/tlp.if b/tlp.if
new file mode 100644
index 000000000..368e18842
--- /dev/null
+++ b/tlp.if
@@ -0,0 +1,184 @@
+
+## <summary>policy for tlp</summary>
+
+########################################
+## <summary>
+## Execute tlp_exec_t in the tlp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tlp_domtrans',`
+ gen_require(`
+ type tlp_t, tlp_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, tlp_exec_t, tlp_t)
+')
+
+######################################
+## <summary>
+## Execute tlp in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tlp_exec',`
+ gen_require(`
+ type tlp_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, tlp_exec_t)
+')
+
+########################################
+## <summary>
+## Search tlp conf directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tlp_search_conf',`
+ gen_require(`
+ type tlp_etc_rw_t;
+ ')
+
+ allow $1 tlp_etc_rw_t:dir search_dir_perms;
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Read tlp conf files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tlp_read_conf_files',`
+ gen_require(`
+ type tlp_etc_rw_t;
+ ')
+
+ allow $1 tlp_etc_rw_t:dir list_dir_perms;
+ read_files_pattern($1, tlp_etc_rw_t, tlp_etc_rw_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Manage tlp conf files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tlp_manage_conf_files',`
+ gen_require(`
+ type tlp_etc_rw_t;
+ ')
+
+ manage_files_pattern($1, tlp_etc_rw_t, tlp_etc_rw_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Execute tlp server in the tlp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tlp_systemctl',`
+ gen_require(`
+ type tlp_t;
+ type tlp_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 tlp_unit_file_t:file read_file_perms;
+ allow $1 tlp_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, tlp_t)
+')
+
+########################################
+## <summary>
+## Read all dbus pid files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tlp_manage_pid_files',`
+ gen_require(`
+ type tlp_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, tlp_var_run_t, tlp_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an tlp environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tlp_admin',`
+ gen_require(`
+ type tlp_t;
+ type tlp_etc_rw_t;
+ type tlp_unit_file_t;
+ ')
+
+ allow $1 tlp_t:process { signal_perms };
+ ps_process_pattern($1, tlp_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 tlp_t:process ptrace;
+ ')
+
+ files_search_etc($1)
+ admin_pattern($1, tlp_etc_rw_t)
+
+ tlp_systemctl($1)
+ admin_pattern($1, tlp_unit_file_t)
+ allow $1 tlp_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/tlp.te b/tlp.te
new file mode 100644
index 000000000..80e71067a
--- /dev/null
+++ b/tlp.te
@@ -0,0 +1,95 @@
+policy_module(tlp, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type tlp_t;
+type tlp_exec_t;
+init_daemon_domain(tlp_t, tlp_exec_t)
+
+type tlp_var_run_t;
+files_pid_file(tlp_var_run_t)
+
+type tlp_var_lib_t;
+files_type(tlp_var_lib_t)
+
+type tlp_unit_file_t;
+systemd_unit_file(tlp_unit_file_t)
+
+########################################
+#
+# tlp local policy
+#
+allow tlp_t self:capability { net_admin sys_rawio };
+allow tlp_t self:unix_stream_socket create_stream_socket_perms;
+allow tlp_t self:udp_socket create_socket_perms;
+allow tlp_t self:unix_dgram_socket create_socket_perms;
+allow tlp_t self:netlink_generic_socket create_socket_perms;
+
+manage_dirs_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
+manage_files_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
+files_pid_filetrans(tlp_t, tlp_var_run_t, { dir file })
+
+manage_dirs_pattern(tlp_t, tlp_var_lib_t, tlp_var_lib_t)
+manage_files_pattern(tlp_t, tlp_var_lib_t, tlp_var_lib_t)
+files_var_lib_filetrans(tlp_t, tlp_var_lib_t, dir)
+
+kernel_read_system_state(tlp_t)
+kernel_read_network_state(tlp_t)
+kernel_read_fs_sysctls(tlp_t)
+kernel_rw_fs_sysctls(tlp_t)
+kernel_rw_kernel_sysctl(tlp_t)
+kernel_rw_vm_sysctls(tlp_t)
+kernel_create_rpc_sysctls(tlp_t)
+
+auth_read_passwd(tlp_t)
+
+corecmd_exec_bin(tlp_t)
+
+dev_list_sysfs(tlp_t)
+dev_manage_sysfs(tlp_t)
+dev_rw_cpu_microcode(tlp_t)
+dev_rw_wireless(tlp_t)
+
+files_read_kernel_modules(tlp_t)
+files_map_kernel_modules(tlp_t)
+files_load_kernel_modules(tlp_t)
+
+modutils_exec_insmod(tlp_t)
+modutils_read_module_config(tlp_t)
+
+logging_send_syslog_msg(tlp_t)
+
+storage_raw_read_fixed_disk(tlp_t)
+storage_raw_read_removable_device(tlp_t)
+storage_raw_write_removable_device(tlp_t)
+
+sysnet_exec_ifconfig(tlp_t)
+
+optional_policy(`
+ dbus_stream_connect_system_dbusd(tlp_t)
+ dbus_system_bus_client(tlp_t)
+')
+
+optional_policy(`
+ fstools_exec(tlp_t)
+')
+
+optional_policy(`
+ mount_domtrans(tlp_t)
+')
+
+optional_policy(`
+ sssd_read_public_files(tlp_t)
+ sssd_stream_connect(tlp_t)
+')
+
+optional_policy(`
+ systemd_rfkill_domtrans(tlp_t)
+')
+
+optional_policy(`
+ udev_domtrans(tlp_t)
+')
diff --git a/tmpreaper.te b/tmpreaper.te
index 585a77f95..71981be9d 100644
--- a/tmpreaper.te
+++ b/tmpreaper.te
@@ -5,20 +5,47 @@ policy_module(tmpreaper, 1.7.1)
# Declarations
#
+## <desc>
+## <p>
+## Determine whether tmpreaper can use
+## nfs file systems.
+## </p>
+## </desc>
+gen_tunable(tmpreaper_use_nfs, false)
+
+
+## <desc>
+## <p>
+## Determine whether tmpreaper can use
+## cifs file systems.
+## </p>
+## </desc>
+gen_tunable(tmpreaper_use_cifs, false)
+
+## <desc>
+## <p>
+## Determine whether tmpreaper can use samba_share files
+## </p>
+## </desc>
+gen_tunable(tmpreaper_use_samba, false)
+
type tmpreaper_t;
type tmpreaper_exec_t;
init_system_domain(tmpreaper_t, tmpreaper_exec_t)
+application_domain(tmpreaper_t, tmpreaper_exec_t)
+init_nnp_daemon_domain(tmpreaper_t)
########################################
#
# Local Policy
#
-allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
+allow tmpreaper_t self:capability { dac_read_search fowner };
allow tmpreaper_t self:fifo_file rw_fifo_file_perms;
kernel_list_unlabeled(tmpreaper_t)
kernel_read_system_state(tmpreaper_t)
+kernel_delete_unlabeled(tmpreaper_t)
dev_read_urand(tmpreaper_t)
@@ -27,15 +54,16 @@ corecmd_exec_shell(tmpreaper_t)
fs_getattr_xattr_fs(tmpreaper_t)
fs_list_all(tmpreaper_t)
+fs_setattr_tmpfs_dirs(tmpreaper_t)
+fs_delete_tmpfs_files(tmpreaper_t)
-files_getattr_all_dirs(tmpreaper_t)
-files_getattr_all_files(tmpreaper_t)
files_read_var_lib_files(tmpreaper_t)
files_purge_tmp(tmpreaper_t)
-files_setattr_all_tmp_dirs(tmpreaper_t)
+files_delete_all_non_security_files(tmpreaper_t)
+files_setattr_non_security_dirs(tmpreaper_t)
+files_getattr_all_dirs(tmpreaper_t)
+files_getattr_all_files(tmpreaper_t)
-mcs_file_read_all(tmpreaper_t)
-mcs_file_write_all(tmpreaper_t)
mls_file_read_all_levels(tmpreaper_t)
mls_file_write_all_levels(tmpreaper_t)
@@ -45,7 +73,6 @@ init_use_inherited_script_ptys(tmpreaper_t)
logging_send_syslog_msg(tmpreaper_t)
-miscfiles_read_localization(tmpreaper_t)
miscfiles_delete_man_pages(tmpreaper_t)
ifdef(`distro_debian',`
@@ -53,10 +80,33 @@ ifdef(`distro_debian',`
')
ifdef(`distro_redhat',`
- userdom_list_all_user_home_content(tmpreaper_t)
+ userdom_list_user_home_content(tmpreaper_t)
+ userdom_list_admin_dir(tmpreaper_t)
userdom_delete_all_user_home_content_dirs(tmpreaper_t)
userdom_delete_all_user_home_content_files(tmpreaper_t)
+ userdom_delete_all_user_home_content_sock_files(tmpreaper_t)
userdom_delete_all_user_home_content_symlinks(tmpreaper_t)
+ userdom_setattr_all_user_home_content_dirs(tmpreaper_t)
+')
+
+tunable_policy(`tmpreaper_use_nfs',`
+ fs_setattr_nfs_dirs(tmpreaper_t)
+')
+
+ optional_policy(`
+ tunable_policy(`tmpreaper_use_samba',`
+ samba_setattr_samba_share_dirs(tmpreaper_t)
+ ')
+')
+
+tunable_policy(`tmpreaper_use_cifs',`
+ fs_setattr_cifs_dirs(tmpreaper_t)
+')
+
+ optional_policy(`
+ tunable_policy(`tmpreaper_use_samba',`
+ samba_setattr_samba_share_dirs(tmpreaper_t)
+ ')
')
optional_policy(`
@@ -64,6 +114,7 @@ optional_policy(`
')
optional_policy(`
+ apache_delete_sys_content_rw(tmpreaper_t)
apache_list_cache(tmpreaper_t)
apache_delete_cache_dirs(tmpreaper_t)
apache_delete_cache_files(tmpreaper_t)
@@ -79,7 +130,19 @@ optional_policy(`
')
optional_policy(`
- lpd_manage_spool(tmpreaper_t)
+ lpd_manage_spool(tmpreaper_t)
+')
+
+optional_policy(`
+ mandb_delete_cache(tmpreaper_t)
+')
+
+optional_policy(`
+ sandbox_list(tmpreaper_t)
+ sandbox_delete_dirs(tmpreaper_t)
+ sandbox_delete_files(tmpreaper_t)
+ sandbox_delete_sock_files(tmpreaper_t)
+ sandbox_setattr_dirs(tmpreaper_t)
')
optional_policy(`
@@ -89,3 +152,8 @@ optional_policy(`
optional_policy(`
rpm_manage_cache(tmpreaper_t)
')
+
+optional_policy(`
+ ntp_manage_log(tmpreaper_t)
+')
+
diff --git a/tomcat.fc b/tomcat.fc
new file mode 100644
index 000000000..ae28ea326
--- /dev/null
+++ b/tomcat.fc
@@ -0,0 +1,12 @@
+/usr/lib/systemd/system/tomcat.service -- gen_context(system_u:object_r:tomcat_unit_file_t,s0)
+
+/usr/sbin/tomcat(6)? -- gen_context(system_u:object_r:tomcat_exec_t,s0)
+/usr/libexec/tomcat/server -- gen_context(system_u:object_r:tomcat_exec_t,s0)
+
+/var/cache/tomcat6?(/.*)? gen_context(system_u:object_r:tomcat_cache_t,s0)
+
+/var/lib/tomcat6?(/.*)? gen_context(system_u:object_r:tomcat_var_lib_t,s0)
+
+/var/log/tomcat6?(/.*)? gen_context(system_u:object_r:tomcat_log_t,s0)
+
+/var/run/tomcat6?\.pid -- gen_context(system_u:object_r:tomcat_var_run_t,s0)
diff --git a/tomcat.if b/tomcat.if
new file mode 100644
index 000000000..e5cec8fda
--- /dev/null
+++ b/tomcat.if
@@ -0,0 +1,396 @@
+
+## <summary>policy for tomcat</summary>
+
+######################################
+## <summary>
+## Creates types and rules for a basic
+## tomcat daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`tomcat_domain_template',`
+ gen_require(`
+ attribute tomcat_domain;
+ ')
+
+ type $1_t, tomcat_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+ type $1_cache_t;
+ files_type($1_cache_t)
+
+ type $1_log_t;
+ logging_log_file($1_log_t)
+
+ type $1_var_lib_t;
+ files_type($1_var_lib_t)
+
+ type $1_var_run_t;
+ files_pid_file($1_var_run_t)
+
+ type $1_tmp_t;
+ files_tmp_file($1_tmp_t)
+
+ ##################################
+ #
+ # Local policy
+ #
+
+ manage_dirs_pattern($1_t, $1_cache_t, $1_cache_t)
+ manage_files_pattern($1_t, $1_cache_t, $1_cache_t)
+ manage_lnk_files_pattern($1_t, $1_cache_t, $1_cache_t)
+ files_var_filetrans($1_t, $1_cache_t, { dir file })
+
+ manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
+ manage_files_pattern($1_t, $1_log_t, $1_log_t)
+ manage_lnk_files_pattern($1_t, $1_log_t, $1_log_t)
+ logging_log_filetrans($1_t, $1_log_t, { dir file })
+
+ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+ manage_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+ files_var_lib_filetrans($1_t, $1_var_lib_t, { dir file lnk_file })
+
+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t, $1_var_run_t, { dir file lnk_file })
+
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_fifo_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { file fifo_file dir })
+
+ can_exec($1_t, $1_exec_t)
+
+ kernel_read_system_state($1_t)
+
+ logging_send_syslog_msg($1_t)
+')
+
+########################################
+## <summary>
+## Transition to tomcat.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tomcat_domtrans',`
+ gen_require(`
+ type tomcat_t, tomcat_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, tomcat_exec_t, tomcat_t)
+')
+
+########################################
+## <summary>
+## Search tomcat cache directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tomcat_search_cache',`
+ gen_require(`
+ type tomcat_cache_t;
+ ')
+
+ allow $1 tomcat_cache_t:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+## <summary>
+## Read tomcat cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tomcat_read_cache_files',`
+ gen_require(`
+ type tomcat_cache_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, tomcat_cache_t, tomcat_cache_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## tomcat cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tomcat_manage_cache_files',`
+ gen_require(`
+ type tomcat_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, tomcat_cache_t, tomcat_cache_t)
+')
+
+########################################
+## <summary>
+## Manage tomcat cache dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tomcat_manage_cache_dirs',`
+ gen_require(`
+ type tomcat_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, tomcat_cache_t, tomcat_cache_t)
+')
+
+########################################
+## <summary>
+## Read tomcat's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tomcat_read_log',`
+ gen_require(`
+ type tomcat_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, tomcat_log_t, tomcat_log_t)
+')
+
+########################################
+## <summary>
+## Append to tomcat log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tomcat_append_log',`
+ gen_require(`
+ type tomcat_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, tomcat_log_t, tomcat_log_t)
+')
+
+########################################
+## <summary>
+## Manage tomcat log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tomcat_manage_log',`
+ gen_require(`
+ type tomcat_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, tomcat_log_t, tomcat_log_t)
+ manage_files_pattern($1, tomcat_log_t, tomcat_log_t)
+ manage_lnk_files_pattern($1, tomcat_log_t, tomcat_log_t)
+')
+
+########################################
+## <summary>
+## Search tomcat lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tomcat_search_lib',`
+ gen_require(`
+ type tomcat_var_lib_t;
+ ')
+
+ allow $1 tomcat_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read tomcat lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tomcat_read_lib_files',`
+ gen_require(`
+ type tomcat_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage tomcat lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tomcat_manage_lib_files',`
+ gen_require(`
+ type tomcat_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage tomcat lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tomcat_manage_lib_dirs',`
+ gen_require(`
+ type tomcat_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read tomcat PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tomcat_read_pid_files',`
+ gen_require(`
+ type tomcat_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 tomcat_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute tomcat server in the tomcat domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tomcat_systemctl',`
+ gen_require(`
+ type tomcat_t;
+ type tomcat_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 tomcat_unit_file_t:file read_file_perms;
+ allow $1 tomcat_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, tomcat_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an tomcat environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tomcat_admin',`
+ gen_require(`
+ type tomcat_t;
+ type tomcat_cache_t;
+ type tomcat_log_t;
+ type tomcat_var_lib_t;
+ type tomcat_var_run_t;
+ type tomcat_unit_file_t;
+ ')
+
+ allow $1 tomcat_t:process { ptrace signal_perms };
+ ps_process_pattern($1, tomcat_t)
+
+ files_search_var($1)
+ admin_pattern($1, tomcat_cache_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, tomcat_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, tomcat_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, tomcat_var_run_t)
+
+ tomcat_systemctl($1)
+ admin_pattern($1, tomcat_unit_file_t)
+ allow $1 tomcat_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/tomcat.te b/tomcat.te
new file mode 100644
index 000000000..6db6edad3
--- /dev/null
+++ b/tomcat.te
@@ -0,0 +1,126 @@
+policy_module(tomcat, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow tomcat to read rpm database.
+## </p>
+## </desc>
+gen_tunable(tomcat_read_rpm_db, false)
+
+attribute tomcat_domain;
+
+tomcat_domain_template(tomcat)
+
+type tomcat_unit_file_t;
+systemd_unit_file(tomcat_unit_file_t)
+
+#######################################
+#
+# tomcat local policy
+#
+
+auth_use_nsswitch(tomcat_t)
+
+# Temporary fix, while missing SELinux policies for HSM
+init_stream_connect_script(tomcat_t)
+
+optional_policy(`
+ pki_manage_tomcat_cert(tomcat_t)
+ pki_manage_apache_log_files(tomcat_t)
+ pki_manage_tomcat_lib(tomcat_t)
+ pki_manage_tomcat_etc_rw(tomcat_t)
+ pki_search_log_dirs(tomcat_t)
+ pki_manage_tomcat_log(tomcat_t)
+ pki_manage_common_files(tomcat_t)
+ pki_exec_common_files(tomcat_t)
+ pki_stream_connect(tomcat_t)
+')
+
+optional_policy(`
+ unconfined_domain(tomcat_t)
+')
+
+optional_policy(`
+ ipa_read_lib(tomcat_t)
+ ipa_read_tmp(tomcat_t)
+')
+
+########################################
+#
+# tomcat domain local policy
+#
+
+allow tomcat_t self:capability { setuid kill };
+
+allow tomcat_t self:process { execmem setcap setsched signal signull };
+
+allow tomcat_t self:tcp_socket { accept listen };
+allow tomcat_domain self:fifo_file rw_fifo_file_perms;
+allow tomcat_domain self:unix_stream_socket create_stream_socket_perms;
+
+# we want to stay in a new tomcat domain if we call tomcat binary from a script
+# initrc_t@tomcat_test_exec_t->tomcat_test_t@tomcat_exec_t->tomcat_test_t
+can_exec(tomcat_domain, tomcat_exec_t)
+
+kernel_read_network_state(tomcat_domain)
+kernel_read_net_sysctls(tomcat_domain)
+kernel_read_usermodehelper_state(tomcat_domain)
+
+corecmd_exec_bin(tomcat_domain)
+corecmd_exec_shell(tomcat_domain)
+
+corenet_tcp_bind_generic_node(tomcat_domain)
+corenet_udp_bind_generic_node(tomcat_domain)
+corenet_tcp_bind_http_port(tomcat_domain)
+corenet_tcp_bind_http_cache_port(tomcat_domain)
+corenet_tcp_bind_mxi_port(tomcat_domain)
+corenet_tcp_bind_bctp_port(tomcat_domain)
+corenet_tcp_connect_http_port(tomcat_domain)
+corenet_tcp_connect_ldap_port(tomcat_domain)
+corenet_tcp_connect_mxi_port(tomcat_domain)
+corenet_tcp_connect_http_cache_port(tomcat_domain)
+corenet_tcp_connect_postgresql_port(tomcat_domain)
+corenet_tcp_connect_amqp_port(tomcat_domain)
+corenet_tcp_connect_oracle_port(tomcat_domain)
+corenet_tcp_connect_ibm_dt_2_port(tomcat_domain)
+corenet_tcp_connect_unreserved_ports(tomcat_domain)
+corenet_tcp_connect_mssql_port(tomcat_domain)
+corenet_tcp_connect_mysqld_port(tomcat_domain)
+corenet_tcp_bind_jboss_management_port(tomcat_domain)
+
+dev_read_rand(tomcat_domain)
+dev_read_urand(tomcat_domain)
+dev_read_sysfs(tomcat_domain)
+
+domain_use_interactive_fds(tomcat_domain)
+
+libs_exec_ldconfig(tomcat_domain)
+
+fs_getattr_all_fs(tomcat_domain)
+fs_read_hugetlbfs_files(tomcat_domain)
+
+sysnet_dns_name_resolve(tomcat_domain)
+
+optional_policy(`
+ cobbler_read_lib_files(tomcat_domain)
+')
+
+optional_policy(`
+ # needed by FreeIPA
+ ldap_stream_connect(tomcat_domain)
+ ldap_read_certs(tomcat_domain)
+')
+
+optional_policy(`
+ tomcat_search_lib(tomcat_domain)
+')
+
+tunable_policy(`tomcat_read_rpm_db',`
+ rpm_exec(tomcat_domain)
+ rpm_read_db(tomcat_domain)
+')
diff --git a/tor.fc b/tor.fc
index dce42ecc5..b6b67bffe 100644
--- a/tor.fc
+++ b/tor.fc
@@ -5,6 +5,8 @@
/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
/usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+/usr/lib/systemd/system/tor.* -- gen_context(system_u:object_r:tor_unit_file_t,s0)
+
/var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
/var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
diff --git a/tor.if b/tor.if
index 61c2e07d6..3b860953c 100644
--- a/tor.if
+++ b/tor.if
@@ -19,6 +19,30 @@ interface(`tor_domtrans',`
domtrans_pattern($1, tor_exec_t, tor_t)
')
+#######################################
+## <summary>
+## Execute tor server in the tor domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tor_systemctl',`
+ gen_require(`
+ type tor_t;
+ type tor_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 tor_unit_file_t:file read_file_perms;
+ allow $1 tor_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, tor_t)
+')
+
########################################
## <summary>
## All of the rules required to
@@ -39,12 +63,18 @@ interface(`tor_domtrans',`
interface(`tor_admin',`
gen_require(`
type tor_t, tor_var_log_t, tor_etc_t;
- type tor_var_lib_t, tor_var_run_t, tor_initrc_exec_t;
+ type tor_var_lib_t, tor_var_run_t;
+ type tor_initrc_exec_t;
+ type tor_unit_file_t;
')
- allow $1 tor_t:process { ptrace signal_perms };
+ allow $1 tor_t:process signal_perms;
ps_process_pattern($1, tor_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 tor_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, tor_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 tor_initrc_exec_t system_r;
@@ -61,4 +91,13 @@ interface(`tor_admin',`
files_list_pids($1)
admin_pattern($1, tor_var_run_t)
+
+ tor_systemctl($1)
+ admin_pattern($1, tor_unit_file_t)
+ allow $1 tor_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/tor.te b/tor.te
index 5ceacde8c..792523bdb 100644
--- a/tor.te
+++ b/tor.te
@@ -13,6 +13,20 @@ policy_module(tor, 1.9.0)
## </desc>
gen_tunable(tor_bind_all_unreserved_ports, false)
+## <desc>
+## <p>
+## Allow tor to act as a relay
+## </p>
+## </desc>
+gen_tunable(tor_can_network_relay, false)
+
+## <desc>
+## <p>
+## Allow tor to run onion services
+## </p>
+## </desc>
+gen_tunable(tor_can_onion_services, false)
+
type tor_t;
type tor_exec_t;
init_daemon_domain(tor_t, tor_exec_t)
@@ -25,13 +39,19 @@ init_script_file(tor_initrc_exec_t)
type tor_var_lib_t;
files_type(tor_var_lib_t)
+files_mountpoint(tor_var_lib_t)
type tor_var_log_t;
logging_log_file(tor_var_log_t)
+files_mountpoint(tor_var_log_t)
type tor_var_run_t;
files_pid_file(tor_var_run_t)
init_daemon_run_dir(tor_var_run_t, "tor")
+files_mountpoint(tor_var_run_t)
+
+type tor_unit_file_t;
+systemd_unit_file(tor_unit_file_t)
########################################
#
@@ -48,10 +68,13 @@ allow tor_t tor_etc_t:dir list_dir_perms;
allow tor_t tor_etc_t:file read_file_perms;
allow tor_t tor_etc_t:lnk_file read_lnk_file_perms;
+dontaudit tor_t self:capability { net_admin };
+
manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
files_var_lib_filetrans(tor_t, tor_var_lib_t, dir)
+allow tor_t tor_var_lib_t:file map;
allow tor_t tor_var_log_t:dir setattr_dir_perms;
append_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
@@ -77,7 +100,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
corenet_udp_sendrecv_generic_node(tor_t)
corenet_tcp_bind_generic_node(tor_t)
corenet_udp_bind_generic_node(tor_t)
-
corenet_sendrecv_dns_server_packets(tor_t)
corenet_udp_bind_dns_port(tor_t)
corenet_udp_sendrecv_dns_port(tor_t)
@@ -85,6 +107,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
corenet_sendrecv_tor_server_packets(tor_t)
corenet_tcp_bind_tor_port(tor_t)
corenet_tcp_sendrecv_tor_port(tor_t)
+corenet_tcp_bind_hplip_port(tor_t)
corenet_sendrecv_all_client_packets(tor_t)
corenet_tcp_connect_all_ports(tor_t)
@@ -98,19 +121,26 @@ dev_read_urand(tor_t)
domain_use_interactive_fds(tor_t)
files_read_etc_runtime_files(tor_t)
-files_read_usr_files(tor_t)
auth_use_nsswitch(tor_t)
logging_send_syslog_msg(tor_t)
-miscfiles_read_localization(tor_t)
-
tunable_policy(`tor_bind_all_unreserved_ports',`
corenet_sendrecv_all_server_packets(tor_t)
corenet_tcp_bind_all_unreserved_ports(tor_t)
')
+tunable_policy(`tor_can_network_relay',`
+ # allow httpd to work as a relay
+ corenet_tcp_connect_all_ephemeral_ports(tor_t)
+ corenet_tcp_bind_http_port(tor_t)
+')
+
+tunable_policy(`tor_can_onion_services',`
+ allow tor_t self:capability { dac_read_search };
+')
+
optional_policy(`
seutil_sigchld_newrole(tor_t)
')
diff --git a/transproxy.te b/transproxy.te
index 34973ee4c..1c9a4c613 100644
--- a/transproxy.te
+++ b/transproxy.te
@@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(transproxy_t)
kernel_list_proc(transproxy_t)
kernel_read_proc_symlinks(transproxy_t)
-corenet_all_recvfrom_unlabeled(transproxy_t)
corenet_all_recvfrom_netlabel(transproxy_t)
corenet_tcp_sendrecv_generic_if(transproxy_t)
corenet_tcp_sendrecv_generic_node(transproxy_t)
@@ -46,15 +45,12 @@ dev_read_sysfs(transproxy_t)
domain_use_interactive_fds(transproxy_t)
-files_read_etc_files(transproxy_t)
fs_getattr_all_fs(transproxy_t)
fs_search_auto_mountpoints(transproxy_t)
logging_send_syslog_msg(transproxy_t)
-miscfiles_read_localization(transproxy_t)
-
sysnet_read_config(transproxy_t)
userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
diff --git a/tripwire.te b/tripwire.te
index 03aa6b7f0..d262808fc 100644
--- a/tripwire.te
+++ b/tripwire.te
@@ -47,7 +47,7 @@ role twprint_roles types twprint_t;
# Local policy
#
-allow tripwire_t self:capability { setgid setuid dac_override };
+allow tripwire_t self:capability { setgid setuid dac_read_search };
allow tripwire_t tripwire_etc_t:dir list_dir_perms;
allow tripwire_t tripwire_etc_t:file read_file_perms;
@@ -86,7 +86,7 @@ files_getattr_all_sockets(tripwire_t)
logging_send_syslog_msg(tripwire_t)
-userdom_use_user_terminals(tripwire_t)
+userdom_use_inherited_user_terminals(tripwire_t)
optional_policy(`
cron_system_entry(tripwire_t, tripwire_exec_t)
@@ -107,9 +107,7 @@ files_search_etc(twadmin_t)
logging_send_syslog_msg(twadmin_t)
-miscfiles_read_localization(twadmin_t)
-
-userdom_use_user_terminals(twadmin_t)
+userdom_use_inherited_user_terminals(twadmin_t)
########################################
#
@@ -135,9 +133,7 @@ files_search_var_lib(twprint_t)
logging_send_syslog_msg(twprint_t)
-miscfiles_read_localization(twprint_t)
-
-userdom_use_user_terminals(twprint_t)
+userdom_use_inherited_user_terminals(twprint_t)
########################################
#
@@ -150,6 +146,4 @@ files_read_all_files(siggen_t)
logging_send_syslog_msg(siggen_t)
-miscfiles_read_localization(siggen_t)
-
-userdom_use_user_terminals(siggen_t)
+userdom_use_inherited_user_terminals(siggen_t)
diff --git a/tuned.if b/tuned.if
index e29db63a2..061fb983c 100644
--- a/tuned.if
+++ b/tuned.if
@@ -119,9 +119,13 @@ interface(`tuned_admin',`
type tuned_etc_t, tuned_rw_etc_t, tuned_log_t;
')
- allow $1 tuned_t:process { ptrace signal_perms };
+ allow $1 tuned_t:process signal_perms;
ps_process_pattern($1, tuned_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 tuned_t:process ptrace;
+ ')
+
tuned_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r;
diff --git a/tuned.te b/tuned.te
index 393a33073..1664e51c0 100644
--- a/tuned.te
+++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
type tuned_log_t;
logging_log_file(tuned_log_t)
+type tuned_tmp_t;
+files_tmp_file(tuned_tmp_t)
+
type tuned_var_run_t;
files_pid_file(tuned_var_run_t)
@@ -29,10 +32,14 @@ files_pid_file(tuned_var_run_t)
# Local policy
#
-allow tuned_t self:capability { sys_admin sys_nice };
-dontaudit tuned_t self:capability { dac_override sys_tty_config };
-allow tuned_t self:process { setsched signal };
+allow tuned_t self:capability { net_admin sys_admin sys_nice sys_rawio };
+dontaudit tuned_t self:capability { dac_read_search sys_tty_config };
+allow tuned_t self:process { setsched signal };
allow tuned_t self:fifo_file rw_fifo_file_perms;
+allow tuned_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow tuned_t self:netlink_socket create_socket_perms;
+allow tuned_t self:udp_socket create_socket_perms;
+allow tuned_t self:socket create_socket_perms;
read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
@@ -41,22 +48,29 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")
manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
-append_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
-create_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
-setattr_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
-logging_log_filetrans(tuned_t, tuned_log_t, file)
+manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
+logging_log_filetrans(tuned_t, tuned_log_t, file, "tuned.log")
+
+manage_dirs_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t)
+manage_files_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t)
+files_tmp_filetrans(tuned_t, tuned_tmp_t, { file dir })
+can_exec(tuned_t, tuned_tmp_t)
manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file })
+allow tuned_t tuned_var_run_t:file relabel_file_perms;
+can_exec(tuned_t, tuned_var_run_t)
kernel_read_system_state(tuned_t)
kernel_read_network_state(tuned_t)
kernel_read_kernel_sysctls(tuned_t)
kernel_request_load_module(tuned_t)
kernel_rw_kernel_sysctl(tuned_t)
-kernel_rw_hotplug_sysctls(tuned_t)
+kernel_rw_usermodehelper_state(tuned_t)
kernel_rw_vm_sysctls(tuned_t)
+kernel_setsched(tuned_t)
+kernel_rw_all_sysctls(tuned_t)
corecmd_exec_bin(tuned_t)
corecmd_exec_shell(tuned_t)
@@ -64,35 +78,72 @@ corecmd_exec_shell(tuned_t)
dev_getattr_all_blk_files(tuned_t)
dev_getattr_all_chr_files(tuned_t)
dev_read_urand(tuned_t)
+dev_rw_cpu_microcode(tuned_t)
dev_rw_sysfs(tuned_t)
dev_rw_netcontrol(tuned_t)
-files_read_usr_files(tuned_t)
+files_dontaudit_all_access_check(tuned_t)
files_dontaudit_search_home(tuned_t)
-files_dontaudit_list_tmp(tuned_t)
+files_list_tmp(tuned_t)
+
+fs_getattr_all_fs(tuned_t)
+fs_search_all(tuned_t)
+fs_rw_hugetlbfs_files(tuned_t)
-fs_getattr_xattr_fs(tuned_t)
+auth_use_nsswitch(tuned_t)
logging_send_syslog_msg(tuned_t)
+#bug in tuned
+logging_manage_syslog_config(tuned_t)
+logging_filetrans_named_conf(tuned_t)
-miscfiles_read_localization(tuned_t)
+mount_read_pid_files(tuned_t)
+
+modutils_domtrans_insmod(tuned_t)
udev_read_pid_files(tuned_t)
userdom_dontaudit_search_user_home_dirs(tuned_t)
optional_policy(`
+ dbus_system_bus_client(tuned_t)
+ dbus_connect_system_bus(tuned_t)
+')
+
+optional_policy(`
+ dmidecode_domtrans(tuned_t)
+')
+
+# to allow disk tuning
+optional_policy(`
fstools_domtrans(tuned_t)
')
optional_policy(`
+ gnome_dontaudit_search_config(tuned_t)
+')
+
+optional_policy(`
+ libs_exec_ldconfig(tuned_t)
+')
+
+optional_policy(`
mount_domtrans(tuned_t)
')
optional_policy(`
+ policykit_dbus_chat(tuned_t)
+')
+
+# to allow network interface tuning
+optional_policy(`
sysnet_domtrans_ifconfig(tuned_t)
')
optional_policy(`
unconfined_dbus_send(tuned_t)
')
+
+optional_policy(`
+ unconfined_domain(tuned_t)
+')
diff --git a/tvtime.if b/tvtime.if
index 1bb0f7c78..372be2f21 100644
--- a/tvtime.if
+++ b/tvtime.if
@@ -1,5 +1,23 @@
## <summary>High quality television application.</summary>
+#######################################
+## <summary>
+## Transition to alsa named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tvtime_filetrans_home_content',`
+ gen_require(`
+ type tvtime_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, tvtime_home_t, dir, ".tvtime")
+')
+
########################################
## <summary>
## Role access for tvtime
diff --git a/tvtime.te b/tvtime.te
index afd2d6c3f..3ce900e99 100644
--- a/tvtime.te
+++ b/tvtime.te
@@ -42,7 +42,6 @@ allow tvtime_t self:unix_stream_socket rw_stream_socket_perms;
manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
manage_lnk_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
-userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir)
manage_dirs_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t)
manage_files_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t)
@@ -61,7 +60,6 @@ dev_read_realtime_clock(tvtime_t)
dev_read_sound(tvtime_t)
dev_read_urand(tvtime_t)
-files_read_usr_files(tvtime_t)
fs_getattr_all_fs(tvtime_t)
fs_search_auto_mountpoints(tvtime_t)
@@ -69,21 +67,12 @@ fs_search_auto_mountpoints(tvtime_t)
auth_use_nsswitch(tvtime_t)
miscfiles_read_fonts(tvtime_t)
-miscfiles_read_localization(tvtime_t)
-userdom_use_user_terminals(tvtime_t)
+userdom_use_inherited_user_terminals(tvtime_t)
+userdom_read_user_home_content_files(tvtime_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(tvtime_t)
- fs_manage_nfs_files(tvtime_t)
- fs_manage_nfs_symlinks(tvtime_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(tvtime_t)
- fs_manage_cifs_files(tvtime_t)
- fs_manage_cifs_symlinks(tvtime_t)
-')
+# X access, Home files
+userdom_home_manager(tvtime_t)
optional_policy(`
xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t)
diff --git a/tzdata.te b/tzdata.te
index 221c43b84..2b9c49ac1 100644
--- a/tzdata.te
+++ b/tzdata.te
@@ -27,11 +27,10 @@ term_dontaudit_list_ptys(tzdata_t)
locallogin_dontaudit_use_fds(tzdata_t)
-miscfiles_read_localization(tzdata_t)
miscfiles_manage_localization(tzdata_t)
miscfiles_etc_filetrans_localization(tzdata_t)
-userdom_use_user_terminals(tzdata_t)
+userdom_use_inherited_user_terminals(tzdata_t)
optional_policy(`
postfix_search_spool(tzdata_t)
diff --git a/ucspitcp.te b/ucspitcp.te
index 7745b72e6..329c3d899 100644
--- a/ucspitcp.te
+++ b/ucspitcp.te
@@ -33,7 +33,6 @@ corenet_udp_sendrecv_all_ports(rblsmtpd_t)
corenet_tcp_bind_generic_node(rblsmtpd_t)
corenet_udp_bind_generic_port(rblsmtpd_t)
-files_read_etc_files(rblsmtpd_t)
files_search_var(rblsmtpd_t)
optional_policy(`
@@ -82,7 +81,6 @@ corenet_udp_bind_dns_port(ucspitcp_t)
corenet_sendrecv_generic_server_packets(ucspitcp_t)
corenet_udp_bind_generic_port(ucspitcp_t)
-files_read_etc_files(ucspitcp_t)
files_search_var(ucspitcp_t)
sysnet_read_config(ucspitcp_t)
diff --git a/udisks2.fc b/udisks2.fc
new file mode 100644
index 000000000..c8aa54dab
--- /dev/null
+++ b/udisks2.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/udisks2.* -- gen_context(system_u:object_r:udisks2_unit_file_t,s0)
+
+/usr/libexec/udisks2/udisksd -- gen_context(system_u:object_r:udisks2_exec_t,s0)
+/usr/bin/udisksctl -- gen_context(system_u:object_r:udisks2_exec_t,s0)
+
+/var/lib/udisks2(/.*)? gen_context(system_u:object_r:udisks2_var_lib_t,s0)
+
+/var/run/udisks2(/.*)? gen_context(system_u:object_r:udisks2_var_run_t,s0)
diff --git a/udisks2.if b/udisks2.if
new file mode 100644
index 000000000..45304ea1a
--- /dev/null
+++ b/udisks2.if
@@ -0,0 +1,206 @@
+## <summary>udisks - Disk Manager</summary>
+
+########################################
+## <summary>
+## Execute udisks2_exec_t in the udisks2 domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`udisks2_domtrans',`
+ gen_require(`
+ type udisks2_t, udisks2_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, udisks2_exec_t, udisks2_t)
+')
+
+######################################
+## <summary>
+## Execute udisks2 in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udisks2_exec',`
+ gen_require(`
+ type udisks2_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, udisks2_exec_t)
+')
+
+########################################
+## <summary>
+## Search udisks2 lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udisks2_search_lib',`
+ gen_require(`
+ type udisks2_var_lib_t;
+ ')
+
+ allow $1 udisks2_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read udisks2 lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udisks2_read_lib_files',`
+ gen_require(`
+ type udisks2_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, udisks2_var_lib_t, udisks2_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage udisks2 lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udisks2_manage_lib_files',`
+ gen_require(`
+ type udisks2_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, udisks2_var_lib_t, udisks2_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage udisks2 lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udisks2_manage_lib_dirs',`
+ gen_require(`
+ type udisks2_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, udisks2_var_lib_t, udisks2_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read udisks2 PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udisks2_read_pid_files',`
+ gen_require(`
+ type udisks2_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, udisks2_var_run_t, udisks2_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute udisks2 server in the udisks2 domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`udisks2_systemctl',`
+ gen_require(`
+ type udisks2_t;
+ type udisks2_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 udisks2_unit_file_t:file read_file_perms;
+ allow $1 udisks2_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, udisks2_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an udisks2 environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`udisks2_admin',`
+ gen_require(`
+ type udisks2_t;
+ type udisks2_var_lib_t;
+ type udisks2_var_run_t;
+ type udisks2_unit_file_t;
+ ')
+
+ allow $1 udisks2_t:process { signal_perms };
+ ps_process_pattern($1, udisks2_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 udisks2_t:process ptrace;
+ ')
+
+ files_search_var_lib($1)
+ admin_pattern($1, udisks2_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, udisks2_var_run_t)
+
+ udisks2_systemctl($1)
+ admin_pattern($1, udisks2_unit_file_t)
+ allow $1 udisks2_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/udisks2.te b/udisks2.te
new file mode 100644
index 000000000..617ee56f4
--- /dev/null
+++ b/udisks2.te
@@ -0,0 +1,58 @@
+policy_module(udisks2, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type udisks2_t;
+type udisks2_exec_t;
+init_daemon_domain(udisks2_t, udisks2_exec_t)
+
+type udisks2_var_lib_t;
+files_type(udisks2_var_lib_t)
+
+type udisks2_var_run_t;
+files_pid_file(udisks2_var_run_t)
+
+type udisks2_unit_file_t;
+systemd_unit_file(udisks2_unit_file_t)
+
+########################################
+#
+# udisks2 local policy
+#
+allow udisks2_t self:capability { sys_rawio };
+allow udisks2_t self:unix_stream_socket create_stream_socket_perms;
+allow udisks2_t self:netlink_kobject_uevent_socket { bind create getattr setopt };
+
+manage_dirs_pattern(udisks2_t, udisks2_var_lib_t, udisks2_var_lib_t)
+manage_files_pattern(udisks2_t, udisks2_var_lib_t, udisks2_var_lib_t)
+manage_lnk_files_pattern(udisks2_t, udisks2_var_lib_t, udisks2_var_lib_t)
+files_var_lib_filetrans(udisks2_t, udisks2_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(udisks2_t, udisks2_var_run_t, udisks2_var_run_t)
+manage_files_pattern(udisks2_t, udisks2_var_run_t, udisks2_var_run_t)
+manage_lnk_files_pattern(udisks2_t, udisks2_var_run_t, udisks2_var_run_t)
+files_pid_filetrans(udisks2_t, udisks2_var_run_t, { dir file lnk_file })
+
+kernel_read_system_state(udisks2_t)
+
+auth_use_nsswitch(udisks2_t)
+
+dev_read_sysfs(udisks2_t)
+
+logging_send_syslog_msg(udisks2_t)
+
+storage_raw_read_fixed_disk(udisks2_t)
+storage_raw_read_removable_device(udisks2_t)
+
+udev_read_db(udisks2_t)
+
+optional_policy(`
+ dbus_system_bus_client(udisks2_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(udisks2_t)
+')
diff --git a/ulogd.if b/ulogd.if
index 9b95c3ef7..a892845bb 100644
--- a/ulogd.if
+++ b/ulogd.if
@@ -123,8 +123,11 @@ interface(`ulogd_admin',`
type ulogd_var_log_t, ulogd_initrc_exec_t;
')
- allow $1 ulogd_t:process { ptrace signal_perms };
+ allow $1 ulogd_t:process signal_perms;
ps_process_pattern($1, ulogd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ulogd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/ulogd.te b/ulogd.te
index de35e5f4c..91cac1110 100644
--- a/ulogd.te
+++ b/ulogd.te
@@ -29,8 +29,11 @@ logging_log_file(ulogd_var_log_t)
allow ulogd_t self:capability { net_admin setuid setgid sys_nice };
allow ulogd_t self:process setsched;
allow ulogd_t self:netlink_nflog_socket create_socket_perms;
+allow ulogd_t self:netlink_route_socket r_netlink_socket_perms;
allow ulogd_t self:netlink_socket create_socket_perms;
-allow ulogd_t self:tcp_socket create_stream_socket_perms;
+allow ulogd_t self:netlink_netfilter_socket create_socket_perms;
+allow ulogd_t self:tcp_socket { create_stream_socket_perms connect };
+allow ulogd_t self:udp_socket create_socket_perms;
read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
@@ -42,10 +45,7 @@ create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
setattr_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
-files_read_etc_files(ulogd_t)
-files_read_usr_files(ulogd_t)
-
-miscfiles_read_localization(ulogd_t)
+kernel_request_load_module(ulogd_t)
sysnet_dns_name_resolve(ulogd_t)
diff --git a/uml.if b/uml.if
index ab5c1d0da..d13105ea7 100644
--- a/uml.if
+++ b/uml.if
@@ -32,7 +32,7 @@ interface(`uml_role',`
allow uml_t $2:unix_dgram_socket sendto;
ps_process_pattern($2, uml_t)
- allow $2 uml_t:process { ptrace signal_perms };
+ allow $2 uml_t:process signal_perms;
allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms };
diff --git a/uml.te b/uml.te
index b68bd49ff..da0c6912f 100644
--- a/uml.te
+++ b/uml.te
@@ -90,7 +90,6 @@ kernel_write_proc_files(uml_t)
corecmd_exec_bin(uml_t)
-corenet_all_recvfrom_unlabeled(uml_t)
corenet_all_recvfrom_netlabel(uml_t)
corenet_tcp_sendrecv_generic_if(uml_t)
corenet_tcp_sendrecv_generic_node(uml_t)
@@ -115,7 +114,13 @@ init_dontaudit_write_utmp(uml_t)
libs_exec_lib_files(uml_t)
-userdom_use_user_terminals(uml_t)
+# Inherit and use descriptors from newrole.
+seutil_use_newrole_fds(uml_t)
+
+# Use the network.
+sysnet_read_config(uml_t)
+
+userdom_use_inherited_user_terminals(uml_t)
userdom_attach_admin_tun_iface(uml_t)
tunable_policy(`use_nfs_home_dirs',`
@@ -133,10 +138,6 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
- seutil_use_newrole_fds(uml_t)
-')
-
-optional_policy(`
virt_attach_tun_iface(uml_t)
')
@@ -171,8 +172,6 @@ init_use_script_ptys(uml_switch_t)
logging_send_syslog_msg(uml_switch_t)
-miscfiles_read_localization(uml_switch_t)
-
userdom_dontaudit_use_unpriv_user_fds(uml_switch_t)
userdom_dontaudit_search_user_home_dirs(uml_switch_t)
diff --git a/updfstab.te b/updfstab.te
index 5ceb91249..793032477 100644
--- a/updfstab.te
+++ b/updfstab.te
@@ -14,7 +14,7 @@ init_system_domain(updfstab_t, updfstab_exec_t)
# Local policy
#
-allow updfstab_t self:capability dac_override;
+allow updfstab_t self:capability { dac_read_search };
dontaudit updfstab_t self:capability { sys_admin sys_tty_config };
allow updfstab_t self:process signal_perms;
allow updfstab_t self:fifo_file rw_fifo_file_perms;
@@ -66,8 +66,6 @@ init_use_script_ptys(updfstab_t)
logging_search_logs(updfstab_t)
logging_send_syslog_msg(updfstab_t)
-miscfiles_read_localization(updfstab_t)
-
seutil_read_config(updfstab_t)
seutil_read_default_contexts(updfstab_t)
seutil_read_file_contexts(updfstab_t)
@@ -75,9 +73,8 @@ seutil_read_file_contexts(updfstab_t)
userdom_dontaudit_search_user_home_content(updfstab_t)
userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
-optional_policy(`
- auth_domtrans_pam_console(updfstab_t)
-')
+auth_use_nsswitch(updfstab_t)
+auth_domtrans_pam_console(updfstab_t)
optional_policy(`
dbus_system_bus_client(updfstab_t)
diff --git a/uptime.if b/uptime.if
index 01a3234b6..19f472475 100644
--- a/uptime.if
+++ b/uptime.if
@@ -19,7 +19,7 @@
#
interface(`uptime_admin',`
gen_require(`
- type uptimed_t, uptimed_initrc_exec_t. uptimed_etc_t;
+ type uptimed_t, uptimed_initrc_exec_t, uptimed_etc_t;
type uptimed_spool_t, uptimed_var_run_t;
')
diff --git a/uptime.te b/uptime.te
index 58397dc31..e6b6a3472 100644
--- a/uptime.te
+++ b/uptime.te
@@ -16,7 +16,7 @@ type uptimed_initrc_exec_t;
init_script_file(uptimed_initrc_exec_t)
type uptimed_spool_t;
-files_type(uptimed_spool_t)
+files_spool_file(uptimed_spool_t)
type uptimed_var_run_t;
files_pid_file(uptimed_var_run_t)
@@ -55,8 +55,6 @@ fs_search_auto_mountpoints(uptimed_t)
logging_send_syslog_msg(uptimed_t)
-miscfiles_read_localization(uptimed_t)
-
userdom_dontaudit_use_unpriv_user_fds(uptimed_t)
userdom_dontaudit_search_user_home_dirs(uptimed_t)
diff --git a/usbmodules.te b/usbmodules.te
index 279e511df..4f79ad697 100644
--- a/usbmodules.te
+++ b/usbmodules.te
@@ -24,8 +24,6 @@ files_list_kernel_modules(usbmodules_t)
dev_list_usbfs(usbmodules_t)
dev_rw_usbfs(usbmodules_t)
-files_list_etc(usbmodules_t)
-
term_read_console(usbmodules_t)
term_write_console(usbmodules_t)
@@ -35,10 +33,12 @@ logging_send_syslog_msg(usbmodules_t)
miscfiles_read_hwdata(usbmodules_t)
-modutils_read_module_deps(usbmodules_t)
-
-userdom_use_user_terminals(usbmodules_t)
+userdom_use_inherited_user_terminals(usbmodules_t)
optional_policy(`
hotplug_read_config(usbmodules_t)
')
+
+optional_policy(`
+ modutils_read_module_deps(usbmodules_t)
+')
diff --git a/usbmuxd.fc b/usbmuxd.fc
index 220f6add1..ccbb5dabc 100644
--- a/usbmuxd.fc
+++ b/usbmuxd.fc
@@ -1,3 +1,6 @@
/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
-/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+/usr/lib/systemd/system/usbmuxd.* -- gen_context(system_u:object_r:usbmuxd_unit_file_t,s0)
+
+/var/lib/lockdown(/.*)? gen_context(system_u:object_r:usbmuxd_var_lib_t,s0)
diff --git a/usbmuxd.if b/usbmuxd.if
index 1ec5e996b..5b6c80bba 100644
--- a/usbmuxd.if
+++ b/usbmuxd.if
@@ -38,3 +38,67 @@ interface(`usbmuxd_stream_connect',`
files_search_pids($1)
stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
')
+
+########################################
+## <summary>
+## Execute usbmuxd server in the usbmuxd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usbmuxd_systemctl',`
+ gen_require(`
+ type usbmuxd_t;
+ type usbmuxd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 usbmuxd_unit_file_t:file read_file_perms;
+ allow $1 usbmuxd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, usbmuxd_t)
+')
+
+#####################################
+## <summary>
+## All of the rules required to administrate
+## an usbmuxd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the usbmuxd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`usbmuxd_admin',`
+ gen_require(`
+ type usbmuxd_t,usbmuxd_var_run_t;
+ type usbmuxd_unit_file_t;
+ ')
+
+ allow $1 usbmuxd_t:process { signal_perms };
+ ps_process_pattern($1, usbmuxd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 usbmuxd_t:process ptrace;
+ ')
+
+ allow $2 system_r;
+
+ files_list_pids($1)
+ admin_pattern($1, usbmuxd_var_run_t)
+
+ usbmuxd_systemctl($1)
+ admin_pattern($1, usbmuxd_unit_file_t)
+ allow $1 usbmuxd_unit_file_t:service all_service_perms;
+')
diff --git a/usbmuxd.te b/usbmuxd.te
index 34a891755..933baa42d 100644
--- a/usbmuxd.te
+++ b/usbmuxd.te
@@ -10,34 +10,58 @@ roleattribute system_r usbmuxd_roles;
type usbmuxd_t;
type usbmuxd_exec_t;
+init_system_domain(usbmuxd_t, usbmuxd_exec_t)
application_domain(usbmuxd_t, usbmuxd_exec_t)
role usbmuxd_roles types usbmuxd_t;
type usbmuxd_var_run_t;
files_pid_file(usbmuxd_var_run_t)
+type usbmuxd_var_lib_t;
+files_type(usbmuxd_var_lib_t)
+
+type usbmuxd_unit_file_t;
+systemd_unit_file(usbmuxd_unit_file_t)
+
########################################
#
# Local policy
#
-allow usbmuxd_t self:capability { kill setgid setuid };
-allow usbmuxd_t self:process { signal signull };
+allow usbmuxd_t self:capability { fowner fsetid chown kill setgid setuid };
+dontaudit usbmuxd_t self:capability sys_resource;
+allow usbmuxd_t self:process { signal_perms setrlimit };
allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
+allow usbmuxd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow usbmuxd_t self:unix_stream_socket connectto;
manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file })
+manage_dirs_pattern(usbmuxd_t, usbmuxd_var_lib_t, usbmuxd_var_lib_t)
+manage_files_pattern(usbmuxd_t, usbmuxd_var_lib_t, usbmuxd_var_lib_t)
+manage_lnk_files_pattern(usbmuxd_t, usbmuxd_var_lib_t, usbmuxd_var_lib_t)
+files_var_lib_filetrans(usbmuxd_t, usbmuxd_var_lib_t, { dir file })
+
kernel_read_kernel_sysctls(usbmuxd_t)
kernel_read_system_state(usbmuxd_t)
dev_read_sysfs(usbmuxd_t)
+dev_read_urand(usbmuxd_t)
dev_rw_generic_usb_dev(usbmuxd_t)
auth_use_nsswitch(usbmuxd_t)
-miscfiles_read_localization(usbmuxd_t)
-
logging_send_syslog_msg(usbmuxd_t)
+
+seutil_dontaudit_read_file_contexts(usbmuxd_t)
+
+optional_policy(`
+ udev_read_pid_files(usbmuxd_t)
+')
+
+optional_policy(`
+ virt_dontaudit_read_chr_dev(usbmuxd_t)
+')
diff --git a/userhelper.fc b/userhelper.fc
index c416a833e..cd83b89ee 100644
--- a/userhelper.fc
+++ b/userhelper.fc
@@ -1,5 +1,10 @@
-/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0)
+#
+# /etc
+#
+/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0)
-/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
-
-/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
\ No newline at end of file
+#
+# /usr
+#
+/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
+/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
diff --git a/userhelper.if b/userhelper.if
index 98b51fd0b..d33d87f30 100644
--- a/userhelper.if
+++ b/userhelper.if
@@ -1,4 +1,4 @@
-## <summary>A wrapper that helps users run system programs.</summary>
+## <summary>SELinux utility to run a shell with a new role</summary>
#######################################
## <summary>
@@ -23,9 +23,9 @@
#
template(`userhelper_role_template',`
gen_require(`
- attribute userhelper_type, consolehelper_type;
- attribute_role userhelper_roles, consolehelper_roles;
- type userhelper_exec_t, consolehelper_exec_t, userhelper_conf_t;
+ attribute userhelper_type;
+ type userhelper_exec_t, userhelper_conf_t;
+ class dbus send_msg;
')
########################################
@@ -33,64 +33,123 @@ template(`userhelper_role_template',`
# Declarations
#
- type $1_consolehelper_t, consolehelper_type;
- userdom_user_application_domain($1_consolehelper_t, consolehelper_exec_t)
-
- role consolehelper_roles types $1_consolehelper_t;
- roleattribute $2 consolehelper_roles;
-
type $1_userhelper_t, userhelper_type;
userdom_user_application_domain($1_userhelper_t, userhelper_exec_t)
-
domain_role_change_exemption($1_userhelper_t)
domain_obj_id_change_exemption($1_userhelper_t)
domain_interactive_fd($1_userhelper_t)
domain_subj_id_change_exemption($1_userhelper_t)
-
- role userhelper_roles types $1_userhelper_t;
- roleattribute $2 userhelper_roles;
+ role $2 types $1_userhelper_t;
########################################
#
- # Consolehelper local policy
+ # Local policy
#
+ allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_read_search chown sys_tty_config };
+ allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_userhelper_t self:process setexec;
+ allow $1_userhelper_t self:fd use;
+ allow $1_userhelper_t self:fifo_file rw_fifo_file_perms;
+ allow $1_userhelper_t self:shm create_shm_perms;
+ allow $1_userhelper_t self:sem create_sem_perms;
+ allow $1_userhelper_t self:msgq create_msgq_perms;
+ allow $1_userhelper_t self:msg { send receive };
+ allow $1_userhelper_t self:unix_dgram_socket create_socket_perms;
+ allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_userhelper_t self:unix_dgram_socket sendto;
+ allow $1_userhelper_t self:unix_stream_socket connectto;
+ allow $1_userhelper_t self:sock_file read_sock_file_perms;
+
+ #Transition to the derived domain.
+ domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
- allow $1_consolehelper_t $3:unix_stream_socket connectto;
+ allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
+ rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t)
- domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
+ can_exec($1_userhelper_t, userhelper_exec_t)
- allow $3 $1_consolehelper_t:process { ptrace signal_perms };
- ps_process_pattern($3, $1_consolehelper_t)
+ dontaudit $3 $1_userhelper_t:process signal;
- auth_use_pam($1_consolehelper_t)
+ kernel_read_all_sysctls($1_userhelper_t)
+ kernel_getattr_debugfs($1_userhelper_t)
+ kernel_read_system_state($1_userhelper_t)
- optional_policy(`
- dbus_connect_all_session_bus($1_consolehelper_t)
+ # Execute shells
+ corecmd_exec_shell($1_userhelper_t)
+ # By default, revert to the calling domain when a program is executed
+ corecmd_bin_domtrans($1_userhelper_t, $3)
- optional_policy(`
- userhelper_dbus_chat_all_consolehelper($3)
- ')
- ')
+ # Inherit descriptors from the current session.
+ domain_use_interactive_fds($1_userhelper_t)
+ # for when the user types "exec userhelper" at the command line
+ domain_sigchld_interactive_fds($1_userhelper_t)
+
+ dev_read_urand($1_userhelper_t)
+ # Read /dev directories and any symbolic links.
+ dev_list_all_dev_nodes($1_userhelper_t)
+
+ files_list_var_lib($1_userhelper_t)
+ # Read the /etc/security/default_type file
+ files_read_etc_files($1_userhelper_t)
+ # Read /var.
+ files_read_var_files($1_userhelper_t)
+ files_read_var_symlinks($1_userhelper_t)
+ # for some PAM modules and for cwd
+ files_search_home($1_userhelper_t)
+
+ fs_search_auto_mountpoints($1_userhelper_t)
+ fs_read_nfs_files($1_userhelper_t)
+ fs_read_nfs_symlinks($1_userhelper_t)
+
+ # Allow $1_userhelper to obtain contexts to relabel TTYs
+ selinux_get_fs_mount($1_userhelper_t)
+ selinux_validate_context($1_userhelper_t)
+ selinux_compute_access_vector($1_userhelper_t)
+ selinux_compute_create_context($1_userhelper_t)
+ selinux_compute_relabel_context($1_userhelper_t)
+ selinux_compute_user_contexts($1_userhelper_t)
+
+ # Read the devpts root directory.
+ term_list_ptys($1_userhelper_t)
+ # Relabel terminals.
+ term_relabel_all_ttys($1_userhelper_t)
+ term_relabel_all_ptys($1_userhelper_t)
+ # Access terminals.
+ term_use_all_ttys($1_userhelper_t)
+ term_use_all_ptys($1_userhelper_t)
- ########################################
- #
- # Userhelper local policy
- #
+ auth_domtrans_chk_passwd($1_userhelper_t)
+ auth_manage_pam_pid($1_userhelper_t)
+ auth_manage_var_auth($1_userhelper_t)
+ auth_search_pam_console_data($1_userhelper_t)
+ auth_use_nsswitch($1_userhelper_t)
- domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
+ logging_send_syslog_msg($1_userhelper_t)
- dontaudit $3 $1_userhelper_t:process signal;
+ # Inherit descriptors from the current session.
+ init_use_fds($1_userhelper_t)
+ # Write to utmp.
+ init_manage_utmp($1_userhelper_t)
+ init_pid_filetrans_utmp($1_userhelper_t)
- corecmd_bin_domtrans($1_userhelper_t, $3)
- auth_domtrans_chk_passwd($1_userhelper_t)
- auth_use_nsswitch($1_userhelper_t)
+ seutil_read_config($1_userhelper_t)
+ seutil_read_default_contexts($1_userhelper_t)
+ # Allow $1_userhelper_t to transition to user domains.
userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
+ ifdef(`distro_redhat',`
+ optional_policy(`
+ # Allow transitioning to rpm_t, for up2date
+ rpm_domtrans($1_userhelper_t)
+ ')
+ ')
+
optional_policy(`
tunable_policy(`! secure_mode',`
+ #if we are not in secure mode then we can transition to sysadm_t
sysadm_bin_spec_domtrans($1_userhelper_t)
sysadm_entry_spec_domtrans($1_userhelper_t)
')
@@ -99,7 +158,7 @@ template(`userhelper_role_template',`
########################################
## <summary>
-## Search userhelper configuration directories.
+## Search the userhelper configuration directory.
## </summary>
## <param name="domain">
## <summary>
@@ -118,7 +177,7 @@ interface(`userhelper_search_config',`
########################################
## <summary>
## Do not audit attempts to search
-## userhelper configuration directories.
+## the userhelper configuration directory.
## </summary>
## <param name="domain">
## <summary>
@@ -136,28 +195,26 @@ interface(`userhelper_dontaudit_search_config',`
########################################
## <summary>
-## Send and receive messages from
-## consolehelper over dbus.
+## Do not audit attempts to write
+## the userhelper configuration files.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`userhelper_dbus_chat_all_consolehelper',`
+interface(`userhelper_dontaudit_write_config',`
gen_require(`
- attribute consolehelper_type;
- class dbus send_msg;
+ type userhelper_conf_t;
')
- allow $1 consolehelper_type:dbus send_msg;
- allow consolehelper_type $1:dbus send_msg;
+ dontaudit $1 userhelper_conf_t:file write;
')
########################################
## <summary>
-## Use userhelper all userhelper file descriptors.
+## Allow domain to use userhelper file descriptor.
## </summary>
## <param name="domain">
## <summary>
@@ -175,7 +232,7 @@ interface(`userhelper_use_fd',`
########################################
## <summary>
-## Send child terminated signals to all userhelper.
+## Allow domain to send sigchld to userhelper.
## </summary>
## <param name="domain">
## <summary>
@@ -206,10 +263,83 @@ interface(`userhelper_exec',`
type userhelper_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, userhelper_exec_t)
')
+#######################################
+## <summary>
+## The role template for the consolehelper module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for consolehelper applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`userhelper_console_role_template',`
+ gen_require(`
+ type consolehelper_exec_t;
+ attribute consolehelper_domain;
+ class dbus send_msg;
+ ')
+ type $1_consolehelper_t, consolehelper_domain;
+ domain_type($1_consolehelper_t)
+ domain_entry_file($1_consolehelper_t, consolehelper_exec_t)
+ role $2 types $1_consolehelper_t;
+
+ domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
+
+ allow $3 $1_consolehelper_t:process signal;
+ allow $3 $1_consolehelper_t:dbus send_msg;
+ allow $1_consolehelper_t $3:dbus send_msg;
+ allow $1_consolehelper_t $3:unix_stream_socket connectto;
+
+ kernel_read_system_state($1_consolehelper_t)
+
+ auth_use_pam($1_consolehelper_t)
+
+ userdom_manage_tmp_role($2, $1_consolehelper_t)
+
+ optional_policy(`
+ dbus_connect_session_bus($1_consolehelper_t)
+ ')
+
+ optional_policy(`
+ hddtemp_run($1_consolehelper_t, $2)
+ ')
+
+ optional_policy(`
+ shutdown_run($1_consolehelper_t, $2)
+ shutdown_send_sigchld($3)
+ ')
+
+ optional_policy(`
+ mock_run($1_consolehelper_t, $2)
+ ')
+
+ optional_policy(`
+ xserver_run_xauth($1_consolehelper_t, $2)
+ xserver_read_xdm_pid($1_consolehelper_t)
+ ')
+')
+
########################################
## <summary>
## Execute the consolehelper program
diff --git a/userhelper.te b/userhelper.te
index 42cfce06e..b9f267a10 100644
--- a/userhelper.te
+++ b/userhelper.te
@@ -5,11 +5,8 @@ policy_module(userhelper, 1.8.1)
# Declarations
#
-attribute consolehelper_type;
attribute userhelper_type;
-
-attribute_role consolehelper_roles;
-attribute_role userhelper_roles;
+attribute consolehelper_domain;
type userhelper_conf_t;
files_config_file(userhelper_conf_t)
@@ -22,141 +19,77 @@ application_executable_file(consolehelper_exec_t)
########################################
#
-# Common consolehelper domain local policy
+# consolehelper local policy
#
-allow consolehelper_type self:capability { setgid setuid dac_override };
-allow consolehelper_type self:process signal;
-allow consolehelper_type self:fifo_file rw_fifo_file_perms;
-allow consolehelper_type self:unix_stream_socket create_stream_socket_perms;
-allow consolehelper_type self:shm create_shm_perms;
-
-dontaudit consolehelper_type userhelper_conf_t:file audit_access;
-read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t)
+allow consolehelper_domain self:shm create_shm_perms;
+allow consolehelper_domain self:capability { setgid setuid dac_read_search sys_nice };
+allow consolehelper_domain self:process { signal_perms getsched setsched };
-domain_use_interactive_fds(consolehelper_type)
+allow consolehelper_domain userhelper_conf_t:file audit_access;
+dontaudit consolehelper_domain userhelper_conf_t:file write;
+read_files_pattern(consolehelper_domain, userhelper_conf_t, userhelper_conf_t)
-kernel_read_system_state(consolehelper_type)
-kernel_read_kernel_sysctls(consolehelper_type)
+# Init script handling
+domain_use_interactive_fds(consolehelper_domain)
-corecmd_exec_bin(consolehelper_type)
+# internal communication is often done using fifo and unix sockets.
+allow consolehelper_domain self:fifo_file rw_fifo_file_perms;
+allow consolehelper_domain self:unix_stream_socket create_stream_socket_perms;
-dev_getattr_all_chr_files(consolehelper_type)
-dev_dontaudit_list_all_dev_nodes(consolehelper_type)
+kernel_read_kernel_sysctls(consolehelper_domain)
-files_read_config_files(consolehelper_type)
-files_read_usr_files(consolehelper_type)
+corecmd_exec_bin(consolehelper_domain)
-fs_getattr_all_dirs(consolehelper_type)
-fs_getattr_all_fs(consolehelper_type)
-fs_search_auto_mountpoints(consolehelper_type)
-files_search_mnt(consolehelper_type)
+dev_getattr_all_chr_files(consolehelper_domain)
+dev_dontaudit_list_all_dev_nodes(consolehelper_domain)
+dev_dontaudit_getattr_all(consolehelper_domain)
+fs_getattr_all_fs(consolehelper_domain)
+fs_getattr_all_dirs(consolehelper_domain)
-term_list_ptys(consolehelper_type)
+files_read_config_files(consolehelper_domain)
-auth_search_pam_console_data(consolehelper_type)
-auth_read_pam_pid(consolehelper_type)
+term_list_ptys(consolehelper_domain)
-miscfiles_read_localization(consolehelper_type)
-miscfiles_read_fonts(consolehelper_type)
+auth_search_pam_console_data(consolehelper_domain)
+auth_read_pam_pid(consolehelper_domain)
-userhelper_exec(consolehelper_type)
+init_read_utmp(consolehelper_domain)
+init_telinit(consolehelper_domain)
-userdom_use_user_terminals(consolehelper_type)
+miscfiles_read_fonts(consolehelper_domain)
-# might want to make this consolehelper_tmp_t
-userdom_manage_user_tmp_dirs(consolehelper_type)
-userdom_manage_user_tmp_files(consolehelper_type)
-userdom_tmp_filetrans_user_tmp(consolehelper_type, { dir file })
+userhelper_exec(consolehelper_domain)
-tunable_policy(`use_nfs_home_dirs',`
- fs_search_nfs(consolehelper_type)
-')
+userdom_use_user_ptys(consolehelper_domain)
+userdom_use_user_ttys(consolehelper_domain)
+userdom_read_user_home_content_files(consolehelper_domain)
+userdom_search_admin_dir(consolehelper_domain)
-tunable_policy(`use_samba_home_dirs',`
- fs_search_cifs(consolehelper_type)
+optional_policy(`
+ dbus_session_bus_client(consolehelper_domain)
+ optional_policy(`
+ devicekit_dbus_chat_disk(consolehelper_domain)
+ ')
')
optional_policy(`
- shutdown_run(consolehelper_type, consolehelper_roles)
- shutdown_signal(consolehelper_type)
+ gnome_read_gconf_home_files(consolehelper_domain)
')
optional_policy(`
- xserver_domtrans_xauth(consolehelper_type)
- xserver_read_xdm_pid(consolehelper_type)
- xserver_stream_connect(consolehelper_type)
+ xserver_read_home_fonts(consolehelper_domain)
+ xserver_stream_connect(consolehelper_domain)
+ xserver_admin_home_dir_filetrans_xauth(consolehelper_domain)
+ xserver_manage_user_xauth(consolehelper_domain)
')
-########################################
-#
-# Common userhelper domain local policy
-#
-
-allow userhelper_type self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
-allow userhelper_type self:process ~{ ptrace setcurrent setfscreate setrlimit execmem execstack execheap };
-allow userhelper_type self:fd use;
-allow userhelper_type self:fifo_file rw_fifo_file_perms;
-allow userhelper_type self:shm create_shm_perms;
-allow userhelper_type self:sem create_sem_perms;
-allow userhelper_type self:msgq create_msgq_perms;
-allow userhelper_type self:msg { send receive };
-allow userhelper_type self:unix_dgram_socket sendto;
-allow userhelper_type self:unix_stream_socket { accept connectto listen };
-
-dontaudit userhelper_type userhelper_conf_t:file audit_access;
-read_files_pattern(userhelper_type, userhelper_conf_t, userhelper_conf_t)
-
-can_exec(userhelper_type, userhelper_exec_t)
-
-kernel_read_all_sysctls(userhelper_type)
-kernel_getattr_debugfs(userhelper_type)
-kernel_read_system_state(userhelper_type)
-
-corecmd_exec_shell(userhelper_type)
-
-domain_use_interactive_fds(userhelper_type)
-domain_sigchld_interactive_fds(userhelper_type)
-
-dev_read_urand(userhelper_type)
-dev_list_all_dev_nodes(userhelper_type)
-
-files_list_var_lib(userhelper_type)
-files_read_var_files(userhelper_type)
-files_read_var_symlinks(userhelper_type)
-files_search_home(userhelper_type)
-
-fs_getattr_all_fs(userhelper_type)
-fs_search_auto_mountpoints(userhelper_type)
-
-selinux_get_fs_mount(userhelper_type)
-selinux_validate_context(userhelper_type)
-selinux_compute_access_vector(userhelper_type)
-selinux_compute_create_context(userhelper_type)
-selinux_compute_relabel_context(userhelper_type)
-selinux_compute_user_contexts(userhelper_type)
-
-term_list_ptys(userhelper_type)
-term_relabel_all_ttys(userhelper_type)
-term_relabel_all_ptys(userhelper_type)
-term_use_all_ttys(userhelper_type)
-term_use_all_ptys(userhelper_type)
-
-auth_manage_pam_pid(userhelper_type)
-auth_manage_var_auth(userhelper_type)
-auth_search_pam_console_data(userhelper_type)
-
-init_use_fds(userhelper_type)
-init_manage_utmp(userhelper_type)
-init_pid_filetrans_utmp(userhelper_type)
-
-logging_send_syslog_msg(userhelper_type)
-
-miscfiles_read_localization(userhelper_type)
-
-seutil_read_config(userhelper_type)
-seutil_read_default_contexts(userhelper_type)
+tunable_policy(`use_nfs_home_dirs',`
+ files_search_mnt(consolehelper_domain)
+ fs_search_nfs(consolehelper_domain)
+')
-optional_policy(`
- rpm_domtrans(userhelper_type)
+tunable_policy(`use_samba_home_dirs',`
+ files_search_mnt(consolehelper_domain)
+ fs_search_cifs(consolehelper_domain)
')
diff --git a/usernetctl.if b/usernetctl.if
index 7deec55cf..c542887da 100644
--- a/usernetctl.if
+++ b/usernetctl.if
@@ -39,6 +39,7 @@ interface(`usernetctl_domtrans',`
#
interface(`usernetctl_run',`
gen_require(`
+ type usernetctl_t;
attribute_role usernetctl_roles;
')
diff --git a/usernetctl.te b/usernetctl.te
index f973af82b..5e354edc5 100644
--- a/usernetctl.te
+++ b/usernetctl.te
@@ -6,19 +6,19 @@ policy_module(usernetctl, 1.7.0)
#
attribute_role usernetctl_roles;
+roleattribute system_r usernetctl_roles;
type usernetctl_t;
type usernetctl_exec_t;
application_domain(usernetctl_t, usernetctl_exec_t)
domain_interactive_fd(usernetctl_t)
-role usernetctl_roles types usernetctl_t;
########################################
#
# Local policy
#
-allow usernetctl_t self:capability { setuid setgid dac_override };
+allow usernetctl_t self:capability { setuid setgid dac_read_search };
allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow usernetctl_t self:fd use;
allow usernetctl_t self:fifo_file rw_fifo_file_perms;
@@ -40,7 +40,6 @@ files_exec_etc_files(usernetctl_t)
files_read_etc_runtime_files(usernetctl_t)
files_list_pids(usernetctl_t)
files_list_home(usernetctl_t)
-files_read_usr_files(usernetctl_t)
fs_search_auto_mountpoints(usernetctl_t)
@@ -48,18 +47,14 @@ auth_use_nsswitch(usernetctl_t)
logging_send_syslog_msg(usernetctl_t)
-miscfiles_read_localization(usernetctl_t)
-
seutil_read_config(usernetctl_t)
+sysnet_read_config(usernetctl_t)
+
sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
-userdom_use_user_terminals(usernetctl_t)
-
-optional_policy(`
- consoletype_run(usernetctl_t, usernetctl_roles)
-')
+userdom_use_inherited_user_terminals(usernetctl_t)
optional_policy(`
hostname_exec(usernetctl_t)
@@ -74,5 +69,9 @@ optional_policy(`
')
optional_policy(`
+ nis_use_ypbind(usernetctl_t)
+')
+
+optional_policy(`
ppp_run(usernetctl_t, usernetctl_roles)
')
diff --git a/uucp.if b/uucp.if
index af9acc0d3..cdaf82e21 100644
--- a/uucp.if
+++ b/uucp.if
@@ -90,11 +90,6 @@ interface(`uucp_domtrans_uux',`
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
## <rolecap/>
#
interface(`uucp_admin',`
@@ -104,14 +99,13 @@ interface(`uucp_admin',`
type uucpd_var_run_t, uucpd_initrc_exec_t;
')
- init_labeled_script_domtrans($1, uucpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 uucpd_initrc_exec_t system_r;
- allow $2 system_r;
-
- allow $1 uucpd_t:process { ptrace signal_perms };
+ allow $1 uucpd_t:process signal_perms;
ps_process_pattern($1, uucpd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 uucpd_t:process ptrace;
+ ')
+
logging_list_logs($1)
admin_pattern($1, uucpd_log_t)
diff --git a/uucp.te b/uucp.te
index 849f607b1..e01ec6d2e 100644
--- a/uucp.te
+++ b/uucp.te
@@ -31,7 +31,7 @@ type uucpd_ro_t;
files_type(uucpd_ro_t)
type uucpd_spool_t;
-files_type(uucpd_spool_t)
+files_spool_file(uucpd_spool_t)
type uucpd_log_t;
logging_log_file(uucpd_log_t)
@@ -84,15 +84,20 @@ kernel_read_kernel_sysctls(uucpd_t)
kernel_read_system_state(uucpd_t)
kernel_read_network_state(uucpd_t)
-corenet_all_recvfrom_unlabeled(uucpd_t)
corenet_all_recvfrom_netlabel(uucpd_t)
corenet_tcp_sendrecv_generic_if(uucpd_t)
corenet_tcp_sendrecv_generic_node(uucpd_t)
+corenet_udp_sendrecv_generic_node(uucpd_t)
+corenet_tcp_sendrecv_all_ports(uucpd_t)
+corenet_udp_sendrecv_all_ports(uucpd_t)
corenet_sendrecv_ssh_client_packets(uucpd_t)
corenet_tcp_connect_ssh_port(uucpd_t)
corenet_tcp_sendrecv_ssh_port(uucpd_t)
+corenet_tcp_bind_uucpd_port(uucpd_t)
+corenet_tcp_connect_uucpd_port(uucpd_t)
+
corecmd_exec_bin(uucpd_t)
corecmd_exec_shell(uucpd_t)
@@ -110,7 +115,7 @@ auth_use_nsswitch(uucpd_t)
logging_send_syslog_msg(uucpd_t)
-miscfiles_read_localization(uucpd_t)
+mta_send_mail(uucpd_t)
optional_policy(`
cron_system_entry(uucpd_t, uucpd_exec_t)
@@ -125,10 +130,6 @@ optional_policy(`
')
optional_policy(`
- mta_send_mail(uucpd_t)
-')
-
-optional_policy(`
ssh_exec(uucpd_t)
')
@@ -160,10 +161,15 @@ auth_use_nsswitch(uux_t)
logging_search_logs(uux_t)
logging_send_syslog_msg(uux_t)
-miscfiles_read_localization(uux_t)
-
optional_policy(`
mta_send_mail(uux_t)
mta_read_queue(uux_t)
+')
+
+optional_policy(`
sendmail_dontaudit_rw_unix_stream_sockets(uux_t)
')
+
+optional_policy(`
+ postfix_rw_inherited_master_pipes(uux_t)
+')
diff --git a/uuidd.if b/uuidd.if
index 6e4865333..6abf74a90 100644
--- a/uuidd.if
+++ b/uuidd.if
@@ -148,11 +148,12 @@ interface(`uuidd_read_pid_files',`
#
interface(`uuidd_stream_connect_manager',`
gen_require(`
- type uuidd_t, uuidd_var_run_t;
+ type uuidd_t, uuidd_var_run_t, uuidd_var_lib_t;
')
files_search_pids($1)
stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t)
+ stream_connect_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t, uuidd_t)
')
########################################
@@ -180,6 +181,9 @@ interface(`uuidd_admin',`
allow $1 uuidd_t:process signal_perms;
ps_process_pattern($1, uuidd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 uuidd_t:process ptrace;
+ ')
uuidd_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/uuidd.te b/uuidd.te
index f8e52fc97..b283c25f7 100644
--- a/uuidd.te
+++ b/uuidd.te
@@ -42,6 +42,4 @@ dev_read_urand(uuidd_t)
domain_use_interactive_fds(uuidd_t)
-files_read_etc_files(uuidd_t)
-miscfiles_read_localization(uuidd_t)
diff --git a/uwimap.te b/uwimap.te
index acdc78ae7..7f295e597 100644
--- a/uwimap.te
+++ b/uwimap.te
@@ -20,7 +20,7 @@ files_pid_file(imapd_var_run_t)
# Local policy
#
-allow imapd_t self:capability { dac_override setgid setuid sys_resource };
+allow imapd_t self:capability { dac_read_search setgid setuid sys_resource };
dontaudit imapd_t self:capability sys_tty_config;
allow imapd_t self:process signal_perms;
allow imapd_t self:fifo_file rw_fifo_file_perms;
@@ -37,7 +37,6 @@ kernel_read_kernel_sysctls(imapd_t)
kernel_list_proc(imapd_t)
kernel_read_proc_symlinks(imapd_t)
-corenet_all_recvfrom_unlabeled(imapd_t)
corenet_all_recvfrom_netlabel(imapd_t)
corenet_tcp_sendrecv_generic_if(imapd_t)
corenet_tcp_sendrecv_generic_node(imapd_t)
@@ -56,8 +55,6 @@ dev_read_urand(imapd_t)
domain_use_interactive_fds(imapd_t)
-files_read_etc_files(imapd_t)
-
fs_getattr_all_fs(imapd_t)
fs_search_auto_mountpoints(imapd_t)
@@ -65,8 +62,6 @@ auth_domtrans_chk_passwd(imapd_t)
logging_send_syslog_msg(imapd_t)
-miscfiles_read_localization(imapd_t)
-
sysnet_dns_name_resolve(imapd_t)
userdom_dontaudit_use_unpriv_user_fds(imapd_t)
diff --git a/varnishd.if b/varnishd.if
index 1c35171d8..2cba4dfea 100644
--- a/varnishd.if
+++ b/varnishd.if
@@ -153,12 +153,16 @@ interface(`varnishd_manage_log',`
#
interface(`varnishd_admin_varnishlog',`
gen_require(`
+ type varnishd_t;
type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t;
type varnishlog_var_run_t;
')
- allow $1 varnishlog_t:process { ptrace signal_perms };
+ allow $1 varnishlog_t:process signal_perms;
ps_process_pattern($1, varnishlog_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 varnishd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
domain_system_change_exemption($1)
@@ -196,9 +200,13 @@ interface(`varnishd_admin',`
type varnishd_initrc_exec_t;
')
- allow $1 varnishd_t:process { ptrace signal_perms };
+ allow $1 varnishd_t:process signal_perms;
ps_process_pattern($1, varnishd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 varnishd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 varnishd_initrc_exec_t system_r;
diff --git a/varnishd.te b/varnishd.te
index 9d4d8cbb0..80e6c6fb4 100644
--- a/varnishd.te
+++ b/varnishd.te
@@ -21,7 +21,7 @@ type varnishd_initrc_exec_t;
init_script_file(varnishd_initrc_exec_t)
type varnishd_etc_t;
-files_type(varnishd_etc_t)
+files_config_file(varnishd_etc_t)
type varnishd_tmp_t;
files_tmp_file(varnishd_tmp_t)
@@ -43,16 +43,16 @@ type varnishlog_var_run_t;
files_pid_file(varnishlog_var_run_t)
type varnishlog_log_t;
-files_type(varnishlog_log_t)
+logging_log_file(varnishlog_log_t)
########################################
#
# Local policy
#
-allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
+allow varnishd_t self:capability { kill dac_read_search ipc_lock setuid setgid chown fowner fsetid };
dontaudit varnishd_t self:capability sys_tty_config;
-allow varnishd_t self:process signal;
+allow varnishd_t self:process { execmem signal };
allow varnishd_t self:fifo_file rw_fifo_file_perms;
allow varnishd_t self:tcp_socket { accept listen };
@@ -103,15 +103,13 @@ corenet_tcp_sendrecv_varnishd_port(varnishd_t)
dev_read_urand(varnishd_t)
-files_read_usr_files(varnishd_t)
-
fs_getattr_all_fs(varnishd_t)
auth_use_nsswitch(varnishd_t)
logging_send_syslog_msg(varnishd_t)
-miscfiles_read_localization(varnishd_t)
+sysnet_read_config(varnishd_t)
tunable_policy(`varnishd_connect_any',`
corenet_sendrecv_all_client_packets(varnishd_t)
diff --git a/vbetool.te b/vbetool.te
index 2a61f7526..99b151a18 100644
--- a/vbetool.te
+++ b/vbetool.te
@@ -26,7 +26,8 @@ role vbetool_roles types vbetool_t;
# Local policy
#
-allow vbetool_t self:capability { dac_override sys_tty_config sys_admin };
+allow vbetool_t self:capability { dac_read_search sys_tty_config sys_admin };
+#allow vbetool_t self:capability2 compromise_kernel;
allow vbetool_t self:process execmem;
dev_wx_raw_memory(vbetool_t)
@@ -43,7 +44,6 @@ mls_file_write_all_levels(vbetool_t)
term_use_unallocated_ttys(vbetool_t)
-miscfiles_read_localization(vbetool_t)
tunable_policy(`vbetool_mmap_zero_ignore',`
dontaudit vbetool_t self:memprotect mmap_zero;
diff --git a/vdagent.if b/vdagent.if
index 31c752ea6..ef522355b 100644
--- a/vdagent.if
+++ b/vdagent.if
@@ -24,15 +24,15 @@ interface(`vdagent_domtrans',`
## Get attributes of vdagent executable files.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
interface(`vdagent_getattr_exec_files',`
- gen_require(`
- type vdagent_exec_t;
- ')
+ gen_require(`
+ type vdagent_exec_t;
+ ')
allow $1 vdagent_exec_t:file getattr_file_perms;
')
@@ -42,18 +42,18 @@ interface(`vdagent_getattr_exec_files',`
## Get attributes of vdagent log files.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`vdagent_getattr_log',`
- gen_require(`
- type vdagent_log_t;
- ')
+ gen_require(`
+ type vdagent_log_t;
+ ')
- logging_search_logs($1)
- allow $1 vdagent_log_t:file getattr_file_perms;
+ logging_search_logs($1)
+ allow $1 vdagent_log_t:file getattr_file_perms;
')
########################################
@@ -81,18 +81,18 @@ interface(`vdagent_read_pid_files',`
## domain stream socket.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`vdagent_stream_connect',`
- gen_require(`
- type vdagent_var_run_t, vdagent_t;
- ')
+ gen_require(`
+ type vdagent_var_run_t, vdagent_t;
+ ')
- files_search_pids($1)
- stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
+ files_search_pids($1)
+ stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
')
########################################
@@ -110,7 +110,6 @@ interface(`vdagent_stream_connect',`
## Role allowed access.
## </summary>
## </param>
-## <rolecap/>
#
interface(`vdagent_admin',`
gen_require(`
@@ -120,6 +119,9 @@ interface(`vdagent_admin',`
allow $1 vdagent_t:process signal_perms;
ps_process_pattern($1, vdagent_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 vdagent_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/vdagent.te b/vdagent.te
index 87da8a24d..b80a6f422 100644
--- a/vdagent.te
+++ b/vdagent.te
@@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t)
dontaudit vdagent_t self:capability sys_admin;
allow vdagent_t self:process signal;
+
allow vdagent_t self:fifo_file rw_fifo_file_perms;
allow vdagent_t self:unix_stream_socket { accept listen };
@@ -39,23 +40,30 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
logging_log_filetrans(vdagent_t, vdagent_log_t, file)
+kernel_request_load_module(vdagent_t)
+
dev_rw_input_dev(vdagent_t)
dev_rw_mtrr(vdagent_t)
dev_read_sysfs(vdagent_t)
dev_dontaudit_write_mtrr(vdagent_t)
-files_read_etc_files(vdagent_t)
+fs_getattr_cgroup(vdagent_t)
+fs_getattr_tmpfs(vdagent_t)
term_use_virtio_console(vdagent_t)
init_read_state(vdagent_t)
-logging_send_syslog_msg(vdagent_t)
+systemd_read_logind_sessions_files(vdagent_t)
+systemd_login_read_pid_files(vdagent_t)
+systemd_dbus_chat_logind(vdagent_t)
-miscfiles_read_localization(vdagent_t)
+logging_send_syslog_msg(vdagent_t)
userdom_read_all_users_state(vdagent_t)
+xserver_read_xdm_state(vdagent_t)
+
optional_policy(`
dbus_system_bus_client(vdagent_t)
diff --git a/vhostmd.if b/vhostmd.if
index 22edd58f8..c3a536427 100644
--- a/vhostmd.if
+++ b/vhostmd.if
@@ -216,9 +216,13 @@ interface(`vhostmd_admin',`
type vhostmd_tmpfs_t;
')
- allow $1 vhostmd_t:process { ptrace signal_perms };
+ allow $1 vhostmd_t:process signal_perms;
ps_process_pattern($1, vhostmd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 vhostmd_t:process ptrace;
+ ')
+
vhostmd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 vhostmd_initrc_exec_t system_r;
diff --git a/vhostmd.te b/vhostmd.te
index 3d11c6a3d..3590f3ef9 100644
--- a/vhostmd.te
+++ b/vhostmd.te
@@ -23,7 +23,7 @@ files_pid_file(vhostmd_var_run_t)
# Local policy
#
-allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid };
+allow vhostmd_t self:capability { dac_read_search ipc_lock setuid setgid };
allow vhostmd_t self:process { setsched getsched signal };
allow vhostmd_t self:fifo_file rw_fifo_file_perms;
@@ -58,14 +58,11 @@ dev_read_urand(vhostmd_t)
dev_read_sysfs(vhostmd_t)
files_list_tmp(vhostmd_t)
-files_read_usr_files(vhostmd_t)
auth_use_nsswitch(vhostmd_t)
logging_send_syslog_msg(vhostmd_t)
-miscfiles_read_localization(vhostmd_t)
-
optional_policy(`
hostname_exec(vhostmd_t)
')
@@ -77,6 +74,7 @@ optional_policy(`
optional_policy(`
virt_stream_connect(vhostmd_t)
+ virt_write_content(vhostmd_t)
')
optional_policy(`
diff --git a/virt.fc b/virt.fc
index a4f20bcfc..95abdb144 100644
--- a/virt.fc
+++ b/virt.fc
@@ -1,51 +1,113 @@
-HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
-HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
-HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
-HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
-HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.cache/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.cache/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.cache/gnome-boxes(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.cache/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.config/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.config/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.local/share/libvirt/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.local/share/libvirt/boot(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
-/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt/virtlogd.conf -- gen_context(system_u:object_r:virtlogd_etc_t,s0)
/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
/etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
-/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/virtlogd -- gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0)
+/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
-/etc/rc\.d/init\.d/(libvirt-bin|libvirtd) -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
-/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0)
-/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
-/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
-/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
-
-/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
-/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
-
-/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
-/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)
-
-/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
-/usr/sbin/fence_virtd -- gen_context(system_u:object_r:virsh_exec_t,s0)
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
+/usr/bin/virt-who -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/qemu-pr-helper -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/sbin/xl -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/sbin/xm -- gen_context(system_u:object_r:virsh_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
-/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
-/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
-/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
-/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
-/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
+/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
-/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
-/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
-/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/run/virtlogd\.pid -- gen_context(system_u:object_r:virtlogd_var_run_t,s0)
+/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
+/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
+/var/run/libvirt/virtlogd-sock -s gen_context(system_u:object_r:virtlogd_var_run_t,s0)
+/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
+/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/run/qemu-pr-helper\.sock -s gen_context(system_u:object_r:virt_var_run_t,s0)
-/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
-/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
-/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
-/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
-/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
-/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
-/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
-/var/run/user/[^/]*/libguestfs(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
-/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+# support for AEOLUS project
+/usr/bin/imagefactory -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/var/cache/oz(/.*)? gen_context(system_u:object_r:virt_cache_t,s0)
+/var/lib/imagefactory/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/vdsm(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/rkt/cas(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+
+# add support vios-proxy-*
+/usr/bin/vios-proxy-host -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/vios-proxy-guest -- gen_context(system_u:object_r:virtd_exec_t,s0)
+
+#support for vdsm
+/usr/share/vdsm/vdsm -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/share/vdsm/respawn -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/share/vdsm/supervdsmServer -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/share/vdsm/daemonAdapter -- gen_context(system_u:object_r:virtd_exec_t,s0)
+
+# support for nova-stack
+/usr/bin/nova-compute -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+
+/etc/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
+/usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
+/var/run/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
+
+/usr/libexec/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
+
+/usr/lib/virt-sysprep/firstboot.sh -- gen_context(system_u:object_r:virtd_exec_t,s0)
+
+/usr/lib/systemd/system/*virtlogd.* gen_context(system_u:object_r:virtlogd_unit_file_t,s0)
+
+/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
+/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
+/usr/lib/systemd/system/.*xen.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
+
+/usr/bin/qemu-ga -- gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
+
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
index facdee8b3..2a619ba9e 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,111 @@
-## <summary>Libvirt virtualization API.</summary>
+## <summary>Libvirt virtualization API</summary>
-#######################################
+########################################
## <summary>
-## The template to define a virt domain.
+## virtd_lxc_t stub interface. No access allowed.
## </summary>
-## <param name="domain_prefix">
+## <param name="domain" unused="true">
## <summary>
-## Domain prefix to be used.
+## Domain allowed access.
## </summary>
## </param>
#
-template(`virt_domain_template',`
+interface(`virt_stub_lxc',`
gen_require(`
- attribute_role virt_domain_roles;
- attribute virt_image_type, virt_domain, virt_tmpfs_type;
- attribute virt_ptynode, virt_tmp_type;
+ type virtd_lxc_t;
')
+')
- ########################################
- #
- # Declarations
- #
-
- type $1_t, virt_domain;
- application_type($1_t)
- qemu_entry_type($1_t)
- domain_user_exemption_target($1_t)
- mls_rangetrans_target($1_t)
- mcs_constrained($1_t)
- role virt_domain_roles types $1_t;
-
- type $1_devpts_t, virt_ptynode;
- term_pty($1_devpts_t)
-
- type $1_tmp_t, virt_tmp_type;
- files_tmp_file($1_tmp_t)
-
- type $1_tmpfs_t, virt_tmpfs_type;
- files_tmpfs_file($1_tmpfs_t)
-
- optional_policy(`
- pulseaudio_tmpfs_content($1_tmpfs_t)
+########################################
+## <summary>
+## svirt_sandbox_domain attribute stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_stub_svirt_sandbox_domain',`
+ gen_require(`
+ attribute svirt_sandbox_domain;
')
+')
- type $1_image_t, virt_image_type;
- files_type($1_image_t)
- dev_node($1_image_t)
- dev_associate_sysfs($1_image_t)
-
- ########################################
- #
- # Policy
- #
-
- allow $1_t $1_devpts_t:chr_file { rw_term_perms setattr_chr_file_perms };
- term_create_pty($1_t, $1_devpts_t)
-
- manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
- manage_files_pattern($1_t, $1_image_t, $1_image_t)
- manage_fifo_files_pattern($1_t, $1_image_t, $1_image_t)
- read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
- manage_sock_files_pattern($1_t, $1_image_t, $1_image_t)
- rw_chr_files_pattern($1_t, $1_image_t, $1_image_t)
- rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
- fs_hugetlbfs_filetrans($1_t, $1_image_t, file)
-
- manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
- manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
- manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
- files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
-
- manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
- manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
- manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
- fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
-
- optional_policy(`
- pulseaudio_run($1_t, virt_domain_roles)
+########################################
+## <summary>
+## container_file_t stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_stub_container_image',`
+ gen_require(`
+ type container_file_t;
')
+')
- optional_policy(`
- xserver_rw_shm($1_t)
+interface(`virt_stub_svirt_sandbox_file',`
+ gen_require(`
+ type container_file_t;
+ type container_ro_file_t;
')
')
-#######################################
+########################################
## <summary>
-## The template to define a virt lxc domain.
+## Creates types and rules for a basic
+## qemu process domain.
## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
## <summary>
-## Domain prefix to be used.
+## Prefix for the domain.
## </summary>
## </param>
#
-template(`virt_lxc_domain_template',`
+template(`virt_domain_template',`
gen_require(`
- attribute_role svirt_lxc_domain_roles;
- attribute svirt_lxc_domain;
+ attribute virt_image_type, virt_domain;
+ attribute virt_tmpfs_type;
+ attribute virt_ptynode;
+ type qemu_exec_t;
+ type virtlogd_t;
')
- type $1_t, svirt_lxc_domain;
- domain_type($1_t)
+ type $1_t, virt_domain;
+ application_domain($1_t, qemu_exec_t)
domain_user_exemption_target($1_t)
mls_rangetrans_target($1_t)
mcs_constrained($1_t)
- role svirt_lxc_domain_roles types $1_t;
+ role system_r types $1_t;
+
+ type $1_devpts_t, virt_ptynode;
+ term_pty($1_devpts_t)
+
+ kernel_read_system_state($1_t)
+
+ auth_read_passwd($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+ term_create_pty($1_t, $1_devpts_t)
+
+ # Allow domain to write to pipes connected to virtlogd
+ allow $1_t virtlogd_t:fd use;
+ allow $1_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
## <summary>
-## Make the specified type virt image type.
+## Make the specified type usable as a virt image
## </summary>
## <param name="type">
## <summary>
-## Type to be used as a virtual image.
+## Type to be used as a virtual image
## </summary>
## </param>
#
@@ -125,31 +116,32 @@ interface(`virt_image',`
typeattribute $1 virt_image_type;
files_type($1)
+
+ # virt images can be assigned to blk devices
dev_node($1)
')
-########################################
+#######################################
## <summary>
-## Execute a domain transition to run virtd.
+## Getattr on virt executable.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
+## <summary>
+## Domain allowed to transition.
+## </summary>
## </param>
#
-interface(`virt_domtrans',`
- gen_require(`
- type virtd_t, virtd_exec_t;
- ')
+interface(`virt_getattr_exec',`
+ gen_require(`
+ type virtd_exec_t;
+ ')
- corecmd_search_bin($1)
- domtrans_pattern($1, virtd_exec_t, virtd_t)
+ allow $1 virtd_exec_t:file getattr;
')
########################################
## <summary>
-## Execute a domain transition to run virt qmf.
+## Execute a domain transition to run virt.
## </summary>
## <param name="domain">
## <summary>
@@ -157,95 +149,71 @@ interface(`virt_domtrans',`
## </summary>
## </param>
#
-interface(`virt_domtrans_qmf',`
+interface(`virt_domtrans',`
gen_require(`
- type virt_qmf_t, virt_qmf_exec_t;
+ type virtd_t, virtd_exec_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
+ domtrans_pattern($1, virtd_exec_t, virtd_t)
')
########################################
## <summary>
-## Execute a domain transition to
-## run virt bridgehelper.
+## Execute virtd in the caller domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`virt_domtrans_bridgehelper',`
+interface(`virt_exec',`
gen_require(`
- type virt_bridgehelper_t, virt_bridgehelper_exec_t;
+ type virtd_exec_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
+ can_exec($1, virtd_exec_t)
')
########################################
## <summary>
-## Execute bridgehelper in the bridgehelper
-## domain, and allow the specified role
-## the bridgehelper domain.
+## Transition to virt_qmf.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
+## </summary>
## </param>
#
-interface(`virt_run_bridgehelper',`
+interface(`virt_domtrans_qmf',`
gen_require(`
- attribute_role virt_bridgehelper_roles;
+ type virt_qmf_t, virt_qmf_exec_t;
')
- virt_domtrans_bridgehelper($1)
- roleattribute $2 virt_bridgehelper_roles;
+ corecmd_search_bin($1)
+ domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
')
########################################
## <summary>
-## Execute virt domain in the their
-## domain, and allow the specified
-## role that virt domain.
+## Transition to virt_bridgehelper.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
+## <summary>
+## Domain allowed to transition.
+## </summary>
## </param>
-#
-interface(`virt_run_virt_domain',`
+interface(`virt_domtrans_bridgehelper',`
gen_require(`
- attribute virt_domain;
- attribute_role virt_domain_roles;
+ type virt_bridgehelper_t, virt_bridgehelper_exec_t;
')
- allow $1 virt_domain:process { signal transition };
- roleattribute $2 virt_domain_roles;
-
- allow virt_domain $1:fd use;
- allow virt_domain $1:fifo_file rw_fifo_file_perms;
- allow virt_domain $1:process sigchld;
+ domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
')
-########################################
+#######################################
## <summary>
-## Send generic signals to all virt domains.
+## Connect to virt over a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -253,17 +221,18 @@ interface(`virt_run_virt_domain',`
## </summary>
## </param>
#
-interface(`virt_signal_all_virt_domains',`
+interface(`virt_stream_connect',`
gen_require(`
- attribute virt_domain;
+ type virtd_t, virt_var_run_t;
')
- allow $1 virt_domain:process signal;
+ files_search_pids($1)
+ stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
')
-########################################
+#######################################
## <summary>
-## Send kill signals to all virt domains.
+## Connect to svirt process over a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -271,48 +240,36 @@ interface(`virt_signal_all_virt_domains',`
## </summary>
## </param>
#
-interface(`virt_kill_all_virt_domains',`
+interface(`virt_stream_connect_svirt',`
gen_require(`
- attribute virt_domain;
+ type svirt_t;
')
- allow $1 virt_domain:process sigkill;
+ allow $1 svirt_t:unix_stream_socket connectto;
')
########################################
## <summary>
-## Execute svirt lxc domains in their
-## domain, and allow the specified
-## role that svirt lxc domain.
+## Read and write to apmd unix
+## stream sockets.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`virt_run_svirt_lxc_domain',`
+interface(`virt_rw_stream_sockets_svirt',`
gen_require(`
- attribute svirt_lxc_domain;
- attribute_role svirt_lxc_domain_roles;
+ type svirt_t;
')
- allow $1 svirt_lxc_domain:process { signal transition };
- roleattribute $2 svirt_lxc_domain_roles;
-
- allow svirt_lxc_domain $1:fd use;
- allow svirt_lxc_domain $1:fifo_file rw_fifo_file_perms;
- allow svirt_lxc_domain $1:process sigchld;
+ allow $1 svirt_t:unix_stream_socket { setopt getopt read write };
')
-#######################################
+########################################
## <summary>
-## Get attributes of virtd executable files.
+## Allow domain to attach to virt TUN devices
## </summary>
## <param name="domain">
## <summary>
@@ -320,18 +277,18 @@ interface(`virt_run_svirt_lxc_domain',`
## </summary>
## </param>
#
-interface(`virt_getattr_virtd_exec_files',`
+interface(`virt_attach_tun_iface',`
gen_require(`
- type virtd_exec_t;
+ type virtd_t;
')
- allow $1 virtd_exec_t:file getattr_file_perms;
+ allow $1 virtd_t:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
')
-#######################################
+########################################
## <summary>
-## Connect to virt with a unix
-## domain stream socket.
+## Allow domain to attach to virt sandbox TUN devices
## </summary>
## <param name="domain">
## <summary>
@@ -339,18 +296,18 @@ interface(`virt_getattr_virtd_exec_files',`
## </summary>
## </param>
#
-interface(`virt_stream_connect',`
+interface(`virt_attach_sandbox_tun_iface',`
gen_require(`
- type virtd_t, virt_var_run_t;
+ attribute svirt_sandbox_domain;
')
- files_search_pids($1)
- stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
+ allow $1 svirt_sandbox_domain:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
')
########################################
## <summary>
-## Attach to virt tun devices.
+## Read virt config files.
## </summary>
## <param name="domain">
## <summary>
@@ -358,18 +315,20 @@ interface(`virt_stream_connect',`
## </summary>
## </param>
#
-interface(`virt_attach_tun_iface',`
+interface(`virt_read_config',`
gen_require(`
- type virtd_t;
+ type virt_etc_t, virt_etc_rw_t;
')
- allow $1 virtd_t:tun_socket relabelfrom;
- allow $1 self:tun_socket relabelto;
+ files_search_etc($1)
+ read_files_pattern($1, virt_etc_t, virt_etc_t)
+ read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+ read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
')
########################################
## <summary>
-## Read virt configuration content.
+## manage virt config files.
## </summary>
## <param name="domain">
## <summary>
@@ -377,22 +336,20 @@ interface(`virt_attach_tun_iface',`
## </summary>
## </param>
#
-interface(`virt_read_config',`
+interface(`virt_manage_config',`
gen_require(`
type virt_etc_t, virt_etc_rw_t;
')
files_search_etc($1)
- allow $1 { virt_etc_t virt_etc_rw_t }:dir list_dir_perms;
- read_files_pattern($1, virt_etc_t, virt_etc_t)
- read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
- read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+ manage_files_pattern($1, virt_etc_t, virt_etc_t)
+ manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+ manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## virt configuration content.
+## Allow domain to manage virt image files
## </summary>
## <param name="domain">
## <summary>
@@ -400,22 +357,17 @@ interface(`virt_read_config',`
## </summary>
## </param>
#
-interface(`virt_manage_config',`
+interface(`virt_getattr_content',`
gen_require(`
- type virt_etc_t, virt_etc_rw_t;
+ type virt_content_t;
')
- files_search_etc($1)
- allow $1 { virt_etc_t virt_etc_rw_t }:dir manage_dir_perms;
- manage_files_pattern($1, virt_etc_t, virt_etc_t)
- manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
- manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+ allow $1 virt_content_t:file getattr_file_perms;
')
########################################
## <summary>
-## Create, read, write, and delete
-## virt image files.
+## Allow domain to manage virt image files
## </summary>
## <param name="domain">
## <summary>
@@ -434,6 +386,7 @@ interface(`virt_read_content',`
read_files_pattern($1, virt_content_t, virt_content_t)
read_lnk_files_pattern($1, virt_content_t, virt_content_t)
read_blk_files_pattern($1, virt_content_t, virt_content_t)
+ read_chr_files_pattern($1, virt_content_t, virt_content_t)
tunable_policy(`virt_use_nfs',`
fs_list_nfs($1)
@@ -450,8 +403,7 @@ interface(`virt_read_content',`
########################################
## <summary>
-## Create, read, write, and delete
-## virt content.
+## Allow domain to write virt image files
## </summary>
## <param name="domain">
## <summary>
@@ -459,35 +411,17 @@ interface(`virt_read_content',`
## </summary>
## </param>
#
-interface(`virt_manage_virt_content',`
+interface(`virt_write_content',`
gen_require(`
type virt_content_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 virt_content_t:dir manage_dir_perms;
- allow $1 virt_content_t:file manage_file_perms;
- allow $1 virt_content_t:fifo_file manage_fifo_file_perms;
- allow $1 virt_content_t:lnk_file manage_lnk_file_perms;
- allow $1 virt_content_t:sock_file manage_sock_file_perms;
- allow $1 virt_content_t:blk_file manage_blk_file_perms;
-
- tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs($1)
- fs_manage_nfs_files($1)
- fs_manage_nfs_symlinks($1)
- ')
-
- tunable_policy(`virt_use_samba',`
- fs_manage_cifs_dirs($1)
- fs_manage_cifs_files($1)
- fs_manage_cifs_symlinks($1)
- ')
+ allow $1 virt_content_t:file write_file_perms;
')
########################################
## <summary>
-## Relabel virt content.
+## Read virt PID symlinks files.
## </summary>
## <param name="domain">
## <summary>
@@ -495,53 +429,38 @@ interface(`virt_manage_virt_content',`
## </summary>
## </param>
#
-interface(`virt_relabel_virt_content',`
+interface(`virt_read_pid_symlinks',`
gen_require(`
- type virt_content_t;
+ type virt_var_run_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 virt_content_t:dir relabel_dir_perms;
- allow $1 virt_content_t:file relabel_file_perms;
- allow $1 virt_content_t:fifo_file relabel_fifo_file_perms;
- allow $1 virt_content_t:lnk_file relabel_lnk_file_perms;
- allow $1 virt_content_t:sock_file relabel_sock_file_perms;
- allow $1 virt_content_t:blk_file relabel_blk_file_perms;
+ files_search_pids($1)
+ read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t)
')
########################################
## <summary>
-## Create specified objects in user home
-## directories with the virt content type.
+## Read virt PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
#
-interface(`virt_home_filetrans_virt_content',`
+interface(`virt_read_pid_files',`
gen_require(`
- type virt_content_t;
+ type virt_var_run_t;
')
- virt_home_filetrans($1, virt_content_t, $2, $3)
+ files_search_pids($1)
+ read_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## svirt home content.
+## Manage virt pid directories.
## </summary>
## <param name="domain">
## <summary>
@@ -549,34 +468,21 @@ interface(`virt_home_filetrans_virt_content',`
## </summary>
## </param>
#
-interface(`virt_manage_svirt_home_content',`
+interface(`virt_manage_pid_dirs',`
gen_require(`
- type svirt_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 svirt_home_t:dir manage_dir_perms;
- allow $1 svirt_home_t:file manage_file_perms;
- allow $1 svirt_home_t:fifo_file manage_fifo_file_perms;
- allow $1 svirt_home_t:lnk_file manage_lnk_file_perms;
- allow $1 svirt_home_t:sock_file manage_sock_file_perms;
-
- tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs($1)
- fs_manage_nfs_files($1)
- fs_manage_nfs_symlinks($1)
+ type virt_var_run_t;
+ type virt_lxc_var_run_t;
')
- tunable_policy(`virt_use_samba',`
- fs_manage_cifs_dirs($1)
- fs_manage_cifs_files($1)
- fs_manage_cifs_symlinks($1)
- ')
+ files_search_pids($1)
+ manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t)
+ manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
+ virt_filetrans_named_content($1)
')
########################################
## <summary>
-## Relabel svirt home content.
+## Manage virt pid files.
## </summary>
## <param name="domain">
## <summary>
@@ -584,32 +490,36 @@ interface(`virt_manage_svirt_home_content',`
## </summary>
## </param>
#
-interface(`virt_relabel_svirt_home_content',`
+interface(`virt_manage_pid_files',`
gen_require(`
- type svirt_home_t;
+ type virt_var_run_t;
+ type virt_lxc_var_run_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 svirt_home_t:dir relabel_dir_perms;
- allow $1 svirt_home_t:file relabel_file_perms;
- allow $1 svirt_home_t:fifo_file relabel_fifo_file_perms;
- allow $1 svirt_home_t:lnk_file relabel_lnk_file_perms;
- allow $1 svirt_home_t:sock_file relabel_sock_file_perms;
+ files_search_pids($1)
+ manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
')
########################################
## <summary>
-## Create specified objects in user home
-## directories with the svirt home type.
+## Create objects in the pid directory
+## with a private type with a type transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="object_class">
+## <param name="file">
+## <summary>
+## Type to which the created node will be transitioned.
+## </summary>
+## </param>
+## <param name="class">
## <summary>
-## Class of the object being created.
+## Object class(es) (single or set including {}) for which this
+## the transition will occur.
## </summary>
## </param>
## <param name="name" optional="true">
@@ -618,54 +528,36 @@ interface(`virt_relabel_svirt_home_content',`
## </summary>
## </param>
#
-interface(`virt_home_filetrans_svirt_home',`
+interface(`virt_pid_filetrans',`
gen_require(`
- type svirt_home_t;
+ type virt_var_run_t;
')
- virt_home_filetrans($1, svirt_home_t, $2, $3)
+ filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
')
########################################
## <summary>
-## Create specified objects in generic
-## virt home directories with private
-## home type.
+## Search virt lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="private_type">
-## <summary>
-## Private file type.
-## </summary>
-## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
#
-interface(`virt_home_filetrans',`
+interface(`virt_search_lib',`
gen_require(`
- type virt_home_t;
+ type virt_var_lib_t;
')
- userdom_search_user_home_dirs($1)
- filetrans_pattern($1, virt_home_t, $2, $3, $4)
+ allow $1 virt_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
')
########################################
## <summary>
-## Create, read, write, and delete
-## virt home files.
+## Read virt lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -673,54 +565,607 @@ interface(`virt_home_filetrans',`
## </summary>
## </param>
#
-interface(`virt_manage_home_files',`
+interface(`virt_read_lib_files',`
gen_require(`
- type virt_home_t;
+ type virt_var_lib_t;
')
- userdom_search_user_home_dirs($1)
- manage_files_pattern($1, virt_home_t, virt_home_t)
+ files_search_var_lib($1)
+ read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+ read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## virt home content.
+## Dontaudit inherited read virt lib files.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`virt_manage_generic_virt_home_content',`
+interface(`virt_dontaudit_read_lib_files',`
gen_require(`
- type virt_home_t;
+ type virt_var_lib_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 virt_home_t:dir manage_dir_perms;
- allow $1 virt_home_t:file manage_file_perms;
- allow $1 virt_home_t:fifo_file manage_fifo_file_perms;
- allow $1 virt_home_t:lnk_file manage_lnk_file_perms;
- allow $1 virt_home_t:sock_file manage_sock_file_perms;
+ dontaudit $1 virt_var_lib_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## virt lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read virt's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`virt_read_log',`
+ gen_require(`
+ type virt_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## virt log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_append_log',`
+ gen_require(`
+ type virt_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage virt log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_log',`
+ gen_require(`
+ type virt_log_t;
+ ')
+
+ manage_dirs_pattern($1, virt_log_t, virt_log_t)
+ manage_files_pattern($1, virt_log_t, virt_log_t)
+ manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
+## Allow domain to getattr virt image direcories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_getattr_images',`
+ gen_require(`
+ attribute virt_image_type;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_image_type:file getattr_file_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to search virt image direcories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_search_images',`
+ gen_require(`
+ attribute virt_image_type;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to read virt image files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_images',`
+ gen_require(`
+ type virt_var_lib_t;
+ attribute virt_image_type;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir list_dir_perms;
+ list_dirs_pattern($1, virt_image_type, virt_image_type)
+ read_files_pattern($1, virt_image_type, virt_image_type)
+ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+ read_blk_files_pattern($1, virt_image_type, virt_image_type)
+ read_chr_files_pattern($1, virt_image_type, virt_image_type)
tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs($1)
- fs_manage_nfs_files($1)
- fs_manage_nfs_symlinks($1)
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ fs_read_nfs_symlinks($1)
+ ')
+
+ tunable_policy(`virt_use_samba',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ fs_read_cifs_symlinks($1)
+ ')
+')
+
+########################################
+## <summary>
+## Allow domain to read virt blk image files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_blk_images',`
+ gen_require(`
+ attribute virt_image_type;
+ ')
+
+ read_blk_files_pattern($1, virt_image_type, virt_image_type)
+')
+
+########################################
+## <summary>
+## Allow domain to read/write virt image chr files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_rw_chr_files',`
+ gen_require(`
+ attribute virt_image_type;
+ ')
+
+ rw_chr_files_pattern($1, virt_image_type, virt_image_type)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## svirt cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_cache',`
+ gen_require(`
+ type virt_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
+ manage_files_pattern($1, virt_cache_t, virt_cache_t)
+ manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage virt image files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_images',`
+ gen_require(`
+ type virt_var_lib_t;
+ attribute virt_image_type;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir list_dir_perms;
+ manage_dirs_pattern($1, virt_image_type, virt_image_type)
+ manage_files_pattern($1, virt_image_type, virt_image_type)
+ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+ rw_blk_files_pattern($1, virt_image_type, virt_image_type)
+ rw_chr_files_pattern($1, virt_image_type, virt_image_type)
+')
+
+#######################################
+## <summary>
+## Allow domain to manage virt image files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_default_image_type',`
+ gen_require(`
+ type virt_var_lib_t;
+ type virt_image_t;
+ ')
+
+ virt_search_lib($1)
+ manage_dirs_pattern($1, virt_image_t, virt_image_t)
+ manage_files_pattern($1, virt_image_t, virt_image_t)
+ read_lnk_files_pattern($1, virt_image_t, virt_image_t)
+')
+
+########################################
+## <summary>
+## Execute virt server in the virt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_systemctl',`
+ gen_require(`
+ type virtd_unit_file_t;
+ type virtd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 virtd_unit_file_t:file read_file_perms;
+ allow $1 virtd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, virtd_t)
+')
+
+########################################
+## <summary>
+## Ptrace the svirt domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_ptrace',`
+ gen_require(`
+ attribute virt_domain;
+ ')
+
+ allow $1 virt_domain:process ptrace;
+')
+
+#######################################
+## <summary>
+## Execute Sandbox Files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_exec_sandbox_files',`
+ gen_require(`
+ attribute svirt_file_type;
+ ')
+
+ can_exec($1, svirt_file_type)
+')
+
+########################################
+## <summary>
+## Allow any svirt_file_type to be an entrypoint of this domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`virt_sandbox_entrypoint',`
+ gen_require(`
+ attribute svirt_file_type;
+ ')
+ allow $1 svirt_file_type:file entrypoint;
+')
+
+#######################################
+## <summary>
+## List Sandbox Dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_list_sandbox_dirs',`
+ gen_require(`
+ type svirt_sandbox_file_t;
+ ')
+
+ list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
+')
+
+#######################################
+## <summary>
+## Read Sandbox Files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_sandbox_files',`
+ gen_require(`
+ attribute svirt_file_type;
+ ')
+
+ list_dirs_pattern($1, svirt_file_type, svirt_file_type)
+ read_files_pattern($1, svirt_file_type, svirt_file_type)
+ read_lnk_files_pattern($1, svirt_file_type, svirt_file_type)
+')
+
+#######################################
+## <summary>
+## Manage Sandbox Files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_sandbox_files',`
+ gen_require(`
+ attribute svirt_file_type;
+ ')
+
+ manage_dirs_pattern($1, svirt_file_type, svirt_file_type)
+ manage_files_pattern($1, svirt_file_type, svirt_file_type)
+ manage_fifo_files_pattern($1, svirt_file_type, svirt_file_type)
+ manage_chr_files_pattern($1, svirt_file_type, svirt_file_type)
+ manage_lnk_files_pattern($1, svirt_file_type, svirt_file_type)
+ allow $1 svirt_file_type:dir_file_class_set { relabelfrom relabelto };
+')
+
+#######################################
+## <summary>
+## Getattr Sandbox File systems
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_getattr_sandbox_filesystem',`
+ gen_require(`
+ attribute svirt_file_type;
+ ')
+
+ allow $1 svirt_file_type:filesystem getattr;
+')
+
+#######################################
+## <summary>
+## Relabel Sandbox File systems
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_relabel_sandbox_filesystem',`
+ gen_require(`
+ attribute svirt_file_type;
+ ')
+
+ allow $1 svirt_file_type:filesystem { relabelfrom relabelto };
+')
+
+#######################################
+## <summary>
+## Mounton Sandbox Files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_mounton_sandbox_file',`
+ gen_require(`
+ attribute svirt_file_type;
+ ')
+
+ allow $1 svirt_file_type:dir_file_class_set mounton;
+')
+
+#######################################
+## <summary>
+## Connect to virt over a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_stream_connect_sandbox',`
+ gen_require(`
+ attribute svirt_sandbox_domain;
+ attribute svirt_file_type;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, svirt_file_type, svirt_file_type, svirt_sandbox_domain)
+ ps_process_pattern(svirt_sandbox_domain, $1)
+')
+
+########################################
+## <summary>
+## Execute qemu in the svirt domain, and
+## allow the specified role the svirt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the sandbox domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`virt_transition_svirt',`
+ gen_require(`
+ attribute virt_domain;
+ type virt_bridgehelper_t;
+ type svirt_image_t;
+ type svirt_socket_t;
+ ')
+
+ allow $1 virt_domain:process transition;
+ role $2 types virt_domain;
+ role $2 types virt_bridgehelper_t;
+ role $2 types svirt_socket_t;
+
+ allow $1 virt_domain:process { sigkill sigstop signull signal };
+ allow $1 svirt_image_t:file { relabelfrom relabelto };
+ allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto };
+ allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto };
+ allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms;
+
+ optional_policy(`
+ ptchown_run(virt_domain, $2)
+ ')
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write virt daemon unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`virt_dontaudit_write_pipes',`
+ gen_require(`
+ type virtd_t;
+ ')
+
+ dontaudit $1 virtd_t:fd use;
+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Send a sigkill to virtual machines
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_kill_svirt',`
+ gen_require(`
+ attribute virt_domain;
+ ')
+
+ allow $1 virt_domain:process sigkill;
+')
+
+########################################
+## <summary>
+## Send a sigkill to virtd daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_kill',`
+ gen_require(`
+ type virtd_t;
')
- tunable_policy(`virt_use_samba',`
- fs_manage_cifs_dirs($1)
- fs_manage_cifs_files($1)
- fs_manage_cifs_symlinks($1)
- ')
+ allow $1 virtd_t:process sigkill;
')
########################################
## <summary>
-## Relabel virt home content.
+## Send a signal to virtd daemon.
## </summary>
## <param name="domain">
## <summary>
@@ -728,52 +1173,35 @@ interface(`virt_manage_generic_virt_home_content',`
## </summary>
## </param>
#
-interface(`virt_relabel_generic_virt_home_content',`
+interface(`virt_signal',`
gen_require(`
- type virt_home_t;
+ type virtd_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 virt_home_t:dir relabel_dir_perms;
- allow $1 virt_home_t:file relabel_file_perms;
- allow $1 virt_home_t:fifo_file relabel_fifo_file_perms;
- allow $1 virt_home_t:lnk_file relabel_lnk_file_perms;
- allow $1 virt_home_t:sock_file relabel_sock_file_perms;
+ allow $1 virtd_t:process signal;
')
########################################
## <summary>
-## Create specified objects in user home
-## directories with the generic virt
-## home type.
+## Send null signal to virtd daemon.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
#
-interface(`virt_home_filetrans_virt_home',`
+interface(`virt_signull',`
gen_require(`
- type virt_home_t;
+ type virtd_t;
')
- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3)
+ allow $1 virtd_t:process signull;
')
########################################
## <summary>
-## Read virt pid files.
+## Send a signal to virtual machines
## </summary>
## <param name="domain">
## <summary>
@@ -781,19 +1209,17 @@ interface(`virt_home_filetrans_virt_home',`
## </summary>
## </param>
#
-interface(`virt_read_pid_files',`
+interface(`virt_signal_svirt',`
gen_require(`
- type virt_var_run_t;
+ attribute virt_domain;
')
- files_search_pids($1)
- read_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ allow $1 virt_domain:process signal;
')
########################################
## <summary>
-## Create, read, write, and delete
-## virt pid files.
+## Send a signal to sandbox domains
## </summary>
## <param name="domain">
## <summary>
@@ -801,18 +1227,17 @@ interface(`virt_read_pid_files',`
## </summary>
## </param>
#
-interface(`virt_manage_pid_files',`
+interface(`virt_signal_sandbox',`
gen_require(`
- type virt_var_run_t;
+ attribute svirt_sandbox_domain;
')
- files_search_pids($1)
- manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ allow $1 svirt_sandbox_domain:process signal;
')
########################################
## <summary>
-## Search virt lib directories.
+## Manage virt home files.
## </summary>
## <param name="domain">
## <summary>
@@ -820,211 +1245,247 @@ interface(`virt_manage_pid_files',`
## </summary>
## </param>
#
-interface(`virt_search_lib',`
+interface(`virt_manage_home_files',`
gen_require(`
- type virt_var_lib_t;
+ type virt_home_t;
')
- files_search_var_lib($1)
- allow $1 virt_var_lib_t:dir search_dir_perms;
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, virt_home_t, virt_home_t)
')
########################################
## <summary>
-## Read virt lib files.
+## allow domain to read
+## virt tmpfs files
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed access
## </summary>
## </param>
#
-interface(`virt_read_lib_files',`
+interface(`virt_read_tmpfs_files',`
gen_require(`
- type virt_var_lib_t;
+ attribute virt_tmpfs_type;
')
- files_search_var_lib($1)
- read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
- read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+ allow $1 virt_tmpfs_type:file read_file_perms;
')
########################################
## <summary>
-## Create, read, write, and delete
-## virt lib files.
+## allow domain to manage
+## virt tmpfs files
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed access
## </summary>
## </param>
#
-interface(`virt_manage_lib_files',`
+interface(`virt_manage_tmpfs_files',`
gen_require(`
- type virt_var_lib_t;
+ attribute virt_tmpfs_type;
')
- files_search_var_lib($1)
- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+ allow $1 virt_tmpfs_type:file manage_file_perms;
')
########################################
## <summary>
-## Create objects in virt pid
-## directories with a private type.
+## Create .virt directory in the user home directory
+## with an correct label.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="private type">
-## <summary>
-## The type of the object to be created.
-## </summary>
-## </param>
-## <param name="object">
+#
+interface(`virt_filetrans_home_content',`
+ gen_require(`
+ type virt_home_t;
+ type svirt_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
+
+ optional_policy(`
+ gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox")
+ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
+ gnome_data_filetrans($1, svirt_home_t, dir, "images")
+ gnome_data_filetrans($1, svirt_home_t, dir, "boot")
+ ')
+')
+
+########################################
+## <summary>
+## Dontaudit attempts to Read virt_image_type devices.
+## </summary>
+## <param name="domain">
## <summary>
-## The object class of the object being created.
+## Domain allowed access.
## </summary>
## </param>
-## <param name="name" optional="true">
+#
+interface(`virt_dontaudit_read_chr_dev',`
+ gen_require(`
+ attribute virt_image_type;
+ ')
+
+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Creates types and rules for a basic
+## virt_lxc process domain.
+## </summary>
+## <param name="prefix">
## <summary>
-## The name of the object being created.
+## Prefix for the domain.
## </summary>
## </param>
-## <infoflow type="write" weight="10"/>
#
-interface(`virt_pid_filetrans',`
+template(`virt_sandbox_domain_template',`
gen_require(`
- type virt_var_run_t;
+ attribute svirt_sandbox_domain;
')
- files_search_pids($1)
- filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
+ type $1_t, svirt_sandbox_domain;
+ domain_type($1_t)
+ domain_user_exemption_target($1_t)
+ mls_rangetrans_target($1_t)
+ mcs_constrained($1_t)
+ role system_r types $1_t;
+
+ logging_send_syslog_msg($1_t)
+
+ kernel_read_system_state($1_t)
+ kernel_read_all_proc($1_t)
+
+ # optional_policy(`
+ # container_runtime_typebounds($1_t)
+ # ')
')
########################################
## <summary>
-## Read virt log files.
+## Make the specified type usable as a lxc domain
## </summary>
-## <param name="domain">
+## <param name="type">
## <summary>
-## Domain allowed access.
+## Type to be used as a lxc domain
## </summary>
## </param>
-## <rolecap/>
#
-interface(`virt_read_log',`
+template(`virt_sandbox_domain',`
gen_require(`
- type virt_log_t;
+ attribute svirt_sandbox_domain;
')
- logging_search_logs($1)
- read_files_pattern($1, virt_log_t, virt_log_t)
+ typeattribute $1 svirt_sandbox_domain;
')
########################################
## <summary>
-## Append virt log files.
+## Make the specified type usable as a lxc network domain
## </summary>
-## <param name="domain">
+## <param name="type">
## <summary>
-## Domain allowed access.
+## Type to be used as a lxc network domain
## </summary>
## </param>
#
-interface(`virt_append_log',`
+template(`virt_sandbox_net_domain',`
gen_require(`
- type virt_log_t;
+ attribute sandbox_net_domain;
')
- logging_search_logs($1)
- append_files_pattern($1, virt_log_t, virt_log_t)
+ virt_sandbox_domain($1)
+ typeattribute $1 sandbox_net_domain;
')
########################################
## <summary>
-## Create, read, write, and delete
-## virt log files.
+## Execute a qemu_exec_t in the callers domain
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
-interface(`virt_manage_log',`
+interface(`virt_exec_qemu',`
gen_require(`
- type virt_log_t;
+ type qemu_exec_t;
')
- logging_search_logs($1)
- manage_dirs_pattern($1, virt_log_t, virt_log_t)
- manage_files_pattern($1, virt_log_t, virt_log_t)
- manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
+ can_exec($1, qemu_exec_t)
')
########################################
## <summary>
-## Search virt image directories.
+## Transition to virt named content
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`virt_search_images',`
+interface(`virt_filetrans_named_content',`
gen_require(`
- attribute virt_image_type;
+ type virt_lxc_var_run_t;
+ type virt_var_run_t;
')
- virt_search_lib($1)
- allow $1 virt_image_type:dir search_dir_perms;
+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
+ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
+ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
')
########################################
## <summary>
-## Read virt image files.
+## Execute qemu in the svirt domain, and
+## allow the specified role the svirt domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed access
## </summary>
## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the sandbox domain.
+## </summary>
+## </param>
+## <rolecap/>
#
-interface(`virt_read_images',`
+interface(`virt_transition_svirt_sandbox',`
gen_require(`
- type virt_var_lib_t;
- attribute virt_image_type;
+ attribute svirt_sandbox_domain;
')
- virt_search_lib($1)
- allow $1 virt_image_type:dir list_dir_perms;
- list_dirs_pattern($1, virt_image_type, virt_image_type)
- read_files_pattern($1, virt_image_type, virt_image_type)
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
- read_blk_files_pattern($1, virt_image_type, virt_image_type)
+ allow $1 svirt_sandbox_domain:process { transition signal_perms };
+ role $2 types svirt_sandbox_domain;
+ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto;
- tunable_policy(`virt_use_nfs',`
- fs_list_nfs($1)
- fs_read_nfs_files($1)
- fs_read_nfs_symlinks($1)
- ')
+ allow svirt_sandbox_domain $1:fd use;
- tunable_policy(`virt_use_samba',`
- fs_list_cifs($1)
- fs_read_cifs_files($1)
- fs_read_cifs_symlinks($1)
- ')
+ allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms;
+ allow svirt_sandbox_domain $1:process sigchld;
+ ps_process_pattern($1, svirt_sandbox_domain)
')
########################################
## <summary>
-## Read and write all virt image
-## character files.
+## Read the process state of virt sandbox containers
## </summary>
## <param name="domain">
## <summary>
@@ -1032,20 +1493,17 @@ interface(`virt_read_images',`
## </summary>
## </param>
#
-interface(`virt_rw_all_image_chr_files',`
+interface(`virt_sandbox_read_state',`
gen_require(`
- attribute virt_image_type;
+ attribute svirt_sandbox_domain;
')
- virt_search_lib($1)
- allow $1 virt_image_type:dir list_dir_perms;
- rw_chr_files_pattern($1, virt_image_type, virt_image_type)
+ ps_process_pattern($1, svirt_sandbox_domain)
')
########################################
## <summary>
-## Create, read, write, and delete
-## svirt cache files.
+## Read and write to svirt_image devices.
## </summary>
## <param name="domain">
## <summary>
@@ -1053,15 +1511,17 @@ interface(`virt_rw_all_image_chr_files',`
## </summary>
## </param>
#
-interface(`virt_manage_svirt_cache',`
- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
- virt_manage_virt_cache($1)
+interface(`virt_rw_svirt_dev',`
+ gen_require(`
+ type svirt_image_t;
+ ')
+
+ allow $1 svirt_image_t:chr_file rw_file_perms;
')
########################################
## <summary>
-## Create, read, write, and delete
-## virt cache content.
+## Read and write to svirt_image devices.
## </summary>
## <param name="domain">
## <summary>
@@ -1069,21 +1529,17 @@ interface(`virt_manage_svirt_cache',`
## </summary>
## </param>
#
-interface(`virt_manage_virt_cache',`
+interface(`virt_rlimitinh',`
gen_require(`
- type virt_cache_t;
+ type virtd_t;
')
- files_search_var($1)
- manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
- manage_files_pattern($1, virt_cache_t, virt_cache_t)
- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
+ allow $1 virtd_t:process { rlimitinh };
')
########################################
## <summary>
-## Create, read, write, and delete
-## virt image files.
+## Read and write to svirt_image devices.
## </summary>
## <param name="domain">
## <summary>
@@ -1091,36 +1547,18 @@ interface(`virt_manage_virt_cache',`
## </summary>
## </param>
#
-interface(`virt_manage_images',`
+interface(`virt_noatsecure',`
gen_require(`
- type virt_var_lib_t;
- attribute virt_image_type;
- ')
-
- virt_search_lib($1)
- allow $1 virt_image_type:dir list_dir_perms;
- manage_dirs_pattern($1, virt_image_type, virt_image_type)
- manage_files_pattern($1, virt_image_type, virt_image_type)
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
- rw_blk_files_pattern($1, virt_image_type, virt_image_type)
-
- tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs($1)
- fs_manage_nfs_files($1)
- fs_read_nfs_symlinks($1)
+ type virtd_t;
')
- tunable_policy(`virt_use_samba',`
- fs_manage_cifs_files($1)
- fs_manage_cifs_files($1)
- fs_read_cifs_symlinks($1)
- ')
+ allow $1 virtd_t:process { noatsecure rlimitinh };
')
########################################
## <summary>
-## All of the rules required to
-## administrate an virt environment.
+## All of the rules required to administrate
+## an virt environment
## </summary>
## <param name="domain">
## <summary>
@@ -1136,50 +1574,148 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
- attribute virt_domain, virt_image_type, virt_tmpfs_type;
- attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type;
- type virtd_t, virtd_initrc_exec_t, virtd_lxc_t;
- type virsh_t, virtd_lxc_var_run_t, svirt_lxc_file_t;
- type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t;
- type virt_var_run_t, virt_tmp_t, virt_log_t;
- type virt_lock_t, svirt_var_run_t, virt_etc_rw_t;
- type virt_etc_t, svirt_cache_t, virtd_keytab_t;
+ attribute virt_domain;
+ attribute virt_system_domain;
+ attribute svirt_file_type;
+ attribute virt_file_type;
+ type virtd_initrc_exec_t;
')
- allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms };
- allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t })
- ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t })
+ allow $1 virt_system_domain:process signal_perms;
+ allow $1 virt_domain:process signal_perms;
+ ps_process_pattern($1, virt_system_domain)
+ ps_process_pattern($1, virt_domain)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 virt_system_domain:process ptrace;
+ allow $1 virt_domain:process ptrace;
+ ')
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 virtd_initrc_exec_t system_r;
allow $2 system_r;
- fs_search_tmpfs($1)
- admin_pattern($1, virt_tmpfs_type)
+ allow $1 virt_domain:process signal_perms;
- files_search_tmp($1)
- admin_pattern($1, { virt_tmp_type virt_tmp_t })
+ admin_pattern($1, virt_file_type)
+ admin_pattern($1, svirt_file_type)
- files_search_etc($1)
- admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
+ virt_systemctl($1)
+ allow $1 virtd_unit_file_t:service all_service_perms;
- logging_search_logs($1)
- admin_pattern($1, virt_log_t)
+ virt_stream_connect_sandbox($1)
+ virt_stream_connect_svirt($1)
+ virt_stream_connect($1)
+')
+#######################################
+## <summary>
+## Getattr on virt executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_default_capabilities',`
+ gen_require(`
+ attribute sandbox_caps_domain;
+ ')
- files_search_pids($1)
- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
+ typeattribute $1 sandbox_caps_domain;
+')
- files_search_var($1)
- admin_pattern($1, svirt_cache_t)
- files_search_var_lib($1)
- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
+########################################
+## <summary>
+## Send and receive messages from
+## virt over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_dbus_chat',`
+ gen_require(`
+ type virtd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 virtd_t:dbus send_msg;
+ allow virtd_t $1:dbus send_msg;
+ ps_process_pattern(virtd_t, $1)
+')
+
+########################################
+## <summary>
+## Execute a file in a sandbox directory
+## in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a file in a sandbox directory
+## in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`virt_sandbox_domtrans',`
+ gen_require(`
+ type container_file_t;
+ ')
+
+ domtrans_pattern($1,container_file_t, $2)
+')
+
+########################################
+## <summary>
+## Dontaudit read the process state (/proc/pid) of libvirt
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_dontaudit_read_state',`
+ gen_require(`
+ type virtd_t;
+ ')
+
+ dontaudit $1 virtd_t:dir search_dir_perms;
+ dontaudit $1 virtd_t:file read_file_perms;
+ dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
+')
- files_search_locks($1)
- admin_pattern($1, virt_lock_t)
+#######################################
+## <summary>
+## Send to libvirt with a unix dgram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_dgram_send',`
+ gen_require(`
+ type virtd_t, virt_var_run_t;
+ ')
- dev_list_all_dev_nodes($1)
- allow $1 virt_ptynode:chr_file rw_term_perms;
+ files_search_pids($1)
+ dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
')
diff --git a/virt.te b/virt.te
index f03dcf567..6467b8676 100644
--- a/virt.te
+++ b/virt.te
@@ -1,451 +1,424 @@
-policy_module(virt, 1.7.4)
+policy_module(virt, 1.5.0)
########################################
#
# Declarations
#
+gen_require(`
+ class passwd rootok;
+ class passwd passwd;
+')
+
+attribute virsh_transition_domain;
+attribute virt_ptynode;
+attribute virt_system_domain;
+attribute virt_domain;
+attribute virt_image_type;
+attribute virt_tmpfs_type;
+attribute svirt_file_type;
+attribute virt_file_type;
+attribute sandbox_net_domain;
+attribute sandbox_caps_domain;
+
+type svirt_tmp_t, svirt_file_type;
+files_tmp_file(svirt_tmp_t)
+
+type svirt_tmpfs_t, virt_tmpfs_type, svirt_file_type;
+files_tmpfs_file(svirt_tmpfs_t)
+
+type svirt_image_t, virt_image_type, svirt_file_type;
+files_type(svirt_image_t)
+dev_node(svirt_image_t)
+dev_associate_sysfs(svirt_image_t)
+
## <desc>
-## <p>
-## Determine whether confined virtual guests
-## can use serial/parallel communication ports.
-## </p>
+## <p>
+## Allow confined virtual guests to use serial/parallel communication ports
+## </p>
## </desc>
gen_tunable(virt_use_comm, false)
## <desc>
-## <p>
-## Determine whether confined virtual guests
-## can use executable memory and can make
-## their stack executable.
-## </p>
+## <p>
+## Allow virtual processes to run as userdomains
+## </p>
+## </desc>
+gen_tunable(virt_transition_userdomain, false)
+
+## <desc>
+## <p>
+## Allow confined virtual guests to use executable memory and executable stack
+## </p>
## </desc>
gen_tunable(virt_use_execmem, false)
## <desc>
-## <p>
-## Determine whether confined virtual guests
-## can use fuse file systems.
-## </p>
+## <p>
+## Allow confined virtual guests to read fuse files
+## </p>
## </desc>
gen_tunable(virt_use_fusefs, false)
## <desc>
-## <p>
-## Determine whether confined virtual guests
-## can use nfs file systems.
-## </p>
+## <p>
+## Allow confined virtual guests to use glusterd
+## </p>
+## </desc>
+gen_tunable(virt_use_glusterd, false)
+
+## <desc>
+## <p>
+## Allow sandbox containers to share apache content
+## </p>
+## </desc>
+gen_tunable(virt_sandbox_share_apache_content, false)
+
+## <desc>
+## <p>
+## Allow sandbox containers manage fuse files
+## </p>
+## </desc>
+gen_tunable(virt_sandbox_use_fusefs, false)
+
+## <desc>
+## <p>
+## Allow confined virtual guests to manage nfs files
+## </p>
## </desc>
gen_tunable(virt_use_nfs, false)
## <desc>
-## <p>
-## Determine whether confined virtual guests
-## can use cifs file systems.
-## </p>
+## <p>
+## Allow confined virtual guests to manage cifs files
+## </p>
## </desc>
gen_tunable(virt_use_samba, false)
## <desc>
-## <p>
-## Determine whether confined virtual guests
-## can manage device configuration.
-## </p>
+## <p>
+## Allow confined virtual guests to interact with the sanlock
+## </p>
## </desc>
-gen_tunable(virt_use_sysfs, false)
+gen_tunable(virt_use_sanlock, false)
## <desc>
-## <p>
-## Determine whether confined virtual guests
-## can use usb devices.
-## </p>
+## <p>
+## Allow confined virtual guests to interact with rawip sockets
+## </p>
## </desc>
-gen_tunable(virt_use_usb, false)
+gen_tunable(virt_use_rawip, false)
## <desc>
-## <p>
-## Determine whether confined virtual guests
-## can interact with xserver.
-## </p>
+## <p>
+## Allow confined virtual guests to interact with the xserver
+## </p>
## </desc>
gen_tunable(virt_use_xserver, false)
-attribute virt_ptynode;
-attribute virt_domain;
-attribute virt_image_type;
-attribute virt_tmp_type;
-attribute virt_tmpfs_type;
+## <desc>
+## <p>
+## Allow confined virtual guests to use usb devices
+## </p>
+## </desc>
+gen_tunable(virt_use_usb, true)
+
+## <desc>
+## <p>
+## Allow confined virtual guests to use smartcards
+## </p>
+## </desc>
+gen_tunable(virt_use_pcscd, false)
-attribute svirt_lxc_domain;
+## <desc>
+## <p>
+## Allow sandbox containers to send audit messages
-attribute_role virt_domain_roles;
-roleattribute system_r virt_domain_roles;
+## </p>
+## </desc>
+gen_tunable(virt_sandbox_use_audit, true)
-attribute_role virt_bridgehelper_roles;
-roleattribute system_r virt_bridgehelper_roles;
+## <desc>
+## <p>
+## Allow sandbox containers to use netlink system calls
+## </p>
+## </desc>
+gen_tunable(virt_sandbox_use_netlink, false)
-attribute_role svirt_lxc_domain_roles;
-roleattribute system_r svirt_lxc_domain_roles;
+## <desc>
+## <p>
+## Allow sandbox containers to use sys_admin system calls, for example mount
+## </p>
+## </desc>
+gen_tunable(virt_sandbox_use_sys_admin, false)
+
+## <desc>
+## <p>
+## Allow sandbox containers to use mknod system calls
+## </p>
+## </desc>
+gen_tunable(virt_sandbox_use_mknod, false)
+
+## <desc>
+## <p>
+## Allow sandbox containers to use all capabilities
+## </p>
+## </desc>
+gen_tunable(virt_sandbox_use_all_caps, true)
+
+## <desc>
+## <p>
+## Allow qemu-ga to read qemu-ga date.
+## </p>
+## </desc>
+gen_tunable(virt_read_qemu_ga_data, false)
+
+## <desc>
+## <p>
+## Allow qemu-ga to manage qemu-ga date.
+## </p>
+## </desc>
+gen_tunable(virt_rw_qemu_ga_data, false)
virt_domain_template(svirt)
-virt_domain_template(svirt_prot_exec)
+role system_r types svirt_t;
+typealias svirt_t alias qemu_t;
+
+virt_domain_template(svirt_tcg)
+role system_r types svirt_tcg_t;
+
+type qemu_exec_t, virt_file_type;
-type virt_cache_t alias svirt_cache_t;
+type virt_cache_t alias svirt_cache_t, virt_file_type;
files_type(virt_cache_t)
-type virt_etc_t;
+type virt_etc_t, virt_file_type;
files_config_file(virt_etc_t)
-type virt_etc_rw_t;
+type virt_etc_rw_t, virt_file_type;
files_type(virt_etc_rw_t)
-type virt_home_t;
+type virt_home_t, virt_file_type;
userdom_user_home_content(virt_home_t)
-type svirt_home_t;
+type svirt_home_t, svirt_file_type;
userdom_user_home_content(svirt_home_t)
-type svirt_var_run_t;
-files_pid_file(svirt_var_run_t)
-mls_trusted_object(svirt_var_run_t)
-
-type virt_image_t; # customizable
+# virt Image files
+type virt_image_t, virt_file_type; # customizable
virt_image(virt_image_t)
files_mountpoint(virt_image_t)
-type virt_content_t; # customizable
+# virt Image files
+type virt_content_t, virt_file_type; # customizable
virt_image(virt_content_t)
userdom_user_home_content(virt_content_t)
-type virt_lock_t;
-files_lock_file(virt_lock_t)
+type virt_tmp_t, virt_file_type;
+files_tmp_file(virt_tmp_t)
-type virt_log_t;
+type virt_log_t, virt_file_type;
logging_log_file(virt_log_t)
mls_trusted_object(virt_log_t)
-type virt_tmp_t;
-files_tmp_file(virt_tmp_t)
+type virt_lock_t, virt_file_type;
+files_lock_file(virt_lock_t)
-type virt_var_run_t;
+type virt_var_run_t, virt_file_type;
files_pid_file(virt_var_run_t)
-type virt_var_lib_t;
+type virt_var_lib_t, virt_file_type;
files_mountpoint(virt_var_lib_t)
-type virtd_t;
-type virtd_exec_t;
+type virtd_t, virt_system_domain;
+type virtd_exec_t, virt_file_type;
init_daemon_domain(virtd_t, virtd_exec_t)
domain_obj_id_change_exemption(virtd_t)
domain_subj_id_change_exemption(virtd_t)
-type virtd_initrc_exec_t;
+type virtd_unit_file_t, virt_file_type;
+systemd_unit_file(virtd_unit_file_t)
+
+type virtd_initrc_exec_t, virt_file_type;
init_script_file(virtd_initrc_exec_t)
type virtd_keytab_t;
files_type(virtd_keytab_t)
+type virtlogd_t, virt_system_domain;
+type virtlogd_exec_t, virt_file_type;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_etc_t, virt_file_type;
+files_config_file(virtlogd_etc_t)
+
+type virtlogd_var_run_t, virt_file_type;
+files_pid_file(virtlogd_var_run_t)
+
+type virtlogd_unit_file_t, virt_file_type;
+systemd_unit_file(virtlogd_unit_file_t)
+
+type virtlogd_initrc_exec_t, virt_file_type;
+init_script_file(virtlogd_initrc_exec_t)
+
+
+type qemu_var_run_t, virt_file_type;
+typealias qemu_var_run_t alias svirt_var_run_t;
+files_pid_file(qemu_var_run_t)
+mls_trusted_object(qemu_var_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')
-type virt_qmf_t;
-type virt_qmf_exec_t;
+type virt_qmf_t, virt_system_domain;
+type virt_qmf_exec_t, virt_file_type;
init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
-type virt_bridgehelper_t;
-type virt_bridgehelper_exec_t;
+type virt_bridgehelper_t, virt_system_domain;
domain_type(virt_bridgehelper_t)
+
+type virt_bridgehelper_exec_t, virt_file_type;
domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
-role virt_bridgehelper_roles types virt_bridgehelper_t;
+role system_r types virt_bridgehelper_t;
-type virtd_lxc_t;
-type virtd_lxc_exec_t;
-init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
+# policy for qemu_ga
+type virt_qemu_ga_t, virt_system_domain;
+type virt_qemu_ga_exec_t, virt_file_type;
+init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t)
-type virtd_lxc_var_run_t;
-files_pid_file(virtd_lxc_var_run_t)
+type virt_qemu_ga_var_run_t, virt_file_type;
+files_pid_file(virt_qemu_ga_var_run_t)
-type svirt_lxc_file_t;
-files_mountpoint(svirt_lxc_file_t)
-fs_noxattr_type(svirt_lxc_file_t)
-term_pty(svirt_lxc_file_t)
+type virt_qemu_ga_log_t, virt_file_type;
+logging_log_file(virt_qemu_ga_log_t)
-virt_lxc_domain_template(svirt_lxc_net)
+type virt_qemu_ga_tmp_t, virt_file_type;
+files_tmp_file(virt_qemu_ga_tmp_t)
-type virsh_t;
-type virsh_exec_t;
-init_system_domain(virsh_t, virsh_exec_t)
+type virt_qemu_ga_data_t, virt_file_type;
+files_type(virt_qemu_ga_data_t)
+
+type virt_qemu_ga_unconfined_exec_t, virt_file_type;
+application_executable_file(virt_qemu_ga_unconfined_exec_t)
########################################
#
-# Common virt domain local policy
+# Declarations
#
+attribute svirt_sandbox_domain;
-allow virt_domain self:process { signal getsched signull };
-allow virt_domain self:fifo_file rw_fifo_file_perms;
-allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms;
-allow virt_domain self:netlink_route_socket r_netlink_socket_perms;
-allow virt_domain self:shm create_shm_perms;
-allow virt_domain self:tcp_socket create_stream_socket_perms;
-allow virt_domain self:unix_stream_socket { accept listen };
-allow virt_domain self:unix_dgram_socket sendto;
-
-allow virt_domain virtd_t:fd use;
-allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
-allow virt_domain virtd_t:process sigchld;
-
-dontaudit virt_domain virtd_t:unix_stream_socket { read write };
-
-manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
-manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
-files_var_filetrans(virt_domain, virt_cache_t, { file dir })
-
-manage_dirs_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
-manage_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
-manage_sock_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
-manage_lnk_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
-files_pid_filetrans(virt_domain, svirt_var_run_t, { dir file })
-
-stream_connect_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t, virtd_t)
-
-dontaudit virt_domain virt_tmpfs_type:file { read write };
-
-append_files_pattern(virt_domain, virt_log_t, virt_log_t)
-
-append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-
-kernel_read_system_state(virt_domain)
-
-fs_getattr_xattr_fs(virt_domain)
-
-corecmd_exec_bin(virt_domain)
-corecmd_exec_shell(virt_domain)
-
-corenet_all_recvfrom_unlabeled(virt_domain)
-corenet_all_recvfrom_netlabel(virt_domain)
-corenet_tcp_sendrecv_generic_if(virt_domain)
-corenet_tcp_sendrecv_generic_node(virt_domain)
-corenet_tcp_bind_generic_node(virt_domain)
-
-corenet_sendrecv_vnc_server_packets(virt_domain)
-corenet_tcp_bind_vnc_port(virt_domain)
-corenet_tcp_sendrecv_vnc_port(virt_domain)
-
-corenet_sendrecv_virt_migration_server_packets(virt_domain)
-corenet_tcp_bind_virt_migration_port(virt_domain)
-corenet_sendrecv_virt_migration_client_packets(virt_domain)
-corenet_tcp_connect_virt_migration_port(virt_domain)
-corenet_tcp_sendrecv_virt_migration_port(virt_domain)
-
-corenet_rw_tun_tap_dev(virt_domain)
-
-dev_getattr_fs(virt_domain)
-dev_list_sysfs(virt_domain)
-dev_read_generic_symlinks(virt_domain)
-dev_read_rand(virt_domain)
-dev_read_sound(virt_domain)
-dev_read_urand(virt_domain)
-dev_write_sound(virt_domain)
-dev_rw_ksm(virt_domain)
-dev_rw_kvm(virt_domain)
-dev_rw_qemu(virt_domain)
-dev_rw_vhost(virt_domain)
-
-domain_use_interactive_fds(virt_domain)
-
-files_read_etc_files(virt_domain)
-files_read_mnt_symlinks(virt_domain)
-files_read_usr_files(virt_domain)
-files_read_var_files(virt_domain)
-files_search_all(virt_domain)
-
-fs_getattr_all_fs(virt_domain)
-fs_rw_anon_inodefs_files(virt_domain)
-fs_rw_tmpfs_files(virt_domain)
-fs_getattr_hugetlbfs(virt_domain)
-
-# fs_rw_inherited_nfs_files(virt_domain)
-# fs_rw_inherited_cifs_files(virt_domain)
-# fs_rw_inherited_noxattr_fs_files(virt_domain)
-
-storage_raw_write_removable_device(virt_domain)
-storage_raw_read_removable_device(virt_domain)
-
-term_use_all_terms(virt_domain)
-term_getattr_pty_fs(virt_domain)
-term_use_generic_ptys(virt_domain)
-term_use_ptmx(virt_domain)
-
-logging_send_syslog_msg(virt_domain)
-
-miscfiles_read_localization(virt_domain)
-miscfiles_read_public_files(virt_domain)
-
-sysnet_read_config(virt_domain)
-
-userdom_search_user_home_dirs(virt_domain)
-userdom_read_all_users_state(virt_domain)
-
-virt_run_bridgehelper(virt_domain, virt_domain_roles)
-virt_read_config(virt_domain)
-virt_read_lib_files(virt_domain)
-virt_read_content(virt_domain)
-virt_stream_connect(virt_domain)
-
-qemu_exec(virt_domain)
-
-tunable_policy(`virt_use_execmem',`
- allow virt_domain self:process { execmem execstack };
-')
-
-tunable_policy(`virt_use_comm',`
- term_use_unallocated_ttys(virt_domain)
- dev_rw_printer(virt_domain)
-')
-
-tunable_policy(`virt_use_fusefs',`
- fs_manage_fusefs_dirs(virt_domain)
- fs_manage_fusefs_files(virt_domain)
- fs_read_fusefs_symlinks(virt_domain)
-')
-
-tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs(virt_domain)
- fs_manage_nfs_files(virt_domain)
- fs_manage_nfs_named_sockets(virt_domain)
- fs_read_nfs_symlinks(virt_domain)
-')
-
-tunable_policy(`virt_use_samba',`
- fs_manage_cifs_dirs(virt_domain)
- fs_manage_cifs_files(virt_domain)
- fs_manage_cifs_named_sockets(virt_domain)
- fs_read_cifs_symlinks(virt_domain)
-')
-
-tunable_policy(`virt_use_sysfs',`
- dev_rw_sysfs(virt_domain)
-')
-
-tunable_policy(`virt_use_usb',`
- dev_rw_usbfs(virt_domain)
- dev_read_sysfs(virt_domain)
- fs_getattr_dos_fs(virt_domain)
- fs_manage_dos_dirs(virt_domain)
- fs_manage_dos_files(virt_domain)
-')
-
-optional_policy(`
- tunable_policy(`virt_use_xserver',`
- xserver_read_xdm_pid(virt_domain)
- xserver_stream_connect(virt_domain)
- ')
-')
-
-optional_policy(`
- dbus_read_lib_files(virt_domain)
-')
+type virtd_lxc_t, virt_system_domain;
+type virtd_lxc_exec_t, virt_file_type;
+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
-optional_policy(`
- nscd_use(virt_domain)
-')
+type virt_lxc_var_run_t, virt_file_type;
+files_pid_file(virt_lxc_var_run_t)
+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
-optional_policy(`
- samba_domtrans_smbd(virt_domain)
-')
+# virt lxc container files
+type container_file_t, svirt_file_type;
+typealias container_file_t alias { svirt_sandbox_file_t svirt_lxc_file_t };
+files_mountpoint(container_file_t)
-optional_policy(`
- xen_rw_image_files(virt_domain)
-')
+type container_ro_file_t, svirt_file_type;
+files_mountpoint(container_ro_file_t)
########################################
#
# svirt local policy
#
-list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-read_files_pattern(svirt_t, virt_content_t, virt_content_t)
-
-dontaudit svirt_t virt_content_t:file write_file_perms;
-dontaudit svirt_t virt_content_t:dir rw_dir_perms;
-
-append_files_pattern(svirt_t, virt_home_t, virt_home_t)
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
+allow svirt_t self:process ptrace;
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
+# it was a part of auth_use_nsswitch
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
corenet_udp_sendrecv_generic_if(svirt_t)
corenet_udp_sendrecv_generic_node(svirt_t)
corenet_udp_sendrecv_all_ports(svirt_t)
corenet_udp_bind_generic_node(svirt_t)
-
-corenet_all_recvfrom_unlabeled(svirt_t)
-corenet_all_recvfrom_netlabel(svirt_t)
-corenet_tcp_sendrecv_generic_if(svirt_t)
-corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_tcp_sendrecv_generic_node(svirt_t)
-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_tcp_sendrecv_all_ports(svirt_t)
-corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_tcp_bind_generic_node(svirt_t)
-corenet_udp_bind_generic_node(svirt_t)
-
-corenet_sendrecv_all_server_packets(svirt_t)
corenet_udp_bind_all_ports(svirt_t)
corenet_tcp_bind_all_ports(svirt_t)
-
-corenet_sendrecv_all_client_packets(svirt_t)
corenet_tcp_connect_all_ports(svirt_t)
+init_dontaudit_read_state(svirt_t)
+
+virt_dontaudit_read_state(svirt_t)
+
+storage_raw_read_fixed_disk(svirt_t)
+
+userdom_read_all_users_state(svirt_t)
+
+#######################################
+#
+# svirt_prot_exec local policy
+#
+
+allow svirt_tcg_t self:process { execmem execstack };
+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
+
+corenet_udp_sendrecv_generic_if(svirt_tcg_t)
+corenet_udp_sendrecv_generic_node(svirt_tcg_t)
+corenet_udp_sendrecv_all_ports(svirt_tcg_t)
+corenet_udp_bind_generic_node(svirt_tcg_t)
+corenet_udp_bind_all_ports(svirt_tcg_t)
+corenet_tcp_bind_all_ports(svirt_tcg_t)
+corenet_tcp_connect_all_ports(svirt_tcg_t)
+
########################################
#
# virtd local policy
#
-allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
+allow virtd_t self:capability { chown dac_read_search fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
+#allow virtd_t self:capability2 compromise_kernel;
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
+ dontaudit virtd_t self:capability { sys_module };
+')
+
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
-allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
-allow virtd_t self:tcp_socket { accept listen };
+allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms relabelfrom relabelto };
+allow virtd_t self:tcp_socket create_stream_socket_perms;
allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
allow virtd_t self:rawip_socket create_socket_perms;
allow virtd_t self:packet_socket create_socket_perms;
allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow virtd_t self:netlink_route_socket nlmsg_write;
-
-allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
-dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
-
-allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };
-allow virtd_t svirt_lxc_domain:process signal_perms;
-
-allow virtd_t virtd_lxc_t:process { signal signull sigkill };
-
-domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
+allow virtd_t self:netlink_route_socket create_netlink_socket_perms;
manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t)
manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t)
+files_var_filetrans(virtd_t, virt_cache_t, dir)
manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
-filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
allow virtd_t virtd_keytab_t:file read_file_perms;
-allow virtd_t svirt_var_run_t:file relabel_file_perms;
-manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
-manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
-manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, svirt_var_run_t, dir, "qemu")
+allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
+allow virtd_t svirt_sandbox_domain:process { getattr getsched setsched transition signal signull sigkill };
+allow virt_domain virtd_t:fd use;
+dontaudit virt_domain virtd_t:unix_stream_socket { read write };
+allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms };
+allow virt_domain virtd_t:tun_socket attach_queue;
+
+can_exec(virtd_t, qemu_exec_t)
+can_exec(virt_domain, qemu_exec_t)
+
+allow virtd_t qemu_var_run_t:file relabel_file_perms;
+manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
+manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
+manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
+stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain)
+filetrans_pattern(virtd_t, virt_var_run_t, qemu_var_run_t, dir, "qemu")
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
@@ -455,42 +428,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
-manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t)
-manage_files_pattern(virtd_t, virt_home_t, virt_home_t)
-manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t)
-manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
-
-userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, ".libvirt")
-userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, ".virtinst")
-userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, "VirtualMachines")
-
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
-
+allow virtd_t virt_image_type:dir setattr;
allow virtd_t virt_image_type:file relabel_file_perms;
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-
+allow virtd_t virt_image_type:unix_stream_socket relabel_file_perms;
allow virtd_t virt_ptynode:chr_file rw_term_perms;
manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
+can_exec(virtd_t, virt_tmp_t)
-# This needs a file context specification
manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
manage_lnk_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file })
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
-append_files_pattern(virtd_t, virt_log_t, virt_log_t)
-create_files_pattern(virtd_t, virt_log_t, virt_log_t)
-read_files_pattern(virtd_t, virt_log_t, virt_log_t)
-setattr_files_pattern(virtd_t, virt_log_t, virt_log_t)
+manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
@@ -503,23 +463,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
-
-can_exec(virtd_t, virt_tmp_t)
+# libvirtd is permitted to talk to virtlogd
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t)
+allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
kernel_read_kernel_sysctls(virtd_t)
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
-kernel_setsched(virtd_t)
+kernel_dontaudit_setsched(virtd_t)
+kernel_write_proc_files(virtd_t)
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
@@ -527,24 +488,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
+corenet_tcp_sendrecv_all_ports(virtd_t)
corenet_tcp_bind_generic_node(virtd_t)
-
-corenet_sendrecv_virt_server_packets(virtd_t)
corenet_tcp_bind_virt_port(virtd_t)
-corenet_tcp_sendrecv_virt_port(virtd_t)
-
-corenet_sendrecv_vnc_server_packets(virtd_t)
corenet_tcp_bind_vnc_port(virtd_t)
-corenet_sendrecv_vnc_client_packets(virtd_t)
corenet_tcp_connect_vnc_port(virtd_t)
-corenet_tcp_sendrecv_vnc_port(virtd_t)
-
-corenet_sendrecv_soundd_client_packets(virtd_t)
corenet_tcp_connect_soundd_port(virtd_t)
-corenet_tcp_sendrecv_soundd_port(virtd_t)
-
corenet_rw_tun_tap_dev(virtd_t)
+corenet_relabel_tun_tap_dev(virtd_t)
+dev_rw_vfio_dev(virtd_t)
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
@@ -555,20 +508,26 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
+# Init script handling
domain_use_interactive_fds(virtd_t)
domain_read_all_domains_state(virtd_t)
+domain_signull_all_domains(virtd_t)
-files_read_usr_files(virtd_t)
+files_list_all_mountpoints(virtd_t)
files_read_etc_runtime_files(virtd_t)
files_search_all(virtd_t)
files_read_kernel_modules(virtd_t)
files_read_usr_src_files(virtd_t)
+files_relabelto_system_conf_files(virtd_t)
+files_relabelfrom_system_conf_files(virtd_t)
+files_relabelfrom_boot_files(virtd_t)
+files_relabelto_boot_files(virtd_t)
+files_manage_boot_files(virtd_t)
# Manages /etc/sysconfig/system-config-firewall
-# files_relabelto_system_conf_files(virtd_t)
-# files_relabelfrom_system_conf_files(virtd_t)
-# files_manage_system_conf_files(virtd_t)
+files_manage_system_conf_files(virtd_t)
+fs_read_tmpfs_symlinks(virtd_t)
fs_list_auto_mountpoints(virtd_t)
fs_getattr_all_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
@@ -601,15 +560,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
-miscfiles_read_localization(virtd_t)
+init_dbus_chat(virtd_t)
+
miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)
modutils_read_module_deps(virtd_t)
+modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
logging_send_audit_msgs(virtd_t)
+logging_stream_connect_syslog(virtd_t)
selinux_validate_context(virtd_t)
@@ -620,18 +582,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
+sysnet_read_config(virtd_t)
-userdom_read_all_users_state(virtd_t)
+systemd_dbus_chat_logind(virtd_t)
+systemd_write_inhibit_pipes(virtd_t)
-ifdef(`hide_broken_symptoms',`
- dontaudit virtd_t self:capability { sys_module sys_ptrace };
-')
-
-tunable_policy(`virt_use_fusefs',`
- fs_manage_fusefs_dirs(virtd_t)
- fs_manage_fusefs_files(virtd_t)
- fs_read_fusefs_symlinks(virtd_t)
-')
+userdom_list_admin_dir(virtd_t)
+userdom_getattr_all_users(virtd_t)
+userdom_list_user_home_content(virtd_t)
+userdom_read_all_users_state(virtd_t)
+userdom_read_user_home_content_files(virtd_t)
+userdom_relabel_user_tmp_files(virtd_t)
+userdom_setattr_user_tmp_files(virtd_t)
+userdom_relabel_user_home_files(virtd_t)
+userdom_setattr_user_home_content_files(virtd_t)
+manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t)
+manage_files_pattern(virtd_t, virt_home_t, virt_home_t)
+manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t)
+manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
+#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
+virt_filetrans_home_content(virtd_t)
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
@@ -640,7 +610,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
- fs_manage_cifs_files(virtd_t)
+ fs_manage_cifs_dirs(virtd_t)
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
@@ -665,20 +635,12 @@ optional_policy(`
')
optional_policy(`
- firewalld_dbus_chat(virtd_t)
- ')
-
- optional_policy(`
hal_dbus_chat(virtd_t)
')
optional_policy(`
networkmanager_dbus_chat(virtd_t)
')
-
- optional_policy(`
- policykit_dbus_chat(virtd_t)
- ')
')
optional_policy(`
@@ -691,99 +653,450 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, dir, "network")
- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, file, "dnsmasq.pid")
+ dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);
dnsmasq_manage_pid_files(virtd_t)
')
optional_policy(`
+ firewalld_dbus_chat(virtd_t)
+')
+
+optional_policy(`
iptables_domtrans(virtd_t)
iptables_initrc_domtrans(virtd_t)
+ iptables_systemctl(virtd_t)
+
+ # Manages /etc/sysconfig/system-config-firewall
iptables_manage_config(virtd_t)
')
optional_policy(`
- kerberos_read_keytab(virtd_t)
- kerberos_use(virtd_t)
+ kerberos_read_keytab(virtd_t)
+ kerberos_use(virtd_t)
+')
+
+optional_policy(`
+ lvm_domtrans(virtd_t)
+')
+
+optional_policy(`
+ # Run mount in the mount_t domain.
+ mount_domtrans(virtd_t)
+ mount_signal(virtd_t)
+')
+
+optional_policy(`
+ numad_domtrans(virtd_t)
+ numad_dbus_chat(virtd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(virtd_t)
+ policykit_domtrans_auth(virtd_t)
+ policykit_domtrans_resolve(virtd_t)
+ policykit_read_lib(virtd_t)
+')
+
+optional_policy(`
+ qemu_exec(virtd_t)
+')
+
+optional_policy(`
+ sanlock_stream_connect(virtd_t)
+')
+
+optional_policy(`
+ sasl_connect(virtd_t)
+')
+
+optional_policy(`
+ setrans_manage_pid_files(virtd_t)
+')
+
+optional_policy(`
+ kernel_read_xen_state(virtd_t)
+ kernel_write_xen_state(virtd_t)
+
+ xen_exec(virtd_t)
+ xen_stream_connect(virtd_t)
+ xen_stream_connect_xenstore(virtd_t)
+ xen_read_image_files(virtd_t)
+')
+
+optional_policy(`
+ udev_domtrans(virtd_t)
+ udev_read_db(virtd_t)
+ udev_read_pid_files(virtd_t)
+')
+
+optional_policy(`
+ unconfined_domain(virtd_t)
+')
+
+########################################
+#
+# virtlogd local policy
+#
+
+# virtlogd is allowed to manage files it creates in /var/run/libvirt
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t)
+
+# virtlogd needs to read /etc/libvirt/virtlogd.conf only
+allow virtlogd_t virtlogd_etc_t:file read_file_perms;
+files_search_etc(virtlogd_t)
+allow virtlogd_t virt_etc_t:dir search;
+
+# virtlogd creates /var/run/libvirt/virtlogd-sock with isolated
+# context from other stuff in /var/run/libvirt
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t, { sock_file })
+# This lets systemd create the socket itself too
+
+# virtlogd creates a /var/run/virtlogd.pid file
+allow virtlogd_t virtlogd_var_run_t:file manage_file_perms;
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t)
+files_pid_filetrans(virtlogd_t, virtlogd_var_run_t, file)
+
+manage_dirs_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
+manage_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
+manage_lnk_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
+files_tmp_filetrans(virtlogd_t, svirt_tmp_t, { file dir lnk_file })
+
+kernel_read_network_state(virtlogd_t)
+
+allow virtlogd_t self:unix_stream_socket create_stream_socket_perms;
+
+# Allow virtlogd_t to execute itself.
+allow virtlogd_t virtlogd_exec_t:file execute_no_trans;
+
+dev_read_sysfs(virtlogd_t)
+
+logging_send_syslog_msg(virtlogd_t)
+
+auth_use_nsswitch(virtlogd_t)
+
+manage_files_pattern(virtlogd_t, virt_log_t, virt_log_t)
+
+append_files_pattern(virtlogd_t, svirt_image_t, svirt_image_t)
+
+
+# Allow virtlogd to look at /proc/$PID/status
+# to authenticate the connecting libvirtd
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+tunable_policy(`virt_use_nfs',`
+ fs_append_nfs_files(virtlogd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(virtlogd_t)
+')
+
+optional_policy(`
+ systemd_write_inhibit_pipes(virtlogd_t)
+')
+
+########################################
+#
+# virtual domains common policy
+#
+#allow virt_domain self:capability2 compromise_kernel;
+allow virt_domain self:process { setrlimit signal_perms getsched setsched };
+allow virt_domain self:fifo_file rw_fifo_file_perms;
+allow virt_domain self:shm create_shm_perms;
+allow virt_domain self:unix_stream_socket { connectto create_stream_socket_perms };
+allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
+allow virt_domain self:tcp_socket create_stream_socket_perms;
+allow virt_domain self:udp_socket create_socket_perms;
+allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+list_dirs_pattern(virt_domain, virt_content_t, virt_content_t)
+read_files_pattern(virt_domain, virt_content_t, virt_content_t)
+dontaudit virt_domain virt_content_t:file write_file_perms;
+dontaudit virt_domain virt_content_t:dir write;
+
+kernel_read_net_sysctls(virt_domain)
+kernel_read_network_state(virt_domain)
+
+userdom_search_user_home_content(virt_domain)
+userdom_read_user_home_content_symlinks(virt_domain)
+userdom_read_all_users_state(virt_domain)
+append_files_pattern(virt_domain, virt_home_t, virt_home_t)
+manage_dirs_pattern(virt_domain, svirt_home_t, svirt_home_t)
+manage_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
+manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
+
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
+
+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
+
+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
+manage_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
+manage_sock_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
+manage_fifo_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
+read_lnk_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
+rw_chr_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
+rw_blk_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
+fs_hugetlbfs_filetrans(virt_domain, svirt_image_t, file)
+
+manage_dirs_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
+manage_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
+manage_lnk_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
+manage_sock_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
+files_tmp_filetrans(virt_domain, svirt_tmp_t, { file dir lnk_file sock_file})
+userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
+manage_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
+manage_lnk_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
+fs_tmpfs_filetrans(virt_domain, svirt_tmpfs_t, { dir file lnk_file })
+allow virt_domain svirt_tmpfs_t:file map;
+
+manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
+manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
+manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
+manage_lnk_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
+files_pid_filetrans(virt_domain, qemu_var_run_t, { dir file })
+stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t)
+
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
+
+dontaudit virt_domain virt_tmpfs_type:file { read write };
+
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
+
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
+corenet_tcp_sendrecv_generic_if(virt_domain)
+corenet_tcp_sendrecv_generic_node(virt_domain)
+corenet_tcp_sendrecv_all_ports(virt_domain)
+corenet_tcp_bind_generic_node(virt_domain)
+corenet_tcp_bind_vnc_port(virt_domain)
+corenet_tcp_bind_virt_migration_port(virt_domain)
+corenet_tcp_connect_virt_migration_port(virt_domain)
+corenet_rw_inherited_tun_tap_dev(virt_domain)
+
+dev_list_sysfs(virt_domain)
+dev_getattr_fs(virt_domain)
+dev_dontaudit_getattr_all(virt_domain)
+dev_read_generic_symlinks(virt_domain)
+dev_read_rand(virt_domain)
+dev_read_sound(virt_domain)
+dev_read_urand(virt_domain)
+dev_write_sound(virt_domain)
+dev_rw_ksm(virt_domain)
+dev_rw_vfio_dev(virt_domain)
+dev_rw_kvm(virt_domain)
+dev_rw_qemu(virt_domain)
+dev_rw_inherited_vhost(virt_domain)
+dev_rw_infiniband_dev(virt_domain)
+dev_rw_dri(virt_domain)
+dev_rw_tpm(virt_domain)
+
+domain_use_interactive_fds(virt_domain)
+
+files_read_mnt_symlinks(virt_domain)
+files_read_var_files(virt_domain)
+files_search_all(virt_domain)
+
+fs_getattr_xattr_fs(virt_domain)
+fs_getattr_tmpfs(virt_domain)
+fs_rw_anon_inodefs_files(virt_domain)
+fs_rw_inherited_tmpfs_files(virt_domain)
+fs_getattr_hugetlbfs(virt_domain)
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
+
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+miscfiles_read_generic_certs(virt_domain)
+
+storage_raw_read_removable_device(virt_domain)
+
+sysnet_read_config(virt_domain)
+
+term_use_all_inherited_terms(virt_domain)
+term_getattr_pty_fs(virt_domain)
+term_use_generic_ptys(virt_domain)
+term_use_ptmx(virt_domain)
+
+tunable_policy(`virt_use_execmem',`
+ allow virt_domain self:process { execmem execstack };
+')
+
+optional_policy(`
+ alsa_read_rw_config(virt_domain)
+')
+
+optional_policy(`
+ nscd_dontaudit_write_sock_file(virt_domain)
+')
+
+optional_policy(`
+ nscd_dontaudit_read_pid(virt_domain)
+')
+
+optional_policy(`
+ openvswitch_stream_connect(svirt_t)
+')
+
+optional_policy(`
+ ptchown_domtrans(virt_domain)
+')
+
+optional_policy(`
+ pulseaudio_dontaudit_exec(virt_domain)
+')
+
+optional_policy(`
+ sssd_dontaudit_stream_connect(virt_domain)
+ sssd_dontaudit_read_lib(virt_domain)
+')
+
+optional_policy(`
+ sssd_read_public_files(virt_domain)
+')
+
+optional_policy(`
+ virt_read_config(virt_domain)
+ virt_read_lib_files(virt_domain)
+ virt_read_content(virt_domain)
+ virt_stream_connect(virt_domain)
+ virt_read_pid_symlinks(virt_domain)
+ virt_domtrans_bridgehelper(virt_domain)
+')
+
+optional_policy(`
+ unconfined_dontaudit_read_state(virt_domain)
+')
+
+optional_policy(`
+ xserver_rw_shm(virt_domain)
+')
+
+tunable_policy(`virt_use_comm',`
+ term_use_unallocated_ttys(virt_domain)
+ dev_rw_printer(virt_domain)
+')
+
+tunable_policy(`virt_use_fusefs',`
+ fs_manage_fusefs_dirs(virt_domain)
+ fs_manage_fusefs_files(virt_domain)
+ fs_read_fusefs_symlinks(virt_domain)
+ fs_getattr_fusefs(virt_domain)
+')
+
+optional_policy(`
+ tunable_policy(`virt_use_glusterd',`
+ glusterd_manage_pid(virt_domain)
+ ')
')
-optional_policy(`
- lvm_domtrans(virtd_t)
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virt_domain)
+ fs_manage_nfs_files(virt_domain)
+ fs_manage_nfs_named_sockets(virt_domain)
+ fs_read_nfs_symlinks(virt_domain)
+ fs_getattr_nfs(virt_domain)
')
-optional_policy(`
- mount_domtrans(virtd_t)
- mount_signal(virtd_t)
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_dirs(virt_domain)
+ fs_manage_cifs_files(virt_domain)
+ fs_manage_cifs_named_sockets(virt_domain)
+ fs_read_cifs_symlinks(virt_domain)
+ fs_getattr_cifs(virt_domain)
')
-optional_policy(`
- policykit_domtrans_auth(virtd_t)
- policykit_domtrans_resolve(virtd_t)
- policykit_read_lib(virtd_t)
+tunable_policy(`virt_use_usb',`
+ dev_rw_usbfs(virt_domain)
+ dev_read_sysfs(virt_domain)
+ fs_getattr_dos_fs(virt_domain)
+ fs_manage_dos_dirs(virt_domain)
+ fs_manage_dos_files(virt_domain)
+ udev_read_db(virt_domain)
')
optional_policy(`
- qemu_exec(virtd_t)
+ tunable_policy(`virt_use_pcscd',`
+ pcscd_stream_connect(virt_domain)
+ ')
')
optional_policy(`
- sasl_connect(virtd_t)
+ tunable_policy(`virt_use_sanlock',`
+ sanlock_stream_connect(virt_domain)
+ ')
')
-optional_policy(`
- kernel_read_xen_state(virtd_t)
- kernel_write_xen_state(virtd_t)
-
- xen_exec(virtd_t)
- xen_stream_connect(virtd_t)
- xen_stream_connect_xenstore(virtd_t)
- xen_read_image_files(virtd_t)
+tunable_policy(`virt_use_rawip',`
+ allow virt_domain self:rawip_socket create_socket_perms;
')
optional_policy(`
- udev_domtrans(virtd_t)
- udev_read_db(virtd_t)
- udev_read_pid_files(virtd_t)
+ tunable_policy(`virt_use_xserver',`
+ xserver_stream_connect(virt_domain)
+ ')
')
########################################
#
-# Virsh local policy
+# xm local policy
#
+type virsh_t, virt_system_domain;
+type virsh_exec_t, virt_file_type;
+init_system_domain(virsh_t, virsh_exec_t)
+typealias virsh_t alias xm_t;
+typealias virsh_exec_t alias xm_exec_t;
-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
-allow virsh_t self:process { getcap getsched setsched setcap signal };
+allow virsh_t self:capability { setpcap dac_read_search ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
+allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
allow virsh_t self:fifo_file rw_fifo_file_perms;
-allow virsh_t self:unix_stream_socket { accept connectto listen };
-allow virsh_t self:tcp_socket { accept listen };
-
-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-
-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-
-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
-
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow virsh_t self:tcp_socket create_stream_socket_perms;
-allow virsh_t svirt_lxc_domain:process transition;
+ps_process_pattern(virsh_t, svirt_sandbox_domain)
can_exec(virsh_t, virsh_exec_t)
-
virt_domtrans(virsh_t)
virt_manage_images(virsh_t)
virt_manage_config(virsh_t)
virt_stream_connect(virsh_t)
-kernel_read_crypto_sysctls(virsh_t)
+manage_dirs_pattern(virsh_t, virt_lock_t, virt_lock_t)
+manage_files_pattern(virsh_t, virt_lock_t, virt_lock_t)
+manage_lnk_files_pattern(virsh_t, virt_lock_t, virt_lock_t)
+files_lock_filetrans(virsh_t, virt_lock_t, { dir file lnk_file })
+
+manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
+manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+
+manage_dirs_pattern(virsh_t, container_file_t, container_file_t)
+manage_files_pattern(virsh_t, container_file_t, container_file_t)
+manage_chr_files_pattern(virsh_t, container_file_t, container_file_t)
+manage_lnk_files_pattern(virsh_t, container_file_t, container_file_t)
+manage_sock_files_pattern(virsh_t, container_file_t, container_file_t)
+manage_fifo_files_pattern(virsh_t, container_file_t, container_file_t)
+virt_transition_svirt_sandbox(virsh_t, system_r)
+
+manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+virt_filetrans_named_content(virsh_t)
+filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+
+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
+
+kernel_write_proc_files(virsh_t)
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
@@ -794,25 +1107,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
-corenet_all_recvfrom_unlabeled(virsh_t)
-corenet_all_recvfrom_netlabel(virsh_t)
corenet_tcp_sendrecv_generic_if(virsh_t)
corenet_tcp_sendrecv_generic_node(virsh_t)
-corenet_tcp_bind_generic_node(virsh_t)
-
-corenet_sendrecv_soundd_client_packets(virsh_t)
corenet_tcp_connect_soundd_port(virsh_t)
-corenet_tcp_sendrecv_soundd_port(virsh_t)
dev_read_rand(virsh_t)
dev_read_urand(virsh_t)
dev_read_sysfs(virsh_t)
files_read_etc_runtime_files(virsh_t)
-files_read_etc_files(virsh_t)
-files_read_usr_files(virsh_t)
files_list_mnt(virsh_t)
files_list_tmp(virsh_t)
+# Some common macros (you might be able to remove some)
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
@@ -821,23 +1127,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
-term_use_all_terms(virsh_t)
+term_use_all_inherited_terms(virsh_t)
+term_dontaudit_use_generic_ptys(virsh_t)
+
+userdom_search_admin_dir(virsh_t)
+userdom_read_home_certs(virsh_t)
init_stream_connect_script(virsh_t)
init_rw_script_stream_sockets(virsh_t)
init_use_fds(virsh_t)
-logging_send_syslog_msg(virsh_t)
+systemd_exec_systemctl(virsh_t)
-miscfiles_read_localization(virsh_t)
+auth_read_passwd(virsh_t)
+
+logging_send_syslog_msg(virsh_t)
sysnet_dns_name_resolve(virsh_t)
-tunable_policy(`virt_use_fusefs',`
- fs_manage_fusefs_dirs(virsh_t)
- fs_manage_fusefs_files(virsh_t)
- fs_read_fusefs_symlinks(virsh_t)
-')
+userdom_stream_connect(virsh_t)
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
@@ -856,14 +1164,20 @@ optional_policy(`
')
optional_policy(`
+ rhcs_domtrans_fenced(virsh_t)
+')
+
+optional_policy(`
rpm_exec(virsh_t)
')
optional_policy(`
xen_manage_image_dirs(virsh_t)
+ xen_read_image_files(virsh_t)
+ xen_read_lib_files(virsh_t)
xen_append_log(virsh_t)
xen_domtrans(virsh_t)
- xen_read_xenstored_pid_files(virsh_t)
+ xen_read_pid_files_xenstored(virsh_t)
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
@@ -888,49 +1202,66 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
+ dontaudit virsh_ssh_t virsh_transition_domain:fifo_file rw_inherited_fifo_file_perms;
files_search_tmp(virsh_ssh_t)
fs_manage_xenfs_dirs(virsh_ssh_t)
fs_manage_xenfs_files(virsh_ssh_t)
+
+ userdom_search_admin_dir(virsh_ssh_t)
')
########################################
#
-# Lxc local policy
+# virt_lxc local policy
#
+allow virtd_lxc_t self:capability { dac_read_search net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid };
+allow virtd_lxc_t self:process { setsockcreate transition setpgid signal_perms };
+#allow virtd_lxc_t self:capability2 compromise_kernel;
-allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource };
allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms };
allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
-allow virtd_lxc_t self:netlink_route_socket nlmsg_write;
-allow virtd_lxc_t self:unix_stream_socket { accept listen };
+allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
+allow virtd_lxc_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow virtd_lxc_t self:packet_socket create_socket_perms;
+ps_process_pattern(virtd_lxc_t, svirt_sandbox_domain)
+allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms;
-allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
+corecmd_entrypoint_all_executables(virtd_lxc_t)
+files_entrypoint_all_mountpoint(virtd_lxc_t)
allow virtd_lxc_t virt_image_type:dir mounton;
manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)
+domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
+allow virtd_t virtd_lxc_t:process { getattr noatsecure signal_perms };
+
allow virtd_lxc_t virt_var_run_t:dir search_dir_perms;
-manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir })
-
-manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
-allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
+manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir })
+filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+
+manage_dirs_pattern(virtd_lxc_t, container_file_t, container_file_t)
+manage_files_pattern(virtd_lxc_t, container_file_t, container_file_t)
+manage_chr_files_pattern(virtd_lxc_t, container_file_t, container_file_t)
+manage_lnk_files_pattern(virtd_lxc_t, container_file_t, container_file_t)
+manage_sock_files_pattern(virtd_lxc_t, container_file_t, container_file_t)
+manage_fifo_files_pattern(virtd_lxc_t, container_file_t, container_file_t)
+allow virtd_lxc_t container_file_t:dir_file_class_set { relabelto relabelfrom };
+allow virtd_lxc_t container_file_t:filesystem { relabelto relabelfrom };
+files_associate_rootfs(container_file_t)
+
+seutil_read_file_contexts(virtd_lxc_t)
storage_manage_fixed_disk(virtd_lxc_t)
+storage_rw_fuse(virtd_lxc_t)
kernel_read_all_sysctls(virtd_lxc_t)
kernel_read_network_state(virtd_lxc_t)
kernel_read_system_state(virtd_lxc_t)
+kernel_request_load_module(virtd_lxc_t)
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
@@ -942,17 +1273,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
-files_associate_rootfs(svirt_lxc_file_t)
files_search_all(virtd_lxc_t)
files_getattr_all_files(virtd_lxc_t)
-files_read_usr_files(virtd_lxc_t)
files_relabel_rootfs(virtd_lxc_t)
files_mounton_non_security(virtd_lxc_t)
files_mount_all_file_type_fs(virtd_lxc_t)
files_unmount_all_file_type_fs(virtd_lxc_t)
files_list_isid_type_dirs(virtd_lxc_t)
-files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
+files_root_filetrans(virtd_lxc_t, container_file_t, dir_file_class_set)
+fs_read_fusefs_files(virtd_lxc_t)
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
@@ -964,15 +1294,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
+logging_send_audit_msgs(virtd_lxc_t)
+
selinux_mount_fs(virtd_lxc_t)
selinux_unmount_fs(virtd_lxc_t)
-selinux_get_enforce_mode(virtd_lxc_t)
-selinux_get_fs_mount(virtd_lxc_t)
-selinux_validate_context(virtd_lxc_t)
-selinux_compute_access_vector(virtd_lxc_t)
-selinux_compute_create_context(virtd_lxc_t)
-selinux_compute_relabel_context(virtd_lxc_t)
-selinux_compute_user_contexts(virtd_lxc_t)
+seutil_read_config(virtd_lxc_t)
term_use_generic_ptys(virtd_lxc_t)
term_use_ptmx(virtd_lxc_t)
@@ -982,186 +1308,307 @@ auth_use_nsswitch(virtd_lxc_t)
logging_send_syslog_msg(virtd_lxc_t)
-miscfiles_read_localization(virtd_lxc_t)
-
seutil_domtrans_setfiles(virtd_lxc_t)
-seutil_read_config(virtd_lxc_t)
seutil_read_default_contexts(virtd_lxc_t)
-sysnet_domtrans_ifconfig(virtd_lxc_t)
-
-########################################
-#
-# Common virt lxc domain local policy
-#
-
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
-allow svirt_lxc_domain self:fifo_file manage_file_perms;
-allow svirt_lxc_domain self:sem create_sem_perms;
-allow svirt_lxc_domain self:shm create_shm_perms;
-allow svirt_lxc_domain self:msgq create_msgq_perms;
-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
+selinux_get_enforce_mode(virtd_lxc_t)
+selinux_get_fs_mount(virtd_lxc_t)
+selinux_validate_context(virtd_lxc_t)
+selinux_compute_access_vector(virtd_lxc_t)
+selinux_compute_create_context(virtd_lxc_t)
+selinux_compute_relabel_context(virtd_lxc_t)
+selinux_compute_user_contexts(virtd_lxc_t)
-allow svirt_lxc_domain virtd_lxc_t:fd use;
-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
+sysnet_exec_ifconfig(virtd_lxc_t)
-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+systemd_dbus_chat_machined(virtd_lxc_t)
-allow svirt_lxc_domain virsh_t:fd use;
-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
-allow svirt_lxc_domain virsh_t:process sigchld;
+userdom_read_admin_home_files(virtd_lxc_t)
-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
+optional_policy(`
+ dbus_system_bus_client(virtd_lxc_t)
+ init_dbus_chat(virtd_lxc_t)
-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+ optional_policy(`
+ hal_dbus_chat(virtd_lxc_t)
+ ')
+')
-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
+optional_policy(`
+ container_exec_lib(virtd_lxc_t)
+')
-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
+optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
-kernel_getattr_proc(svirt_lxc_domain)
-kernel_list_all_proc(svirt_lxc_domain)
-kernel_read_kernel_sysctls(svirt_lxc_domain)
-kernel_rw_net_sysctls(svirt_lxc_domain)
-kernel_read_system_state(svirt_lxc_domain)
-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
+optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t)
+')
-corecmd_exec_all_executables(svirt_lxc_domain)
+optional_policy(`
+ unconfined_domain(virtd_lxc_t)
+')
-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
-files_dontaudit_getattr_all_files(svirt_lxc_domain)
-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
-# files_entrypoint_all_files(svirt_lxc_domain)
-files_list_var(svirt_lxc_domain)
-files_list_var_lib(svirt_lxc_domain)
-files_search_all(svirt_lxc_domain)
-files_read_config_files(svirt_lxc_domain)
-files_read_usr_files(svirt_lxc_domain)
-files_read_usr_symlinks(svirt_lxc_domain)
+########################################
+#
+# svirt_sandbox_domain local policy
+#
+allow svirt_sandbox_domain self:key manage_key_perms;
+dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search;
+
+allow svirt_sandbox_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
+allow svirt_sandbox_domain self:fifo_file manage_file_perms;
+allow svirt_sandbox_domain self:msg all_msg_perms;
+allow svirt_sandbox_domain self:sem create_sem_perms;
+allow svirt_sandbox_domain self:shm create_shm_perms;
+allow svirt_sandbox_domain self:msgq create_msgq_perms;
+allow svirt_sandbox_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
+allow svirt_sandbox_domain self:passwd rootok;
+allow svirt_sandbox_domain self:filesystem associate;
+allow svirt_sandbox_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
+
+fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
+fs_rw_onload_sockets(svirt_sandbox_domain)
+
+tunable_policy(`deny_ptrace',`',`
+ allow svirt_sandbox_domain self:process ptrace;
+')
-fs_getattr_all_fs(svirt_lxc_domain)
-fs_list_inotifyfs(svirt_lxc_domain)
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
+
+allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
+allow svirt_sandbox_domain virtd_lxc_t:fd use;
+allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+
+manage_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_fifo_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+allow svirt_sandbox_domain container_file_t:file { execmod relabelfrom relabelto };
+allow svirt_sandbox_domain container_file_t:dir { execmod relabelfrom relabelto };
+allow svirt_sandbox_domain svirt_file_type:dir_file_class_set mounton;
+
+list_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+read_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+read_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+allow svirt_sandbox_domain container_file_t:file execmod;
+can_exec(svirt_sandbox_domain, container_file_t)
+
+allow svirt_sandbox_domain container_file_t:blk_file setattr;
+rw_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+can_exec(svirt_sandbox_domain, container_file_t)
+allow svirt_sandbox_domain container_file_t:dir mounton;
+allow svirt_sandbox_domain container_file_t:filesystem { getattr remount };
+
+kernel_getattr_proc(svirt_sandbox_domain)
+kernel_list_all_proc(svirt_sandbox_domain)
+kernel_read_all_sysctls(svirt_sandbox_domain)
+kernel_rw_net_sysctls(svirt_sandbox_domain)
+kernel_rw_unix_sysctls(svirt_sandbox_domain)
+kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
+kernel_dontaudit_access_check_proc(svirt_sandbox_domain)
+kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain)
+kernel_dontaudit_setattr_proc_dirs(svirt_sandbox_domain)
+kernel_dontaudit_write_usermodehelper_state(svirt_sandbox_domain)
+
+corecmd_exec_all_executables(svirt_sandbox_domain)
+
+domain_dontaudit_link_all_domains_keyrings(svirt_sandbox_domain)
+domain_dontaudit_search_all_domains_keyrings(svirt_sandbox_domain)
+
+files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
+files_dontaudit_getattr_all_files(svirt_sandbox_domain)
+files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
+files_dontaudit_getattr_all_pipes(svirt_sandbox_domain)
+files_dontaudit_getattr_all_sockets(svirt_sandbox_domain)
+files_search_all_mountpoints(svirt_sandbox_domain)
+files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
+files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
+
+files_entrypoint_all_mountpoint(svirt_sandbox_domain)
+corecmd_entrypoint_all_executables(svirt_sandbox_domain)
+
+files_search_all(svirt_sandbox_domain)
+files_read_usr_symlinks(svirt_sandbox_domain)
+files_search_locks(svirt_sandbox_domain)
+files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain)
+
+fs_getattr_all_fs(svirt_sandbox_domain)
+fs_list_inotifyfs(svirt_sandbox_domain)
+fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
+fs_read_hugetlbfs_files(svirt_sandbox_domain)
+fs_read_tmpfs_symlinks(svirt_sandbox_domain)
+fs_search_tmpfs(svirt_sandbox_domain)
+fs_rw_hugetlbfs_files(svirt_sandbox_domain)
+
+
+auth_dontaudit_read_passwd(svirt_sandbox_domain)
+auth_dontaudit_read_login_records(svirt_sandbox_domain)
+auth_dontaudit_write_login_records(svirt_sandbox_domain)
+auth_search_pam_console_data(svirt_sandbox_domain)
+
+init_dontaudit_read_utmp(svirt_sandbox_domain)
+init_dontaudit_write_utmp(svirt_sandbox_domain)
+
+libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
+
+miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain)
+miscfiles_read_fonts(svirt_sandbox_domain)
+miscfiles_read_hwdata(svirt_sandbox_domain)
+
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
+optional_policy(`
+tunable_policy(`virt_sandbox_share_apache_content',`
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
+ ')
+')
-auth_dontaudit_read_login_records(svirt_lxc_domain)
-auth_dontaudit_write_login_records(svirt_lxc_domain)
-auth_search_pam_console_data(svirt_lxc_domain)
+optional_policy(`
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+')
-clock_read_adjtime(svirt_lxc_domain)
+optional_policy(`
+ ssh_use_ptys(svirt_sandbox_domain)
+')
-init_read_utmp(svirt_lxc_domain)
-init_dontaudit_write_utmp(svirt_lxc_domain)
+optional_policy(`
+ udev_read_pid_files(svirt_sandbox_domain)
+')
-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
+optional_policy(`
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
+')
-miscfiles_read_localization(svirt_lxc_domain)
-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
-miscfiles_read_fonts(svirt_lxc_domain)
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(svirt_sandbox_domain)
+ fs_manage_nfs_files(svirt_sandbox_domain)
+ fs_manage_nfs_named_sockets(svirt_sandbox_domain)
+ fs_manage_nfs_symlinks(svirt_sandbox_domain)
+ fs_mount_nfs(svirt_sandbox_domain)
+ fs_unmount_nfs(svirt_sandbox_domain)
+ fs_exec_nfs_files(svirt_sandbox_domain)
+ kernel_rw_fs_sysctls(svirt_sandbox_domain)
+')
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_files(svirt_sandbox_domain)
+ fs_manage_cifs_dirs(svirt_sandbox_domain)
+ fs_manage_cifs_named_sockets(svirt_sandbox_domain)
+ fs_manage_cifs_symlinks(svirt_sandbox_domain)
+ fs_exec_cifs_files(svirt_sandbox_domain)
+')
-optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
+tunable_policy(`virt_sandbox_use_fusefs',`
+ fs_manage_fusefs_dirs(svirt_sandbox_domain)
+ fs_manage_fusefs_files(svirt_sandbox_domain)
+ fs_manage_fusefs_symlinks(svirt_sandbox_domain)
+ fs_mount_fusefs(svirt_sandbox_domain)
+ fs_unmount_fusefs(svirt_sandbox_domain)
+ fs_exec_fusefs_files(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
+ container_read_share_files(svirt_sandbox_domain)
+ container_exec_share_files(svirt_sandbox_domain)
+ container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file)
+ container_use_ptys(svirt_sandbox_domain)
+ container_spc_stream_connect(svirt_sandbox_domain)
+ fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
+ dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
')
########################################
#
-# Lxc net local policy
+# container_t local policy
#
+virt_sandbox_domain_template(container)
+typealias container_t alias svirt_lxc_net_t;
+# Policy moved to container-selinux policy package
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
-dontaudit svirt_lxc_net_t self:capability2 block_suspend;
-allow svirt_lxc_net_t self:process setrlimit;
-allow svirt_lxc_net_t self:tcp_socket { accept listen };
-allow svirt_lxc_net_t self:netlink_route_socket nlmsg_write;
-allow svirt_lxc_net_t self:packet_socket create_socket_perms;
-allow svirt_lxc_net_t self:socket create_socket_perms;
-allow svirt_lxc_net_t self:rawip_socket create_socket_perms;
-allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
-allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
-allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+########################################
+#
+# container_t local policy
+#
+virt_sandbox_domain_template(svirt_qemu_net)
+typeattribute svirt_qemu_net_t sandbox_net_domain;
-kernel_read_network_state(svirt_lxc_net_t)
-kernel_read_irq_sysctls(svirt_lxc_net_t)
+allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
+dontaudit svirt_qemu_net_t self:capability2 block_suspend;
+allow svirt_qemu_net_t self:process { execstack execmem };
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
-corenet_tcp_sendrecv_generic_if(svirt_lxc_net_t)
-corenet_udp_sendrecv_generic_if(svirt_lxc_net_t)
-corenet_tcp_sendrecv_generic_node(svirt_lxc_net_t)
-corenet_udp_sendrecv_generic_node(svirt_lxc_net_t)
-corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
+tunable_policy(`virt_sandbox_use_netlink',`
+ allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
+ allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+ allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+')
-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
-corenet_udp_bind_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
+manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file })
-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
+term_use_generic_ptys(svirt_qemu_net_t)
+term_use_ptmx(svirt_qemu_net_t)
-dev_getattr_mtrr_dev(svirt_lxc_net_t)
-dev_read_rand(svirt_lxc_net_t)
-dev_read_sysfs(svirt_lxc_net_t)
-dev_read_urand(svirt_lxc_net_t)
+dev_rw_kvm(svirt_qemu_net_t)
-files_read_kernel_modules(svirt_lxc_net_t)
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
-fs_mount_cgroup(svirt_lxc_net_t)
-fs_manage_cgroup_dirs(svirt_lxc_net_t)
-fs_rw_cgroup_files(svirt_lxc_net_t)
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-auth_use_nsswitch(svirt_lxc_net_t)
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
-logging_send_audit_msgs(svirt_lxc_net_t)
+kernel_read_irq_sysctls(svirt_qemu_net_t)
-userdom_use_user_ptys(svirt_lxc_net_t)
+dev_read_sysfs(svirt_qemu_net_t)
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
+dev_read_rand(svirt_qemu_net_t)
+dev_read_urand(svirt_qemu_net_t)
-optional_policy(`
- rpm_read_db(svirt_lxc_net_t)
-')
+files_read_kernel_modules(svirt_qemu_net_t)
-#######################################
-#
-# Prot exec local policy
-#
+fs_noxattr_type(container_file_t)
+fs_mount_cgroup(svirt_qemu_net_t)
+fs_manage_cgroup_dirs(svirt_qemu_net_t)
+fs_manage_cgroup_files(svirt_qemu_net_t)
+
+term_pty(container_file_t)
+
+auth_use_nsswitch(svirt_qemu_net_t)
+
+rpm_read_db(svirt_qemu_net_t)
+
+logging_send_syslog_msg(svirt_qemu_net_t)
+
+tunable_policy(`virt_sandbox_use_audit',`
+ logging_send_audit_msgs(svirt_qemu_net_t)
+')
-allow svirt_prot_exec_t self:process { execmem execstack };
+userdom_use_user_ptys(svirt_qemu_net_t)
########################################
#
-# Qmf local policy
+# virt_qmf local policy
#
-
allow virt_qmf_t self:capability { sys_nice sys_tty_config };
allow virt_qmf_t self:process { setsched signal };
allow virt_qmf_t self:fifo_file rw_fifo_file_perms;
-allow virt_qmf_t self:unix_stream_socket { accept listen };
+allow virt_qmf_t self:unix_stream_socket create_stream_socket_perms;
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
@@ -1174,12 +1621,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
+corenet_tcp_connect_matahari_port(virt_qmf_t)
+
domain_use_interactive_fds(virt_qmf_t)
logging_send_syslog_msg(virt_qmf_t)
-miscfiles_read_localization(virt_qmf_t)
-
sysnet_read_config(virt_qmf_t)
optional_policy(`
@@ -1192,7 +1639,7 @@ optional_policy(`
########################################
#
-# Bridgehelper local policy
+# virt_bridgehelper local policy
#
allow virt_bridgehelper_t self:process { setcap getcap };
@@ -1201,11 +1648,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
+allow virt_bridgehelper_t virt_domain:unix_stream_socket { read write };
+
manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
kernel_read_network_state(virt_bridgehelper_t)
+kernel_read_system_state(virt_bridgehelper_t)
+
+dev_read_urand(virt_bridgehelper_t)
+dev_read_rand(virt_bridgehelper_t)
+dev_read_sysfs(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
-userdom_search_user_home_dirs(virt_bridgehelper_t)
-userdom_use_user_ptys(virt_bridgehelper_t)
+userdom_use_inherited_user_ptys(virt_bridgehelper_t)
+
+#######################################
+#
+# virt_qemu_ga local policy
+#
+
+allow virt_qemu_ga_t self:capability { sys_admin sys_time sys_tty_config };
+
+allow virt_qemu_ga_t self:passwd passwd;
+
+allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms;
+allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms;
+
+allow virt_qemu_ga_t virt_qemu_ga_exec_t:dir search_dir_perms;
+can_exec(virt_qemu_ga_t, virt_qemu_ga_exec_t)
+
+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t)
+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t)
+files_tmp_filetrans(virt_qemu_ga_t, virt_qemu_ga_tmp_t, { file dir })
+
+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
+files_pid_filetrans(virt_qemu_ga_t, virt_qemu_ga_var_run_t, { dir file } )
+
+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
+logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, { dir file })
+
+kernel_read_system_state(virt_qemu_ga_t)
+kernel_rw_kernel_sysctl(virt_qemu_ga_t)
+
+corecmd_exec_shell(virt_qemu_ga_t)
+corecmd_exec_bin(virt_qemu_ga_t)
+
+clock_read_adjtime(virt_qemu_ga_t)
+
+dev_getattr_apm_bios_dev(virt_qemu_ga_t)
+dev_rw_sysfs(virt_qemu_ga_t)
+dev_rw_realtime_clock(virt_qemu_ga_t)
+
+files_list_all_mountpoints(virt_qemu_ga_t)
+files_write_all_mountpoints(virt_qemu_ga_t)
+
+fs_list_all(virt_qemu_ga_t)
+fs_getattr_all_fs(virt_qemu_ga_t)
+
+term_use_virtio_console(virt_qemu_ga_t)
+term_use_all_ttys(virt_qemu_ga_t)
+term_use_unallocated_ttys(virt_qemu_ga_t)
+
+auth_use_nsswitch(virt_qemu_ga_t)
+
+logging_send_syslog_msg(virt_qemu_ga_t)
+logging_send_audit_msgs(virt_qemu_ga_t)
+
+modutils_exec_insmod(virt_qemu_ga_t)
+
+sysnet_dns_name_resolve(virt_qemu_ga_t)
+
+systemd_exec_systemctl(virt_qemu_ga_t)
+systemd_start_power_services(virt_qemu_ga_t)
+
+userdom_use_user_ptys(virt_qemu_ga_t)
+
+usermanage_domtrans_passwd(virt_qemu_ga_t)
+
+tunable_policy(`virt_read_qemu_ga_data',`
+ read_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
+ read_lnk_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
+')
+
+tunable_policy(`virt_rw_qemu_ga_data',`
+ manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
+ manage_lnk_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
+ manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
+')
+
+optional_policy(`
+ bootloader_domtrans(virt_qemu_ga_t)
+')
+
+optional_policy(`
+ clock_domtrans(virt_qemu_ga_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(virt_qemu_ga_t)
+')
+
+optional_policy(`
+ cron_initrc_domtrans(virt_qemu_ga_t)
+ cron_domtrans(virt_qemu_ga_t)
+')
+
+optional_policy(`
+ devicekit_manage_pid_files(virt_qemu_ga_t)
+ devicekit_read_log_files(virt_qemu_ga_t)
+')
+
+optional_policy(`
+ fstools_domtrans(virt_qemu_ga_t)
+')
+
+optional_policy(`
+ rpm_dbus_chat(virt_qemu_ga_t)
+')
+
+optional_policy(`
+ shutdown_domtrans(virt_qemu_ga_t)
+')
+
+#######################################
+#
+# qemu-ga unconfined hook script local policy
+#
+
+optional_policy(`
+ type virt_qemu_ga_unconfined_t;
+ domain_type(virt_qemu_ga_unconfined_t)
+
+ domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t)
+ role system_r types virt_qemu_ga_unconfined_t;
+
+ domtrans_pattern(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t, virt_qemu_ga_unconfined_t)
+
+ allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir search_dir_perms;
+ allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms;
+ allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file ioctl;
+
+ init_domtrans_script(virt_qemu_ga_unconfined_t)
+
+ optional_policy(`
+ unconfined_domain(virt_qemu_ga_unconfined_t)
+ ')
+')
+
+#######################################
+#
+# tye for svirt sockets
+#
+
+type svirt_socket_t;
+domain_type(svirt_socket_t)
+role system_r types svirt_socket_t;
+allow virtd_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
+allow virt_domain svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
+
+tunable_policy(`virt_transition_userdomain',`
+ userdom_transition(virtd_t)
+ userdom_transition(virtd_lxc_t)
+')
+
+########################################
+#
+# svirt_kvm_net_t local policy
+#
+virt_sandbox_domain_template(svirt_kvm_net)
+typeattribute svirt_kvm_net_t sandbox_net_domain;
+
+allow svirt_kvm_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
+dontaudit svirt_kvm_net_t self:capability2 block_suspend;
+
+tunable_policy(`virt_sandbox_use_netlink',`
+ allow svirt_kvm_net_t self:netlink_socket create_socket_perms;
+ allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+ allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+')
+
+term_use_generic_ptys(svirt_kvm_net_t)
+term_use_ptmx(svirt_kvm_net_t)
+
+dev_rw_kvm(svirt_kvm_net_t)
+
+manage_sock_files_pattern(svirt_kvm_net_t, virt_var_run_t, virt_var_run_t)
+
+list_dirs_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t)
+
+append_files_pattern(svirt_kvm_net_t, virt_log_t, virt_log_t)
+
+kernel_read_network_state(svirt_kvm_net_t)
+kernel_read_irq_sysctls(svirt_kvm_net_t)
+
+dev_read_sysfs(svirt_kvm_net_t)
+dev_getattr_mtrr_dev(svirt_kvm_net_t)
+dev_read_rand(svirt_kvm_net_t)
+dev_read_urand(svirt_kvm_net_t)
+
+files_read_kernel_modules(svirt_kvm_net_t)
+
+fs_noxattr_type(container_file_t)
+fs_mount_cgroup(svirt_kvm_net_t)
+fs_manage_cgroup_dirs(svirt_kvm_net_t)
+fs_manage_cgroup_files(svirt_kvm_net_t)
+
+term_pty(container_file_t)
+
+auth_use_nsswitch(svirt_kvm_net_t)
+
+rpm_read_db(svirt_kvm_net_t)
+
+logging_send_syslog_msg(svirt_kvm_net_t)
+
+tunable_policy(`virt_sandbox_use_audit',`
+ logging_send_audit_msgs(svirt_kvm_net_t)
+')
+
+userdom_use_user_ptys(svirt_kvm_net_t)
+
+kernel_read_network_state(sandbox_net_domain)
+
+allow sandbox_net_domain self:capability { net_raw net_admin net_bind_service };
+allow sandbox_net_domain self:cap_userns { net_raw net_admin net_bind_service };
+
+allow sandbox_net_domain self:udp_socket create_socket_perms;
+allow sandbox_net_domain self:tcp_socket create_stream_socket_perms;
+allow sandbox_net_domain self:netlink_route_socket create_netlink_socket_perms;
+allow sandbox_net_domain self:packet_socket create_socket_perms;
+allow sandbox_net_domain self:socket create_socket_perms;
+allow sandbox_net_domain self:rawip_socket create_stream_socket_perms;
+allow sandbox_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+corenet_tcp_bind_generic_node(sandbox_net_domain)
+corenet_udp_bind_generic_node(sandbox_net_domain)
+corenet_raw_bind_generic_node(sandbox_net_domain)
+corenet_tcp_sendrecv_all_ports(sandbox_net_domain)
+corenet_udp_sendrecv_all_ports(sandbox_net_domain)
+corenet_udp_bind_all_ports(sandbox_net_domain)
+corenet_tcp_bind_all_ports(sandbox_net_domain)
+corenet_tcp_connect_all_ports(sandbox_net_domain)
+
+optional_policy(`
+ sssd_stream_connect(sandbox_net_domain)
+')
+
+optional_policy(`
+ systemd_dbus_chat_logind(sandbox_net_domain)
+')
+
+allow sandbox_caps_domain self:capability { chown dac_read_search fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
+allow sandbox_caps_domain self:cap_userns { chown dac_read_search fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
+
+list_dirs_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t)
+read_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t)
+read_lnk_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t)
+allow svirt_sandbox_domain container_ro_file_t:file execmod;
+can_exec(svirt_sandbox_domain, container_ro_file_t)
diff --git a/vlock.te b/vlock.te
index 6b72968ea..de409cc61 100644
--- a/vlock.te
+++ b/vlock.te
@@ -38,7 +38,7 @@ auth_use_pam(vlock_t)
init_dontaudit_rw_utmp(vlock_t)
-miscfiles_read_localization(vlock_t)
+logging_send_syslog_msg(vlock_t)
userdom_dontaudit_search_user_home_dirs(vlock_t)
-userdom_use_user_terminals(vlock_t)
+userdom_use_inherited_user_terminals(vlock_t)
diff --git a/vmtools.fc b/vmtools.fc
new file mode 100644
index 000000000..13ee573e4
--- /dev/null
+++ b/vmtools.fc
@@ -0,0 +1,6 @@
+/usr/bin/vmtoolsd -- gen_context(system_u:object_r:vmtools_exec_t,s0)
+/usr/bin/VGAuthService -- gen_context(system_u:object_r:vmtools_exec_t,s0)
+
+/usr/bin/vmware-user-suid-wrapper -- gen_context(system_u:object_r:vmtools_helper_exec_t,s0)
+
+/usr/lib/systemd/system/vmtoolsd.* -- gen_context(system_u:object_r:vmtools_unit_file_t,s0)
diff --git a/vmtools.if b/vmtools.if
new file mode 100644
index 000000000..afd0c9791
--- /dev/null
+++ b/vmtools.if
@@ -0,0 +1,123 @@
+## <summary>VMware Tools daemon</summary>
+
+########################################
+## <summary>
+## Execute vmtools in the vmtools domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vmtools_domtrans',`
+ gen_require(`
+ type vmtools_t, vmtools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, vmtools_exec_t, vmtools_t)
+')
+
+########################################
+## <summary>
+## Execute vmtools in the vmtools domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vmtools_domtrans_helper',`
+ gen_require(`
+ type vmtools_helper_t, vmtools_helper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, vmtools_helper_exec_t, vmtools_helper_t)
+')
+
+########################################
+## <summary>
+## Execute vmtools helpers in the vmtools_heler domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the mozilla_plugin domain.
+## </summary>
+## </param>
+#
+interface(`vmtools_run_helper',`
+ gen_require(`
+ attribute_role vmtools_helper_roles;
+ ')
+
+ vmtools_domtrans_helper($1)
+ roleattribute $2 vmtools_helper_roles;
+')
+
+########################################
+## <summary>
+## Execute vmtools server in the vmtools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vmtools_systemctl',`
+ gen_require(`
+ type vmtools_t;
+ type vmtools_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 vmtools_unit_file_t:file read_file_perms;
+ allow $1 vmtools_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, vmtools_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an vmtools environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vmtools_admin',`
+ gen_require(`
+ type vmtools_t;
+ type vmtools_unit_file_t;
+ ')
+
+ allow $1 vmtools_t:process { signal_perms };
+ ps_process_pattern($1, vmtools_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 vmtools_t:process ptrace;
+ ')
+
+ vmtools_systemctl($1)
+ admin_pattern($1, vmtools_unit_file_t)
+ allow $1 vmtools_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/vmtools.te b/vmtools.te
new file mode 100644
index 000000000..f98f2885b
--- /dev/null
+++ b/vmtools.te
@@ -0,0 +1,100 @@
+policy_module(vmtools, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role vmtools_helper_roles;
+
+roleattribute system_r vmtools_helper_roles;
+
+type vmtools_t;
+type vmtools_exec_t;
+init_daemon_domain(vmtools_t, vmtools_exec_t)
+role vmtools_helper_roles types vmtools_t;
+
+type vmtools_helper_t;
+type vmtools_helper_exec_t;
+application_domain(vmtools_helper_t, vmtools_helper_exec_t)
+domain_system_change_exemption(vmtools_helper_t)
+role vmtools_helper_roles types vmtools_helper_t;
+
+type vmtools_unit_file_t;
+systemd_unit_file(vmtools_unit_file_t)
+
+type vmtools_tmp_t;
+files_tmp_file(vmtools_tmp_t)
+
+########################################
+#
+# vmtools local policy
+#
+
+allow vmtools_t self:capability { sys_time sys_rawio };
+allow vmtools_t self:fifo_file rw_fifo_file_perms;
+allow vmtools_t self:unix_stream_socket create_stream_socket_perms;
+allow vmtools_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(vmtools_t, vmtools_tmp_t, vmtools_tmp_t)
+manage_files_pattern(vmtools_t, vmtools_tmp_t, vmtools_tmp_t)
+manage_lnk_files_pattern(vmtools_t, vmtools_tmp_t, vmtools_tmp_t)
+files_tmp_filetrans(vmtools_t, vmtools_tmp_t, { file dir })
+
+kernel_read_system_state(vmtools_t)
+kernel_read_network_state(vmtools_t)
+
+corecmd_exec_bin(vmtools_t)
+corecmd_exec_shell(vmtools_t)
+
+dev_read_urand(vmtools_t)
+dev_getattr_all_blk_files(vmtools_t)
+
+fs_getattr_all_fs(vmtools_t)
+
+auth_use_nsswitch(vmtools_t)
+
+#shutdown
+init_rw_utmp(vmtools_t)
+init_stream_connect(vmtools_t)
+init_telinit(vmtools_t)
+
+logging_send_syslog_msg(vmtools_t)
+
+systemd_exec_systemctl(vmtools_t)
+
+sysnet_domtrans_ifconfig(vmtools_t)
+
+xserver_stream_connect_xdm(vmtools_t)
+xserver_stream_connect(vmtools_t)
+
+optional_policy(`
+ networkmanager_dbus_chat(vmtools_t)
+')
+
+optional_policy(`
+ rpm_transition_script(vmtools_t,system_r)
+')
+
+optional_policy(`
+ unconfined_domain(vmtools_t)
+')
+
+########################################
+#
+# vmtools-helper local policy
+#
+
+domtrans_pattern(vmtools_helper_t, vmtools_exec_t, vmtools_t)
+can_exec(vmtools_helper_t, vmtools_helper_exec_t)
+
+corecmd_exec_bin(vmtools_helper_t)
+
+userdom_stream_connect(vmtools_helper_t)
+userdom_use_inherited_user_ttys(vmtools_helper_t)
+userdom_use_inherited_user_ptys(vmtools_helper_t)
+
+optional_policy(`
+ unconfined_domain(vmtools_helper_t)
+')
+
diff --git a/vmware.if b/vmware.if
index 20a1fb296..470ea9528 100644
--- a/vmware.if
+++ b/vmware.if
@@ -26,7 +26,11 @@ interface(`vmware_role',`
domtrans_pattern($2, vmware_exec_t, vmware_t)
ps_process_pattern($2, vmware_t)
- allow $2 vmware_t:process { ptrace signal_perms };
+ allow $2 vmware_t:process signal_perms;
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 vmware_t:process ptrace;
+ ')
allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms };
diff --git a/vmware.te b/vmware.te
index 4ad18944a..c3b3f8c0c 100644
--- a/vmware.te
+++ b/vmware.te
@@ -65,7 +65,8 @@ ifdef(`enable_mcs',`
# Host local policy
#
-allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
+allow vmware_host_t self:capability { net_admin sys_module };
+allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_read_search };
dontaudit vmware_host_t self:capability sys_tty_config;
allow vmware_host_t self:process { execstack execmem signal_perms };
allow vmware_host_t self:fifo_file rw_fifo_file_perms;
@@ -91,11 +92,12 @@ logging_log_filetrans(vmware_host_t, vmware_log_t, file)
can_exec(vmware_host_t, vmware_host_exec_t)
+kernel_load_module(vmware_host_t)
kernel_read_kernel_sysctls(vmware_host_t)
kernel_read_system_state(vmware_host_t)
kernel_read_network_state(vmware_host_t)
+kernel_request_load_module(vmware_host_t)
-corenet_all_recvfrom_unlabeled(vmware_host_t)
corenet_all_recvfrom_netlabel(vmware_host_t)
corenet_tcp_sendrecv_generic_if(vmware_host_t)
corenet_udp_sendrecv_generic_if(vmware_host_t)
@@ -115,14 +117,13 @@ dev_getattr_all_blk_files(vmware_host_t)
dev_read_sysfs(vmware_host_t)
dev_read_urand(vmware_host_t)
dev_rw_vmware(vmware_host_t)
+dev_rw_generic_chr_files(vmware_host_t)
domain_use_interactive_fds(vmware_host_t)
domain_dontaudit_read_all_domains_state(vmware_host_t)
files_list_tmp(vmware_host_t)
-files_read_etc_files(vmware_host_t)
files_read_etc_runtime_files(vmware_host_t)
-files_read_usr_files(vmware_host_t)
fs_getattr_all_fs(vmware_host_t)
fs_search_auto_mountpoints(vmware_host_t)
@@ -138,23 +139,27 @@ libs_exec_ld_so(vmware_host_t)
logging_send_syslog_msg(vmware_host_t)
-miscfiles_read_localization(vmware_host_t)
-
sysnet_dns_name_resolve(vmware_host_t)
sysnet_domtrans_ifconfig(vmware_host_t)
+systemd_start_power_services(vmware_host_t)
+
userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
userdom_dontaudit_search_user_home_dirs(vmware_host_t)
netutils_domtrans_ping(vmware_host_t)
optional_policy(`
- hostname_exec(vmware_host_t)
+ unconfined_domain(vmware_host_t)
')
optional_policy(`
+ hostname_exec(vmware_host_t)
+')
+
+optional_policy(`
modutils_domtrans_insmod(vmware_host_t)
-')
+')
optional_policy(`
samba_read_config(vmware_host_t)
@@ -182,7 +187,7 @@ optional_policy(`
# Guest local policy
#
-allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
+allow vmware_t self:capability { dac_read_search setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
dontaudit vmware_t self:capability sys_tty_config;
allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow vmware_t self:process { execmem execstack };
@@ -244,9 +249,7 @@ dev_search_sysfs(vmware_t)
domain_use_interactive_fds(vmware_t)
-files_read_etc_files(vmware_t)
files_read_etc_runtime_files(vmware_t)
-files_read_usr_files(vmware_t)
files_list_home(vmware_t)
fs_getattr_all_fs(vmware_t)
@@ -258,9 +261,8 @@ storage_raw_write_removable_device(vmware_t)
libs_exec_ld_so(vmware_t)
libs_read_lib_files(vmware_t)
-miscfiles_read_localization(vmware_t)
-userdom_use_user_terminals(vmware_t)
+userdom_use_inherited_user_terminals(vmware_t)
userdom_list_user_home_dirs(vmware_t)
sysnet_dns_name_resolve(vmware_t)
diff --git a/vnstatd.if b/vnstatd.if
index 137ac4458..b644854c9 100644
--- a/vnstatd.if
+++ b/vnstatd.if
@@ -157,7 +157,6 @@ interface(`vnstatd_manage_lib_files',`
## Role allowed access.
## </summary>
## </param>
-## <rolecap/>
#
interface(`vnstatd_admin',`
gen_require(`
@@ -165,9 +164,13 @@ interface(`vnstatd_admin',`
type vnstatd_var_run_t;
')
- allow $1 vnstatd_t:process { ptrace signal_perms };
+ allow $1 vnstatd_t:process signal_perms;
ps_process_pattern($1, vnstatd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 vnstatd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, vnstatd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 vnstatd_initrc_exec_t system_r;
diff --git a/vnstatd.te b/vnstatd.te
index e2220ae7f..85f393b41 100644
--- a/vnstatd.te
+++ b/vnstatd.te
@@ -36,7 +36,7 @@ allow vnstatd_t self:unix_stream_socket { accept listen };
manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
-files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
+files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, dir)
manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
@@ -45,16 +45,14 @@ files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file })
kernel_read_network_state(vnstatd_t)
kernel_read_system_state(vnstatd_t)
-domain_use_interactive_fds(vnstatd_t)
+dev_read_sysfs(vnstatd_t)
-files_read_etc_files(vnstatd_t)
+domain_use_interactive_fds(vnstatd_t)
fs_getattr_xattr_fs(vnstatd_t)
logging_send_syslog_msg(vnstatd_t)
-miscfiles_read_localization(vnstatd_t)
-
########################################
#
# Client local policy
@@ -64,23 +62,19 @@ allow vnstat_t self:process signal;
allow vnstat_t self:fifo_file rw_fifo_file_perms;
allow vnstat_t self:unix_stream_socket { accept listen };
+files_search_var_lib(vnstat_t)
manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
-files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file })
kernel_read_network_state(vnstat_t)
kernel_read_system_state(vnstat_t)
domain_use_interactive_fds(vnstat_t)
-files_read_etc_files(vnstat_t)
-
fs_getattr_xattr_fs(vnstat_t)
logging_send_syslog_msg(vnstat_t)
-miscfiles_read_localization(vnstat_t)
-
optional_policy(`
cron_system_entry(vnstat_t, vnstat_exec_t)
')
diff --git a/vpn.fc b/vpn.fc
index 524ac2f76..076dcc3e6 100644
--- a/vpn.fc
+++ b/vpn.fc
@@ -1,7 +1,13 @@
-/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+#
+# sbin
+#
+/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+#
+# /usr
+#
/usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0)
-/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
-/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
+/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
diff --git a/vpn.if b/vpn.if
index 7a7f34297..afedcba80 100644
--- a/vpn.if
+++ b/vpn.if
@@ -1,8 +1,8 @@
-## <summary>Virtual Private Networking client.</summary>
+## <summary>Virtual Private Networking client</summary>
########################################
## <summary>
-## Execute vpn clients in the vpnc domain.
+## Execute VPN clients in the vpnc domain.
## </summary>
## <param name="domain">
## <summary>
@@ -15,15 +15,13 @@ interface(`vpn_domtrans',`
type vpnc_t, vpnc_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, vpnc_exec_t, vpnc_t)
')
########################################
## <summary>
-## Execute vpn clients in the vpnc
-## domain, and allow the specified
-## role the vpnc domain.
+## Execute VPN clients in the vpnc domain, and
+## allow the specified role the vpnc domain.
## </summary>
## <param name="domain">
## <summary>
@@ -40,6 +38,7 @@ interface(`vpn_domtrans',`
interface(`vpn_run',`
gen_require(`
attribute_role vpnc_roles;
+ type vpnc_t;
')
vpn_domtrans($1)
@@ -48,7 +47,7 @@ interface(`vpn_run',`
########################################
## <summary>
-## Send kill signals to vpnc.
+## Send VPN clients the kill signal.
## </summary>
## <param name="domain">
## <summary>
@@ -66,7 +65,7 @@ interface(`vpn_kill',`
########################################
## <summary>
-## Send generic signals to vpnc.
+## Send generic signals to VPN clients.
## </summary>
## <param name="domain">
## <summary>
@@ -84,7 +83,7 @@ interface(`vpn_signal',`
########################################
## <summary>
-## Send null signals to vpnc.
+## Send signull to VPN clients.
## </summary>
## <param name="domain">
## <summary>
@@ -103,7 +102,7 @@ interface(`vpn_signull',`
########################################
## <summary>
## Send and receive messages from
-## vpnc over dbus.
+## Vpnc over dbus.
## </summary>
## <param name="domain">
## <summary>
diff --git a/vpn.te b/vpn.te
index 95b26d126..ac16df363 100644
--- a/vpn.te
+++ b/vpn.te
@@ -6,6 +6,7 @@ policy_module(vpn, 1.16.0)
#
attribute_role vpnc_roles;
+roleattribute system_r vpnc_roles;
type vpnc_t;
type vpnc_exec_t;
@@ -24,13 +25,17 @@ files_pid_file(vpnc_var_run_t)
# Local policy
#
-allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw setuid };
+allow vpnc_t self:capability { dac_read_search net_admin ipc_lock net_raw setuid };
allow vpnc_t self:process { getsched signal };
allow vpnc_t self:fifo_file rw_fifo_file_perms;
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
-allow vpnc_t self:tcp_socket { accept listen };
+allow vpnc_t self:tcp_socket create_stream_socket_perms;
+allow vpnc_t self:udp_socket create_socket_perms;
allow vpnc_t self:rawip_socket create_socket_perms;
+allow vpnc_t self:unix_dgram_socket create_socket_perms;
+allow vpnc_t self:unix_stream_socket create_socket_perms;
allow vpnc_t self:tun_socket { create_socket_perms relabelfrom };
+# cjp: this needs to be fixed
allow vpnc_t self:socket create_socket_perms;
manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
@@ -47,7 +52,6 @@ kernel_read_all_sysctls(vpnc_t)
kernel_request_load_module(vpnc_t)
kernel_rw_net_sysctls(vpnc_t)
-corenet_all_recvfrom_unlabeled(vpnc_t)
corenet_all_recvfrom_netlabel(vpnc_t)
corenet_tcp_sendrecv_generic_if(vpnc_t)
corenet_udp_sendrecv_generic_if(vpnc_t)
@@ -58,38 +62,32 @@ corenet_raw_sendrecv_generic_node(vpnc_t)
corenet_tcp_sendrecv_all_ports(vpnc_t)
corenet_udp_sendrecv_all_ports(vpnc_t)
corenet_udp_bind_generic_node(vpnc_t)
-
-corenet_sendrecv_all_server_packets(vpnc_t)
corenet_udp_bind_generic_port(vpnc_t)
-
-corenet_sendrecv_isakmp_server_packets(vpnc_t)
corenet_udp_bind_isakmp_port(vpnc_t)
-
-corenet_sendrecv_generic_server_packets(vpnc_t)
corenet_udp_bind_ipsecnat_port(vpnc_t)
-
-corenet_sendrecv_all_client_packets(vpnc_t)
corenet_tcp_connect_all_ports(vpnc_t)
-
+corenet_sendrecv_all_client_packets(vpnc_t)
+corenet_sendrecv_isakmp_server_packets(vpnc_t)
+corenet_sendrecv_generic_server_packets(vpnc_t)
corenet_rw_tun_tap_dev(vpnc_t)
-corecmd_exec_all_executables(vpnc_t)
-
dev_read_rand(vpnc_t)
dev_read_urand(vpnc_t)
dev_read_sysfs(vpnc_t)
domain_use_interactive_fds(vpnc_t)
-files_exec_etc_files(vpnc_t)
-files_read_etc_runtime_files(vpnc_t)
-files_dontaudit_search_home(vpnc_t)
-
fs_getattr_xattr_fs(vpnc_t)
fs_getattr_tmpfs(vpnc_t)
-term_use_all_ptys(vpnc_t)
-term_use_all_ttys(vpnc_t)
+term_use_all_inherited_ptys(vpnc_t)
+term_use_all_inherited_ttys(vpnc_t)
+
+corecmd_exec_all_executables(vpnc_t)
+
+files_exec_etc_files(vpnc_t)
+files_read_etc_runtime_files(vpnc_t)
+files_dontaudit_search_home(vpnc_t)
auth_use_nsswitch(vpnc_t)
@@ -103,16 +101,15 @@ locallogin_use_fds(vpnc_t)
logging_send_syslog_msg(vpnc_t)
logging_dontaudit_search_logs(vpnc_t)
-miscfiles_read_localization(vpnc_t)
-
-seutil_dontaudit_search_config(vpnc_t)
+seutil_use_newrole_fds(vpnc_t)
sysnet_run_ifconfig(vpnc_t, vpnc_roles)
sysnet_etc_filetrans_config(vpnc_t)
sysnet_manage_config(vpnc_t)
userdom_use_all_users_fds(vpnc_t)
-userdom_dontaudit_search_user_home_content(vpnc_t)
+userdom_read_home_certs(vpnc_t)
+userdom_search_admin_dir(vpnc_t)
optional_policy(`
dbus_system_bus_client(vpnc_t)
@@ -124,8 +121,5 @@ optional_policy(`
optional_policy(`
networkmanager_attach_tun_iface(vpnc_t)
-')
-
-optional_policy(`
- seutil_use_newrole_fds(vpnc_t)
+ networkmanager_manage_pid_files(vpnc_t)
')
diff --git a/w3c.fc b/w3c.fc
index 463c799f4..227feaf34 100644
--- a/w3c.fc
+++ b/w3c.fc
@@ -1,4 +1,4 @@
-/usr/lib/cgi-bin/check -- gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
+/usr/lib/cgi-bin/check -- gen_context(system_u:object_r:w3c_validator_script_exec_t,s0)
-/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
-/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
+/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:w3c_validator_content_t,s0)
+/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:w3c_validator_script_exec_t,s0)
diff --git a/w3c.te b/w3c.te
index b14d6a948..d7c79382d 100644
--- a/w3c.te
+++ b/w3c.te
@@ -6,29 +6,37 @@ policy_module(w3c, 1.1.0)
#
apache_content_template(w3c_validator)
+apache_content_alias_template(w3c_validator, w3c_validator)
+
+type w3c_validator_tmp_t;
+files_tmp_file(w3c_validator_tmp_t)
########################################
#
# Local policy
#
+manage_dirs_pattern(w3c_validator_script_t, w3c_validator_tmp_t, w3c_validator_tmp_t)
+manage_files_pattern(w3c_validator_script_t, w3c_validator_tmp_t, w3c_validator_tmp_t)
+files_tmp_filetrans(w3c_validator_script_t, w3c_validator_tmp_t, { file dir })
+
-corenet_all_recvfrom_unlabeled(httpd_w3c_validator_script_t)
-corenet_all_recvfrom_netlabel(httpd_w3c_validator_script_t)
-corenet_tcp_sendrecv_generic_if(httpd_w3c_validator_script_t)
-corenet_tcp_sendrecv_generic_node(httpd_w3c_validator_script_t)
+corenet_all_recvfrom_unlabeled(w3c_validator_script_t)
+corenet_all_recvfrom_netlabel(w3c_validator_script_t)
+corenet_tcp_sendrecv_generic_if(w3c_validator_script_t)
+corenet_tcp_sendrecv_generic_node(w3c_validator_script_t)
-corenet_sendrecv_ftp_client_packets(httpd_w3c_validator_script_t)
-corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
-corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
+corenet_sendrecv_ftp_client_packets(w3c_validator_script_t)
+corenet_tcp_connect_ftp_port(w3c_validator_script_t)
+corenet_tcp_sendrecv_ftp_port(w3c_validator_script_t)
-corenet_sendrecv_http_client_packets(httpd_w3c_validator_script_t)
-corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
-corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
+corenet_sendrecv_http_client_packets(w3c_validator_script_t)
+corenet_tcp_connect_http_port(w3c_validator_script_t)
+corenet_tcp_sendrecv_http_port(w3c_validator_script_t)
-corenet_sendrecv_http_cache_client_packets(httpd_w3c_validator_script_t)
-corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
-corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
+corenet_sendrecv_http_cache_client_packets(w3c_validator_script_t)
+corenet_tcp_connect_http_cache_port(w3c_validator_script_t)
+corenet_tcp_sendrecv_http_cache_port(w3c_validator_script_t)
-miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
+miscfiles_read_generic_certs(w3c_validator_script_t)
-sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
+sysnet_dns_name_resolve(w3c_validator_script_t)
diff --git a/watchdog.fc b/watchdog.fc
index eecd0e03b..8df2e8ce7 100644
--- a/watchdog.fc
+++ b/watchdog.fc
@@ -1,7 +1,12 @@
/etc/rc\.d/init\.d/watchdog -- gen_context(system_u:object_r:watchdog_initrc_exec_t,s0)
+/etc/watchdog\.d(/.*)? gen_context(system_u:object_r:watchdog_unconfined_exec_t,s0)
/usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0)
+/usr/libexec/watchdog/scripts(/.*)? gen_context(system_u:object_r:watchdog_unconfined_exec_t,s0)
+
+/var/cache/watchdog(/.*)? gen_context(system_u:object_r:watchdog_cache_t,s0)
+
/var/log/watchdog.* gen_context(system_u:object_r:watchdog_log_t,s0)
/var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0)
diff --git a/watchdog.if b/watchdog.if
index 6461a7746..8fda2dd71 100644
--- a/watchdog.if
+++ b/watchdog.if
@@ -37,3 +37,21 @@ interface(`watchdog_admin',`
files_search_pids($1)
admin_pattern($1, watchdog_var_run_t)
')
+
+#######################################
+## <summary>
+## Allow read watchdog_unconfined_t lnk files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`watchdog_unconfined_exec_read_lnk_files',`
+ gen_require(`
+ type watchdog_unconfined_exec_t;
+ ')
+
+ read_lnk_files_pattern($1,watchdog_unconfined_exec_t, watchdog_unconfined_exec_t)
+')
diff --git a/watchdog.te b/watchdog.te
index 3548317cf..fc3da17d6 100644
--- a/watchdog.te
+++ b/watchdog.te
@@ -12,34 +12,47 @@ init_daemon_domain(watchdog_t, watchdog_exec_t)
type watchdog_initrc_exec_t;
init_script_file(watchdog_initrc_exec_t)
+type watchdog_cache_t;
+files_type(watchdog_cache_t)
+
type watchdog_log_t;
logging_log_file(watchdog_log_t)
type watchdog_var_run_t;
files_pid_file(watchdog_var_run_t)
+type watchdog_unconfined_exec_t;
+application_executable_file(watchdog_unconfined_exec_t)
+
########################################
#
# Local policy
#
-allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
+allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource net_raw };
dontaudit watchdog_t self:capability sys_tty_config;
allow watchdog_t self:process { setsched signal_perms };
allow watchdog_t self:fifo_file rw_fifo_file_perms;
allow watchdog_t self:tcp_socket { accept listen };
+allow watchdog_t self:rawip_socket create_socket_perms;
-allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(watchdog_t, watchdog_log_t, file)
+manage_files_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
+manage_dirs_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
+
+manage_files_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)
+manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)
+logging_log_filetrans(watchdog_t, watchdog_log_t,{dir file})
manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
files_pid_filetrans(watchdog_t, watchdog_var_run_t, file)
+kernel_read_network_state(watchdog_t)
kernel_read_system_state(watchdog_t)
kernel_read_kernel_sysctls(watchdog_t)
kernel_unmount_proc(watchdog_t)
corecmd_exec_shell(watchdog_t)
+corecmd_exec_bin(watchdog_t)
corenet_all_recvfrom_unlabeled(watchdog_t)
corenet_all_recvfrom_netlabel(watchdog_t)
@@ -63,7 +76,6 @@ domain_signull_all_domains(watchdog_t)
domain_signal_all_domains(watchdog_t)
domain_kill_all_domains(watchdog_t)
-files_read_etc_files(watchdog_t)
files_manage_etc_runtime_files(watchdog_t)
files_etc_filetrans_etc_runtime(watchdog_t, file)
@@ -72,17 +84,20 @@ fs_getattr_all_fs(watchdog_t)
fs_search_auto_mountpoints(watchdog_t)
auth_append_login_records(watchdog_t)
+auth_read_passwd(watchdog_t)
logging_send_syslog_msg(watchdog_t)
-miscfiles_read_localization(watchdog_t)
-
sysnet_dns_name_resolve(watchdog_t)
userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
userdom_dontaudit_search_user_home_dirs(watchdog_t)
optional_policy(`
+ cron_system_entry(watchdog_t, watchdog_exec_t)
+')
+
+optional_policy(`
mta_send_mail(watchdog_t)
')
@@ -91,9 +106,42 @@ optional_policy(`
')
optional_policy(`
+ rhcs_domtrans_fenced(watchdog_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(watchdog_t)
')
optional_policy(`
udev_read_db(watchdog_t)
')
+
+optional_policy(`
+ watchdog_unconfined_exec_read_lnk_files(watchdog_t)
+')
+
+########################################
+#
+# watchdog_unconfined_script_t local policy
+#
+
+optional_policy(`
+ type watchdog_unconfined_t;
+ domain_type(watchdog_unconfined_t)
+
+ domain_entry_file(watchdog_unconfined_t, watchdog_unconfined_exec_t)
+ role system_r types watchdog_unconfined_t;
+
+ domtrans_pattern(watchdog_t, watchdog_unconfined_exec_t, watchdog_unconfined_t)
+
+ allow watchdog_t watchdog_unconfined_exec_t:dir search_dir_perms;
+ allow watchdog_t watchdog_unconfined_exec_t:dir read_file_perms;
+ allow watchdog_t watchdog_unconfined_exec_t:file ioctl;
+
+ init_domtrans_script(watchdog_unconfined_t)
+
+ optional_policy(`
+ unconfined_domain(watchdog_unconfined_t)
+ ')
+')
diff --git a/wdmd.fc b/wdmd.fc
index 66f11f724..e051997a6 100644
--- a/wdmd.fc
+++ b/wdmd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/wdmd -- gen_context(system_u:object_r:wdmd_initrc_exec_t,s0)
-/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0)
+/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0)
+
+/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0)
+/var/run/checkquorum-timer -- gen_context(system_u:object_r:wdmd_var_run_t,s0)
-/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0)
diff --git a/wdmd.if b/wdmd.if
index 1e3aec07f..d17ff392f 100644
--- a/wdmd.if
+++ b/wdmd.if
@@ -1,29 +1,47 @@
-## <summary>Watchdog multiplexing daemon.</summary>
+
+## <summary>watchdog multiplexing daemon</summary>
########################################
## <summary>
-## Connect to wdmd with a unix
-## domain stream socket.
+## Execute a domain transition to run wdmd.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wdmd_domtrans',`
+ gen_require(`
+ type wdmd_t, wdmd_exec_t;
+ ')
+
+ domtrans_pattern($1, wdmd_exec_t, wdmd_t)
+')
+
+
+########################################
+## <summary>
+## Execute wdmd server in the wdmd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
## </summary>
## </param>
#
-interface(`wdmd_stream_connect',`
+interface(`wdmd_initrc_domtrans',`
gen_require(`
- type wdmd_t, wdmd_var_run_t;
+ type wdmd_initrc_exec_t;
')
- files_search_pids($1)
- stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t)
+ init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
')
########################################
## <summary>
-## All of the rules required to
-## administrate an wdmd environment.
+## All of the rules required to administrate
+## an wdmd environment
## </summary>
## <param name="domain">
## <summary>
@@ -39,17 +57,77 @@ interface(`wdmd_stream_connect',`
#
interface(`wdmd_admin',`
gen_require(`
- type wdmd_t, wdmd_initrc_exec_t, wdmd_var_run_t;
+ type wdmd_t;
+ type wdmd_initrc_exec_t;
')
- allow $1 wdmd_t:process { ptrace signal_perms };
+ allow $1 wdmd_t:process signal_perms;
ps_process_pattern($1, wdmd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 wdmd_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
+ wdmd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 wdmd_initrc_exec_t system_r;
allow $2 system_r;
+')
+
+######################################
+## <summary>
+## Create, read, write, and delete wdmd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wdmd_manage_pid_files',`
+ gen_require(`
+ type wdmd_var_run_t;
+ ')
+
files_search_pids($1)
- admin_pattern($1, wdmd_var_run_t)
+ manage_files_pattern($1, wdmd_var_run_t, wdmd_var_run_t)
+')
+
+########################################
+## <summary>
+## Connect to wdmd over a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wdmd_stream_connect',`
+ gen_require(`
+ type wdmd_t, wdmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t)
+')
+
+
+####################################
+## <summary>
+## Allow the specified domain to read/write wdmd's tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wdmd_rw_tmpfs',`
+ gen_require(`
+ type wdmd_tmpfs_t;
+ ')
+
+ rw_files_pattern($1, wdmd_tmpfs_t, wdmd_tmpfs_t)
+
')
diff --git a/wdmd.te b/wdmd.te
index 4815a93f4..24dcf5174 100644
--- a/wdmd.te
+++ b/wdmd.te
@@ -45,16 +45,15 @@ corecmd_exec_shell(wdmd_t)
dev_read_watchdog(wdmd_t)
dev_write_watchdog(wdmd_t)
+fs_getattr_all_fs(wdmd_t)
fs_read_anon_inodefs_files(wdmd_t)
auth_use_nsswitch(wdmd_t)
logging_send_syslog_msg(wdmd_t)
-miscfiles_read_localization(wdmd_t)
-
optional_policy(`
- corosync_initrc_domtrans(wdmd_t)
- corosync_stream_connect(wdmd_t)
- corosync_rw_tmpfs(wdmd_t)
+ rhcs_initrc_domtrans_cluster(wdmd_t)
+ rhcs_stream_connect_cluster(wdmd_t)
+ rhcs_rw_cluster_tmpfs(wdmd_t)
')
diff --git a/webadm.te b/webadm.te
index 2a6cae773..0b771ed70 100644
--- a/webadm.te
+++ b/webadm.te
@@ -25,12 +25,21 @@ role webadm_r;
userdom_base_user_template(webadm)
+type webadm_tmp_t;
+files_tmp_file(webadm_tmp_t)
+
########################################
#
# Local policy
#
-allow webadm_t self:capability { dac_override dac_read_search kill sys_nice };
+allow webadm_t self:capability { dac_read_search kill sys_nice sys_resource };
+
+manage_dirs_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
+manage_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
+manage_lnk_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
+files_tmp_filetrans(webadm_t, webadm_tmp_t, { file dir })
+can_exec(webadm_t, webadm_tmp_t)
files_dontaudit_search_all_dirs(webadm_t)
files_list_var(webadm_t)
@@ -38,12 +47,26 @@ files_list_var(webadm_t)
selinux_get_enforce_mode(webadm_t)
seutil_domtrans_setfiles(webadm_t)
+init_rw_pipes(webadm_t)
+init_status(webadm_t)
+
logging_send_audit_msgs(webadm_t)
logging_send_syslog_msg(webadm_t)
userdom_dontaudit_search_user_home_dirs(webadm_t)
+userdom_dontaudit_manage_admin_files(webadm_t)
+
+optional_policy(`
+ apache_admin(webadm_t, webadm_r)
+')
+
+optional_policy(`
+ dbus_system_bus_client(webadm_t)
+')
-apache_admin(webadm_t, webadm_r)
+optional_policy(`
+ policykit_dbus_chat(webadm_t)
+')
tunable_policy(`webadm_manage_user_files',`
userdom_manage_user_home_content_files(webadm_t)
diff --git a/webalizer.fc b/webalizer.fc
index 64baf679e..76c753b1a 100644
--- a/webalizer.fc
+++ b/webalizer.fc
@@ -6,4 +6,4 @@
/var/lib/webalizer(/.*)? gen_context(system_u:object_r:webalizer_var_lib_t,s0)
-/var/www/usage(/.*)? gen_context(system_u:object_r:httpd_webalizer_content_t,s0)
+/var/www/usage(/.*)? gen_context(system_u:object_r:webalizer_rw_content_t,s0)
diff --git a/webalizer.te b/webalizer.te
index ae919b9a5..12097d0e4 100644
--- a/webalizer.te
+++ b/webalizer.te
@@ -33,7 +33,7 @@ files_type(webalizer_write_t)
# Local policy
#
-allow webalizer_t self:capability dac_override;
+allow webalizer_t self:capability { dac_read_search };
allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow webalizer_t self:fd use;
allow webalizer_t self:fifo_file rw_fifo_file_perms;
@@ -55,29 +55,36 @@ can_exec(webalizer_t, webalizer_exec_t)
kernel_read_kernel_sysctls(webalizer_t)
kernel_read_system_state(webalizer_t)
-files_read_etc_runtime_files(webalizer_t)
+corenet_all_recvfrom_netlabel(webalizer_t)
+corenet_tcp_sendrecv_generic_if(webalizer_t)
+corenet_tcp_sendrecv_generic_node(webalizer_t)
+corenet_tcp_sendrecv_all_ports(webalizer_t)
fs_search_auto_mountpoints(webalizer_t)
fs_getattr_xattr_fs(webalizer_t)
fs_rw_anon_inodefs_files(webalizer_t)
-auth_use_nsswitch(webalizer_t)
+files_read_etc_runtime_files(webalizer_t)
logging_list_logs(webalizer_t)
logging_send_syslog_msg(webalizer_t)
-miscfiles_read_localization(webalizer_t)
+auth_use_nsswitch(webalizer_t)
+
miscfiles_read_public_files(webalizer_t)
-userdom_use_user_terminals(webalizer_t)
+sysnet_dns_name_resolve(webalizer_t)
+sysnet_read_config(webalizer_t)
+
+userdom_use_inherited_user_terminals(webalizer_t)
userdom_use_unpriv_users_fds(webalizer_t)
userdom_dontaudit_search_user_home_content(webalizer_t)
optional_policy(`
apache_read_log(webalizer_t)
apache_content_template(webalizer)
- manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
- manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
+ apache_content_alias_template(webalizer, webalizer)
+ apache_manage_sys_content(webalizer_t)
')
optional_policy(`
diff --git a/wine.if b/wine.if
index fd2b6cc1e..9c4f14b88 100644
--- a/wine.if
+++ b/wine.if
@@ -1,46 +1,58 @@
-## <summary>Run Windows programs in Linux.</summary>
+## <summary>Wine Is Not an Emulator. Run Windows programs in Linux.</summary>
-########################################
+#######################################
## <summary>
-## Role access for wine.
+## The per role template for the wine module.
## </summary>
-## <param name="role">
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for wine applications.
+## </p>
+## </desc>
+## <param name="user_role">
## <summary>
-## Role allowed access.
+## The role associated with the user domain.
## </summary>
## </param>
-## <param name="domain">
+## <param name="user_domain">
## <summary>
-## User domain for the role.
+## The type of the user domain.
## </summary>
## </param>
#
-interface(`wine_role',`
+template(`wine_role',`
gen_require(`
- attribute_role wine_roles;
- type wine_exec_t, wine_t, wine_tmp_t;
+ type wine_t;
type wine_home_t;
+ type wine_exec_t;
')
- roleattribute $1 wine_roles;
-
- domtrans_pattern($2, wine_exec_t, wine_t)
+ role $1 types wine_t;
+ domain_auto_trans($2, wine_exec_t, wine_t)
+ # Unrestricted inheritance from the caller.
+ allow $2 wine_t:process { noatsecure siginh rlimitinh };
+ allow wine_t $2:fd use;
+ allow wine_t $2:process { sigchld signull };
allow wine_t $2:unix_stream_socket connectto;
- allow wine_t $2:process signull;
+ # Allow the user domain to signal/ps.
ps_process_pattern($2, wine_t)
- allow $2 wine_t:process { ptrace signal_perms };
+ allow $2 wine_t:process signal_perms;
allow $2 wine_t:fd use;
- allow $2 wine_t:shm { associate getattr };
- allow $2 wine_t:shm rw_shm_perms;
+ allow $2 wine_t:shm { associate getattr unix_read unix_write };
allow $2 wine_t:unix_stream_socket connectto;
- allow $2 { wine_tmp_t wine_home_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { wine_tmp_t wine_home_t }:file { manage_file_perms relabel_file_perms };
- allow $2 wine_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- userdom_user_home_dir_filetrans($2, wine_home_t, dir, ".wine")
+ # X access, Home files
+ manage_dirs_pattern($2, wine_home_t, wine_home_t)
+ manage_files_pattern($2, wine_home_t, wine_home_t)
+ manage_lnk_files_pattern($2, wine_home_t, wine_home_t)
+ relabel_dirs_pattern($2, wine_home_t, wine_home_t)
+ relabel_files_pattern($2, wine_home_t, wine_home_t)
+ relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
+
')
#######################################
@@ -72,31 +84,26 @@ interface(`wine_role',`
#
template(`wine_role_template',`
gen_require(`
+ type wine_t;
+ attribute wine_domain;
type wine_exec_t;
')
- type $1_wine_t;
- userdom_user_application_domain($1_wine_t, wine_exec_t)
+ type $1_wine_t, wine_domain;
+ domain_type($1_wine_t)
+ domain_entry_file($1_wine_t, wine_exec_t)
+ ubac_constrained($1_wine_t)
role $2 types $1_wine_t;
-
- allow $1_wine_t self:process { execmem execstack };
-
- allow $3 $1_wine_t:process { ptrace noatsecure signal_perms };
- ps_process_pattern($3, $1_wine_t)
-
+ allow $3 $1_wine_t:process { getattr noatsecure signal_perms };
domtrans_pattern($3, wine_exec_t, $1_wine_t)
-
- corecmd_bin_domtrans($1_wine_t, $3)
+ corecmd_bin_domtrans($1_wine_t, $1_t)
userdom_unpriv_usertype($1, $1_wine_t)
- userdom_manage_user_tmpfs_files($1_wine_t)
+ userdom_manage_tmp_role($2, $1_wine_t)
+ userdom_manage_home_role($2 ,$1_wine_t)
domain_mmap_low($1_wine_t)
- tunable_policy(`wine_mmap_zero_ignore',`
- dontaudit $1_wine_t self:memprotect mmap_zero;
- ')
-
optional_policy(`
xserver_role($1_r, $1_wine_t)
')
@@ -123,9 +130,8 @@ interface(`wine_domtrans',`
########################################
## <summary>
-## Execute wine in the wine domain,
-## and allow the specified role
-## the wine domain.
+## Execute wine in the wine domain, and
+## allow the specified role the wine domain.
## </summary>
## <param name="domain">
## <summary>
@@ -140,11 +146,11 @@ interface(`wine_domtrans',`
#
interface(`wine_run',`
gen_require(`
- attribute_role wine_roles;
+ type wine_t;
')
wine_domtrans($1)
- roleattribute $2 wine_roles;
+ role $2 types wine_t;
')
########################################
@@ -165,3 +171,22 @@ interface(`wine_rw_shm',`
allow $1 wine_t:shm rw_shm_perms;
')
+
+########################################
+## <summary>
+## Transition to wine named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wine_filetrans_named_content',`
+ gen_require(`
+ type wine_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, wine_home_t, dir, ".wine")
+')
+
diff --git a/wine.te b/wine.te
index 491b87b44..2a79df407 100644
--- a/wine.te
+++ b/wine.te
@@ -14,10 +14,11 @@ policy_module(wine, 1.11.0)
## </desc>
gen_tunable(wine_mmap_zero_ignore, false)
+attribute wine_domain;
attribute_role wine_roles;
roleattribute system_r wine_roles;
-type wine_t;
+type wine_t, wine_domain;
type wine_exec_t;
userdom_user_application_domain(wine_t, wine_exec_t)
role wine_roles types wine_t;
@@ -25,56 +26,63 @@ role wine_roles types wine_t;
type wine_home_t;
userdom_user_home_content(wine_home_t)
-type wine_tmp_t;
-userdom_user_tmp_file(wine_tmp_t)
-
########################################
#
# Local policy
#
+domain_mmap_low(wine_t)
+
+optional_policy(`
+ unconfined_domain(wine_t)
+')
-allow wine_t self:process { execstack execmem execheap };
-allow wine_t self:fifo_file manage_fifo_file_perms;
-can_exec(wine_t, wine_exec_t)
+########################################
+#
+# Common wine domain policy
+#
-userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")
+allow wine_domain self:process { execstack execmem execheap };
+allow wine_domain self:fifo_file manage_fifo_file_perms;
-manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
-manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
-files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
+can_exec(wine_domain, wine_exec_t)
-domain_mmap_low(wine_t)
+manage_files_pattern(wine_domain, wine_home_t, wine_home_t)
+manage_lnk_files_pattern(wine_domain, wine_home_t, wine_home_t)
+manage_dirs_pattern(wine_domain, wine_home_t, wine_home_t)
+userdom_tmpfs_filetrans(wine_domain, file)
+wine_filetrans_named_content(wine_domain)
-files_execmod_all_files(wine_t)
+files_execmod_all_files(wine_domain)
-userdom_use_user_terminals(wine_t)
+userdom_use_inherited_user_terminals(wine_domain)
tunable_policy(`wine_mmap_zero_ignore',`
- dontaudit wine_t self:memprotect mmap_zero;
+ dontaudit wine_domain self:memprotect mmap_zero;
')
optional_policy(`
- dbus_system_bus_client(wine_t)
+ dbus_system_bus_client(wine_domain)
optional_policy(`
- hal_dbus_chat(wine_t)
+ hal_dbus_chat(wine_domain)
')
optional_policy(`
- policykit_dbus_chat(wine_t)
+ policykit_dbus_chat(wine_domain)
')
')
optional_policy(`
- rtkit_scheduled(wine_t)
+ gnome_create_generic_cache_dir(wine_domain)
')
optional_policy(`
- unconfined_domain(wine_t)
+ rtkit_scheduled(wine_domain)
')
optional_policy(`
- xserver_read_xdm_pid(wine_t)
- xserver_rw_shm(wine_t)
+ xserver_read_xdm_pid(wine_domain)
+ xserver_rw_shm(wine_domain)
')
+
diff --git a/wireshark.te b/wireshark.te
index ff6ef3859..436d3bf5a 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -34,7 +34,7 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t)
# Local Policy
#
-allow wireshark_t self:capability { net_admin net_raw setgid };
+allow wireshark_t self:capability { net_admin net_raw };
allow wireshark_t self:process { signal getsched };
allow wireshark_t self:fifo_file rw_fifo_file_perms;
allow wireshark_t self:shm create_shm_perms;
@@ -82,7 +82,6 @@ dev_read_rand(wireshark_t)
dev_read_sysfs(wireshark_t)
dev_read_urand(wireshark_t)
-files_read_usr_files(wireshark_t)
fs_getattr_all_fs(wireshark_t)
fs_list_inotifyfs(wireshark_t)
@@ -90,31 +89,15 @@ fs_search_auto_mountpoints(wireshark_t)
auth_use_nsswitch(wireshark_t)
-libs_read_lib_files(wireshark_t)
-
miscfiles_read_fonts(wireshark_t)
-miscfiles_read_localization(wireshark_t)
userdom_use_user_terminals(wireshark_t)
userdom_manage_user_home_content_files(wireshark_t)
-userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file)
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(wireshark_t)
- fs_manage_nfs_files(wireshark_t)
- fs_manage_nfs_symlinks(wireshark_t)
-')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(wireshark_t)
- fs_manage_cifs_files(wireshark_t)
- fs_manage_cifs_symlinks(wireshark_t)
-')
+userdom_filetrans_home_content(wireshark_t)
-optional_policy(`
- seutil_use_newrole_fds(wireshark_t)
-')
+userdom_home_manager(wireshark_t)
optional_policy(`
userhelper_use_fd(wireshark_t)
diff --git a/wm.fc b/wm.fc
index 304ae09d3..c1d10a11b 100644
--- a/wm.fc
+++ b/wm.fc
@@ -1,4 +1,4 @@
/usr/bin/gnome-shell -- gen_context(system_u:object_r:wm_exec_t,s0)
/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0)
/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0)
-/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
diff --git a/wm.if b/wm.if
index 95f888d16..48fe249e1 100644
--- a/wm.if
+++ b/wm.if
@@ -1,4 +1,4 @@
-## <summary>X Window Managers.</summary>
+## <summary>X Window Managers</summary>
#######################################
## <summary>
@@ -29,69 +29,58 @@
#
template(`wm_role_template',`
gen_require(`
- attribute wm_domain;
type wm_exec_t;
+ class dbus send_msg;
+ attribute wm_domain;
')
- ########################################
- #
- # Declarations
- #
-
type $1_wm_t, wm_domain;
- userdom_user_application_domain($1_wm_t, wm_exec_t)
+ domain_type($1_wm_t)
+ domain_entry_file($1_wm_t, wm_exec_t)
role $2 types $1_wm_t;
- ########################################
- #
- # Policy
- #
-
allow $1_wm_t $3:unix_stream_socket connectto;
allow $3 $1_wm_t:unix_stream_socket connectto;
+ allow $3 $1_wm_t:process { signal sigchld signull };
+ allow $1_wm_t $3:process { signull sigkill };
- allow $3 $1_wm_t:process { ptrace signal_perms };
- ps_process_pattern($3, $1_wm_t)
+ allow $1_wm_t $3:dbus send_msg;
+ allow $3 $1_wm_t:dbus send_msg;
- allow $1_wm_t $3:process { signull sigkill };
+ userdom_manage_home_role($2, $1_wm_t)
+ userdom_manage_tmp_role($2, $1_wm_t)
+ userdom_exec_user_tmp_files($1_wm_t)
domtrans_pattern($3, wm_exec_t, $1_wm_t)
corecmd_bin_domtrans($1_wm_t, $3)
corecmd_shell_domtrans($1_wm_t, $3)
+ auth_use_nsswitch($1_wm_t)
+
+ kernel_read_system_state($1_wm_t)
+
+ auth_use_nsswitch($1_wm_t)
+
mls_file_read_all_levels($1_wm_t)
mls_file_write_all_levels($1_wm_t)
mls_xwin_read_all_levels($1_wm_t)
mls_xwin_write_all_levels($1_wm_t)
mls_fd_use_all_levels($1_wm_t)
- auth_use_nsswitch($1_wm_t)
-
- xserver_role($2, $1_wm_t)
- xserver_manage_core_devices($1_wm_t)
-
- optional_policy(`
- dbus_spec_session_bus_client($1, $1_wm_t)
- dbus_system_bus_client($1_wm_t)
-
- optional_policy(`
- wm_dbus_chat($1, $3)
- ')
- ')
-
optional_policy(`
- gnome_stream_connect_gkeyringd($1, $1_wm_t)
+ pulseaudio_run($1_wm_t, $2)
')
optional_policy(`
- pulseaudio_run($1_wm_t, $2)
+ xserver_role($2, $1_wm_t)
+ xserver_manage_core_devices($1_wm_t)
')
')
########################################
## <summary>
-## Execute wm in the caller domain.
+## Execute the wm program in the wm domain.
## </summary>
## <param name="domain">
## <summary>
@@ -104,33 +93,5 @@ interface(`wm_exec',`
type wm_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, wm_exec_t)
')
-
-########################################
-## <summary>
-## Send and receive messages from
-## specified wm over dbus.
-## </summary>
-## <param name="role_prefix">
-## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`wm_dbus_chat',`
- gen_require(`
- type $1_wm_t;
- class dbus send_msg;
- ')
-
- allow $2 $1_wm_t:dbus send_msg;
- allow $1_wm_t $2:dbus send_msg;
-')
diff --git a/wm.te b/wm.te
index 638d10fc6..5fb996008 100644
--- a/wm.te
+++ b/wm.te
@@ -1,12 +1,12 @@
policy_module(wm, 1.3.3)
+attribute wm_domain;
+
########################################
#
# Declarations
#
-attribute wm_domain;
-
type wm_exec_t;
corecmd_executable_file(wm_exec_t)
@@ -18,11 +18,11 @@ corecmd_executable_file(wm_exec_t)
allow wm_domain self:fifo_file rw_fifo_file_perms;
allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched };
allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
allow wm_domain self:shm create_shm_perms;
allow wm_domain self:unix_dgram_socket create_socket_perms;
-kernel_read_system_state(wm_domain)
-
+corecmd_dontaudit_access_all_executables(wm_domain)
corecmd_getattr_all_executables(wm_domain)
dev_read_sound(wm_domain)
@@ -31,12 +31,18 @@ dev_read_urand(wm_domain)
dev_rw_wireless(wm_domain)
dev_write_sound(wm_domain)
-files_read_usr_files(wm_domain)
-
fs_getattr_all_fs(wm_domain)
+application_signull(wm_domain)
+
+init_read_state(wm_domain)
+
miscfiles_read_fonts(wm_domain)
-miscfiles_read_localization(wm_domain)
+
+systemd_dbus_chat_logind(wm_domain)
+systemd_read_logind_sessions_files(wm_domain)
+systemd_write_inhibit_pipes(wm_domain)
+systemd_login_read_pid_files(wm_domain)
userdom_manage_user_tmp_sockets(wm_domain)
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
@@ -45,24 +51,38 @@ userdom_manage_user_home_content_dirs(wm_domain)
userdom_manage_user_home_content_files(wm_domain)
userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })
-optional_policy(`
- accountsd_dbus_chat(wm_domain)
-')
-
-optional_policy(`
- bluetooth_dbus_chat(wm_domain)
-')
+udev_read_pid_files(wm_domain)
optional_policy(`
- devicekit_dbus_chat_power(wm_domain)
+ gnome_stream_connect_gkeyringd(wm_domain)
')
optional_policy(`
- networkmanager_dbus_chat(wm_domain)
-')
+ dbus_system_bus_client(wm_domain)
+ dbus_session_bus_client(wm_domain)
+ optional_policy(`
+ accountsd_dbus_chat(wm_domain)
+ ')
+
+ optional_policy(`
+ bluetooth_dbus_chat(wm_domain)
+ ')
-optional_policy(`
- policykit_dbus_chat(wm_domain)
+ optional_policy(`
+ devicekit_dbus_chat_power(wm_domain)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(wm_domain)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(wm_domain)
+ ')
+
+ optional_policy(`
+ systemd_dbus_chat_logind(wm_domain)
+ ')
')
optional_policy(`
@@ -72,3 +92,7 @@ optional_policy(`
optional_policy(`
userhelper_exec_consolehelper(wm_domain)
')
+
+optional_policy(`
+ xserver_manage_core_devices(wm_domain)
+')
diff --git a/xen.fc b/xen.fc
index 42d83b02f..651d1cb61 100644
--- a/xen.fc
+++ b/xen.fc
@@ -1,38 +1,42 @@
/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
-/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
-/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
-/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
-/usr/lib/xen-[^/]*/bin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
-/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
-
/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0)
/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
/usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0)
+
+#/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
+
+ifdef(`distro_debian',`
+/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
+/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
+/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
+',`
/usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
-/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
+/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
-/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
-/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
+/usr/sbin/oxenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
+')
-/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
/var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
-/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
/var/log/evtchnd\.log.* -- gen_context(system_u:object_r:evtchnd_var_log_t,s0)
-/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
/var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
/var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
/var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/log/xenstored.* gen_context(system_u:object_r:xenstored_var_log_t,s0)
/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
-/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
-/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
+/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
/var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
-/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
/var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
/var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
-/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
+/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
diff --git a/xen.if b/xen.if
index f93558c5a..16e29c141 100644
--- a/xen.if
+++ b/xen.if
@@ -1,13 +1,13 @@
-## <summary>Xen hypervisor.</summary>
+## <summary>Xen hypervisor</summary>
########################################
## <summary>
## Execute a domain transition to run xend.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`xen_domtrans',`
@@ -15,18 +15,18 @@ interface(`xen_domtrans',`
type xend_t, xend_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, xend_exec_t, xend_t)
')
########################################
## <summary>
-## Execute xend in the caller domain.
+## Allow the specified domain to execute xend
+## in the caller domain.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
interface(`xen_exec',`
@@ -34,7 +34,6 @@ interface(`xen_exec',`
type xend_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, xend_exec_t)
')
@@ -75,24 +74,43 @@ interface(`xen_dontaudit_use_fds',`
dontaudit $1 xend_t:fd use;
')
+#######################################
+## <summary>
+## Read xend pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xen_read_pid_files_xenstored',`
+ gen_require(`
+ type xenstored_var_run_t;
+ ')
+
+ files_search_pids($1)
+
+ read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t)
+')
+
########################################
## <summary>
-## Create, read, write, and delete
-## xend image directories.
+## Read xend lib files.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
-interface(`xen_manage_image_dirs',`
+interface(`xen_read_lib_files',`
gen_require(`
type xend_var_lib_t;
')
- files_search_var_lib($1)
- manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
+ files_list_var_lib($1)
+ read_files_pattern($1, xend_var_lib_t, xend_var_lib_t)
')
########################################
@@ -100,9 +118,9 @@ interface(`xen_manage_image_dirs',`
## Read xend image files.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
interface(`xen_read_image_files',`
@@ -111,18 +129,40 @@ interface(`xen_read_image_files',`
')
files_list_var_lib($1)
+
list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t)
')
########################################
## <summary>
-## Read and write xend image files.
+## Allow the specified domain to read/write
+## xend image files.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
+## </param>
+#
+interface(`xen_manage_image_dirs',`
+ gen_require(`
+ type xend_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read/write
+## xend image files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
## </param>
#
interface(`xen_rw_image_files',`
@@ -137,7 +177,8 @@ interface(`xen_rw_image_files',`
########################################
## <summary>
-## Append xend log files.
+## Allow the specified domain to append
+## xend log files.
## </summary>
## <param name="domain">
## <summary>
@@ -157,13 +198,13 @@ interface(`xen_append_log',`
########################################
## <summary>
-## Create, read, write, and delete
+## Create, read, write, and delete the
## xend log files.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
interface(`xen_manage_log',`
@@ -176,29 +217,11 @@ interface(`xen_manage_log',`
manage_files_pattern($1, xend_var_log_t, xend_var_log_t)
')
-#######################################
-## <summary>
-## Read xenstored pid files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`xen_read_xenstored_pid_files',`
- gen_require(`
- type xenstored_var_run_t;
- ')
-
- files_search_pids($1)
- read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t)
-')
-
########################################
## <summary>
## Do not audit attempts to read and write
-## Xen unix domain stream sockets.
+## Xen unix domain stream sockets. These
+## are leaked file descriptors.
## </summary>
## <param name="domain">
## <summary>
@@ -216,8 +239,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',`
########################################
## <summary>
-## Connect to xenstored with a unix
-## domain stream socket.
+## Connect to xenstored over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -236,8 +258,7 @@ interface(`xen_stream_connect_xenstore',`
########################################
## <summary>
-## Connect to xend with a unix
-## domain stream socket.
+## Connect to xend over a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -270,16 +291,15 @@ interface(`xen_stream_connect',`
interface(`xen_domtrans_xm',`
gen_require(`
type xm_t, xm_exec_t;
+ attribute virsh_transition_domain;
')
-
- corecmd_search_bin($1)
+ typeattribute $1 virsh_transition_domain;
domtrans_pattern($1, xm_exec_t, xm_t)
')
########################################
## <summary>
-## Connect to xm with a unix
-## domain stream socket.
+## Connect to xm over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -289,7 +309,7 @@ interface(`xen_domtrans_xm',`
#
interface(`xen_stream_connect_xm',`
gen_require(`
- type xm_t;
+ type xm_t, xenstored_var_run_t;
')
files_search_pids($1)
diff --git a/xen.te b/xen.te
index 6f736a993..ca29783fb 100644
--- a/xen.te
+++ b/xen.te
@@ -4,39 +4,31 @@ policy_module(xen, 1.13.0)
#
# Declarations
#
+attribute xm_transition_domain;
## <desc>
-## <p>
-## Determine whether xend can
-## run blktapctrl and tapdisk.
+## <p>
+## Allow xend to run blktapctrl/tapdisk.
+## Not required if using dedicated logical volumes for disk images.
## </p>
## </desc>
-gen_tunable(xend_run_blktap, false)
+gen_tunable(xend_run_blktap, true)
## <desc>
-## <p>
-## Determine whether xen can
-## use fusefs file systems.
-## </p>
+## <p>
+## Allow xend to run qemu-dm.
+## Not required if using paravirt and no vfb.
+## </p>
## </desc>
-gen_tunable(xen_use_fusefs, false)
+gen_tunable(xend_run_qemu, true)
## <desc>
-## <p>
-## Determine whether xen can
-## use nfs file systems.
-## </p>
+## <p>
+## Allow xen to manage nfs files
+## </p>
## </desc>
gen_tunable(xen_use_nfs, false)
-## <desc>
-## <p>
-## Determine whether xen can
-## use samba file systems.
-## </p>
-## </desc>
-gen_tunable(xen_use_samba, false)
-
type blktap_t;
type blktap_exec_t;
domain_type(blktap_t)
@@ -50,41 +42,55 @@ type evtchnd_t;
type evtchnd_exec_t;
init_daemon_domain(evtchnd_t, evtchnd_exec_t)
+# log files
type evtchnd_var_log_t;
logging_log_file(evtchnd_var_log_t)
+# pid files
type evtchnd_var_run_t;
files_pid_file(evtchnd_var_run_t)
+type qemu_dm_t;
+type qemu_dm_exec_t;
+domain_type(qemu_dm_t)
+domain_entry_file(qemu_dm_t, qemu_dm_exec_t)
+role system_r types qemu_dm_t;
+
+# console ptys
type xen_devpts_t;
term_pty(xen_devpts_t)
files_type(xen_devpts_t)
+# Xen Image files
type xen_image_t; # customizable
files_type(xen_image_t)
+# xen_image_t can be assigned to blk devices
dev_node(xen_image_t)
-
-optional_policy(`
- virt_image(xen_image_t)
-')
+virt_image(xen_image_t)
type xenctl_t;
files_type(xenctl_t)
type xend_t;
type xend_exec_t;
+domain_type(xend_t)
init_daemon_domain(xend_t, xend_exec_t)
+# tmp files
type xend_tmp_t;
files_tmp_file(xend_tmp_t)
+# var/lib files
type xend_var_lib_t;
files_type(xend_var_lib_t)
+# for mounting an NFS store
files_mountpoint(xend_var_lib_t)
+# log files
type xend_var_log_t;
logging_log_file(xend_var_log_t)
+# pid files
type xend_var_run_t;
files_pid_file(xend_var_run_t)
files_mountpoint(xend_var_run_t)
@@ -96,51 +102,50 @@ init_daemon_domain(xenstored_t, xenstored_exec_t)
type xenstored_tmp_t;
files_tmp_file(xenstored_tmp_t)
+# var/lib files
type xenstored_var_lib_t;
files_type(xenstored_var_lib_t)
files_mountpoint(xenstored_var_lib_t)
+# log files
type xenstored_var_log_t;
logging_log_file(xenstored_var_log_t)
+# pid files
type xenstored_var_run_t;
files_pid_file(xenstored_var_run_t)
-init_daemon_run_dir(xenstored_var_run_t, "xenstored")
type xenconsoled_t;
type xenconsoled_exec_t;
init_daemon_domain(xenconsoled_t, xenconsoled_exec_t)
+# pid files
type xenconsoled_var_run_t;
files_pid_file(xenconsoled_var_run_t)
-type xm_t;
-type xm_exec_t;
-init_system_domain(xm_t, xm_exec_t)
-
########################################
#
# blktap local policy
#
-
+# Do we need to allow execution of blktap?
tunable_policy(`xend_run_blktap',`
+ # If yes, transition to its own domain.
domtrans_pattern(xend_t, blktap_exec_t, blktap_t)
- allow blktap_t self:fifo_file { read write };
+',`
+ # If no, then silently refuse to run it.
+ dontaudit xend_t blktap_exec_t:file { execute execute_no_trans };
+')
- dev_read_sysfs(blktap_t)
- dev_rw_xen(blktap_t)
+allow blktap_t self:fifo_file { read write };
- files_read_etc_files(blktap_t)
+dev_read_sysfs(blktap_t)
+dev_rw_xen(blktap_t)
- logging_send_syslog_msg(blktap_t)
- miscfiles_read_localization(blktap_t)
+logging_send_syslog_msg(blktap_t)
- xen_stream_connect_xenstore(blktap_t)
-',`
- dontaudit xend_t blktap_exec_t:file { execute execute_no_trans };
-')
+xen_stream_connect_xenstore(blktap_t)
#######################################
#
@@ -148,9 +153,7 @@ tunable_policy(`xend_run_blktap',`
#
manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
-append_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
-create_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
-setattr_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
+manage_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
logging_log_filetrans(evtchnd_t, evtchnd_var_log_t, { file dir })
manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
@@ -160,28 +163,68 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
########################################
#
+# qemu-dm local policy
+#
+
+# TODO: This part of policy should be removed
+# qemu-dm should run in xend_t domain
+
+# Do we need to allow execution of qemu-dm?
+tunable_policy(`xend_run_qemu',`
+ allow qemu_dm_t self:capability sys_resource;
+ allow qemu_dm_t self:process setrlimit;
+ allow qemu_dm_t self:fifo_file { read write };
+ allow qemu_dm_t self:tcp_socket create_stream_socket_perms;
+
+ # If yes, transition to its own domain.
+ domtrans_pattern(xend_t, qemu_dm_exec_t, qemu_dm_t)
+
+ append_files_pattern(qemu_dm_t, xend_var_log_t, xend_var_log_t)
+
+ rw_fifo_files_pattern(qemu_dm_t, xend_var_run_t, xend_var_run_t)
+
+ corenet_tcp_bind_generic_node(qemu_dm_t)
+ corenet_tcp_bind_vnc_port(qemu_dm_t)
+
+ dev_rw_xen(qemu_dm_t)
+
+
+ fs_manage_xenfs_dirs(qemu_dm_t)
+ fs_manage_xenfs_files(qemu_dm_t)
+
+
+ xen_stream_connect_xenstore(qemu_dm_t)
+',`
+ # If no, then silently refuse to run it.
+ dontaudit xend_t qemu_dm_exec_t:file { execute execute_no_trans };
+')
+
+########################################
+#
# xend local policy
#
-allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_resource sys_rawio };
-dontaudit xend_t self:capability { sys_ptrace };
-allow xend_t self:process { setrlimit signal sigkill };
-dontaudit xend_t self:process ptrace;
+allow xend_t self:capability { dac_read_search ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_rawio };
+allow xend_t self:process { signal sigkill };
+
+# needed by qemu_dm
+allow xend_t self:capability sys_resource;
+allow xend_t self:process setrlimit;
+
+# internal communication is often done using fifo and unix sockets.
allow xend_t self:fifo_file rw_fifo_file_perms;
-allow xend_t self:unix_stream_socket { accept listen };
-allow xend_t self:tcp_socket { accept listen };
+allow xend_t self:unix_stream_socket create_stream_socket_perms;
+allow xend_t self:unix_dgram_socket create_socket_perms;
+allow xend_t self:netlink_route_socket r_netlink_socket_perms;
+allow xend_t self:tcp_socket create_stream_socket_perms;
allow xend_t self:packet_socket create_socket_perms;
allow xend_t self:tun_socket create_socket_perms;
allow xend_t xen_image_t:dir list_dir_perms;
manage_dirs_pattern(xend_t, xen_image_t, xen_image_t)
-manage_fifo_files_pattern(xend_t, xen_image_t, xen_image_t)
manage_files_pattern(xend_t, xen_image_t, xen_image_t)
read_lnk_files_pattern(xend_t, xen_image_t, xen_image_t)
-read_sock_files_pattern(xend_t, xen_image_t, xen_image_t)
-rw_chr_files_pattern(xend_t, xen_image_t, xen_image_t)
rw_blk_files_pattern(xend_t, xen_image_t, xen_image_t)
-fs_hugetlbfs_filetrans(xend_t, xen_image_t, file)
allow xend_t xenctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(xend_t, xenctl_t, fifo_file)
@@ -190,33 +233,37 @@ manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t)
manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t)
files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
+# pid file
manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t)
manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
manage_fifo_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir })
+# log files
manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t)
-append_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
-create_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
-setattr_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
+manage_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
logging_log_filetrans(xend_t, xend_var_log_t, { sock_file file dir })
+# var/lib files for xend
manage_dirs_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
manage_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
manage_sock_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir })
+# transition to store
+domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
+
+# manage xenstored pid file
manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t)
-allow xend_t xenstored_var_lib_t:dir list_dir_perms;
+# mount tmpfs on /var/lib/xenstored
+allow xend_t xenstored_var_lib_t:dir read;
+# transition to console
domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t)
-domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
-
-xen_stream_connect_xenstore(xend_t)
kernel_read_kernel_sysctls(xend_t)
kernel_read_system_state(xend_t)
@@ -224,61 +271,44 @@ kernel_write_xen_state(xend_t)
kernel_read_xen_state(xend_t)
kernel_rw_net_sysctls(xend_t)
kernel_read_network_state(xend_t)
+kernel_request_load_module(xend_t)
corecmd_exec_bin(xend_t)
corecmd_exec_shell(xend_t)
-corenet_all_recvfrom_unlabeled(xend_t)
corenet_all_recvfrom_netlabel(xend_t)
corenet_tcp_sendrecv_generic_if(xend_t)
corenet_tcp_sendrecv_generic_node(xend_t)
corenet_tcp_sendrecv_all_ports(xend_t)
corenet_tcp_bind_generic_node(xend_t)
-
-corenet_sendrecv_xen_server_packets(xend_t)
corenet_tcp_bind_xen_port(xend_t)
-
-corenet_sendrecv_soundd_server_packets(xend_t)
corenet_tcp_bind_soundd_port(xend_t)
-
-corenet_sendrecv_generic_server_packets(xend_t)
corenet_tcp_bind_generic_port(xend_t)
-
-corenet_sendrecv_vnc_server_packets(xend_t)
corenet_tcp_bind_vnc_port(xend_t)
-
-corenet_sendrecv_xserver_client_packets(xend_t)
corenet_tcp_connect_xserver_port(xend_t)
-
-corenet_sendrecv_xen_client_packets(xend_t)
corenet_tcp_connect_xen_port(xend_t)
-
+corenet_sendrecv_xserver_client_packets(xend_t)
+corenet_sendrecv_xen_server_packets(xend_t)
+corenet_sendrecv_xen_client_packets(xend_t)
+corenet_sendrecv_soundd_server_packets(xend_t)
corenet_rw_tun_tap_dev(xend_t)
-dev_getattr_all_chr_files(xend_t)
dev_read_urand(xend_t)
+# run lsscsi
+dev_getattr_all_chr_files(xend_t)
dev_filetrans_xen(xend_t)
dev_rw_sysfs(xend_t)
dev_rw_xen(xend_t)
domain_dontaudit_read_all_domains_state(xend_t)
-domain_dontaudit_ptrace_all_domains(xend_t)
-files_read_etc_files(xend_t)
files_read_kernel_symbol_table(xend_t)
files_read_kernel_img(xend_t)
files_manage_etc_runtime_files(xend_t)
files_etc_filetrans_etc_runtime(xend_t, file)
-files_read_usr_files(xend_t)
files_read_default_symlinks(xend_t)
-files_search_mnt(xend_t)
-fs_getattr_all_fs(xend_t)
-fs_list_auto_mountpoints(xend_t)
-fs_read_dos_files(xend_t)
fs_read_removable_blk_files(xend_t)
-fs_manage_xenfs_dirs(xend_t)
-fs_manage_xenfs_files(xend_t)
storage_read_scsi_generic(xend_t)
@@ -295,7 +325,8 @@ locallogin_dontaudit_use_fds(xend_t)
logging_send_syslog_msg(xend_t)
-miscfiles_read_localization(xend_t)
+auth_read_passwd(xend_t)
+
miscfiles_read_hwdata(xend_t)
sysnet_domtrans_dhcpc(xend_t)
@@ -308,23 +339,7 @@ sysnet_rw_dhcp_config(xend_t)
userdom_dontaudit_search_user_home_dirs(xend_t)
-tunable_policy(`xen_use_fusefs',`
- fs_manage_fusefs_dirs(xend_t)
- fs_manage_fusefs_files(xend_t)
- fs_read_fusefs_symlinks(xend_t)
-')
-
-tunable_policy(`xen_use_nfs',`
- fs_manage_nfs_dirs(xend_t)
- fs_manage_nfs_files(xend_t)
- fs_read_nfs_symlinks(xend_t)
-')
-
-tunable_policy(`xen_use_samba',`
- fs_manage_cifs_dirs(xend_t)
- fs_manage_cifs_files(xend_t)
- fs_read_cifs_symlinks(xend_t)
-')
+xen_stream_connect_xenstore(xend_t)
optional_policy(`
brctl_domtrans(xend_t)
@@ -342,7 +357,7 @@ optional_policy(`
mount_domtrans(xend_t)
')
-optional_policy(`
+optional_policy(`
netutils_domtrans(xend_t)
')
@@ -351,6 +366,7 @@ optional_policy(`
')
optional_policy(`
+ virt_manage_default_image_type(xend_t)
virt_search_images(xend_t)
virt_read_config(xend_t)
')
@@ -360,18 +376,14 @@ optional_policy(`
# Xen console local policy
#
-allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
+allow xenconsoled_t self:capability { dac_read_search fsetid ipc_lock };
allow xenconsoled_t self:process setrlimit;
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
-allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr_chr_file_perms };
-
-manage_dirs_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
-append_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
-create_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
-setattr_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
+allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr };
+# pid file
manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file })
@@ -384,10 +396,6 @@ dev_rw_xen(xenconsoled_t)
dev_filetrans_xen(xenconsoled_t)
dev_rw_sysfs(xenconsoled_t)
-domain_dontaudit_ptrace_all_domains(xenconsoled_t)
-
-files_read_etc_files(xenconsoled_t)
-files_read_usr_files(xenconsoled_t)
fs_list_tmpfs(xenconsoled_t)
fs_manage_xenfs_dirs(xenconsoled_t)
@@ -395,15 +403,13 @@ fs_manage_xenfs_files(xenconsoled_t)
term_create_pty(xenconsoled_t, xen_devpts_t)
term_use_generic_ptys(xenconsoled_t)
-term_use_console(xenconsoled_t)
init_use_fds(xenconsoled_t)
init_use_script_ptys(xenconsoled_t)
-logging_search_logs(xenconsoled_t)
-
-miscfiles_read_localization(xenconsoled_t)
+auth_read_passwd(xenconsoled_t)
+xen_manage_log(xenconsoled_t)
xen_stream_connect_xenstore(xenconsoled_t)
optional_policy(`
@@ -415,25 +421,27 @@ optional_policy(`
# Xen store local policy
#
-allow xenstored_t self:capability { dac_override ipc_lock sys_resource };
-allow xenstored_t self:unix_stream_socket { accept listen };
+allow xenstored_t self:capability { dac_read_search ipc_lock sys_resource };
+allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
+allow xenstored_t self:unix_dgram_socket create_socket_perms;
manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
+# pid file
manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir })
+# log files
manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-append_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-create_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-setattr_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
+manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir })
+# var/lib files for xenstored
manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
@@ -448,157 +456,40 @@ dev_filetrans_xen(xenstored_t)
dev_rw_xen(xenstored_t)
dev_read_sysfs(xenstored_t)
-files_read_etc_files(xenstored_t)
-files_read_usr_files(xenstored_t)
+
fs_search_xenfs(xenstored_t)
fs_manage_xenfs_files(xenstored_t)
term_use_generic_ptys(xenstored_t)
+term_use_console(xenconsoled_t)
init_use_fds(xenstored_t)
init_use_script_ptys(xenstored_t)
logging_send_syslog_msg(xenstored_t)
-miscfiles_read_localization(xenstored_t)
-
xen_append_log(xenstored_t)
-########################################
-#
-# xm local policy
-#
-
-allow xm_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
-allow xm_t self:process { getcap getsched setsched setcap signal };
-allow xm_t self:fifo_file rw_fifo_file_perms;
-allow xm_t self:unix_stream_socket { accept connectto listen };
-allow xm_t self:tcp_socket { accept listen };
-
-manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
-manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
-manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
-
-manage_files_pattern(xm_t, xen_image_t, xen_image_t)
-manage_blk_files_pattern(xm_t, xen_image_t, xen_image_t)
-manage_lnk_files_pattern(xm_t, xen_image_t, xen_image_t)
-
-read_files_pattern(xm_t, xenstored_var_run_t, xenstored_var_run_t)
-
-xen_manage_image_dirs(xm_t)
-xen_append_log(xm_t)
-xen_domtrans(xm_t)
-xen_stream_connect(xm_t)
-xen_stream_connect_xenstore(xm_t)
-
-can_exec(xm_t, xm_exec_t)
-
-kernel_read_system_state(xm_t)
-kernel_read_network_state(xm_t)
-kernel_read_kernel_sysctls(xm_t)
-kernel_read_sysctl(xm_t)
-kernel_read_xen_state(xm_t)
-kernel_write_xen_state(xm_t)
-
-corecmd_exec_bin(xm_t)
-corecmd_exec_shell(xm_t)
-
-corenet_all_recvfrom_unlabeled(xm_t)
-corenet_all_recvfrom_netlabel(xm_t)
-corenet_tcp_sendrecv_generic_if(xm_t)
-corenet_tcp_sendrecv_generic_node(xm_t)
-
-corenet_sendrecv_soundd_client_packets(xm_t)
-corenet_tcp_connect_soundd_port(xm_t)
-corenet_tcp_sendrecv_soundd_port(xm_t)
-
-dev_read_rand(xm_t)
-dev_read_urand(xm_t)
-dev_read_sysfs(xm_t)
-
-files_read_etc_runtime_files(xm_t)
-files_read_etc_files(xm_t)
-files_read_usr_files(xm_t)
-files_search_pids(xm_t)
-files_search_var_lib(xm_t)
-files_list_mnt(xm_t)
-files_list_tmp(xm_t)
-
-fs_getattr_all_fs(xm_t)
-fs_manage_xenfs_dirs(xm_t)
-fs_manage_xenfs_files(xm_t)
-fs_search_auto_mountpoints(xm_t)
-
-storage_raw_read_fixed_disk(xm_t)
-
-term_use_all_terms(xm_t)
-
-init_stream_connect_script(xm_t)
-init_rw_script_stream_sockets(xm_t)
-init_use_fds(xm_t)
-
-logging_send_syslog_msg(xm_t)
-
-miscfiles_read_localization(xm_t)
-
-sysnet_dns_name_resolve(xm_t)
-
-tunable_policy(`xen_use_fusefs',`
- fs_manage_fusefs_dirs(xm_t)
- fs_manage_fusefs_files(xm_t)
- fs_read_fusefs_symlinks(xm_t)
-')
-
-tunable_policy(`xen_use_nfs',`
- fs_manage_nfs_dirs(xm_t)
- fs_manage_nfs_files(xm_t)
- fs_read_nfs_symlinks(xm_t)
-')
-
-tunable_policy(`xen_use_samba',`
- fs_manage_cifs_dirs(xm_t)
- fs_manage_cifs_files(xm_t)
- fs_read_cifs_symlinks(xm_t)
-')
-
optional_policy(`
- cron_system_entry(xm_t, xm_exec_t)
+ virt_read_config(xenstored_t)
')
+########################################
+#
+# SSH component local policy
+#
optional_policy(`
- dbus_system_bus_client(xm_t)
-
- optional_policy(`
- hal_dbus_chat(xm_t)
+ #Should have a boolean wrapping these
+ fs_list_auto_mountpoints(xend_t)
+ files_search_mnt(xend_t)
+ fs_getattr_all_fs(xend_t)
+ fs_read_dos_files(xend_t)
+ fs_manage_xenfs_dirs(xend_t)
+ fs_manage_xenfs_files(xend_t)
+
+ tunable_policy(`xen_use_nfs',`
+ fs_manage_nfs_files(xend_t)
+ fs_read_nfs_symlinks(xend_t)
')
')
-
-optional_policy(`
- rpm_exec(xm_t)
-')
-
-optional_policy(`
- vhostmd_rw_tmpfs_files(xm_t)
- vhostmd_stream_connect(xm_t)
- vhostmd_dontaudit_rw_stream_connect(xm_t)
-')
-
-optional_policy(`
- virt_domtrans(xm_t)
- virt_manage_images(xm_t)
- virt_manage_config(xm_t)
- virt_stream_connect(xm_t)
-')
-
-optional_policy(`
- ssh_basic_client_template(xm, xm_t, system_r)
-
- kernel_read_xen_state(xm_ssh_t)
- kernel_write_xen_state(xm_ssh_t)
-
- files_search_tmp(xm_ssh_t)
-
- fs_manage_xenfs_dirs(xm_ssh_t)
- fs_manage_xenfs_files(xm_ssh_t)
-')
diff --git a/xfs.te b/xfs.te
index 0928c5d6a..99a430031 100644
--- a/xfs.te
+++ b/xfs.te
@@ -23,7 +23,7 @@ files_pid_file(xfs_var_run_t)
# Local policy
#
-allow xfs_t self:capability { dac_override setgid setuid };
+allow xfs_t self:capability { dac_read_search setgid setuid };
dontaudit xfs_t self:capability sys_tty_config;
allow xfs_t self:process { signal_perms setpgid };
allow xfs_t self:unix_stream_socket { accept listen };
@@ -41,7 +41,6 @@ can_exec(xfs_t, xfs_exec_t)
kernel_read_kernel_sysctls(xfs_t)
kernel_read_system_state(xfs_t)
-corenet_all_recvfrom_unlabeled(xfs_t)
corenet_all_recvfrom_netlabel(xfs_t)
corenet_tcp_sendrecv_generic_if(xfs_t)
corenet_tcp_sendrecv_generic_node(xfs_t)
@@ -63,7 +62,6 @@ fs_search_auto_mountpoints(xfs_t)
domain_use_interactive_fds(xfs_t)
files_read_etc_runtime_files(xfs_t)
-files_read_usr_files(xfs_t)
auth_use_nsswitch(xfs_t)
@@ -71,7 +69,6 @@ init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file, "fs7100")
logging_send_syslog_msg(xfs_t)
-miscfiles_read_localization(xfs_t)
miscfiles_read_fonts(xfs_t)
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
diff --git a/xguest.if b/xguest.if
index 4f1d07d71..5c819abe8 100644
--- a/xguest.if
+++ b/xguest.if
@@ -1,4 +1,4 @@
-## <summary>Least privledge xwindows user role.</summary>
+## <summary>Least privileged xwindows user role.</summary>
########################################
## <summary>
diff --git a/xguest.te b/xguest.te
index a64aad347..12dc86b2f 100644
--- a/xguest.te
+++ b/xguest.te
@@ -6,46 +6,49 @@ policy_module(xguest, 1.2.0)
#
## <desc>
-## <p>
-## Determine whether xguest can
-## mount removable media.
-## </p>
+## <p>
+## Allow xguest users to mount removable media
+## </p>
## </desc>
-gen_tunable(xguest_mount_media, false)
+gen_tunable(xguest_mount_media, true)
## <desc>
-## <p>
-## Determine whether xguest can
-## configure network manager.
-## </p>
+## <p>
+## Allow xguest users to configure Network Manager and connect to apache ports
+## </p>
## </desc>
-gen_tunable(xguest_connect_network, false)
+gen_tunable(xguest_connect_network, true)
## <desc>
-## <p>
-## Determine whether xguest can
-## use blue tooth devices.
-## </p>
+## <p>
+## Allow xguest to use blue tooth devices
+## </p>
## </desc>
-gen_tunable(xguest_use_bluetooth, false)
+gen_tunable(xguest_use_bluetooth, true)
role xguest_r;
userdom_restricted_xwindows_user_template(xguest)
+sysnet_dns_name_resolve(xguest_t)
+
+init_dbus_chat(xguest_t)
+init_status(xguest_t)
+systemd_dontaudit_dbus_chat(xguest_t)
########################################
#
# Local policy
#
-kernel_dontaudit_request_load_module(xguest_t)
+dontaudit xguest_t xguest_t : tcp_socket { listen };
ifndef(`enable_mls',`
fs_exec_noxattr(xguest_t)
- tunable_policy(`user_rw_noexattrfile',`
+ tunable_policy(`selinuxuser_rw_noexattrfile',`
fs_manage_noxattr_fs_files(xguest_t)
fs_manage_noxattr_fs_dirs(xguest_t)
+ # Write floppies
storage_raw_read_removable_device(xguest_t)
storage_raw_write_removable_device(xguest_t)
',`
@@ -54,9 +57,25 @@ ifndef(`enable_mls',`
')
optional_policy(`
+ # Dontaudit fusermount
+ mount_dontaudit_exec_fusermount(xguest_t)
+')
+
+kernel_dontaudit_request_load_module(xguest_t)
+kernel_read_software_raid_state(xguest_t)
+
+#GDM runs the X server as the unprivileged user.
+dev_rw_input_dev(xguest_t)
+
+tunable_policy(`selinuxuser_execstack',`
+ allow xguest_t self:process execstack;
+')
+
+# Allow mounting of file systems
+optional_policy(`
tunable_policy(`xguest_mount_media',`
kernel_read_fs_sysctls(xguest_t)
-
+ kernel_request_load_module(xguest_t)
files_dontaudit_getattr_boot_dirs(xguest_t)
files_search_mnt(xguest_t)
@@ -65,10 +84,9 @@ optional_policy(`
fs_manage_noxattr_fs_dirs(xguest_t)
fs_getattr_noxattr_fs(xguest_t)
fs_read_noxattr_fs_symlinks(xguest_t)
+ fs_mount_fusefs(xguest_t)
auth_list_pam_console_data(xguest_t)
-
- init_read_utmp(xguest_t)
')
')
@@ -84,12 +102,25 @@ optional_policy(`
')
')
+
optional_policy(`
- apache_role(xguest_r, xguest_t)
+ abrt_dontaudit_read_config(xguest_t)
+')
+
+optional_policy(`
+ colord_dbus_chat(xguest_t)
+')
+
+optional_policy(`
+ chrome_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+ thumb_role(xguest_r, xguest_t)
')
optional_policy(`
- gnomeclock_dontaudit_dbus_chat(xguest_t)
+ dbus_dontaudit_chat_system_bus(xguest_t)
')
optional_policy(`
@@ -97,75 +128,78 @@ optional_policy(`
')
optional_policy(`
- java_role(xguest_r, xguest_t)
+ apache_role(xguest_r, xguest_t)
')
optional_policy(`
- mozilla_role(xguest_r, xguest_t)
+ mozilla_run_plugin(xguest_t, xguest_r)
')
optional_policy(`
- tunable_policy(`xguest_connect_network',`
- kernel_read_network_state(xguest_t)
+ mount_run_fusermount(xguest_t, xguest_r)
+')
+
+optional_policy(`
+ pcscd_read_pid_files(xguest_t)
+ pcscd_stream_connect(xguest_t)
+')
+
+optional_policy(`
+ rhsmcertd_dontaudit_dbus_chat(xguest_t)
+')
+optional_policy(`
+ tunable_policy(`xguest_connect_network',`
networkmanager_dbus_chat(xguest_t)
networkmanager_read_lib_files(xguest_t)
+ ')
+')
- corenet_all_recvfrom_unlabeled(xguest_t)
- corenet_all_recvfrom_netlabel(xguest_t)
+optional_policy(`
+ tunable_policy(`xguest_connect_network',`
+ kernel_read_network_state(xguest_t)
+
+ corenet_tcp_connect_pulseaudio_port(xguest_t)
corenet_tcp_sendrecv_generic_if(xguest_t)
corenet_raw_sendrecv_generic_if(xguest_t)
corenet_tcp_sendrecv_generic_node(xguest_t)
corenet_raw_sendrecv_generic_node(xguest_t)
-
- corenet_sendrecv_pulseaudio_client_packets(xguest_t)
- corenet_tcp_connect_pulseaudio_port(xguest_t)
- corenet_tcp_sendrecv_pulseaudio_port(xguest_t)
-
- corenet_sendrecv_http_client_packets(xguest_t)
- corenet_tcp_connect_http_port(xguest_t)
+ corenet_tcp_connect_commplex_link_port(xguest_t)
corenet_tcp_sendrecv_http_port(xguest_t)
-
- corenet_sendrecv_http_cache_client_packets(xguest_t)
- corenet_tcp_connect_http_cache_port(xguest_t)
corenet_tcp_sendrecv_http_cache_port(xguest_t)
-
- corenet_sendrecv_squid_client_packets(xguest_t)
- corenet_tcp_connect_squid_port(xguest_t)
corenet_tcp_sendrecv_squid_port(xguest_t)
-
- corenet_sendrecv_ftp_client_packets(xguest_t)
- corenet_tcp_connect_ftp_port(xguest_t)
corenet_tcp_sendrecv_ftp_port(xguest_t)
-
- corenet_sendrecv_ipp_client_packets(xguest_t)
- corenet_tcp_connect_ipp_port(xguest_t)
corenet_tcp_sendrecv_ipp_port(xguest_t)
-
- corenet_sendrecv_generic_client_packets(xguest_t)
+ corenet_tcp_connect_http_port(xguest_t)
+ corenet_tcp_connect_http_cache_port(xguest_t)
+ corenet_tcp_connect_squid_port(xguest_t)
+ corenet_tcp_connect_flash_port(xguest_t)
+ corenet_tcp_connect_ftp_port(xguest_t)
+ corenet_tcp_connect_ipp_port(xguest_t)
corenet_tcp_connect_generic_port(xguest_t)
- corenet_tcp_sendrecv_generic_port(xguest_t)
-
- corenet_sendrecv_soundd_client_packets(xguest_t)
corenet_tcp_connect_soundd_port(xguest_t)
- corenet_tcp_sendrecv_soundd_port(xguest_t)
-
- corenet_sendrecv_speech_client_packets(xguest_t)
- corenet_tcp_connect_speech_port(xguest_t)
- corenet_tcp_sendrecv_speech_port(xguest_t)
-
- corenet_sendrecv_transproxy_client_packets(xguest_t)
- corenet_tcp_connect_transproxy_port(xguest_t)
- corenet_tcp_sendrecv_transproxy_port(xguest_t)
-
+ corenet_sendrecv_http_client_packets(xguest_t)
+ corenet_sendrecv_http_cache_client_packets(xguest_t)
+ corenet_sendrecv_squid_client_packets(xguest_t)
+ corenet_sendrecv_ftp_client_packets(xguest_t)
+ corenet_sendrecv_ipp_client_packets(xguest_t)
+ corenet_sendrecv_generic_client_packets(xguest_t)
+ # Should not need other ports
corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t)
corenet_dontaudit_tcp_bind_generic_port(xguest_t)
+ corenet_tcp_connect_speech_port(xguest_t)
+ corenet_tcp_sendrecv_transproxy_port(xguest_t)
+ corenet_tcp_connect_transproxy_port(xguest_t)
')
')
optional_policy(`
- pcscd_read_pid_files(xguest_t)
- pcscd_stream_connect(xguest_t)
+ gen_require(`
+ type mozilla_t;
+ ')
+
+ allow xguest_t mozilla_t:process transition;
+ role xguest_r types mozilla_t;
')
-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/xprint.te b/xprint.te
index 3c44d8493..ce5e69d69 100644
--- a/xprint.te
+++ b/xprint.te
@@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(xprint_t)
corecmd_exec_bin(xprint_t)
corecmd_exec_shell(xprint_t)
-corenet_all_recvfrom_unlabeled(xprint_t)
corenet_all_recvfrom_netlabel(xprint_t)
corenet_tcp_sendrecv_generic_if(xprint_t)
corenet_udp_sendrecv_generic_if(xprint_t)
@@ -46,9 +45,7 @@ dev_read_urand(xprint_t)
domain_use_interactive_fds(xprint_t)
-files_read_etc_files(xprint_t)
files_read_etc_runtime_files(xprint_t)
-files_read_usr_files(xprint_t)
files_search_var_lib(xprint_t)
files_search_tmp(xprint_t)
@@ -58,7 +55,6 @@ fs_search_auto_mountpoints(xprint_t)
logging_send_syslog_msg(xprint_t)
miscfiles_read_fonts(xprint_t)
-miscfiles_read_localization(xprint_t)
sysnet_read_config(xprint_t)
diff --git a/xscreensaver.te b/xscreensaver.te
index 04096a050..98a8205a7 100644
--- a/xscreensaver.te
+++ b/xscreensaver.te
@@ -25,7 +25,6 @@ allow xscreensaver_t self:fifo_file rw_fifo_file_perms;
kernel_read_system_state(xscreensaver_t)
-files_read_usr_files(xscreensaver_t)
auth_use_nsswitch(xscreensaver_t)
auth_domtrans_chk_passwd(xscreensaver_t)
@@ -35,9 +34,8 @@ init_read_utmp(xscreensaver_t)
logging_send_audit_msgs(xscreensaver_t)
logging_send_syslog_msg(xscreensaver_t)
-miscfiles_read_localization(xscreensaver_t)
-
-userdom_use_user_terminals(xscreensaver_t)
+userdom_use_inherited_user_ptys(xscreensaver_t)
+#access to .icons and ~/.xscreensaver
userdom_read_user_home_content_files(xscreensaver_t)
xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
diff --git a/yam.te b/yam.te
index 2695db25c..311159866 100644
--- a/yam.te
+++ b/yam.te
@@ -26,7 +26,7 @@ files_tmp_file(yam_tmp_t)
# Local policy
#
-allow yam_t self:capability { chown fowner fsetid dac_override };
+allow yam_t self:capability { chown fowner fsetid dac_read_search };
allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
allow yam_t self:fd use;
allow yam_t self:fifo_file rw_fifo_file_perms;
@@ -73,11 +73,11 @@ auth_use_nsswitch(yam_t)
logging_send_syslog_msg(yam_t)
-miscfiles_read_localization(yam_t)
-
seutil_read_config(yam_t)
-userdom_use_user_terminals(yam_t)
+sysnet_read_config(yam_t)
+
+userdom_use_inherited_user_terminals(yam_t)
userdom_use_unpriv_users_fds(yam_t)
userdom_search_user_home_dirs(yam_t)
diff --git a/zabbix.fc b/zabbix.fc
index c3b5a819e..c384947f3 100644
--- a/zabbix.fc
+++ b/zabbix.fc
@@ -4,12 +4,22 @@
/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
-/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/sbin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
+/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/sbin/zabbix_proxy -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/sbin/zabbix_proxy_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/sbin/zabbix_proxy_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/sbin/zabbix_proxy_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+
+/usr/lib/zabbix/externalscripts(/.*)? gen_context(system_u:object_r:zabbix_script_exec_t,s0)
+
+/var/lib/zabbixsrv(/.*)? gen_context(system_u:object_r:zabbix_var_lib_t,s0)
+/var/lib/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_lib_t,s0)
+/var/lib/zabbix/externalscripts(/.*)? gen_context(system_u:object_r:zabbix_script_exec_t,s0)
-/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
+/var/log/zabbix.* gen_context(system_u:object_r:zabbix_log_t,s0)
/var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0)
diff --git a/zabbix.if b/zabbix.if
index dd63de028..38ce6208e 100644
--- a/zabbix.if
+++ b/zabbix.if
@@ -1,4 +1,4 @@
-## <summary>Distributed infrastructure monitoring.</summary>
+## <summary>Distributed infrastructure monitoring</summary>
########################################
## <summary>
@@ -15,13 +15,12 @@ interface(`zabbix_domtrans',`
type zabbix_t, zabbix_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, zabbix_exec_t, zabbix_t)
')
########################################
## <summary>
-## Connect to zabbit on the TCP network.
+## Allow connectivity to the zabbix server
## </summary>
## <param name="domain">
## <summary>
@@ -34,7 +33,7 @@ interface(`zabbix_tcp_connect',`
type zabbix_t;
')
- corenet_sendrecv_zabbix_client_packets($1)
+ corenet_sendrecv_zabbix_agent_client_packets($1)
corenet_tcp_connect_zabbix_port($1)
corenet_tcp_recvfrom_labeled($1, zabbix_t)
corenet_tcp_sendrecv_zabbix_port($1)
@@ -42,7 +41,7 @@ interface(`zabbix_tcp_connect',`
########################################
## <summary>
-## Read zabbix log files.
+## Allow the specified domain to read zabbix's log files.
## </summary>
## <param name="domain">
## <summary>
@@ -62,13 +61,34 @@ interface(`zabbix_read_log',`
########################################
## <summary>
-## Append zabbix log files.
+## Allow the specified domain to read zabbix's tmp files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
+#
+interface(`zabbix_read_tmp',`
+ gen_require(`
+ type zabbix_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, zabbix_tmp_t, zabbix_tmp_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## zabbix log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
#
interface(`zabbix_append_log',`
gen_require(`
@@ -81,7 +101,7 @@ interface(`zabbix_append_log',`
########################################
## <summary>
-## Read zabbix pid files.
+## Read zabbix PID files.
## </summary>
## <param name="domain">
## <summary>
@@ -100,7 +120,7 @@ interface(`zabbix_read_pid_files',`
########################################
## <summary>
-## Connect to zabbix agent on the TCP network.
+## Allow connectivity to a zabbix agent
## </summary>
## <param name="domain">
## <summary>
@@ -110,7 +130,7 @@ interface(`zabbix_read_pid_files',`
#
interface(`zabbix_agent_tcp_connect',`
gen_require(`
- type zabbix_agent_t;
+ type zabbix_t, zabbix_agent_t;
')
corenet_sendrecv_zabbix_agent_client_packets($1)
@@ -121,8 +141,8 @@ interface(`zabbix_agent_tcp_connect',`
########################################
## <summary>
-## All of the rules required to
-## administrate an zabbix environment.
+## All of the rules required to administrate
+## an zabbix environment
## </summary>
## <param name="domain">
## <summary>
@@ -131,7 +151,7 @@ interface(`zabbix_agent_tcp_connect',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the zabbix domain.
## </summary>
## </param>
## <rolecap/>
@@ -139,16 +159,18 @@ interface(`zabbix_agent_tcp_connect',`
interface(`zabbix_admin',`
gen_require(`
type zabbix_t, zabbix_log_t, zabbix_var_run_t;
- type zabbix_initrc_exec_t, zabbit_agent_initrc_exec_t, zabbix_tmp_t;
- type zabbit_tmpfs_t;
+ type zabbix_initrc_exec_t;
')
- allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { zabbix_t zabbix_agent_t })
+ allow $1 zabbix_t:process signal_perms;
+ ps_process_pattern($1, zabbix_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 zabbix_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t })
+ init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
domain_system_change_exemption($1)
- role_transition $2 { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t } system_r;
+ role_transition $2 zabbix_initrc_exec_t system_r;
allow $2 system_r;
logging_list_logs($1)
@@ -156,10 +178,4 @@ interface(`zabbix_admin',`
files_list_pids($1)
admin_pattern($1, zabbix_var_run_t)
-
- files_list_tmp($1)
- admin_pattern($1, zabbix_tmp_t)
-
- fs_list_tmpfs($1)
- admin_pattern($1, zabbix_tmpfs_t)
')
diff --git a/zabbix.te b/zabbix.te
index 7f496c617..9c540d761 100644
--- a/zabbix.te
+++ b/zabbix.te
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
#
## <desc>
-## <p>
+## <p>
## Determine whether zabbix can
## connect to all TCP ports
## </p>
## </desc>
gen_tunable(zabbix_can_network, false)
-type zabbix_t;
+attribute zabbix_domain;
+
+type zabbix_t, zabbix_domain;
type zabbix_exec_t;
init_daemon_domain(zabbix_t, zabbix_exec_t)
type zabbix_initrc_exec_t;
init_script_file(zabbix_initrc_exec_t)
-type zabbix_agent_t;
+type zabbix_agent_t, zabbix_domain;
type zabbix_agent_exec_t;
init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t)
type zabbix_agent_initrc_exec_t;
init_script_file(zabbix_agent_initrc_exec_t)
+type zabbixd_var_lib_t;
+files_type(zabbixd_var_lib_t)
+
type zabbix_log_t;
logging_log_file(zabbix_log_t)
@@ -36,27 +41,62 @@ files_tmp_file(zabbix_tmp_t)
type zabbix_tmpfs_t;
files_tmpfs_file(zabbix_tmpfs_t)
+type zabbix_var_lib_t;
+files_type(zabbix_var_lib_t)
+
type zabbix_var_run_t;
files_pid_file(zabbix_var_run_t)
+type zabbix_script_t;
+type zabbix_script_exec_t;
+domain_type(zabbix_script_t)
+domain_entry_file(zabbix_script_t, zabbix_script_exec_t)
+application_executable_file(zabbix_script_exec_t)
+role system_r types zabbix_script_t;
+
+########################################
+#
+# zabbix domain local policy
+#
+
+allow zabbix_domain self:capability { setuid setgid };
+allow zabbix_domain self:process { setpgid setsched getsched signal_perms };
+allow zabbix_domain self:fifo_file rw_fifo_file_perms;
+allow zabbix_domain self:sem create_sem_perms;
+allow zabbix_domain self:shm create_shm_perms;
+allow zabbix_domain self:tcp_socket { accept listen };
+allow zabbix_domain self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_all_sysctls(zabbix_domain)
+kernel_read_network_state(zabbix_domain)
+
+corenet_tcp_sendrecv_generic_if(zabbix_domain)
+corenet_tcp_sendrecv_generic_node(zabbix_domain)
+corenet_tcp_bind_generic_node(zabbix_domain)
+
+corecmd_exec_shell(zabbix_domain)
+corecmd_exec_bin(zabbix_domain)
+
+dev_read_sysfs(zabbix_domain)
+dev_read_urand(zabbix_domain)
+
########################################
#
# Local policy
#
-allow zabbix_t self:capability { dac_read_search dac_override setuid setgid };
-allow zabbix_t self:process { setsched signal_perms };
-allow zabbix_t self:fifo_file rw_fifo_file_perms;
-allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
-allow zabbix_t self:sem create_sem_perms;
-allow zabbix_t self:shm create_shm_perms;
-allow zabbix_t self:tcp_socket create_stream_socket_perms;
+allow zabbix_t self:capability { dac_read_search };
+allow zabbix_t self:process { setrlimit };
+
+manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
-allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
-append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-logging_log_filetrans(zabbix_t, zabbix_log_t, file)
+manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+logging_log_filetrans(zabbix_t, zabbix_log_t, { dir file })
manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
@@ -70,13 +110,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
kernel_read_system_state(zabbix_t)
-kernel_read_kernel_sysctls(zabbix_t)
corenet_all_recvfrom_unlabeled(zabbix_t)
corenet_all_recvfrom_netlabel(zabbix_t)
-corenet_tcp_sendrecv_generic_if(zabbix_t)
-corenet_tcp_sendrecv_generic_node(zabbix_t)
-corenet_tcp_bind_generic_node(zabbix_t)
corenet_sendrecv_ftp_client_packets(zabbix_t)
corenet_tcp_connect_ftp_port(zabbix_t)
@@ -85,24 +121,18 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
corenet_sendrecv_http_client_packets(zabbix_t)
corenet_tcp_connect_http_port(zabbix_t)
corenet_tcp_sendrecv_http_port(zabbix_t)
+corenet_tcp_connect_smtp_port(zabbix_t)
corenet_sendrecv_zabbix_server_packets(zabbix_t)
corenet_tcp_bind_zabbix_port(zabbix_t)
corenet_tcp_sendrecv_zabbix_port(zabbix_t)
-corecmd_exec_bin(zabbix_t)
-corecmd_exec_shell(zabbix_t)
-
-dev_read_urand(zabbix_t)
-
-files_read_usr_files(zabbix_t)
-
auth_use_nsswitch(zabbix_t)
-miscfiles_read_localization(zabbix_t)
-
zabbix_agent_tcp_connect(zabbix_t)
+logging_send_syslog_msg(zabbix_t)
+
tunable_policy(`zabbix_can_network',`
corenet_sendrecv_all_client_packets(zabbix_t)
corenet_tcp_connect_all_ports(zabbix_t)
@@ -110,12 +140,11 @@ tunable_policy(`zabbix_can_network',`
')
optional_policy(`
- netutils_domtrans_ping(zabbix_t)
+ mysql_stream_connect(zabbix_t)
')
optional_policy(`
- mysql_stream_connect(zabbix_t)
- mysql_tcp_connect(zabbix_t)
+ netutils_domtrans_ping(zabbix_t)
')
optional_policy(`
@@ -125,6 +154,7 @@ optional_policy(`
optional_policy(`
snmp_read_snmp_var_lib_files(zabbix_t)
+ snmp_read_snmp_var_lib_dirs(zabbix_t)
')
########################################
@@ -132,18 +162,9 @@ optional_policy(`
# Agent local policy
#
-allow zabbix_agent_t self:capability { setuid setgid };
-allow zabbix_agent_t self:process { setsched getsched signal };
-allow zabbix_agent_t self:fifo_file rw_fifo_file_perms;
-allow zabbix_agent_t self:sem create_sem_perms;
-allow zabbix_agent_t self:shm create_shm_perms;
-allow zabbix_agent_t self:tcp_socket { accept listen };
-allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
+allow zabbix_agent_t self:process { setrlimit };
-append_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
-create_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
-setattr_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
-filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)
+manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
@@ -151,16 +172,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
-kernel_read_all_sysctls(zabbix_agent_t)
kernel_read_system_state(zabbix_agent_t)
-
-corecmd_read_all_executables(zabbix_agent_t)
+kernel_read_network_state(zabbix_agent_t)
corenet_all_recvfrom_unlabeled(zabbix_agent_t)
corenet_all_recvfrom_netlabel(zabbix_agent_t)
-corenet_tcp_sendrecv_generic_if(zabbix_agent_t)
-corenet_tcp_sendrecv_generic_node(zabbix_agent_t)
-corenet_tcp_bind_generic_node(zabbix_agent_t)
+
+corecmd_read_all_executables(zabbix_agent_t)
corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
@@ -170,6 +188,30 @@ corenet_sendrecv_ssh_client_packets(zabbix_agent_t)
corenet_tcp_connect_ssh_port(zabbix_agent_t)
corenet_tcp_sendrecv_ssh_port(zabbix_agent_t)
+corenet_sendrecv_ftp_client_packets(zabbix_agent_t)
+corenet_tcp_connect_ftp_port(zabbix_agent_t)
+corenet_tcp_sendrecv_ftp_port(zabbix_agent_t)
+
+corenet_sendrecv_http_client_packets(zabbix_agent_t)
+corenet_tcp_connect_http_port(zabbix_agent_t)
+corenet_tcp_sendrecv_http_port(zabbix_agent_t)
+
+corenet_sendrecv_innd_client_packets(zabbix_agent_t)
+corenet_tcp_connect_innd_port(zabbix_agent_t)
+corenet_tcp_sendrecv_innd_port(zabbix_agent_t)
+
+corenet_sendrecv_pop_client_packets(zabbix_agent_t)
+corenet_tcp_connect_pop_port(zabbix_agent_t)
+corenet_tcp_sendrecv_pop_port(zabbix_agent_t)
+
+corenet_sendrecv_postgresql_client_packets(zabbix_agent_t)
+corenet_tcp_connect_postgresql_port(zabbix_agent_t)
+corenet_tcp_sendrecv_postgresql_port(zabbix_agent_t)
+
+corenet_sendrecv_smtp_client_packets(zabbix_agent_t)
+corenet_tcp_connect_smtp_port(zabbix_agent_t)
+corenet_tcp_sendrecv_smtp_port(zabbix_agent_t)
+
corenet_sendrecv_zabbix_client_packets(zabbix_agent_t)
corenet_tcp_connect_zabbix_port(zabbix_agent_t)
corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
@@ -177,21 +219,50 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
dev_getattr_all_blk_files(zabbix_agent_t)
dev_getattr_all_chr_files(zabbix_agent_t)
-domain_search_all_domains_state(zabbix_agent_t)
+domain_read_all_domains_state(zabbix_agent_t)
files_getattr_all_dirs(zabbix_agent_t)
files_getattr_all_files(zabbix_agent_t)
files_read_all_symlinks(zabbix_agent_t)
-files_read_etc_files(zabbix_agent_t)
fs_getattr_all_fs(zabbix_agent_t)
+auth_use_nsswitch(zabbix_agent_t)
+
init_read_utmp(zabbix_agent_t)
logging_search_logs(zabbix_agent_t)
-miscfiles_read_localization(zabbix_agent_t)
-
sysnet_dns_name_resolve(zabbix_agent_t)
zabbix_tcp_connect(zabbix_agent_t)
+
+optional_policy(`
+ dmidecode_domtrans(zabbix_agent_t)
+')
+
+optional_policy(`
+ hostname_exec(zabbix_agent_t)
+')
+
+########################################
+#
+# zabbix_script_t local policy
+#
+
+domtrans_pattern(zabbix_t, zabbix_script_exec_t, zabbix_script_t)
+
+allow zabbix_t zabbix_script_exec_t:dir search_dir_perms;
+allow zabbix_t zabbix_script_exec_t:dir read_file_perms;
+allow zabbix_t zabbix_script_exec_t:file ioctl;
+allow zabbix_t zabbix_script_t:process signal;
+
+init_domtrans_script(zabbix_script_t)
+
+optional_policy(`
+ mta_send_mail(zabbix_script_t)
+')
+
+optional_policy(`
+ unconfined_domain(zabbix_script_t)
+')
diff --git a/zarafa.fc b/zarafa.fc
index faf99ed51..44e94fad9 100644
--- a/zarafa.fc
+++ b/zarafa.fc
@@ -1,33 +1,34 @@
-/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0)
+/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0)
-/etc/rc\.d/init\.d/zarafa.* -- gen_context(system_u:object_r:zarafa_initrc_exec_t,s0)
+/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0)
+/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0)
+/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0)
+/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
+/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0)
+/usr/bin/zarafa-search -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
+/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0)
+/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
-/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0)
-/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0)
-/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0)
-/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
-/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0)
-/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0)
-/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
-
-/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
/var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
-/var/lib/zarafa-webapp(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+/var/lib/zarafa-webapp(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
-/var/log/zarafa/dagent\.log.* -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0)
+/var/log/zarafa/dagent\.log.* -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0)
/var/log/zarafa/gateway\.log.* -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
/var/log/zarafa/ical\.log.* -- gen_context(system_u:object_r:zarafa_ical_log_t,s0)
/var/log/zarafa/indexer\.log.* -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
/var/log/zarafa/monitor\.log.* -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0)
/var/log/zarafa/server\.log.* -- gen_context(system_u:object_r:zarafa_server_log_t,s0)
+/var/log/zarafa/search\.log.* -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
/var/log/zarafa/spooler\.log.* -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
-/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
-/var/run/zarafa-dagent\.pid -- gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0)
+/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+/var/run/zarafa-dagent\.pid -- gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0)
/var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0)
/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0)
-/var/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
+/var/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
/var/run/zarafa-indexer\.pid -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
/var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+/var/run/zarafa-search\.pid -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
/var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0)
diff --git a/zarafa.if b/zarafa.if
index 36e32df6d..3d089626e 100644
--- a/zarafa.if
+++ b/zarafa.if
@@ -1,55 +1,59 @@
## <summary>Zarafa collaboration platform.</summary>
-#######################################
+######################################
## <summary>
-## The template to define a zarafa domain.
+## Creates types and rules for a basic
+## zararfa init daemon domain.
## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
## <summary>
-## Domain prefix to be used.
+## Prefix for the domain.
## </summary>
## </param>
#
template(`zarafa_domain_template',`
gen_require(`
- attribute zarafa_domain, zarafa_logfile, zarafa_pidfile;
+ attribute zarafa_domain;
')
- ########################################
+ ##############################
#
- # Declarations
+ # $1_t declarations
#
type zarafa_$1_t, zarafa_domain;
type zarafa_$1_exec_t;
init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t)
- type zarafa_$1_log_t, zarafa_logfile;
+ type zarafa_$1_log_t;
logging_log_file(zarafa_$1_log_t)
- type zarafa_$1_var_run_t, zarafa_pidfile;
+ type zarafa_$1_var_run_t;
files_pid_file(zarafa_$1_var_run_t)
- ########################################
+ ##############################
#
- # Policy
+ # $1_t local policy
#
manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file })
- append_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
- create_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
- setattr_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
- logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, file)
+ manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
+ logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file })
+
+ kernel_read_system_state(zarafa_$1_t)
auth_use_nsswitch(zarafa_$1_t)
+
+ logging_send_syslog_msg(zarafa_$1_t)
')
######################################
## <summary>
-## search zarafa configuration directories.
+## Allow the specified domain to search
+## zarafa configuration dirs.
## </summary>
## <param name="domain">
## <summary>
@@ -68,7 +72,7 @@ interface(`zarafa_search_config',`
########################################
## <summary>
-## Execute a domain transition to run zarafa deliver.
+## Execute a domain transition to run zarafa_deliver.
## </summary>
## <param name="domain">
## <summary>
@@ -81,13 +85,12 @@ interface(`zarafa_domtrans_deliver',`
type zarafa_deliver_t, zarafa_deliver_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t)
')
########################################
## <summary>
-## Execute a domain transition to run zarafa server.
+## Execute a domain transition to run zarafa_server.
## </summary>
## <param name="domain">
## <summary>
@@ -100,14 +103,12 @@ interface(`zarafa_domtrans_server',`
type zarafa_server_t, zarafa_server_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t)
')
#######################################
## <summary>
-## Connect to zarafa server with a unix
-## domain stream socket.
+## Connect to zarafa-server unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -124,51 +125,24 @@ interface(`zarafa_stream_connect_server',`
stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
')
-########################################
+####################################
## <summary>
-## All of the rules required to
-## administrate an zarafa environment.
+## Allow the specified domain to manage
+## zarafa /var/lib files.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
-## <rolecap/>
#
-interface(`zarafa_admin',`
- gen_require(`
- attribute zarafa_domain, zarafa_logfile, zarafa_pidfile;
- type zarafa_etc_t, zarafa_initrc_exec_t, zarafa_deliver_tmp_t;
- type zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_share_t;
- type zarafa_var_lib_t;
- ')
-
- allow $1 zarafa_domain:process { ptrace signal_perms };
- ps_process_pattern($1, zarafa_domain)
-
- init_labeled_script_domtrans($1, zarafa_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 zarafa_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_etc($1)
- admin_pattern($1, zarafa_etc_t)
-
- files_search_tmp($1)
- admin_pattern($1, { zarafa_deliver_tmp_t zarafa_indexer_tmp_t zarafa_server_tmp_t })
-
- logging_search_log($1)
- admin_pattern($1, zarafa_logfile)
-
- files_search_var_lib($1)
- admin_pattern($1, { zarafa_var_lib_t zarafa_share_t })
-
- files_search_pids($1)
- admin_pattern($1, zarafa_pidfile)
+interface(`zarafa_manage_lib_files',`
+ gen_require(`
+ type zarafa_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
+ manage_lnk_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
')
diff --git a/zarafa.te b/zarafa.te
index 3fded1c4d..7bcf05a6c 100644
--- a/zarafa.te
+++ b/zarafa.te
@@ -5,9 +5,14 @@ policy_module(zarafa, 1.2.0)
# Declarations
#
+## <desc>
+## <p>
+## Allow zarafa domains to setrlimit/sys_resource.
+## </p>
+## </desc>
+gen_tunable(zarafa_setrlimit, false)
+
attribute zarafa_domain;
-attribute zarafa_logfile;
-attribute zarafa_pidfile;
zarafa_domain_template(deliver)
@@ -17,9 +22,6 @@ files_tmp_file(zarafa_deliver_tmp_t)
type zarafa_etc_t;
files_config_file(zarafa_etc_t)
-type zarafa_initrc_exec_t;
-init_script_file(zarafa_initrc_exec_t)
-
zarafa_domain_template(gateway)
zarafa_domain_template(ical)
zarafa_domain_template(indexer)
@@ -43,61 +45,74 @@ files_tmp_file(zarafa_var_lib_t)
########################################
#
-# Deliver local policy
+# zarafa-deliver local policy
#
manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
+auth_use_nsswitch(zarafa_deliver_t)
+
+corenet_tcp_bind_lmtp_port(zarafa_deliver_t)
+
########################################
#
-# Gateway local policy
+# zarafa_gateway local policy
#
-
-corenet_all_recvfrom_unlabeled(zarafa_gateway_t)
corenet_all_recvfrom_netlabel(zarafa_gateway_t)
corenet_tcp_sendrecv_generic_if(zarafa_gateway_t)
corenet_tcp_sendrecv_generic_node(zarafa_gateway_t)
+corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
corenet_tcp_bind_generic_node(zarafa_gateway_t)
-
-corenet_sendrecv_pop_server_packets(zarafa_gateway_t)
corenet_tcp_bind_pop_port(zarafa_gateway_t)
-corenet_tcp_sendrecv_pop_port(zarafa_gateway_t)
+
+######################################
+#
+# zarafa-indexer local policy
+#
+
+
+manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
+manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
+files_tmp_filetrans(zarafa_indexer_t, zarafa_indexer_tmp_t, { file dir })
+
+manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
+manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
+manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
+
+auth_use_nsswitch(zarafa_indexer_t)
#######################################
#
-# Ical local policy
+# zarafa-ical local policy
#
-corenet_all_recvfrom_unlabeled(zarafa_ical_t)
+
corenet_all_recvfrom_netlabel(zarafa_ical_t)
corenet_tcp_sendrecv_generic_if(zarafa_ical_t)
corenet_tcp_sendrecv_generic_node(zarafa_ical_t)
+corenet_tcp_sendrecv_all_ports(zarafa_ical_t)
corenet_tcp_bind_generic_node(zarafa_ical_t)
-
-corenet_sendrecv_http_cache_client_packets(zarafa_ical_t)
corenet_tcp_bind_http_cache_port(zarafa_ical_t)
-corenet_tcp_sendrecv_http_cache_port(zarafa_ical_t)
+
+auth_use_nsswitch(zarafa_ical_t)
######################################
#
-# Indexer local policy
+# zarafa-monitor local policy
#
-manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
-manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
-files_tmp_filetrans(zarafa_indexer_t, zarafa_indexer_tmp_t, { file dir })
-manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
-manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
-manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
+auth_use_nsswitch(zarafa_monitor_t)
########################################
#
-# Server local policy
+# zarafa_server local policy
#
+allow zarafa_server_t self:capability net_bind_service;
+
manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
@@ -109,70 +124,85 @@ files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file }
stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
-corenet_all_recvfrom_unlabeled(zarafa_server_t)
corenet_all_recvfrom_netlabel(zarafa_server_t)
corenet_tcp_sendrecv_generic_if(zarafa_server_t)
corenet_tcp_sendrecv_generic_node(zarafa_server_t)
+corenet_tcp_sendrecv_all_ports(zarafa_server_t)
corenet_tcp_bind_generic_node(zarafa_server_t)
-
-corenet_sendrecv_zarafa_server_packets(zarafa_server_t)
corenet_tcp_bind_zarafa_port(zarafa_server_t)
-corenet_tcp_sendrecv_zarafa_port(zarafa_server_t)
-files_read_usr_files(zarafa_server_t)
+auth_use_nsswitch(zarafa_server_t)
+
+logging_send_syslog_msg(zarafa_server_t)
logging_send_audit_msgs(zarafa_server_t)
+sysnet_dns_name_resolve(zarafa_server_t)
+
optional_policy(`
kerberos_use(zarafa_server_t)
')
optional_policy(`
mysql_stream_connect(zarafa_server_t)
- mysql_tcp_connect(zarafa_server_t)
-')
-
-optional_policy(`
- postgresql_stream_connect(zarafa_server_t)
- postgresql_tcp_connect(zarafa_server_t)
')
########################################
#
-# Spooler local policy
+# zarafa_spooler local policy
#
can_exec(zarafa_spooler_t, zarafa_spooler_exec_t)
-corenet_all_recvfrom_unlabeled(zarafa_spooler_t)
corenet_all_recvfrom_netlabel(zarafa_spooler_t)
corenet_tcp_sendrecv_generic_if(zarafa_spooler_t)
corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
-
-corenet_sendrecv_smtp_client_packets(zarafa_spooler_t)
+corenet_tcp_sendrecv_all_ports(zarafa_spooler_t)
corenet_tcp_connect_smtp_port(zarafa_spooler_t)
-corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t)
+
+auth_use_nsswitch(zarafa_spooler_t)
########################################
#
-# Zarafa domain local policy
+# zarafa_gateway local policy
#
+corenet_tcp_bind_pop_port(zarafa_gateway_t)
-allow zarafa_domain self:capability { kill dac_override chown setgid setuid };
-allow zarafa_domain self:process { setrlimit signal };
+#######################################
+#
+# zarafa-ical local policy
+#
+
+corenet_tcp_bind_http_cache_port(zarafa_ical_t)
+
+######################################
+#
+# zarafa-monitor local policy
+#
+
+
+########################################
+#
+# zarafa domains local policy
+#
+
+# bad permission on /etc/zarafa
+allow zarafa_domain self:capability { kill dac_read_search chown setgid setuid };
+allow zarafa_domain self:process { signal_perms };
allow zarafa_domain self:fifo_file rw_fifo_file_perms;
-allow zarafa_domain self:tcp_socket { accept listen };
-allow zarafa_domain self:unix_stream_socket { accept listen };
+allow zarafa_domain self:tcp_socket create_stream_socket_perms;
+allow zarafa_domain self:unix_stream_socket create_stream_socket_perms;
+
+tunable_policy(`zarafa_setrlimit',`
+ allow zarafa_domain self:capability sys_resource;
+ allow zarafa_domain self:process setrlimit;
+')
stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
-kernel_read_system_state(zarafa_domain)
-
dev_read_rand(zarafa_domain)
dev_read_urand(zarafa_domain)
-logging_send_syslog_msg(zarafa_domain)
-
-miscfiles_read_localization(zarafa_domain)
+dev_read_sysfs(zarafa_domain)
diff --git a/zebra.fc b/zebra.fc
index 28ee4cac9..bc37f7691 100644
--- a/zebra.fc
+++ b/zebra.fc
@@ -1,21 +1,34 @@
-/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
-/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
-
/etc/rc\.d/init\.d/bgpd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
/etc/rc\.d/init\.d/ripd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/babeld -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/isisd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/babeld.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
+/usr/lib/systemd/system/bgpd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
+/usr/lib/systemd/system/isisd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
+/usr/lib/systemd/system/ospf6d.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
+/usr/lib/systemd/system/ospfd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
+/usr/lib/systemd/system/ripd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
+/usr/lib/systemd/system/ripngd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
+/usr/lib/systemd/system/zebra.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
-/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/babeld -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/isisd -- gen_context(system_u:object_r:zebra_exec_t,s0)
/usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
-/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
-/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
+
+/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
+/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
-/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
-/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
+/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
+/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
/var/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0)
/var/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0)
-/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0)
+/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0)
diff --git a/zebra.if b/zebra.if
index 34164017b..e364caf4b 100644
--- a/zebra.if
+++ b/zebra.if
@@ -1,8 +1,8 @@
-## <summary>Zebra border gateway protocol network routing service.</summary>
+## <summary>Zebra border gateway protocol network routing service</summary>
########################################
## <summary>
-## Read zebra configuration content.
+## Read the configuration files for zebra.
## </summary>
## <param name="domain">
## <summary>
@@ -18,14 +18,13 @@ interface(`zebra_read_config',`
files_search_etc($1)
allow $1 zebra_conf_t:dir list_dir_perms;
- allow $1 zebra_conf_t:file read_file_perms;
- allow $1 zebra_conf_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, zebra_conf_t, zebra_conf_t)
+ read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t)
')
########################################
## <summary>
-## Connect to zebra with a unix
-## domain stream socket.
+## Connect to zebra over an unix stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -42,10 +41,34 @@ interface(`zebra_stream_connect',`
stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
')
+#######################################
+## <summary>
+## Execute zebra services in the zebra domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zebra_systemctl',`
+ gen_require(`
+ type zebra_t;
+ type zebra_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 zebra_unit_file_t:file read_file_perms;
+ allow $1 zebra_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, zebra_t)
+')
+
########################################
## <summary>
-## All of the rules required to
-## administrate an zebra environment.
+## All of the rules required to administrate
+## an zebra environment
## </summary>
## <param name="domain">
## <summary>
@@ -54,7 +77,7 @@ interface(`zebra_stream_connect',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the zebra domain.
## </summary>
## </param>
## <rolecap/>
@@ -62,13 +85,16 @@ interface(`zebra_stream_connect',`
interface(`zebra_admin',`
gen_require(`
type zebra_t, zebra_tmp_t, zebra_log_t;
- type zebra_conf_t, zebra_var_run_t;
- type zebra_initrc_exec_t;
+ type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t;
')
- allow $1 zebra_t:process { ptrace signal_perms };
+ allow $1 zebra_t:process signal_perms;
ps_process_pattern($1, zebra_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 zebra_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, zebra_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 zebra_initrc_exec_t system_r;
@@ -85,4 +111,8 @@ interface(`zebra_admin',`
files_list_pids($1)
admin_pattern($1, zebra_var_run_t)
+
+ zebra_systemctl($1)
+ admin_pattern($1, zebra_unit_file_t)
+ allow $1 zebra_unit_file_t:service all_service_perms;
')
diff --git a/zebra.te b/zebra.te
index 2e80d04fc..5bf04b2d0 100644
--- a/zebra.te
+++ b/zebra.te
@@ -6,23 +6,26 @@ policy_module(zebra, 1.13.0)
#
## <desc>
-## <p>
-## Determine whether zebra daemon can
-## manage its configuration files.
-## </p>
+## <p>
+## Allow zebra daemon to write it configuration files
+## </p>
## </desc>
-gen_tunable(allow_zebra_write_config, false)
+#
+gen_tunable(zebra_write_config, false)
type zebra_t;
type zebra_exec_t;
init_daemon_domain(zebra_t, zebra_exec_t)
type zebra_conf_t;
-files_type(zebra_conf_t)
+files_config_file(zebra_conf_t)
type zebra_initrc_exec_t;
init_script_file(zebra_initrc_exec_t)
+type zebra_unit_file_t;
+systemd_unit_file(zebra_unit_file_t)
+
type zebra_log_t;
logging_log_file(zebra_log_t)
@@ -40,26 +43,27 @@ files_pid_file(zebra_var_run_t)
allow zebra_t self:capability { setgid setuid net_admin net_raw };
dontaudit zebra_t self:capability sys_tty_config;
allow zebra_t self:process { signal_perms getcap setcap };
-allow zebra_t self:fifo_file rw_fifo_file_perms;
-allow zebra_t self:unix_stream_socket { accept connectto listen };
+allow zebra_t self:file rw_file_perms;
+allow zebra_t self:unix_dgram_socket create_socket_perms;
+allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
allow zebra_t self:tcp_socket { connect connected_stream_socket_perms };
allow zebra_t self:udp_socket create_socket_perms;
allow zebra_t self:rawip_socket create_socket_perms;
allow zebra_t zebra_conf_t:dir list_dir_perms;
-allow zebra_t zebra_conf_t:file read_file_perms;
-allow zebra_t zebra_conf_t:lnk_file read_lnk_file_perms;
+read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
allow zebra_t zebra_log_t:dir setattr_dir_perms;
-append_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
-create_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
-setattr_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
-allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
-files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
+# /tmp/.bgpd is such a bad idea!
+manage_sock_files_pattern(zebra_t, zebra_tmp_t, zebra_tmp_t)
+manage_files_pattern(zebra_t, zebra_tmp_t, zebra_tmp_t)
+files_tmp_filetrans(zebra_t, zebra_tmp_t, { file sock_file })
manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
@@ -71,7 +75,6 @@ kernel_read_network_state(zebra_t)
kernel_read_kernel_sysctls(zebra_t)
kernel_rw_net_sysctls(zebra_t)
-corenet_all_recvfrom_unlabeled(zebra_t)
corenet_all_recvfrom_netlabel(zebra_t)
corenet_tcp_sendrecv_generic_if(zebra_t)
corenet_udp_sendrecv_generic_if(zebra_t)
@@ -79,48 +82,44 @@ corenet_raw_sendrecv_generic_if(zebra_t)
corenet_tcp_sendrecv_generic_node(zebra_t)
corenet_udp_sendrecv_generic_node(zebra_t)
corenet_raw_sendrecv_generic_node(zebra_t)
+corenet_tcp_sendrecv_all_ports(zebra_t)
+corenet_udp_sendrecv_all_ports(zebra_t)
corenet_tcp_bind_generic_node(zebra_t)
corenet_udp_bind_generic_node(zebra_t)
-
-corenet_sendrecv_bgp_server_packets(zebra_t)
corenet_tcp_bind_bgp_port(zebra_t)
-corenet_sendrecv_bgp_client_packets(zebra_t)
+corenet_tcp_bind_zebra_port(zebra_t)
+corenet_udp_bind_router_port(zebra_t)
corenet_tcp_connect_bgp_port(zebra_t)
-corenet_tcp_sendrecv_bgp_port(zebra_t)
-
corenet_sendrecv_zebra_server_packets(zebra_t)
-corenet_tcp_bind_zebra_port(zebra_t)
-corenet_tcp_sendrecv_zebra_port(zebra_t)
-
corenet_sendrecv_router_server_packets(zebra_t)
-corenet_udp_bind_router_port(zebra_t)
-corenet_udp_sendrecv_router_port(zebra_t)
dev_associate_usbfs(zebra_var_run_t)
dev_list_all_dev_nodes(zebra_t)
+dev_read_rand(zebra_t)
+dev_read_urand(zebra_t)
dev_read_sysfs(zebra_t)
dev_rw_zero(zebra_t)
-domain_use_interactive_fds(zebra_t)
-
-files_read_etc_files(zebra_t)
-files_read_etc_runtime_files(zebra_t)
-
fs_getattr_all_fs(zebra_t)
fs_search_auto_mountpoints(zebra_t)
term_list_ptys(zebra_t)
-logging_send_syslog_msg(zebra_t)
+domain_use_interactive_fds(zebra_t)
+
+files_search_etc(zebra_t)
+files_read_etc_runtime_files(zebra_t)
-miscfiles_read_localization(zebra_t)
+auth_use_nsswitch(zebra_t)
+
+logging_send_syslog_msg(zebra_t)
sysnet_read_config(zebra_t)
userdom_dontaudit_use_unpriv_user_fds(zebra_t)
userdom_dontaudit_search_user_home_dirs(zebra_t)
-tunable_policy(`allow_zebra_write_config',`
+tunable_policy(`zebra_write_config',`
manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
')
@@ -139,3 +138,7 @@ optional_policy(`
optional_policy(`
udev_read_db(zebra_t)
')
+
+optional_policy(`
+ unconfined_sigchld(zebra_t)
+')
diff --git a/zoneminder.fc b/zoneminder.fc
new file mode 100644
index 000000000..ceaa219dc
--- /dev/null
+++ b/zoneminder.fc
@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/zoneminder -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0)
+
+/usr/bin/zmpkg.pl -- gen_context(system_u:object_r:zoneminder_exec_t,s0)
+
+/usr/lib/systemd/system/zoneminder.* -- gen_context(system_u:object_r:zoneminder_unit_file_t,s0)
+
+/usr/libexec/zoneminder/cgi-bin(/.*)? gen_context(system_u:object_r:zoneminder_script_exec_t,s0)
+
+/var/lib/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0)
+
+/var/log/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_log_t,s0)
+
+/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0)
diff --git a/zoneminder.if b/zoneminder.if
new file mode 100644
index 000000000..fb0519ebf
--- /dev/null
+++ b/zoneminder.if
@@ -0,0 +1,374 @@
+## <summary>policy for zoneminder</summary>
+
+########################################
+## <summary>
+## Transition to zoneminder.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zoneminder_domtrans',`
+ gen_require(`
+ type zoneminder_t, zoneminder_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, zoneminder_exec_t, zoneminder_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to execute zoneminder
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zoneminder_exec',`
+ gen_require(`
+ type zoneminder_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, zoneminder_exec_t)
+')
+
+
+########################################
+## <summary>
+## Execute zoneminder server in the zoneminder domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zoneminder_initrc_domtrans',`
+ gen_require(`
+ type zoneminder_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, zoneminder_initrc_exec_t)
+')
+
+
+########################################
+## <summary>
+## Read zoneminder's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`zoneminder_read_log',`
+ gen_require(`
+ type zoneminder_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
+')
+
+########################################
+## <summary>
+## Append to zoneminder log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zoneminder_append_log',`
+ gen_require(`
+ type zoneminder_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
+')
+
+########################################
+## <summary>
+## Manage zoneminder log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zoneminder_manage_log',`
+ gen_require(`
+ type zoneminder_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, zoneminder_log_t, zoneminder_log_t)
+ manage_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
+ manage_lnk_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
+')
+
+########################################
+## <summary>
+## Search zoneminder lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zoneminder_search_lib',`
+ gen_require(`
+ type zoneminder_var_lib_t;
+ ')
+
+ allow $1 zoneminder_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read zoneminder lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zoneminder_read_lib_files',`
+ gen_require(`
+ type zoneminder_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage zoneminder lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zoneminder_manage_lib_files',`
+ gen_require(`
+ type zoneminder_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage zoneminder lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zoneminder_manage_lib_dirs',`
+ gen_require(`
+ type zoneminder_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage zoneminder sock_files files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zoneminder_manage_lib_sock_files',`
+ gen_require(`
+ type zoneminder_var_lib_t;
+ ')
+ files_search_var_lib($1)
+ manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
+')
+
+########################################
+## <summary>
+## Search zoneminder spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zoneminder_search_spool',`
+ gen_require(`
+ type zoneminder_spool_t;
+ ')
+
+ allow $1 zoneminder_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Read zoneminder spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zoneminder_read_spool_files',`
+ gen_require(`
+ type zoneminder_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
+')
+
+########################################
+## <summary>
+## Manage zoneminder spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zoneminder_manage_spool_files',`
+ gen_require(`
+ type zoneminder_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
+')
+
+########################################
+## <summary>
+## Manage zoneminder spool dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zoneminder_manage_spool_dirs',`
+ gen_require(`
+ type zoneminder_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
+')
+
+########################################
+## <summary>
+## Connect to zoneminder over a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zoneminder_stream_connect',`
+ gen_require(`
+ type zoneminder_t, zoneminder_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t, zoneminder_t)
+')
+
+######################################
+## <summary>
+## Read/write zonerimender tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zoneminder_rw_tmpfs_files',`
+ gen_require(`
+ type zoneminder_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ rw_files_pattern($1, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an zoneminder environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`zoneminder_admin',`
+ gen_require(`
+ type zoneminder_t;
+ type zoneminder_initrc_exec_t;
+ type zoneminder_log_t;
+ type zoneminder_var_lib_t;
+ type zoneminder_spool_t;
+ ')
+
+ allow $1 zoneminder_t:process { ptrace signal_perms };
+ ps_process_pattern($1, zoneminder_t)
+
+ zoneminder_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 zoneminder_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, zoneminder_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, zoneminder_var_lib_t)
+
+ files_search_spool($1)
+ admin_pattern($1, zoneminder_spool_t)
+
+')
+
diff --git a/zoneminder.te b/zoneminder.te
new file mode 100644
index 000000000..ba9ab9a8a
--- /dev/null
+++ b/zoneminder.te
@@ -0,0 +1,187 @@
+policy_module(zoneminder, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow ZoneMinder to run su/sudo.
+## </p>
+## </desc>
+gen_tunable(zoneminder_run_sudo, false)
+
+
+## <desc>
+## <p>
+## Allow ZoneMinder to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(zoneminder_anon_write, false)
+
+gen_require(`
+ class passwd rootok;
+ class passwd passwd;
+ ')
+
+type zoneminder_t;
+type zoneminder_exec_t;
+init_daemon_domain(zoneminder_t, zoneminder_exec_t)
+
+type zoneminder_unit_file_t;
+systemd_unit_file(zoneminder_unit_file_t)
+
+type zoneminder_initrc_exec_t;
+init_script_file(zoneminder_initrc_exec_t)
+
+type zoneminder_log_t;
+logging_log_file(zoneminder_log_t)
+
+type zoneminder_tmpfs_t;
+files_tmpfs_file(zoneminder_tmpfs_t)
+
+type zoneminder_spool_t;
+files_type(zoneminder_spool_t)
+
+type zoneminder_var_lib_t;
+files_type(zoneminder_var_lib_t)
+
+type zoneminder_var_run_t;
+files_pid_file(zoneminder_var_run_t)
+
+########################################
+#
+# zoneminder local policy
+#
+allow zoneminder_t self:capability { chown dac_read_search };
+allow zoneminder_t self:process { signal_perms setpgid };
+allow zoneminder_t self:shm create_shm_perms;
+allow zoneminder_t self:fifo_file rw_fifo_file_perms;
+allow zoneminder_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow zoneminder_t self:netlink_selinux_socket create_socket_perms;
+
+manage_dirs_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
+manage_files_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
+logging_log_filetrans(zoneminder_t, zoneminder_log_t, { dir file })
+
+manage_dirs_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
+manage_files_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
+manage_lnk_files_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
+fs_tmpfs_filetrans(zoneminder_t, zoneminder_tmpfs_t, { dir file lnk_file })
+
+manage_dirs_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+manage_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+manage_sock_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+manage_lnk_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file lnk_file sock_file })
+
+manage_dirs_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
+manage_files_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
+files_pid_filetrans(zoneminder_t, zoneminder_var_run_t, { dir file })
+
+manage_dirs_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
+manage_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
+manage_lnk_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
+files_spool_filetrans(zoneminder_t, zoneminder_spool_t, { dir file })
+
+kernel_read_system_state(zoneminder_t)
+
+domain_read_all_domains_state(zoneminder_t)
+
+corecmd_exec_bin(zoneminder_t)
+corecmd_exec_shell(zoneminder_t)
+
+corenet_tcp_bind_http_cache_port(zoneminder_t)
+corenet_tcp_bind_transproxy_port(zoneminder_t)
+corenet_tcp_connect_http_port(zoneminder_t)
+
+dev_read_sysfs(zoneminder_t)
+dev_read_rand(zoneminder_t)
+dev_read_urand(zoneminder_t)
+dev_read_video_dev(zoneminder_t)
+dev_write_video_dev(zoneminder_t)
+
+auth_use_nsswitch(zoneminder_t)
+#auth_read_shadow(zoneminder_t) need to debug zmpkg.pl to see why is needed this rule.
+
+logging_send_syslog_msg(zoneminder_t)
+logging_send_audit_msgs(zoneminder_t)
+
+mta_send_mail(zoneminder_t)
+
+tunable_policy(`zoneminder_anon_write',`
+ miscfiles_manage_public_files(zoneminder_t)
+')
+
+tunable_policy(`zoneminder_run_sudo',`
+ allow zoneminder_t self:capability { setuid setgid sys_resource };
+ allow zoneminder_t self:process { setrlimit setsched };
+ allow zoneminder_t self:key write;
+ allow zoneminder_t self:passwd { passwd rootok };
+
+ auth_rw_lastlog(zoneminder_t)
+ auth_rw_faillog(zoneminder_t)
+ auth_exec_chkpwd(zoneminder_t)
+
+ selinux_compute_access_vector(zoneminder_t)
+
+ systemd_write_inherited_logind_sessions_pipes(zoneminder_t)
+ systemd_dbus_chat_logind(zoneminder_t)
+
+ xserver_exec_xauth(zoneminder_t)
+')
+
+optional_policy(`
+ tunable_policy(`zoneminder_run_sudo',`
+ sudo_exec(zoneminder_t)
+ su_exec(zoneminder_t)
+ ')
+')
+
+optional_policy(`
+ dbus_system_bus_client(zoneminder_t)
+')
+
+
+optional_policy(`
+ mysql_stream_connect(zoneminder_t)
+')
+
+optional_policy(`
+ fprintd_dbus_chat(zoneminder_t)
+')
+
+optional_policy(`
+ motion_manage_all_files(zoneminder_t)
+')
+
+########################################
+#
+# zoneminder cgi local policy
+#
+
+optional_policy(`
+ apache_content_template(zoneminder)
+ apache_content_alias_template(zoneminder, zoneminder)
+
+ # need more testing
+ #allow zoneminder_script_t self:shm create_shm_perms;
+
+ manage_sock_files_pattern(zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+
+ rw_files_pattern(zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
+
+ zoneminder_stream_connect(zoneminder_script_t)
+
+ can_exec(zoneminder_t, zoneminder_script_exec_t)
+
+ files_search_var_lib(zoneminder_script_t)
+
+ logging_send_syslog_msg(zoneminder_script_t)
+
+ optional_policy(`
+ mysql_stream_connect(zoneminder_script_t)
+ ')
+')
diff --git a/zosremote.if b/zosremote.if
index b14698c4f..16e1581a0 100644
--- a/zosremote.if
+++ b/zosremote.if
@@ -35,6 +35,7 @@ interface(`zosremote_domtrans',`
## Role allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`zosremote_run',`
gen_require(`
diff --git a/zosremote.te b/zosremote.te
index bc6a5db70..0abdcebcb 100644
--- a/zosremote.te
+++ b/zosremote.te
@@ -24,6 +24,4 @@ allow zos_remote_t self:unix_stream_socket { accept listen };
auth_use_nsswitch(zos_remote_t)
-miscfiles_read_localization(zos_remote_t)
-
logging_send_syslog_msg(zos_remote_t)