diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000..bea575523
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+TAGS
diff --git a/abrt.fc b/abrt.fc
index 1a93dc578..e948aef59 100644
--- a/abrt.fc
+++ b/abrt.fc
@@ -1,31 +1,47 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
-/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
-/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
-/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
+
+/usr/bin/abrt-dump-.* -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-uefioops-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
+/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
+
+/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-install-ccpp-hook -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
-/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/libexec/abrt-hook-ccpp -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+
+/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+
+/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
+
+/var/lib/abrt(/.*)? gen_context(system_u:object_r:abrt_var_lib_t,s0)
+
+/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
-/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
-/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
-/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+/var/spool/faf(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+/var/spool/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/spool/rhsm/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/tmp/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
-/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/abrt.if b/abrt.if
index 058d908e4..1b643bfb5 100644
--- a/abrt.if
+++ b/abrt.if
@@ -1,4 +1,26 @@
-## Automated bug-reporting tool.
+## ABRT - automated bug-reporting tool
+
+######################################
+##
+## Creates types and rules for a basic
+## ABRT daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`abrt_basic_types_template',`
+ gen_require(`
+ attribute abrt_domain;
+ ')
+
+ type $1_t, abrt_domain;
+ type $1_exec_t;
+
+ kernel_read_system_state($1_t)
+')
######################################
##
@@ -17,6 +39,26 @@ interface(`abrt_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, abrt_exec_t, abrt_t)
+ allow $1 abrt_exec_t:file map;
+')
+
+######################################
+##
+## Execute abrt_dump_oops in the abrt_dump_oops_t domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`abrt_dump_oops_domtrans',`
+ gen_require(`
+ type abrt_dump_oops_t, abrt_dump_oops_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, abrt_dump_oops_exec_t, abrt_dump_oops_t)
')
######################################
@@ -36,11 +78,12 @@ interface(`abrt_exec',`
corecmd_search_bin($1)
can_exec($1, abrt_exec_t)
+ allow $1 abrt_exec_t:file map;
')
########################################
##
-## Send null signals to abrt.
+## Send a null signal to abrt.
##
##
##
@@ -58,7 +101,7 @@ interface(`abrt_signull',`
########################################
##
-## Read process state of abrt.
+## Allow the domain to read abrt state files in /proc.
##
##
##
@@ -71,12 +114,13 @@ interface(`abrt_read_state',`
type abrt_t;
')
+ kernel_search_proc($1)
ps_process_pattern($1, abrt_t)
')
########################################
##
-## Connect to abrt over an unix stream socket.
+## Connect to abrt over a unix stream socket.
##
##
##
@@ -116,8 +160,7 @@ interface(`abrt_dbus_chat',`
#####################################
##
-## Execute abrt-helper in the abrt
-## helper domain.
+## Execute abrt-helper in the abrt-helper domain.
##
##
##
@@ -130,15 +173,13 @@ interface(`abrt_domtrans_helper',`
type abrt_helper_t, abrt_helper_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
')
########################################
##
-## Execute abrt helper in the abrt
-## helper domain, and allow the
-## specified role the abrt helper domain.
+## Execute abrt helper in the abrt_helper domain, and
+## allow the specified role the abrt_helper domain.
##
##
##
@@ -163,8 +204,45 @@ interface(`abrt_run_helper',`
########################################
##
-## Create, read, write, and delete
-## abrt cache files.
+## Read abrt cache
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_read_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+ read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+')
+
+########################################
+##
+## Append abrt cache
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_append_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+
+ allow $1 abrt_var_cache_t:file append_inherited_file_perms;
+')
+
+########################################
+##
+## Read/Write inherited abrt cache
##
##
##
@@ -172,15 +250,18 @@ interface(`abrt_run_helper',`
##
##
#
-interface(`abrt_cache_manage',`
- refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
- abrt_manage_cache($1)
+interface(`abrt_rw_inherited_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+
+ allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
')
########################################
##
-## Create, read, write, and delete
-## abrt cache content.
+## Manage abrt cache
##
##
##
@@ -193,7 +274,6 @@ interface(`abrt_manage_cache',`
type abrt_var_cache_t;
')
- files_search_var($1)
manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
@@ -201,7 +281,7 @@ interface(`abrt_manage_cache',`
####################################
##
-## Read abrt configuration files.
+## Read abrt configuration file.
##
##
##
@@ -218,9 +298,29 @@ interface(`abrt_read_config',`
read_files_pattern($1, abrt_etc_t, abrt_etc_t)
')
+####################################
+##
+## Dontaudit read abrt configuration file.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_dontaudit_read_config',`
+ gen_require(`
+ type abrt_etc_t;
+ ')
+
+ files_search_etc($1)
+ dontaudit $1 abrt_etc_t:dir list_dir_perms;
+ dontaudit $1 abrt_etc_t:file read_file_perms;
+')
+
######################################
##
-## Read abrt log files.
+## Read abrt logs.
##
##
##
@@ -258,8 +358,7 @@ interface(`abrt_read_pid_files',`
######################################
##
-## Create, read, write, and delete
-## abrt PID files.
+## Create, read, write, and delete abrt PID files.
##
##
##
@@ -276,10 +375,52 @@ interface(`abrt_manage_pid_files',`
manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
')
+########################################
+##
+## Read and write abrt fifo files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_rw_fifo_file',`
+ gen_require(`
+ type abrt_t;
+ ')
+
+ allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+##
+## Execute abrt server in the abrt domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`abrt_systemctl',`
+ gen_require(`
+ type abrt_t;
+ type abrt_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 abrt_unit_file_t:file manage_file_perms;
+ allow $1 abrt_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, abrt_t)
+')
+
#####################################
##
-## All of the rules required to
-## administrate an abrt environment,
+## All of the rules required to administrate
+## an abrt environment
##
##
##
@@ -288,39 +429,174 @@ interface(`abrt_manage_pid_files',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the abrt domain.
##
##
##
#
interface(`abrt_admin',`
gen_require(`
- attribute abrt_domain;
- type abrt_t, abrt_etc_t, abrt_initrc_exec_t;
- type abrt_var_cache_t, abrt_var_log_t, abrt_retrace_cache_t;
- type abrt_var_run_t, abrt_tmp_t, abrt_retrace_spool_t;
+ type abrt_t, abrt_etc_t;
+ type abrt_var_cache_t, abrt_var_log_t;
+ type abrt_var_run_t, abrt_tmp_t;
+ type abrt_initrc_exec_t;
+ type abrt_unit_file_t;
')
- allow $1 abrt_domain:process { ptrace signal_perms };
- ps_process_pattern($1, abrt_domain)
+ allow $1 abrt_t:process { signal_perms };
+ ps_process_pattern($1, abrt_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 abrt_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, abrt_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 abrt_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, abrt_etc_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, abrt_var_log_t)
- files_search_var($1)
- admin_pattern($1, { abrt_retrace_cache_t abrt_var_cache_t abrt_retrace_spool_t })
+ files_list_var($1)
+ admin_pattern($1, abrt_var_cache_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, abrt_var_run_t)
- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, abrt_tmp_t)
+
+ abrt_systemctl($1)
+ admin_pattern($1, abrt_unit_file_t)
+ allow $1 abrt_unit_file_t:service all_service_perms;
+')
+
+####################################
+##
+## Execute abrt-retrace in the abrt-retrace domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`abrt_domtrans_retrace_worker',`
+ gen_require(`
+ type abrt_retrace_worker_t, abrt_retrace_worker_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, abrt_retrace_worker_exec_t, abrt_retrace_worker_t)
+')
+
+######################################
+##
+## Manage abrt retrace server cache
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_manage_spool_retrace',`
+ gen_require(`
+ type abrt_retrace_spool_t;
+ ')
+
+ manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ manage_sock_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+')
+
+#####################################
+##
+## Read abrt retrace server cache
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_read_spool_retrace',`
+ gen_require(`
+ type abrt_retrace_spool_t;
+ ')
+
+ list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
')
+
+
+#####################################
+##
+## Read abrt retrace server cache
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_read_cache_retrace',`
+ gen_require(`
+ type abrt_retrace_cache_t;
+ ')
+
+ list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+ read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+ read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+')
+
+########################################
+##
+## Do not audit attempts to write abrt sock files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`abrt_dontaudit_write_sock_file',`
+ gen_require(`
+ type abrt_t;
+ ')
+
+ dontaudit $1 abrt_t:sock_file write;
+')
+
+########################################
+##
+## Transition to abrt named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_filetrans_named_content',`
+ gen_require(`
+ type abrt_tmp_t;
+ type abrt_etc_t;
+ type abrt_var_cache_t;
+ type abrt_var_run_t;
+ ')
+
+ files_tmp_filetrans($1, abrt_var_cache_t, dir, "abrt")
+ files_etc_filetrans($1, abrt_etc_t, dir, "abrt")
+ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt")
+ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")
+ files_var_filetrans($1, abrt_var_cache_t, dir, "debug")
+ files_pid_filetrans($1, abrt_var_run_t, dir, "abrt")
+')
+
diff --git a/abrt.te b/abrt.te
index eb50f070f..a00644903 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
#
##
-##
-## Determine whether ABRT can modify
-## public files used for public file
-## transfer services.
-##
+##
+## Allow ABRT to modify public files
+## used for public file transfer services.
+##
##
gen_tunable(abrt_anon_write, false)
@@ -37,87 +36,99 @@ attribute abrt_domain;
attribute_role abrt_helper_roles;
roleattribute system_r abrt_helper_roles;
-type abrt_t, abrt_domain;
-type abrt_exec_t;
+abrt_basic_types_template(abrt)
init_daemon_domain(abrt_t, abrt_exec_t)
type abrt_initrc_exec_t;
init_script_file(abrt_initrc_exec_t)
+type abrt_unit_file_t;
+systemd_unit_file(abrt_unit_file_t)
+
type abrt_etc_t;
files_config_file(abrt_etc_t)
type abrt_var_log_t;
logging_log_file(abrt_var_log_t)
+type abrt_var_lib_t;
+files_type(abrt_var_lib_t)
+
type abrt_tmp_t;
files_tmp_file(abrt_tmp_t)
type abrt_var_cache_t;
files_type(abrt_var_cache_t)
+files_tmp_file(abrt_var_cache_t)
+userdom_user_tmp_content(abrt_var_cache_t)
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
-type abrt_dump_oops_t, abrt_domain;
-type abrt_dump_oops_exec_t;
+abrt_basic_types_template(abrt_dump_oops)
init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)
+domain_obj_id_change_exemption(abrt_dump_oops_t)
-type abrt_handle_event_t, abrt_domain;
-type abrt_handle_event_exec_t;
-domain_type(abrt_handle_event_t)
-domain_entry_file(abrt_handle_event_t, abrt_handle_event_exec_t)
+abrt_basic_types_template(abrt_handle_event)
+application_domain(abrt_handle_event_t, abrt_handle_event_exec_t)
role system_r types abrt_handle_event_t;
-type abrt_helper_t, abrt_domain;
-type abrt_helper_exec_t;
+# type needed to allow all domains
+# to handle /var/cache/abrt
+# type needed to allow all domains
+# to handle /var/cache/abrt
+abrt_basic_types_template(abrt_helper)
application_domain(abrt_helper_t, abrt_helper_exec_t)
role abrt_helper_roles types abrt_helper_t;
-type abrt_retrace_coredump_t, abrt_domain;
-type abrt_retrace_coredump_exec_t;
-domain_type(abrt_retrace_coredump_t)
-domain_entry_file(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
-role system_r types abrt_retrace_coredump_t;
-
-type abrt_retrace_worker_t, abrt_domain;
-type abrt_retrace_worker_exec_t;
-domain_type(abrt_retrace_worker_t)
-domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
+abrt_basic_types_template(abrt_retrace_worker)
+application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
role system_r types abrt_retrace_worker_t;
+abrt_basic_types_template(abrt_retrace_coredump)
+application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
+role system_r types abrt_retrace_coredump_t;
+
type abrt_retrace_cache_t;
files_type(abrt_retrace_cache_t)
type abrt_retrace_spool_t;
-files_type(abrt_retrace_spool_t)
+files_spool_file(abrt_retrace_spool_t)
-type abrt_watch_log_t, abrt_domain;
-type abrt_watch_log_exec_t;
+abrt_basic_types_template(abrt_watch_log)
init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
-type abrt_upload_watch_t, abrt_domain;
-type abrt_upload_watch_exec_t;
+abrt_basic_types_template(abrt_upload_watch)
init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
+type abrt_upload_watch_tmp_t;
+files_tmp_file(abrt_upload_watch_tmp_t)
+
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
')
########################################
#
-# Local policy
+# abrt local policy
#
-allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
-dontaudit abrt_t self:capability sys_rawio;
+allow abrt_t self:capability { chown dac_read_search dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
+dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace };
allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
+
allow abrt_t self:fifo_file rw_fifo_file_perms;
-allow abrt_t self:tcp_socket { accept listen };
+allow abrt_t self:tcp_socket create_stream_socket_perms;
+allow abrt_t self:udp_socket create_socket_perms;
+allow abrt_t self:unix_dgram_socket create_socket_perms;
+allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
-allow abrt_t abrt_etc_t:dir list_dir_perms;
+# abrt etc files
+list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
+# log file
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
@@ -125,48 +136,60 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
+can_exec(abrt_t, abrt_tmp_t)
+# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
+files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt")
+allow abrt_t abrt_var_cache_t:file map;
+# abrt pid files
manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
-can_exec(abrt_t, abrt_tmp_t)
+manage_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_dirs_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_lnk_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+kernel_read_all_proc(abrt_t)
kernel_read_ring_buffer(abrt_t)
-kernel_read_system_state(abrt_t)
+kernel_read_network_state(abrt_t)
+kernel_read_software_raid_state(abrt_t)
kernel_request_load_module(abrt_t)
+kernel_rw_usermodehelper_state(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)
+# needed by docker BZ #1194280
+kernel_read_net_sysctls(abrt_t)
+kernel_rw_usermodehelper_state(abrt_t)
corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)
corenet_all_recvfrom_netlabel(abrt_t)
-corenet_all_recvfrom_unlabeled(abrt_t)
corenet_tcp_sendrecv_generic_if(abrt_t)
corenet_tcp_sendrecv_generic_node(abrt_t)
-corenet_tcp_sendrecv_all_ports(abrt_t)
+corenet_tcp_sendrecv_generic_port(abrt_t)
corenet_tcp_bind_generic_node(abrt_t)
-
-corenet_sendrecv_all_client_packets(abrt_t)
corenet_tcp_connect_http_port(abrt_t)
corenet_tcp_connect_ftp_port(abrt_t)
corenet_tcp_connect_all_ports(abrt_t)
+corenet_sendrecv_http_client_packets(abrt_t)
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
dev_read_rand(abrt_t)
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
-dev_dontaudit_read_raw_memory(abrt_t)
+dev_read_raw_memory(abrt_t)
+dev_write_kmsg(abrt_t)
domain_getattr_all_domains(abrt_t)
domain_read_all_domains_state(abrt_t)
@@ -176,29 +199,45 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
-files_read_usr_files(abrt_t)
+files_read_var_lib_files(abrt_t)
+files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
+files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
files_dontaudit_read_all_symlinks(abrt_t)
files_dontaudit_getattr_all_sockets(abrt_t)
files_list_mnt(abrt_t)
+fs_list_all(abrt_t)
+fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
fs_getattr_all_dirs(abrt_t)
-fs_list_inotifyfs(abrt_t)
fs_read_fusefs_files(abrt_t)
fs_read_noxattr_fs_files(abrt_t)
fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
-auth_use_nsswitch(abrt_t)
+storage_dontaudit_read_fixed_disk(abrt_t)
logging_read_generic_logs(abrt_t)
+logging_mmap_journal(abrt_t)
+logging_send_syslog_msg(abrt_t)
+logging_stream_connect_syslog(abrt_t)
+logging_read_syslog_pid(abrt_t)
+auth_use_nsswitch(abrt_t)
+auth_map_passwd(abrt_t)
+
+init_read_utmp(abrt_t)
+
+miscfiles_read_generic_certs(abrt_t)
miscfiles_read_public_files(abrt_t)
+miscfiles_dontaudit_access_check_cert(abrt_t)
+miscfiles_dontaudit_write_generic_cert_files(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
+userdom_dontaudit_read_admin_home_files(abrt_t)
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
@@ -206,15 +245,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
- apache_read_module_files(abrt_t)
+ apache_read_modules(abrt_t)
')
optional_policy(`
dbus_system_domain(abrt_t, abrt_exec_t)
-
- optional_policy(`
- policykit_dbus_chat(abrt_t)
- ')
')
optional_policy(`
@@ -222,6 +257,28 @@ optional_policy(`
')
optional_policy(`
+ container_stream_connect(abrt_t)
+')
+
+optional_policy(`
+ kdump_manage_crash(abrt_t)
+')
+
+optional_policy(`
+ mcelog_read_log(abrt_t)
+')
+
+optional_policy(`
+ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t)
+ mozilla_plugin_read_rw_files(abrt_t)
+')
+
+optional_policy(`
+ pcp_read_lib_files(abrt_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(abrt_t)
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
@@ -233,6 +290,11 @@ optional_policy(`
corecmd_exec_all_executables(abrt_t)
')
+optional_policy(`
+ puppet_read_lib(abrt_t)
+')
+
+# to install debuginfo packages
optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
@@ -243,6 +305,14 @@ optional_policy(`
rpm_signull(abrt_t)
')
+optional_policy(`
+ rhsmcertd_manage_pid_files(abrt_t)
+ rhsmcertd_read_log(abrt_t)
+ rhsmcertd_read_lib_files(abrt_t)
+
+')
+
+# to run mailx plugin
optional_policy(`
sendmail_domtrans(abrt_t)
')
@@ -253,9 +323,21 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
+optional_policy(`
+ sssd_stream_connect(abrt_t)
+')
+
+optional_policy(`
+ xserver_read_log(abrt_t)
+')
+
+optional_policy(`
+ udev_read_db(abrt_t)
+')
+
#######################################
#
-# Handle-event local policy
+# abrt-handle-event local policy
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
@@ -266,9 +348,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
+optional_policy(`
+ unconfined_domain(abrt_handle_event_t)
+')
+
########################################
#
-# Helper local policy
+# abrt--helper local policy
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
@@ -281,6 +367,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+files_tmp_filetrans(abrt_helper_t, abrt_var_cache_t, dir, "abrt")
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -289,15 +376,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
+files_dontaudit_all_non_security_leaks(abrt_helper_t)
+
fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)
auth_use_nsswitch(abrt_helper_t)
+logging_send_syslog_msg(abrt_helper_t)
+
term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)
ifdef(`hide_broken_symptoms',`
+ domain_dontaudit_leaks(abrt_helper_t)
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
@@ -305,11 +397,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
+
+ optional_policy(`
+ rpm_dontaudit_leaks(abrt_helper_t)
+ ')
+')
+
+ifdef(`hide_broken_symptoms',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow abrt_t self:capability sys_resource;
+ allow abrt_t domain:file write;
+ allow abrt_t domain:process setrlimit;
')
#######################################
#
-# Retrace coredump policy
+# abrt retrace coredump policy
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
@@ -327,10 +433,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
-files_read_usr_files(abrt_retrace_coredump_t)
+
+logging_send_syslog_msg(abrt_retrace_coredump_t)
sysnet_dns_name_resolve(abrt_retrace_coredump_t)
+# to install debuginfo packages
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
@@ -343,10 +451,11 @@ optional_policy(`
#######################################
#
-# Retrace worker policy
+# abrt retrace worker policy
#
-allow abrt_retrace_worker_t self:capability setuid;
+allow abrt_retrace_worker_t self:capability { setuid };
+
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
@@ -365,38 +474,83 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
-files_read_usr_files(abrt_retrace_worker_t)
+
+logging_send_syslog_msg(abrt_retrace_worker_t)
sysnet_dns_name_resolve(abrt_retrace_worker_t)
+optional_policy(`
+ mock_domtrans(abrt_retrace_worker_t)
+ mock_manage_lib_files(abrt_t)
+')
+
########################################
#
-# Dump oops local policy
+# abrt_dump_oops local policy
#
-allow abrt_dump_oops_t self:capability dac_override;
+allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_read_search dac_override setuid setgid };
+allow abrt_dump_oops_t self:process setfscreate;
allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
files_search_spool(abrt_dump_oops_t)
manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })
+files_tmp_filetrans(abrt_dump_oops_t, abrt_var_cache_t, dir, "abrt")
+
+manage_dirs_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t)
+manage_files_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t)
read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)
+kernel_read_debugfs(abrt_dump_oops_t)
kernel_read_kernel_sysctls(abrt_dump_oops_t)
kernel_read_ring_buffer(abrt_dump_oops_t)
+kernel_read_security_state(abrt_dump_oops_t)
+
+auth_read_passwd(abrt_dump_oops_t)
+
+corecmd_getattr_all_executables(abrt_dump_oops_t)
+
+dev_read_urand(abrt_dump_oops_t)
+dev_read_rand(abrt_dump_oops_t)
domain_use_interactive_fds(abrt_dump_oops_t)
+domain_signull_all_domains(abrt_dump_oops_t)
+domain_read_all_domains_state(abrt_dump_oops_t)
+domain_getattr_all_domains(abrt_dump_oops_t)
+
+tunable_policy(`deny_ptrace',`',`
+ domain_ptrace_all_domains(abrt_dump_oops_t)
+')
+
+files_manage_non_security_dirs(abrt_dump_oops_t)
+files_manage_non_security_files(abrt_dump_oops_t)
+files_map_non_security_files(abrt_dump_oops_t)
+fs_getattr_all_fs(abrt_dump_oops_t)
fs_list_inotifyfs(abrt_dump_oops_t)
+fs_list_pstorefs(abrt_dump_oops_t)
+
+selinux_compute_create_context(abrt_dump_oops_t)
logging_read_generic_logs(abrt_dump_oops_t)
+logging_read_syslog_pid(abrt_dump_oops_t)
+logging_send_syslog_msg(abrt_dump_oops_t)
+logging_mmap_generic_logs(abrt_dump_oops_t)
+logging_mmap_journal(abrt_dump_oops_t)
+
+init_read_var_lib_files(abrt_dump_oops_t)
+
+optional_policy(`
+ nscd_dontaudit_write_sock_file(abrt_dump_oops_t)
+')
#######################################
#
@@ -404,25 +558,63 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
-allow abrt_watch_log_t self:unix_stream_socket { accept listen };
+allow abrt_watch_log_t self:unix_stream_socket create_stream_socket_perms;
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
+auth_read_passwd(abrt_watch_log_t)
+auth_use_nsswitch(abrt_watch_log_t)
+
domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+allow abrt_watch_log_t abrt_dump_oops_exec_t:file map;
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
+logging_send_syslog_msg(abrt_watch_log_t)
+
+optional_policy(`
+ gnome_list_home_config(abrt_watch_log_t)
+')
+
+tunable_policy(`abrt_upload_watch_anon_write',`
+ miscfiles_manage_public_files(abrt_upload_watch_t)
+')
#######################################
#
# Upload watch local policy
#
+allow abrt_upload_watch_t self:capability { dac_read_search dac_override chown fsetid };
+
+manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_lnk_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir})
+
+read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t)
+
+manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)
+
+abrt_dbus_chat(abrt_upload_watch_t)
+
corecmd_exec_bin(abrt_upload_watch_t)
+dev_read_urand(abrt_upload_watch_t)
+
+files_search_spool(abrt_upload_watch_t)
+
+auth_read_passwd(abrt_upload_watch_t)
+
+miscfiles_read_certs(abrt_upload_watch_t)
+
tunable_policy(`abrt_upload_watch_anon_write',`
- miscfiles_manage_public_files(abrt_upload_watch_t)
+ miscfiles_manage_public_files(abrt_upload_watch_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(abrt_upload_watch_t)
')
#######################################
@@ -430,10 +622,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
-kernel_read_system_state(abrt_domain)
+allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
+allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
files_read_etc_files(abrt_domain)
-
-logging_send_syslog_msg(abrt_domain)
-
-miscfiles_read_localization(abrt_domain)
diff --git a/accountsd.fc b/accountsd.fc
index f9d8d7a92..068271030 100644
--- a/accountsd.fc
+++ b/accountsd.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/accountsd.* -- gen_context(system_u:object_r:accountsd_unit_file_t,s0)
+
/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
/usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
diff --git a/accountsd.if b/accountsd.if
index bd5ec9ab0..554177cd2 100644
--- a/accountsd.if
+++ b/accountsd.if
@@ -126,23 +126,51 @@ interface(`accountsd_manage_lib_files',`
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
-##
+#
+interface(`accountsd_systemctl',`
+ gen_require(`
+ type accountsd_t;
+ type accountsd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 accountsd_unit_file_t:file read_file_perms;
+ allow $1 accountsd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, accountsd_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an accountsd environment
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
-##
#
interface(`accountsd_admin',`
gen_require(`
type accountsd_t;
+ type accountsd_unit_file_t;
')
- allow $1 accountsd_t:process { ptrace signal_perms };
+ allow $1 accountsd_t:process signal_perms;
ps_process_pattern($1, accountsd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 accountsd_t:process ptrace;
+ ')
+
accountsd_manage_lib_files($1)
+
+ accountsd_systemctl($1)
+ admin_pattern($1, accountsd_unit_file_t)
+ allow $1 accountsd_unit_file_t:service all_service_perms;
')
diff --git a/accountsd.te b/accountsd.te
index 3593510d8..7c13845fd 100644
--- a/accountsd.te
+++ b/accountsd.te
@@ -4,6 +4,10 @@ gen_require(`
class passwd all_passwd_perms;
')
+gen_require(`
+ class passwd { passwd chfn chsh rootok crontab };
+')
+
########################################
#
# Declarations
@@ -11,17 +15,21 @@ gen_require(`
type accountsd_t;
type accountsd_exec_t;
-dbus_system_domain(accountsd_t, accountsd_exec_t)
+init_daemon_domain(accountsd_t, accountsd_exec_t)
+role system_r types accountsd_t;
type accountsd_var_lib_t;
files_type(accountsd_var_lib_t)
+type accountsd_unit_file_t;
+systemd_unit_file(accountsd_unit_file_t)
+
########################################
#
# Local policy
#
-allow accountsd_t self:capability { chown dac_override setuid setgid sys_ptrace };
+allow accountsd_t self:capability { chown dac_read_search dac_override setuid setgid sys_ptrace };
allow accountsd_t self:process signal;
allow accountsd_t self:fifo_file rw_fifo_file_perms;
allow accountsd_t self:passwd { rootok passwd chfn chsh };
@@ -38,7 +46,6 @@ corecmd_exec_bin(accountsd_t)
dev_read_sysfs(accountsd_t)
files_read_mnt_files(accountsd_t)
-files_read_usr_files(accountsd_t)
fs_getattr_xattr_fs(accountsd_t)
fs_list_inotifyfs(accountsd_t)
@@ -48,12 +55,15 @@ auth_use_nsswitch(accountsd_t)
auth_read_login_records(accountsd_t)
auth_read_shadow(accountsd_t)
-miscfiles_read_localization(accountsd_t)
+init_dbus_chat(accountsd_t)
logging_list_logs(accountsd_t)
logging_send_syslog_msg(accountsd_t)
logging_set_loginuid(accountsd_t)
+userdom_dontaudit_create_admin_dir(accountsd_t)
+userdom_dontaudit_manage_admin_dir(accountsd_t)
+
userdom_read_user_tmp_files(accountsd_t)
userdom_read_user_home_content_files(accountsd_t)
@@ -65,10 +75,17 @@ optional_policy(`
consolekit_read_log(accountsd_t)
')
+optional_policy(`
+ dbus_system_domain(accountsd_t, accountsd_exec_t)
+')
+
optional_policy(`
policykit_dbus_chat(accountsd_t)
')
optional_policy(`
xserver_read_xdm_tmp_files(accountsd_t)
+ xserver_read_state_xdm(accountsd_t)
+ xserver_dbus_chat_xdm(accountsd_t)
+ xserver_manage_xdm_etc_files(accountsd_t)
')
diff --git a/acct.if b/acct.if
index 81280d008..bc4038b45 100644
--- a/acct.if
+++ b/acct.if
@@ -83,6 +83,24 @@ interface(`acct_manage_data',`
########################################
##
+## Dontaudit Attempts to list acct_data directory
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`acct_dontaudit_list_data',`
+ gen_require(`
+ type acct_data_t;
+ ')
+
+ dontaudit $1 acct_data_t:dir list_dir_perms;
+')
+
+#######################################
+##
## All of the rules required to
## administrate an acct environment.
##
@@ -103,9 +121,13 @@ interface(`acct_admin',`
type acct_t, acct_initrc_exec_t, acct_data_t;
')
- allow $1 acct_t:process { ptrace signal_perms };
+ allow $1 acct_t:process { signal_perms };
ps_process_pattern($1, acct_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 acct_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, acct_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 acct_initrc_exec_t system_r;
diff --git a/acct.te b/acct.te
index 8b9ad83c5..f4f24864b 100644
--- a/acct.te
+++ b/acct.te
@@ -40,8 +40,6 @@ corecmd_exec_shell(acct_t)
dev_read_sysfs(acct_t)
dev_read_urand(acct_t)
-domain_use_interactive_fds(acct_t)
-
fs_search_auto_mountpoints(acct_t)
fs_getattr_xattr_fs(acct_t)
@@ -49,7 +47,6 @@ term_dontaudit_use_console(acct_t)
term_dontaudit_use_generic_ptys(acct_t)
files_read_etc_runtime_files(acct_t)
-files_list_usr(acct_t)
auth_use_nsswitch(acct_t)
@@ -59,8 +56,6 @@ init_exec_script_files(acct_t)
logging_send_syslog_msg(acct_t)
-miscfiles_read_localization(acct_t)
-
userdom_dontaudit_search_user_home_dirs(acct_t)
userdom_dontaudit_use_unpriv_user_fds(acct_t)
diff --git a/ada.te b/ada.te
index 8d42c97ae..2377f8f82 100644
--- a/ada.te
+++ b/ada.te
@@ -20,7 +20,7 @@ role ada_roles types ada_t;
allow ada_t self:process { execstack execmem };
-userdom_use_user_terminals(ada_t)
+userdom_use_inherited_user_terminals(ada_t)
optional_policy(`
unconfined_domain(ada_t)
diff --git a/afs.fc b/afs.fc
index 8926c1696..206ea16fd 100644
--- a/afs.fc
+++ b/afs.fc
@@ -3,6 +3,8 @@
/etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_initrc_exec_t,s0)
/etc/rc\.d/init\.d/(open)?afs -- gen_context(system_u:object_r:afs_initrc_exec_t,s0)
+/usr/afs(/.*)? gen_context(system_u:object_r:afs_files_t,s0)
+
/usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
/usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
@@ -10,6 +12,10 @@
/usr/afs/bin/salvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/afs/bin/volserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/afs/bin/vlserver -- gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
+/usr/afs/bin/dafileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/davolserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/salvageserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/dasalvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/afs/db -d gen_context(system_u:object_r:afs_dbdir_t,s0)
/usr/afs/db/pr.* -- gen_context(system_u:object_r:afs_pt_db_t,s0)
diff --git a/afs.if b/afs.if
index 3b41be699..97d99f979 100644
--- a/afs.if
+++ b/afs.if
@@ -38,6 +38,24 @@ interface(`afs_rw_udp_sockets',`
allow $1 afs_t:udp_socket { read write };
')
+########################################
+##
+## Read AFS config data
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`afs_read_config',`
+ gen_require(`
+ type afs_config_t;
+ ')
+
+ read_files_pattern($1, afs_config_t, afs_config_t)
+')
+
########################################
##
## Read and write afs cache files.
@@ -95,13 +113,17 @@ interface(`afs_initrc_domtrans',`
interface(`afs_admin',`
gen_require(`
attribute afs_domain;
- type afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
+ type afs_t, afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
type afs_ka_db_t, afs_vl_db_t, afs_config_t;
type afs_logfile_t, afs_cache_t, afs_files_t;
')
- allow $1 afs_domain:process { ptrace signal_perms };
- ps_process_pattern($1, afs_domain)
+ allow $1 afs_t:process signal_perms;
+ ps_process_pattern($1, afs_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 afs_t:process ptrace;
+ ')
afs_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/afs.te b/afs.te
index 90ce63748..8cf712d15 100644
--- a/afs.te
+++ b/afs.te
@@ -72,7 +72,7 @@ role system_r types afs_vlserver_t;
# afs client local policy
#
-allow afs_t self:capability { dac_override sys_admin sys_nice sys_tty_config };
+allow afs_t self:capability { dac_read_search dac_override sys_admin sys_nice sys_tty_config };
allow afs_t self:process { setsched signal };
allow afs_t self:fifo_file rw_file_perms;
allow afs_t self:unix_stream_socket { accept listen };
@@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
kernel_rw_afs_state(afs_t)
+corenet_all_recvfrom_netlabel(afs_t)
+corenet_tcp_sendrecv_generic_if(afs_t)
+corenet_udp_sendrecv_generic_if(afs_t)
+corenet_tcp_sendrecv_generic_node(afs_t)
+corenet_udp_sendrecv_generic_node(afs_t)
+corenet_tcp_sendrecv_all_ports(afs_t)
+corenet_udp_sendrecv_all_ports(afs_t)
+corenet_udp_bind_generic_node(afs_t)
+
files_mounton_mnt(afs_t)
-files_read_usr_files(afs_t)
files_rw_etc_runtime_files(afs_t)
fs_getattr_xattr_fs(afs_t)
@@ -93,6 +101,12 @@ fs_read_nfs_symlinks(afs_t)
logging_send_syslog_msg(afs_t)
+sysnet_dns_name_resolve(afs_t)
+
+ifdef(`hide_broken_symptoms',`
+ kernel_rw_unlabeled_files(afs_t)
+')
+
########################################
#
# AFS bossserver local policy
@@ -105,8 +119,11 @@ can_exec(afs_bosserver_t, afs_bosserver_exec_t)
manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
+filetrans_pattern(afs_bosserver_t, afs_files_t, afs_config_t, dir, "local")
-allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms;
+manage_files_pattern(afs_bosserver_t, afs_dbdir_t, afs_dbdir_t)
+manage_dirs_pattern(afs_bosserver_t, afs_dbdir_t, afs_dbdir_t)
+filetrans_pattern(afs_bosserver_t, afs_files_t, afs_dbdir_t, dir, "db")
allow afs_bosserver_t afs_fsserver_t:process signal_perms;
domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t)
@@ -125,7 +142,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
kernel_read_kernel_sysctls(afs_bosserver_t)
-corenet_all_recvfrom_unlabeled(afs_bosserver_t)
corenet_all_recvfrom_netlabel(afs_bosserver_t)
corenet_udp_sendrecv_generic_if(afs_bosserver_t)
corenet_udp_sendrecv_generic_node(afs_bosserver_t)
@@ -136,24 +152,24 @@ corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
corenet_udp_sendrecv_afs_bos_port(afs_bosserver_t)
files_list_home(afs_bosserver_t)
-files_read_usr_files(afs_bosserver_t)
seutil_read_config(afs_bosserver_t)
+optional_policy(`
+ kerberos_read_config(afs_bosserver_t)
+')
+
########################################
#
# fileserver local policy
#
-allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
+allow afs_fsserver_t self:capability { kill dac_read_search dac_override chown fowner sys_nice };
dontaudit afs_fsserver_t self:capability fsetid;
allow afs_fsserver_t self:process { setsched signal_perms };
allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
-read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
-allow afs_fsserver_t afs_config_t:dir list_dir_perms;
-
manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
@@ -175,12 +191,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t)
corenet_all_recvfrom_unlabeled(afs_fsserver_t)
corenet_all_recvfrom_netlabel(afs_fsserver_t)
+corenet_tcp_bind_generic_node(afs_fsserver_t)
+corenet_udp_bind_generic_node(afs_fsserver_t)
corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
corenet_udp_sendrecv_generic_if(afs_fsserver_t)
corenet_tcp_sendrecv_generic_node(afs_fsserver_t)
corenet_udp_sendrecv_generic_node(afs_fsserver_t)
-corenet_tcp_bind_generic_node(afs_fsserver_t)
-corenet_udp_bind_generic_node(afs_fsserver_t)
+corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
+corenet_udp_sendrecv_all_ports(afs_fsserver_t)
corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
@@ -190,7 +208,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t)
files_read_etc_runtime_files(afs_fsserver_t)
files_list_home(afs_fsserver_t)
-files_read_usr_files(afs_fsserver_t)
files_list_pids(afs_fsserver_t)
files_dontaudit_search_mnt(afs_fsserver_t)
@@ -224,7 +241,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
kernel_read_kernel_sysctls(afs_kaserver_t)
-corenet_all_recvfrom_unlabeled(afs_kaserver_t)
corenet_all_recvfrom_netlabel(afs_kaserver_t)
corenet_udp_sendrecv_generic_if(afs_kaserver_t)
corenet_udp_sendrecv_generic_node(afs_kaserver_t)
@@ -239,7 +255,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t)
corenet_udp_sendrecv_kerberos_port(afs_kaserver_t)
files_list_home(afs_kaserver_t)
-files_read_usr_files(afs_kaserver_t)
seutil_read_config(afs_kaserver_t)
@@ -253,16 +268,12 @@ userdom_dontaudit_use_user_terminals(afs_kaserver_t)
allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms;
allow afs_ptserver_t self:tcp_socket create_stream_socket_perms;
-read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t)
-allow afs_ptserver_t afs_config_t:dir list_dir_perms;
-
manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)
filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)
-corenet_all_recvfrom_unlabeled(afs_ptserver_t)
corenet_all_recvfrom_netlabel(afs_ptserver_t)
corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
corenet_udp_sendrecv_generic_if(afs_ptserver_t)
@@ -274,6 +285,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t)
corenet_udp_bind_afs_pt_port(afs_ptserver_t)
corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
+sysnet_read_config(afs_ptserver_t)
+
userdom_dontaudit_use_user_terminals(afs_ptserver_t)
########################################
@@ -284,16 +297,12 @@ userdom_dontaudit_use_user_terminals(afs_ptserver_t)
allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms;
allow afs_vlserver_t self:tcp_socket create_stream_socket_perms;
-read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t)
-allow afs_vlserver_t afs_config_t:dir list_dir_perms;
-
manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)
-corenet_all_recvfrom_unlabeled(afs_vlserver_t)
corenet_all_recvfrom_netlabel(afs_vlserver_t)
corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
corenet_udp_sendrecv_generic_if(afs_vlserver_t)
@@ -314,8 +323,8 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t)
allow afs_domain self:udp_socket create_socket_perms;
-files_read_etc_files(afs_domain)
-
-miscfiles_read_localization(afs_domain)
+read_files_pattern(afs_domain, afs_config_t, afs_config_t)
+allow afs_domain afs_config_t:dir list_dir_perms;
sysnet_read_config(afs_domain)
+
diff --git a/aiccu.if b/aiccu.if
index 3b5dcb947..fbe187fe1 100644
--- a/aiccu.if
+++ b/aiccu.if
@@ -79,9 +79,13 @@ interface(`aiccu_admin',`
type aiccu_var_run_t;
')
- allow $1 aiccu_t:process { ptrace signal_perms };
+ allow $1 aiccu_t:process signal_perms;
ps_process_pattern($1, aiccu_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 aiccu_t:process ptrace;
+ ')
+
aiccu_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 aiccu_initrc_exec_t system_r;
diff --git a/aiccu.te b/aiccu.te
index 5d2b90e04..7374df0b9 100644
--- a/aiccu.te
+++ b/aiccu.te
@@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t)
corenet_tcp_bind_generic_node(aiccu_t)
corenet_tcp_sendrecv_generic_if(aiccu_t)
corenet_tcp_sendrecv_generic_node(aiccu_t)
-
corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
corenet_tcp_connect_sixxsconfig_port(aiccu_t)
corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
@@ -60,16 +59,23 @@ domain_use_interactive_fds(aiccu_t)
dev_read_rand(aiccu_t)
dev_read_urand(aiccu_t)
-files_read_etc_files(aiccu_t)
+
+auth_read_passwd(aiccu_t)
logging_send_syslog_msg(aiccu_t)
-miscfiles_read_localization(aiccu_t)
+optional_policy(`
+ gnome_dontaudit_search_config(aiccu_t)
+')
optional_policy(`
modutils_domtrans_insmod(aiccu_t)
')
+optional_policy(`
+ pcscd_stream_connect(aiccu_t)
+')
+
optional_policy(`
sysnet_dns_name_resolve(aiccu_t)
sysnet_domtrans_ifconfig(aiccu_t)
diff --git a/aide.if b/aide.if
index 01cbb67df..94a4a2406 100644
--- a/aide.if
+++ b/aide.if
@@ -67,9 +67,13 @@ interface(`aide_admin',`
type aide_t, aide_db_t, aide_log_t;
')
- allow $1 aide_t:process { ptrace signal_perms };
+ allow $1 aide_t:process signal_perms;
ps_process_pattern($1, aide_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 aide_t:process ptrace;
+ ')
+
aide_run($1, $2)
files_list_etc($1)
diff --git a/aide.te b/aide.te
index 03831e6e5..e7d9dd97e 100644
--- a/aide.te
+++ b/aide.te
@@ -10,6 +10,7 @@ attribute_role aide_roles;
type aide_t;
type aide_exec_t;
application_domain(aide_t, aide_exec_t)
+cron_system_entry(aide_t, aide_exec_t)
role aide_roles types aide_t;
type aide_log_t;
@@ -23,22 +24,35 @@ files_type(aide_db_t)
# Local policy
#
-allow aide_t self:capability { dac_override fowner };
+allow aide_t self:capability { dac_read_search dac_override fowner ipc_lock sys_admin };
+allow aide_t self:process signal;
manage_files_pattern(aide_t, aide_db_t, aide_db_t)
+files_var_lib_filetrans(aide_t, aide_db_t, { dir file })
-create_files_pattern(aide_t, aide_log_t, aide_log_t)
-append_files_pattern(aide_t, aide_log_t, aide_log_t)
-setattr_files_pattern(aide_t, aide_log_t, aide_log_t)
+manage_files_pattern(aide_t, aide_log_t, aide_log_t)
logging_log_filetrans(aide_t, aide_log_t, file)
+dev_read_rand(aide_t)
+dev_read_urand(aide_t)
+
files_read_all_files(aide_t)
files_read_all_symlinks(aide_t)
+files_getattr_all_pipes(aide_t)
+files_getattr_all_sockets(aide_t)
+files_mmap_usr_files(aide_t)
+
+mls_file_read_to_clearance(aide_t)
+mls_file_write_to_clearance(aide_t)
logging_send_audit_msgs(aide_t)
logging_send_syslog_msg(aide_t)
-userdom_use_user_terminals(aide_t)
+userdom_use_inherited_user_terminals(aide_t)
+
+optional_policy(`
+ prelink_domtrans(aide_t)
+')
optional_policy(`
seutil_use_newrole_fds(aide_t)
diff --git a/aisexec.if b/aisexec.if
index a2997fa57..861cebdf9 100644
--- a/aisexec.if
+++ b/aisexec.if
@@ -83,9 +83,13 @@ interface(`aisexecd_admin',`
type aisexec_initrc_exec_t;
')
- allow $1 aisexec_t:process { ptrace signal_perms };
+ allow $1 aisexec_t:process signal_perms;
ps_process_pattern($1, aisexec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 aisexec_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 aisexec_initrc_exec_t system_r;
diff --git a/aisexec.te b/aisexec.te
index 4e4f06364..808e067e8 100644
--- a/aisexec.te
+++ b/aisexec.te
@@ -63,6 +63,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
kernel_read_system_state(aisexec_t)
corecmd_exec_bin(aisexec_t)
+corecmd_exec_shell(aisexec_t)
corenet_all_recvfrom_unlabeled(aisexec_t)
corenet_all_recvfrom_netlabel(aisexec_t)
@@ -95,8 +96,6 @@ init_rw_script_tmp_files(aisexec_t)
logging_send_syslog_msg(aisexec_t)
-miscfiles_read_localization(aisexec_t)
-
userdom_rw_unpriv_user_semaphores(aisexec_t)
userdom_rw_unpriv_user_shared_mem(aisexec_t)
@@ -105,6 +104,11 @@ optional_policy(`
')
optional_policy(`
+ corosync_domtrans(aisexec_t)
+')
+
+optional_policy(`
+ # to communication with RHCS
rhcs_rw_dlm_controld_semaphores(aisexec_t)
rhcs_rw_fenced_semaphores(aisexec_t)
diff --git a/ajaxterm.fc b/ajaxterm.fc
new file mode 100644
index 000000000..aeb1888a7
--- /dev/null
+++ b/ajaxterm.fc
@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/ajaxterm -- gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0)
+
+/usr/share/ajaxterm/ajaxterm\.py -- gen_context(system_u:object_r:ajaxterm_exec_t,s0)
+
+/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0)
diff --git a/ajaxterm.if b/ajaxterm.if
new file mode 100644
index 000000000..7abe946d4
--- /dev/null
+++ b/ajaxterm.if
@@ -0,0 +1,90 @@
+## policy for ajaxterm
+
+########################################
+##
+## Execute a domain transition to run ajaxterm.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ajaxterm_domtrans',`
+ gen_require(`
+ type ajaxterm_t, ajaxterm_exec_t;
+ ')
+
+ domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
+')
+
+########################################
+##
+## Execute ajaxterm server in the ajaxterm domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ajaxterm_initrc_domtrans',`
+ gen_require(`
+ type ajaxterm_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t)
+')
+
+#######################################
+##
+## Read and write the ajaxterm pty type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ajaxterm_rw_ptys',`
+ gen_require(`
+ type ajaxterm_devpts_t;
+ ')
+
+ allow $1 ajaxterm_devpts_t:chr_file rw_inherited_term_perms;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an ajaxterm environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`ajaxterm_admin',`
+ gen_require(`
+ type ajaxterm_t, ajaxterm_initrc_exec_t;
+ ')
+
+ allow $1 ajaxterm_t:process signal_perms;
+ ps_process_pattern($1, ajaxterm_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ajaxterm_t:process ptrace;
+ ')
+
+ ajaxterm_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 ajaxterm_initrc_exec_t system_r;
+ allow $2 system_r;
+')
diff --git a/ajaxterm.te b/ajaxterm.te
new file mode 100644
index 000000000..a95a4adf3
--- /dev/null
+++ b/ajaxterm.te
@@ -0,0 +1,60 @@
+policy_module(ajaxterm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ajaxterm_t;
+type ajaxterm_exec_t;
+init_daemon_domain(ajaxterm_t, ajaxterm_exec_t)
+
+type ajaxterm_initrc_exec_t;
+init_script_file(ajaxterm_initrc_exec_t)
+
+type ajaxterm_var_run_t;
+files_pid_file(ajaxterm_var_run_t)
+
+type ajaxterm_devpts_t;
+term_login_pty(ajaxterm_devpts_t)
+
+########################################
+#
+# ajaxterm local policy
+#
+allow ajaxterm_t self:capability setuid;
+allow ajaxterm_t self:process { setpgid signal };
+allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
+allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
+allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
+
+allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom };
+term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
+
+manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
+manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
+files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir })
+
+kernel_read_system_state(ajaxterm_t)
+
+corecmd_exec_bin(ajaxterm_t)
+
+corenet_tcp_bind_generic_node(ajaxterm_t)
+corenet_tcp_bind_oa_system_port(ajaxterm_t)
+
+dev_read_urand(ajaxterm_t)
+
+domain_use_interactive_fds(ajaxterm_t)
+
+
+sysnet_dns_name_resolve(ajaxterm_t)
+
+#######################################
+#
+# SSH component local policy
+#
+
+optional_policy(`
+ ssh_basic_client_template(ajaxterm, ajaxterm_t, system_r)
+')
+
diff --git a/alsa.fc b/alsa.fc
index 33d9d3111..58bf1829a 100644
--- a/alsa.fc
+++ b/alsa.fc
@@ -23,4 +23,10 @@ ifdef(`distro_debian',`
/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+
+/var/lock/asound\.state\.lock -- gen_context(system_u:object_r:alsa_lock_t,s0)
+
+/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
+
+/var/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_var_run_t,s0)
diff --git a/alsa.if b/alsa.if
index ca8d8cf3b..053a30ad4 100644
--- a/alsa.if
+++ b/alsa.if
@@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',`
userdom_search_user_home_dirs($1)
allow $1 alsa_home_t:file manage_file_perms;
+ alsa_filetrans_home_content($1)
')
########################################
@@ -210,51 +211,88 @@ interface(`alsa_relabel_home_files',`
########################################
##
-## Create objects in user home
-## directories with the generic alsa
-## home type.
+## Read Alsa lib files.
##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`alsa_read_lib',`
+ gen_require(`
+ type alsa_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+')
+
+########################################
+##
+## Transition to alsa named content
+##
+##
##
-## Class of the object being created.
+## Domain allowed access.
##
##
-##
+#
+interface(`alsa_filetrans_home_content',`
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
+')
+
+########################################
+##
+## Transition to alsa named content
+##
+##
##
-## The name of the object being created.
+## Domain allowed access.
##
##
#
-interface(`alsa_home_filetrans_alsa_home',`
+interface(`alsa_filetrans_named_content',`
gen_require(`
type alsa_home_t;
+ type alsa_etc_rw_t;
+ type alsa_var_lib_t;
')
- userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3)
+ files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state")
+ files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm")
+ files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound")
+ files_usr_filetrans($1, alsa_etc_rw_t, file, "alsa.conf")
+ files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm")
+ files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
')
########################################
##
-## Read Alsa lib files.
+## Execute alsa server in the alsa domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
#
-interface(`alsa_read_lib',`
+interface(`alsa_systemctl',`
gen_require(`
- type alsa_var_lib_t;
+ type alsa_t;
+ type alsa_unit_file_t;
')
- files_search_var_lib($1)
- read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 alsa_unit_file_t:file read_file_perms;
+ allow $1 alsa_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, alsa_t)
')
#########################################
diff --git a/alsa.te b/alsa.te
index 4b153f179..a799cd394 100644
--- a/alsa.te
+++ b/alsa.te
@@ -15,6 +15,9 @@ role alsa_roles types alsa_t;
type alsa_etc_rw_t;
files_config_file(alsa_etc_rw_t)
+type alsa_lock_t;
+files_lock_file(alsa_lock_t)
+
type alsa_tmp_t;
files_tmp_file(alsa_tmp_t)
@@ -24,16 +27,23 @@ files_tmpfs_file(alsa_tmpfs_t)
type alsa_var_lib_t;
files_type(alsa_var_lib_t)
+type alsa_var_run_t;
+files_pid_file(alsa_var_run_t)
+
type alsa_home_t;
userdom_user_home_content(alsa_home_t)
+type alsa_unit_file_t;
+systemd_unit_file(alsa_unit_file_t)
+
########################################
#
# Local policy
#
-allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
-dontaudit alsa_t self:capability sys_admin;
+allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner sys_nice };
+dontaudit alsa_t self:capability { sys_tty_config sys_admin };
+allow alsa_t self:process { getsched setsched signal_perms };
allow alsa_t self:sem create_sem_perms;
allow alsa_t self:shm create_shm_perms;
allow alsa_t self:unix_stream_socket { accept listen };
@@ -46,6 +56,9 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
can_exec(alsa_t, alsa_exec_t)
+manage_files_pattern(alsa_t, alsa_lock_t, alsa_lock_t)
+files_lock_filetrans(alsa_t, alsa_lock_t, file)
+
manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
@@ -57,7 +70,13 @@ fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
+manage_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
+manage_dirs_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
+manage_lnk_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
+files_pid_filetrans(alsa_t, alsa_var_run_t, { file dir })
+
kernel_read_system_state(alsa_t)
+kernel_signal(alsa_t)
corecmd_exec_bin(alsa_t)
@@ -67,7 +86,6 @@ dev_read_sysfs(alsa_t)
dev_read_urand(alsa_t)
dev_write_sound(alsa_t)
-files_read_usr_files(alsa_t)
files_search_var_lib(alsa_t)
term_dontaudit_use_console(alsa_t)
@@ -80,8 +98,6 @@ init_use_fds(alsa_t)
logging_send_syslog_msg(alsa_t)
-miscfiles_read_localization(alsa_t)
-
userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t)
diff --git a/amanda.fc b/amanda.fc
index 7f4dfbca3..e5c9f45b8 100644
--- a/amanda.fc
+++ b/amanda.fc
@@ -1,5 +1,6 @@
/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+/etc/amanda/DailySet1(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
/etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
# empty m4 string so the index macro is not invoked
@@ -13,6 +14,8 @@
/usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib/systemd/system/amanda.* -- gen_context(system_u:object_r:amanda_unit_file_t,s0)
+
/usr/sbin/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
diff --git a/amanda.te b/amanda.te
index 519051c7d..5f838c4dd 100644
--- a/amanda.te
+++ b/amanda.te
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
roleattribute system_r amanda_recover_roles;
type amanda_t;
+type amanda_exec_t;
type amanda_inetd_exec_t;
-inetd_service_domain(amanda_t, amanda_inetd_exec_t)
+application_executable_file(amanda_exec_t)
+init_daemon_domain(amanda_t, amanda_inetd_exec_t)
+role system_r types amanda_t;
-type amanda_exec_t;
-domain_entry_file(amanda_t, amanda_exec_t)
+type amanda_unit_file_t;
+systemd_unit_file(amanda_unit_file_t)
type amanda_log_t;
logging_log_file(amanda_log_t)
@@ -33,6 +36,9 @@ files_type(amanda_gnutarlists_t)
type amanda_tmp_t;
files_tmp_file(amanda_tmp_t)
+type amanda_tmpfs_t;
+files_tmpfs_file(amanda_tmpfs_t)
+
type amanda_amandates_t;
files_type(amanda_amandates_t)
@@ -59,8 +65,8 @@ optional_policy(`
# Local policy
#
-allow amanda_t self:capability { chown dac_override setuid kill };
-allow amanda_t self:process { setpgid signal };
+allow amanda_t self:capability { chown dac_read_search dac_override setuid setgid kill sys_admin };
+allow amanda_t self:process { getsched setsched setpgid signal };
allow amanda_t self:fifo_file rw_fifo_file_perms;
allow amanda_t self:unix_stream_socket { accept listen };
allow amanda_t self:tcp_socket { accept listen };
@@ -71,6 +77,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
+manage_lnk_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
@@ -81,6 +88,7 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
+files_var_lib_filetrans(amanda_t, amanda_var_lib_t, dir)
manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t)
manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t)
@@ -90,23 +98,30 @@ manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
+manage_files_pattern(amanda_t, amanda_tmpfs_t, amanda_tmpfs_t)
+manage_dirs_pattern(amanda_t, amanda_tmpfs_t, amanda_tmpfs_t)
+fs_tmpfs_filetrans(amanda_t, amanda_tmpfs_t, { dir file })
+
can_exec(amanda_t, { amanda_exec_t amanda_inetd_exec_t })
kernel_read_kernel_sysctls(amanda_t)
kernel_read_system_state(amanda_t)
+kernel_read_network_state(amanda_t)
kernel_dontaudit_getattr_unlabeled_files(amanda_t)
kernel_dontaudit_read_proc_symlinks(amanda_t)
corecmd_exec_shell(amanda_t)
corecmd_exec_bin(amanda_t)
-corenet_all_recvfrom_unlabeled(amanda_t)
corenet_all_recvfrom_netlabel(amanda_t)
corenet_tcp_sendrecv_generic_if(amanda_t)
corenet_tcp_sendrecv_generic_node(amanda_t)
corenet_tcp_sendrecv_all_ports(amanda_t)
corenet_tcp_bind_generic_node(amanda_t)
+corenet_tcp_bind_amanda_port(amanda_t)
+corenet_udp_bind_amanda_port(amanda_t)
+
corenet_sendrecv_all_server_packets(amanda_t)
corenet_tcp_bind_all_rpc_ports(amanda_t)
corenet_tcp_bind_generic_port(amanda_t)
@@ -114,6 +129,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
dev_getattr_all_blk_files(amanda_t)
dev_getattr_all_chr_files(amanda_t)
+dev_read_urand(amanda_t)
files_read_etc_runtime_files(amanda_t)
files_list_all(amanda_t)
@@ -126,6 +142,7 @@ files_getattr_all_sockets(amanda_t)
fs_getattr_xattr_fs(amanda_t)
fs_list_all(amanda_t)
+fs_getattr_tmpfs(amanda_t)
storage_raw_read_fixed_disk(amanda_t)
storage_read_tape(amanda_t)
@@ -141,7 +158,7 @@ logging_send_syslog_msg(amanda_t)
# Recover local policy
#
-allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_read_search dac_override };
allow amanda_recover_t self:process { sigkill sigstop signal };
allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
allow amanda_recover_t self:unix_stream_socket create_socket_perms;
@@ -170,7 +187,6 @@ kernel_read_system_state(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t)
corecmd_exec_bin(amanda_recover_t)
-corenet_all_recvfrom_unlabeled(amanda_recover_t)
corenet_all_recvfrom_netlabel(amanda_recover_t)
corenet_tcp_sendrecv_generic_if(amanda_recover_t)
corenet_udp_sendrecv_generic_if(amanda_recover_t)
@@ -195,12 +211,16 @@ files_search_tmp(amanda_recover_t)
auth_use_nsswitch(amanda_recover_t)
-fstools_domtrans(amanda_t)
-fstools_signal(amanda_t)
-
logging_search_logs(amanda_recover_t)
-miscfiles_read_localization(amanda_recover_t)
-
-userdom_use_user_terminals(amanda_recover_t)
+userdom_use_inherited_user_terminals(amanda_recover_t)
userdom_search_user_home_content(amanda_recover_t)
+
+optional_policy(`
+ inetd_service_domain(amanda_t, amanda_inetd_exec_t)
+')
+
+optional_policy(`
+ fstools_domtrans(amanda_t)
+ fstools_signal(amanda_t)
+')
diff --git a/amavis.fc b/amavis.fc
index 17689a707..8aa684917 100644
--- a/amavis.fc
+++ b/amavis.fc
@@ -12,8 +12,6 @@ ifdef(`distro_debian',`
/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
')
-/var/opt/f-secure(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
-
/var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
/var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
diff --git a/amavis.if b/amavis.if
index 60d4f8c90..18ef0772c 100644
--- a/amavis.if
+++ b/amavis.if
@@ -54,6 +54,7 @@ interface(`amavis_read_spool_files',`
files_search_spool($1)
read_files_pattern($1, amavis_spool_t, amavis_spool_t)
+ allow $1 amavis_spool_t:dir list_dir_perms;
')
########################################
@@ -151,6 +152,26 @@ interface(`amavis_read_lib_files',`
files_search_var_lib($1)
')
+########################################
+##
+## Read and write amavis lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`amavis_rw_lib_files',`
+ gen_require(`
+ type amavis_var_lib_t;
+ ')
+
+ rw_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
+ allow $1 amavis_var_lib_t:dir list_dir_perms;
+ files_search_var_lib($1)
+')
+
########################################
##
## Create, read, write, and delete
@@ -234,9 +255,13 @@ interface(`amavis_admin',`
type amavis_etc_t, amavis_quarantine_t, amavis_initrc_exec_t;
')
- allow $1 amavis_t:process { ptrace signal_perms };
+ allow $1 amavis_t:process signal_perms;
ps_process_pattern($1, amavis_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 amavis_t:process ptrace;
+ ')
+
amavis_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 amavis_initrc_exec_t system_r;
diff --git a/amavis.te b/amavis.te
index 91fa72ae1..be1f9677d 100644
--- a/amavis.te
+++ b/amavis.te
@@ -16,6 +16,7 @@ gen_tunable(amavis_use_jit, false)
type amavis_t;
type amavis_exec_t;
init_daemon_domain(amavis_t, amavis_exec_t)
+init_nnp_daemon_domain(amavis_t)
type amavis_etc_t;
files_config_file(amavis_etc_t)
@@ -39,14 +40,14 @@ type amavis_quarantine_t;
files_type(amavis_quarantine_t)
type amavis_spool_t;
-files_type(amavis_spool_t)
+files_spool_file(amavis_spool_t)
########################################
#
# Local policy
#
-allow amavis_t self:capability { kill chown dac_override setgid setuid };
+allow amavis_t self:capability { kill chown dac_read_search dac_override setgid setuid };
dontaudit amavis_t self:capability sys_tty_config;
allow amavis_t self:process signal_perms;
allow amavis_t self:fifo_file rw_fifo_file_perms;
@@ -67,9 +68,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
+# tmp files
+manage_dirs_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
-files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
+files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file } )
manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
@@ -95,7 +99,6 @@ kernel_dontaudit_read_proc_symlinks(amavis_t)
corecmd_exec_bin(amavis_t)
corecmd_exec_shell(amavis_t)
-corenet_all_recvfrom_unlabeled(amavis_t)
corenet_all_recvfrom_netlabel(amavis_t)
corenet_tcp_sendrecv_generic_if(amavis_t)
corenet_udp_sendrecv_generic_if(amavis_t)
@@ -118,6 +121,7 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t)
corenet_sendrecv_razor_client_packets(amavis_t)
corenet_tcp_connect_razor_port(amavis_t)
+corenet_tcp_connect_agentx_port(amavis_t)
dev_read_rand(amavis_t)
dev_read_sysfs(amavis_t)
@@ -127,7 +131,6 @@ domain_use_interactive_fds(amavis_t)
domain_dontaudit_read_all_domains_state(amavis_t)
files_read_etc_runtime_files(amavis_t)
-files_read_usr_files(amavis_t)
files_search_spool(amavis_t)
fs_getattr_xattr_fs(amavis_t)
@@ -141,14 +144,20 @@ init_stream_connect_script(amavis_t)
logging_send_syslog_msg(amavis_t)
-miscfiles_read_localization(amavis_t)
+miscfiles_read_generic_certs(amavis_t)
+
+sysnet_use_ldap(amavis_t)
userdom_dontaudit_search_user_home_dirs(amavis_t)
tunable_policy(`amavis_use_jit',`
- allow amavis_t self:process execmem;
+ allow amavis_t self:process execmem;
',`
- dontaudit amavis_t self:process execmem;
+ dontaudit amavis_t self:process execmem;
+')
+
+optional_policy(`
+ antivirus_domain_template(amavis_t)
')
optional_policy(`
@@ -172,6 +181,10 @@ optional_policy(`
mta_read_config(amavis_t)
')
+optional_policy(`
+ nslcd_stream_connect(amavis_t)
+')
+
optional_policy(`
postfix_read_config(amavis_t)
postfix_list_spool(amavis_t)
diff --git a/amtu.te b/amtu.te
index 16d0d66eb..60abfd080 100644
--- a/amtu.te
+++ b/amtu.te
@@ -24,11 +24,10 @@ kernel_read_system_state(amtu_t)
files_manage_boot_files(amtu_t)
files_read_etc_runtime_files(amtu_t)
-files_read_etc_files(amtu_t)
logging_send_audit_msgs(amtu_t)
-userdom_use_user_terminals(amtu_t)
+userdom_use_inherited_user_terminals(amtu_t)
optional_policy(`
nscd_dontaudit_search_pid(amtu_t)
diff --git a/anaconda.fc b/anaconda.fc
index b098089d0..fe35bebfd 100644
--- a/anaconda.fc
+++ b/anaconda.fc
@@ -1 +1,13 @@
# No file context specifications.
+
+/usr/libexec/anaconda/anaconda-yum -- gen_context(system_u:object_r:install_exec_t,s0)
+/usr/sbin/anaconda -- gen_context(system_u:object_r:install_exec_t,s0)
+
+/usr/bin/initial-setup -- gen_context(system_u:object_r:install_exec_t,s0)
+/usr/bin/ostree -- gen_context(system_u:object_r:install_exec_t,s0)
+/usr/bin/rpm-ostree -- gen_context(system_u:object_r:install_exec_t,s0)
+/usr/libexec/rpm-ostreed -- gen_context(system_u:object_r:install_exec_t,s0)
+
+/usr/bin/preupg.* -- gen_context(system_u:object_r:preupgrade_exec_t,s0)
+/var/lib/preupgrade(/.*)? gen_context(system_u:object_r:preupgrade_data_t,s0)
+/var/log/preupgrade(/.*)? gen_context(system_u:object_r:preupgrade_data_t,s0)
diff --git a/anaconda.if b/anaconda.if
index 14a61b7e1..76d93294d 100644
--- a/anaconda.if
+++ b/anaconda.if
@@ -1 +1,132 @@
## Anaconda installer.
+
+########################################
+##
+## Execute a domain transition to run install.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`anaconda_domtrans_install',`
+ gen_require(`
+ type install_t, install_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, install_exec_t, install_t)
+')
+
+########################################
+##
+## Execute install in the install
+## domain, and allow the specified
+## role the install domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`anaconda_run_install',`
+ gen_require(`
+ type install_t;
+ type install_exec_t;
+ attribute_role install_roles;
+ ')
+
+ anaconda_domtrans_install($1)
+ roleattribute $2 install_roles;
+ role_transition $2 install_exec_t system_r;
+
+ optional_policy(`
+ rpm_transition_script(install_t, $2)
+ ')
+')
+
+########################################
+##
+## Execute preupgrade in the caller domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`anaconda_exec_preupgrade',`
+ gen_require(`
+ type preupgrade_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, preupgrade_exec_t)
+')
+
+########################################
+##
+## Execute a domain transition to run preupgrade.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`anaconda_domtrans_preupgrade',`
+ gen_require(`
+ type preupgrade_t, preupgrade_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, preupgrade_exec_t, preupgrade_t)
+')
+
+########################################
+##
+## Read preupgrade lib files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`anaconda_read_lib_files_preupgrade',`
+ gen_require(`
+ type preupgrade_data_t;
+ ')
+
+ read_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
+ read_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Manage preupgrade lib files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`anaconda_manage_lib_files_preupgrade',`
+ gen_require(`
+ type preupgrade_data_t;
+ ')
+
+ manage_dirs_pattern($1, preupgrade_data_t, preupgrade_data_t)
+ manage_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
+ manage_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
+ files_search_var_lib($1)
+')
diff --git a/anaconda.te b/anaconda.te
index aa44abfe4..9efa1f20b 100644
--- a/anaconda.te
+++ b/anaconda.te
@@ -4,6 +4,10 @@ gen_require(`
class passwd all_passwd_perms;
')
+gen_require(`
+ class passwd { passwd chfn chsh rootok crontab };
+')
+
########################################
#
# Declarations
@@ -16,6 +20,22 @@ domain_entry_file(anaconda_t, anaconda_exec_t)
domain_obj_id_change_exemption(anaconda_t)
role system_r types anaconda_t;
+attribute_role install_roles;
+roleattribute system_r install_roles;
+
+type install_t;
+type install_exec_t;
+application_domain(install_t, install_exec_t)
+role install_roles types install_t;
+
+type preupgrade_t;
+type preupgrade_exec_t;
+application_domain(preupgrade_t, preupgrade_exec_t)
+role system_r types preupgrade_t;
+
+type preupgrade_data_t;
+files_type(preupgrade_data_t)
+
########################################
#
# Local policy
@@ -34,8 +54,9 @@ modutils_domtrans_insmod(anaconda_t)
modutils_domtrans_depmod(anaconda_t)
seutil_domtrans_semanage(anaconda_t)
+seutil_domtrans_setsebool(anaconda_t)
-userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
+userdom_filetrans_home_content(anaconda_t)
optional_policy(`
rpm_domtrans(anaconda_t)
@@ -53,3 +74,54 @@ optional_policy(`
optional_policy(`
unconfined_domain_noaudit(anaconda_t)
')
+
+########################################
+#
+# Local policy
+#
+
+allow install_t self:capability2 mac_admin;
+
+systemd_dbus_chat_localed(install_t)
+
+tunable_policy(`deny_ptrace',`',`
+ domain_ptrace_all_domains(install_t)
+')
+
+optional_policy(`
+ iscsid_run(install_t, install_roles)
+')
+
+optional_policy(`
+ mount_run(install_t, install_roles)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(install_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(install_t)
+')
+
+optional_policy(`
+ seutil_run_setfiles_mac(install_t, install_roles)
+')
+
+optional_policy(`
+ unconfined_domain_noaudit(install_t)
+')
+
+
+########################################
+#
+# Local policy
+#
+
+manage_files_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
+manage_dirs_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
+manage_lnk_files_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
+
+optional_policy(`
+ unconfined_domain_noaudit(preupgrade_t)
+')
diff --git a/antivirus.fc b/antivirus.fc
new file mode 100644
index 000000000..219f32db0
--- /dev/null
+++ b/antivirus.fc
@@ -0,0 +1,44 @@
+/etc/amavis(d)?\.conf -- gen_context(system_u:object_r:antivirus_conf_t,s0)
+/etc/amavisd(/.*)? gen_context(system_u:object_r:antivirus_conf_t,s0)
+
+/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/amavisd-snmp -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/clamd.* -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:antivirus_unit_file_t,s0)
+
+/usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+
+/usr/sbin/amavi -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/sbin/amavisd.* -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/bin/clamscan -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/bin/clamdscan -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/bin/freshclam -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+
+/usr/sbin/clamd -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/sbin/clamav-milter -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+
+/var/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+
+/var/amavis(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/amavis(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/clamav-unofficial-sigs(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/clamd.* gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/opt/f-secure(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/spool/amavisd(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/virusmails(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+
+/var/log/amavisd\.log.* -- gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/clamav.* gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/freshclam.* -- gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/clamd.* gen_context(system_u:object_r:antivirus_log_t,s0)
+
+/var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:antivirus_var_run_t,s0)
+/var/run/amavisd-snmp-subagent\.pid -- gen_context(system_u:object_r:antivirus_var_run_t,s0)
+
+/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:antivirus_var_run_t,s0)
+/var/run/clamav.* gen_context(system_u:object_r:antivirus_var_run_t,s0)
+/var/run/clamd.* gen_context(system_u:object_r:antivirus_var_run_t,s0)
+
diff --git a/antivirus.if b/antivirus.if
new file mode 100644
index 000000000..36251b926
--- /dev/null
+++ b/antivirus.if
@@ -0,0 +1,325 @@
+## SELinux policy for antivirus programs - amavis, clamd, freshclam and clamscan
+
+######################################
+##
+## Creates types and rules for a basic
+## antivirus domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+interface(`antivirus_domain_template',`
+ gen_require(`
+ attribute antivirus_domain;
+ ')
+
+ typeattribute $1 antivirus_domain;
+
+ kernel_read_system_state($1)
+')
+
+#######################################
+##
+## Execute a domain transition to run antivirus program.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`antivirus_domtrans',`
+ gen_require(`
+ type antivirus_t, antivirus_exec_t;
+ ')
+
+ domtrans_pattern($1, antivirus_exec_t, antivirus_t)
+')
+
+#######################################
+##
+## Execute antivirus program without a transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`antivirus_exec',`
+ gen_require(`
+ type antivirus_exec_t;
+ ')
+
+ can_exec($1, antivirus_exec_t)
+')
+
+#######################################
+##
+## Connect to run antivirus program.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`antivirus_stream_connect',`
+ gen_require(`
+ type antivirus_t, antivirus_db_t, antivirus_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, antivirus_var_run_t, antivirus_var_run_t, antivirus_t)
+ stream_connect_pattern($1, antivirus_db_t, antivirus_db_t, antivirus_t)
+')
+
+#######################################
+##
+## Allow the specified domain to append
+## to antivirus log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`antivirus_append_log',`
+ gen_require(`
+ type antivirus_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 antivirus_log_t:dir list_dir_perms;
+ append_files_pattern($1, antivirus_log_t, antivirus_log_t)
+')
+
+#######################################
+##
+## Read antivirus configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`antivirus_read_config',`
+ gen_require(`
+ type antivirus_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 antivirus_conf_t:file read_file_perms;
+')
+
+#######################################
+##
+## Search antivirus db content directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`antivirus_search_db',`
+ gen_require(`
+ type antivirus_db_t;
+ ')
+
+ files_search_var_lib($1)
+ files_search_spool($1)
+ allow $1 antivirus_db_t:dir search_dir_perms;
+')
+
+######################################
+##
+## Read antivirus db content directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`antivirus_read_db',`
+ gen_require(`
+ type antivirus_db_t;
+ ')
+
+ files_search_var_lib($1)
+ files_search_spool($1)
+ read_files_pattern($1, antivirus_db_t, antivirus_db_t)
+ read_lnk_files_pattern($1, antivirus_db_t, antivirus_db_t)
+')
+
+#####################################
+##
+## Read and write antivirus db content directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`antivirus_rw_db',`
+ gen_require(`
+ type antivirus_db_t;
+ ')
+
+ files_search_var_lib($1)
+ files_search_spool($1)
+ write_files_pattern($1, antivirus_db_t, antivirus_db_t)
+')
+
+####################################
+##
+## Manage antivirus db content directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`antivirus_manage_db',`
+ gen_require(`
+ type antivirus_db_t;
+ ')
+
+ files_search_var_lib($1)
+ files_search_spool($1)
+ manage_files_pattern($1, antivirus_db_t, antivirus_db_t)
+ manage_dirs_pattern($1, antivirus_db_t, antivirus_db_t)
+')
+
+#######################################
+##
+## Manage antivirus pid content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`antivirus_manage_pid',`
+ gen_require(`
+ type antivirus_var_run_t;
+ ')
+
+ manage_dirs_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
+ manage_files_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
+')
+
+######################################
+##
+## Read antivirus state files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`antivirus_read_state_clamd',`
+ gen_require(`
+ type antivirus_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, antivirus_t)
+')
+
+######################################
+##
+## Execute antivirus server in the antivirus domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`antivirus_systemctl',`
+ gen_require(`
+ type antivirus_t;
+ type antivirus_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 antivirus_unit_file_t:file read_file_perms;
+ allow $1 antivirus_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, antivirus_t)
+')
+
+#######################################
+##
+## All of the rules required to administrate
+## an antivirus programs environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the clamav domain.
+##
+##
+##
+#
+interface(`antivirus_admin',`
+ gen_require(`
+ attribute antivirus_domain;
+ type antivirus_t, antivirus_conf_t, antivirus_tmp_t;
+ type antivirus_log_t, antivirus_db_t, antivirus_var_run_t;
+ type antivirus_initrc_exec_t, antivirus_unit_file_t;
+ ')
+
+ allow $1 antivirus_t:process signal_perms;
+ ps_process_pattern($1, antivirus_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 antivirus_t:process ptrace;
+ ')
+
+ init_labeled_script_domtrans($1, antivirus_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 antivirus_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ antivirus_systemctl($1)
+ admin_pattern($1, antivirus_unit_file_t)
+ allow $1 antivirus_unit_file_t:service all_service_perms;
+
+ files_list_etc($1)
+ admin_pattern($1, antivirus_conf_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, antivirus_db_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, antivirus_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, antivirus_var_run_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, antivirus_tmp_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
index 000000000..784eeb11a
--- /dev/null
+++ b/antivirus.te
@@ -0,0 +1,272 @@
+policy_module(antivirus, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
+## Allow antivirus programs to read non security files on a system
+##
+##
+gen_tunable(antivirus_can_scan_system, false)
+
+##
+##
+## Determine whether can antivirus programs use JIT compiler.
+##
+##
+gen_tunable(antivirus_use_jit, false)
+
+attribute antivirus_domain;
+
+type antivirus_t;
+type antivirus_exec_t;
+typeattribute antivirus_t antivirus_domain;
+typealias antivirus_t alias { amavis_t clamd_t clamscan_t freshclam_t } ;
+typealias antivirus_exec_t alias { amavis_exec_t clamd_exec_t clamscan_exec_t freshclam_exec_t };
+init_daemon_domain(antivirus_t, antivirus_exec_t)
+
+type antivirus_initrc_exec_t;
+typealias antivirus_initrc_exec_t alias { clamd_initrc_exec_t amavis_initrc_exec_t };
+init_script_file(antivirus_initrc_exec_t)
+
+type antivirus_unit_file_t;
+typealias antivirus_unit_file_t alias { clamd_unit_file_t };
+systemd_unit_file(antivirus_unit_file_t)
+
+type antivirus_conf_t;
+typealias antivirus_conf_t alias { clamd_etc_t amavis_etc_t };
+files_config_file(antivirus_conf_t)
+
+type antivirus_var_run_t;
+typealias antivirus_var_run_t alias { amavis_var_run_t clamd_var_run_t clamd_sock_t };
+files_pid_file(antivirus_var_run_t)
+
+type antivirus_log_t;
+typealias antivirus_log_t alias { amavis_var_log_t clamd_var_log_t freshclam_var_log_t };
+logging_log_file(antivirus_log_t)
+
+type antivirus_db_t;
+typealias antivirus_db_t alias { amavis_var_lib_t amavis_quarantine_t amavis_spool_t clamd_var_lib_t };
+files_type(antivirus_db_t)
+
+type antivirus_home_t;
+userdom_user_home_content(antivirus_home_t)
+
+type antivirus_tmp_t;
+typealias antivirus_tmp_t alias { amavis_tmp_t clamd_tmp_t clamscan_tmp_t };
+files_tmp_file(antivirus_tmp_t)
+
+########################################
+#
+# antivirus domain local policy
+#
+
+allow antivirus_domain self:capability { dac_read_search dac_override chown kill fsetid setgid setuid sys_admin };
+dontaudit antivirus_domain self:capability sys_tty_config;
+allow antivirus_domain self:process signal_perms;
+
+allow antivirus_domain self:fifo_file rw_fifo_file_perms;
+allow antivirus_domain self:unix_stream_socket { accept connectto listen };
+allow antivirus_domain self:tcp_socket { listen accept };
+
+allow antivirus_domain antivirus_conf_t:dir list_dir_perms;
+read_files_pattern(antivirus_domain, antivirus_conf_t, antivirus_conf_t)
+read_lnk_files_pattern(antivirus_domain, antivirus_conf_t, antivirus_conf_t)
+
+manage_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+manage_dirs_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+manage_lnk_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+allow antivirus_t antivirus_db_t:file map;
+
+manage_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+manage_dirs_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+manage_lnk_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+
+manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+manage_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir sock_file } )
+
+manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
+manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
+logging_log_filetrans(antivirus_domain, antivirus_log_t, { sock_file file dir })
+
+manage_dirs_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
+manage_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
+files_pid_filetrans(antivirus_domain, antivirus_var_run_t, {file})
+
+can_exec(antivirus_domain, antivirus_exec_t)
+
+kernel_read_system_state(antivirus_t)
+kernel_read_network_state(antivirus_domain)
+kernel_read_all_sysctls(antivirus_domain)
+
+corecmd_exec_bin(antivirus_domain)
+corecmd_exec_shell(antivirus_domain)
+
+corenet_all_recvfrom_netlabel(antivirus_t)
+corenet_tcp_sendrecv_generic_if(antivirus_t)
+corenet_udp_sendrecv_generic_if(antivirus_t)
+corenet_tcp_sendrecv_generic_node(antivirus_domain)
+corenet_udp_sendrecv_generic_node(antivirus_domain)
+corenet_tcp_sendrecv_all_ports(antivirus_domain)
+corenet_udp_sendrecv_all_ports(antivirus_domain)
+corenet_tcp_bind_generic_node(antivirus_domain)
+corenet_udp_bind_generic_node(antivirus_domain)
+
+corenet_sendrecv_amavisd_send_client_packets(antivirus_domain)
+corenet_tcp_connect_amavisd_send_port(antivirus_domain)
+
+corenet_sendrecv_amavisd_recv_server_packets(antivirus_domain)
+corenet_tcp_bind_amavisd_recv_port(antivirus_domain)
+
+corenet_sendrecv_generic_server_packets(antivirus_domain)
+corenet_udp_bind_generic_port(antivirus_domain)
+corenet_dontaudit_udp_bind_all_ports(antivirus_domain)
+
+corenet_sendrecv_razor_client_packets(antivirus_domain)
+corenet_tcp_connect_razor_port(antivirus_domain)
+corenet_tcp_connect_agentx_port(antivirus_domain)
+
+corenet_tcp_connect_clamd_port(antivirus_domain)
+
+corenet_sendrecv_clamd_server_packets(antivirus_domain)
+corenet_tcp_bind_clamd_port(antivirus_domain)
+
+corenet_sendrecv_http_client_packets(antivirus_domain)
+corenet_tcp_connect_http_port(antivirus_domain)
+corenet_tcp_sendrecv_http_port(antivirus_domain)
+
+corenet_sendrecv_http_cache_client_packets(antivirus_domain)
+corenet_tcp_connect_http_cache_port(antivirus_domain)
+corenet_tcp_sendrecv_http_cache_port(antivirus_domain)
+
+#support for MySQL/PostgreSQL
+corenet_tcp_connect_mysqld_port(antivirus_domain)
+corenet_tcp_connect_postgresql_port(antivirus_domain)
+
+corenet_sendrecv_snmp_client_packets(antivirus_domain)
+corenet_tcp_connect_snmp_port(antivirus_domain)
+
+corenet_sendrecv_squid_client_packets(antivirus_domain)
+corenet_tcp_connect_squid_port(antivirus_domain)
+corenet_tcp_sendrecv_squid_port(antivirus_domain)
+
+dev_read_rand(antivirus_domain)
+dev_read_sysfs(antivirus_domain)
+dev_read_urand(antivirus_domain)
+
+domain_read_all_domains_state(antivirus_domain)
+
+files_dontaudit_read_security_files(antivirus_domain)
+files_read_etc_runtime_files(antivirus_domain)
+files_search_spool(antivirus_domain)
+
+fs_getattr_xattr_fs(antivirus_domain)
+
+auth_use_nsswitch(antivirus_t)
+auth_dontaudit_read_shadow(antivirus_domain)
+
+init_read_state(antivirus_domain)
+init_read_utmp(antivirus_domain)
+init_stream_connect_script(antivirus_domain)
+init_dontaudit_write_utmp(antivirus_domain)
+
+logging_send_syslog_msg(antivirus_t)
+
+miscfiles_read_generic_certs(antivirus_domain)
+
+sysnet_use_ldap(antivirus_domain)
+
+userdom_stream_connect(antivirus_domain)
+userdom_dontaudit_search_user_home_dirs(antivirus_domain)
+
+tunable_policy(`antivirus_can_scan_system',`
+ files_read_non_security_files(antivirus_domain)
+ files_getattr_all_pipes(antivirus_domain)
+ files_getattr_all_sockets(antivirus_domain)
+ dev_getattr_all_blk_files(antivirus_domain)
+ dev_getattr_all_chr_files(antivirus_domain)
+')
+
+tunable_policy(`antivirus_use_jit',`
+ allow antivirus_domain self:process execmem;
+ allow antivirus_domain self:process execmem;
+',`
+ dontaudit antivirus_domain self:process execmem;
+ dontaudit antivirus_domain self:process execmem;
+')
+
+optional_policy(`
+ apache_read_sys_content(antivirus_domain)
+')
+
+optional_policy(`
+ antivirus_systemctl(antivirus_domain)
+')
+
+optional_policy(`
+ cron_system_entry(antivirus_t, antivirus_exec_t)
+ cron_use_fds(antivirus_domain)
+ cron_use_system_job_fds(antivirus_domain)
+ cron_rw_pipes(antivirus_domain)
+')
+
+optional_policy(`
+ dcc_domtrans_client(antivirus_domain)
+ dcc_stream_connect_dccifd(antivirus_domain)
+')
+
+optional_policy(`
+ exim_read_spool_files(antivirus_domain)
+')
+
+optional_policy(`
+ mta_read_config(antivirus_domain)
+ mta_read_queue(antivirus_domain)
+ mta_send_mail(antivirus_domain)
+')
+
+optional_policy(`
+ nslcd_stream_connect(antivirus_domain)
+')
+
+optional_policy(`
+ mysql_stream_connect(antivirus_domain)
+ corenet_tcp_connect_mysqld_port(antivirus_domain)
+')
+
+optional_policy(`
+ postfix_read_config(antivirus_domain)
+ postfix_list_spool(antivirus_domain)
+')
+
+optional_policy(`
+ pyzor_domtrans(antivirus_domain)
+ pyzor_signal(antivirus_domain)
+')
+
+optional_policy(`
+ razor_domtrans(antivirus_domain)
+')
+
+optional_policy(`
+ snmp_manage_var_lib_dirs(antivirus_domain)
+ snmp_manage_var_lib_files(antivirus_domain)
+ snmp_stream_connect(antivirus_domain)
+')
+
+optional_policy(`
+ spamd_stream_connect(clamd_t)
+ spamassassin_exec(antivirus_domain)
+ spamassassin_exec_client(antivirus_domain)
+ spamassassin_read_lib_files(antivirus_domain)
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
index 7caefc353..1edf14e25 100644
--- a/apache.fc
+++ b/apache.fc
@@ -1,162 +1,219 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
-/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
-/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
-/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
-/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/nextcloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
+/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
+/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
+/etc/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/opt/rh/rh-nginx18/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/thttpd\.conf -- gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/thttpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/jetty.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/nginx.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
-/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
-/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/([^/]*/)?www/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/gallery2/smarty(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
-/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/share/joomla(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
+/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-
-ifdef(`distro_suse',`
-/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/htcacheclean -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/sbin/thttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
+ifdef(`distro_suse', `
+/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-
-/var/cache/apache2(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
+/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/usr/share/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/nginx/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/local/nagios/sbin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
-
-/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/rt(3|4)(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
+
+/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/ganglia(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/graphite-web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/ipsilon(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/moodle(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/mod_security(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/opt/rh/rh-nginx18/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/lib/php/wsdlcache(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+
/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
-/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/lib/openshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/lib/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/nextcloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/rt(3|4)/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
+/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/horizon(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/graphite-web(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/opt/rh/rh-nginx18/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/thttpd\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php_errors\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/shibboleth-www(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ifdef(`distro_debian', `
+/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+')
-/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
-
-/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-
-/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
-/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/opt/rh/rh-nginx18/run/nginx(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/thttpd\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
+
+/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+
+/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
-/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/html(/.*)?/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html(/.*)?/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html(/.*)?/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html(/.*)?/wp_backups(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html(/.*)?/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html/owncloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html/nextcloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/moodle/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/openshift/console/tmp(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
+/var/www/openshift/console/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/openshift/broker/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/openshift/console/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/openshift/broker/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/www/openshift/console/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/stickshift/[^/]*/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
index f6eb4851f..94c92bab0 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
-## Various web servers.
+## Apache web server
########################################
##
-## Create a set of derived types for
-## httpd web content.
+## Create a set of derived types for apache
+## web content.
##
##
##
@@ -11,120 +11,237 @@
##
##
#
-template(`apache_content_template',`
+template(`apache_user_content_template',`
gen_require(`
- attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
- attribute httpd_script_domains, httpd_htaccess_type;
+ attribute httpd_exec_scripts, httpd_script_exec_type;
type httpd_t, httpd_suexec_t;
+ attribute httpd_script_type, httpd_user_content_type;
')
- ########################################
- #
- # Declarations
- #
-
- ##
- ##
- ## Determine whether the script domain can
- ## modify public files used for public file
- ## transfer services. Directories/Files must
- ## be labeled public_content_rw_t.
- ##
- ##
- gen_tunable(allow_httpd_$1_script_anon_write, false)
-
- type httpd_$1_content_t, httpdcontent; # customizable
- typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
- files_type(httpd_$1_content_t)
-
- type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable;
- files_type(httpd_$1_htaccess_t)
-
- type httpd_$1_script_t, httpd_script_domains;
- domain_type(httpd_$1_script_t)
- role system_r types httpd_$1_script_t;
-
- type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
- corecmd_shell_entry_type(httpd_$1_script_t)
- domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
-
- type httpd_$1_rw_content_t, httpdcontent; # customizable
- typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
- files_type(httpd_$1_rw_content_t)
+ #This type is for webpages
+ type $1_content_t; # customizable;
+ typeattribute $1_content_t httpd_user_content_type;
+ typealias $1_content_t alias { httpd_$1_content_t httpd_$1_script_ro_t };
+ files_type($1_content_t)
+
+ # This type is used for .htaccess files
+ type $1_htaccess_t, httpd_content_type; # customizable;
+ typeattribute $1_htaccess_t httpd_user_content_type;
+ typealias $1_htaccess_t alias {httpd_$1_htaccess_t };
+ files_type($1_htaccess_t)
+
+ # Type that CGI scripts run as
+ type $1_script_t, httpd_script_type;
+ typealias $1_script_t alias { httpd_$1_script_t };
+ domain_type($1_script_t)
+ role system_r types $1_script_t;
+
+ kernel_read_system_state($1_script_t)
+
+ # This type is used for executable scripts files
+ type $1_script_exec_t, httpd_script_exec_type; # customizable;
+ typeattribute $1_script_exec_t httpd_user_content_type;
+ typealias $1_script_exec_t alias { httpd_$1_script_exec_t };
+ domain_entry_file($1_script_t, $1_script_exec_t)
+
+ type $1_rw_content_t; # customizable
+ typeattribute $1_rw_content_t httpd_user_content_type;
+ typealias $1_rw_content_t alias { httpd_$1_rw_content_t $1_script_rw_t $1_content_rw_t };
+ files_type($1_rw_content_t)
+
+ type $1_ra_content_t, httpd_content_type; # customizable
+ typeattribute $1_ra_content_t httpd_user_content_type;
+ typealias $1_ra_content_t alias { httpd_$1_ra_content_t $1_script_ra_t $1_content_ra_t };
+ files_type($1_ra_content_t)
+
+ # Allow the script process to search the cgi directory, and users directory
+ allow $1_script_t $1_content_t:dir search_dir_perms;
+
+ can_exec($1_script_t, $1_script_exec_t)
+ allow $1_script_t $1_script_exec_t:dir list_dir_perms;
+ allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+ read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+ append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+ create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+ read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+
+ allow $1_script_t $1_content_t:dir list_dir_perms;
+ read_files_pattern($1_script_t, $1_content_t, $1_content_t)
+ read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)
+
+ manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+
+ allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write };
+
+ # Allow the web server to run scripts and serve pages
+ tunable_policy(`httpd_builtin_scripting',`
+ manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+ manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+ manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+ rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
- type httpd_$1_ra_content_t, httpdcontent; # customizable
- typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
- files_type(httpd_$1_ra_content_t)
+ allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
+ read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+ append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+ create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+ read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
- ########################################
- #
- # Policy
- #
+ ')
- can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+ tunable_policy(`httpd_enable_cgi',`
+ allow $1_script_t $1_script_exec_t:file entrypoint;
- allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
- allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
- allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
+ domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms;
- allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms;
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms;
+ # privileged users run the script:
+ domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
- manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
+ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms;
- allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms;
- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms;
+ # apache runs the script:
+ domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
+ allow httpd_t $1_script_t:unix_dgram_socket sendto;
+ ')
+')
- tunable_policy(`allow_httpd_$1_script_anon_write',`
- miscfiles_manage_public_files(httpd_$1_script_t)
+########################################
+##
+## Create a set of derived types for apache
+## web content.
+##
+##
+##
+## The prefix to be used for deriving type names.
+##
+##
+#
+template(`apache_content_template',`
+ gen_require(`
+ attribute httpd_exec_scripts, httpd_script_exec_type;
+ type httpd_t, httpd_suexec_t;
+ attribute httpd_script_type, httpd_content_type;
')
+ #This type is for webpages
+ type $1_content_t; # customizable;
+ typeattribute $1_content_t httpd_content_type;
+ typealias $1_content_t alias httpd_$1_script_ro_t;
+ files_type($1_content_t)
+
+ # This type is used for .htaccess files
+ type $1_htaccess_t, httpd_content_type; # customizable;
+ typeattribute $1_htaccess_t httpd_content_type;
+ files_type($1_htaccess_t)
+
+ # Type that CGI scripts run as
+ type $1_script_t, httpd_script_type;
+ typealias $1_script_t alias { httpd_$1_script_t };
+ domain_type($1_script_t)
+ role system_r types $1_script_t;
+
+ kernel_read_system_state($1_script_t)
+
+ # This type is used for executable scripts files
+ type $1_script_exec_t, httpd_script_exec_type; # customizable;
+ typeattribute $1_script_exec_t httpd_content_type;
+ domain_entry_file($1_script_t, $1_script_exec_t)
+
+ type $1_rw_content_t; # customizable
+ typeattribute $1_rw_content_t httpd_content_type;
+ typealias $1_rw_content_t alias { $1_script_rw_t $1_content_rw_t };
+ files_type($1_rw_content_t)
+
+ type $1_ra_content_t, httpd_content_type; # customizable
+ typeattribute $1_ra_content_t httpd_content_type;
+ typealias $1_ra_content_t alias { $1_script_ra_t $1_content_ra_t };
+ files_type($1_ra_content_t)
+
+ # Allow the script process to search the cgi directory, and users directory
+ allow $1_script_t $1_content_t:dir search_dir_perms;
+
+ can_exec($1_script_t, $1_script_exec_t)
+ allow $1_script_t $1_script_exec_t:dir list_dir_perms;
+ allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+ read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+ append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+ create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+ read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+
+ allow $1_script_t $1_content_t:dir list_dir_perms;
+ read_files_pattern($1_script_t, $1_content_t, $1_content_t)
+ read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)
+
+ manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+
+ allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write };
+
+ # Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
- manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+ manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+ manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+ rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
- allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
- allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
- allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
- ')
+ allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
+ read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+ append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+ create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+ read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
- tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
- can_exec(httpd_t, httpd_$1_rw_content_t)
')
tunable_policy(`httpd_enable_cgi',`
- allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
- domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t)
- ')
+ allow $1_script_t $1_script_exec_t:file entrypoint;
- tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',`
- can_exec(httpd_$1_script_t, httpd_$1_rw_content_t)
- ')
+ domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint;
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:dir manage_dir_perms;
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms;
- ')
+ # privileged users run the script:
+ domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
- tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
- filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
+ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
+
+ # apache runs the script:
+ domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
+ allow httpd_t $1_script_t:unix_dgram_socket sendto;
')
')
########################################
##
-## Role access for apache.
+## Create a set of derived types for apache
+## web content.
+##
+##
+##
+## The prefix to be used for deriving new type names.
+##
+##
+##
+##
+## The prefix to be used for deriving old type names.
+##
+##
+#
+template(`apache_content_alias_template',`
+ typealias $1_htaccess_t alias httpd_$2_htaccess_t;
+ #typealias $1_script_t alias httpd_$2_script_t;
+ typealias $1_script_exec_t alias httpd_$2_script_exec_t;
+ typealias $1_content_t alias httpd_$2_content_t;
+ typealias $1_rw_content_t alias httpd_$2_script_rw_content_t;
+ typealias $1_ra_content_t alias httpd_$2_script_ra_content_t;
+')
+
+########################################
+##
+## Role access for apache
##
##
##
@@ -133,47 +250,61 @@ template(`apache_content_template',`
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
#
interface(`apache_role',`
gen_require(`
attribute httpdcontent;
- type httpd_user_content_t, httpd_user_htaccess_t;
- type httpd_user_script_t, httpd_user_script_exec_t;
- type httpd_user_ra_content_t, httpd_user_rw_content_t;
+ type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
+ type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
')
role $1 types httpd_user_script_t;
- allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
-
- allow $2 httpd_user_content_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 httpd_user_content_t:file { manage_file_perms relabel_file_perms };
- allow $2 httpd_user_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
- allow $2 httpd_user_ra_content_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 httpd_user_ra_content_t:file { manage_file_perms relabel_file_perms };
- allow $2 httpd_user_ra_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
- allow $2 httpd_user_rw_content_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 httpd_user_rw_content_t:file { manage_file_perms relabel_file_perms };
- allow $2 httpd_user_rw_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
- allow $2 httpd_user_script_exec_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms };
- allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html")
- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web")
- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www")
-
- filetrans_pattern($2, httpd_user_content_t, httpd_user_htaccess_t, file, ".htaccess")
- filetrans_pattern($2, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
- filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs")
+ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
+
+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
+ manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
+ manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+
+ manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+
+ apache_exec_modules($2)
+ apache_filetrans_home_content($2)
tunable_policy(`httpd_enable_cgi',`
+ # If a user starts a script by hand it gets the proper context
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
')
@@ -184,7 +315,7 @@ interface(`apache_role',`
########################################
##
-## Read user httpd script executable files.
+## Read httpd user scripts executables.
##
##
##
@@ -204,7 +335,7 @@ interface(`apache_read_user_scripts',`
########################################
##
-## Read user httpd content.
+## Read user web content.
##
##
##
@@ -224,7 +355,27 @@ interface(`apache_read_user_content',`
########################################
##
-## Execute httpd with a domain transition.
+## Manage user web content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_manage_user_content',`
+ gen_require(`
+ type httpd_user_content_t;
+ ')
+
+ allow $1 httpd_user_content_t:dir manage_dir_perms;
+ manage_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
+ manage_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
+')
+
+########################################
+##
+## Transition to apache.
##
##
##
@@ -241,27 +392,47 @@ interface(`apache_domtrans',`
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
-########################################
+######################################
##
-## Execute httpd server in the httpd domain.
+## Allow the specified domain to execute apache
+## in the caller domain.
##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
##
##
#
-interface(`apache_initrc_domtrans',`
+interface(`apache_exec',`
gen_require(`
- type httpd_initrc_exec_t;
+ type httpd_exec_t;
')
- init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+ can_exec($1, httpd_exec_t)
+')
+
+######################################
+##
+## Allow the specified domain to execute apache suexec
+## in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_exec_suexec',`
+ gen_require(`
+ type httpd_suexec_exec_t;
+ ')
+
+ can_exec($1, httpd_suexec_exec_t)
')
#######################################
##
-## Send generic signals to httpd.
+## Send a generic signal to apache.
##
##
##
@@ -279,7 +450,7 @@ interface(`apache_signal',`
########################################
##
-## Send null signals to httpd.
+## Send a null signal to apache.
##
##
##
@@ -297,7 +468,7 @@ interface(`apache_signull',`
########################################
##
-## Send child terminated signals to httpd.
+## Send a SIGCHLD signal to apache.
##
##
##
@@ -315,8 +486,7 @@ interface(`apache_sigchld',`
########################################
##
-## Inherit and use file descriptors
-## from httpd.
+## Inherit and use file descriptors from Apache.
##
##
##
@@ -334,8 +504,8 @@ interface(`apache_use_fds',`
########################################
##
-## Do not audit attempts to read and
-## write httpd unnamed pipes.
+## Do not audit attempts to read and write Apache
+## unnamed pipes.
##
##
##
@@ -348,13 +518,32 @@ interface(`apache_dontaudit_rw_fifo_file',`
type httpd_t;
')
- dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+##
+## Allow attempts to read and write Apache
+## unix domain stream sockets.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_rw_stream_sockets',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:unix_stream_socket { getattr read write };
')
########################################
##
-## Do not audit attempts to read and
-## write httpd unix domain stream sockets.
+## Do not audit attempts to read and write Apache
+## unix domain stream sockets.
##
##
##
@@ -367,13 +556,13 @@ interface(`apache_dontaudit_rw_stream_sockets',`
type httpd_t;
')
- dontaudit $1 httpd_t:unix_stream_socket { read write };
+ dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
')
########################################
##
-## Do not audit attempts to read and
-## write httpd TCP sockets.
+## Do not audit attempts to read and write Apache
+## TCP sockets.
##
##
##
@@ -391,8 +580,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
########################################
##
-## Create, read, write, and delete
-## all httpd content.
+## Create, read, write, and delete all web content.
##
##
##
@@ -417,7 +605,8 @@ interface(`apache_manage_all_content',`
########################################
##
-## Set attributes httpd cache directories.
+## Allow domain to set the attributes
+## of the APACHE cache directory.
##
##
##
@@ -435,7 +624,8 @@ interface(`apache_setattr_cache_dirs',`
########################################
##
-## List httpd cache directories.
+## Allow the specified domain to list
+## Apache cache.
##
##
##
@@ -453,7 +643,8 @@ interface(`apache_list_cache',`
########################################
##
-## Read and write httpd cache files.
+## Allow the specified domain to read
+## and write Apache cache files.
##
##
##
@@ -471,7 +662,8 @@ interface(`apache_rw_cache_files',`
########################################
##
-## Delete httpd cache directories.
+## Allow the specified domain to delete
+## Apache cache dirs.
##
##
##
@@ -489,7 +681,8 @@ interface(`apache_delete_cache_dirs',`
########################################
##
-## Delete httpd cache files.
+## Allow the specified domain to delete
+## Apache cache.
##
##
##
@@ -507,49 +700,51 @@ interface(`apache_delete_cache_files',`
########################################
##
-## Read httpd configuration files.
+## Allow the specified domain to search
+## apache configuration dirs.
##
##
##
## Domain allowed access.
##
##
-##
#
-interface(`apache_read_config',`
+interface(`apache_search_config',`
gen_require(`
type httpd_config_t;
')
files_search_etc($1)
- allow $1 httpd_config_t:dir list_dir_perms;
- read_files_pattern($1, httpd_config_t, httpd_config_t)
- read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
+ allow $1 httpd_config_t:dir search_dir_perms;
')
########################################
##
-## Search httpd configuration directories.
+## Allow the specified domain to read
+## apache configuration files.
##
##
##
## Domain allowed access.
##
##
+##
#
-interface(`apache_search_config',`
+interface(`apache_read_config',`
gen_require(`
type httpd_config_t;
')
files_search_etc($1)
- allow $1 httpd_config_t:dir search_dir_perms;
+ allow $1 httpd_config_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_config_t, httpd_config_t)
+ read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
')
########################################
##
-## Create, read, write, and delete
-## httpd configuration files.
+## Allow the specified domain to manage
+## apache configuration files.
##
##
##
@@ -570,8 +765,8 @@ interface(`apache_manage_config',`
########################################
##
-## Execute the Apache helper program
-## with a domain transition.
+## Execute the Apache helper program with
+## a domain transition.
##
##
##
@@ -608,16 +803,38 @@ interface(`apache_domtrans_helper',`
#
interface(`apache_run_helper',`
gen_require(`
- attribute_role httpd_helper_roles;
+ type httpd_helper_t;
')
apache_domtrans_helper($1)
- roleattribute $2 httpd_helper_roles;
+ role $2 types httpd_helper_t;
+')
+
+########################################
+##
+## dontaudit attempts to read
+## apache log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_dontaudit_read_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ dontaudit $1 httpd_log_t:file read_file_perms;
+ dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
')
########################################
##
-## Read httpd log files.
+## Allow the specified domain to read
+## apache log files.
##
##
##
@@ -639,7 +856,8 @@ interface(`apache_read_log',`
########################################
##
-## Append httpd log files.
+## Allow the specified domain to append
+## to apache log files.
##
##
##
@@ -657,10 +875,29 @@ interface(`apache_append_log',`
append_files_pattern($1, httpd_log_t, httpd_log_t)
')
+#######################################
+##
+## Allow the specified domain to write
+## to apache log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_write_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ allow $1 httpd_log_t:file write;
+')
+
########################################
##
-## Do not audit attempts to append
-## httpd log files.
+## Do not audit attempts to append to the
+## Apache logs.
##
##
##
@@ -678,8 +915,8 @@ interface(`apache_dontaudit_append_log',`
########################################
##
-## Create, read, write, and delete
-## httpd log files.
+## Allow the specified domain to manage
+## to apache var lib files.
##
##
##
@@ -687,20 +924,21 @@ interface(`apache_dontaudit_append_log',`
##
##
#
-interface(`apache_manage_log',`
+interface(`apache_manage_lib',`
gen_require(`
- type httpd_log_t;
+ type httpd_var_lib_t;
')
- logging_search_logs($1)
- manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
- manage_files_pattern($1, httpd_log_t, httpd_log_t)
- read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
+ manage_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
+ read_lnk_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
')
-#######################################
+########################################
##
-## Write apache log files.
+## Allow the specified domain to manage
+## to apache log files.
##
##
##
@@ -708,19 +946,21 @@ interface(`apache_manage_log',`
##
##
#
-interface(`apache_write_log',`
+interface(`apache_manage_log',`
gen_require(`
type httpd_log_t;
')
logging_search_logs($1)
- write_files_pattern($1, httpd_log_t, httpd_log_t)
+ manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
+ manage_files_pattern($1, httpd_log_t, httpd_log_t)
+ read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
')
########################################
##
-## Do not audit attempts to search
-## httpd module directories.
+## Do not audit attempts to search Apache
+## module directories.
##
##
##
@@ -738,7 +978,8 @@ interface(`apache_dontaudit_search_modules',`
########################################
##
-## List httpd module directories.
+## Allow the specified domain to read
+## the apache module directories.
##
##
##
@@ -746,17 +987,19 @@ interface(`apache_dontaudit_search_modules',`
##
##
#
-interface(`apache_list_modules',`
+interface(`apache_read_modules',`
gen_require(`
type httpd_modules_t;
')
- allow $1 httpd_modules_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_modules_t, httpd_modules_t)
')
########################################
##
-## Execute httpd module files.
+## Allow the specified domain to list
+## the contents of the apache modules
+## directory.
##
##
##
@@ -764,19 +1007,19 @@ interface(`apache_list_modules',`
##
##
#
-interface(`apache_exec_modules',`
+interface(`apache_list_modules',`
gen_require(`
type httpd_modules_t;
')
allow $1 httpd_modules_t:dir list_dir_perms;
- allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
- can_exec($1, httpd_modules_t)
+ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
')
########################################
##
-## Read httpd module files.
+## Allow the specified domain to execute
+## apache modules.
##
##
##
@@ -784,19 +1027,19 @@ interface(`apache_exec_modules',`
##
##
#
-interface(`apache_read_module_files',`
+interface(`apache_exec_modules',`
gen_require(`
type httpd_modules_t;
')
- libs_search_lib($1)
- read_files_pattern($1, httpd_modules_t, httpd_modules_t)
+ allow $1 httpd_modules_t:dir list_dir_perms;
+ allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
+ can_exec($1, httpd_modules_t)
')
########################################
##
-## Execute a domain transition to
-## run httpd_rotatelogs.
+## Execute a domain transition to run httpd_rotatelogs.
##
##
##
@@ -809,13 +1052,50 @@ interface(`apache_domtrans_rotatelogs',`
type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
')
+#######################################
+##
+## Execute httpd_rotatelogs in the caller domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`apache_exec_rotatelogs',`
+ gen_require(`
+ type httpd_rotatelogs_exec_t;
+ ')
+
+ can_exec($1, httpd_rotatelogs_exec_t)
+')
+
+#######################################
+##
+## Execute httpd system scripts in the caller domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`apache_exec_sys_script',`
+ gen_require(`
+ type httpd_sys_script_exec_t;
+ ')
+
+ allow $1 httpd_sys_script_exec_t:dir search_dir_perms;
+ can_exec($1, httpd_sys_script_exec_t)
+')
+
########################################
##
-## List httpd system content directories.
+## Allow the specified domain to list
+## apache system content files.
##
##
##
@@ -829,13 +1109,14 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
files_search_var($1)
')
########################################
##
-## Create, read, write, and delete
-## httpd system content files.
+## Allow the specified domain to manage
+## apache system content files.
##
##
##
@@ -844,6 +1125,7 @@ interface(`apache_list_sys_content',`
##
##
#
+# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
interface(`apache_manage_sys_content',`
gen_require(`
type httpd_sys_content_t;
@@ -855,32 +1137,98 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
-########################################
+######################################
+##
+## Allow the specified domain to read
+## apache system content rw files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_read_sys_content_rw_files',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
+##
+## Allow the specified domain to read
+## apache system content rw dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_read_sys_content_rw_dirs',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
##
-## Create, read, write, and delete
-## httpd system rw content.
+## Allow the specified domain to manage
+## apache system content rw files.
##
##
##
## Domain allowed access.
##
##
+##
#
-interface(`apache_manage_sys_rw_content',`
+interface(`apache_manage_sys_content_rw',`
gen_require(`
type httpd_sys_rw_content_t;
')
- apache_search_sys_content($1)
+ files_search_var($1)
manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
- manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
')
########################################
##
-## Execute all httpd scripts in the
-## system script domain.
+## Allow the specified domain to delete
+## apache system content rw files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_delete_sys_content_rw',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ files_search_tmp($1)
+ delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+########################################
+##
+## Execute all web scripts in the system
+## script domain.
##
##
##
@@ -888,10 +1236,17 @@ interface(`apache_manage_sys_rw_content',`
##
##
#
+# cjp: this interface specifically added to allow
+# sysadm_t to run scripts
interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
- type httpd_sys_script_t;
+ type httpd_sys_script_exec_t;
+ type httpd_sys_script_t, httpd_sys_content_t;
+ ')
+
+ tunable_policy(`httpd_enable_cgi',`
+ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
@@ -901,9 +1256,8 @@ interface(`apache_domtrans_sys_script',`
########################################
##
-## Do not audit attempts to read and
-## write httpd system script unix
-## domain stream sockets.
+## Do not audit attempts to read and write Apache
+## system script unix domain stream sockets.
##
##
##
@@ -916,7 +1270,7 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
type httpd_sys_script_t;
')
- dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
+ dontaudit $1 httpd_sys_script_t:unix_stream_socket { getattr read write };
')
########################################
@@ -941,7 +1295,7 @@ interface(`apache_domtrans_all_scripts',`
########################################
##
## Execute all user scripts in the user
-## script domain. Add user script domains
+## script domain. Add user script domains
## to the specified role.
##
##
@@ -954,6 +1308,7 @@ interface(`apache_domtrans_all_scripts',`
## Role allowed access.
##
##
+##
#
interface(`apache_run_all_scripts',`
gen_require(`
@@ -966,7 +1321,8 @@ interface(`apache_run_all_scripts',`
########################################
##
-## Read httpd squirrelmail data files.
+## Allow the specified domain to read
+## apache squirrelmail data.
##
##
##
@@ -979,12 +1335,13 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
- allow $1 httpd_squirrelmail_t:file read_file_perms;
+ read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
')
########################################
##
-## Append httpd squirrelmail data files.
+## Allow the specified domain to append
+## apache squirrelmail data.
##
##
##
@@ -1002,7 +1359,7 @@ interface(`apache_append_squirrelmail_data',`
########################################
##
-## Search httpd system content.
+## Search apache system content.
##
##
##
@@ -1015,13 +1372,12 @@ interface(`apache_search_sys_content',`
type httpd_sys_content_t;
')
- files_search_var($1)
allow $1 httpd_sys_content_t:dir search_dir_perms;
')
########################################
##
-## Read httpd system content.
+## Read apache system content.
##
##
##
@@ -1041,7 +1397,7 @@ interface(`apache_read_sys_content',`
########################################
##
-## Search httpd system CGI directories.
+## Search apache system CGI directories.
##
##
##
@@ -1059,8 +1415,7 @@ interface(`apache_search_sys_scripts',`
########################################
##
-## Create, read, write, and delete all
-## user httpd content.
+## Create, read, write, and delete all user web content.
##
##
##
@@ -1071,18 +1426,21 @@ interface(`apache_search_sys_scripts',`
#
interface(`apache_manage_all_user_content',`
gen_require(`
- type httpd_user_content_t, httpd_user_content_rw_t, httpd_user_content_ra_t;
- type httpd_user_htaccess_t, httpd_user_script_exec_t;
+ attribute httpd_user_content_type, httpd_user_script_exec_type;
')
- manage_dirs_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
- manage_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t })
- manage_lnk_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
+ manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
+ manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+ manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+
+ manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+ manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+ manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
')
########################################
##
-## Search system script state directories.
+## Search system script state directory.
##
##
##
@@ -1100,7 +1458,48 @@ interface(`apache_search_sys_script_state',`
########################################
##
-## Read httpd tmp files.
+## Allow the specified domain to read
+## apache pid files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_read_pid_files',`
+ gen_require(`
+ type httpd_var_run_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
+')
+
+########################################
+##
+## Allow the specified domain to read
+## apache tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_read_tmp_dirs',`
+ gen_require(`
+ type httpd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ list_dirs_pattern($1, httpd_tmp_t, httpd_tmp_t)
+')
+
+########################################
+##
+## Allow the specified domain to read
+## apache tmp files.
##
##
##
@@ -1119,8 +1518,47 @@ interface(`apache_read_tmp_files',`
########################################
##
-## Do not audit attempts to write
-## httpd tmp files.
+## Allow the specified domain to read
+## apache tmp lnk files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_read_tmp_symlinks',`
+ gen_require(`
+ type httpd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_lnk_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
+')
+
+######################################
+##
+## Dontaudit attempts to read and write
+## apache tmp files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_dontaudit_rw_tmp_files',`
+ gen_require(`
+ type httpd_tmp_t;
+ ')
+
+ dontaudit $1 httpd_tmp_t:file { read write };
+')
+
+########################################
+##
+## Dontaudit attempts to write
+## apache tmp files.
##
##
##
@@ -1133,7 +1571,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
- dontaudit $1 httpd_tmp_t:file write_file_perms;
+ dontaudit $1 httpd_tmp_t:file write;
')
########################################
@@ -1142,6 +1580,9 @@ interface(`apache_dontaudit_write_tmp_files',`
##
##
##
+## Execute CGI in the specified domain.
+##
+##
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
@@ -1171,8 +1612,31 @@ interface(`apache_cgi_domain',`
########################################
##
-## All of the rules required to
-## administrate an apache environment.
+## Execute httpd server in the httpd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`apache_systemctl',`
+ gen_require(`
+ type httpd_t;
+ type httpd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 httpd_unit_file_t:file read_file_perms;
+ allow $1 httpd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, httpd_t)
+')
+
+########################################
+##
+## All of the rules required to administrate an apache environment
##
##
##
@@ -1189,18 +1653,19 @@ interface(`apache_cgi_domain',`
interface(`apache_admin',`
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
- attribute httpd_script_domains, httpd_htaccess_type;
type httpd_t, httpd_config_t, httpd_log_t;
- type httpd_modules_t, httpd_lock_t, httpd_helper_t;
- type httpd_var_run_t, httpd_passwd_t, httpd_suexec_t;
- type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
- type httpd_initrc_exec_t, httpd_keytab_t;
+ type httpd_modules_t, httpd_lock_t, httpd_bool_t;
+ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
+ type httpd_suexec_tmp_t, httpd_tmp_t;
+ type httpd_unit_file_t;
')
- allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms };
- allow $1 { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t })
- ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t })
+ allow $1 httpd_t:process signal_perms;
+ ps_process_pattern($1, httpd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 httpd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -1210,10 +1675,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
- files_search_etc($1)
- admin_pattern($1, { httpd_keytab_t httpd_config_t })
+ files_list_etc($1)
+ admin_pattern($1, httpd_config_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
@@ -1224,9 +1689,165 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
- admin_pattern($1, { httpdcontent httpd_script_exec_type httpd_htaccess_type })
- admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t })
+ admin_pattern($1, httpdcontent)
+ admin_pattern($1, httpd_script_exec_type)
+
+ seutil_domtrans_setfiles($1)
+
+ files_list_tmp($1)
+ admin_pattern($1, httpd_tmp_t)
+ admin_pattern($1, httpd_php_tmp_t)
+ admin_pattern($1, httpd_suexec_tmp_t)
+
+ apache_systemctl($1)
+ admin_pattern($1, httpd_unit_file_t)
+ allow $1 httpd_unit_file_t:service all_service_perms;
+
+ apache_filetrans_named_content($1)
+')
+
+########################################
+##
+## dontaudit read and write an leaked file descriptors
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_dontaudit_leaks',`
+ gen_require(`
+ type httpd_t;
+ type httpd_tmp_t;
+ ')
+
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit $1 httpd_t:tcp_socket { read write };
+ dontaudit $1 httpd_t:unix_dgram_socket { read write };
+ dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
+ dontaudit $1 httpd_tmp_t:file { read write };
+')
+
+########################################
+##
+## Transition to apache named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_filetrans_named_content',`
+ gen_require(`
+ type httpd_sys_content_t, httpd_sys_rw_content_t;
+ type httpd_tmp_t;
+ ')
+
+
+ apache_filetrans_home_content($1)
+ files_usr_filetrans($1, httpd_sys_content_t, dir, "gallery2")
+ files_usr_filetrans($1, httpd_sys_content_t, dir, "z-push")
+ files_etc_filetrans($1, httpd_sys_content_t, dir, "z-push")
+ files_etc_filetrans($1, httpd_sys_content_t, dir, "web")
+ files_etc_filetrans($1, httpd_sys_content_t, dir, "WebCalendar")
+ files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig")
+ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde")
+ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud")
+ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "nextcloud")
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty")
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads")
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "wp-content")
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "upgrade")
+ userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
+')
+
+########################################
+##
+## Allow any httpd_exec_t to be an entrypoint of this domain
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_entrypoint',`
+ gen_require(`
+ type httpd_exec_t;
+ ')
+ allow $1 httpd_exec_t:file entrypoint;
+')
+
+########################################
+##
+## Execute a httpd_exec_t in the specified domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## The type of the new process.
+##
+##
+#
+interface(`apache_exec_domtrans',`
+ gen_require(`
+ type httpd_exec_t;
+ ')
+
+ domtrans_pattern($1, httpd_exec_t, $2)
+')
+
+########################################
+##
+## Transition to apache home content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_filetrans_home_content',`
+ gen_require(`
+ type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t;
+ type httpd_user_content_ra_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html")
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www")
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web")
+ filetrans_pattern($1, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
+ filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs")
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
+')
+
- apache_run_all_scripts($1, $2)
- apache_run_helper($1, $2)
+########################################
+##
+## Send and receive messages from
+## httpd over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_dbus_chat',`
+ gen_require(`
+ type httpd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 httpd_t:dbus send_msg;
+ allow httpd_t $1:dbus send_msg;
+ ps_process_pattern(httpd_t, $1)
')
diff --git a/apache.te b/apache.te
index 6649962b6..e51965af4 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
# Declarations
#
+selinux_genbool(httpd_bool_t)
+
##
-##
-## Determine whether httpd can modify
-## public files used for public file
-## transfer services. Directories/Files must
-## be labeled public_content_rw_t.
-##
+##
+## Allow Apache to modify public files
+## used for public file transfer services. Directories/Files must
+## be labeled public_content_rw_t.
+##
##
-gen_tunable(allow_httpd_anon_write, false)
+gen_tunable(httpd_anon_write, false)
##
-##
-## Determine whether httpd can use mod_auth_pam.
-##
+##
+## Dontaudit Apache to search dirs.
+##
##
-gen_tunable(allow_httpd_mod_auth_pam, false)
+gen_tunable(httpd_dontaudit_search_dirs, false)
##
-##
-## Determine whether httpd can use built in scripting.
-##
+##
+## Allow Apache to use mod_auth_pam
+##
##
-gen_tunable(httpd_builtin_scripting, false)
+gen_tunable(httpd_mod_auth_pam, false)
##
-##
-## Determine whether httpd can check spam.
-##
+##
+## Allow Apache to use mod_auth_ntlm_winbind
+##
##
-gen_tunable(httpd_can_check_spam, false)
+gen_tunable(httpd_mod_auth_ntlm_winbind, false)
##
-##
-## Determine whether httpd scripts and modules
-## can connect to the network using TCP.
-##
+##
+## Allow httpd scripts and modules execmem/execstack
+##
+##
+gen_tunable(httpd_execmem, false)
+
+##
+##
+## Allow httpd processes to manage IPA content
+##
+##
+gen_tunable(httpd_manage_ipa, false)
+
+##
+##
+## Allow httpd processes to run IPA helper.
+##
+##
+gen_tunable(httpd_run_ipa, false)
+
+##
+##
+## Allow httpd to use built in scripting (usually php)
+##
+##
+gen_tunable(httpd_builtin_scripting, false)
+
+##
+##
+## Allow HTTPD scripts and modules to connect to the network using TCP.
+##
##
gen_tunable(httpd_can_network_connect, false)
##
-##
-## Determine whether httpd scripts and modules
-## can connect to cobbler over the network.
-##
+##
+## Allow HTTPD scripts and modules to connect to cobbler over the network.
+##
##
gen_tunable(httpd_can_network_connect_cobbler, false)
##
-##
-## Determine whether scripts and modules can
-## connect to databases over the network.
-##
+##
+## Allow HTTPD scripts and modules to server cobbler files.
+##
##
-gen_tunable(httpd_can_network_connect_db, false)
+gen_tunable(httpd_serve_cobbler_files, false)
##
-##
-## Determine whether httpd can connect to
-## ldap over the network.
-##
+##
+## Allow HTTPD to connect to port 80 for graceful shutdown
+##
##
-gen_tunable(httpd_can_network_connect_ldap, false)
+gen_tunable(httpd_graceful_shutdown, false)
##
-##
-## Determine whether httpd can connect
-## to memcache server over the network.
-##
+##
+## Allow HTTPD scripts and modules to connect to databases over the network.
+##
+##
+gen_tunable(httpd_can_network_connect_db, false)
+
+##
+##
+## Allow httpd to connect to memcache server
+##
##
-gen_tunable(httpd_can_network_connect_memcache, false)
+gen_tunable(httpd_can_network_memcache, false)
##
-##
-## Determine whether httpd can act as a relay.
-##
+##
+## Allow httpd to act as a relay
+##
##
gen_tunable(httpd_can_network_relay, false)
##
-##
-## Determine whether httpd daemon can
-## connect to zabbix over the network.
-##
+##
+## Allow http daemon to connect to zabbix
+##
##
-gen_tunable(httpd_can_network_connect_zabbix, false)
+gen_tunable(httpd_can_connect_zabbix, false)
##
-##
-## Determine whether httpd can send mail.
-##
+##
+## Allow http daemon to connect to mythtv
+##
+##
+gen_tunable(httpd_can_connect_mythtv, false)
+
+##
+##
+## Allow http daemon to check spam
+##
+##
+gen_tunable(httpd_can_check_spam, false)
+
+##
+##
+## Allow http daemon to send mail
+##
##
gen_tunable(httpd_can_sendmail, false)
##
-##
-## Determine whether httpd can communicate
-## with avahi service via dbus.
-##
+##
+## Allow Apache to communicate with avahi service via dbus
+##
##
gen_tunable(httpd_dbus_avahi, false)
##
-##
-## Determine wether httpd can use support.
-##
+##
+## Allow Apache to communicate with sssd service via dbus
+##
##
-gen_tunable(httpd_enable_cgi, false)
+gen_tunable(httpd_dbus_sssd, false)
##
-##
-## Determine whether httpd can act as a
-## FTP server by listening on the ftp port.
-##
+##
+## Allow httpd cgi support
+##
##
-gen_tunable(httpd_enable_ftp_server, false)
+gen_tunable(httpd_enable_cgi, false)
##
-##
-## Determine whether httpd can traverse
-## user home directories.
-##
+##
+## Allow httpd to act as a FTP server by
+## listening on the ftp port.
+##
##
-gen_tunable(httpd_enable_homedirs, false)
+gen_tunable(httpd_enable_ftp_server, false)
##
-##
-## Determine whether httpd gpg can modify
-## public files used for public file
-## transfer services. Directories/Files must
-## be labeled public_content_rw_t.
-##
+##
+## Allow httpd to act as a FTP client
+## connecting to the ftp port and ephemeral ports
+##
##
-gen_tunable(httpd_gpg_anon_write, false)
+gen_tunable(httpd_can_connect_ftp, false)
##
-##
-## Determine whether httpd can execute
-## its temporary content.
-##
+##
+## Allow httpd to connect to the ldap port
+##
##
-gen_tunable(httpd_tmp_exec, false)
+gen_tunable(httpd_can_connect_ldap, false)
##
-##
-## Determine whether httpd scripts and
-## modules can use execmem and execstack.
-##
+##
+## Allow httpd to read home directories
+##
##
-gen_tunable(httpd_execmem, false)
+gen_tunable(httpd_enable_homedirs, false)
##
-##
-## Determine whether httpd can connect
-## to port 80 for graceful shutdown.
-##
+##
+## Allow httpd to read user content
+##
##
-gen_tunable(httpd_graceful_shutdown, false)
+gen_tunable(httpd_read_user_content, false)
##
-##
-## Determine whether httpd can
-## manage IPA content files.
-##
+##
+## Allow Apache to run in stickshift mode, not transition to passenger
+##
##
-gen_tunable(httpd_manage_ipa, false)
+gen_tunable(httpd_run_stickshift, false)
+
##
-##
-## Determine whether httpd can use mod_auth_ntlm_winbind.
-##
+##
+## Allow Apache to run preupgrade
+##
##
-gen_tunable(httpd_mod_auth_ntlm_winbind, false)
+gen_tunable(httpd_run_preupgrade, false)
##
-##
-## Determine whether httpd can read
-## generic user home content files.
-##
+##
+## Allow Apache to query NS records
+##
##
-gen_tunable(httpd_read_user_content, false)
+gen_tunable(httpd_verify_dns, false)
##
-##
-## Determine whether httpd can change
-## its resource limits.
-##
+##
+## Allow httpd daemon to change its resource limits
+##
##
gen_tunable(httpd_setrlimit, false)
##
-##
-## Determine whether httpd can run
-## SSI executables in the same domain
-## as system CGI scripts.
-##
+##
+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+##
##
gen_tunable(httpd_ssi_exec, false)
##
-##
-## Determine whether httpd can communicate
-## with the terminal. Needed for entering the
-## passphrase for certificates at the terminal.
-##
+##
+## Allow Apache to execute tmp content.
+##
+##
+gen_tunable(httpd_tmp_exec, false)
+
+##
+##
+## Unify HTTPD to communicate with the terminal.
+## Needed for entering the passphrase for certificates at
+## the terminal.
+##
##
gen_tunable(httpd_tty_comm, false)
##
-##
-## Determine whether httpd can have full access
-## to its content types.
-##
+##
+## Unify HTTPD handling of all content files.
+##
##
gen_tunable(httpd_unified, false)
##
-##
-## Determine whether httpd can use
-## cifs file systems.
-##
+##
+## Allow httpd to access openstack ports
+##
+##
+gen_tunable(httpd_use_openstack, false)
+
+##
+##
+## Allow httpd to access cifs file systems
+##
##
gen_tunable(httpd_use_cifs, false)
##
##
-## Determine whether httpd can
-## use fuse file systems.
+## Allow httpd to access FUSE file systems
##
##
gen_tunable(httpd_use_fusefs, false)
##
-##
-## Determine whether httpd can use gpg.
-##
+##
+## Allow httpd to run gpg
+##
##
gen_tunable(httpd_use_gpg, false)
##
-##
-## Determine whether httpd can use
-## nfs file systems.
-##
+##
+## Allow httpd to connect to sasl
+##
+##
+gen_tunable(httpd_use_sasl, false)
+
+##
+##
+## Allow httpd to access nfs file systems
+##
##
gen_tunable(httpd_use_nfs, false)
+##
+##
+## Allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t.
+##
+##
+gen_tunable(httpd_sys_script_anon_write, false)
+
attribute httpdcontent;
-attribute httpd_htaccess_type;
+attribute httpd_user_content_type;
+attribute httpd_content_type;
-# domains that can exec all scripts
+# domains that can exec all users scripts
attribute httpd_exec_scripts;
+attribute httpd_script_type;
attribute httpd_script_exec_type;
+attribute httpd_user_script_exec_type;
-# all script domains
+# user script domains
attribute httpd_script_domains;
-attribute_role httpd_helper_roles;
-roleattribute system_r httpd_helper_roles;
-
type httpd_t;
type httpd_exec_t;
+ifdef(`distro_redhat',`
+ typealias httpd_t alias phpfpm_t;
+ typealias httpd_exec_t alias phpfpm_exec_t;
+')
init_daemon_domain(httpd_t, httpd_exec_t)
+role system_r types httpd_t;
+# httpd_cache_t is the type given to the /var/cache/httpd
+# directory and the files under that directory
type httpd_cache_t;
files_type(httpd_cache_t)
+# httpd_config_t is the type given to the configuration files
type httpd_config_t;
files_config_file(httpd_config_t)
type httpd_helper_t;
type httpd_helper_exec_t;
-application_domain(httpd_helper_t, httpd_helper_exec_t)
-role httpd_helper_roles types httpd_helper_t;
+domain_type(httpd_helper_t)
+domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
+role system_r types httpd_helper_t;
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
@@ -286,15 +352,35 @@ init_script_file(httpd_initrc_exec_t)
type httpd_keytab_t;
files_type(httpd_keytab_t)
+type httpd_unit_file_t;
+ifdef(`distro_redhat',`
+ typealias httpd_unit_file_t alias phpfpm_unit_file_t;
+')
+systemd_unit_file(httpd_unit_file_t)
+
type httpd_lock_t;
files_lock_file(httpd_lock_t)
type httpd_log_t;
+ifdef(`distro_redhat',`
+ typealias httpd_log_t alias phpfpm_log_t;
+')
logging_log_file(httpd_log_t)
+# httpd_modules_t is the type given to module files (libraries)
+# that come with Apache /etc/httpd/modules and /usr/lib/apache
type httpd_modules_t;
files_type(httpd_modules_t)
+type httpd_php_t;
+type httpd_php_exec_t;
+domain_type(httpd_php_t)
+domain_entry_file(httpd_php_t, httpd_php_exec_t)
+role system_r types httpd_php_t;
+
+type httpd_php_tmp_t;
+files_tmp_file(httpd_php_tmp_t)
+
type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
@@ -302,10 +388,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)
-type squirrelmail_spool_t;
-files_tmp_file(squirrelmail_spool_t)
-
-type httpd_suexec_t;
+# SUEXEC runs user scripts as their own user ID
+type httpd_suexec_t; #, daemon;
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
@@ -314,9 +398,19 @@ role system_r types httpd_suexec_t;
type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)
-apache_content_template(sys)
-corecmd_shell_entry_type(httpd_sys_script_t)
-typealias httpd_sys_content_t alias ntop_http_content_t;
+# setup the system domain for system CGI scripts
+apache_content_template(httpd_sys)
+
+typeattribute httpd_sys_content_t httpdcontent; # customizable
+typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
+typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
+
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
+typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
+typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
@@ -324,14 +418,16 @@ files_tmp_file(httpd_tmp_t)
type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t)
-apache_content_template(user)
+apache_user_content_template(httpd_user)
ubac_constrained(httpd_user_script_t)
-userdom_user_home_content(httpd_user_content_t)
-userdom_user_home_content(httpd_user_htaccess_t)
-userdom_user_home_content(httpd_user_script_exec_t)
-userdom_user_home_content(httpd_user_ra_content_t)
-userdom_user_home_content(httpd_user_rw_content_t)
+
+typeattribute httpd_user_content_t httpdcontent;
+typeattribute httpd_user_rw_content_t httpdcontent;
+typeattribute httpd_user_ra_content_t httpdcontent;
+
+typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
+typealias httpd_user_content_t alias httpd_unconfined_content_t;
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
@@ -346,33 +442,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
+# for apache2 memory mapped files
type httpd_var_lib_t;
files_type(httpd_var_lib_t)
type httpd_var_run_t;
+ifdef(`distro_redhat',`
+ typealias httpd_var_run_t alias phpfpm_var_run_t;
+')
files_pid_file(httpd_var_run_t)
-type httpd_passwd_t;
-type httpd_passwd_exec_t;
-domain_type(httpd_passwd_t)
-domain_entry_file(httpd_passwd_t, httpd_passwd_exec_t)
-role system_r types httpd_passwd_t;
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
-type httpd_gpg_t;
-domain_type(httpd_gpg_t)
-role system_r types httpd_gpg_t;
+# File Type of squirrelmail attachments
+type squirrelmail_spool_t;
+files_tmp_file(squirrelmail_spool_t)
+files_spool_file(squirrelmail_spool_t)
optional_policy(`
prelink_object_file(httpd_modules_t)
')
+type httpd_passwd_t;
+type httpd_passwd_exec_t;
+application_domain(httpd_passwd_t, httpd_passwd_exec_t)
+role system_r types httpd_passwd_t;
+
########################################
#
-# Local policy
+# Apache server local policy
#
-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
-dontaudit httpd_t self:capability net_admin;
+allow httpd_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot };
+dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
@@ -381,30 +484,41 @@ allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
-allow httpd_t self:unix_dgram_socket sendto;
-allow httpd_t self:unix_stream_socket { accept connectto listen };
-allow httpd_t self:tcp_socket { accept listen };
+allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow httpd_t self:tcp_socket create_stream_socket_perms;
+allow httpd_t self:udp_socket create_socket_perms;
+dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
+# Allow httpd_t to put files in /var/cache/httpd etc
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
-files_var_filetrans(httpd_t, httpd_cache_t, dir)
+files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
+allow httpd_t httpd_cache_t:file map;
+# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+allow httpd_t httpd_config_t:file map;
+
+can_exec(httpd_t, httpd_exec_t)
allow httpd_t httpd_keytab_t:file read_file_perms;
allow httpd_t httpd_lock_t:file manage_file_perms;
files_lock_filetrans(httpd_t, httpd_lock_t, file)
-allow httpd_t httpd_log_t:dir setattr_dir_perms;
+allow httpd_t httpd_log_t:dir setattr;
create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+# cjp: need to refine create interfaces to
+# cut this back to add_name only
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
@@ -412,13 +526,22 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+apache_domtrans_rotatelogs(httpd_t)
+# Apache-httpd needs to be able to send signals to the log rotate procs.
allow httpd_t httpd_rotatelogs_t:process signal_perms;
manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+allow httpd_t httpd_squirrelmail_t:file map;
+
+allow httpd_t httpd_suexec_t:process { signal signull };
+allow httpd_t httpd_suexec_t:file read_file_perms;
-allow httpd_t httpd_suexec_exec_t:file read_file_perms;
+allow httpd_t httpd_sys_content_t:dir list_dir_perms;
+read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+allow httpd_t httpd_sys_content_t:file map;
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
@@ -428,6 +551,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir)
+allow httpd_t httpd_tmp_t:file map;
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
@@ -435,9 +559,11 @@ manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+allow httpd_t httpd_tmpfs_t:file map;
manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
@@ -450,140 +576,178 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
-can_exec(httpd_t, httpd_exec_t)
-
-domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
-domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
-domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
-domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-
kernel_read_kernel_sysctls(httpd_t)
-kernel_read_network_state(httpd_t)
+# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
+kernel_read_network_state(httpd_t)
kernel_search_network_sysctl(httpd_t)
-corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
corenet_tcp_sendrecv_generic_if(httpd_t)
+corenet_udp_sendrecv_generic_if(httpd_t)
corenet_tcp_sendrecv_generic_node(httpd_t)
+corenet_udp_sendrecv_generic_node(httpd_t)
+corenet_tcp_sendrecv_all_ports(httpd_t)
+corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
-
-corenet_sendrecv_http_server_packets(httpd_t)
+corenet_udp_bind_generic_node(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
-corenet_tcp_sendrecv_http_port(httpd_t)
-
-corenet_sendrecv_http_cache_server_packets(httpd_t)
+corenet_udp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
-corenet_tcp_sendrecv_http_cache_port(httpd_t)
-
-corecmd_exec_bin(httpd_t)
-corecmd_exec_shell(httpd_t)
+corenet_tcp_bind_ntop_port(httpd_t)
+corenet_tcp_bind_jboss_management_port(httpd_t)
+corenet_tcp_bind_jboss_messaging_port(httpd_t)
+corenet_sendrecv_http_server_packets(httpd_t)
+corenet_tcp_bind_puppet_port(httpd_t)
+# Signal self for shutdown
+tunable_policy(`httpd_graceful_shutdown',`
+ corenet_tcp_connect_http_port(httpd_t)
+')
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
dev_read_urand(httpd_t)
dev_rw_crypto(httpd_t)
-domain_use_interactive_fds(httpd_t)
-
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
-
-fs_getattr_all_fs(httpd_t)
-fs_read_anon_inodefs_files(httpd_t)
fs_read_iso9660_files(httpd_t)
-fs_search_auto_mountpoints(httpd_t)
+fs_rw_anon_inodefs_files(httpd_t)
+fs_rw_hugetlbfs_files(httpd_t)
+fs_exec_hugetlbfs_files(httpd_t)
+
+auth_use_nsswitch(httpd_t)
+
+application_exec_all(httpd_t)
+
+# execute perl
+corecmd_exec_bin(httpd_t)
+corecmd_exec_shell(httpd_t)
+
+domain_use_interactive_fds(httpd_t)
+domain_dontaudit_read_all_domains_state(httpd_t)
+files_dontaudit_search_all_pids(httpd_t)
files_dontaudit_getattr_all_pids(httpd_t)
-files_read_usr_files(httpd_t)
+files_exec_usr_files(httpd_t)
files_list_mnt(httpd_t)
+files_read_mnt_symlinks(httpd_t)
+files_search_all(httpd_t)
files_search_spool(httpd_t)
files_read_var_symlinks(httpd_t)
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
+# for modules that want to access /etc/mtab
files_read_etc_runtime_files(httpd_t)
+# Allow httpd_t to have access to files such as nisswitch.conf
+# for tomcat
files_read_var_lib_symlinks(httpd_t)
-auth_use_nsswitch(httpd_t)
+fs_search_auto_mountpoints(httpd_sys_script_t)
+# php uploads a file to /tmp and then execs programs to acton them
+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
libs_read_lib_files(httpd_t)
+ifdef(`hide_broken_symptoms',`
+ libs_exec_lib_files(httpd_t)
+')
+
logging_send_syslog_msg(httpd_t)
-miscfiles_read_localization(httpd_t)
+init_dontaudit_read_utmp(httpd_t)
+
miscfiles_read_fonts(httpd_t)
miscfiles_read_public_files(httpd_t)
miscfiles_read_generic_certs(httpd_t)
+miscfiles_map_generic_certs(httpd_t)
miscfiles_read_tetex_data(httpd_t)
-
-seutil_dontaudit_search_config(httpd_t)
+miscfiles_dontaudit_access_check_cert(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
+userdom_rw_inherited_user_tmp_files(httpd_t)
+userdom_map_tmp_files(httpd_t)
-ifdef(`TODO',`
- tunable_policy(`allow_httpd_mod_auth_pam',`
- auth_domtrans_chk_passwd(httpd_t)
+tunable_policy(`httpd_setrlimit',`
+ allow httpd_t self:process setrlimit;
+ allow httpd_t self:capability sys_resource;
+')
- logging_send_audit_msgs(httpd_t)
- ')
+tunable_policy(`httpd_anon_write',`
+ miscfiles_manage_public_files(httpd_t)
')
-ifdef(`hide_broken_symptoms',`
- libs_exec_lib_files(httpd_t)
+tunable_policy(`httpd_dontaudit_search_dirs',`
+ files_dontaudit_search_non_security_dirs(httpd_t)
')
-tunable_policy(`allow_httpd_anon_write',`
- miscfiles_manage_public_files(httpd_t)
+#
+# We need optionals to be able to be within booleans to make this work
+#
+tunable_policy(`httpd_mod_auth_pam',`
+ auth_domtrans_chkpwd(httpd_t)
+ logging_send_audit_msgs(httpd_t)
+')
+
+optional_policy(`
+ tunable_policy(`httpd_mod_auth_ntlm_winbind',`
+ samba_domtrans_winbind_helper(httpd_t)
+ ')
')
tunable_policy(`httpd_can_network_connect',`
- corenet_sendrecv_all_client_packets(httpd_t)
corenet_tcp_connect_all_ports(httpd_t)
- corenet_tcp_sendrecv_all_ports(httpd_t)
')
tunable_policy(`httpd_can_network_connect_db',`
- corenet_sendrecv_gds_db_client_packets(httpd_t)
corenet_tcp_connect_gds_db_port(httpd_t)
- corenet_tcp_sendrecv_gds_db_port(httpd_t)
- corenet_sendrecv_mssql_client_packets(httpd_t)
corenet_tcp_connect_mssql_port(httpd_t)
- corenet_tcp_sendrecv_mssql_port(httpd_t)
- corenet_sendrecv_oracledb_client_packets(httpd_t)
- corenet_tcp_connect_oracledb_port(httpd_t)
- corenet_tcp_sendrecv_oracledb_port(httpd_t)
+ corenet_tcp_connect_mongod_port(httpd_t)
+ corenet_sendrecv_mssql_client_packets(httpd_t)
+ corenet_tcp_connect_oracle_port(httpd_t)
+ corenet_sendrecv_oracle_client_packets(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_memcache',`
+ corenet_tcp_connect_memcache_port(httpd_t)
')
tunable_policy(`httpd_can_network_relay',`
- corenet_sendrecv_gopher_client_packets(httpd_t)
+ # allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
- corenet_tcp_sendrecv_gopher_port(httpd_t)
- corenet_sendrecv_ftp_client_packets(httpd_t)
corenet_tcp_connect_ftp_port(httpd_t)
- corenet_tcp_sendrecv_ftp_port(httpd_t)
- corenet_sendrecv_http_client_packets(httpd_t)
corenet_tcp_connect_http_port(httpd_t)
- corenet_tcp_sendrecv_http_port(httpd_t)
- corenet_sendrecv_http_cache_client_packets(httpd_t)
corenet_tcp_connect_http_cache_port(httpd_t)
- corenet_tcp_sendrecv_http_cache_port(httpd_t)
- corenet_sendrecv_squid_client_packets(httpd_t)
corenet_tcp_connect_squid_port(httpd_t)
- corenet_tcp_sendrecv_squid_port(httpd_t)
+ corenet_tcp_connect_memcache_port(httpd_t)
+ corenet_sendrecv_gopher_client_packets(httpd_t)
+ corenet_sendrecv_ftp_client_packets(httpd_t)
+ corenet_sendrecv_http_client_packets(httpd_t)
+ corenet_sendrecv_http_cache_client_packets(httpd_t)
+ corenet_sendrecv_squid_client_packets(httpd_t)
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
')
-tunable_policy(`httpd_builtin_scripting',`
- exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)
+tunable_policy(`httpd_execmem',`
+ allow httpd_t self:process { execmem execstack };
+ allow httpd_sys_script_t self:process { execmem execstack };
+ allow httpd_suexec_t self:process { execmem execstack };
+')
- allow httpd_t httpdcontent:dir list_dir_perms;
- allow httpd_t httpdcontent:file read_file_perms;
- allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
+ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+ can_exec(httpd_sys_script_t, httpd_sys_content_t)
')
-tunable_policy(`httpd_enable_cgi',`
- allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
- allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+tunable_policy(`httpd_sys_script_anon_write',`
+ miscfiles_manage_public_files(httpd_sys_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -594,28 +758,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
-# tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
-# fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
-# ')
+tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
+ fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
+')
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
- manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
- manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
+')
+
+tunable_policy(`httpd_can_connect_ftp',`
+ corenet_tcp_connect_ftp_port(httpd_t)
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
+')
+
+tunable_policy(`httpd_can_connect_ldap',`
+ corenet_tcp_connect_ldap_port(httpd_t)
+')
+
+tunable_policy(`httpd_can_connect_mythtv',`
+ corenet_tcp_connect_mythtv_port(httpd_t)
+')
+
+tunable_policy(`httpd_can_connect_zabbix',`
+ corenet_tcp_connect_zabbix_port(httpd_t)
')
tunable_policy(`httpd_enable_ftp_server',`
- corenet_sendrecv_ftp_server_packets(httpd_t)
corenet_tcp_bind_ftp_port(httpd_t)
- corenet_tcp_sendrecv_ftp_port(httpd_t)
+ corenet_tcp_bind_all_ephemeral_ports(httpd_t)
')
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_t)
+tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
+ can_exec(httpd_t, httpd_tmp_t)
+')
+
+tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
+ can_exec(httpd_sys_script_t, httpd_tmp_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -624,68 +810,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_t)
+tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_t)
+ fs_manage_nfs_dirs(httpd_t)
+ fs_manage_nfs_files(httpd_t)
+ fs_manage_nfs_symlinks(httpd_t)
+')
+
+
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ automount_search_tmp_dirs(httpd_t)
+ ')
')
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_list_auto_mountpoints(httpd_t)
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
')
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_t)
+tunable_policy(`httpd_can_sendmail',`
+ # allow httpd to connect to mail servers
+ corenet_tcp_connect_smtp_port(httpd_t)
+ corenet_sendrecv_smtp_client_packets(httpd_t)
+ corenet_tcp_connect_pop_port(httpd_t)
+ corenet_sendrecv_pop_client_packets(httpd_t)
')
-tunable_policy(`httpd_execmem',`
- allow httpd_t self:process { execmem execstack };
-')
-
-tunable_policy(`httpd_can_sendmail',`
- corenet_sendrecv_smtp_client_packets(httpd_t)
- corenet_tcp_connect_smtp_port(httpd_t)
- corenet_tcp_sendrecv_smtp_port(httpd_t)
- corenet_sendrecv_pop_client_packets(httpd_t)
- corenet_tcp_connect_pop_port(httpd_t)
- corenet_tcp_sendrecv_pop_port(httpd_t)
-
- mta_send_mail(httpd_t)
- mta_signal_system_mail(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_can_sendmail',`
+ mta_send_mail(httpd_t)
+ mta_signal_system_mail(httpd_t)
+ ')
')
optional_policy(`
- tunable_policy(`httpd_can_network_connect_zabbix',`
- zabbix_tcp_connect(httpd_t)
- ')
+ tunable_policy(`httpd_can_sendmail',`
+ postfix_rw_spool_maildrop_files(httpd_t)
+ ')
')
-optional_policy(`
- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
- spamassassin_domtrans_client(httpd_t)
- ')
-')
-
-tunable_policy(`httpd_graceful_shutdown',`
- corenet_sendrecv_http_client_packets(httpd_t)
- corenet_tcp_connect_http_port(httpd_t)
- corenet_tcp_sendrecv_http_port(httpd_t)
-')
-
-optional_policy(`
- tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
- gpg_spec_domtrans(httpd_t, httpd_gpg_t)
- ')
-')
-
-optional_policy(`
- tunable_policy(`httpd_mod_auth_ntlm_winbind',`
- samba_domtrans_winbind_helper(httpd_t)
- ')
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
')
-tunable_policy(`httpd_read_user_content',`
- userdom_read_user_home_content_files(httpd_t)
+tunable_policy(`httpd_use_fusefs',`
+ fs_manage_fusefs_dirs(httpd_t)
+ fs_manage_fusefs_files(httpd_t)
+ fs_manage_fusefs_symlinks(httpd_t)
')
tunable_policy(`httpd_setrlimit',`
@@ -695,49 +869,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
+ allow httpd_sys_script_t httpd_t:fd use;
+ allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
+ allow httpd_sys_script_t httpd_t:process sigchld;
')
-tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
- can_exec(httpd_t, httpd_tmp_t)
-')
-
+# When the admin starts the server, the server wants to access
+# the TTY or PTY associated with the session. The httpd appears
+# to run correctly without this permission, so the permission
+# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_t)
-',`
- userdom_dontaudit_use_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_suexec_t)
')
-tunable_policy(`httpd_use_cifs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_cifs_dirs(httpd_t)
- fs_manage_cifs_files(httpd_t)
- fs_manage_cifs_symlinks(httpd_t)
-')
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_t)
-')
+optional_policy(`
+ cobbler_list_config(httpd_t)
+ cobbler_read_config(httpd_t)
-tunable_policy(`httpd_use_fusefs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_fusefs_dirs(httpd_t)
- fs_manage_fusefs_files(httpd_t)
- fs_read_fusefs_symlinks(httpd_t)
-')
+ tunable_policy(`httpd_serve_cobbler_files',`
+ cobbler_manage_lib_files(httpd_t)
+',`
+ cobbler_read_lib_files(httpd_t)
+ cobbler_search_lib(httpd_t)
+ ')
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
- fs_exec_fusefs_files(httpd_t)
+ tunable_policy(`httpd_can_network_connect_cobbler',`
+ corenet_tcp_connect_cobbler_port(httpd_t)
+ ')
')
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_nfs_dirs(httpd_t)
- fs_manage_nfs_files(httpd_t)
- fs_manage_nfs_symlinks(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_sasl',`
+ sasl_connect(httpd_t)
+ ')
')
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_t)
+optional_policy(`
+ # Support for ABRT retrace server
+ # mod_wsgi
+ abrt_manage_spool_retrace(httpd_t)
+ abrt_domtrans_retrace_worker(httpd_t)
+ abrt_read_config(httpd_t)
')
optional_policy(`
@@ -749,24 +922,32 @@ optional_policy(`
')
optional_policy(`
- clamav_domtrans_clamscan(httpd_t)
+ cron_system_entry(httpd_t, httpd_exec_t)
')
optional_policy(`
- cobbler_read_config(httpd_t)
- cobbler_read_lib_files(httpd_t)
+ cvs_read_data(httpd_t)
')
optional_policy(`
- cron_system_entry(httpd_t, httpd_exec_t)
+ daemontools_service_domain(httpd_t, httpd_exec_t)
')
optional_policy(`
- cvs_read_data(httpd_t)
+ #needed by FreeIPA
+ dirsrv_stream_connect(httpd_t)
')
optional_policy(`
- daemontools_service_domain(httpd_t, httpd_exec_t)
+ dirsrv_manage_config(httpd_t)
+ dirsrv_manage_log(httpd_t)
+ dirsrv_manage_var_run(httpd_t)
+ dirsrv_read_share(httpd_t)
+ dirsrv_signal(httpd_t)
+ dirsrv_signull(httpd_t)
+ dirsrvadmin_manage_config(httpd_t)
+ dirsrvadmin_manage_tmp(httpd_t)
+ dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
')
optional_policy(`
@@ -775,6 +956,10 @@ optional_policy(`
tunable_policy(`httpd_dbus_avahi',`
avahi_dbus_chat(httpd_t)
')
+
+ tunable_policy(`httpd_dbus_sssd',`
+ sssd_dbus_chat(httpd_t)
+ ')
')
optional_policy(`
@@ -786,35 +971,62 @@ optional_policy(`
')
optional_policy(`
- kerberos_manage_host_rcache(httpd_t)
- kerberos_read_keytab(httpd_t)
- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
- kerberos_use(httpd_t)
+ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+ gpg_domtrans_web(httpd_t)
+ ')
')
optional_policy(`
- ldap_stream_connect(httpd_t)
+ gssproxy_stream_connect(httpd_t)
+')
- tunable_policy(`httpd_can_network_connect_ldap',`
- ldap_tcp_connect(httpd_t)
- ')
+optional_policy(`
+ ipa_read_lib(httpd_t)
+ ipa_manage_pid_files(httpd_t)
+')
+
+optional_policy(`
+ mirrormanager_manage_pid_files(httpd_t)
+ mirrormanager_manage_pid_sock_files(httpd_t)
+ mirrormanager_read_lib_files(httpd_t)
+ mirrormanager_read_log(httpd_t)
+')
+
+optional_policy(`
+ jetty_admin(httpd_t)
+')
+
+optional_policy(`
+ kerberos_manage_host_rcache(httpd_t)
+ kerberos_read_keytab(httpd_t)
+ kerberos_read_kdc_config(httpd_t)
+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
+ kerberos_use(httpd_t)
+')
+
+optional_policy(`
+ # needed by FreeIPA
+ ldap_stream_connect(httpd_t)
+ ldap_read_certs(httpd_t)
')
optional_policy(`
mailman_signal_cgi(httpd_t)
mailman_domtrans_cgi(httpd_t)
mailman_read_data_files(httpd_t)
+ # should have separate types for public and private archives
mailman_search_data(httpd_t)
mailman_read_archive(httpd_t)
')
optional_policy(`
- memcached_stream_connect(httpd_t)
+ mediawiki_read_tmp_files(httpd_t)
+ mediawiki_delete_tmp_files(httpd_t)
+')
- tunable_policy(`httpd_can_network_connect_memcache',`
- memcached_tcp_connect(httpd_t)
- ')
+optional_policy(`
+ memcached_stream_connect(httpd_t)
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
@@ -822,8 +1034,31 @@ optional_policy(`
')
optional_policy(`
+ tunable_policy(`httpd_run_ipa',`
+ oddjob_dbus_chat(httpd_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`httpd_run_ipa',`
+ ipa_domtrans_helper(httpd_t)
+ ')
+ ipa_cert_filetrans_named_content(httpd_t)
+')
+
+optional_policy(`
+ munin_read_config(httpd_t)
+')
+
+optional_policy(`
+ # Allow httpd to work with mysql
mysql_read_config(httpd_t)
mysql_stream_connect(httpd_t)
+ mysql_rw_db_sockets(httpd_t)
+
+ optional_policy(`
+ postgresql_stream_connect(httpd_t)
+ ')
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
@@ -832,6 +1067,8 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
+ nagios_read_lib(httpd_t)
+ nagios_read_log(httpd_t)
')
optional_policy(`
@@ -841,38 +1078,77 @@ optional_policy(`
openca_kill(httpd_t)
')
+optional_policy(`
+ openshift_search_lib(httpd_t)
+ openshift_initrc_signull(httpd_t)
+ openshift_initrc_signal(httpd_t)
+')
+
+optional_policy(`
+ passenger_exec(httpd_t)
+ passenger_kill(httpd_t)
+ passenger_manage_pid_content(httpd_t)
+')
+
optional_policy(`
pcscd_read_pid_files(httpd_t)
')
optional_policy(`
- postgresql_stream_connect(httpd_t)
- postgresql_unpriv_client(httpd_t)
+ pki_apache_domain_signal(httpd_t)
+ pki_manage_apache_config_files(httpd_t)
+ pki_manage_apache_lib(httpd_t)
+ pki_manage_apache_log_files(httpd_t)
+ pki_manage_apache_run(httpd_t)
+ pki_read_tomcat_cert(httpd_t)
+')
- tunable_policy(`httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_t)
- ')
+optional_policy(`
+ puppet_read_lib(httpd_t)
')
optional_policy(`
- puppet_read_lib_files(httpd_t)
+ pwauth_domtrans(httpd_t)
+')
+
+optional_policy(`
+ realmd_read_var_lib(httpd_t)
+')
+
+optional_policy(`
+ rpm_dontaudit_read_db(httpd_t)
')
optional_policy(`
rpc_search_nfs_state_data(httpd_t)
')
+optional_policy(`
+ # Allow httpd to work with postgresql
+ postgresql_stream_connect(httpd_t)
+ postgresql_unpriv_client(httpd_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_t)
+ ')
+')
+
optional_policy(`
seutil_sigchld_newrole(httpd_t)
')
optional_policy(`
smokeping_read_lib_files(httpd_t)
+ smokeping_read_pid_files(httpd_t)
+')
+
+optional_policy(`
+ files_dontaudit_rw_usr_dirs(httpd_t)
+ snmp_dontaudit_manage_snmp_var_lib_files(httpd_t)
')
optional_policy(`
- snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
- snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
+ thin_stream_connect(httpd_t)
')
optional_policy(`
@@ -883,65 +1159,189 @@ optional_policy(`
yam_read_content(httpd_t)
')
+optional_policy(`
+ zarafa_manage_lib_files(httpd_t)
+ zarafa_stream_connect_server(httpd_t)
+ zarafa_search_config(httpd_t)
+')
+
+optional_policy(`
+ zoneminder_append_log(httpd_t)
+ zoneminder_manage_lib_dirs(httpd_t)
+ zoneminder_manage_lib_files(httpd_t)
+ zoneminder_stream_connect(httpd_t)
+ zoneminder_exec(httpd_t)
+')
+
########################################
#
-# Helper local policy
+# Apache helper local policy
#
-read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
+domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
-append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
+allow httpd_helper_t httpd_config_t:file read_file_perms;
-files_search_etc(httpd_helper_t)
+allow httpd_helper_t httpd_log_t:file append_file_perms;
-logging_search_logs(httpd_helper_t)
logging_send_syslog_msg(httpd_helper_t)
+tunable_policy(`httpd_verify_dns',`
+ corenet_udp_bind_all_ephemeral_ports(httpd_t)
+')
+
+tunable_policy(`httpd_run_stickshift', `
+ allow httpd_t self:capability { fowner fsetid sys_resource };
+ dontaudit httpd_t self:capability sys_ptrace;
+ allow httpd_t self:process setexec;
+
+ files_dontaudit_getattr_all_files(httpd_t)
+ domain_getpgid_all_domains(httpd_t)
+')
+
+optional_policy(`
+ tunable_policy(`httpd_run_stickshift', `
+ passenger_manage_lib_files(httpd_t)
+ passenger_getattr_log_files(httpd_t)
+ ',`
+ passenger_domtrans(httpd_t)
+ passenger_read_lib_files(httpd_t)
+ passenger_stream_connect(httpd_t)
+ passenger_manage_tmp_files(httpd_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`httpd_run_stickshift', `
+ oddjob_dbus_chat(httpd_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`httpd_run_preupgrade', `
+ anaconda_manage_lib_files_preupgrade(httpd_t)
+ anaconda_domtrans_preupgrade(httpd_t)
+ ',`
+ anaconda_read_lib_files_preupgrade(httpd_t)
+ anaconda_exec_preupgrade(httpd_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`httpd_run_preupgrade', `
+ corenet_tcp_bind_preupgrade_port(httpd_t)
+ ')
+')
+
tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_helper_t)
-',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
')
########################################
#
-# Suexec local policy
+# Apache PHP script local policy
+#
+
+allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow httpd_php_t self:fd use;
+allow httpd_php_t self:fifo_file rw_fifo_file_perms;
+allow httpd_php_t self:sock_file read_sock_file_perms;
+allow httpd_php_t self:unix_dgram_socket create_socket_perms;
+allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
+allow httpd_php_t self:unix_dgram_socket sendto;
+allow httpd_php_t self:unix_stream_socket connectto;
+allow httpd_php_t self:shm create_shm_perms;
+allow httpd_php_t self:sem create_sem_perms;
+allow httpd_php_t self:msgq create_msgq_perms;
+allow httpd_php_t self:msg { send receive };
+
+domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
+
+# allow php to read and append to apache logfiles
+allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
+
+manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
+manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
+files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
+
+fs_search_auto_mountpoints(httpd_php_t)
+
+auth_use_nsswitch(httpd_php_t)
+
+libs_exec_lib_files(httpd_php_t)
+
+userdom_use_unpriv_users_fds(httpd_php_t)
+
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_gds_db_port(httpd_php_t)
+ corenet_tcp_connect_mssql_port(httpd_php_t)
+ corenet_sendrecv_mssql_client_packets(httpd_php_t)
+ corenet_tcp_connect_oracle_port(httpd_php_t)
+ corenet_sendrecv_oracle_client_packets(httpd_php_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(httpd_php_t)
+ mysql_rw_db_sockets(httpd_php_t)
+ mysql_read_config(httpd_php_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_php_t)
+ ')
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_php_t)
+ postgresql_unpriv_client(httpd_php_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
+')
+
+########################################
+#
+# Apache suexec local policy
#
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
-allow httpd_suexec_t self:tcp_socket { accept listen };
-allow httpd_suexec_t self:unix_stream_socket { accept listen };
+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+
+domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+
+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
+
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-corenet_all_recvfrom_unlabeled(httpd_suexec_t)
-corenet_all_recvfrom_netlabel(httpd_suexec_t)
-corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
-corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-
-corecmd_exec_bin(httpd_suexec_t)
-corecmd_exec_shell(httpd_suexec_t)
-
dev_read_urand(httpd_suexec_t)
fs_read_iso9660_files(httpd_suexec_t)
fs_search_auto_mountpoints(httpd_suexec_t)
-files_read_usr_files(httpd_suexec_t)
+application_exec_all(httpd_suexec_t)
+
+# for shell scripts
+corecmd_exec_bin(httpd_suexec_t)
+corecmd_exec_shell(httpd_suexec_t)
+
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
@@ -950,123 +1350,78 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
-miscfiles_read_localization(httpd_suexec_t)
miscfiles_read_public_files(httpd_suexec_t)
-tunable_policy(`httpd_builtin_scripting',`
- exec_files_pattern(httpd_suexec_t, httpd_script_exec_type, httpd_script_exec_type)
-
- allow httpd_suexec_t httpdcontent:dir list_dir_perms;
- allow httpd_suexec_t httpdcontent:file read_file_perms;
- allow httpd_suexec_t httpdcontent:lnk_file read_lnk_file_perms;
-')
+corenet_all_recvfrom_netlabel(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect',`
+ allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_suexec_t self:udp_socket create_socket_perms;
+
+ corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
+ corenet_udp_sendrecv_generic_if(httpd_suexec_t)
+ corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
+ corenet_udp_sendrecv_generic_node(httpd_suexec_t)
+ corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
+ corenet_udp_sendrecv_all_ports(httpd_suexec_t)
corenet_tcp_connect_all_ports(httpd_suexec_t)
corenet_sendrecv_all_client_packets(httpd_suexec_t)
- corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
')
tunable_policy(`httpd_can_network_connect_db',`
- corenet_sendrecv_gds_db_client_packets(httpd_suexec_t)
corenet_tcp_connect_gds_db_port(httpd_suexec_t)
- corenet_tcp_sendrecv_gds_db_port(httpd_suexec_t)
- corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
corenet_tcp_connect_mssql_port(httpd_suexec_t)
- corenet_tcp_sendrecv_mssql_port(httpd_suexec_t)
- corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
- corenet_tcp_connect_oracledb_port(httpd_suexec_t)
- corenet_tcp_sendrecv_oracledb_port(httpd_suexec_t)
+ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+ corenet_tcp_connect_oracle_port(httpd_suexec_t)
+ corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
')
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
+
tunable_policy(`httpd_can_sendmail',`
- corenet_sendrecv_smtp_client_packets(httpd_suexec_t)
- corenet_tcp_connect_smtp_port(httpd_suexec_t)
- corenet_tcp_sendrecv_smtp_port(httpd_suexec_t)
- corenet_sendrecv_pop_client_packets(httpd_suexec_t)
- corenet_tcp_connect_pop_port(httpd_suexec_t)
- corenet_tcp_sendrecv_pop_port(httpd_suexec_t)
mta_send_mail(httpd_suexec_t)
- mta_signal_system_mail(httpd_suexec_t)
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpdcontent:file entrypoint;
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- fs_read_cifs_files(httpd_suexec_t)
- fs_read_cifs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_suexec_t)
+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
+ fs_list_auto_mountpoints(httpd_suexec_t)
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
fs_exec_nfs_files(httpd_suexec_t)
')
-tunable_policy(`httpd_execmem',`
- allow httpd_suexec_t self:process { execmem execstack };
-')
-
-tunable_policy(`httpd_tmp_exec',`
- can_exec(httpd_suexec_t, httpd_suexec_tmp_t)
-')
-
-tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_suexec_t)
-',`
- userdom_dontaudit_use_user_terminals(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_cifs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- fs_manage_cifs_dirs(httpd_suexec_t)
- fs_manage_cifs_files(httpd_suexec_t)
- fs_manage_cifs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_suexec_t)
+ fs_read_cifs_symlinks(httpd_suexec_t)
fs_exec_cifs_files(httpd_suexec_t)
')
-tunable_policy(`httpd_use_fusefs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- fs_manage_fusefs_dirs(httpd_suexec_t)
- fs_manage_fusefs_files(httpd_suexec_t)
- fs_read_fusefs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
- fs_exec_fusefs_files(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- fs_manage_nfs_dirs(httpd_suexec_t)
- fs_manage_nfs_files(httpd_suexec_t)
- fs_manage_nfs_symlinks(httpd_suexec_t)
+optional_policy(`
+ apache_rw_stream_sockets(httpd_suexec_t)
')
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_suexec_t)
+optional_policy(`
+ mailman_domtrans_cgi(httpd_suexec_t)
')
optional_policy(`
- mailman_domtrans_cgi(httpd_suexec_t)
+ mta_stub(httpd_suexec_t)
+
+ # apache should set close-on-exec
+ # dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
optional_policy(`
mysql_stream_connect(httpd_suexec_t)
+ mysql_rw_db_sockets(httpd_suexec_t)
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -1083,172 +1438,108 @@ optional_policy(`
')
')
-tunable_policy(`httpd_read_user_content',`
- userdom_read_user_home_content_files(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_suexec_t)
-')
-
########################################
#
-# Common script local policy
+# Apache system script local policy
#
-allow httpd_script_domains self:fifo_file rw_file_perms;
-allow httpd_script_domains self:unix_stream_socket connectto;
-
-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
-
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
+allow httpd_sys_script_t self:process getsched;
-corenet_all_recvfrom_unlabeled(httpd_script_domains)
-corenet_all_recvfrom_netlabel(httpd_script_domains)
-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
-corenet_tcp_sendrecv_generic_node(httpd_script_domains)
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-corecmd_exec_all_executables(httpd_script_domains)
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
-dev_read_rand(httpd_script_domains)
-dev_read_urand(httpd_script_domains)
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
-files_exec_etc_files(httpd_script_domains)
-files_read_etc_files(httpd_script_domains)
-files_search_home(httpd_script_domains)
+allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
+read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
+read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
-libs_exec_ld_so(httpd_script_domains)
-libs_exec_lib_files(httpd_script_domains)
+kernel_read_kernel_sysctls(httpd_sys_script_t)
-logging_search_logs(httpd_script_domains)
+dev_list_sysfs(httpd_sys_script_t)
-miscfiles_read_fonts(httpd_script_domains)
-miscfiles_read_public_files(httpd_script_domains)
+files_read_var_symlinks(httpd_sys_script_t)
+files_search_var_lib(httpd_sys_script_t)
+files_search_spool(httpd_sys_script_t)
-seutil_dontaudit_search_config(httpd_script_domains)
+logging_send_syslog_msg(httpd_sys_script_t)
+logging_inherit_append_all_logs(httpd_sys_script_t)
-tunable_policy(`httpd_enable_cgi && httpd_unified',`
- allow httpd_script_domains httpdcontent:file entrypoint;
+# Should we add a boolean?
+apache_domtrans_rotatelogs(httpd_sys_script_t)
- manage_dirs_pattern(httpd_script_domains, httpdcontent, httpdcontent)
- manage_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
- manage_lnk_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
+auth_use_nsswitch(httpd_sys_script_t)
- can_exec(httpd_script_domains, httpdcontent)
+ifdef(`distro_redhat',`
+ allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-tunable_policy(`httpd_enable_cgi',`
- allow httpd_script_domains self:process { setsched signal_perms };
- allow httpd_script_domains self:unix_stream_socket create_stream_socket_perms;
-
- kernel_read_system_state(httpd_script_domains)
-
- fs_getattr_all_fs(httpd_script_domains)
-
- files_read_etc_runtime_files(httpd_script_domains)
- files_read_usr_files(httpd_script_domains)
-
- libs_read_lib_files(httpd_script_domains)
-
- miscfiles_read_localization(httpd_script_domains)
+tunable_policy(`httpd_can_sendmail',`
+ mta_send_mail(httpd_sys_script_t)
')
optional_policy(`
- tunable_policy(`httpd_enable_cgi && allow_ypbind',`
- nis_use_ypbind_uncond(httpd_script_domains)
+ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
+ spamassassin_domtrans_client(httpd_t)
')
')
-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- corenet_sendrecv_gds_db_client_packets(httpd_script_domains)
- corenet_tcp_connect_gds_db_port(httpd_script_domains)
- corenet_tcp_sendrecv_gds_db_port(httpd_script_domains)
- corenet_sendrecv_mssql_client_packets(httpd_script_domains)
- corenet_tcp_connect_mssql_port(httpd_script_domains)
- corenet_tcp_sendrecv_mssql_port(httpd_script_domains)
- corenet_sendrecv_oracledb_client_packets(httpd_script_domains)
- corenet_tcp_connect_oracledb_port(httpd_script_domains)
- corenet_tcp_sendrecv_oracledb_port(httpd_script_domains)
-')
-
-optional_policy(`
- mysql_read_config(httpd_script_domains)
- mysql_stream_connect(httpd_script_domains)
-
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- mysql_tcp_connect(httpd_script_domains)
- ')
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_gds_db_port(httpd_sys_script_t)
+ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_oracle_port(httpd_sys_script_t)
+ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_mongod_port(httpd_sys_script_t)
')
-optional_policy(`
- postgresql_stream_connect(httpd_script_domains)
+fs_cifs_entry_type(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_nfs_entry_type(httpd_sys_script_t)
+fs_rw_anon_inodefs_files(httpd_sys_script_t)
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_script_domains)
- ')
-')
+tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ fs_manage_nfs_dirs(httpd_sys_script_t)
+ fs_manage_nfs_files(httpd_sys_script_t)
+ fs_manage_nfs_symlinks(httpd_sys_script_t)
+ fs_exec_nfs_files(httpd_sys_script_t)
-optional_policy(`
- nscd_use(httpd_script_domains)
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ fs_manage_nfs_dirs(httpd_suexec_t)
+ fs_manage_nfs_files(httpd_suexec_t)
+ fs_manage_nfs_symlinks(httpd_suexec_t)
+ fs_exec_nfs_files(httpd_suexec_t)
')
-########################################
-#
-# System script local policy
-#
-
-allow httpd_sys_script_t self:tcp_socket { accept listen };
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
-
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
-
-allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
-
-kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-fs_search_auto_mountpoints(httpd_sys_script_t)
-
-files_read_var_symlinks(httpd_sys_script_t)
-files_search_var_lib(httpd_sys_script_t)
-files_search_spool(httpd_sys_script_t)
-
-apache_domtrans_rotatelogs(httpd_sys_script_t)
-
-auth_use_nsswitch(httpd_sys_script_t)
-
-tunable_policy(`httpd_can_sendmail',`
- corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_smtp_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_smtp_port(httpd_sys_script_t)
- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_pop_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-
- mta_send_mail(httpd_sys_script_t)
- mta_signal_system_mail(httpd_sys_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
+ corenet_tcp_bind_generic_node(httpd_sys_script_t)
+ corenet_udp_bind_generic_node(httpd_sys_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
+ corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_tcp_connect_all_ports(httpd_sys_script_t)
+ corenet_sendrecv_all_client_packets(httpd_sys_script_t)
')
tunable_policy(`httpd_enable_homedirs',`
userdom_search_user_home_dirs(httpd_sys_script_t)
')
-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
- corenet_tcp_connect_all_ports(httpd_sys_script_t)
- corenet_sendrecv_all_client_packets(httpd_sys_script_t)
- corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
-')
-
-tunable_policy(`httpd_execmem',`
- allow httpd_sys_script_t self:process { execmem execstack };
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
')
tunable_policy(`httpd_read_user_content',`
@@ -1256,64 +1547,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
fs_manage_cifs_dirs(httpd_sys_script_t)
fs_manage_cifs_files(httpd_sys_script_t)
fs_manage_cifs_symlinks(httpd_sys_script_t)
-')
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_sys_script_t)
+ fs_manage_cifs_dirs(httpd_suexec_t)
+ fs_manage_cifs_files(httpd_suexec_t)
+ fs_manage_cifs_symlinks(httpd_suexec_t)
+ fs_exec_cifs_files(httpd_suexec_t)
')
tunable_policy(`httpd_use_fusefs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
fs_manage_fusefs_dirs(httpd_sys_script_t)
fs_manage_fusefs_files(httpd_sys_script_t)
- fs_read_fusefs_symlinks(httpd_sys_script_t)
+ fs_manage_fusefs_symlinks(httpd_sys_script_t)
+ fs_manage_fusefs_dirs(httpd_suexec_t)
+ fs_manage_fusefs_files(httpd_suexec_t)
+ fs_manage_fusefs_symlinks(httpd_suexec_t)
+ fs_exec_fusefs_files(httpd_suexec_t)
')
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
- fs_exec_fusefs_files(httpd_sys_script_t)
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_sys_script_t)
+ fs_read_cifs_symlinks(httpd_sys_script_t)
')
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
- fs_manage_nfs_dirs(httpd_sys_script_t)
- fs_manage_nfs_files(httpd_sys_script_t)
- fs_manage_nfs_symlinks(httpd_sys_script_t)
+optional_policy(`
+ clamav_domtrans_clamscan(httpd_sys_script_t)
+ clamav_domtrans_clamscan(httpd_t)
')
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_sys_script_t)
+optional_policy(`
+ mysql_stream_connect(httpd_sys_script_t)
+ mysql_rw_db_sockets(httpd_sys_script_t)
+ mysql_read_config(httpd_sys_script_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_sys_script_t)
+ ')
')
optional_policy(`
- clamav_domtrans_clamscan(httpd_sys_script_t)
+ postgresql_stream_connect(httpd_sys_script_t)
+ postgresql_unpriv_client(httpd_sys_script_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_sys_script_t)
+ ')
')
optional_policy(`
- postgresql_unpriv_client(httpd_sys_script_t)
+ snmp_read_snmp_var_lib_files(httpd_sys_script_t)
')
########################################
#
-# Rotatelogs local policy
+# httpd_rotatelogs local policy
#
-allow httpd_rotatelogs_t self:capability dac_override;
+allow httpd_rotatelogs_t self:capability { dac_read_search dac_override };
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
+kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
-files_read_etc_files(httpd_rotatelogs_t)
logging_search_logs(httpd_rotatelogs_t)
-miscfiles_read_localization(httpd_rotatelogs_t)
########################################
#
@@ -1321,8 +1622,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
- apache_content_template(unconfined)
+ type httpd_unconfined_script_t;
+ type httpd_unconfined_script_exec_t;
+ domain_type(httpd_unconfined_script_t)
+ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
unconfined_domain(httpd_unconfined_script_t)
+
+ role system_r types httpd_unconfined_script_t;
+ allow httpd_t httpd_unconfined_script_t:process signal_perms;
')
########################################
@@ -1330,49 +1638,43 @@ optional_policy(`
# User content local policy
#
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_user_script_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_list_auto_mountpoints(httpd_user_script_t)
- fs_read_cifs_files(httpd_user_script_t)
- fs_read_cifs_symlinks(httpd_user_script_t)
-')
+auth_use_nsswitch(httpd_user_script_t)
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_user_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_user_script_t httpdcontent:file entrypoint;
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
')
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
- fs_list_auto_mountpoints(httpd_user_script_t)
- fs_read_nfs_files(httpd_user_script_t)
- fs_read_nfs_symlinks(httpd_user_script_t)
-')
+# allow accessing files/dirs below the users home dir
+tunable_policy(`httpd_enable_homedirs',`
+ userdom_search_user_home_content(httpd_t)
+ userdom_search_user_home_content(httpd_suexec_t)
+ userdom_search_user_home_content(httpd_user_script_t)
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_user_script_t)
+ read_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
+ read_lnk_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
+ list_dirs_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
+ allow httpd_t httpd_user_content_type:file map;
')
tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_t)
+ userdom_read_user_home_content_files(httpd_suexec_t)
userdom_read_user_home_content_files(httpd_user_script_t)
')
-optional_policy(`
- postgresql_unpriv_client(httpd_user_script_t)
-')
-
########################################
#
-# Passwd local policy
+# httpd_passwd local policy
#
allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
-dontaudit httpd_passwd_t httpd_config_t:file read_file_perms;
-
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
@@ -1382,38 +1684,109 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
+
auth_use_nsswitch(httpd_passwd_t)
-miscfiles_read_generic_certs(httpd_passwd_t)
-miscfiles_read_localization(httpd_passwd_t)
+miscfiles_read_certs(httpd_passwd_t)
-########################################
-#
-# GPG local policy
-#
+systemd_manage_passwd_run(httpd_passwd_t)
+systemd_manage_passwd_run(httpd_t)
+#systemd_passwd_agent_dev_template(httpd)
+
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+dontaudit httpd_passwd_t httpd_config_t:file read;
+
+search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
+corecmd_shell_entry_type(httpd_script_type)
+
+allow httpd_script_type self:fifo_file rw_file_perms;
+allow httpd_script_type self:unix_stream_socket connectto;
+
+allow httpd_script_type httpd_t:fifo_file write;
+# apache should set close-on-exec
+apache_dontaudit_leaks(httpd_script_type)
+
+append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
+logging_search_logs(httpd_script_type)
+
+kernel_dontaudit_search_sysctl(httpd_script_type)
+kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
+
+dev_read_rand(httpd_script_type)
+dev_read_urand(httpd_script_type)
+
+corecmd_exec_all_executables(httpd_script_type)
+application_exec_all(httpd_script_type)
+
+files_exec_etc_files(httpd_script_type)
+files_search_home(httpd_script_type)
+
+libs_exec_ld_so(httpd_script_type)
+libs_exec_lib_files(httpd_script_type)
+
+miscfiles_read_fonts(httpd_script_type)
+miscfiles_read_public_files(httpd_script_type)
-allow httpd_gpg_t self:process setrlimit;
+allow httpd_t httpd_script_type:unix_stream_socket connectto;
-allow httpd_gpg_t httpd_t:fd use;
-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
-allow httpd_gpg_t httpd_t:process sigchld;
+allow httpd_t httpd_script_exec_type:file read_file_perms;
+allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
+allow httpd_t httpd_script_type:process { signal sigkill sigstop signull };
+allow httpd_t httpd_script_exec_type:dir list_dir_perms;
-dev_read_rand(httpd_gpg_t)
-dev_read_urand(httpd_gpg_t)
+allow httpd_script_type self:process { setsched signal_perms };
+allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
+allow httpd_script_type self:unix_dgram_socket create_socket_perms;
+allow httpd_script_type httpd_t:unix_stream_socket rw_stream_socket_perms;
-files_read_usr_files(httpd_gpg_t)
+allow httpd_script_type httpd_t:fd use;
+allow httpd_script_type httpd_t:process sigchld;
-miscfiles_read_localization(httpd_gpg_t)
+dontaudit httpd_script_type httpd_t:tcp_socket { read write };
+dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };
-tunable_policy(`httpd_gpg_anon_write',`
- miscfiles_manage_public_files(httpd_gpg_t)
+fs_getattr_xattr_fs(httpd_script_type)
+
+files_read_etc_runtime_files(httpd_script_type)
+
+libs_read_lib_files(httpd_script_type)
+
+allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
+
+tunable_policy(`httpd_enable_cgi && nis_enabled',`
+ nis_use_ypbind_uncond(httpd_script_type)
')
optional_policy(`
- apache_manage_sys_rw_content(httpd_gpg_t)
+ nscd_socket_use(httpd_script_type)
+')
+
+read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+allow httpd_t httpd_content_type:file map;
+
+tunable_policy(`httpd_builtin_scripting',`
+ allow httpd_t httpd_content_type:dir search_dir_perms;
+ allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
+
+ allow httpd_t httpd_content_type:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+')
+
+tunable_policy(`httpd_use_openstack',`
+ corenet_tcp_connect_keystone_port(httpd_sys_script_t)
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
+ corenet_tcp_connect_glance_port(httpd_sys_script_t)
+ corenet_tcp_connect_osapi_compute_port(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_use_openstack',`
+ corenet_tcp_connect_osapi_compute_port(httpd_t)
+ corenet_tcp_bind_commplex_main_port(httpd_t)
')
optional_policy(`
- gpg_entry_type(httpd_gpg_t)
- gpg_exec(httpd_gpg_t)
+ tunable_policy(`httpd_use_openstack',`
+ keystone_read_log(httpd_t)
+ ')
')
diff --git a/apcupsd.fc b/apcupsd.fc
index 5ec0e13c8..97c204fe5 100644
--- a/apcupsd.fc
+++ b/apcupsd.fc
@@ -1,18 +1,23 @@
+/etc/apcupsd/powerfail -- gen_context(system_u:object_r:apcupsd_power_t,s0)
+
/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
+/usr/lib/systemd/system/apcupsd.* -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
+
/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
/var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
+/var/lock/LCK.. -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
/var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
-/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
+/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
diff --git a/apcupsd.if b/apcupsd.if
index f3c0abac6..f6e25eda4 100644
--- a/apcupsd.if
+++ b/apcupsd.if
@@ -102,7 +102,7 @@ interface(`apcupsd_append_log',`
########################################
##
## Execute a domain transition to
-## run httpd_apcupsd_cgi_script.
+## run apcupsd_cgi_script.
##
##
##
@@ -112,17 +112,61 @@ interface(`apcupsd_append_log',`
#
interface(`apcupsd_cgi_script_domtrans',`
gen_require(`
- type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
+ type apcupsd_cgi_script_t, apcupsd_cgi_script_exec_t;
')
files_search_var($1)
- domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
+ domtrans_pattern($1, apcupsd_cgi_script_exec_t, apcupsd_cgi_script_t)
optional_policy(`
apache_search_sys_content($1)
')
')
+########################################
+##
+## Execute apcupsd server in the apcupsd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`apcupsd_systemctl',`
+ gen_require(`
+ type apcupsd_t;
+ type apcupsd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 apcupsd_unit_file_t:file read_file_perms;
+ allow $1 apcupsd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, apcupsd_t)
+')
+
+########################################
+##
+## Create configuration files in /var/lock
+## with a named file type transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apcupsd_filetrans_named_content',`
+ gen_require(`
+ type apcupsd_lock_t;
+ ')
+
+ files_lock_filetrans($1, apcupsd_lock_t, file, "apcupsd")
+ files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..")
+')
+
########################################
##
## All of the rules required to
@@ -144,11 +188,17 @@ interface(`apcupsd_admin',`
gen_require(`
type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
+ type apcupsd_unit_file_t;
+ type apcupsd_power_t;
')
- allow $1 apcupsd_t:process { ptrace signal_perms };
+ allow $1 apcupsd_t:process signal_perms;
ps_process_pattern($1, apcupsd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 apcupsd_t:process ptrace;
+ ')
+
apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 apcupsd_initrc_exec_t system_r;
@@ -165,4 +215,11 @@ interface(`apcupsd_admin',`
files_list_pids($1)
admin_pattern($1, apcupsd_var_run_t)
+
+ apcupsd_systemctl($1)
+ admin_pattern($1, apcupsd_unit_file_t)
+ allow $1 apcupsd_unit_file_t:service all_service_perms;
+
+ manage_files_pattern($1, apcupsd_power_t, apcupsd_power_t)
+ files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
')
diff --git a/apcupsd.te b/apcupsd.te
index 080bc4ddb..b295381b8 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,12 +24,18 @@ files_tmp_file(apcupsd_tmp_t)
type apcupsd_var_run_t;
files_pid_file(apcupsd_var_run_t)
+type apcupsd_power_t;
+files_type(apcupsd_power_t)
+
+type apcupsd_unit_file_t;
+systemd_unit_file(apcupsd_unit_file_t)
+
########################################
#
# Local policy
#
-allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
+allow apcupsd_t self:capability { dac_read_search dac_override setgid sys_tty_config };
allow apcupsd_t self:process signal;
allow apcupsd_t self:fifo_file rw_file_perms;
allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
@@ -38,9 +44,10 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms;
allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file)
-append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
-create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
-setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
+manage_files_pattern(apcupsd_t, apcupsd_power_t, apcupsd_power_t)
+files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
+
+manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
logging_log_filetrans(apcupsd_t, apcupsd_log_t, file)
manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
@@ -54,7 +61,6 @@ kernel_read_system_state(apcupsd_t)
corecmd_exec_bin(apcupsd_t)
corecmd_exec_shell(apcupsd_t)
-corenet_all_recvfrom_unlabeled(apcupsd_t)
corenet_all_recvfrom_netlabel(apcupsd_t)
corenet_tcp_sendrecv_generic_if(apcupsd_t)
corenet_tcp_sendrecv_generic_node(apcupsd_t)
@@ -67,26 +73,38 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
corenet_tcp_connect_apcupsd_port(apcupsd_t)
+corenet_udp_bind_apc_port(apcupsd_t)
+corenet_udp_bind_snmp_port(apcupsd_t)
corenet_udp_bind_snmp_port(apcupsd_t)
corenet_sendrecv_snmp_server_packets(apcupsd_t)
corenet_udp_sendrecv_snmp_port(apcupsd_t)
+fs_getattr_xattr_fs(apcupsd_t)
+
+dev_read_sysfs(apcupsd_t)
+
dev_rw_generic_usb_dev(apcupsd_t)
-files_read_etc_files(apcupsd_t)
+domain_signull_all_domains(apcupsd_t)
+
files_manage_etc_runtime_files(apcupsd_t)
files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin")
-term_use_unallocated_ttys(apcupsd_t)
+term_use_all_terms(apcupsd_t)
+term_use_usb_ttys(apcupsd_t)
-logging_send_syslog_msg(apcupsd_t)
+#apcupsd runs shutdown, probably need a shutdown domain
+init_rw_utmp(apcupsd_t)
+init_telinit(apcupsd_t)
+
+auth_use_nsswitch(apcupsd_t)
-miscfiles_read_localization(apcupsd_t)
+logging_send_syslog_msg(apcupsd_t)
sysnet_dns_name_resolve(apcupsd_t)
-userdom_use_user_ttys(apcupsd_t)
+userdom_use_inherited_user_ttys(apcupsd_t)
optional_policy(`
hostname_exec(apcupsd_t)
@@ -101,6 +119,11 @@ optional_policy(`
shutdown_domtrans(apcupsd_t)
')
+optional_policy(`
+ systemd_start_power_services(apcupsd_t)
+ systemd_status_power_services(apcupsd_t)
+')
+
########################################
#
# CGI local policy
@@ -108,20 +131,20 @@ optional_policy(`
optional_policy(`
apache_content_template(apcupsd_cgi)
-
- allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
- allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
-
- corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
- corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
- corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
- corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
- corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
- corenet_sendrecv_apcupsd_client_packets(httpd_apcupsd_cgi_script_t)
- corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)
- corenet_udp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
- corenet_udp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
- corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
-
- sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
+ apache_content_alias_template(apcupsd_cgi, apcupsd_cgi)
+
+ allow apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
+ allow apcupsd_cgi_script_t self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_netlabel(apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_generic_if(apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_generic_node(apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_all_ports(apcupsd_cgi_script_t)
+ corenet_sendrecv_apcupsd_client_packets(apcupsd_cgi_script_t)
+ corenet_tcp_connect_apcupsd_port(apcupsd_cgi_script_t)
+ corenet_udp_sendrecv_generic_if(apcupsd_cgi_script_t)
+ corenet_udp_sendrecv_generic_node(apcupsd_cgi_script_t)
+ corenet_udp_sendrecv_all_ports(apcupsd_cgi_script_t)
+
+ sysnet_dns_name_resolve(apcupsd_cgi_script_t)
')
diff --git a/apm.fc b/apm.fc
index ce27d2fb3..b2ba16a04 100644
--- a/apm.fc
+++ b/apm.fc
@@ -1,3 +1,4 @@
+/usr/lib/systemd/system/apmd.* -- gen_context(system_u:object_r:apmd_unit_file_t,s0)
/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:apmd_initrc_exec_t,s0)
/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0)
@@ -7,6 +8,8 @@
/usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0)
/var/lock/subsys/acpid -- gen_context(system_u:object_r:apmd_lock_t,s0)
+/var/lock/subsys/lmt-req\.lock -- gen_context(system_u:object_r:apmd_lock_t,s0)
+/var/lock/lmt-req\.lock -- gen_context(system_u:object_r:apmd_lock_t,s0)
/var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0)
diff --git a/apm.if b/apm.if
index 1a7a97e5c..2c7252a39 100644
--- a/apm.if
+++ b/apm.if
@@ -139,6 +139,30 @@ interface(`apm_stream_connect',`
stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
')
+########################################
+##
+## Execute apmd server in the apmd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`apmd_systemctl',`
+ gen_require(`
+ type apmd_t;
+ type apmd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 apmd_unit_file_t:file read_file_perms;
+ allow $1 apmd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, apmd_t)
+')
+
########################################
##
## All of the rules required to
@@ -163,9 +187,13 @@ interface(`apm_admin',`
type apmd_tmp_t;
')
- allow $1 apmd_t:process { ptrace signal_perms };
+ allow $1 apmd_t:process { signal_perms };
ps_process_pattern($1, apmd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 apmd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, apmd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 apmd_initrc_exec_t system_r;
diff --git a/apm.te b/apm.te
index 7fd431bcd..f944eccf1 100644
--- a/apm.te
+++ b/apm.te
@@ -35,12 +35,15 @@ files_type(apmd_var_lib_t)
type apmd_var_run_t;
files_pid_file(apmd_var_run_t)
+type apmd_unit_file_t;
+systemd_unit_file(apmd_unit_file_t)
+
########################################
#
# Client local policy
#
-allow apm_t self:capability { dac_override sys_admin };
+allow apm_t self:capability { dac_read_search dac_override sys_admin sys_resource };
kernel_read_system_state(apm_t)
@@ -48,7 +51,7 @@ dev_rw_apm_bios(apm_t)
fs_getattr_xattr_fs(apm_t)
-term_use_all_terms(apm_t)
+term_use_all_inherited_terms(apm_t)
domain_use_interactive_fds(apm_t)
@@ -59,11 +62,12 @@ logging_send_syslog_msg(apm_t)
# Server local policy
#
-allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
+allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod sys_resource };
+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
allow apmd_t self:netlink_socket create_socket_perms;
+allow apmd_t self:netlink_generic_socket create_socket_perms;
allow apmd_t self:unix_stream_socket { accept listen };
allow apmd_t apmd_lock_t:file manage_file_perms;
@@ -90,6 +94,7 @@ kernel_read_kernel_sysctls(apmd_t)
kernel_rw_all_sysctls(apmd_t)
kernel_read_system_state(apmd_t)
kernel_write_proc_files(apmd_t)
+kernel_request_load_module(apmd_t)
dev_read_input(apmd_t)
dev_read_mouse(apmd_t)
@@ -114,8 +119,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
fs_dontaudit_getattr_all_symlinks(apmd_t)
fs_dontaudit_getattr_all_pipes(apmd_t)
fs_dontaudit_getattr_all_sockets(apmd_t)
-
-selinux_search_fs(apmd_t)
+fs_read_cgroup_files(apmd_t)
corecmd_exec_all_executables(apmd_t)
@@ -129,6 +133,9 @@ domain_dontaudit_list_all_domains_state(apmd_t)
auth_use_nsswitch(apmd_t)
init_domtrans_script(apmd_t)
+init_read_utmp(apmd_t)
+init_telinit(apmd_t)
+init_dbus_chat(apmd_t)
libs_exec_ld_so(apmd_t)
libs_exec_lib_files(apmd_t)
@@ -136,17 +143,16 @@ libs_exec_lib_files(apmd_t)
logging_send_audit_msgs(apmd_t)
logging_send_syslog_msg(apmd_t)
-miscfiles_read_localization(apmd_t)
miscfiles_read_hwdata(apmd_t)
modutils_domtrans_insmod(apmd_t)
modutils_read_module_config(apmd_t)
-seutil_dontaudit_read_config(apmd_t)
+seutil_sigchld_newrole(apmd_t)
userdom_dontaudit_use_unpriv_user_fds(apmd_t)
userdom_dontaudit_search_user_home_dirs(apmd_t)
-userdom_dontaudit_search_user_home_content(apmd_t)
+userdom_dontaudit_search_user_home_content(apmd_t) # Excessive?
optional_policy(`
automount_domtrans(apmd_t)
@@ -206,11 +212,20 @@ optional_policy(`
')
optional_policy(`
- seutil_sigchld_newrole(apmd_t)
+ shutdown_domtrans(apmd_t)
')
optional_policy(`
- shutdown_domtrans(apmd_t)
+ sssd_search_lib(apmd_t)
+')
+
+optional_policy(`
+ systemd_dbus_chat_logind(apmd_t)
+')
+
+optional_policy(`
+ systemd_start_power_services(apmd_t)
+ systemd_status_power_services(apmd_t)
')
optional_policy(`
diff --git a/apt.if b/apt.if
index cde81d248..2fe02018a 100644
--- a/apt.if
+++ b/apt.if
@@ -171,7 +171,7 @@ interface(`apt_read_cache',`
files_search_var($1)
allow $1 apt_var_cache_t:dir list_dir_perms;
- dontaudit $1 apt_var_cache_t:dir write_dir_perms;
+ dontaudit $1 apt_var_cache_t:dir rw_dir_perms;
allow $1 apt_var_cache_t:file read_file_perms;
')
diff --git a/apt.te b/apt.te
index efa853059..ae5d0c9f2 100644
--- a/apt.te
+++ b/apt.te
@@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t)
# Local policy
#
-allow apt_t self:capability { chown dac_override fowner fsetid };
+allow apt_t self:capability { chown dac_read_search dac_override fowner fsetid };
allow apt_t self:process { signal setpgid fork };
allow apt_t self:fd use;
allow apt_t self:fifo_file rw_fifo_file_perms;
@@ -85,7 +85,6 @@ kernel_read_kernel_sysctls(apt_t)
corecmd_exec_bin(apt_t)
corecmd_exec_shell(apt_t)
-corenet_all_recvfrom_unlabeled(apt_t)
corenet_all_recvfrom_netlabel(apt_t)
corenet_tcp_sendrecv_generic_if(apt_t)
corenet_tcp_sendrecv_generic_node(apt_t)
@@ -101,27 +100,24 @@ domain_getattr_all_domains(apt_t)
domain_use_interactive_fds(apt_t)
files_exec_usr_files(apt_t)
-files_read_etc_files(apt_t)
files_read_etc_runtime_files(apt_t)
fs_getattr_all_fs(apt_t)
term_create_pty(apt_t, apt_devpts_t)
term_list_ptys(apt_t)
-term_use_all_terms(apt_t)
+term_use_all_inherited_terms(apt_t)
libs_exec_ld_so(apt_t)
libs_exec_lib_files(apt_t)
logging_send_syslog_msg(apt_t)
-miscfiles_read_localization(apt_t)
-
seutil_use_newrole_fds(apt_t)
sysnet_read_config(apt_t)
-userdom_use_user_terminals(apt_t)
+userdom_use_inherited_user_terminals(apt_t)
optional_policy(`
backup_manage_store_files(apt_t)
diff --git a/arpwatch.fc b/arpwatch.fc
index 9ca0d0fb8..9a1a61f82 100644
--- a/arpwatch.fc
+++ b/arpwatch.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
+/usr/lib/systemd/system/arpwatch.* -- gen_context(system_u:object_r:arpwatch_unit_file_t,s0)
+
/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
diff --git a/arpwatch.if b/arpwatch.if
index 50c9b9c87..533a555a2 100644
--- a/arpwatch.if
+++ b/arpwatch.if
@@ -117,6 +117,30 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
dontaudit $1 arpwatch_t:packet_socket { read write };
')
+########################################
+##
+## Execute arpwatch server in the arpwatch domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`arpwatch_systemctl',`
+ gen_require(`
+ type arpwatch_t;
+ type arpwatch_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 arpwatch_unit_file_t:file read_file_perms;
+ allow $1 arpwatch_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, arpwatch_t)
+')
+
########################################
##
## All of the rules required to
@@ -138,11 +162,16 @@ interface(`arpwatch_admin',`
gen_require(`
type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
type arpwatch_data_t, arpwatch_var_run_t;
+ type arpwatch_unit_file_t;
')
- allow $1 arpwatch_t:process { ptrace signal_perms };
+ allow $1 arpwatch_t:process signal_perms;
ps_process_pattern($1, arpwatch_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 arpwatch_t:process ptrace;
+ ')
+
arpwatch_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 arpwatch_initrc_exec_t system_r;
@@ -156,4 +185,8 @@ interface(`arpwatch_admin',`
files_list_pids($1)
admin_pattern($1, arpwatch_var_run_t)
+
+ arpwatch_systemctl($1)
+ admin_pattern($1, arpwatch_unit_file_t)
+ allow $1 arpwatch_unit_file_t:service all_service_perms;
')
diff --git a/arpwatch.te b/arpwatch.te
index 2d7bf345b..04d3ea1c8 100644
--- a/arpwatch.te
+++ b/arpwatch.te
@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
type arpwatch_var_run_t;
files_pid_file(arpwatch_var_run_t)
+type arpwatch_unit_file_t;
+systemd_unit_file(arpwatch_unit_file_t)
+
########################################
#
# Local policy
@@ -31,8 +34,11 @@ dontaudit arpwatch_t self:capability sys_tty_config;
allow arpwatch_t self:process signal_perms;
allow arpwatch_t self:unix_stream_socket { accept listen };
allow arpwatch_t self:tcp_socket { accept listen };
-allow arpwatch_t self:packet_socket create_socket_perms;
+allow arpwatch_t self:packet_socket { create_socket_perms map };
allow arpwatch_t self:socket create_socket_perms;
+allow arpwatch_t self:netlink_socket create_socket_perms;
+allow arpwatch_t self:netlink_netfilter_socket create_socket_perms;
+allow arpwatch_t self:bluetooth_socket create_socket_perms;
manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
@@ -45,13 +51,26 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
-kernel_read_kernel_sysctls(arpwatch_t)
kernel_read_network_state(arpwatch_t)
+# meminfo
kernel_read_system_state(arpwatch_t)
+kernel_read_kernel_sysctls(arpwatch_t)
+kernel_read_proc_symlinks(arpwatch_t)
kernel_request_load_module(arpwatch_t)
+corenet_all_recvfrom_netlabel(arpwatch_t)
+corenet_tcp_sendrecv_generic_if(arpwatch_t)
+corenet_udp_sendrecv_generic_if(arpwatch_t)
+corenet_raw_sendrecv_generic_if(arpwatch_t)
+corenet_tcp_sendrecv_generic_node(arpwatch_t)
+corenet_udp_sendrecv_generic_node(arpwatch_t)
+corenet_raw_sendrecv_generic_node(arpwatch_t)
+corenet_tcp_sendrecv_all_ports(arpwatch_t)
+corenet_udp_sendrecv_all_ports(arpwatch_t)
+
dev_read_sysfs(arpwatch_t)
dev_read_usbmon_dev(arpwatch_t)
+dev_map_usbmon_dev(arpwatch_t)
dev_rw_generic_usb_dev(arpwatch_t)
fs_getattr_all_fs(arpwatch_t)
@@ -59,15 +78,12 @@ fs_search_auto_mountpoints(arpwatch_t)
domain_use_interactive_fds(arpwatch_t)
-files_read_usr_files(arpwatch_t)
files_search_var_lib(arpwatch_t)
auth_use_nsswitch(arpwatch_t)
logging_send_syslog_msg(arpwatch_t)
-miscfiles_read_localization(arpwatch_t)
-
userdom_dontaudit_search_user_home_dirs(arpwatch_t)
userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
diff --git a/asterisk.if b/asterisk.if
index 2077053ea..198a02ab4 100644
--- a/asterisk.if
+++ b/asterisk.if
@@ -124,9 +124,13 @@ interface(`asterisk_admin',`
type asterisk_var_lib_t, asterisk_initrc_exec_t;
')
- allow $1 asterisk_t:process { ptrace signal_perms };
+ allow $1 asterisk_t:process signal_perms;
ps_process_pattern($1, asterisk_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 asterisk_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 asterisk_initrc_exec_t system_r;
diff --git a/asterisk.te b/asterisk.te
index 7e4135022..1e0f4c49b 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -19,7 +19,7 @@ type asterisk_log_t;
logging_log_file(asterisk_log_t)
type asterisk_spool_t;
-files_type(asterisk_spool_t)
+files_spool_file(asterisk_spool_t)
type asterisk_tmp_t;
files_tmp_file(asterisk_tmp_t)
@@ -39,7 +39,7 @@ init_daemon_run_dir(asterisk_var_run_t, "asterisk")
# Local policy
#
-allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin };
+allow asterisk_t self:capability { dac_read_search dac_override chown setgid setuid sys_nice net_admin };
dontaudit asterisk_t self:capability { sys_module sys_tty_config };
allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
allow asterisk_t self:fifo_file rw_fifo_file_perms;
@@ -73,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
+manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
-
+files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file })
can_exec(asterisk_t, asterisk_exec_t)
kernel_read_kernel_sysctls(asterisk_t)
@@ -88,7 +88,6 @@ kernel_request_load_module(asterisk_t)
corecmd_exec_bin(asterisk_t)
corecmd_exec_shell(asterisk_t)
-corenet_all_recvfrom_unlabeled(asterisk_t)
corenet_all_recvfrom_netlabel(asterisk_t)
corenet_tcp_sendrecv_generic_if(asterisk_t)
corenet_udp_sendrecv_generic_if(asterisk_t)
@@ -126,6 +125,7 @@ corenet_tcp_connect_pktcable_cops_port(asterisk_t)
corenet_sendrecv_sip_client_packets(asterisk_t)
corenet_tcp_connect_sip_port(asterisk_t)
+corenet_tcp_connect_http_port(asterisk_t)
dev_rw_generic_usb_dev(asterisk_t)
dev_read_sysfs(asterisk_t)
@@ -136,7 +136,6 @@ dev_read_urand(asterisk_t)
domain_use_interactive_fds(asterisk_t)
-files_read_usr_files(asterisk_t)
files_search_spool(asterisk_t)
files_dontaudit_search_home(asterisk_t)
@@ -150,8 +149,6 @@ auth_use_nsswitch(asterisk_t)
logging_search_logs(asterisk_t)
logging_send_syslog_msg(asterisk_t)
-miscfiles_read_localization(asterisk_t)
-
userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
userdom_dontaudit_search_user_home_dirs(asterisk_t)
diff --git a/authconfig.fc b/authconfig.fc
new file mode 100644
index 000000000..4579cfe17
--- /dev/null
+++ b/authconfig.fc
@@ -0,0 +1,3 @@
+/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:authconfig_exec_t,s0)
+
+/var/lib/authconfig(/.*)? gen_context(system_u:object_r:authconfig_var_lib_t,s0)
diff --git a/authconfig.if b/authconfig.if
new file mode 100644
index 000000000..316c324f2
--- /dev/null
+++ b/authconfig.if
@@ -0,0 +1,127 @@
+
+## policy for authconfig
+
+########################################
+##
+## Execute TEMPLATE in the authconfig domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`authconfig_domtrans',`
+ gen_require(`
+ type authconfig_t, authconfig_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, authconfig_exec_t, authconfig_t)
+')
+
+########################################
+##
+## Search authconfig lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`authconfig_search_lib',`
+ gen_require(`
+ type authconfig_var_lib_t;
+ ')
+
+ allow $1 authconfig_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read authconfig lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`authconfig_read_lib_files',`
+ gen_require(`
+ type authconfig_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
+')
+
+########################################
+##
+## Manage authconfig lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`authconfig_manage_lib_files',`
+ gen_require(`
+ type authconfig_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
+')
+
+########################################
+##
+## Manage authconfig lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`authconfig_manage_lib_dirs',`
+ gen_require(`
+ type authconfig_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an authconfig environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`authconfig_admin',`
+ gen_require(`
+ type authconfig_t;
+ type authconfig_var_lib_t;
+ ')
+
+ allow $1 authconfig_t:process { ptrace signal_perms };
+ ps_process_pattern($1, authconfig_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, authconfig_var_lib_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/authconfig.te b/authconfig.te
new file mode 100644
index 000000000..dca8e7905
--- /dev/null
+++ b/authconfig.te
@@ -0,0 +1,37 @@
+policy_module(authconfig, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type authconfig_t;
+type authconfig_exec_t;
+application_domain(authconfig_t, authconfig_exec_t)
+role system_r types authconfig_t;
+
+type authconfig_var_lib_t;
+files_type(authconfig_var_lib_t)
+
+########################################
+#
+# authconfig local policy
+#
+allow authconfig_t self:fifo_file rw_fifo_file_perms;
+allow authconfig_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
+manage_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
+manage_lnk_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
+files_var_lib_filetrans(authconfig_t, authconfig_var_lib_t, { dir file lnk_file })
+
+domain_use_interactive_fds(authconfig_t)
+domain_named_filetrans(authconfig_t)
+
+init_domtrans_script(authconfig_t)
+
+unconfined_domain_noaudit(authconfig_t)
+
+optional_policy(`
+ policykit_dbus_chat(authconfig_t)
+')
diff --git a/automount.fc b/automount.fc
index 92adb37e1..0a2ffc62d 100644
--- a/automount.fc
+++ b/automount.fc
@@ -1,6 +1,8 @@
/etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0)
/etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0)
+/usr/lib/systemd/system/autofs.* -- gen_context(system_u:object_r:automount_unit_file_t,s0)
+
/usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0)
/var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
diff --git a/automount.if b/automount.if
index f24e36960..4484a98da 100644
--- a/automount.if
+++ b/automount.if
@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
##
##
#
-#
interface(`automount_signal',`
gen_require(`
type automount_t;
@@ -112,6 +111,25 @@ interface(`automount_dontaudit_write_pipes',`
dontaudit $1 automount_t:fifo_file write;
')
+########################################
+##
+## Allow domain to search of automount temporary
+## directories.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`automount_search_tmp_dirs',`
+ gen_require(`
+ type automount_tmp_t;
+ ')
+
+ search_dirs_pattern($1, automount_tmp_t, automount_tmp_t)
+')
+
########################################
##
## Do not audit attempts to get
@@ -132,6 +150,30 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
dontaudit $1 automount_tmp_t:dir getattr_dir_perms;
')
+########################################
+##
+## Execute automount server in the automount domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`automount_systemctl',`
+ gen_require(`
+ type automount_t;
+ type automount_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 automount_unit_file_t:file read_file_perms;
+ allow $1 automount_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, automount_t)
+')
+
########################################
##
## All of the rules required to
@@ -153,12 +195,16 @@ interface(`automount_admin',`
gen_require(`
type automount_t, automount_lock_t, automount_tmp_t;
type automount_var_run_t, automount_initrc_exec_t;
- type automount_keytab_t;
+ type automount_unit_file_t, automount_keytab_t;
')
- allow $1 automount_t:process { ptrace signal_perms };
+ allow $1 automount_t:process signal_perms;
ps_process_pattern($1, automount_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 automount_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, automount_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 automount_initrc_exec_t system_r;
@@ -175,4 +221,8 @@ interface(`automount_admin',`
files_list_pids($1)
admin_pattern($1, automount_var_run_t)
+
+ automount_systemctl($1)
+ admin_pattern($1, automount_unit_file_t)
+ allow $1 automount_unit_file_t:service all_service_perms;
')
diff --git a/automount.te b/automount.te
index 27d2f400b..f74f75f1b 100644
--- a/automount.te
+++ b/automount.te
@@ -22,6 +22,9 @@ type automount_tmp_t;
files_tmp_file(automount_tmp_t)
files_mountpoint(automount_tmp_t)
+type automount_unit_file_t;
+systemd_unit_file(automount_unit_file_t)
+
type automount_var_run_t;
files_pid_file(automount_var_run_t)
@@ -30,7 +33,8 @@ files_pid_file(automount_var_run_t)
# Local policy
#
-allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
+allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_read_search dac_override sys_admin };
+allow automount_t self:capability2 block_suspend;
dontaudit automount_t self:capability sys_tty_config;
allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
allow automount_t self:fifo_file rw_fifo_file_perms;
@@ -67,7 +71,6 @@ kernel_dontaudit_search_xen_state(automount_t)
corecmd_exec_bin(automount_t)
corecmd_exec_shell(automount_t)
-corenet_all_recvfrom_unlabeled(automount_t)
corenet_all_recvfrom_netlabel(automount_t)
corenet_tcp_sendrecv_generic_if(automount_t)
corenet_udp_sendrecv_generic_if(automount_t)
@@ -91,6 +94,7 @@ corenet_udp_bind_all_rpc_ports(automount_t)
files_dontaudit_write_var_dirs(automount_t)
files_getattr_all_dirs(automount_t)
+files_getattr_all_files(automount_t)
files_getattr_default_dirs(automount_t)
files_getattr_home_dir(automount_t)
files_getattr_isid_type_dirs(automount_t)
@@ -101,7 +105,6 @@ files_mount_all_file_type_fs(automount_t)
files_mounton_all_mountpoints(automount_t)
files_mounton_mnt(automount_t)
files_read_etc_runtime_files(automount_t)
-files_read_usr_files(automount_t)
files_search_boot(automount_t)
files_search_all(automount_t)
files_unmount_all_file_type_fs(automount_t)
@@ -113,6 +116,7 @@ fs_manage_autofs_symlinks(automount_t)
fs_mount_all_fs(automount_t)
fs_mount_autofs(automount_t)
fs_read_nfs_files(automount_t)
+fs_read_nfs_symlinks(automount_t)
fs_search_all(automount_t)
fs_search_auto_mountpoints(automount_t)
fs_unmount_all_fs(automount_t)
@@ -135,14 +139,18 @@ auth_use_nsswitch(automount_t)
logging_send_syslog_msg(automount_t)
logging_search_logs(automount_t)
-miscfiles_read_localization(automount_t)
miscfiles_read_generic_certs(automount_t)
-mount_domtrans(automount_t)
-mount_signal(automount_t)
-
userdom_dontaudit_use_unpriv_user_fds(automount_t)
+optional_policy(`
+ # Run mount in the mount_t domain.
+ mount_domtrans(automount_t)
+ mount_domtrans_showmount(automount_t)
+ mount_signal(automount_t)
+ mount_rw_pid_files(automount_t)
+')
+
optional_policy(`
fstools_domtrans(automount_t)
')
@@ -166,3 +174,8 @@ optional_policy(`
optional_policy(`
udev_read_db(automount_t)
')
+
+tunable_policy(`mount_anyfile',`
+ files_mounton_non_security(automount_t)
+')
+
diff --git a/avahi.fc b/avahi.fc
index e9fe2cac1..4c2d0769e 100644
--- a/avahi.fc
+++ b/avahi.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
+/usr/lib/systemd/system/avahi.* -- gen_context(system_u:object_r:avahi_unit_file_t,s0)
+
/usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
/usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
diff --git a/avahi.if b/avahi.if
index 9078c3d85..2f6b2503e 100644
--- a/avahi.if
+++ b/avahi.if
@@ -209,6 +209,30 @@ interface(`avahi_dontaudit_search_pid',`
dontaudit $1 avahi_var_run_t:dir search_dir_perms;
')
+########################################
+##
+## Execute avahi server in the avahi domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`avahi_systemctl',`
+ gen_require(`
+ type avahi_t;
+ type avahi_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 avahi_unit_file_t:file read_file_perms;
+ allow $1 avahi_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, avahi_t)
+')
+
########################################
##
## Create specified objects in generic
@@ -258,12 +282,17 @@ interface(`avahi_filetrans_pid',`
interface(`avahi_admin',`
gen_require(`
type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
+ type avahi_unit_file_t;
type avahi_var_lib_t;
')
- allow $1 avahi_t:process { ptrace signal_perms };
+ allow $1 avahi_t:process signal_perms;
ps_process_pattern($1, avahi_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 avahi_t:process ptrace;
+ ')
+
avahi_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 avahi_initrc_exec_t system_r;
@@ -274,4 +303,8 @@ interface(`avahi_admin',`
files_search_var_lib($1)
admin_pattern($1, avahi_var_lib_t)
+
+ avahi_systemctl($1)
+ admin_pattern($1, avahi_unit_file_t)
+ allow $1 avahi_unit_file_t:service all_service_perms;
')
diff --git a/avahi.te b/avahi.te
index b8355b32f..51ce1b60f 100644
--- a/avahi.te
+++ b/avahi.te
@@ -13,17 +13,21 @@ type avahi_initrc_exec_t;
init_script_file(avahi_initrc_exec_t)
type avahi_var_lib_t;
-files_pid_file(avahi_var_lib_t)
+files_type(avahi_var_lib_t)
type avahi_var_run_t;
files_pid_file(avahi_var_run_t)
+init_sock_file(avahi_var_run_t)
+
+type avahi_unit_file_t;
+systemd_unit_file(avahi_unit_file_t)
########################################
#
# Local policy
#
-allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot };
+allow avahi_t self:capability { dac_read_search dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot };
dontaudit avahi_t self:capability sys_tty_config;
allow avahi_t self:process { setrlimit signal_perms getcap setcap };
allow avahi_t self:fifo_file rw_fifo_file_perms;
@@ -49,7 +53,6 @@ kernel_request_load_module(avahi_t)
corecmd_exec_bin(avahi_t)
corecmd_exec_shell(avahi_t)
-corenet_all_recvfrom_unlabeled(avahi_t)
corenet_all_recvfrom_netlabel(avahi_t)
corenet_tcp_sendrecv_generic_if(avahi_t)
corenet_udp_sendrecv_generic_if(avahi_t)
@@ -72,9 +75,9 @@ fs_search_auto_mountpoints(avahi_t)
fs_list_inotifyfs(avahi_t)
domain_use_interactive_fds(avahi_t)
+domain_dontaudit_signull_all_domains(avahi_t)
files_read_etc_runtime_files(avahi_t)
-files_read_usr_files(avahi_t)
auth_use_nsswitch(avahi_t)
@@ -83,13 +86,14 @@ init_signull_script(avahi_t)
logging_send_syslog_msg(avahi_t)
-miscfiles_read_localization(avahi_t)
miscfiles_read_generic_certs(avahi_t)
sysnet_domtrans_ifconfig(avahi_t)
sysnet_manage_config(avahi_t)
sysnet_etc_filetrans_config(avahi_t)
+systemd_login_signull(avahi_t)
+
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
userdom_dontaudit_search_user_home_dirs(avahi_t)
diff --git a/awstats.fc b/awstats.fc
index 11e6d5ffe..73b4ea47c 100644
--- a/awstats.fc
+++ b/awstats.fc
@@ -1,5 +1,5 @@
/usr/share/awstats/tools/.+\.pl -- gen_context(system_u:object_r:awstats_exec_t,s0)
-/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:httpd_awstats_content_t,s0)
-/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0)
+/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:awstats_content_t,s0)
+/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:awstats_script_exec_t,s0)
/var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0)
diff --git a/awstats.te b/awstats.te
index c1b16c392..ffbf2cb8f 100644
--- a/awstats.te
+++ b/awstats.te
@@ -26,6 +26,7 @@ type awstats_var_lib_t;
files_type(awstats_var_lib_t)
apache_content_template(awstats)
+apache_content_alias_template(awstats, awstats)
########################################
#
@@ -40,9 +41,9 @@ files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t)
-allow awstats_t { httpd_awstats_content_t httpd_awstats_script_exec_t }:dir search_dir_perms;
+allow awstats_t { awstats_content_t awstats_script_exec_t }:dir search_dir_perms;
-can_exec(awstats_t, { awstats_exec_t httpd_awstats_script_exec_t })
+can_exec(awstats_t, { awstats_exec_t awstats_script_exec_t })
kernel_dontaudit_read_system_state(awstats_t)
@@ -52,8 +53,6 @@ corecmd_exec_shell(awstats_t)
dev_read_urand(awstats_t)
files_dontaudit_search_all_mountpoints(awstats_t)
-files_read_etc_files(awstats_t)
-files_read_usr_files(awstats_t)
fs_list_inotifyfs(awstats_t)
@@ -61,8 +60,6 @@ libs_read_lib_files(awstats_t)
logging_read_generic_logs(awstats_t)
-miscfiles_read_localization(awstats_t)
-
sysnet_dns_name_resolve(awstats_t)
tunable_policy(`awstats_purge_apache_log_files',`
@@ -90,9 +87,13 @@ optional_policy(`
# CGI local policy
#
-allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
+apache_read_log(awstats_script_t)
+
+manage_dirs_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t)
+manage_files_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t)
+files_tmp_filetrans(awstats_script_t, awstats_tmp_t, { dir file })
-read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
-files_search_var_lib(httpd_awstats_script_t)
+allow awstats_script_t awstats_var_lib_t:dir list_dir_perms;
-apache_read_log(httpd_awstats_script_t)
+read_files_pattern(awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
+files_search_var_lib(awstats_script_t)
diff --git a/backup.te b/backup.te
index 7811450b6..e78703340 100644
--- a/backup.te
+++ b/backup.te
@@ -21,7 +21,7 @@ files_type(backup_store_t)
# Local policy
#
-allow backup_t self:capability dac_override;
+allow backup_t self:capability { dac_read_search dac_override };
allow backup_t self:process signal;
allow backup_t self:fifo_file rw_fifo_file_perms;
allow backup_t self:tcp_socket create_socket_perms;
@@ -38,7 +38,6 @@ kernel_read_kernel_sysctls(backup_t)
corecmd_exec_bin(backup_t)
corecmd_exec_shell(backup_t)
-corenet_all_recvfrom_unlabeled(backup_t)
corenet_all_recvfrom_netlabel(backup_t)
corenet_tcp_sendrecv_generic_if(backup_t)
corenet_tcp_sendrecv_generic_node(backup_t)
@@ -67,7 +66,7 @@ logging_send_syslog_msg(backup_t)
sysnet_read_config(backup_t)
-userdom_use_user_terminals(backup_t)
+userdom_use_inherited_user_terminals(backup_t)
optional_policy(`
cron_system_entry(backup_t, backup_exec_t)
diff --git a/bacula.fc b/bacula.fc
index 27ec3d519..65aa71bf6 100644
--- a/bacula.fc
+++ b/bacula.fc
@@ -8,6 +8,8 @@
/usr/sbin/bat -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
/usr/sbin/bconsole -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+/var/bacula(/.*)? gen_context(system_u:object_r:bacula_store_t,s0)
+
/var/lib/bacula.* gen_context(system_u:object_r:bacula_var_lib_t,s0)
/var/log/bacula.* gen_context(system_u:object_r:bacula_log_t,s0)
diff --git a/bacula.if b/bacula.if
index dcd774ee4..c240ffaf6 100644
--- a/bacula.if
+++ b/bacula.if
@@ -69,6 +69,7 @@ interface(`bacula_admin',`
type bacula_t, bacula_etc_t, bacula_log_t;
type bacula_spool_t, bacula_var_lib_t;
type bacula_var_run_t, bacula_initrc_exec_t;
+ attribute_role bacula_admin_roles;
')
allow $1 bacula_t:process { ptrace signal_perms };
diff --git a/bacula.te b/bacula.te
index f16b00008..1a7c80f01 100644
--- a/bacula.te
+++ b/bacula.te
@@ -27,6 +27,9 @@ type bacula_store_t;
files_type(bacula_store_t)
files_mountpoint(bacula_store_t)
+type bacula_tmp_t;
+files_tmp_file(bacula_tmp_t)
+
type bacula_var_lib_t;
files_type(bacula_var_lib_t)
@@ -38,21 +41,30 @@ type bacula_admin_exec_t;
application_domain(bacula_admin_t, bacula_admin_exec_t)
role bacula_admin_roles types bacula_admin_t;
+type bacula_unconfined_script_exec_t;
+application_executable_file(bacula_unconfined_script_exec_t)
+
########################################
#
# Local policy
#
-allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
+allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid setgid setuid};
allow bacula_t self:process signal;
allow bacula_t self:fifo_file rw_fifo_file_perms;
allow bacula_t self:tcp_socket { accept listen };
read_files_pattern(bacula_t, bacula_etc_t, bacula_etc_t)
+manage_files_pattern(bacula_t, bacula_tmp_t, bacula_tmp_t)
+manage_dirs_pattern(bacula_t, bacula_tmp_t, bacula_tmp_t)
+files_tmp_filetrans(bacula_t, bacula_tmp_t, { dir file })
+
+manage_dirs_pattern(bacula_t,bacula_log_t, bacula_log_t)
append_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
create_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
setattr_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
+logging_log_filetrans(bacula_t, bacula_log_t, { file dir })
manage_dirs_pattern(bacula_t, bacula_spool_t, bacula_spool_t)
manage_files_pattern(bacula_t, bacula_spool_t, bacula_spool_t)
@@ -88,6 +100,10 @@ corenet_udp_bind_generic_node(bacula_t)
corenet_sendrecv_generic_server_packets(bacula_t)
corenet_udp_bind_generic_port(bacula_t)
+
+#TODO: check port labels for hplip a bacula
+corenet_tcp_bind_bacula_port(bacula_t)
+
corenet_sendrecv_hplip_server_packets(bacula_t)
corenet_tcp_bind_hplip_port(bacula_t)
corenet_udp_bind_hplip_port(bacula_t)
@@ -98,19 +114,30 @@ corenet_tcp_connect_all_ports(bacula_t)
dev_getattr_all_blk_files(bacula_t)
dev_getattr_all_chr_files(bacula_t)
+files_getattr_all_pipes(bacula_t)
+files_getattr_all_sockets(bacula_t)
+
files_dontaudit_getattr_all_sockets(bacula_t)
+files_dontaudit_getattr_all_pipes(bacula_t)
files_read_all_files(bacula_t)
files_read_all_symlinks(bacula_t)
fs_getattr_xattr_fs(bacula_t)
fs_list_all(bacula_t)
+storage_raw_read_fixed_disk(bacula_t)
+storage_read_tape(bacula_t)
+storage_write_tape(bacula_t)
+
+auth_use_nsswitch(bacula_t)
auth_read_shadow(bacula_t)
logging_send_syslog_msg(bacula_t)
sysnet_dns_name_resolve(bacula_t)
+userdom_home_manager(bacula_t)
+
optional_policy(`
mysql_stream_connect(bacula_t)
mysql_tcp_connect(bacula_t)
@@ -125,6 +152,12 @@ optional_policy(`
ldap_stream_connect(bacula_t)
')
+optional_policy(`
+ postgresql_tcp_connect(bacula_t)
+ postgresql_stream_connect(bacula_t)
+')
+
+
########################################
#
# Client local policy
@@ -148,11 +181,32 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
domain_use_interactive_fds(bacula_admin_t)
-files_read_etc_files(bacula_admin_t)
-
-miscfiles_read_localization(bacula_admin_t)
-
sysnet_dns_name_resolve(bacula_admin_t)
userdom_dontaudit_search_user_home_dirs(bacula_admin_t)
userdom_use_user_ptys(bacula_admin_t)
+
+########################################
+#
+# Unconfined script local policy
+#
+
+optional_policy(`
+ type bacula_unconfined_script_t;
+ domain_type(bacula_unconfined_script_t)
+
+ domain_entry_file(bacula_unconfined_script_t, bacula_unconfined_script_exec_t)
+ role system_r types bacula_unconfined_script_t;
+
+ allow bacula_t bacula_unconfined_script_t:process signal_perms;
+
+ domtrans_pattern(bacula_t, bacula_unconfined_script_exec_t, bacula_unconfined_script_t)
+
+ allow bacula_unconfined_script_t bacula_unconfined_script_exec_t:dir search_dir_perms;
+ allow bacula_unconfined_script_t bacula_unconfined_script_exec_t:dir read_file_perms;
+ allow bacula_unconfined_script_t bacula_unconfined_script_exec_t:file ioctl;
+
+ optional_policy(`
+ unconfined_domain(bacula_unconfined_script_t)
+ ')
+')
diff --git a/bcfg2.fc b/bcfg2.fc
index fb42e352b..8af0e14ce 100644
--- a/bcfg2.fc
+++ b/bcfg2.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/bcfg2-server -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
+/usr/lib/systemd/system/bcfg2-server.* -- gen_context(system_u:object_r:bcfg2_unit_file_t,s0)
+
/usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
/var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
diff --git a/bcfg2.if b/bcfg2.if
index ec95d361e..186271b74 100644
--- a/bcfg2.if
+++ b/bcfg2.if
@@ -115,6 +115,32 @@ interface(`bcfg2_manage_lib_dirs',`
manage_dirs_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
')
+########################################
+##
+## Execute bcfg2 server in the bcfg2 domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bcfg2_systemctl',`
+ gen_require(`
+ type bcfg2_t;
+ type bcfg2_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 bcfg2_unit_file_t:file read_file_perms;
+ allow $1 bcfg2_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, bcfg2_t)
+')
+
+
########################################
##
## All of the rules required to
@@ -136,11 +162,16 @@ interface(`bcfg2_admin',`
gen_require(`
type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t;
type bcfg2_var_run_t;
+ type bcfg2_unit_file_t;
')
- allow $1 bcfg2_t:process { ptrace signal_perms };
+ allow $1 bcfg2_t:process { signal_perms };
ps_process_pattern($1, bcfg2_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 bcfg2_t:process ptrace;
+ ')
+
bcfg2_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 bcfg2_initrc_exec_t system_r;
@@ -151,4 +182,13 @@ interface(`bcfg2_admin',`
files_search_var_lib($1)
admin_pattern($1, bcfg2_var_lib_t)
+
+ bcfg2_systemctl($1)
+ admin_pattern($1, bcfg2_unit_file_t)
+ allow $1 bcfg2_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/bcfg2.te b/bcfg2.te
index c3fd7b148..e18959384 100644
--- a/bcfg2.te
+++ b/bcfg2.te
@@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t)
type bcfg2_var_lib_t;
files_type(bcfg2_var_lib_t)
+type bcfg2_unit_file_t;
+systemd_unit_file(bcfg2_unit_file_t)
+
type bcfg2_var_run_t;
files_pid_file(bcfg2_var_run_t)
@@ -52,10 +55,7 @@ dev_read_urand(bcfg2_t)
domain_use_interactive_fds(bcfg2_t)
-files_read_usr_files(bcfg2_t)
auth_use_nsswitch(bcfg2_t)
logging_send_syslog_msg(bcfg2_t)
-
-miscfiles_read_localization(bcfg2_t)
diff --git a/bind.fc b/bind.fc
index 2b9a3a10d..982ce9b71 100644
--- a/bind.fc
+++ b/bind.fc
@@ -1,54 +1,78 @@
-/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named-sdb -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
-/etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
-/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+
+/usr/lib/systemd/system/unbound.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
+/usr/lib/systemd/system/named.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
+/usr/lib/systemd/system/named-sdb.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
-/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
-/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
-/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-sdb -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-pkcs11 -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-anchor -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-checkconf -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-control -- gen_context(system_u:object_r:named_exec_t,s0)
-/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
-/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
-/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
+ifdef(`distro_debian',`
+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.local -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+')
+
+ifdef(`distro_gentoo',`
+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+')
-/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
-/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+ifdef(`distro_redhat',`
+/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/lib/softhsm(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
/var/named/chroot/proc(/.*)? <>
-/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
-/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
-/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/chroot/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
/var/named/chroot/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
-/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-
-/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+')
diff --git a/bind.if b/bind.if
index 531a8f244..3fcf18722 100644
--- a/bind.if
+++ b/bind.if
@@ -18,6 +18,30 @@ interface(`bind_initrc_domtrans',`
init_labeled_script_domtrans($1, named_initrc_exec_t)
')
+########################################
+##
+## Execute bind server in the bind domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bind_systemctl',`
+ gen_require(`
+ type named_unit_file_t;
+ type named_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 named_unit_file_t:file read_file_perms;
+ allow $1 named_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, named_t)
+')
+
########################################
##
## Execute ndc in the ndc domain.
@@ -169,6 +193,7 @@ interface(`bind_read_config',`
type named_conf_t;
')
+ allow $1 named_conf_t:dir list_dir_perms;
read_files_pattern($1, named_conf_t, named_conf_t)
')
@@ -210,6 +235,25 @@ interface(`bind_manage_config_dirs',`
manage_dirs_pattern($1, named_conf_t, named_conf_t)
')
+########################################
+##
+## Create, read, write, and delete
+## BIND configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_manage_config',`
+ gen_require(`
+ type named_conf_t;
+ ')
+
+ manage_files_pattern($1, named_conf_t, named_conf_t)
+')
+
########################################
##
## Search bind cache directories.
@@ -308,6 +352,47 @@ interface(`bind_read_zone',`
read_files_pattern($1, named_zone_t, named_zone_t)
')
+########################################
+##
+## Read BIND zone files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_read_log',`
+ gen_require(`
+ type named_zone_t;
+ type named_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 named_zone_t:dir search_dir_perms;
+ read_files_pattern($1, named_log_t, named_log_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## bind zone files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_manage_zone_dirs',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ files_search_var($1)
+ allow $1 named_zone_t:dir manage_dir_perms;
+')
+
########################################
##
## Create, read, write, and delete
@@ -342,6 +427,25 @@ interface(`bind_udp_chat_named',`
refpolicywarn(`$0($*) has been deprecated.')
')
+########################################
+##
+## Allow the domain to read bind state files in /proc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_read_state',`
+ gen_require(`
+ type named_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, named_t)
+')
+
########################################
##
## All of the rules required to
@@ -364,11 +468,17 @@ interface(`bind_admin',`
type named_t, named_tmp_t, named_log_t;
type named_cache_t, named_zone_t, named_initrc_exec_t;
type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
- type named_keytab_t;
+ type named_keytab_t, named_unit_file_t;
')
- allow $1 { named_t ndc_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { named_t ndc_t })
+ allow $1 named_t:process signal_perms;
+ ps_process_pattern($1, named_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 named_t:process ptrace;
+ ')
+
+ bind_run_ndc($1, $2)
init_labeled_script_domtrans($1, named_initrc_exec_t)
domain_system_change_exemption($1)
@@ -384,11 +494,15 @@ interface(`bind_admin',`
files_list_etc($1)
admin_pattern($1, { named_keytab_t named_conf_t })
+ admin_pattern($1, named_keytab_t)
+
files_list_var($1)
admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
files_list_pids($1)
admin_pattern($1, named_var_run_t)
- bind_run_ndc($1, $2)
+ admin_pattern($1, named_unit_file_t)
+ bind_systemctl($1)
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
index 124112346..71ecaba28 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
init_system_domain(named_t, named_checkconf_exec_t)
type named_conf_t;
-files_type(named_conf_t)
+files_config_file(named_conf_t)
files_mountpoint(named_conf_t)
# for secondary zone files
@@ -44,6 +44,9 @@ files_type(named_cache_t)
type named_initrc_exec_t;
init_script_file(named_initrc_exec_t)
+type named_unit_file_t;
+systemd_unit_file(named_unit_file_t)
+
type named_keytab_t;
files_type(named_keytab_t)
@@ -71,8 +74,9 @@ role ndc_roles types ndc_t;
# Local policy
#
-allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
+allow named_t self:capability { chown dac_read_search dac_override fowner net_raw net_admin setgid setuid sys_chroot sys_nice sys_resource };
dontaudit named_t self:capability sys_tty_config;
+allow named_t self:capability2 block_suspend;
allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
allow named_t self:fifo_file rw_fifo_file_perms;
allow named_t self:unix_stream_socket { accept listen };
@@ -84,14 +88,13 @@ allow named_t named_conf_t:dir list_dir_perms;
read_files_pattern(named_t, named_conf_t, named_conf_t)
read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
+manage_dirs_pattern(named_t, named_cache_t, named_cache_t)
manage_files_pattern(named_t, named_cache_t, named_cache_t)
manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
allow named_t named_keytab_t:file read_file_perms;
-append_files_pattern(named_t, named_log_t, named_log_t)
-create_files_pattern(named_t, named_log_t, named_log_t)
-setattr_files_pattern(named_t, named_log_t, named_log_t)
+manage_files_pattern(named_t, named_log_t, named_log_t)
logging_log_filetrans(named_t, named_log_t, file)
manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
@@ -115,7 +118,6 @@ kernel_read_network_state(named_t)
corecmd_search_bin(named_t)
-corenet_all_recvfrom_unlabeled(named_t)
corenet_all_recvfrom_netlabel(named_t)
corenet_tcp_sendrecv_generic_if(named_t)
corenet_udp_sendrecv_generic_if(named_t)
@@ -127,9 +129,15 @@ corenet_udp_bind_generic_node(named_t)
corenet_sendrecv_all_server_packets(named_t)
corenet_tcp_bind_dns_port(named_t)
corenet_udp_bind_dns_port(named_t)
+corenet_udp_bind_ipp_port(named_t)
+corenet_udp_bind_rtsp_port(named_t)
+corenet_udp_bind_dhcpc_port(named_t)
+corenet_udp_bind_kerberos_port(named_t)
+corenet_udp_bind_flash_port(named_t)
+corenet_udp_bind_bgp_port(named_t)
corenet_tcp_sendrecv_dns_port(named_t)
corenet_udp_sendrecv_dns_port(named_t)
-
+corenet_udp_bind_whois_port(named_t)
corenet_tcp_bind_rndc_port(named_t)
corenet_tcp_sendrecv_rndc_port(named_t)
@@ -140,14 +148,18 @@ corenet_udp_sendrecv_all_ports(named_t)
corenet_sendrecv_all_client_packets(named_t)
corenet_tcp_connect_all_ports(named_t)
corenet_tcp_sendrecv_all_ports(named_t)
+corenet_udp_bind_all_ephemeral_ports(named_t)
+corenet_tcp_bind_all_ephemeral_ports(named_t)
dev_read_sysfs(named_t)
dev_read_rand(named_t)
dev_read_urand(named_t)
+dev_dontaudit_write_urand(named_t)
domain_use_interactive_fds(named_t)
files_read_etc_runtime_files(named_t)
+files_mmap_usr_files(named_t)
fs_getattr_all_fs(named_t)
fs_search_auto_mountpoints(named_t)
@@ -174,6 +186,19 @@ tunable_policy(`named_write_master_zones',`
manage_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
')
+optional_policy(`
+ cron_system_entry(named_t, named_exec_t)
+')
+
+optional_policy(`
+ # needed by FreeIPA with DNS support
+ dirsrv_stream_connect(named_t)
+')
+
+optional_policy(`
+ dnssec_trigger_manage_pid_files(named_t)
+')
+
optional_policy(`
dbus_system_domain(named_t, named_exec_t)
@@ -187,7 +212,17 @@ optional_policy(`
')
optional_policy(`
+ ipa_manage_lib(named_t)
+')
+
+optional_policy(`
+ ipsec_rw_inherited_pipes(named_t)
+')
+
+optional_policy(`
+ kerberos_filetrans_named_content(named_t)
kerberos_read_keytab(named_t)
+ kerberos_read_host_rcache(named_t)
kerberos_use(named_t)
')
@@ -214,8 +249,9 @@ optional_policy(`
# NDC local policy
#
-allow ndc_t self:capability { dac_override net_admin };
-allow ndc_t self:process signal_perms;
+allow ndc_t self:capability { dac_read_search dac_override net_admin };
+allow ndc_t self:capability2 block_suspend;
+allow ndc_t self:process { fork signal_perms };
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
@@ -229,10 +265,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
-kernel_read_kernel_sysctls(ndc_t)
kernel_read_system_state(ndc_t)
+kernel_read_kernel_sysctls(ndc_t)
-corenet_all_recvfrom_unlabeled(ndc_t)
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
@@ -242,6 +277,9 @@ corenet_tcp_bind_generic_node(ndc_t)
corenet_tcp_connect_rndc_port(ndc_t)
corenet_sendrecv_rndc_client_packets(ndc_t)
+dev_read_rand(ndc_t)
+dev_read_urand(ndc_t)
+
domain_use_interactive_fds(ndc_t)
files_search_pids(ndc_t)
@@ -257,7 +295,7 @@ init_use_script_ptys(ndc_t)
logging_send_syslog_msg(ndc_t)
-miscfiles_read_localization(ndc_t)
+userdom_use_inherited_user_terminals(ndc_t)
userdom_use_user_terminals(ndc_t)
diff --git a/bird.te b/bird.te
index 1d60c2730..f8bb70055 100644
--- a/bird.te
+++ b/bird.te
@@ -51,7 +51,6 @@ corenet_tcp_connect_bgp_port(bird_t)
corenet_tcp_sendrecv_bgp_port(bird_t)
# /etc/iproute2/rt_realms
-files_read_etc_files(bird_t)
logging_send_syslog_msg(bird_t)
diff --git a/bitlbee.fc b/bitlbee.fc
index e9708d6cc..61362d088 100644
--- a/bitlbee.fc
+++ b/bitlbee.fc
@@ -7,7 +7,7 @@
/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
-/var/log/bip(/.*)? gen_context(system_u:object_r:bitlbee_log_t,s0)
+/var/log/bip.* gen_context(system_u:object_r:bitlbee_log_t,s0)
/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0)
/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0)
diff --git a/bitlbee.if b/bitlbee.if
index e73fb799e..2badfc0d9 100644
--- a/bitlbee.if
+++ b/bitlbee.if
@@ -44,9 +44,13 @@ interface(`bitlbee_admin',`
type bitlbee_log_t, bitlbee_tmp_t;
')
- allow $1 bitlbee_t:process { ptrace signal_perms };
+ allow $1 bitlbee_t:process signal_perms;
ps_process_pattern($1, bitlbee_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 bitlbee_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 bitlbee_initrc_exec_t system_r;
diff --git a/bitlbee.te b/bitlbee.te
index f5c1a48b6..102fa8eae 100644
--- a/bitlbee.te
+++ b/bitlbee.te
@@ -33,11 +33,14 @@ files_pid_file(bitlbee_var_run_t)
# Local policy
#
-allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
+allow bitlbee_t self:capability { dac_read_search dac_override kill setgid setuid sys_nice };
allow bitlbee_t self:process { setsched signal };
+
allow bitlbee_t self:fifo_file rw_fifo_file_perms;
-allow bitlbee_t self:tcp_socket { accept listen };
-allow bitlbee_t self:unix_stream_socket { accept listen };
+allow bitlbee_t self:udp_socket create_socket_perms;
+allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
+allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;
allow bitlbee_t bitlbee_conf_t:dir list_dir_perms;
allow bitlbee_t bitlbee_conf_t:file read_file_perms;
@@ -45,22 +48,25 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms;
manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+read_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+logging_log_filetrans(bitlbee_t, bitlbee_log_t, { dir file })
manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })
manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
-files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
+manage_dirs_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
+files_var_lib_filetrans(bitlbee_t, bitlbee_var_t,{dir file})
manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
-kernel_read_kernel_sysctls(bitlbee_t)
kernel_read_system_state(bitlbee_t)
+kernel_read_kernel_sysctls(bitlbee_t)
corenet_all_recvfrom_unlabeled(bitlbee_t)
corenet_all_recvfrom_netlabel(bitlbee_t)
@@ -98,7 +104,9 @@ corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
corenet_sendrecv_ircd_server_packets(bitlbee_t)
corenet_tcp_bind_ircd_port(bitlbee_t)
+corenet_tcp_bind_interwise_port(bitlbee_t)
corenet_sendrecv_ircd_client_packets(bitlbee_t)
+corenet_tcp_connect_interwise_port(bitlbee_t)
corenet_tcp_connect_ircd_port(bitlbee_t)
corenet_tcp_sendrecv_ircd_port(bitlbee_t)
@@ -109,16 +117,17 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
dev_read_rand(bitlbee_t)
dev_read_urand(bitlbee_t)
-files_read_usr_files(bitlbee_t)
-
libs_legacy_use_shared_libs(bitlbee_t)
auth_use_nsswitch(bitlbee_t)
logging_send_syslog_msg(bitlbee_t)
-miscfiles_read_localization(bitlbee_t)
+optional_policy(`
+ dbus_system_bus_client(bitlbee_t)
+')
optional_policy(`
tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
')
+
diff --git a/blkmapd.fc b/blkmapd.fc
new file mode 100644
index 000000000..5e59fb414
--- /dev/null
+++ b/blkmapd.fc
@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/blkmapd -- gen_context(system_u:object_r:blkmapd_initrc_exec_t,s0)
+
+/usr/sbin/blkmapd -- gen_context(system_u:object_r:blkmapd_exec_t,s0)
+
+/var/run/blkmapd\.pid -- gen_context(system_u:object_r:blkmapd_var_run_t,s0)
diff --git a/blkmapd.if b/blkmapd.if
new file mode 100644
index 000000000..76663796f
--- /dev/null
+++ b/blkmapd.if
@@ -0,0 +1,121 @@
+
+## The blkmapd daemon performs device discovery and mapping for pNFS block layout client.
+
+########################################
+##
+## Execute blkmapd_exec_t in the blkmapd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`blkmapd_domtrans',`
+ gen_require(`
+ type blkmapd_t, blkmapd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, blkmapd_exec_t, blkmapd_t)
+')
+
+######################################
+##
+## Execute blkmapd in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`blkmapd_exec',`
+ gen_require(`
+ type blkmapd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, blkmapd_exec_t)
+')
+
+########################################
+##
+## Execute blkmapd server in the blkmapd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`blkmapd_initrc_domtrans',`
+ gen_require(`
+ type blkmapd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, blkmapd_initrc_exec_t)
+')
+########################################
+##
+## Read blkmapd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`blkmapd_read_pid_files',`
+ gen_require(`
+ type blkmapd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, blkmapd_var_run_t, blkmapd_var_run_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an blkmapd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`blkmapd_admin',`
+ gen_require(`
+ type blkmapd_t;
+ type blkmapd_initrc_exec_t;
+ type blkmapd_var_run_t;
+ ')
+
+ allow $1 blkmapd_t:process { signal_perms };
+ ps_process_pattern($1, blkmapd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 blkmapd_t:process ptrace;
+ ')
+
+ blkmapd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 blkmapd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_pids($1)
+ admin_pattern($1, blkmapd_var_run_t)
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/blkmapd.te b/blkmapd.te
new file mode 100644
index 000000000..6cfb35592
--- /dev/null
+++ b/blkmapd.te
@@ -0,0 +1,44 @@
+policy_module(blkmapd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type blkmapd_t;
+type blkmapd_exec_t;
+init_daemon_domain(blkmapd_t, blkmapd_exec_t)
+
+type blkmapd_initrc_exec_t;
+init_script_file(blkmapd_initrc_exec_t)
+
+type blkmapd_var_run_t;
+files_pid_file(blkmapd_var_run_t)
+
+
+########################################
+#
+# blkmapd local policy
+#
+
+allow blkmapd_t self:capability sys_rawio;
+
+manage_files_pattern(blkmapd_t, blkmapd_var_run_t, blkmapd_var_run_t)
+files_pid_filetrans(blkmapd_t, blkmapd_var_run_t, file)
+
+kernel_read_system_state(blkmapd_t)
+
+dev_list_sysfs(blkmapd_t)
+
+fs_list_rpc(blkmapd_t)
+fs_rw_rpc_named_pipes(blkmapd_t)
+
+storage_raw_read_fixed_disk(blkmapd_t)
+storage_raw_read_removable_device(blkmapd_t)
+
+
+logging_send_syslog_msg(blkmapd_t)
+
+optional_policy(`
+ rpc_read_nfs_state_data(blkmapd_t)
+')
diff --git a/blueman.fc b/blueman.fc
index c295d2e01..4f84e9c14 100644
--- a/blueman.fc
+++ b/blueman.fc
@@ -1,3 +1,4 @@
+
/usr/libexec/blueman-mechanism -- gen_context(system_u:object_r:blueman_exec_t,s0)
/var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0)
diff --git a/blueman.if b/blueman.if
index 16ec52526..1dd40595c 100644
--- a/blueman.if
+++ b/blueman.if
@@ -38,6 +38,7 @@ interface(`blueman_dbus_chat',`
allow $1 blueman_t:dbus send_msg;
allow blueman_t $1:dbus send_msg;
+ ps_process_pattern(blueman_t, $1)
')
########################################
diff --git a/blueman.te b/blueman.te
index 3a5032e06..7987a21b1 100644
--- a/blueman.te
+++ b/blueman.te
@@ -7,7 +7,7 @@ policy_module(blueman, 1.1.0)
type blueman_t;
type blueman_exec_t;
-dbus_system_domain(blueman_t, blueman_exec_t)
+init_daemon_domain(blueman_t, blueman_exec_t)
type blueman_var_lib_t;
files_type(blueman_var_lib_t)
@@ -21,7 +21,8 @@ files_pid_file(blueman_var_run_t)
#
allow blueman_t self:capability { net_admin sys_nice };
-allow blueman_t self:process { signal_perms setsched };
+allow blueman_t self:process { execmem signal_perms setsched };
+
allow blueman_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
@@ -32,7 +33,7 @@ manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file })
-kernel_read_net_sysctls(blueman_t)
+kernel_rw_net_sysctls(blueman_t)
kernel_read_system_state(blueman_t)
kernel_request_load_module(blueman_t)
@@ -41,29 +42,45 @@ corecmd_exec_bin(blueman_t)
dev_read_rand(blueman_t)
dev_read_urand(blueman_t)
dev_rw_wireless(blueman_t)
+dev_rwx_zero(blueman_t)
domain_use_interactive_fds(blueman_t)
files_list_tmp(blueman_t)
-files_read_usr_files(blueman_t)
+files_dontaudit_write_all_mountpoints(blueman_t)
auth_use_nsswitch(blueman_t)
logging_send_syslog_msg(blueman_t)
-miscfiles_read_localization(blueman_t)
-
sysnet_domtrans_ifconfig(blueman_t)
+sysnet_dns_name_resolve(blueman_t)
optional_policy(`
avahi_domtrans(blueman_t)
')
+optional_policy(`
+ bluetooth_read_config(blueman_t)
+')
+
+optional_policy(`
+ dbus_system_domain(blueman_t, blueman_exec_t)
+')
+
optional_policy(`
dnsmasq_domtrans(blueman_t)
dnsmasq_read_pid_files(blueman_t)
')
+optional_policy(`
+ gnome_search_gconf(blueman_t)
+')
+
optional_policy(`
iptables_domtrans(blueman_t)
')
+
+optional_policy(`
+ xserver_read_state_xdm(blueman_t)
+')
diff --git a/bluetooth.fc b/bluetooth.fc
index 2b9c7f329..0086b95d1 100644
--- a/bluetooth.fc
+++ b/bluetooth.fc
@@ -5,10 +5,14 @@
/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+/usr/lib/systemd/system/bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0)
+
/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
/usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/pand -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/libexec/bluetooth/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
diff --git a/bluetooth.if b/bluetooth.if
index c723a0ae0..d3611b658 100644
--- a/bluetooth.if
+++ b/bluetooth.if
@@ -37,7 +37,12 @@ interface(`bluetooth_role',`
domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
ps_process_pattern($2, bluetooth_helper_t)
- allow $2 bluetooth_helper_t:process { ptrace signal_perms };
+
+ allow $2 bluetooth_helper_t:process signal_perms;
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 bluetooth_helper_t:process ptrace;
+ ')
allow $2 bluetooth_t:socket rw_socket_perms;
@@ -45,8 +50,10 @@ interface(`bluetooth_role',`
allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms };
allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+ manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+ bluetooth_stream_connect($2)
stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
- files_search_pids($2)
')
#####################################
@@ -63,11 +70,14 @@ interface(`bluetooth_role',`
interface(`bluetooth_stream_connect',`
gen_require(`
type bluetooth_t, bluetooth_var_run_t;
+ type bluetooth_tmp_t;
')
files_search_pids($1)
allow $1 bluetooth_t:socket rw_socket_perms;
+ allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
+ stream_connect_pattern($1, bluetooth_tmp_t, bluetooth_tmp_t, bluetooth_t)
')
########################################
@@ -128,6 +138,27 @@ interface(`bluetooth_dbus_chat',`
allow bluetooth_t $1:dbus send_msg;
')
+########################################
+##
+## dontaudit Send and receive messages from
+## bluetooth over dbus.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`bluetooth_dontaudit_dbus_chat',`
+ gen_require(`
+ type bluetooth_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 bluetooth_t:dbus send_msg;
+ dontaudit bluetooth_t $1:dbus send_msg;
+')
+
########################################
##
## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
@@ -188,6 +219,30 @@ interface(`bluetooth_dontaudit_read_helper_state',`
dontaudit $1 bluetooth_helper_t:file read_file_perms;
')
+########################################
+##
+## Execute bluetooth server in the bluetooth domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bluetooth_systemctl',`
+ gen_require(`
+ type bluetooth_t;
+ type bluetooth_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 bluetooth_unit_file_t:file read_file_perms;
+ allow $1 bluetooth_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, bluetooth_t)
+')
+
########################################
##
## All of the rules required to
@@ -210,12 +265,16 @@ interface(`bluetooth_admin',`
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
type bluetooth_var_lib_t, bluetooth_var_run_t;
type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t;
- type bluetooth_initrc_exec_t;
+ type bluetooth_unit_file_t, bluetooth_initrc_exec_t;
')
- allow $1 bluetooth_t:process { ptrace signal_perms };
+ allow $1 bluetooth_t:process signal_perms;
ps_process_pattern($1, bluetooth_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 bluetooth_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 bluetooth_initrc_exec_t system_r;
@@ -235,4 +294,8 @@ interface(`bluetooth_admin',`
files_list_pids($1)
admin_pattern($1, bluetooth_var_run_t)
+
+ bluetooth_systemctl($1)
+ admin_pattern($1, bluetooth_unit_file_t)
+ allow $1 bluetooth_unit_file_t:service all_service_perms;
')
diff --git a/bluetooth.te b/bluetooth.te
index 851769e55..903bc0f9e 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -10,6 +10,7 @@ attribute_role bluetooth_helper_roles;
type bluetooth_t;
type bluetooth_exec_t;
init_daemon_domain(bluetooth_t, bluetooth_exec_t)
+init_nnp_daemon_domain(bluetooth_t)
type bluetooth_conf_t;
files_config_file(bluetooth_conf_t)
@@ -49,12 +50,15 @@ files_type(bluetooth_var_lib_t)
type bluetooth_var_run_t;
files_pid_file(bluetooth_var_run_t)
+type bluetooth_unit_file_t;
+systemd_unit_file(bluetooth_unit_file_t)
+
########################################
#
# Local policy
#
-allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock };
+allow bluetooth_t self:capability { dac_read_search dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock };
dontaudit bluetooth_t self:capability sys_tty_config;
allow bluetooth_t self:process { getcap setcap getsched signal_perms };
allow bluetooth_t self:fifo_file rw_fifo_file_perms;
@@ -62,6 +66,8 @@ allow bluetooth_t self:shm create_shm_perms;
allow bluetooth_t self:socket create_stream_socket_perms;
allow bluetooth_t self:unix_stream_socket { accept connectto listen };
allow bluetooth_t self:tcp_socket { accept listen };
+allow bluetooth_t self:alg_socket create_stream_socket_perms;
+allow bluetooth_t self:bluetooth_socket create_stream_socket_perms;
allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
@@ -78,10 +84,12 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
-files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file })
+manage_fifo_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file fifo_file })
manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
+allow bluetooth_t bluetooth_var_lib_t:file map;
files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } )
manage_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t)
@@ -90,27 +98,37 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
can_exec(bluetooth_t, bluetooth_helper_exec_t)
+corecmd_exec_bin(bluetooth_t)
+corecmd_exec_shell(bluetooth_t)
+
kernel_read_kernel_sysctls(bluetooth_t)
kernel_read_system_state(bluetooth_t)
kernel_read_network_state(bluetooth_t)
kernel_request_load_module(bluetooth_t)
kernel_search_debugfs(bluetooth_t)
-corecmd_exec_bin(bluetooth_t)
-corecmd_exec_shell(bluetooth_t)
-
-dev_read_sysfs(bluetooth_t)
+corenet_all_recvfrom_netlabel(bluetooth_t)
+corenet_tcp_sendrecv_generic_if(bluetooth_t)
+corenet_udp_sendrecv_generic_if(bluetooth_t)
+corenet_raw_sendrecv_generic_if(bluetooth_t)
+corenet_tcp_sendrecv_generic_node(bluetooth_t)
+corenet_udp_sendrecv_generic_node(bluetooth_t)
+corenet_raw_sendrecv_generic_node(bluetooth_t)
+corenet_tcp_sendrecv_all_ports(bluetooth_t)
+corenet_udp_sendrecv_all_ports(bluetooth_t)
+
+dev_rw_sysfs(bluetooth_t)
dev_rw_usbfs(bluetooth_t)
dev_rw_generic_usb_dev(bluetooth_t)
dev_read_urand(bluetooth_t)
dev_rw_input_dev(bluetooth_t)
dev_rw_wireless(bluetooth_t)
+dev_rw_uhid_dev(bluetooth_t)
domain_use_interactive_fds(bluetooth_t)
domain_dontaudit_search_all_domains_state(bluetooth_t)
files_read_etc_runtime_files(bluetooth_t)
-files_read_usr_files(bluetooth_t)
fs_getattr_all_fs(bluetooth_t)
fs_search_auto_mountpoints(bluetooth_t)
@@ -122,7 +140,6 @@ auth_use_nsswitch(bluetooth_t)
logging_send_syslog_msg(bluetooth_t)
-miscfiles_read_localization(bluetooth_t)
miscfiles_read_fonts(bluetooth_t)
miscfiles_read_hwdata(bluetooth_t)
@@ -130,6 +147,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
userdom_dontaudit_use_user_terminals(bluetooth_t)
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+# machine-info
+systemd_hostnamed_read_config(bluetooth_t)
+systemd_dbus_chat_hostnamed(bluetooth_t)
+
optional_policy(`
dbus_system_bus_client(bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
@@ -200,7 +221,6 @@ dev_read_urand(bluetooth_helper_t)
domain_read_all_domains_state(bluetooth_helper_t)
files_read_etc_runtime_files(bluetooth_helper_t)
-files_read_usr_files(bluetooth_helper_t)
files_dontaudit_list_default(bluetooth_helper_t)
term_dontaudit_use_all_ttys(bluetooth_helper_t)
diff --git a/boinc.fc b/boinc.fc
index 6d3ccad60..bda740a71 100644
--- a/boinc.fc
+++ b/boinc.fc
@@ -1,9 +1,12 @@
-/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
-/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
+/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
-/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
-/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
-/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
-/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
+/usr/lib/systemd/system/boinc-client\.service -- gen_context(system_u:object_r:boinc_unit_file_t,s0)
+
+/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+
+/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
diff --git a/boinc.if b/boinc.if
index 02fefaaf7..308616e8d 100644
--- a/boinc.if
+++ b/boinc.if
@@ -1,9 +1,166 @@
-## Platform for computing using volunteered resources.
+## policy for boinc
########################################
##
-## All of the rules required to
-## administrate an boinc environment.
+## Execute a domain transition to run boinc.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`boinc_domtrans',`
+ gen_require(`
+ type boinc_t, boinc_exec_t;
+ ')
+
+ domtrans_pattern($1, boinc_exec_t, boinc_t)
+')
+
+#######################################
+##
+## Execute boinc server in the boinc domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_initrc_domtrans',`
+ gen_require(`
+ type boinc_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+')
+
+#######################################
+##
+## Dontaudit getattr on boinc lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_dontaudit_getattr_lib',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ dontaudit $1 boinc_var_lib_t:file getattr;
+')
+
+########################################
+##
+## Search boinc lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_search_lib',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ allow $1 boinc_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read boinc lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_read_lib_files',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## boinc lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_manage_lib_files',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+##
+## Manage boinc var_lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_manage_var_lib',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+#######################################
+##
+## Execute boinc server in the boinc domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`boinc_systemctl',`
+ gen_require(`
+ type boinc_t;
+ type boinc_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 boinc_unit_file_t:file read_file_perms;
+ allow $1 boinc_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, boinc_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an boinc environment.
##
##
##
@@ -19,26 +176,32 @@
#
interface(`boinc_admin',`
gen_require(`
-
- type boinc_t, boinc_project_t, boinc_log_t;
- type boinc_var_lib_t, boinc_tmp_t, boinc_initrc_exec_t;
- type boinc_project_var_lib_t, boinc_project_tmp_t;
+ type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
+ type boinc_unit_file_t;
')
- allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { boinc_t boinc_project_t })
+ allow $1 boinc_t:process signal_perms;
+ ps_process_pattern($1, boinc_t)
- init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 boinc_t:process ptrace;
+ ')
+
+ boinc_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 boinc_initrc_exec_t system_r;
allow $2 system_r;
- logging_search_logs($1)
- admin_pattern($1, boinc_log_t)
+ files_list_var_lib($1)
+ admin_pattern($1, boinc_var_lib_t)
- files_search_tmp($1)
- admin_pattern($1, { boinc_project_tmp_t boinc_tmp_t })
+ boinc_systemctl($1)
+ admin_pattern($1, boinc_unit_file_t)
- files_search_var_lib($1)
- admin_pattern($1, { boinc_project_var_lib_t boinc_var_lib_t })
+ allow $1 boinc_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/boinc.te b/boinc.te
index 687d4c48d..8ba0f8bdb 100644
--- a/boinc.te
+++ b/boinc.te
@@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1)
##
gen_tunable(boinc_execmem, true)
-type boinc_t;
+attribute boinc_domain;
+
+type boinc_t, boinc_domain;
type boinc_exec_t;
init_daemon_domain(boinc_t, boinc_exec_t)
@@ -28,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t)
type boinc_var_lib_t;
files_type(boinc_var_lib_t)
-type boinc_project_var_lib_t;
-files_type(boinc_project_var_lib_t)
-
type boinc_log_t;
logging_log_file(boinc_log_t)
+type boinc_unit_file_t;
+systemd_unit_file(boinc_unit_file_t)
+
type boinc_project_t;
domain_type(boinc_project_t)
-domain_entry_file(boinc_project_t, boinc_project_var_lib_t)
role system_r types boinc_project_t;
type boinc_project_tmp_t;
files_tmp_file(boinc_project_tmp_t)
+type boinc_project_var_lib_t;
+files_type(boinc_project_var_lib_t)
+
+#######################################
+#
+# boinc domain local policy
+#
+
+allow boinc_domain self:fifo_file rw_fifo_file_perms;
+allow boinc_domain self:process signal;
+allow boinc_domain self:sem create_sem_perms;
+
+manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+manage_lnk_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+
+corecmd_exec_bin(boinc_domain)
+corecmd_exec_shell(boinc_domain)
+
+dev_read_rand(boinc_domain)
+dev_read_urand(boinc_domain)
+dev_read_sysfs(boinc_domain)
+dev_rw_xserver_misc(boinc_domain)
+
+domain_read_all_domains_state(boinc_domain)
+
+files_read_etc_runtime_files(boinc_domain)
+
+fs_getattr_all_fs(boinc_domain)
+
+miscfiles_read_fonts(boinc_domain)
+
+tunable_policy(`boinc_execmem',`
+ allow boinc_domain self:process { execstack execmem };
+')
+
+optional_policy(`
+ sysnet_dns_name_resolve(boinc_domain)
+')
+
########################################
#
-# Local policy
+# boinc local policy
#
allow boinc_t self:process { setsched setpgid signull sigkill };
-allow boinc_t self:unix_stream_socket { accept listen };
-allow boinc_t self:tcp_socket { accept listen };
+
+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
+allow boinc_t self:tcp_socket create_stream_socket_perms;
allow boinc_t self:shm create_shm_perms;
-allow boinc_t self:fifo_file rw_fifo_file_perms;
-allow boinc_t self:sem create_sem_perms;
manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
@@ -60,75 +100,51 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
+allow boinc_t boinc_tmpfs_t:file map;
-manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-manage_lnk_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-
-# entry files to the boinc_project_t domain
-manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+# this should be created by default by boinc
+# we need this label for transition to boinc_project_t
+# other boinc lib files will end up with boinc_var_lib_t
filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
-append_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-logging_log_filetrans(boinc_t, boinc_log_t, file)
-
-can_exec(boinc_t, boinc_var_lib_t)
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+allow boinc_t boinc_project_var_lib_t:file map;
-domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+logging_log_filetrans(boinc_t, boinc_log_t, { file })
+# needs read /proc/interrupts
kernel_read_system_state(boinc_t)
+kernel_read_network_state(boinc_t)
kernel_search_vm_sysctl(boinc_t)
-corenet_all_recvfrom_unlabeled(boinc_t)
+dev_getattr_mouse_dev(boinc_t)
+
+files_getattr_all_dirs(boinc_t)
+files_getattr_all_files(boinc_t)
+
corenet_all_recvfrom_netlabel(boinc_t)
corenet_tcp_sendrecv_generic_if(boinc_t)
+corenet_udp_sendrecv_generic_if(boinc_t)
corenet_tcp_sendrecv_generic_node(boinc_t)
+corenet_udp_sendrecv_generic_node(boinc_t)
+corenet_tcp_sendrecv_all_ports(boinc_t)
+corenet_udp_sendrecv_all_ports(boinc_t)
corenet_tcp_bind_generic_node(boinc_t)
-
-corenet_sendrecv_boinc_client_packets(boinc_t)
-corenet_sendrecv_boinc_server_packets(boinc_t)
+corenet_udp_bind_generic_node(boinc_t)
corenet_tcp_bind_boinc_port(boinc_t)
-corenet_tcp_connect_boinc_port(boinc_t)
-corenet_tcp_sendrecv_boinc_port(boinc_t)
-
-corenet_sendrecv_boinc_client_server_packets(boinc_t)
corenet_tcp_bind_boinc_client_port(boinc_t)
-corenet_tcp_sendrecv_boinc_client_port(boinc_t)
-
-corenet_sendrecv_http_client_packets(boinc_t)
+corenet_tcp_connect_boinc_port(boinc_t)
corenet_tcp_connect_http_port(boinc_t)
-corenet_tcp_sendrecv_http_port(boinc_t)
-
-corenet_sendrecv_http_cache_client_packets(boinc_t)
corenet_tcp_connect_http_cache_port(boinc_t)
-corenet_tcp_sendrecv_http_cache_port(boinc_t)
-
-corenet_sendrecv_squid_client_packets(boinc_t)
corenet_tcp_connect_squid_port(boinc_t)
-corenet_tcp_sendrecv_squid_port(boinc_t)
-
-corecmd_exec_bin(boinc_t)
-corecmd_exec_shell(boinc_t)
-
-dev_read_rand(boinc_t)
-dev_read_urand(boinc_t)
-dev_read_sysfs(boinc_t)
-dev_rw_xserver_misc(boinc_t)
-
-domain_read_all_domains_state(boinc_t)
files_dontaudit_getattr_boot_dirs(boinc_t)
-files_getattr_all_dirs(boinc_t)
-files_getattr_all_files(boinc_t)
-files_read_etc_files(boinc_t)
-files_read_etc_runtime_files(boinc_t)
-files_read_usr_files(boinc_t)
-fs_getattr_all_fs(boinc_t)
+auth_read_passwd(boinc_t)
term_getattr_all_ptys(boinc_t)
term_getattr_unallocated_ttys(boinc_t)
@@ -137,8 +153,9 @@ init_read_utmp(boinc_t)
logging_send_syslog_msg(boinc_t)
-miscfiles_read_fonts(boinc_t)
-miscfiles_read_localization(boinc_t)
+modutils_dontaudit_exec_insmod(boinc_t)
+
+xserver_stream_connect(boinc_t)
tunable_policy(`boinc_execmem',`
allow boinc_t self:process { execstack execmem };
@@ -148,48 +165,61 @@ optional_policy(`
mta_send_mail(boinc_t)
')
-optional_policy(`
- sysnet_dns_name_resolve(boinc_t)
-')
-
########################################
#
-# Project local policy
+# boinc-projects local policy
#
allow boinc_project_t self:capability { setuid setgid };
-allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
+
+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+allow boinc_t boinc_project_t:process sigkill;
+allow boinc_t boinc_project_t:process noatsecure;
+
+allow boinc_project_t self:process { setcap getcap setpgid setsched signal signull sigkill sigstop };
+tunable_policy(`deny_ptrace',`',`
+ allow boinc_project_t self:process ptrace;
+')
+
+allow boinc_project_t self:process { execstack };
manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file})
+allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "projects")
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "slots" )
allow boinc_project_t boinc_project_var_lib_t:file execmod;
-can_exec(boinc_project_t, boinc_project_var_lib_t)
allow boinc_project_t boinc_t:shm rw_shm_perms;
-allow boinc_project_t boinc_tmpfs_t:file { read write };
+allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
kernel_read_kernel_sysctls(boinc_project_t)
-kernel_read_network_state(boinc_project_t)
kernel_search_vm_sysctl(boinc_project_t)
+kernel_read_network_state(boinc_project_t)
-corenet_all_recvfrom_unlabeled(boinc_project_t)
-corenet_all_recvfrom_netlabel(boinc_project_t)
-corenet_tcp_sendrecv_generic_if(boinc_project_t)
-corenet_tcp_sendrecv_generic_node(boinc_project_t)
-corenet_tcp_bind_generic_node(boinc_project_t)
-
-corenet_sendrecv_boinc_client_packets(boinc_project_t)
corenet_tcp_connect_boinc_port(boinc_project_t)
-corenet_tcp_sendrecv_boinc_port(boinc_project_t)
files_dontaudit_search_home(boinc_project_t)
+# needed by java
+fs_read_hugetlbfs_files(boinc_project_t)
+
+optional_policy(`
+ gnome_read_gconf_config(boinc_project_t)
+')
+
optional_policy(`
java_exec(boinc_project_t)
')
+
+# until solution for VirtualBox, java ..
+optional_policy(`
+ unconfined_domain(boinc_project_t)
+')
diff --git a/brctl.te b/brctl.te
index c5a91138c..1919abdd8 100644
--- a/brctl.te
+++ b/brctl.te
@@ -24,6 +24,7 @@ allow brctl_t self:unix_dgram_socket create_socket_perms;
allow brctl_t self:tcp_socket create_socket_perms;
kernel_request_load_module(brctl_t)
+kernel_read_system_state(brctl_t)
kernel_read_network_state(brctl_t)
kernel_read_sysctl(brctl_t)
@@ -34,12 +35,8 @@ dev_write_sysfs_dirs(brctl_t)
domain_use_interactive_fds(brctl_t)
-files_read_etc_files(brctl_t)
-
term_dontaudit_use_console(brctl_t)
-miscfiles_read_localization(brctl_t)
-
optional_policy(`
xen_append_log(brctl_t)
xen_dontaudit_rw_unix_stream_sockets(brctl_t)
diff --git a/brltty.fc b/brltty.fc
new file mode 100644
index 000000000..05e352897
--- /dev/null
+++ b/brltty.fc
@@ -0,0 +1,10 @@
+/tmp/brltty\.log.* -- gen_context(system_u:object_r:brltty_log_t,s0)
+
+/usr/lib/systemd/system/brltty.* -- gen_context(system_u:object_r:brltty_unit_file_t,s0)
+
+/usr/bin/brltty -- gen_context(system_u:object_r:brltty_exec_t,s0)
+
+/var/lib/BrlAPI(/.*)? gen_context(system_u:object_r:brltty_var_lib_t,s0)
+
+/var/run/brltty(/.*)? gen_context(system_u:object_r:brltty_var_run_t,s0)
+
diff --git a/brltty.if b/brltty.if
new file mode 100644
index 000000000..968c957ab
--- /dev/null
+++ b/brltty.if
@@ -0,0 +1,80 @@
+
+## brltty is refreshable braille display driver for Linux/Unix
+
+########################################
+##
+## Execute brltty in the brltty domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`brltty_domtrans',`
+ gen_require(`
+ type brltty_t, brltty_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, brltty_exec_t, brltty_t)
+')
+########################################
+##
+## Execute brltty server in the brltty domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`brltty_systemctl',`
+ gen_require(`
+ type brltty_t;
+ type brltty_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 brltty_unit_file_t:file read_file_perms;
+ allow $1 brltty_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, brltty_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an brltty environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`brltty_admin',`
+ gen_require(`
+ type brltty_t;
+ type brltty_unit_file_t;
+ ')
+
+ allow $1 brltty_t:process { signal_perms };
+ ps_process_pattern($1, brltty_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 brltty_t:process ptrace;
+ ')
+
+ brltty_systemctl($1)
+ admin_pattern($1, brltty_unit_file_t)
+ allow $1 brltty_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/brltty.te b/brltty.te
new file mode 100644
index 000000000..a4265adc9
--- /dev/null
+++ b/brltty.te
@@ -0,0 +1,72 @@
+policy_module(brltty, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type brltty_t;
+type brltty_exec_t;
+init_daemon_domain(brltty_t, brltty_exec_t)
+
+type brltty_var_lib_t;
+files_type(brltty_var_lib_t)
+
+type brltty_var_run_t;
+files_pid_file(brltty_var_run_t)
+
+type brltty_log_t;
+logging_log_file(brltty_log_t)
+
+type brltty_unit_file_t;
+systemd_unit_file(brltty_unit_file_t)
+
+########################################
+#
+# brltty local policy
+#
+allow brltty_t self:capability { sys_admin sys_tty_config mknod };
+allow brltty_t self:process { fork signal_perms };
+
+allow brltty_t self:fifo_file rw_fifo_file_perms;
+allow brltty_t self:unix_stream_socket create_stream_socket_perms;
+allow brltty_t self:tcp_socket listen;
+
+manage_files_pattern(brltty_t, brltty_log_t, brltty_log_t)
+manage_sock_files_pattern(brltty_t, brltty_log_t, brltty_log_t)
+manage_lnk_files_pattern(brltty_t, brltty_log_t, brltty_log_t)
+files_tmp_filetrans(brltty_t, brltty_log_t, { file dir })
+
+manage_dirs_pattern(brltty_t, brltty_var_lib_t, brltty_var_lib_t)
+manage_files_pattern(brltty_t, brltty_var_lib_t, brltty_var_lib_t)
+manage_sock_files_pattern(brltty_t,brltty_var_lib_t, brltty_var_lib_t)
+files_var_lib_filetrans(brltty_t, brltty_var_lib_t, {file sock_file dir})
+
+manage_dirs_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
+manage_files_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
+manage_chr_files_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
+files_pid_filetrans(brltty_t, brltty_var_run_t, { dir file chr_file })
+allow brltty_t brltty_var_run_t:dir mounton;
+
+kernel_read_system_state(brltty_t)
+kernel_read_usermodehelper_state(brltty_t)
+
+auth_use_nsswitch(brltty_t)
+
+corenet_tcp_bind_brlp_port(brltty_t)
+
+dev_read_sysfs(brltty_t)
+dev_rw_generic_usb_dev(brltty_t)
+dev_rw_input_dev(brltty_t)
+
+fs_getattr_all_fs(brltty_t)
+
+fs_getattr_all_fs(brltty_t)
+
+logging_send_syslog_msg(brltty_t)
+
+modutils_domtrans_insmod(brltty_t)
+
+sysnet_dns_name_resolve(brltty_t)
+
+term_use_unallocated_ttys(brltty_t)
diff --git a/bugzilla.fc b/bugzilla.fc
index fce0b6ebf..9efceac4e 100644
--- a/bugzilla.fc
+++ b/bugzilla.fc
@@ -1,4 +1,4 @@
-/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
-/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+/usr/share/bugzilla(/.*)? gen_context(system_u:object_r:bugzilla_content_t,s0)
+/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:bugzilla_script_exec_t,s0)
-/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:bugzilla_rw_content_t,s0)
diff --git a/bugzilla.if b/bugzilla.if
index 1b22262d5..d9ea246a1 100644
--- a/bugzilla.if
+++ b/bugzilla.if
@@ -12,10 +12,10 @@
#
interface(`bugzilla_search_content',`
gen_require(`
- type httpd_bugzilla_content_t;
+ type bugzilla_content_t;
')
- allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+ allow $1 bugzilla_content_t:dir search_dir_perms;
')
########################################
@@ -32,10 +32,10 @@ interface(`bugzilla_search_content',`
#
interface(`bugzilla_dontaudit_rw_stream_sockets',`
gen_require(`
- type httpd_bugzilla_script_t;
+ type bugzilla_script_t;
')
- dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
+ dontaudit $1 bugzilla_script_t:unix_stream_socket { read write };
')
########################################
@@ -48,33 +48,37 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
## Domain allowed access.
##
##
-##
-##
-## Role allowed access.
-##
-##
-##
#
interface(`bugzilla_admin',`
gen_require(`
- type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
- type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
- type httpd_bugzilla_htaccess_t;
+ type bugzilla_script_t, bugzilla_content_t, bugzilla_ra_content_t;
+ type bugzilla_rw_content_t, bugzilla_script_exec_t;
+ type bugzilla_htaccess_t, bugzilla_tmp_t;
+ ')
+
+ allow $1 bugzilla_script_t:process signal_perms;
+ ps_process_pattern($1, bugzilla_script_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 bugzilla_script_t:process ptrace;
')
- allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
- ps_process_pattern($1, httpd_bugzilla_script_t)
+ files_list_tmp($1)
+ admin_pattern($1, bugzilla_tmp_t)
- files_search_usr($1)
- admin_pattern($1, httpd_bugzilla_script_exec_t)
- admin_pattern($1, httpd_bugzilla_script_t)
- admin_pattern($1, httpd_bugzilla_content_t)
- admin_pattern($1, httpd_bugzilla_htaccess_t)
- admin_pattern($1, httpd_bugzilla_ra_content_t)
+ files_list_var_lib(bugzilla_script_t)
+
+ admin_pattern($1, bugzilla_script_exec_t)
+ admin_pattern($1, bugzilla_script_t)
+ admin_pattern($1, bugzilla_content_t)
+ admin_pattern($1, bugzilla_htaccess_t)
+ admin_pattern($1, bugzilla_ra_content_t)
files_search_tmp($1)
files_search_var_lib($1)
- admin_pattern($1, httpd_bugzilla_rw_content_t)
+ admin_pattern($1, bugzilla_rw_content_t)
- apache_list_sys_content($1)
+ optional_policy(`
+ apache_list_sys_content($1)
+ ')
')
diff --git a/bugzilla.te b/bugzilla.te
index 18623e39e..c62f617e1 100644
--- a/bugzilla.te
+++ b/bugzilla.te
@@ -6,42 +6,55 @@ policy_module(bugzilla, 1.1.0)
#
apache_content_template(bugzilla)
+apache_content_alias_template(bugzilla, bugzilla)
+
+type bugzilla_tmp_t alias httpd_bugzilla_tmp_t;
+files_tmp_file(bugzilla_tmp_t)
########################################
#
# Local policy
#
-allow httpd_bugzilla_script_t self:tcp_socket { accept listen };
+allow bugzilla_script_t self:tcp_socket { accept listen };
+
+corenet_all_recvfrom_netlabel(bugzilla_script_t)
+corenet_tcp_sendrecv_generic_if(bugzilla_script_t)
+corenet_tcp_sendrecv_generic_node(bugzilla_script_t)
+
+corenet_sendrecv_http_client_packets(bugzilla_script_t)
+corenet_tcp_connect_http_port(bugzilla_script_t)
+corenet_tcp_sendrecv_http_port(bugzilla_script_t)
+
+corenet_sendrecv_smtp_client_packets(bugzilla_script_t)
+corenet_tcp_connect_smtp_port(bugzilla_script_t)
+corenet_tcp_sendrecv_smtp_port(bugzilla_script_t)
+
+manage_dirs_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t)
+manage_files_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t)
+files_tmp_filetrans(bugzilla_script_t, bugzilla_tmp_t, { file dir })
-corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
-corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
-corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
-corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
+files_search_var_lib(bugzilla_script_t)
-corenet_sendrecv_http_client_packets(httpd_bugzilla_script_t)
-corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
-corenet_tcp_sendrecv_http_port(httpd_bugzilla_script_t)
+auth_read_passwd(bugzilla_script_t)
-corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
-corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
-corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
+dev_read_sysfs(bugzilla_script_t)
-files_search_var_lib(httpd_bugzilla_script_t)
+sysnet_read_config(bugzilla_script_t)
+sysnet_use_ldap(bugzilla_script_t)
-sysnet_dns_name_resolve(httpd_bugzilla_script_t)
-sysnet_use_ldap(httpd_bugzilla_script_t)
+miscfiles_read_certs(bugzilla_script_t)
optional_policy(`
- mta_send_mail(httpd_bugzilla_script_t)
+ mta_send_mail(bugzilla_script_t)
')
optional_policy(`
- mysql_stream_connect(httpd_bugzilla_script_t)
- mysql_tcp_connect(httpd_bugzilla_script_t)
+ mysql_stream_connect(bugzilla_script_t)
+ mysql_tcp_connect(bugzilla_script_t)
')
optional_policy(`
- postgresql_stream_connect(httpd_bugzilla_script_t)
- postgresql_tcp_connect(httpd_bugzilla_script_t)
+ postgresql_stream_connect(bugzilla_script_t)
+ postgresql_tcp_connect(bugzilla_script_t)
')
diff --git a/bumblebee.fc b/bumblebee.fc
new file mode 100644
index 000000000..b5ee23be7
--- /dev/null
+++ b/bumblebee.fc
@@ -0,0 +1,7 @@
+/etc/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
+
+/usr/lib/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
+
+/usr/sbin/bumblebeed -- gen_context(system_u:object_r:bumblebee_exec_t,s0)
+
+/var/run/bumblebee.* gen_context(system_u:object_r:bumblebee_var_run_t,s0)
diff --git a/bumblebee.if b/bumblebee.if
new file mode 100644
index 000000000..2d2e60c19
--- /dev/null
+++ b/bumblebee.if
@@ -0,0 +1,122 @@
+## policy for bumblebee
+
+########################################
+##
+## Execute bumblebee in the bumblebee domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bumblebee_domtrans',`
+ gen_require(`
+ type bumblebee_t, bumblebee_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, bumblebee_exec_t, bumblebee_t)
+')
+
+########################################
+##
+## Read bumblebee PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bumblebee_read_pid_files',`
+ gen_require(`
+ type bumblebee_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t)
+')
+
+########################################
+##
+## Execute bumblebee server in the bumblebee domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bumblebee_systemctl',`
+ gen_require(`
+ type bumblebee_t;
+ type bumblebee_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 bumblebee_unit_file_t:file read_file_perms;
+ allow $1 bumblebee_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, bumblebee_t)
+')
+
+########################################
+##
+## Connect to bumblebee over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bumblebee_stream_connect',`
+ gen_require(`
+ type bumblebee_t, bumblebee_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t, bumblebee_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an bumblebee environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`bumblebee_admin',`
+ gen_require(`
+ type bumblebee_t;
+ type bumblebee_var_run_t;
+ type bumblebee_unit_file_t;
+ ')
+
+ allow $1 bumblebee_t:process { signal_perms };
+ ps_process_pattern($1, bumblebee_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 bumblebee_t:process ptrace;
+ ')
+
+ files_search_pids($1)
+ admin_pattern($1, bumblebee_var_run_t)
+
+ bumblebee_systemctl($1)
+ admin_pattern($1, bumblebee_unit_file_t)
+ allow $1 bumblebee_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/bumblebee.te b/bumblebee.te
new file mode 100644
index 000000000..acaf51906
--- /dev/null
+++ b/bumblebee.te
@@ -0,0 +1,62 @@
+policy_module(bumblebee, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type bumblebee_t;
+type bumblebee_exec_t;
+init_daemon_domain(bumblebee_t, bumblebee_exec_t)
+
+type bumblebee_var_run_t;
+files_pid_file(bumblebee_var_run_t)
+
+type bumblebee_unit_file_t;
+systemd_unit_file(bumblebee_unit_file_t)
+
+########################################
+#
+# bumblebee local policy
+#
+
+allow bumblebee_t self:capability { setgid };
+allow bumblebee_t self:process { fork signal_perms };
+allow bumblebee_t self:fifo_file rw_fifo_file_perms;
+allow bumblebee_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+manage_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+manage_sock_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+manage_lnk_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+files_pid_filetrans(bumblebee_t, bumblebee_var_run_t, { dir file lnk_file sock_file })
+
+kernel_read_system_state(bumblebee_t)
+kernel_read_network_state(bumblebee_t)
+kernel_dontaudit_access_check_proc(bumblebee_t)
+kernel_dontaudit_write_proc_files(bumblebee_t)
+kernel_manage_debugfs(bumblebee_t)
+
+corecmd_exec_shell(bumblebee_t)
+corecmd_exec_bin(bumblebee_t)
+
+dev_read_sysfs(bumblebee_t)
+
+auth_use_nsswitch(bumblebee_t)
+
+logging_send_syslog_msg(bumblebee_t)
+
+modutils_domtrans_insmod(bumblebee_t)
+modutils_signal_insmod(bumblebee_t)
+
+sysnet_dns_name_resolve(bumblebee_t)
+
+xserver_domtrans(bumblebee_t)
+xserver_signal(bumblebee_t)
+xserver_stream_connect(bumblebee_t)
+xserver_manage_xkb_libs(bumblebee_t)
+corenet_tcp_connect_xserver_port(bumblebee_t)
+
+optional_policy(`
+ apm_stream_connect(bumblebee_t)
+')
diff --git a/cachefilesd.fc b/cachefilesd.fc
index 648c7902b..aa03fc8ae 100644
--- a/cachefilesd.fc
+++ b/cachefilesd.fc
@@ -1,9 +1,34 @@
-/etc/rc\.d/init\.d/cachefilesd -- gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0)
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the contexts to be assigned to various files and directories of
+# importance to the CacheFiles kernel module and userspace management daemon.
+#
+
+# cachefilesd executable will have:
+# label: system_u:object_r:cachefilesd_exec_t
+# MLS sensitivity: s0
+# MCS categories:
+
+/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
/usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
-/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefilesd_cache_t,s0)
+/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
-/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
diff --git a/cachefilesd.if b/cachefilesd.if
index 8de2ab9c5..3b419455f 100644
--- a/cachefilesd.if
+++ b/cachefilesd.if
@@ -1,39 +1,35 @@
-## CacheFiles user-space management daemon.
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the policy interface for the CacheFiles userspace management daemon.
+#
+## policy for cachefilesd
########################################
##
-## All of the rules required to
-## administrate an cachefilesd environment.
+## Execute a domain transition to run cachefilesd.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
-##
-##
-## Role allowed access.
-##
-##
-##
#
-interface(`cachefilesd_admin',`
+interface(`cachefilesd_domtrans',`
gen_require(`
- type cachefilesd_t, cachefilesd_initrc_exec_t, cachefilesd_cache_t;
- type cachefilesd_var_run_t;
+ type cachefilesd_t, cachefilesd_exec_t;
')
- allow $1 cachefilesd_t:process { ptrace signal_perms };
- ps_process_pattern($1, cachefilesd_t)
-
- init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cachefilesd_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_var($1)
- admin_pattern($1, cachefilesd_cache_t)
-
- files_search_pids($1)
- admin_pattern($1, cachefilesd_var_run_t)
+ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
')
diff --git a/cachefilesd.te b/cachefilesd.te
index a3760bc92..22ed920b7 100644
--- a/cachefilesd.te
+++ b/cachefilesd.te
@@ -1,52 +1,125 @@
policy_module(cachefilesd, 1.1.0)
-########################################
+###############################################################################
#
# Declarations
#
+#
+# Files in the cache are created by the cachefiles module with security ID
+# cachefiles_var_t
+#
+type cachefiles_var_t;
+files_type(cachefiles_var_t)
+
+#
+# The /dev/cachefiles character device has security ID cachefiles_dev_t
+#
+type cachefiles_dev_t;
+dev_node(cachefiles_dev_t)
+
+#
+# The cachefilesd daemon normally runs with security ID cachefilesd_t
+#
type cachefilesd_t;
type cachefilesd_exec_t;
init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
-type cachefilesd_initrc_exec_t;
-init_script_file(cachefilesd_initrc_exec_t)
-
-type cachefilesd_cache_t;
-files_type(cachefilesd_cache_t)
-
+#
+# The cachefilesd daemon pid file context
+#
type cachefilesd_var_run_t;
files_pid_file(cachefilesd_var_run_t)
-########################################
#
-# Local policy
+# The CacheFiles kernel module causes processes accessing the cache files to do
+# so acting as security ID cachefiles_kernel_t
+#
+type cachefiles_kernel_t;
+domain_type(cachefiles_kernel_t)
+domain_obj_id_change_exemption(cachefiles_kernel_t)
+role system_r types cachefiles_kernel_t;
+
+###############################################################################
#
+# Permit RPM to deal with files in the cache
+#
+optional_policy(`
+ rpm_use_script_fds(cachefilesd_t)
+')
-allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
+###############################################################################
+#
+# cachefilesd local policy
+#
+# These define what cachefilesd is permitted to do. This doesn't include very
+# much: startup stuff, logging, pid file, scanning the cache superstructure and
+# deleting files from the cache. It is not permitted to read/write files in
+# the cache.
+#
+# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
+# rules.
+#
+allow cachefilesd_t self:capability { setuid setgid sys_admin dac_read_search dac_override };
+allow cachefilesd_t self:process signal_perms;
+# Allow manipulation of pid file
+allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
+manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
+files_create_as_is_all_files(cachefilesd_t)
-manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
-manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
-
-dev_rw_cachefiles(cachefilesd_t)
+# Allow access to cachefiles device file
+allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
-files_create_all_files_as(cachefilesd_t)
-files_read_etc_files(cachefilesd_t)
+# Allow access to cache superstructure
+manage_dirs_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
+# Permit statfs on the backing filesystem
fs_getattr_xattr_fs(cachefilesd_t)
+# Basic access
+logging_send_syslog_msg(cachefilesd_t)
+init_dontaudit_use_script_ptys(cachefilesd_t)
term_dontaudit_use_generic_ptys(cachefilesd_t)
term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
-logging_send_syslog_msg(cachefilesd_t)
+###############################################################################
+#
+# When cachefilesd invokes the kernel module to begin caching, it has to tell
+# the kernel module the security context in which it should act, and this
+# policy has to approve that.
+#
+# There are two parts to this:
+#
+# (1) the security context used by the module to access files in the cache,
+# as set by the 'secctx' command in /etc/cachefilesd.conf, and
+#
+allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
-miscfiles_read_localization(cachefilesd_t)
+#
+# (2) the label that will be assigned to new files and directories created in
+# the cache by the module, which will be the same as the label on the
+# directory pointed to by the 'dir' command.
+#
+allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
-init_dontaudit_use_script_ptys(cachefilesd_t)
+###############################################################################
+#
+# cachefiles kernel module local policy
+#
+# This governs what the kernel module is allowed to do the contents of the
+# cache.
+#
+allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
-optional_policy(`
- rpm_use_script_fds(cachefilesd_t)
-')
+manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
+
+fs_getattr_xattr_fs(cachefiles_kernel_t)
+
+dev_search_sysfs(cachefiles_kernel_t)
+
+init_sigchld_script(cachefiles_kernel_t)
diff --git a/calamaris.if b/calamaris.if
index cd9c52871..ba793b748 100644
--- a/calamaris.if
+++ b/calamaris.if
@@ -42,7 +42,7 @@ interface(`calamaris_run',`
attribute_role calamaris_roles;
')
- lightsquid_domtrans($1)
+ calamaris_domtrans($1)
roleattribute $2 calamaris_roles;
')
diff --git a/calamaris.te b/calamaris.te
index 7e574604b..8d8cd78e5 100644
--- a/calamaris.te
+++ b/calamaris.te
@@ -23,7 +23,7 @@ files_type(calamaris_www_t)
# Local policy
#
-allow calamaris_t self:capability dac_override;
+allow calamaris_t self:capability { dac_read_search dac_override };
allow calamaris_t self:process { signal_perms setsched };
allow calamaris_t self:fifo_file rw_fifo_file_perms;
allow calamaris_t self:unix_stream_socket { accept listen };
@@ -41,19 +41,23 @@ kernel_read_system_state(calamaris_t)
corecmd_exec_bin(calamaris_t)
+corenet_all_recvfrom_netlabel(calamaris_t)
+corenet_tcp_sendrecv_generic_if(calamaris_t)
+corenet_udp_sendrecv_generic_if(calamaris_t)
+corenet_tcp_sendrecv_generic_node(calamaris_t)
+corenet_udp_sendrecv_generic_node(calamaris_t)
+corenet_tcp_sendrecv_all_ports(calamaris_t)
+corenet_udp_sendrecv_all_ports(calamaris_t)
+
dev_read_urand(calamaris_t)
-files_read_usr_files(calamaris_t)
+files_search_pids(calamaris_t)
files_read_etc_runtime_files(calamaris_t)
-libs_read_lib_files(calamaris_t)
-
auth_use_nsswitch(calamaris_t)
logging_send_syslog_msg(calamaris_t)
-miscfiles_read_localization(calamaris_t)
-
userdom_dontaudit_list_user_home_dirs(calamaris_t)
optional_policy(`
diff --git a/callweaver.te b/callweaver.te
index 0e5be4cdf..b9a407f90 100644
--- a/callweaver.te
+++ b/callweaver.te
@@ -84,4 +84,3 @@ term_use_ptmx(callweaver_t)
auth_use_nsswitch(callweaver_t)
-miscfiles_read_localization(callweaver_t)
diff --git a/canna.if b/canna.if
index 400db07a2..f416e22a7 100644
--- a/canna.if
+++ b/canna.if
@@ -43,9 +43,13 @@ interface(`canna_admin',`
type canna_var_run_t, canna_initrc_exec_t;
')
- allow $1 canna_t:process { ptrace signal_perms };
+ allow $1 canna_t:process signal_perms;
ps_process_pattern($1, canna_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 canna_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, canna_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 canna_initrc_exec_t system_r;
diff --git a/canna.te b/canna.te
index 9fe61621f..5c505e7de 100644
--- a/canna.te
+++ b/canna.te
@@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file })
kernel_read_kernel_sysctls(canna_t)
kernel_read_system_state(canna_t)
-corenet_all_recvfrom_unlabeled(canna_t)
corenet_all_recvfrom_netlabel(canna_t)
corenet_tcp_sendrecv_generic_if(canna_t)
corenet_tcp_sendrecv_generic_node(canna_t)
@@ -68,15 +67,13 @@ fs_search_auto_mountpoints(canna_t)
domain_use_interactive_fds(canna_t)
-files_read_etc_files(canna_t)
files_read_etc_runtime_files(canna_t)
-files_read_usr_files(canna_t)
files_search_tmp(canna_t)
files_dontaudit_read_root_files(canna_t)
-logging_send_syslog_msg(canna_t)
+auth_use_nsswitch(canna_t)
-miscfiles_read_localization(canna_t)
+logging_send_syslog_msg(canna_t)
sysnet_read_config(canna_t)
diff --git a/ccs.if b/ccs.if
index 5ded72d37..cb94e5ea7 100644
--- a/ccs.if
+++ b/ccs.if
@@ -98,20 +98,24 @@ interface(`ccs_manage_config',`
interface(`ccs_admin',`
gen_require(`
type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
- type ccs_var_lib_t_t, ccs_var_log_t;
+ type ccs_var_lib_t, ccs_var_log_t;
type ccs_var_run_t, ccs_tmp_t;
')
- allow $1 ccs_t:process { ptrace signal_perms };
+ allow $1 ccs_t:process { signal_perms };
ps_process_pattern($1, ccs_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ccs_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, ccs_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ccs_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
- admin_pattern($1, ccs_conf_t)
+ admin_pattern($1, cluster_conf_t)
files_search_var_lib($1)
admin_pattern($1, ccs_var_lib_t)
diff --git a/ccs.te b/ccs.te
index 658134d8a..58deeceaa 100644
--- a/ccs.te
+++ b/ccs.te
@@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t)
allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
allow ccs_t self:process { signal setrlimit setsched };
-dontaudit ccs_t self:process ptrace;
+
allow ccs_t self:fifo_file rw_fifo_file_perms;
allow ccs_t self:unix_stream_socket { accept connectto listen };
allow ccs_t self:tcp_socket { accept listen };
@@ -75,7 +75,6 @@ kernel_read_kernel_sysctls(ccs_t)
corecmd_list_bin(ccs_t)
corecmd_exec_bin(ccs_t)
-corenet_all_recvfrom_unlabeled(ccs_t)
corenet_all_recvfrom_netlabel(ccs_t)
corenet_tcp_sendrecv_generic_if(ccs_t)
corenet_udp_sendrecv_generic_if(ccs_t)
@@ -95,15 +94,13 @@ corenet_udp_bind_netsupport_port(ccs_t)
dev_read_urand(ccs_t)
-files_read_etc_files(ccs_t)
files_read_etc_runtime_files(ccs_t)
init_rw_script_tmp_files(ccs_t)
+init_signal(ccs_t)
logging_send_syslog_msg(ccs_t)
-miscfiles_read_localization(ccs_t)
-
sysnet_dns_name_resolve(ccs_t)
userdom_manage_unpriv_user_shared_mem(ccs_t)
@@ -115,8 +112,7 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
- aisexec_stream_connect(ccs_t)
- corosync_stream_connect(ccs_t)
+ rhcs_stream_connect_cluster(ccs_t)
')
optional_policy(`
diff --git a/cdrecord.if b/cdrecord.if
index fbc20f694..4de4a005c 100644
--- a/cdrecord.if
+++ b/cdrecord.if
@@ -27,6 +27,9 @@ interface(`cdrecord_role',`
allow cdrecord_t $2:unix_stream_socket rw_socket_perms;
- allow $2 cdrecord_t:process { ptrace signal_perms };
+ allow $2 cdrecord_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 cdrecord_t:process ptrace;
+ ')
ps_process_pattern($2, cdrecord_t)
')
diff --git a/cdrecord.te b/cdrecord.te
index 16883c9c3..97e9a429e 100644
--- a/cdrecord.te
+++ b/cdrecord.te
@@ -29,7 +29,7 @@ role cdrecord_roles types cdrecord_t;
# Local policy
#
-allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
+allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_read_search dac_override sys_rawio };
allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill };
allow cdrecord_t self:unix_stream_socket { accept listen };
@@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t)
domain_interactive_fd(cdrecord_t)
domain_use_interactive_fds(cdrecord_t)
-files_read_etc_files(cdrecord_t)
-
term_use_controlling_term(cdrecord_t)
term_list_ptys(cdrecord_t)
@@ -52,10 +50,7 @@ storage_write_scsi_generic(cdrecord_t)
logging_send_syslog_msg(cdrecord_t)
-miscfiles_read_localization(cdrecord_t)
-
-userdom_use_user_terminals(cdrecord_t)
-userdom_read_user_home_content_files(cdrecord_t)
+userdom_use_inherited_user_terminals(cdrecord_t)
tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
fs_list_auto_mountpoints(cdrecord_t)
@@ -104,11 +99,7 @@ tunable_policy(`cdrecord_read_content',`
userdom_dontaudit_read_user_home_content_files(cdrecord_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- files_search_mnt(cdrecord_t)
- fs_read_nfs_files(cdrecord_t)
- fs_read_nfs_symlinks(cdrecord_t)
-')
+userdom_home_manager(cdrecord_t)
optional_policy(`
resmgr_stream_connect(cdrecord_t)
diff --git a/certmaster.if b/certmaster.if
index 0c53b189b..ef29f6e6c 100644
--- a/certmaster.if
+++ b/certmaster.if
@@ -117,13 +117,16 @@ interface(`certmaster_manage_log',`
interface(`certmaster_admin',`
gen_require(`
type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
- type certmaster_etc_rw_t, certmaster_var_log_t;
- type certmaster_initrc_exec_t;
+ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
')
- allow $1 certmaster_t:process { ptrace signal_perms };
+ allow $1 certmaster_t:process signal_perms;
ps_process_pattern($1, certmaster_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 certmaster_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 certmaster_initrc_exec_t system_r;
diff --git a/certmaster.te b/certmaster.te
index 4a878730b..113f3b32f 100644
--- a/certmaster.te
+++ b/certmaster.te
@@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
dev_read_urand(certmaster_t)
files_list_var(certmaster_t)
-files_search_etc(certmaster_t)
-files_read_usr_files(certmaster_t)
auth_use_nsswitch(certmaster_t)
-miscfiles_read_localization(certmaster_t)
miscfiles_manage_generic_cert_dirs(certmaster_t)
miscfiles_manage_generic_cert_files(certmaster_t)
+
+mta_send_mail(certmaster_t)
diff --git a/certmonger.fc b/certmonger.fc
index ed298d8b6..c88764838 100644
--- a/certmonger.fc
+++ b/certmonger.fc
@@ -1,7 +1,12 @@
+/etc/systemd/system/dirsrv.target.wants(/.*)? gen_context(system_u:object_r:certmonger_unit_file_t,s0)
+/usr/lib/systemd/system/certmonger.* gen_context(system_u:object_r:certmonger_unit_file_t,s0)
+
/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0)
/usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
+/usr/lib/ipa/certmonger(/.*)? gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0)
+
/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
/var/run/certmonger.* gen_context(system_u:object_r:certmonger_var_run_t,s0)
diff --git a/certmonger.if b/certmonger.if
index 008f8ef26..144c0740a 100644
--- a/certmonger.if
+++ b/certmonger.if
@@ -160,16 +160,20 @@ interface(`certmonger_admin',`
')
ps_process_pattern($1, certmonger_t)
- allow $1 certmonger_t:process { ptrace signal_perms };
+ allow $1 certmonger_t:process signal_perms;
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 certmonger_t:process ptrace;
+ ')
certmonger_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 certmonger_initrc_exec_t system_r;
allow $2 system_r;
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, certmonger_var_lib_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
index 550b287ce..5c59aedd6 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t)
type certmonger_var_run_t;
files_pid_file(certmonger_var_run_t)
+type certmonger_unconfined_exec_t;
+application_executable_file(certmonger_unconfined_exec_t)
+
+type certmonger_unit_file_t;
+systemd_unit_file(certmonger_unit_file_t)
+
########################################
#
# Local policy
#
-allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
+allow certmonger_t self:capability { chown dac_override dac_read_search setgid setuid kill sys_nice };
dontaudit certmonger_t self:capability sys_tty_config;
allow certmonger_t self:capability2 block_suspend;
+
allow certmonger_t self:process { getsched setsched sigkill signal };
-allow certmonger_t self:fifo_file rw_fifo_file_perms;
-allow certmonger_t self:unix_stream_socket { accept listen };
-allow certmonger_t self:tcp_socket { accept listen };
+allow certmonger_t self:fifo_file rw_file_perms;
+allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
+allow certmonger_t self:tcp_socket create_stream_socket_perms;
+allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
@@ -41,6 +49,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
kernel_read_kernel_sysctls(certmonger_t)
kernel_read_system_state(certmonger_t)
+kernel_read_network_state(certmonger_t)
corenet_all_recvfrom_unlabeled(certmonger_t)
corenet_all_recvfrom_netlabel(certmonger_t)
@@ -49,17 +58,25 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
corenet_sendrecv_certmaster_client_packets(certmonger_t)
corenet_tcp_connect_certmaster_port(certmonger_t)
+
+corenet_tcp_connect_http_port(certmonger_t)
+corenet_tcp_connect_http_cache_port(certmonger_t)
+
+corenet_tcp_connect_ldap_port(certmonger_t)
+
+corenet_tcp_connect_pki_ca_port(certmonger_t)
corenet_tcp_sendrecv_certmaster_port(certmonger_t)
corecmd_exec_bin(certmonger_t)
corecmd_exec_shell(certmonger_t)
+dev_read_rand(certmonger_t)
dev_read_urand(certmonger_t)
domain_use_interactive_fds(certmonger_t)
-files_read_usr_files(certmonger_t)
files_list_tmp(certmonger_t)
+files_list_home(certmonger_t)
fs_search_cgroup_dirs(certmonger_t)
@@ -68,18 +85,26 @@ auth_rw_cache(certmonger_t)
init_getattr_all_script_files(certmonger_t)
+libs_exec_ldconfig(certmonger_t)
+
logging_send_syslog_msg(certmonger_t)
-miscfiles_read_localization(certmonger_t)
-miscfiles_manage_generic_cert_files(certmonger_t)
+miscfiles_manage_all_certs(certmonger_t)
+
+systemd_exec_systemctl(certmonger_t)
+systemd_manage_all_unit_files(certmonger_t)
+systemd_start_systemd_services(certmonger_t)
+systemd_status_all_unit_files(certmonger_t)
+
userdom_search_user_home_content(certmonger_t)
+userdom_write_user_tmp_dirs(certmonger_t)
optional_policy(`
- apache_initrc_domtrans(certmonger_t)
- apache_search_config(certmonger_t)
+ apache_read_config(certmonger_t)
apache_signal(certmonger_t)
apache_signull(certmonger_t)
+ apache_systemctl(certmonger_t)
')
optional_policy(`
@@ -92,11 +117,77 @@ optional_policy(`
')
optional_policy(`
- kerberos_read_keytab(certmonger_t)
+ dirsrv_manage_config(certmonger_t)
+ dirsrv_signal(certmonger_t)
+ dirsrv_signull(certmonger_t)
+ dirsrv_stream_connect(certmonger_t)
+')
+
+optional_policy(`
+ ipa_manage_lib(certmonger_t)
+ ipa_manage_log(certmonger_t)
+ ipa_manage_pid_files(certmonger_t)
+ ipa_named_filetrans_log_dir(certmonger_t)
+')
+
+optional_policy(`
kerberos_use(certmonger_t)
+ kerberos_read_keytab(certmonger_t)
+ kerberos_manage_kdc_config(certmonger_t)
+ kerberos_filetrans_named_content(certmonger_t)
+')
+
+optional_policy(`
+ mta_send_mail(certmonger_t)
')
optional_policy(`
pcscd_read_pid_files(certmonger_t)
pcscd_stream_connect(certmonger_t)
')
+
+optional_policy(`
+ pki_rw_tomcat_cert(certmonger_t)
+ pki_read_tomcat_lib_files(certmonger_t)
+ pki_tomcat_systemctl(certmonger_t)
+')
+
+optional_policy(`
+ rhcs_start_haproxy_services(certmonger_t)
+')
+
+optional_policy(`
+ sssd_delete_public_files(certmonger_t)
+')
+
+optional_policy(`
+ allow certmonger_t certmonger_unit_file_t:service manage_service_perms;
+ allow certmonger_t certmonger_unit_file_t:file manage_file_perms;
+ allow certmonger_t certmonger_unit_file_t:dir manage_dir_perms;
+ systemd_unit_file_filetrans(certmonger_t, certmonger_unit_file_t, dir)
+')
+
+########################################
+#
+# certmonger_unconfined_script_t local policy
+#
+
+optional_policy(`
+ type certmonger_unconfined_t;
+ domain_type(certmonger_unconfined_t)
+
+ domain_entry_file(certmonger_unconfined_t, certmonger_unconfined_exec_t)
+ role system_r types certmonger_unconfined_t;
+
+ domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)
+
+ allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;
+ allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;
+ allow certmonger_t certmonger_unconfined_exec_t:file ioctl;
+
+ init_domtrans_script(certmonger_unconfined_t)
+
+ optional_policy(`
+ unconfined_domain(certmonger_unconfined_t)
+ ')
+')
diff --git a/certwatch.te b/certwatch.te
index 171fafb99..69d01f6fa 100644
--- a/certwatch.te
+++ b/certwatch.te
@@ -18,34 +18,47 @@ role certwatch_roles types certwatch_t;
# Local policy
#
-allow certwatch_t self:capability sys_nice;
+allow certwatch_t self:capability { dac_read_search dac_override sys_nice };
allow certwatch_t self:process { setsched getsched };
+allow certwatch_t self:tcp_socket create_stream_socket_perms;
+kernel_read_system_state(certwatch_t)
+
+corecmd_exec_bin(certwatch_t)
+
+dev_read_rand(certwatch_t)
dev_read_urand(certwatch_t)
-files_read_etc_files(certwatch_t)
-files_read_usr_files(certwatch_t)
files_read_usr_symlinks(certwatch_t)
files_list_tmp(certwatch_t)
fs_list_inotifyfs(certwatch_t)
auth_manage_cache(certwatch_t)
+auth_read_passwd(certwatch_t)
auth_var_filetrans_cache(certwatch_t)
logging_send_syslog_msg(certwatch_t)
miscfiles_read_all_certs(certwatch_t)
-miscfiles_read_localization(certwatch_t)
+miscfiles_manage_generic_cert_dirs(certwatch_t)
+miscfiles_map_generic_certs(certwatch_t)
+
+sysnet_read_config(certwatch_t)
-userdom_use_user_terminals(certwatch_t)
-userdom_dontaudit_list_user_home_dirs(certwatch_t)
+userdom_use_inherited_user_terminals(certwatch_t)
+userdom_dontaudit_list_admin_dir(certwatch_t)
optional_policy(`
+ apache_domtrans(certwatch_t)
apache_exec_modules(certwatch_t)
apache_read_config(certwatch_t)
')
+optional_policy(`
+ mta_send_mail(certwatch_t)
+')
+
optional_policy(`
cron_system_entry(certwatch_t, certwatch_exec_t)
')
diff --git a/cfengine.if b/cfengine.if
index a7311229f..5279d4e3a 100644
--- a/cfengine.if
+++ b/cfengine.if
@@ -13,7 +13,6 @@
template(`cfengine_domain_template',`
gen_require(`
attribute cfengine_domain;
- type cfengine_log_t, cfengine_var_lib_t;
')
########################################
@@ -30,7 +29,29 @@ template(`cfengine_domain_template',`
# Policy
#
+ kernel_read_system_state(cfengine_$1_t)
+
auth_use_nsswitch(cfengine_$1_t)
+
+ logging_send_syslog_msg(cfengine_$1_t)
+')
+
+######################################
+##
+## Search cfengine lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cfengine_search_lib_files',`
+ gen_require(`
+ type cfengine_var_lib_t;
+ ')
+
+ allow $1 cfengine_var_lib_t:dir search_dir_perms;
')
########################################
@@ -71,6 +92,43 @@ interface(`cfengine_dontaudit_write_log_files',`
dontaudit $1 cfengine_var_log_t:file write_file_perms;
')
+#####################################
+##
+## Allow the specified domain to append cfengine's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cfengine_append_inherited_log',`
+ gen_require(`
+ type cfengine_var_log_t;
+ ')
+
+ cfengine_search_lib_files($1)
+ allow $1 cfengine_var_log_t:file { getattr append ioctl lock };
+')
+
+####################################
+##
+## Dontaudit the specified domain to write cfengine's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cfengine_dontaudit_write_log',`
+ gen_require(`
+ type cfengine_var_log_t;
+ ')
+
+ dontaudit $1 cfengine_var_log_t:file write;
+')
+
########################################
##
## All of the rules required to
@@ -94,7 +152,7 @@ interface(`cfengine_admin',`
type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t;
')
- allow $1 cfengine_domain:process { ptrace signal_perms };
+ allow $1 cfengine_domain:process { signal_perms };
ps_process_pattern($1, cfengine_domain)
init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
@@ -105,3 +163,4 @@ interface(`cfengine_admin',`
files_search_var_lib($1)
admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
')
+
diff --git a/cfengine.te b/cfengine.te
index fbe3ad955..21ab8e176 100644
--- a/cfengine.te
+++ b/cfengine.te
@@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
setattr_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
logging_log_filetrans(cfengine_domain, cfengine_log_t, dir)
-kernel_read_system_state(cfengine_domain)
-
corecmd_exec_bin(cfengine_domain)
corecmd_exec_shell(cfengine_domain)
dev_read_urand(cfengine_domain)
dev_read_sysfs(cfengine_domain)
-logging_send_syslog_msg(cfengine_domain)
-
-miscfiles_read_localization(cfengine_domain)
-
+sysnet_dns_name_resolve(cfengine_domain)
sysnet_domtrans_ifconfig(cfengine_domain)
########################################
@@ -69,7 +64,7 @@ domain_read_all_domains_state(cfengine_execd_t)
# Monitord local policy
#
-kernel_read_hotplug_sysctls(cfengine_monitord_t)
+kernel_read_usermodehelper_state(cfengine_monitord_t)
kernel_read_network_state(cfengine_monitord_t)
domain_read_all_domains_state(cfengine_monitord_t)
diff --git a/cgdcbxd.fc b/cgdcbxd.fc
new file mode 100644
index 000000000..756703813
--- /dev/null
+++ b/cgdcbxd.fc
@@ -0,0 +1,5 @@
+/usr/lib/systemd/system/cgdcbxd\.service -- gen_context(system_u:object_r:cgdcbxd_unit_file_t,s0)
+
+/usr/sbin/cgdcbxd -- gen_context(system_u:object_r:cgdcbxd_exec_t,s0)
+
+/var/run/cgdcbxd\.pid -- gen_context(system_u:object_r:cgdcbxd_var_run_t,s0)
diff --git a/cgdcbxd.if b/cgdcbxd.if
new file mode 100644
index 000000000..1efacf1d1
--- /dev/null
+++ b/cgdcbxd.if
@@ -0,0 +1,99 @@
+
+## policy for cgdcbxd
+
+########################################
+##
+## Execute TEMPLATE in the cgdcbxd domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cgdcbxd_domtrans',`
+ gen_require(`
+ type cgdcbxd_t, cgdcbxd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cgdcbxd_exec_t, cgdcbxd_t)
+')
+########################################
+##
+## Read cgdcbxd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cgdcbxd_read_pid_files',`
+ gen_require(`
+ type cgdcbxd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, cgdcbxd_var_run_t, cgdcbxd_var_run_t)
+')
+
+########################################
+##
+## Execute cgdcbxd server in the cgdcbxd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cgdcbxd_systemctl',`
+ gen_require(`
+ type cgdcbxd_t;
+ type cgdcbxd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 cgdcbxd_unit_file_t:file read_file_perms;
+ allow $1 cgdcbxd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, cgdcbxd_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an cgdcbxd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`cgdcbxd_admin',`
+ gen_require(`
+ type cgdcbxd_t;
+ type cgdcbxd_var_run_t;
+ type cgdcbxd_unit_file_t;
+ ')
+
+ allow $1 cgdcbxd_t:process { signal_perms };
+ ps_process_pattern($1, cgdcbxd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cgdcbxd_t:process ptrace;
+ ')
+
+ files_search_pids($1)
+ admin_pattern($1, cgdcbxd_var_run_t)
+
+ cgdcbxd_systemctl($1)
+ admin_pattern($1, cgdcbxd_unit_file_t)
+ allow $1 cgdcbxd_unit_file_t:service all_service_perms;
+
+')
diff --git a/cgdcbxd.te b/cgdcbxd.te
new file mode 100644
index 000000000..32640a7b0
--- /dev/null
+++ b/cgdcbxd.te
@@ -0,0 +1,40 @@
+policy_module(cgdcbxd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cgdcbxd_t;
+type cgdcbxd_exec_t;
+init_daemon_domain(cgdcbxd_t, cgdcbxd_exec_t)
+
+type cgdcbxd_var_run_t;
+files_pid_file(cgdcbxd_var_run_t)
+
+type cgdcbxd_unit_file_t;
+systemd_unit_file(cgdcbxd_unit_file_t)
+
+########################################
+#
+# cgdcbxd local policy
+#
+
+allow cgdcbxd_t self:fifo_file rw_fifo_file_perms;
+allow cgdcbxd_t self:unix_stream_socket create_stream_socket_perms;
+allow cgdcbxd_t self:udp_socket create_socket_perms;
+allow cgdcbxd_t self:unix_dgram_socket create_socket_perms;
+
+dontaudit cgdcbxd_t self:capability sys_ptrace;
+allow cgdcbxd_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_files_pattern(cgdcbxd_t, cgdcbxd_var_run_t, cgdcbxd_var_run_t)
+files_pid_filetrans(cgdcbxd_t, cgdcbxd_var_run_t, { file })
+
+kernel_read_system_state(cgdcbxd_t)
+kernel_read_network_state(cgdcbxd_t)
+kernel_search_network_sysctl(cgdcbxd_t)
+
+fs_manage_cgroup_files(cgdcbxd_t)
+
+domain_dontaudit_read_all_domains_state(cgdcbxd_t)
diff --git a/cgroup.if b/cgroup.if
index 85ca63f9a..1d1c99c8f 100644
--- a/cgroup.if
+++ b/cgroup.if
@@ -171,8 +171,26 @@ interface(`cgroup_admin',`
type cgrules_etc_t, cgclear_t;
')
- allow $1 { cgclear_t cgconfig_t cgred_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t })
+ allow $1 cgclear_t:process signal_perms;
+ ps_process_pattern($1, cgclear_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cgclear_t:process ptrace;
+ ')
+
+ allow $1 cgconfig_t:process signal_perms;
+ ps_process_pattern($1, cgconfig_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cgconfig_t:process ptrace;
+ ')
+
+ allow $1 cgred_t:process signal_perms;
+ ps_process_pattern($1, cgred_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cgred_t:process ptrace;
+ ')
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te
index 80a88a27a..514eb47f2 100644
--- a/cgroup.te
+++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
type cgrules_etc_t;
files_config_file(cgrules_etc_t)
-type cgconfig_t;
-type cgconfig_exec_t;
+type cgconfig_t alias cgconfigparser_t;
+type cgconfig_exec_t alias cgconfigparser_exec_t;
init_daemon_domain(cgconfig_t, cgconfig_exec_t)
type cgconfig_initrc_exec_t;
@@ -42,10 +42,12 @@ files_config_file(cgconfig_etc_t)
allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
-allow cgclear_t cgconfig_etc_t:file read_file_perms;
+read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t)
kernel_read_system_state(cgclear_t)
+auth_use_nsswitch(cgclear_t)
+
domain_setpriority_all_domains(cgclear_t)
fs_manage_cgroup_dirs(cgclear_t)
@@ -57,30 +59,33 @@ fs_unmount_cgroup(cgclear_t)
# cgconfig local policy
#
-allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config };
+allow cgconfig_t self:capability { dac_read_search dac_override fowner fsetid chown sys_admin sys_tty_config };
allow cgconfig_t cgconfig_etc_t:file read_file_perms;
kernel_list_unlabeled(cgconfig_t)
kernel_read_system_state(cgconfig_t)
-files_read_etc_files(cgconfig_t)
-
fs_manage_cgroup_dirs(cgconfig_t)
fs_manage_cgroup_files(cgconfig_t)
fs_mount_cgroup(cgconfig_t)
fs_mounton_cgroup(cgconfig_t)
fs_unmount_cgroup(cgconfig_t)
+auth_use_nsswitch(cgconfig_t)
+
########################################
#
# cgred local policy
#
+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_read_search dac_override sys_ptrace };
+allow cgred_t self:process signal_perms;
-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
+allow cgred_t self:netlink_connector_socket create_socket_perms;
+allow cgred_t cgconfig_etc_t:file read_file_perms;
allow cgred_t cgrules_etc_t:file read_file_perms;
allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms };
@@ -99,10 +104,11 @@ domain_setpriority_all_domains(cgred_t)
files_getattr_all_files(cgred_t)
files_getattr_all_sockets(cgred_t)
files_read_all_symlinks(cgred_t)
-files_read_etc_files(cgred_t)
-fs_write_cgroup_files(cgred_t)
+fs_manage_cgroup_dirs(cgred_t)
+fs_manage_cgroup_files(cgred_t)
+fs_list_inotifyfs(cgred_t)
-logging_send_syslog_msg(cgred_t)
+auth_use_nsswitch(cgred_t)
-miscfiles_read_localization(cgred_t)
+logging_send_syslog_msg(cgred_t)
diff --git a/chrome.fc b/chrome.fc
new file mode 100644
index 000000000..5c6bdb68d
--- /dev/null
+++ b/chrome.fc
@@ -0,0 +1,11 @@
+/opt/google/chrome[^/]*/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+/opt/google/chrome[^/]*/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+
+HOME_DIR/\.cache/google-chrome(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
+HOME_DIR/\.cache/google-chrome-unstable(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
+HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
diff --git a/chrome.if b/chrome.if
new file mode 100644
index 000000000..aa308eba6
--- /dev/null
+++ b/chrome.if
@@ -0,0 +1,137 @@
+
+## policy for chrome
+
+########################################
+##
+## Execute a domain transition to run chrome_sandbox.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`chrome_domtrans_sandbox',`
+ gen_require(`
+ type chrome_sandbox_t, chrome_sandbox_exec_t;
+ ')
+
+ domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)
+ ps_process_pattern(chrome_sandbox_t, $1)
+
+ allow $1 chrome_sandbox_t:fd use;
+
+ dontaudit chrome_sandbox_t $1:socket_class_set getattr;
+ allow chrome_sandbox_t $1:unix_stream_socket rw_socket_perms;
+
+ ifdef(`hide_broken_symptoms',`
+ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
+ ')
+')
+
+
+########################################
+##
+## Execute chrome_sandbox in the chrome_sandbox domain, and
+## allow the specified role the chrome_sandbox domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the chrome_sandbox domain.
+##
+##
+#
+interface(`chrome_run_sandbox',`
+ gen_require(`
+ type chrome_sandbox_t;
+ type chrome_sandbox_nacl_t;
+ ')
+
+ chrome_domtrans_sandbox($1)
+ role $2 types chrome_sandbox_t;
+ role $2 types chrome_sandbox_nacl_t;
+')
+
+########################################
+##
+## Role access for chrome sandbox
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`chrome_role_notrans',`
+ gen_require(`
+ type chrome_sandbox_t;
+ type chrome_sandbox_tmpfs_t;
+ type chrome_sandbox_nacl_t;
+ ')
+
+ role $1 types chrome_sandbox_t;
+ role $1 types chrome_sandbox_nacl_t;
+
+ ps_process_pattern($2, chrome_sandbox_t)
+ allow $2 chrome_sandbox_t:process signal_perms;
+
+ allow chrome_sandbox_t $2:unix_dgram_socket { read write };
+ allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
+ allow chrome_sandbox_t $2:unix_stream_socket rw_socket_perms;
+ allow chrome_sandbox_t $2:udp_socket rw_socket_perms;;
+ allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_socket_perms;
+ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
+ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
+
+ allow $2 chrome_sandbox_t:shm rw_shm_perms;
+
+ allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
+')
+
+########################################
+##
+## Role access for chrome sandbox
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`chrome_role',`
+ chrome_role_notrans($1, $2)
+ chrome_domtrans_sandbox($2)
+')
+
+########################################
+##
+## Dontaudit read/write to a chrome_sandbox leaks
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`chrome_dontaudit_sandbox_leaks',`
+ gen_require(`
+ type chrome_sandbox_t;
+ ')
+
+ dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write };
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
index 000000000..5dce7aba4
--- /dev/null
+++ b/chrome.te
@@ -0,0 +1,257 @@
+policy_module(chrome,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type chrome_sandbox_t;
+type chrome_sandbox_exec_t;
+application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
+role system_r types chrome_sandbox_t;
+ubac_constrained(chrome_sandbox_t)
+
+type chrome_sandbox_tmp_t;
+files_tmp_file(chrome_sandbox_tmp_t)
+
+type chrome_sandbox_tmpfs_t;
+files_tmpfs_file(chrome_sandbox_tmpfs_t)
+ubac_constrained(chrome_sandbox_tmpfs_t)
+
+type chrome_sandbox_nacl_t;
+type chrome_sandbox_nacl_exec_t;
+application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t)
+role system_r types chrome_sandbox_nacl_t;
+ubac_constrained(chrome_sandbox_nacl_t)
+
+type chrome_sandbox_home_t;
+userdom_user_home_content(chrome_sandbox_home_t)
+
+########################################
+#
+# chrome_sandbox local policy
+#
+allow chrome_sandbox_t self:capability2 block_suspend;
+allow chrome_sandbox_t self:capability { chown dac_read_search dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
+dontaudit chrome_sandbox_t self:capability sys_nice;
+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
+allow chrome_sandbox_t self:process { setcap setsched };
+allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms;
+allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
+allow chrome_sandbox_t self:shm create_shm_perms;
+allow chrome_sandbox_t self:sem create_sem_perms;
+allow chrome_sandbox_t self:msgq create_msgq_perms;
+allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
+dontaudit chrome_sandbox_t self:memprotect mmap_zero;
+
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_lnk_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
+userdom_user_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
+
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, { file dir })
+
+kernel_read_system_state(chrome_sandbox_t)
+kernel_read_kernel_sysctls(chrome_sandbox_t)
+
+auth_dontaudit_read_passwd(chrome_sandbox_t)
+
+fs_manage_cgroup_dirs(chrome_sandbox_t)
+fs_manage_cgroup_files(chrome_sandbox_t)
+fs_read_dos_files(chrome_sandbox_t)
+fs_read_hugetlbfs_files(chrome_sandbox_t)
+
+corecmd_exec_bin(chrome_sandbox_t)
+
+corenet_all_recvfrom_netlabel(chrome_sandbox_t)
+corenet_tcp_connect_all_ephemeral_ports(chrome_sandbox_t)
+corenet_tcp_connect_aol_port(chrome_sandbox_t)
+corenet_tcp_connect_asterisk_port(chrome_sandbox_t)
+corenet_tcp_connect_commplex_link_port(chrome_sandbox_t)
+corenet_tcp_connect_couchdb_port(chrome_sandbox_t)
+corenet_tcp_connect_flash_port(chrome_sandbox_t)
+corenet_tcp_connect_ftp_port(chrome_sandbox_t)
+corenet_tcp_connect_gatekeeper_port(chrome_sandbox_t)
+corenet_tcp_connect_generic_port(chrome_sandbox_t)
+corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
+corenet_tcp_connect_http_port(chrome_sandbox_t)
+corenet_tcp_connect_ipp_port(chrome_sandbox_t)
+corenet_tcp_connect_ipsecnat_port(chrome_sandbox_t)
+corenet_tcp_connect_jabber_client_port(chrome_sandbox_t)
+corenet_tcp_connect_jboss_management_port(chrome_sandbox_t)
+corenet_tcp_connect_mmcc_port(chrome_sandbox_t)
+corenet_tcp_connect_monopd_port(chrome_sandbox_t)
+corenet_tcp_connect_msnp_port(chrome_sandbox_t)
+corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t)
+corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
+corenet_tcp_connect_rtsp_port(chrome_sandbox_t)
+corenet_tcp_connect_soundd_port(chrome_sandbox_t)
+corenet_tcp_connect_speech_port(chrome_sandbox_t)
+corenet_tcp_connect_squid_port(chrome_sandbox_t)
+corenet_tcp_connect_tor_port(chrome_sandbox_t)
+corenet_tcp_connect_transproxy_port(chrome_sandbox_t)
+corenet_tcp_connect_vnc_port(chrome_sandbox_t)
+corenet_tcp_connect_whois_port(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
+
+domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
+
+dev_read_urand(chrome_sandbox_t)
+dev_read_sysfs(chrome_sandbox_t)
+dev_rwx_zero(chrome_sandbox_t)
+dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t)
+
+fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
+
+libs_legacy_use_shared_libs(chrome_sandbox_t)
+
+term_dontaudit_use_console(chrome_sandbox_t)
+
+miscfiles_read_fonts(chrome_sandbox_t)
+
+sysnet_dns_name_resolve(chrome_sandbox_t)
+
+userdom_rw_inherited_user_tmp_files(chrome_sandbox_t)
+userdom_execute_user_tmp_files(chrome_sandbox_t)
+userdom_map_tmp_files(chrome_sandbox_t)
+
+userdom_use_user_ptys(chrome_sandbox_t)
+userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
+userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
+userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
+userdom_search_user_home_content(chrome_sandbox_t)
+# This one we should figure a way to make it more secure
+userdom_manage_home_certs(chrome_sandbox_t)
+
+optional_policy(`
+ gnome_exec_config_home_files(chrome_sandbox_t)
+ gnome_read_generic_cache_files(chrome_sandbox_t)
+ gnome_rw_inherited_config(chrome_sandbox_t)
+ gnome_read_home_config(chrome_sandbox_t)
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium")
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chrome")
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome")
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome-unstable")
+')
+
+optional_policy(`
+ mozilla_write_user_home_files(chrome_sandbox_t)
+')
+
+optional_policy(`
+ xserver_use_user_fonts(chrome_sandbox_t)
+ xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_nfs(chrome_sandbox_t)
+ fs_exec_nfs_files(chrome_sandbox_t)
+ fs_read_nfs_files(chrome_sandbox_t)
+ fs_rw_inherited_nfs_files(chrome_sandbox_t)
+ fs_read_nfs_symlinks(chrome_sandbox_t)
+ fs_dontaudit_append_nfs_files(chrome_sandbox_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs(chrome_sandbox_t)
+ fs_exec_cifs_files(chrome_sandbox_t)
+ fs_rw_inherited_cifs_files(chrome_sandbox_t)
+ fs_read_cifs_files(chrome_sandbox_t)
+ fs_read_cifs_symlinks(chrome_sandbox_t)
+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_search_fusefs(chrome_sandbox_t)
+ fs_read_fusefs_files(chrome_sandbox_t)
+ fs_exec_fusefs_files(chrome_sandbox_t)
+ fs_read_fusefs_symlinks(chrome_sandbox_t)
+')
+
+tunable_policy(`use_ecryptfs_home_dirs',`
+ fs_read_ecryptfs_files(chrome_sandbox_t)
+ fs_dontaudit_append_ecryptfs_files(chrome_sandbox_t)
+ fs_read_ecryptfs_symlinks(chrome_sandbox_t)
+')
+
+optional_policy(`
+ bumblebee_stream_connect(chrome_sandbox_t)
+')
+
+optional_policy(`
+ cups_stream_connect(chrome_sandbox_t)
+')
+
+optional_policy(`
+ sandbox_use_ptys(chrome_sandbox_t)
+')
+
+optional_policy(`
+ unconfined_dontaudit_write_state(chrome_sandbox_t)
+')
+
+########################################
+#
+# chrome_sandbox_nacl local policy
+#
+
+allow chrome_sandbox_nacl_t self:process { execmem setsched sigkill sigstop signull signal };
+
+allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
+allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_nacl_t self:shm create_shm_perms;
+allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
+allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write };
+
+allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
+allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
+allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal sigchld share };
+
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
+
+domain_use_interactive_fds(chrome_sandbox_nacl_t)
+
+dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
+
+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
+ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
+ps_process_pattern(chrome_sandbox_nacl_t, chrome_sandbox_t)
+
+manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_lnk_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+
+kernel_read_state(chrome_sandbox_nacl_t)
+kernel_read_system_state(chrome_sandbox_nacl_t)
+
+corecmd_bin_entry_type(chrome_sandbox_nacl_t)
+
+dev_read_urand(chrome_sandbox_nacl_t)
+dev_read_sysfs(chrome_sandbox_nacl_t)
+dev_rwx_zero(chrome_sandbox_nacl_t)
+
+init_read_state(chrome_sandbox_nacl_t)
+
+libs_legacy_use_shared_libs(chrome_sandbox_nacl_t)
+
+userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
+userdom_execute_user_tmp_files(chrome_sandbox_nacl_t)
+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
+userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
+userdom_dontaudit_use_user_terminals(chrome_sandbox_nacl_t)
+
+optional_policy(`
+ gnome_dontaudit_append_config_files(chrome_sandbox_nacl_t)
+ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
+')
diff --git a/chronyd.fc b/chronyd.fc
index 4e4143ed8..940434abe 100644
--- a/chronyd.fc
+++ b/chronyd.fc
@@ -1,13 +1,20 @@
-/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
+/etc/chrony\.keys.* -- gen_context(system_u:object_r:chronyd_keys_t,s0)
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+/usr/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
+
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+/usr/libexec/chrony-helper -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+
+/usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0)
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
/var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
-/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/var/run/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/var/run/chronyd(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/var/run/chrony-helper(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0)
/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
/var/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0)
diff --git a/chronyd.if b/chronyd.if
index 32e8265c2..ffebaf512 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -57,6 +57,24 @@ interface(`chronyd_exec',`
can_exec($1, chronyd_exec_t)
')
+########################################
+##
+## Send generic signals to chronyd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_signal',`
+ gen_require(`
+ type chronyd_t;
+ ')
+
+ allow $1 chronyd_t:process signal;
+')
+
#####################################
##
## Read chronyd log files.
@@ -100,8 +118,7 @@ interface(`chronyd_rw_shm',`
########################################
##
-## Connect to chronyd using a unix
-## domain stream socket.
+## Read chronyd keys files.
##
##
##
@@ -109,19 +126,17 @@ interface(`chronyd_rw_shm',`
##
##
#
-interface(`chronyd_stream_connect',`
+interface(`chronyd_read_keys',`
gen_require(`
- type chronyd_t, chronyd_var_run_t;
+ type chronyd_keys_t;
')
- files_search_pids($1)
- stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
')
########################################
##
-## Send to chronyd using a unix domain
-## datagram socket.
+## Append chronyd keys files.
##
##
##
@@ -129,18 +144,62 @@ interface(`chronyd_stream_connect',`
##
##
#
-interface(`chronyd_dgram_send',`
+interface(`chronyd_append_keys',`
+ gen_require(`
+ type chronyd_keys_t;
+ ')
+
+ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+')
+
+########################################
+##
+## Execute chronyd server in the chronyd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`chronyd_systemctl',`
+ gen_require(`
+ type chronyd_t;
+ type chronyd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 chronyd_unit_file_t:file read_file_perms;
+ allow $1 chronyd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, chronyd_t)
+')
+
+#######################################
+##
+## Connect to chronyd using a unix
+## domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_stream_connect',`
gen_require(`
type chronyd_t, chronyd_var_run_t;
')
files_search_pids($1)
- dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+ stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
')
########################################
##
-## Read chronyd key files.
+## Send to chronyd using a unix domain
+## datagram socket.
##
##
##
@@ -148,13 +207,13 @@ interface(`chronyd_dgram_send',`
##
##
#
-interface(`chronyd_read_key_files',`
+interface(`chronyd_dgram_send',`
gen_require(`
- type chronyd_keys_t;
+ type chronyd_t, chronyd_var_run_t;
')
- files_search_etc($1)
- read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+ files_search_pids($1)
+ dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
')
####################################
@@ -176,28 +235,81 @@ interface(`chronyd_read_key_files',`
#
interface(`chronyd_admin',`
gen_require(`
- type chronyd_t, chronyd_var_log_t;
- type chronyd_var_run_t, chronyd_var_lib_t;
- type chronyd_initrc_exec_t, chronyd_keys_t;
+ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
+ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
+ type chronyd_keys_t, chronyd_unit_file_t;
')
- allow $1 chronyd_t:process { ptrace signal_perms };
+ allow $1 chronyd_t:process signal_perms;
ps_process_pattern($1, chronyd_t)
- chronyd_initrc_domtrans($1)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 chronyd_t:process ptrace;
+ ')
+
+ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 chronyd_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, chronyd_keys_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, chronyd_var_log_t)
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, chronyd_var_lib_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, chronyd_var_run_t)
+
+ admin_pattern($1, chronyd_tmpfs_t)
+
+ admin_pattern($1, chronyd_unit_file_t)
+ chronyd_systemctl($1)
+ allow $1 chronyd_unit_file_t:service all_service_perms;
+')
+
+########################################
+##
+## Execute chronyc in the chronyc domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`chronyd_domtrans_chronyc',`
+ gen_require(`
+ type chronyc_t, chronyc_exec_t;
+ ')
+
+ domtrans_pattern($1, chronyc_exec_t, chronyc_t)
+')
+
+########################################
+##
+## Execute chronyc in the chronyc domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`chronyd_run_chronyc',`
+ gen_require(`
+ type chronyc_t;
+ attribute_role chronyc_roles;
+ ')
+
+ chronyd_domtrans_chronyc($1)
+ roleattribute $2 chronyc_roles;
')
diff --git a/chronyd.te b/chronyd.te
index e5b621c29..6ba55b0a4 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -5,6 +5,9 @@ policy_module(chronyd, 1.2.0)
# Declarations
#
+attribute_role chronyc_roles;
+roleattribute system_r chronyc_roles;
+
type chronyd_t;
type chronyd_exec_t;
init_daemon_domain(chronyd_t, chronyd_exec_t)
@@ -18,6 +21,9 @@ files_type(chronyd_keys_t)
type chronyd_tmpfs_t;
files_tmpfs_file(chronyd_tmpfs_t)
+type chronyd_unit_file_t;
+systemd_unit_file(chronyd_unit_file_t)
+
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
@@ -27,21 +33,40 @@ logging_log_file(chronyd_var_log_t)
type chronyd_var_run_t;
files_pid_file(chronyd_var_run_t)
+type chronyd_tmp_t;
+files_tmp_file(chronyd_tmp_t)
+
+type chronyc_t;
+type chronyc_exec_t;
+domain_type(chronyc_t, chronyc_exec_t)
+init_system_domain(chronyc_t, chronyc_exec_t)
+role chronyc_roles types chronyc_t;
+
########################################
#
# Local policy
#
-allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
-allow chronyd_t self:process { getcap setcap setrlimit signal };
+allow chronyd_t self:capability { dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time chown net_admin };
+allow chronyd_t self:capability2 block_suspend;
+allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal };
allow chronyd_t self:shm create_shm_perms;
+allow chronyd_t self:udp_socket create_socket_perms;
+allow chronyd_t self:unix_dgram_socket { create_socket_perms sendto };
allow chronyd_t self:fifo_file rw_fifo_file_perms;
+allow chronyd_t chronyd_keys_t:file append_file_perms;
+allow chronyd_t chronyd_keys_t:file setattr_file_perms;
allow chronyd_t chronyd_keys_t:file read_file_perms;
+allow chronyd_t chronyc_t:unix_dgram_socket sendto;
+
+allow chronyd_t chronyc_exec_t:file mmap_file_perms;
+
manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file })
+allow chronyd_t chronyd_tmpfs_t:file map;
manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
@@ -61,6 +86,11 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
kernel_read_system_state(chronyd_t)
kernel_read_network_state(chronyd_t)
+kernel_request_load_module(chronyd_t)
+
+can_exec(chronyd_t,chronyc_exec_t)
+
+clock_read_adjtime(chronyd_t)
corenet_all_recvfrom_unlabeled(chronyd_t)
corenet_all_recvfrom_netlabel(chronyd_t)
@@ -76,18 +106,85 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
corenet_udp_bind_chronyd_port(chronyd_t)
corenet_udp_sendrecv_chronyd_port(chronyd_t)
+domain_dontaudit_getsession_all_domains(chronyd_t)
+
+dev_read_rand(chronyd_t)
+dev_read_urand(chronyd_t)
+dev_read_sysfs(chronyd_t)
+
dev_rw_realtime_clock(chronyd_t)
auth_use_nsswitch(chronyd_t)
+corecmd_exec_bin(chronyd_t)
+
logging_send_syslog_msg(chronyd_t)
-miscfiles_read_localization(chronyd_t)
+mta_send_mail(chronyd_t)
+
+sysnet_read_dhcpc_state(chronyd_t)
+
+systemd_exec_systemctl(chronyd_t)
+
+userdom_dgram_send(chronyd_t)
optional_policy(`
gpsd_rw_shm(chronyd_t)
')
optional_policy(`
- mta_send_mail(chronyd_t)
+ virt_read_lib_files(chronyd_t)
+')
+
+optional_policy(`
+ timemaster_stream_connect(chronyd_t)
+ timemaster_read_pid_files(chronyd_t)
+ timemaster_rw_shm(chronyd_t)
+')
+
+optional_policy(`
+ ptp4l_rw_shm(chronyd_t)
+ phc2sys_rw_shm(chronyd_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow chronyc_t self:capability { dac_read_search dac_override };
+allow chronyc_t self:udp_socket create_socket_perms;
+allow chronyc_t self:unix_dgram_socket create_socket_perms;
+allow chronyc_t self:netlink_route_socket create_netlink_socket_perms;
+
+allow chronyc_t chronyd_t:unix_dgram_socket sendto;
+
+allow chronyc_t chronyd_keys_t:file manage_file_perms;
+
+manage_dirs_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_sock_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+
+manage_dirs_pattern(chronyc_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+manage_files_pattern(chronyc_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+fs_tmpfs_filetrans(chronyc_t, chronyd_tmpfs_t, { dir file })
+
+manage_files_pattern(chronyc_t, chronyd_var_lib_t, chronyd_var_lib_t)
+files_var_lib_filetrans(chronyc_t, chronyd_var_lib_t, file)
+
+manage_files_pattern(chronyc_t, chronyd_var_log_t, chronyd_var_log_t)
+logging_log_filetrans(chronyc_t, chronyd_var_log_t, file)
+
+manage_files_pattern(chronyc_t, chronyd_tmp_t, chronyd_tmp_t)
+files_tmp_filetrans(chronyc_t, chronyd_tmp_t, file)
+
+corecmd_exec_bin(chronyc_t)
+
+sysnet_read_config(chronyc_t)
+
+userdom_use_user_ptys(chronyc_t)
+userdom_use_inherited_user_ttys(chronyc_t)
+
+optional_policy(`
+ nscd_shm_use(chronyc_t)
')
diff --git a/cinder.fc b/cinder.fc
new file mode 100644
index 000000000..4b318b783
--- /dev/null
+++ b/cinder.fc
@@ -0,0 +1,16 @@
+
+/usr/bin/cinder-api -- gen_context(system_u:object_r:cinder_api_exec_t,s0)
+/usr/bin/cinder-backup -- gen_context(system_u:object_r:cinder_backup_exec_t,s0)
+/usr/bin/cinder-scheduler -- gen_context(system_u:object_r:cinder_scheduler_exec_t,s0)
+/usr/bin/cinder-volume -- gen_context(system_u:object_r:cinder_volume_exec_t,s0)
+
+/usr/lib/systemd/system/openstack-cinder-api.* -- gen_context(system_u:object_r:cinder_api_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-cinder-backup.* -- gen_context(system_u:object_r:cinder_backup_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-cinder-scheduler.* -- gen_context(system_u:object_r:cinder_scheduler_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-cinder-volume.* -- gen_context(system_u:object_r:cinder_volume_unit_file_t,s0)
+
+/var/lib/cinder(/.*)? gen_context(system_u:object_r:cinder_var_lib_t,s0)
+
+/var/log/cinder(/.*)? gen_context(system_u:object_r:cinder_log_t,s0)
+
+/var/run/cinder(/.*)? gen_context(system_u:object_r:cinder_var_run_t,s0)
diff --git a/cinder.if b/cinder.if
new file mode 100644
index 000000000..fc9cae7c7
--- /dev/null
+++ b/cinder.if
@@ -0,0 +1,57 @@
+## openstack-cinder
+
+######################################
+##
+## Manage cinder lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cinder_manage_lib_files',`
+ gen_require(`
+ type cinder_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, cinder_var_lib_t, cinder_var_lib_t)
+')
+
+#######################################
+##
+## Creates types and rules for a basic
+## openstack-cinder systemd daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`cinder_domain_template',`
+ gen_require(`
+ attribute cinder_domain;
+ ')
+
+ type cinder_$1_t, cinder_domain;
+ type cinder_$1_exec_t;
+ init_daemon_domain(cinder_$1_t, cinder_$1_exec_t)
+
+ type cinder_$1_unit_file_t;
+ systemd_unit_file(cinder_$1_unit_file_t)
+
+ type cinder_$1_tmp_t;
+ files_tmp_file(cinder_$1_tmp_t)
+
+ manage_dirs_pattern(cinder_$1_t, cinder_$1_tmp_t, cinder_$1_tmp_t)
+ manage_files_pattern(cinder_$1_t, cinder_$1_tmp_t, cinder_$1_tmp_t)
+ files_tmp_filetrans(cinder_$1_t, cinder_$1_tmp_t, { file dir })
+ can_exec(cinder_$1_t, cinder_$1_tmp_t)
+
+ kernel_read_system_state(cinder_$1_t)
+
+ logging_send_syslog_msg(cinder_$1_t)
+
+')
diff --git a/cinder.te b/cinder.te
new file mode 100644
index 000000000..488a7a659
--- /dev/null
+++ b/cinder.te
@@ -0,0 +1,169 @@
+policy_module(cinder, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+#
+# cinder-stack daemons contain security issue with using sudo in the code
+# we make this policy as unconfined until this issue is fixed
+#
+
+attribute cinder_domain;
+
+cinder_domain_template(api)
+cinder_domain_template(backup)
+cinder_domain_template(scheduler)
+cinder_domain_template(volume)
+
+type cinder_log_t;
+logging_log_file(cinder_log_t)
+
+type cinder_var_lib_t;
+files_type(cinder_var_lib_t)
+
+type cinder_var_run_t;
+files_pid_file(cinder_var_run_t)
+
+######################################
+#
+# cinder general domain local policy
+#
+
+allow cinder_domain self:process signal_perms;
+allow cinder_domain self:fifo_file rw_fifo_file_perms;
+allow cinder_domain self:tcp_socket create_stream_socket_perms;
+allow cinder_domain self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(cinder_domain, cinder_log_t, cinder_log_t)
+manage_files_pattern(cinder_domain, cinder_log_t, cinder_log_t)
+
+manage_dirs_pattern(cinder_domain, cinder_var_lib_t, cinder_var_lib_t)
+manage_files_pattern(cinder_domain, cinder_var_lib_t, cinder_var_lib_t)
+
+manage_dirs_pattern(cinder_domain, cinder_var_run_t, cinder_var_run_t)
+manage_files_pattern(cinder_domain, cinder_var_run_t, cinder_var_run_t)
+
+corenet_tcp_connect_amqp_port(cinder_domain)
+corenet_tcp_connect_mysqld_port(cinder_domain)
+
+kernel_read_network_state(cinder_domain)
+
+corecmd_exec_bin(cinder_domain)
+corecmd_exec_shell(cinder_domain)
+corenet_tcp_connect_mysqld_port(cinder_domain)
+
+auth_read_passwd(cinder_domain)
+
+dev_read_sysfs(cinder_domain)
+dev_read_urand(cinder_domain)
+
+fs_getattr_xattr_fs(cinder_domain)
+
+init_read_utmp(cinder_domain)
+
+libs_exec_ldconfig(cinder_domain)
+
+optional_policy(`
+ mysql_stream_connect(cinder_domain)
+ mysql_read_db_lnk_files(cinder_domain)
+')
+
+optional_policy(`
+ sysnet_read_config(cinder_domain)
+ sysnet_exec_ifconfig(cinder_domain)
+')
+
+#######################################
+#
+# cinder api local policy
+#
+
+allow cinder_api_t self:process setfscreate;
+allow cinder_api_t self:key write;
+allow cinder_api_t self:netlink_route_socket r_netlink_socket_perms;
+allow cinder_api_t self:udp_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(cinder_api_t)
+
+corenet_tcp_bind_generic_node(cinder_api_t)
+corenet_udp_bind_generic_node(cinder_api_t)
+# should be add to booleans
+corenet_tcp_connect_all_ports(cinder_api_t)
+corenet_tcp_bind_all_unreserved_ports(cinder_api_t)
+
+auth_read_passwd(cinder_api_t)
+
+logging_send_syslog_msg(cinder_api_t)
+
+miscfiles_read_certs(cinder_api_t)
+
+optional_policy(`
+ iptables_domtrans(cinder_api_t)
+')
+
+optional_policy(`
+ ssh_exec_keygen(cinder_api_t)
+')
+
+optional_policy(`
+ gnome_dontaudit_search_config(cinder_api_t)
+')
+
+optional_policy(`
+ unconfined_domain(cinder_api_t)
+')
+
+#######################################
+#
+# cinder backup local policy
+#
+
+allow cinder_backup_t self:udp_socket create_socket_perms;
+
+auth_use_nsswitch(cinder_backup_t)
+
+systemd_dbus_chat_logind(cinder_backup_t)
+
+optional_policy(`
+ unconfined_domain(cinder_backup_t)
+')
+
+#######################################
+#
+# cinder scheduler local policy
+#
+
+allow cinder_scheduler_t self:netlink_route_socket r_netlink_socket_perms;
+allow cinder_scheduler_t self:udp_socket create_socket_perms;
+
+auth_read_passwd(cinder_scheduler_t)
+
+init_read_utmp(cinder_scheduler_t)
+
+optional_policy(`
+ unconfined_domain(cinder_scheduler_t)
+')
+
+#######################################
+#
+# cinder volume local policy
+#
+
+allow cinder_volume_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow cinder_volume_t self:udp_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(cinder_volume_t)
+
+logging_send_syslog_msg(cinder_volume_t)
+
+optional_policy(`
+ lvm_domtrans(cinder_volume_t)
+')
+
+optional_policy(`
+ unconfined_domain(cinder_volume_t)
+')
+
diff --git a/cipe.te b/cipe.te
index a0aa693d1..af571edbb 100644
--- a/cipe.te
+++ b/cipe.te
@@ -29,7 +29,6 @@ kernel_read_system_state(ciped_t)
corecmd_exec_shell(ciped_t)
corecmd_exec_bin(ciped_t)
-corenet_all_recvfrom_unlabeled(ciped_t)
corenet_all_recvfrom_netlabel(ciped_t)
corenet_udp_sendrecv_generic_if(ciped_t)
corenet_udp_sendrecv_generic_node(ciped_t)
@@ -45,7 +44,6 @@ dev_read_urand(ciped_t)
domain_use_interactive_fds(ciped_t)
-files_read_etc_files(ciped_t)
files_read_etc_runtime_files(ciped_t)
files_dontaudit_search_var(ciped_t)
@@ -53,8 +51,6 @@ fs_search_auto_mountpoints(ciped_t)
logging_send_syslog_msg(ciped_t)
-miscfiles_read_localization(ciped_t)
-
sysnet_read_config(ciped_t)
userdom_dontaudit_use_unpriv_user_fds(ciped_t)
diff --git a/clamav.fc b/clamav.fc
index d72afcc31..c53b80dcd 100644
--- a/clamav.fc
+++ b/clamav.fc
@@ -6,6 +6,8 @@
/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
+/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:clamd_unit_file_t,s0)
+
/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
diff --git a/clamav.if b/clamav.if
index 4cc4a5cd0..a6c632290 100644
--- a/clamav.if
+++ b/clamav.if
@@ -1,4 +1,4 @@
-## ClamAV Virus Scanner.
+## ClamAV Virus Scanner
########################################
##
@@ -15,14 +15,12 @@ interface(`clamav_domtrans',`
type clamd_t, clamd_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, clamd_exec_t, clamd_t)
')
########################################
##
-## Connect to clamd using a unix
-## domain stream socket.
+## Connect to run clamd.
##
##
##
@@ -41,7 +39,8 @@ interface(`clamav_stream_connect',`
########################################
##
-## Append clamav log files.
+## Allow the specified domain to append
+## to clamav log files.
##
##
##
@@ -59,27 +58,6 @@ interface(`clamav_append_log',`
append_files_pattern($1, clamd_var_log_t, clamd_var_log_t)
')
-########################################
-##
-## Create, read, write, and delete
-## clamav pid content.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`clamav_manage_pid_content',`
- gen_require(`
- type clamd_var_run_t;
- ')
-
- files_search_pids($1)
- manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
- manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
-')
-
########################################
##
## Read clamav configuration files.
@@ -101,7 +79,7 @@ interface(`clamav_read_config',`
########################################
##
-## Search clamav library directories.
+## Search clamav libraries directories.
##
##
##
@@ -133,13 +111,12 @@ interface(`clamav_domtrans_clamscan',`
type clamscan_t, clamscan_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, clamscan_exec_t, clamscan_t)
')
########################################
##
-## Execute clamscan in the caller domain.
+## Execute clamscan without a transition.
##
##
##
@@ -152,13 +129,12 @@ interface(`clamav_exec_clamscan',`
type clamscan_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, clamscan_exec_t)
')
-#######################################
+########################################
##
-## Read clamd process state files.
+## Manage clamd pid content.
##
##
##
@@ -166,21 +142,63 @@ interface(`clamav_exec_clamscan',`
##
##
#
-interface(`clamav_read_state_clamd',`
+interface(`clamav_manage_clamd_pid',`
gen_require(`
- type clamd_t;
+ type clamd_var_run_t;
')
- kernel_search_proc($1)
- allow $1 clamd_t:dir list_dir_perms;
- read_files_pattern($1, clamd_t, clamd_t)
- read_lnk_files_pattern($1, clamd_t, clamd_t)
+ manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
+ manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
+')
+
+#######################################
+##
+## Read clamd state files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`clamav_read_state_clamd',`
+ gen_require(`
+ type clamd_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, clamd_t)
+')
+
+#######################################
+##
+## Execute clamd server in the clamd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`clamd_systemctl',`
+ gen_require(`
+ type clamd_t;
+ type clamd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 clamd_unit_file_t:file read_file_perms;
+ allow $1 clamd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, clamd_t)
')
########################################
##
-## All of the rules required to
-## administrate an clamav environment.
+## All of the rules required to administrate
+## an clamav environment
##
##
##
@@ -189,7 +207,7 @@ interface(`clamav_read_state_clamd',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the clamav domain.
##
##
##
@@ -197,19 +215,36 @@ interface(`clamav_read_state_clamd',`
interface(`clamav_admin',`
gen_require(`
type clamd_t, clamd_etc_t, clamd_tmp_t;
- type clamd_var_log_t, clamd_var_lib_t, clamd_initrc_exec_t;
- type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
+ type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
+ type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
type freshclam_t, freshclam_var_log_t;
+ type clamd_unit_file_t;
')
- allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })
+ allow $1 clamd_t:process signal_perms;
+ ps_process_pattern($1, clamd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 clamd_t:process ptrace;
+ allow $1 clamscan_t:process ptrace;
+ allow $1 freshclam_t:process ptrace;
+ ')
+
+ allow $1 clamscan_t:process signal_perms;
+ ps_process_pattern($1, clamscan_t)
+
+ allow $1 freshclam_t:process signal_perms;
+ ps_process_pattern($1, freshclam_t)
init_labeled_script_domtrans($1, clamd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 clamd_initrc_exec_t system_r;
allow $2 system_r;
+ clamd_systemctl($1)
+ admin_pattern($1, clamd_unit_file_t)
+ allow $1 clamd_unit_file_t:service all_service_perms;
+
files_list_etc($1)
admin_pattern($1, clamd_etc_t)
@@ -217,11 +252,21 @@ interface(`clamav_admin',`
admin_pattern($1, clamd_var_lib_t)
logging_list_logs($1)
- admin_pattern($1, { clamd_var_log_t freshclam_var_log_t })
+ admin_pattern($1, clamd_var_log_t)
files_list_pids($1)
admin_pattern($1, clamd_var_run_t)
files_list_tmp($1)
- admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
+ admin_pattern($1, clamd_tmp_t)
+
+ admin_pattern($1, clamscan_tmp_t)
+
+ admin_pattern($1, freshclam_var_log_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+
')
diff --git a/clamav.te b/clamav.te
index ce3836acd..0263671f7 100644
--- a/clamav.te
+++ b/clamav.te
@@ -38,6 +38,9 @@ files_config_file(clamd_etc_t)
type clamd_initrc_exec_t;
init_script_file(clamd_initrc_exec_t)
+type clamd_unit_file_t;
+systemd_unit_file(clamd_unit_file_t)
+
type clamd_tmp_t;
files_tmp_file(clamd_tmp_t)
@@ -70,9 +73,10 @@ logging_log_file(freshclam_var_log_t)
# Clamd local policy
#
-allow clamd_t self:capability { kill setgid setuid dac_override };
+allow clamd_t self:capability { kill setgid setuid dac_read_search dac_override };
dontaudit clamd_t self:capability sys_tty_config;
allow clamd_t self:process signal;
+
allow clamd_t self:fifo_file rw_fifo_file_perms;
allow clamd_t self:unix_stream_socket { accept connectto listen };
allow clamd_t self:tcp_socket { listen accept };
@@ -107,7 +111,6 @@ kernel_read_system_state(clamd_t)
corecmd_exec_shell(clamd_t)
-corenet_all_recvfrom_unlabeled(clamd_t)
corenet_all_recvfrom_netlabel(clamd_t)
corenet_tcp_sendrecv_generic_if(clamd_t)
corenet_tcp_sendrecv_generic_node(clamd_t)
@@ -119,6 +122,7 @@ corenet_tcp_bind_generic_port(clamd_t)
corenet_sendrecv_generic_client_packets(clamd_t)
corenet_tcp_connect_generic_port(clamd_t)
+corenet_tcp_connect_clamd_port(clamd_t)
corenet_sendrecv_clamd_server_packets(clamd_t)
corenet_tcp_bind_clamd_port(clamd_t)
@@ -135,18 +139,10 @@ auth_use_nsswitch(clamd_t)
logging_send_syslog_msg(clamd_t)
-miscfiles_read_localization(clamd_t)
-
-tunable_policy(`clamd_use_jit',`
- allow clamd_t self:process execmem;
-',`
- dontaudit clamd_t self:process execmem;
-')
-
optional_policy(`
amavis_read_lib_files(clamd_t)
amavis_read_spool_files(clamd_t)
- amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
+ amavis_spool_filetrans(clamd_t, clamd_var_run_t, { file dir sock_file })
amavis_create_pid_files(clamd_t)
')
@@ -165,12 +161,37 @@ optional_policy(`
mta_send_mail(clamd_t)
')
+optional_policy(`
+ spamd_stream_connect(clamd_t)
+ spamassassin_read_pid_files(clamd_t)
+')
+
+tunable_policy(`clamd_use_jit',`
+ allow clamd_t self:process execmem;
+ allow clamscan_t self:process execmem;
+',`
+ dontaudit clamd_t self:process execmem;
+ dontaudit clamscan_t self:process execmem;
+')
+
+optional_policy(`
+ antivirus_domain_template(clamd_t)
+')
+
+optional_policy(`
+ antivirus_domain_template(clamscan_t)
+')
+
+optional_policy(`
+ antivirus_domain_template(freshclam_t)
+')
+
########################################
#
# Freshclam local policy
#
-allow freshclam_t self:capability { setgid setuid dac_override };
+allow freshclam_t self:capability { setgid setuid dac_read_search dac_override };
allow freshclam_t self:fifo_file rw_fifo_file_perms;
allow freshclam_t self:unix_stream_socket { accept listen };
allow freshclam_t self:tcp_socket { accept listen };
@@ -228,7 +249,6 @@ auth_use_nsswitch(freshclam_t)
logging_send_syslog_msg(freshclam_t)
-miscfiles_read_localization(freshclam_t)
tunable_policy(`clamd_use_jit',`
allow freshclam_t self:process execmem;
@@ -240,6 +260,10 @@ optional_policy(`
amavis_manage_spool_files(freshclam_t)
')
+optional_policy(`
+ clamd_systemctl(freshclam_t)
+')
+
optional_policy(`
cron_system_entry(freshclam_t, freshclam_exec_t)
')
@@ -249,7 +273,7 @@ optional_policy(`
# Clamscam local policy
#
-allow clamscan_t self:capability { setgid setuid dac_override };
+allow clamscan_t self:capability { setgid setuid dac_read_search dac_override };
allow clamscan_t self:fifo_file rw_fifo_file_perms;
allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
allow clamscan_t self:unix_dgram_socket create_socket_perms;
@@ -275,7 +299,6 @@ kernel_dontaudit_list_proc(clamscan_t)
kernel_read_kernel_sysctls(clamscan_t)
kernel_read_system_state(clamscan_t)
-corenet_all_recvfrom_unlabeled(clamscan_t)
corenet_all_recvfrom_netlabel(clamscan_t)
corenet_tcp_sendrecv_generic_if(clamscan_t)
corenet_tcp_sendrecv_generic_node(clamscan_t)
@@ -286,14 +309,12 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
corecmd_read_all_executables(clamscan_t)
-files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
files_search_var_lib(clamscan_t)
init_read_utmp(clamscan_t)
init_dontaudit_write_utmp(clamscan_t)
-miscfiles_read_localization(clamscan_t)
miscfiles_read_public_files(clamscan_t)
sysnet_dns_name_resolve(clamscan_t)
@@ -309,10 +330,6 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',`
files_getattr_all_sockets(clamscan_t)
')
-optional_policy(`
- amavis_read_spool_files(clamscan_t)
-')
-
optional_policy(`
apache_read_sys_content(clamscan_t)
')
diff --git a/clockspeed.te b/clockspeed.te
index d3e2a67e5..f5b330c08 100644
--- a/clockspeed.te
+++ b/clockspeed.te
@@ -29,7 +29,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms;
read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
-corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
corenet_all_recvfrom_netlabel(clockspeed_cli_t)
corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
@@ -38,11 +37,9 @@ corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
files_list_var_lib(clockspeed_cli_t)
-files_read_etc_files(clockspeed_cli_t)
-miscfiles_read_localization(clockspeed_cli_t)
-userdom_use_user_terminals(clockspeed_cli_t)
+userdom_use_inherited_user_terminals(clockspeed_cli_t)
########################################
#
@@ -57,7 +54,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
-corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
corenet_all_recvfrom_netlabel(clockspeed_srv_t)
corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
@@ -68,9 +64,7 @@ corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
corenet_udp_sendrecv_clockspeed_port(clockspeed_srv_t)
files_list_var_lib(clockspeed_srv_t)
-files_read_etc_files(clockspeed_srv_t)
-miscfiles_read_localization(clockspeed_srv_t)
optional_policy(`
daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
diff --git a/clogd.te b/clogd.te
index 4a5b3d1a5..cd146bd5a 100644
--- a/clogd.te
+++ b/clogd.te
@@ -41,9 +41,6 @@ storage_raw_write_fixed_disk(clogd_t)
logging_send_syslog_msg(clogd_t)
-miscfiles_read_localization(clogd_t)
-
optional_policy(`
- aisexec_stream_connect(clogd_t)
- corosync_stream_connect(clogd_t)
+ rhcs_stream_connect_cluster(clogd_t)
')
diff --git a/cloudform.fc b/cloudform.fc
new file mode 100644
index 000000000..3849f134a
--- /dev/null
+++ b/cloudform.fc
@@ -0,0 +1,21 @@
+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
+
+/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/libexec/min-metadata-service -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/libexec/min-cloud-agent -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0)
+/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0)
+
+/usr/lib/systemd/system/cloud-config.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
+
+/usr/lib/systemd/system/cloud-init.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
+
+/var/lib/cloud(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0)
+/var/lib/min-cloud-agent(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0)
+/var/log/cloud-init.*\.log.* -- gen_context(system_u:object_r:cloud_log_t,s0)
+/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0)
+
+/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0)
+/var/log/iwhd\.log.* -- gen_context(system_u:object_r:iwhd_log_t,s0)
+
+/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
diff --git a/cloudform.if b/cloudform.if
new file mode 100644
index 000000000..55fe0d668
--- /dev/null
+++ b/cloudform.if
@@ -0,0 +1,116 @@
+## cloudform policy
+
+#######################################
+##
+## Creates types and rules for a basic
+## cloudform daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`cloudform_domain_template',`
+ gen_require(`
+ attribute cloudform_domain;
+ ')
+
+ type $1_t, cloudform_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+ kernel_read_system_state($1_t)
+')
+
+########################################
+##
+## Execute a domain transition to run cloud_init.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cloudform_init_domtrans',`
+ gen_require(`
+ type cloud_init_t, cloud_init_exec_t;
+ ')
+
+ domtrans_pattern($1, cloud_init_exec_t, cloud_init_t)
+')
+
+######################################
+##
+## Execute mongod in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cloudform_exec_mongod',`
+ gen_require(`
+ type mongod_exec_t;
+ ')
+
+ can_exec($1, mongod_exec_t)
+')
+
+#######################################
+##
+## Allow read to cloud lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cloudform_read_lib_files',`
+ gen_require(`
+ type cloud_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, cloud_var_lib_t, cloud_var_lib_t)
+')
+
+#######################################
+##
+## Allow read to cloud lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cloudform_read_lib_lnk_files',`
+ gen_require(`
+ type cloud_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_lnk_files_pattern($1, cloud_var_lib_t, cloud_var_lib_t)
+')
+
+######################################
+##
+## Execute mongod in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cloudform_dontaudit_write_cloud_log',`
+ gen_require(`
+ type cloud_log_t;
+ ')
+
+ dontaudit $1 cloud_log_t:file write_inherited_file_perms;
+')
diff --git a/cloudform.te b/cloudform.te
new file mode 100644
index 000000000..1cacfc06d
--- /dev/null
+++ b/cloudform.te
@@ -0,0 +1,249 @@
+policy_module(cloudform, 1.0)
+########################################
+#
+# Declarations
+#
+
+attribute cloudform_domain;
+
+cloudform_domain_template(deltacloudd)
+cloudform_domain_template(iwhd)
+cloudform_domain_template(cloud_init)
+
+type cloud_init_tmp_t;
+files_tmp_file(cloud_init_tmp_t)
+
+type cloud_init_unit_file_t;
+systemd_unit_file(cloud_init_unit_file_t)
+
+type cloud_var_lib_t;
+files_type(cloud_var_lib_t)
+
+type cloud_log_t;
+logging_log_file(cloud_log_t)
+
+type deltacloudd_log_t;
+logging_log_file(deltacloudd_log_t)
+
+type deltacloudd_var_run_t;
+files_pid_file(deltacloudd_var_run_t)
+
+type deltacloudd_tmp_t;
+files_tmp_file(deltacloudd_tmp_t)
+
+type iwhd_initrc_exec_t;
+init_script_file(iwhd_initrc_exec_t)
+
+type iwhd_var_lib_t;
+files_type(iwhd_var_lib_t)
+
+type iwhd_var_run_t;
+files_pid_file(iwhd_var_run_t)
+
+type iwhd_log_t;
+logging_log_file(iwhd_log_t)
+
+########################################
+#
+# cloudform_domain local policy
+#
+
+allow cloudform_domain self:fifo_file rw_fifo_file_perms;
+allow cloudform_domain self:tcp_socket create_stream_socket_perms;
+
+dev_read_rand(cloudform_domain)
+dev_read_urand(cloudform_domain)
+dev_read_sysfs(cloudform_domain)
+
+auth_read_passwd(cloudform_domain)
+
+miscfiles_read_certs(cloudform_domain)
+
+#################################
+#
+# cloud-init local policy
+#
+
+allow cloud_init_t self:capability { fowner chown fsetid dac_read_search dac_override };
+
+allow cloud_init_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
+manage_dirs_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
+files_tmp_filetrans(cloud_init_t, cloud_init_tmp_t, { file dir })
+
+manage_dirs_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+manage_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+manage_lnk_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+
+manage_files_pattern(cloud_init_t, cloud_log_t, cloud_log_t)
+logging_log_filetrans(cloud_init_t, cloud_log_t, { file })
+
+kernel_read_network_state(cloud_init_t)
+
+corenet_tcp_connect_http_port(cloud_init_t)
+
+corecmd_exec_bin(cloud_init_t)
+corecmd_exec_shell(cloud_init_t)
+
+domain_read_all_domains_state(cloud_init_t)
+
+fs_getattr_all_fs(cloud_init_t)
+
+storage_raw_read_fixed_disk(cloud_init_t)
+
+auth_use_nsswitch(cloud_init_t)
+
+libs_exec_ldconfig(cloud_init_t)
+
+logging_send_syslog_msg(cloud_init_t)
+
+miscfiles_read_localization(cloud_init_t)
+
+selinux_validate_context(cloud_init_t)
+
+systemd_dbus_chat_hostnamed(cloud_init_t)
+systemd_dbus_chat_timedated(cloud_init_t)
+systemd_exec_systemctl(cloud_init_t)
+systemd_start_all_services(cloud_init_t)
+
+usermanage_domtrans_passwd(cloud_init_t)
+
+optional_policy(`
+ certmonger_dbus_chat(cloud_init_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(cloud_init_t)
+')
+
+optional_policy(`
+ rhsmcertd_dbus_chat(cloud_init_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(cloud_init_t)
+')
+
+optional_policy(`
+ dmidecode_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+ fstools_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+ hostname_exec(cloud_init_t)
+')
+
+optional_policy(`
+ mount_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+ # it check file context and run restorecon
+ seutil_read_file_contexts(cloud_init_t)
+ seutil_domtrans_setfiles(cloud_init_t)
+')
+
+optional_policy(`
+ ssh_exec_keygen(cloud_init_t)
+ ssh_read_user_home_files(cloud_init_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(cloud_init_t)
+ sysnet_read_dhcpc_state(cloud_init_t)
+ sysnet_dns_name_resolve(cloud_init_t)
+')
+
+optional_policy(`
+ rpm_run(cloud_init_t, system_r)
+ rpm_transition_script(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ unconfined_domain(cloud_init_t)
+')
+
+########################################
+#
+# deltacloudd local policy
+#
+
+allow deltacloudd_t self:capability { dac_read_search dac_override setuid setgid };
+
+allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
+allow deltacloudd_t self:udp_socket create_socket_perms;
+
+allow deltacloudd_t self:process signal;
+
+allow deltacloudd_t self:fifo_file rw_fifo_file_perms;
+allow deltacloudd_t self:tcp_socket create_stream_socket_perms;
+allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
+manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
+files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })
+
+manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
+manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
+manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
+files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir })
+
+manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
+manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
+logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })
+
+kernel_read_kernel_sysctls(deltacloudd_t)
+kernel_read_system_state(deltacloudd_t)
+kernel_read_network_state(deltacloudd_t)
+
+corecmd_exec_bin(deltacloudd_t)
+
+corenet_tcp_bind_generic_node(deltacloudd_t)
+corenet_tcp_bind_generic_port(deltacloudd_t)
+corenet_tcp_connect_http_port(deltacloudd_t)
+corenet_tcp_connect_keystone_port(deltacloudd_t)
+
+auth_use_nsswitch(deltacloudd_t)
+
+logging_send_syslog_msg(deltacloudd_t)
+
+optional_policy(`
+ sysnet_read_config(deltacloudd_t)
+')
+
+########################################
+#
+# iwhd local policy
+#
+
+allow iwhd_t self:capability { chown kill };
+allow iwhd_t self:process { fork };
+
+allow iwhd_t self:netlink_route_socket r_netlink_socket_perms;
+allow iwhd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
+manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
+
+manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t)
+logging_log_filetrans(iwhd_t, iwhd_log_t, { file })
+
+manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
+manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
+files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file })
+
+kernel_read_system_state(iwhd_t)
+
+corenet_tcp_bind_generic_node(iwhd_t)
+corenet_tcp_bind_websm_port(iwhd_t)
+corenet_tcp_connect_all_ports(iwhd_t)
+
+dev_read_rand(iwhd_t)
+dev_read_urand(iwhd_t)
+
+userdom_home_manager(iwhd_t)
+
diff --git a/cmirrord.if b/cmirrord.if
index cc4e7cb96..f348d2746 100644
--- a/cmirrord.if
+++ b/cmirrord.if
@@ -73,10 +73,11 @@ interface(`cmirrord_rw_shm',`
type cmirrord_t, cmirrord_tmpfs_t;
')
- allow $1 cmirrord_t:shm rw_shm_perms;
+ allow $1 cmirrord_t:shm { rw_shm_perms destroy };
allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
fs_search_tmpfs($1)
')
@@ -103,9 +104,13 @@ interface(`cmirrord_admin',`
type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
')
- allow $1 cmirrord_t:process { ptrace signal_perms };
+ allow $1 cmirrord_t:process signal_perms;
ps_process_pattern($1, cmirrord_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cmirrord_t:process ptrace;
+ ')
+
cmirrord_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 cmirrord_initrc_exec_t system_r;
diff --git a/cmirrord.te b/cmirrord.te
index bbdd3960e..28b176182 100644
--- a/cmirrord.te
+++ b/cmirrord.te
@@ -23,13 +23,14 @@ files_pid_file(cmirrord_var_run_t)
# Local policy
#
-allow cmirrord_t self:capability { net_admin kill };
+allow cmirrord_t self:capability { sys_admin net_admin kill };
dontaudit cmirrord_t self:capability sys_tty_config;
allow cmirrord_t self:process { setfscreate signal };
allow cmirrord_t self:fifo_file rw_fifo_file_perms;
allow cmirrord_t self:sem create_sem_perms;
allow cmirrord_t self:shm create_shm_perms;
allow cmirrord_t self:netlink_socket create_socket_perms;
+allow cmirrord_t self:netlink_connector_socket create_socket_perms;
allow cmirrord_t self:unix_stream_socket { accept listen };
manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
@@ -42,16 +43,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
domain_use_interactive_fds(cmirrord_t)
domain_obj_id_change_exemption(cmirrord_t)
-files_read_etc_files(cmirrord_t)
-
storage_create_fixed_disk_dev(cmirrord_t)
+storage_raw_read_fixed_disk(cmirrord_t)
+storage_rw_inherited_fixed_disk_dev(cmirrord_t)
seutil_read_file_contexts(cmirrord_t)
logging_send_syslog_msg(cmirrord_t)
-miscfiles_read_localization(cmirrord_t)
-
optional_policy(`
corosync_stream_connect(cmirrord_t)
')
+
+optional_policy(`
+ rhcs_rw_cluster_tmpfs(cmirrord_t)
+')
diff --git a/cobbler.fc b/cobbler.fc
index 973d208ff..6ce88039f 100644
--- a/cobbler.fc
+++ b/cobbler.fc
@@ -4,11 +4,15 @@
/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
+/var/cache/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/aarch64(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/boot(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/images2(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
diff --git a/cobbler.if b/cobbler.if
index c223f8132..8b567c191 100644
--- a/cobbler.if
+++ b/cobbler.if
@@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',`
init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
')
+
+
+########################################
+##
+## Read cobbler configuration dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cobbler_list_config',`
+ gen_require(`
+ type cobbler_etc_t;
+ ')
+
+ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
+ files_search_etc($1)
+')
+
+
########################################
##
## Read cobbler configuration files.
@@ -112,6 +134,7 @@ interface(`cobbler_read_lib_files',`
files_search_var_lib($1)
read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
')
########################################
@@ -132,6 +155,8 @@ interface(`cobbler_manage_lib_files',`
files_search_var_lib($1)
manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
')
########################################
@@ -176,8 +201,8 @@ interface(`cobblerd_admin',`
interface(`cobbler_admin',`
gen_require(`
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
- type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
- type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, cobbler_tmp_t;
+ type cobbler_etc_t, cobblerd_initrc_exec_t;
+ type cobbler_tmp_t;
')
allow $1 cobblerd_t:process { ptrace signal_perms };
@@ -199,7 +224,4 @@ interface(`cobbler_admin',`
logging_search_logs($1)
admin_pattern($1, cobbler_var_log_t)
-
- apache_search_sys_content($1)
- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
')
diff --git a/cobbler.te b/cobbler.te
index 5f306dd44..b6d1c0f70 100644
--- a/cobbler.te
+++ b/cobbler.te
@@ -62,7 +62,7 @@ files_tmp_file(cobbler_tmp_t)
# Local policy
#
-allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
+allow cobblerd_t self:capability { chown dac_read_search dac_override fowner fsetid sys_nice };
dontaudit cobblerd_t self:capability sys_tty_config;
allow cobblerd_t self:process { getsched setsched signal };
allow cobblerd_t self:fifo_file rw_fifo_file_perms;
@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir)
+files_var_filetrans(cobblerd_t, cobbler_var_lib_t, dir, "cobbler")
append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
@@ -89,7 +90,7 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
kernel_read_system_state(cobblerd_t)
-kernel_dontaudit_search_network_state(cobblerd_t)
+kernel_read_network_state(cobblerd_t)
corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)
@@ -112,14 +113,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t)
corenet_tcp_connect_http_port(cobblerd_t)
corenet_sendrecv_http_client_packets(cobblerd_t)
+dev_read_sysfs(cobblerd_t)
dev_read_urand(cobblerd_t)
files_list_boot(cobblerd_t)
files_list_tmp(cobblerd_t)
files_read_boot_files(cobblerd_t)
-files_read_etc_files(cobblerd_t)
files_read_etc_runtime_files(cobblerd_t)
-files_read_usr_files(cobblerd_t)
fs_getattr_all_fs(cobblerd_t)
fs_read_iso9660_files(cobblerd_t)
@@ -128,6 +128,8 @@ selinux_get_enforce_mode(cobblerd_t)
term_use_console(cobblerd_t)
+auth_use_nsswitch(cobblerd_t)
+
logging_send_syslog_msg(cobblerd_t)
miscfiles_read_localization(cobblerd_t)
@@ -160,6 +162,7 @@ tunable_policy(`cobbler_use_nfs',`
')
optional_policy(`
+ apache_domtrans(cobblerd_t)
apache_search_sys_content(cobblerd_t)
')
@@ -170,6 +173,7 @@ optional_policy(`
bind_domtrans(cobblerd_t)
bind_initrc_domtrans(cobblerd_t)
bind_manage_zone(cobblerd_t)
+ bind_systemctl(cobblerd_t)
')
optional_policy(`
@@ -179,12 +183,22 @@ optional_policy(`
optional_policy(`
dhcpd_domtrans(cobblerd_t)
dhcpd_initrc_domtrans(cobblerd_t)
+ dhcpd_systemctl(cobblerd_t)
')
optional_policy(`
dnsmasq_domtrans(cobblerd_t)
dnsmasq_initrc_domtrans(cobblerd_t)
dnsmasq_write_config(cobblerd_t)
+ dnsmasq_systemctl(cobblerd_t)
+')
+
+optional_policy(`
+ libs_exec_ldconfig(cobblerd_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(cobblerd_t)
')
optional_policy(`
@@ -192,13 +206,13 @@ optional_policy(`
')
optional_policy(`
+ rsync_exec(cobblerd_t)
rsync_read_config(cobblerd_t)
- rsync_manage_config_files(cobblerd_t)
+ rsync_manage_config(cobblerd_t)
rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf")
')
optional_policy(`
- tftp_manage_config_files(cobblerd_t)
- tftp_etc_filetrans_config(cobblerd_t, file, "tftp")
+ tftp_manage_config(cobblerd_t)
tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
')
diff --git a/cockpit.fc b/cockpit.fc
new file mode 100644
index 000000000..bf801737d
--- /dev/null
+++ b/cockpit.fc
@@ -0,0 +1,13 @@
+# cockpit stuff
+
+/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
+/etc/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
+
+/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+
+/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+/usr/libexec/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+
+/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0)
+
+/var/run/cockpit-ws(/.*)? gen_context(system_u:object_r:cockpit_var_run_t,s0)
diff --git a/cockpit.if b/cockpit.if
new file mode 100644
index 000000000..d5920c061
--- /dev/null
+++ b/cockpit.if
@@ -0,0 +1,188 @@
+## policy for cockpit
+
+########################################
+##
+## Execute TEMPLATE in the cockpit domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cockpit_ws_domtrans',`
+ gen_require(`
+ type cockpit_ws_t, cockpit_ws_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cockpit_ws_exec_t, cockpit_ws_t)
+')
+
+########################################
+##
+## Execute TEMPLATE in the cockpit domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cockpit_session_domtrans',`
+ gen_require(`
+ type cockpit_session_t, cockpit_session_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cockpit_session_exec_t, cockpit_session_t)
+')
+
+########################################
+##
+## Search cockpit lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cockpit_search_lib',`
+ gen_require(`
+ type cockpit_var_lib_t;
+ ')
+
+ allow $1 cockpit_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read cockpit lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cockpit_read_lib_files',`
+ gen_require(`
+ type cockpit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+##
+## Manage cockpit lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cockpit_manage_lib_files',`
+ gen_require(`
+ type cockpit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+##
+## Manage cockpit lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cockpit_manage_lib_dirs',`
+ gen_require(`
+ type cockpit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+##
+## Execute cockpit server in the cockpit domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cockpit_systemctl',`
+ gen_require(`
+ type cockpit_ws_t;
+ type cockpit_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 cockpit_unit_file_t:file read_file_perms;
+ allow $1 cockpit_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, cockpit_ws_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an cockpit environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`cockpit_admin',`
+ gen_require(`
+ type cockpit_ws_t;
+ type cockpit_session_t;
+ type cockpit_var_lib_t;
+ type cockpit_var_run_t;
+ type cockpit_unit_file_t;
+ ')
+
+ allow $1 cockpit_ws_t:process { signal_perms };
+ ps_process_pattern($1, cockpit_ws_t)
+
+ allow $1 cockpit_session_t:process { signal_perms };
+ ps_process_pattern($1, cockpit_session_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cockpit_ws_t:process ptrace;
+ allow $1 cockpit_session_t:process ptrace;
+ ')
+
+ files_search_var_lib($1)
+ admin_pattern($1, cockpit_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, cockpit_var_run_t)
+
+ cockpit_systemctl($1)
+ admin_pattern($1, cockpit_unit_file_t)
+ allow $1 cockpit_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/cockpit.te b/cockpit.te
new file mode 100644
index 000000000..6b84d6f0f
--- /dev/null
+++ b/cockpit.te
@@ -0,0 +1,123 @@
+policy_module(cockpit, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cockpit_ws_t;
+type cockpit_ws_exec_t;
+init_daemon_domain(cockpit_ws_t,cockpit_ws_exec_t)
+
+type cockpit_tmp_t;
+files_tmp_file(cockpit_tmp_t)
+
+type cockpit_var_run_t;
+files_pid_file(cockpit_var_run_t)
+
+type cockpit_unit_file_t;
+systemd_unit_file(cockpit_unit_file_t)
+
+type cockpit_var_lib_t;
+files_type(cockpit_var_lib_t)
+
+type cockpit_session_t;
+type cockpit_session_exec_t;
+domain_type(cockpit_session_t)
+domain_entry_file(cockpit_session_t,cockpit_session_exec_t)
+
+########################################
+#
+# cockpit_ws_t local policy
+#
+
+allow cockpit_ws_t self:capability net_admin;
+allow cockpit_ws_t self:tcp_socket create_stream_socket_perms;
+
+# cockpit-ws can execute cockpit-session
+can_exec(cockpit_ws_t,cockpit_session_exec_t)
+
+# cockpit-ws can read from /dev/urandom
+dev_read_urand(cockpit_ws_t) # for authkey
+dev_read_rand(cockpit_ws_t) # for libssh
+
+corenet_tcp_bind_websm_port(cockpit_ws_t)
+
+# cockpit-ws can connect to other hosts via ssh
+corenet_tcp_connect_ssh_port(cockpit_ws_t)
+
+# cockpit-ws can write to its temp files
+manage_dirs_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
+manage_files_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
+files_tmp_filetrans(cockpit_ws_t, cockpit_tmp_t, { dir file })
+
+manage_dirs_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t)
+manage_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t)
+manage_lnk_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t)
+manage_sock_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t)
+files_pid_filetrans(cockpit_ws_t, cockpit_var_run_t, { file dir sock_file })
+
+read_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
+list_dirs_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
+
+auth_use_nsswitch(cockpit_ws_t)
+
+files_mmap_usr_files(cockpit_ws_t)
+
+init_stream_connect(cockpit_ws_t)
+
+logging_send_syslog_msg(cockpit_ws_t)
+
+# cockpit-ws launches cockpit-session
+cockpit_session_domtrans(cockpit_ws_t)
+allow cockpit_ws_t cockpit_session_t:process signal_perms;
+
+# cockpit-session communicates back with cockpit-ws
+allow cockpit_session_t cockpit_ws_t:unix_stream_socket rw_stream_socket_perms;
+
+optional_policy(`
+ kerberos_use(cockpit_ws_t)
+ kerberos_etc_filetrans_keytab(cockpit_ws_t)
+')
+
+optional_policy(`
+ ssh_read_user_home_files(cockpit_ws_t)
+')
+
+#########################################################
+#
+# cockpit-session local policy
+#
+
+# cockpit-session changes to the actual logged in user
+allow cockpit_session_t self:capability { sys_admin dac_read_search dac_override setuid setgid sys_resource };
+allow cockpit_session_t self:process { setexec setsched signal_perms setrlimit };
+
+read_files_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t)
+list_dirs_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t)
+
+manage_dirs_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
+manage_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
+files_tmp_filetrans(cockpit_session_t, cockpit_tmp_t, { dir file })
+
+# cockpit-session runs a full pam stack, including pam_selinux.so
+auth_login_pgm_domain(cockpit_session_t)
+# cockpit-session resseting expired passwords
+auth_manage_passwd(cockpit_session_t)
+auth_manage_shadow(cockpit_session_t)
+auth_write_login_records(cockpit_session_t)
+
+corenet_tcp_bind_ssh_port(cockpit_session_t)
+corenet_tcp_connect_ssh_port(cockpit_session_t)
+
+# cockpit-session can execute cockpit-agent as the user
+userdom_spec_domtrans_all_users(cockpit_session_t)
+usermanage_read_crack_db(cockpit_session_t)
+
+optional_policy(`
+ userdom_signal_all_users(cockpit_session_t)
+')
+
+optional_policy(`
+ unconfined_domtrans(cockpit_session_t)
+')
diff --git a/collectd.fc b/collectd.fc
index 79a3abe3a..3237fb088 100644
--- a/collectd.fc
+++ b/collectd.fc
@@ -1,9 +1,12 @@
/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
+/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
+
/usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
/var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0)
+/var/run/collectd-unixsock -s gen_context(system_u:object_r:collectd_var_run_t,s0)
-/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
+/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:collectd_script_exec_t,s0)
diff --git a/collectd.if b/collectd.if
index 954309e64..67801421b 100644
--- a/collectd.if
+++ b/collectd.if
@@ -2,8 +2,145 @@
########################################
##
-## All of the rules required to
-## administrate an collectd environment.
+## Transition to collectd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`collectd_domtrans',`
+ gen_require(`
+ type collectd_t, collectd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, collectd_exec_t, collectd_t)
+')
+
+########################################
+##
+## Execute collectd server in the collectd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`collectd_initrc_domtrans',`
+ gen_require(`
+ type collectd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, collectd_initrc_exec_t)
+')
+
+########################################
+##
+## Search collectd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`collectd_search_lib',`
+ gen_require(`
+ type collectd_var_lib_t;
+ ')
+
+ allow $1 collectd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read collectd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`collectd_read_lib_files',`
+ gen_require(`
+ type collectd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+##
+## Manage collectd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`collectd_manage_lib_files',`
+ gen_require(`
+ type collectd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+##
+## Manage collectd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`collectd_manage_lib_dirs',`
+ gen_require(`
+ type collectd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+##
+## Execute collectd server in the collectd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`collectd_systemctl',`
+ gen_require(`
+ type collectd_t;
+ type collectd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 collectd_unit_file_t:file read_file_perms;
+ allow $1 collectd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, collectd_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an collectd environment
##
##
##
@@ -20,13 +157,17 @@
interface(`collectd_admin',`
gen_require(`
type collectd_t, collectd_initrc_exec_t, collectd_var_run_t;
- type collectd_var_lib_t;
+ type collectd_var_lib_t, collectd_unit_file_t;
')
- allow $1 collectd_t:process { ptrace signal_perms };
+ allow $1 collectd_t:process signal_perms;
ps_process_pattern($1, collectd_t)
- init_labeled_script_domtrans($1, collectd_initrc_exec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 collectd_t:process ptrace;
+ ')
+
+ collectd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 collectd_initrc_exec_t system_r;
allow $2 system_r;
@@ -36,4 +177,9 @@ interface(`collectd_admin',`
files_search_var_lib($1)
admin_pattern($1, collectd_var_lib_t)
+
+ collectd_systemctl($1)
+ admin_pattern($1, collectd_unit_file_t)
+ allow $1 collectd_unit_file_t:service all_service_perms;
')
+
diff --git a/collectd.te b/collectd.te
index 6471fa8c4..4abd55f87 100644
--- a/collectd.te
+++ b/collectd.te
@@ -26,43 +26,59 @@ files_type(collectd_var_lib_t)
type collectd_var_run_t;
files_pid_file(collectd_var_run_t)
+type collectd_unit_file_t;
+systemd_unit_file(collectd_unit_file_t)
+
apache_content_template(collectd)
+apache_content_alias_template(collectd, collectd)
+
+type collectd_script_tmp_t alias httpd_collectd_script_tmp_t;
+files_tmp_file(collectd_script_tmp_t)
########################################
#
# Local policy
#
-allow collectd_t self:capability { ipc_lock sys_nice };
+allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_read_search dac_override setuid setgid };
allow collectd_t self:process { getsched setsched signal };
allow collectd_t self:fifo_file rw_fifo_file_perms;
allow collectd_t self:packet_socket create_socket_perms;
-allow collectd_t self:unix_stream_socket { accept listen };
+allow collectd_t self:unix_stream_socket { accept listen connectto };
+allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+allow collectd_t self:udp_socket create_socket_perms;
+allow collectd_t self:rawip_socket create_socket_perms;
manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
-files_pid_filetrans(collectd_t, collectd_var_run_t, file)
+manage_sock_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
+files_pid_filetrans(collectd_t, collectd_var_run_t, { file sock_file })
-domain_use_interactive_fds(collectd_t)
+kernel_read_all_sysctls(collectd_t)
+kernel_read_all_proc(collectd_t)
+kernel_list_all_proc(collectd_t)
-kernel_read_network_state(collectd_t)
-kernel_read_net_sysctls(collectd_t)
-kernel_read_system_state(collectd_t)
+auth_use_nsswitch(collectd_t)
+
+corenet_udp_bind_generic_node(collectd_t)
+corenet_udp_bind_collectd_port(collectd_t)
dev_read_rand(collectd_t)
dev_read_sysfs(collectd_t)
dev_read_urand(collectd_t)
+domain_use_interactive_fds(collectd_t)
+domain_read_all_domains_state(collectd_t)
+
files_getattr_all_dirs(collectd_t)
-files_read_etc_files(collectd_t)
-files_read_usr_files(collectd_t)
fs_getattr_all_fs(collectd_t)
+fs_getattr_all_dirs(collectd_t)
-miscfiles_read_localization(collectd_t)
+init_read_utmp(collectd_t)
logging_send_syslog_msg(collectd_t)
@@ -74,17 +90,40 @@ tunable_policy(`collectd_tcp_network_connect',`
corenet_tcp_sendrecv_all_ports(collectd_t)
')
+optional_policy(`
+ mysql_stream_connect(collectd_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(collectd_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(collectd_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_dirs(collectd_t)
+')
+
optional_policy(`
virt_read_config(collectd_t)
+ virt_stream_connect(collectd_t)
')
########################################
#
-# Web local policy
+# Web collectd local policy
#
-optional_policy(`
- read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
- list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
- miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
-')
+
+files_search_var_lib(collectd_script_t)
+read_files_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+list_dirs_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+miscfiles_setattr_fonts_cache_dirs(collectd_script_t)
+
+manage_dirs_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
+manage_files_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
+files_tmp_filetrans(collectd_script_t, collectd_script_tmp_t, { file dir })
+
+auth_read_passwd(collectd_script_t)
diff --git a/colord.fc b/colord.fc
index 71639eb54..08ab89171 100644
--- a/colord.fc
+++ b/colord.fc
@@ -7,5 +7,7 @@
/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
/usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
+/usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0)
+
/var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
/var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
diff --git a/colord.if b/colord.if
index 8e27a37c1..c69be28b9 100644
--- a/colord.if
+++ b/colord.if
@@ -1,4 +1,4 @@
-## GNOME color manager.
+## GNOME color manager
########################################
##
@@ -15,7 +15,6 @@ interface(`colord_domtrans',`
type colord_t, colord_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, colord_exec_t, colord_t)
')
@@ -38,6 +37,7 @@ interface(`colord_dbus_chat',`
allow $1 colord_t:dbus send_msg;
allow colord_t $1:dbus send_msg;
+ ps_process_pattern(colord_t, $1)
')
######################################
@@ -58,3 +58,27 @@ interface(`colord_read_lib_files',`
files_search_var_lib($1)
read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
')
+
+########################################
+##
+## Execute colord server in the colord domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`colord_systemctl',`
+ gen_require(`
+ type colord_t;
+ type colord_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 colord_unit_file_t:file read_file_perms;
+ allow $1 colord_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, colord_t)
+')
diff --git a/colord.te b/colord.te
index 9f2dfb233..ad8ae4228 100644
--- a/colord.te
+++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.1.0)
type colord_t;
type colord_exec_t;
dbus_system_domain(colord_t, colord_exec_t)
+init_daemon_domain(colord_t, colord_exec_t)
type colord_tmp_t;
files_tmp_file(colord_tmp_t)
@@ -18,6 +19,9 @@ files_tmpfs_file(colord_tmpfs_t)
type colord_var_lib_t;
files_type(colord_var_lib_t)
+type colord_unit_file_t;
+systemd_unit_file(colord_unit_file_t)
+
########################################
#
# Local policy
@@ -26,10 +30,13 @@ files_type(colord_var_lib_t)
allow colord_t self:capability { dac_read_search dac_override };
dontaudit colord_t self:capability sys_admin;
allow colord_t self:process signal;
+
allow colord_t self:fifo_file rw_fifo_file_perms;
allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow colord_t self:tcp_socket { accept listen };
+allow colord_t self:tcp_socket create_stream_socket_perms;
allow colord_t self:shm create_shm_perms;
+allow colord_t self:udp_socket create_socket_perms;
+allow colord_t self:unix_dgram_socket create_socket_perms;
manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
@@ -74,22 +81,21 @@ dev_read_video_dev(colord_t)
dev_write_video_dev(colord_t)
dev_rw_printer(colord_t)
dev_read_rand(colord_t)
-dev_read_sysfs(colord_t)
dev_read_urand(colord_t)
-dev_list_sysfs(colord_t)
+dev_read_sysfs(colord_t)
dev_rw_generic_usb_dev(colord_t)
domain_use_interactive_fds(colord_t)
files_list_mnt(colord_t)
-files_read_usr_files(colord_t)
-fs_getattr_noxattr_fs(colord_t)
-fs_getattr_tmpfs(colord_t)
+fs_getattr_all_fs(colord_t)
fs_list_noxattr_fs(colord_t)
fs_read_noxattr_fs_files(colord_t)
fs_search_all(colord_t)
fs_dontaudit_getattr_all_fs(colord_t)
+fs_getattr_tmpfs(colord_t)
+fs_read_cgroup_files(colord_t)
storage_getattr_fixed_disk_dev(colord_t)
storage_getattr_removable_dev(colord_t)
@@ -100,19 +106,17 @@ init_read_state(colord_t)
auth_use_nsswitch(colord_t)
+init_read_state(colord_t)
+
logging_send_syslog_msg(colord_t)
-miscfiles_read_localization(colord_t)
+systemd_read_logind_sessions_files(colord_t)
+systemd_hwdb_manage_config(colord_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_getattr_nfs(colord_t)
- fs_read_nfs_files(colord_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_getattr_cifs(colord_t)
- fs_read_cifs_files(colord_t)
-')
+userdom_rw_user_tmp_files(colord_t)
+userdom_home_reader(colord_t)
+userdom_list_user_home_content(colord_t)
+userdom_read_inherited_user_home_content_files(colord_t)
optional_policy(`
cups_read_config(colord_t)
@@ -120,6 +124,13 @@ optional_policy(`
cups_read_state(colord_t)
cups_stream_connect(colord_t)
cups_dbus_chat(colord_t)
+ cups_read_state(colord_t)
+')
+
+optional_policy(`
+ gnome_read_home_icc_data_content(colord_t)
+ # Fixes lots of breakage in F16 on upgrade
+ gnome_read_generic_data_home_files(colord_t)
')
optional_policy(`
@@ -137,3 +148,17 @@ optional_policy(`
udev_read_db(colord_t)
udev_read_pid_files(colord_t)
')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(colord_t)
+ xserver_read_xdm_state(colord_t)
+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
+ xserver_read_inherited_xdm_lib_files(colord_t)
+ # allow to read /run/initial-setup-$username
+ xserver_read_xdm_pid(colord_t)
+ xserver_map_xdm_pid(colord_t)
+')
+
+optional_policy(`
+ zoneminder_rw_tmpfs_files(colord_t)
+')
diff --git a/comsat.te b/comsat.te
index c63cf8556..dc6998b60 100644
--- a/comsat.te
+++ b/comsat.te
@@ -37,6 +37,13 @@ kernel_read_kernel_sysctls(comsat_t)
kernel_read_network_state(comsat_t)
kernel_read_system_state(comsat_t)
+corenet_all_recvfrom_netlabel(comsat_t)
+corenet_tcp_sendrecv_generic_if(comsat_t)
+corenet_udp_sendrecv_generic_if(comsat_t)
+corenet_tcp_sendrecv_generic_node(comsat_t)
+corenet_udp_sendrecv_generic_node(comsat_t)
+corenet_udp_sendrecv_all_ports(comsat_t)
+
dev_read_urand(comsat_t)
fs_getattr_xattr_fs(comsat_t)
@@ -52,8 +59,6 @@ init_dontaudit_write_utmp(comsat_t)
logging_send_syslog_msg(comsat_t)
-miscfiles_read_localization(comsat_t)
-
userdom_dontaudit_getattr_user_ttys(comsat_t)
mta_getattr_spool(comsat_t)
diff --git a/condor.fc b/condor.fc
index ad2b69606..28d1af020 100644
--- a/condor.fc
+++ b/condor.fc
@@ -1,6 +1,7 @@
/etc/condor(/.*)? gen_context(system_u:object_r:condor_conf_t,s0)
/etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0)
+/usr/lib/systemd/system/condor.* -- gen_context(system_u:object_r:condor_unit_file_t,s0)
/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
diff --git a/condor.if b/condor.if
index 881d92f35..a2d588a51 100644
--- a/condor.if
+++ b/condor.if
@@ -1,75 +1,391 @@
-## High-Throughput Computing System.
+
+## policy for condor
+
+#####################################
+##
+## Creates types and rules for a basic
+## condor init daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`condor_domain_template',`
+ gen_require(`
+ type condor_master_t;
+ attribute condor_domain;
+ ')
+
+ #############################
+ #
+ # Declarations
+ #
+
+ type condor_$1_t, condor_domain;
+ type condor_$1_exec_t;
+ init_daemon_domain(condor_$1_t, condor_$1_exec_t)
+ role system_r types condor_$1_t;
+
+ domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
+ allow condor_master_t condor_$1_exec_t:file ioctl;
+
+ kernel_read_system_state(condor_$1_t)
+
+ corenet_all_recvfrom_netlabel(condor_$1_t)
+ corenet_all_recvfrom_unlabeled(condor_$1_t)
+
+ auth_use_nsswitch(condor_$1_t)
+
+ logging_send_syslog_msg(condor_$1_t)
+')
+
+########################################
+##
+## Transition to condor.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`condor_domtrans_master',`
+ gen_require(`
+ type condor_master_t, condor_master_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, condor_master_exec_t, condor_master_t)
+')
+
+#######################################
+##
+## Allows to start userland processes
+## by transitioning to the specified domain,
+## with a range transition.
+##
+##
+##
+## The process type entered by condor_startd.
+##
+##
+##
+##
+## The executable type for the entrypoint.
+##
+##
+##
+##
+## Range for the domain.
+##
+##
+#
+interface(`condor_startd_ranged_domtrans_to',`
+ gen_require(`
+ type sshd_t;
+ ')
+ condor_startd_domtrans_to($1, $2)
+
+
+ ifdef(`enable_mcs',`
+ range_transition condor_startd_t $2:process $3;
+ ')
+
+')
#######################################
##
-## The template to define a condor domain.
+## Allows to start userlandprocesses
+## by transitioning to the specified domain.
##
-##
+##
+##
+## The process type entered by condor_startd.
+##
+##
+##
+##
+## The executable type for the entrypoint.
+##
+##
+#
+interface(`condor_startd_domtrans_to',`
+ gen_require(`
+ type condor_startd_t;
+ ')
+
+ domtrans_pattern(condor_startd_t, $2, $1)
+')
+
+########################################
+##
+## Read condor's log files.
+##
+##
##
-## Domain prefix to be used.
+## Domain allowed access.
##
##
+##
#
-template(`condor_domain_template',`
+interface(`condor_read_log',`
gen_require(`
- attribute condor_domain;
- type condor_master_t;
+ type condor_log_t;
')
- #############################
- #
- # Declarations
- #
+ logging_search_logs($1)
+ read_files_pattern($1, condor_log_t, condor_log_t)
+')
- type condor_$1_t, condor_domain;
- type condor_$1_exec_t;
- domain_type(condor_$1_t)
- domain_entry_file(condor_$1_t, condor_$1_exec_t)
- role system_r types condor_$1_t;
+########################################
+##
+## Append to condor log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_append_log',`
+ gen_require(`
+ type condor_log_t;
+ ')
- #############################
- #
- # Policy
- #
+ logging_search_logs($1)
+ append_files_pattern($1, condor_log_t, condor_log_t)
+')
- domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
- allow condor_master_t condor_$1_exec_t:file ioctl;
+########################################
+##
+## Manage condor log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_manage_log',`
+ gen_require(`
+ type condor_log_t;
+ ')
- auth_use_nsswitch(condor_$1_t)
+ logging_search_logs($1)
+ manage_dirs_pattern($1, condor_log_t, condor_log_t)
+ manage_files_pattern($1, condor_log_t, condor_log_t)
+ manage_lnk_files_pattern($1, condor_log_t, condor_log_t)
')
########################################
##
-## All of the rules required to
-## administrate an condor environment.
+## Search condor lib directories.
##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`condor_search_lib',`
+ gen_require(`
+ type condor_var_lib_t;
+ ')
+
+ allow $1 condor_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read condor lib files.
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
-##
#
-interface(`condor_admin',`
+interface(`condor_read_lib_files',`
+ gen_require(`
+ type condor_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+######################################
+##
+## Read and write condor lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_rw_lib_files',`
+ gen_require(`
+ type condor_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+########################################
+##
+## Manage condor lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_manage_lib_files',`
+ gen_require(`
+ type condor_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+########################################
+##
+## Manage condor lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_manage_lib_dirs',`
+ gen_require(`
+ type condor_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+########################################
+##
+## Read condor PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_read_pid_files',`
gen_require(`
- attribute condor_domain;
- type condor_initrc_exec_config_t, condor_log_t;
- type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
- type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
+ type condor_var_run_t;
')
- allow $1 condor_domain:process { ptrace signal_perms };
+ files_search_pids($1)
+ allow $1 condor_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Execute condor server in the condor domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`condor_systemctl',`
+ gen_require(`
+ type condor_domain;
+ type condor_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 condor_unit_file_t:file read_file_perms;
+ allow $1 condor_unit_file_t:service manage_service_perms;
+
ps_process_pattern($1, condor_domain)
+')
+
+#######################################
+##
+## Read and write condor_startd server TCP sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_rw_tcp_sockets_startd',`
+ gen_require(`
+ type condor_startd_t;
+ ')
- init_labeled_script_domtrans($1, condor_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 condor_initrc_exec_t system_r;
- allow $2 system_r;
+ allow $1 condor_startd_t:tcp_socket rw_socket_perms;
+')
+
+######################################
+##
+## Read and write condor_schedd server TCP sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_rw_tcp_sockets_schedd',`
+ gen_require(`
+ type condor_schedd_t;
+ ')
+
+ allow $1 condor_schedd_t:tcp_socket rw_socket_perms;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an condor environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_admin',`
+ gen_require(`
+ attribute condor_domain;
+ type condor_initrc_exec_t, condor_log_t, condor_conf_t;
+ type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
+ type condor_var_run_t, condor_startd_tmp_t;
+ type condor_unit_file_t;
+ ')
+
+ allow $1 condor_domain:process { signal_perms };
+ ps_process_pattern($1, condor_domain)
+
+ init_labeled_script_domtrans($1, condor_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 condor_initrc_exec_t system_r;
+ allow $2 system_r;
files_search_etc($1)
admin_pattern($1, condor_conf_t)
@@ -77,8 +393,8 @@ interface(`condor_admin',`
logging_search_logs($1)
admin_pattern($1, condor_log_t)
- files_search_locks($1)
- admin_pattern($1, condor_var_lock_t)
+ files_search_locks($1)
+ admin_pattern($1, condor_var_lock_t)
files_search_var_lib($1)
admin_pattern($1, condor_var_lib_t)
@@ -88,4 +404,13 @@ interface(`condor_admin',`
files_search_tmp($1)
admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })
+
+ condor_systemctl($1)
+ admin_pattern($1, condor_unit_file_t)
+ allow $1 condor_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/condor.te b/condor.te
index ce9f040e2..990ada3ad 100644
--- a/condor.te
+++ b/condor.te
@@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t)
type condor_startd_tmpfs_t;
files_tmpfs_file(condor_startd_tmpfs_t)
-type condor_conf_t;
+type condor_conf_t alias condor_etc_rw_t;
files_config_file(condor_conf_t)
type condor_log_t;
@@ -49,6 +49,9 @@ files_lock_file(condor_var_lock_t)
type condor_var_run_t;
files_pid_file(condor_var_run_t)
+type condor_unit_file_t;
+systemd_unit_file(condor_unit_file_t)
+
condor_domain_template(collector)
condor_domain_template(negotiator)
condor_domain_template(procd)
@@ -60,10 +63,18 @@ condor_domain_template(startd)
# Global local policy
#
+allow condor_domain self:capability { dac_read_search dac_override };
+allow condor_domain self:capability2 block_suspend;
+
allow condor_domain self:process signal_perms;
allow condor_domain self:fifo_file rw_fifo_file_perms;
-allow condor_domain self:tcp_socket { accept listen };
-allow condor_domain self:unix_stream_socket { accept listen };
+allow condor_domain self:tcp_socket create_stream_socket_perms;
+allow condor_domain self:udp_socket create_socket_perms;
+allow condor_domain self:unix_stream_socket create_stream_socket_perms;
+allow condor_domain self:netlink_route_socket r_netlink_socket_perms;
+
+allow condor_domain condor_etc_rw_t:dir list_dir_perms;
+rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
@@ -86,16 +97,15 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
allow condor_domain condor_master_t:process signull;
allow condor_domain condor_master_t:tcp_socket getattr;
+allow condor_domain condor_master_t:udp_socket { read write };
-kernel_read_kernel_sysctls(condor_domain)
kernel_read_network_state(condor_domain)
-kernel_read_system_state(condor_domain)
+kernel_rw_kernel_sysctl(condor_domain)
+kernel_search_network_sysctl(condor_domain)
corecmd_exec_bin(condor_domain)
corecmd_exec_shell(condor_domain)
-corenet_all_recvfrom_netlabel(condor_domain)
-corenet_all_recvfrom_unlabeled(condor_domain)
corenet_tcp_sendrecv_generic_if(condor_domain)
corenet_tcp_sendrecv_generic_node(condor_domain)
@@ -109,9 +119,9 @@ dev_read_rand(condor_domain)
dev_read_sysfs(condor_domain)
dev_read_urand(condor_domain)
-logging_send_syslog_msg(condor_domain)
+auth_read_passwd(condor_domain)
-miscfiles_read_localization(condor_domain)
+sysnet_dns_name_resolve(condor_domain)
sysnet_dns_name_resolve(condor_domain)
@@ -130,7 +140,7 @@ optional_policy(`
# Master local policy
#
-allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
+allow condor_master_t self:capability { chown setuid setgid sys_ptrace net_admin };
allow condor_master_t condor_domain:process { sigkill signal };
@@ -138,6 +148,12 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
+can_exec(condor_master_t, condor_master_exec_t)
+
+kernel_read_system_state(condor_master_t)
+kernel_read_fs_sysctls(condor_master_t)
+kernel_rw_net_sysctls(condor_master_t)
+
corenet_udp_sendrecv_generic_if(condor_master_t)
corenet_udp_sendrecv_generic_node(condor_master_t)
corenet_tcp_bind_generic_node(condor_master_t)
@@ -157,6 +173,8 @@ domain_read_all_domains_state(condor_master_t)
auth_use_nsswitch(condor_master_t)
+logging_send_syslog_msg(condor_master_t)
+
optional_policy(`
mta_send_mail(condor_master_t)
mta_read_config(condor_master_t)
@@ -174,6 +192,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
kernel_read_network_state(condor_collector_t)
+corenet_tcp_bind_http_port(condor_collector_t)
+
#####################################
#
# Negotiator local policy
@@ -183,12 +203,14 @@ allow condor_negotiator_t self:capability { setuid setgid };
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_negotiator_t condor_master_t:udp_socket getattr;
+corenet_tcp_connect_all_ephemeral_ports(condor_negotiator_t)
+
######################################
#
# Procd local policy
#
-allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
+allow condor_procd_t self:capability { fowner chown kill dac_read_search dac_override sys_ptrace };
allow condor_procd_t condor_domain:process sigkill;
@@ -199,13 +221,15 @@ domain_read_all_domains_state(condor_procd_t)
# Schedd local policy
#
-allow condor_schedd_t self:capability { setuid chown setgid dac_override };
+allow condor_schedd_t self:capability { setuid chown setgid dac_read_search dac_override };
allow condor_schedd_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_schedd_t condor_master_t:udp_socket getattr;
allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
+allow condor_schedd_t condor_master_tmp_t:dir getattr;
+
domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
@@ -214,12 +238,19 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
+corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t)
+
+optional_policy(`
+ mta_send_mail(condor_schedd_t)
+ mta_read_config(condor_schedd_t)
+')
+
#####################################
#
# Startd local policy
#
-allow condor_startd_t self:capability { setuid net_admin setgid dac_override };
+allow condor_startd_t self:capability { setuid net_admin setgid dac_read_search dac_override };
allow condor_startd_t self:process execmem;
manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
@@ -238,11 +269,10 @@ domain_read_all_domains_state(condor_startd_t)
mcs_process_set_categories(condor_startd_t)
init_domtrans_script(condor_startd_t)
+init_initrc_domain(condor_startd_t)
libs_exec_lib_files(condor_startd_t)
-files_read_usr_files(condor_startd_t)
-
optional_policy(`
ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
ssh_domtrans(condor_startd_t)
@@ -254,3 +284,7 @@ optional_policy(`
kerberos_use(condor_startd_ssh_t)
')
')
+
+optional_policy(`
+ unconfined_domain(condor_startd_t)
+')
diff --git a/conman.fc b/conman.fc
new file mode 100644
index 000000000..397da66fb
--- /dev/null
+++ b/conman.fc
@@ -0,0 +1,11 @@
+/usr/lib/systemd/system/conman.* -- gen_context(system_u:object_r:conman_unit_file_t,s0)
+
+/usr/sbin/conmand -- gen_context(system_u:object_r:conman_exec_t,s0)
+
+/usr/share/conman/exec(/.*)? gen_context(system_u:object_r:conman_unconfined_script_exec_t,s0)
+
+/var/log/conman(/.*)? gen_context(system_u:object_r:conman_log_t,s0)
+/var/log/conman\.d(/.*)? gen_context(system_u:object_r:conman_log_t,s0)
+/var/log/conman\.old(/.*)? gen_context(system_u:object_r:conman_log_t,s0)
+
+/var/run/conmand.* -- gen_context(system_u:object_r:conman_var_run_t,s0)
diff --git a/conman.if b/conman.if
new file mode 100644
index 000000000..1cc5fa464
--- /dev/null
+++ b/conman.if
@@ -0,0 +1,143 @@
+## Conman is a program for connecting to remote consoles being managed by conmand
+
+########################################
+##
+## Execute conman in the conman domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`conman_domtrans',`
+ gen_require(`
+ type conman_t, conman_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, conman_exec_t, conman_t)
+')
+
+########################################
+##
+## Read conman's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`conman_read_log',`
+ gen_require(`
+ type conman_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, conman_log_t, conman_log_t)
+')
+
+########################################
+##
+## Append to conman log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`conman_append_log',`
+ gen_require(`
+ type conman_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, conman_log_t, conman_log_t)
+')
+
+########################################
+##
+## Manage conman log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`conman_manage_log',`
+ gen_require(`
+ type conman_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, conman_log_t, conman_log_t)
+ manage_files_pattern($1, conman_log_t, conman_log_t)
+')
+
+########################################
+##
+## Execute conman server in the conman domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`conman_systemctl',`
+ gen_require(`
+ type conman_t;
+ type conman_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 conman_unit_file_t:file read_file_perms;
+ allow $1 conman_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, conman_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an conman environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`conman_admin',`
+ gen_require(`
+ type conman_t;
+ type conman_log_t;
+ type conman_unit_file_t;
+ ')
+
+ allow $1 conman_t:process { signal_perms };
+ ps_process_pattern($1, conman_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 conman_t:process ptrace;
+ ')
+
+ logging_search_logs($1)
+ admin_pattern($1, conman_log_t)
+
+ conman_systemctl($1)
+ admin_pattern($1, conman_unit_file_t)
+ allow $1 conman_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/conman.te b/conman.te
new file mode 100644
index 000000000..8d5d88400
--- /dev/null
+++ b/conman.te
@@ -0,0 +1,117 @@
+policy_module(conman, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
+## Determine whether conman can
+## connect to all TCP ports
+##
+##
+gen_tunable(conman_can_network, false)
+
+##
+##
+## Allow conman to manage nfs files
+##
+##
+gen_tunable(conman_use_nfs, false)
+
+type conman_t;
+type conman_exec_t;
+init_daemon_domain(conman_t, conman_exec_t)
+
+type conman_log_t;
+logging_log_file(conman_log_t)
+
+type conman_tmp_t;
+files_tmp_file(conman_tmp_t)
+
+type conman_var_run_t;
+files_pid_file(conman_var_run_t)
+
+type conman_unit_file_t;
+systemd_unit_file(conman_unit_file_t)
+
+type conman_unconfined_script_t;
+type conman_unconfined_script_exec_t;
+application_domain(conman_unconfined_script_t, conman_unconfined_script_exec_t)
+init_system_domain(conman_unconfined_script_t, conman_unconfined_script_exec_t)
+
+########################################
+#
+# conman local policy
+#
+
+allow conman_t self:capability { sys_tty_config };
+allow conman_t self:process { setrlimit signal_perms };
+
+allow conman_t self:fifo_file rw_fifo_file_perms;
+allow conman_t self:unix_stream_socket create_stream_socket_perms;
+allow conman_t self:tcp_socket { accept listen create_socket_perms };
+
+allow conman_t conman_unconfined_script_t:process sigkill;
+allow conman_t conman_unconfined_script_exec_t:dir list_dir_perms;
+
+manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)
+manage_files_pattern(conman_t, conman_log_t, conman_log_t)
+logging_log_filetrans(conman_t, conman_log_t, { dir })
+
+manage_files_pattern(conman_t, conman_tmp_t, conman_tmp_t)
+manage_dirs_pattern(conman_t, conman_tmp_t, conman_tmp_t)
+files_tmp_filetrans(conman_t, conman_tmp_t, { file dir })
+
+manage_files_pattern(conman_t, conman_var_run_t, conman_var_run_t)
+files_pid_filetrans(conman_t, conman_var_run_t, file)
+
+auth_use_nsswitch(conman_t)
+
+kernel_read_system_state(conman_t)
+
+corenet_tcp_bind_generic_node(conman_t)
+corenet_tcp_bind_conman_port(conman_t)
+
+corenet_tcp_connect_all_ephemeral_ports(conman_t)
+
+corecmd_exec_bin(conman_t)
+
+dev_read_urand(conman_t)
+
+logging_send_syslog_msg(conman_t)
+
+sysnet_dns_name_resolve(conman_t)
+
+userdom_use_user_ptys(conman_t)
+
+term_use_ptmx(conman_t)
+term_use_usb_ttys(conman_t)
+term_getattr_pty_fs(conman_t)
+
+tunable_policy(`conman_can_network',`
+ corenet_sendrecv_all_client_packets(conman_t)
+ corenet_tcp_connect_all_ports(conman_t)
+ corenet_tcp_sendrecv_all_ports(conman_t)
+')
+
+tunable_policy(`conman_use_nfs',`
+ fs_manage_nfs_files(conman_t)
+ fs_read_nfs_symlinks(conman_t)
+')
+
+optional_policy(`
+ freeipmi_stream_connect(conman_t)
+')
+
+########################################
+#
+# conman script local policy
+#
+
+domtrans_pattern(conman_t, conman_unconfined_script_exec_t, conman_unconfined_script_t)
+
+optional_policy(`
+ unconfined_domain(conman_unconfined_script_t)
+')
diff --git a/consolekit.fc b/consolekit.fc
index 23c95582f..29e5fd38d 100644
--- a/consolekit.fc
+++ b/consolekit.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
+
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
diff --git a/consolekit.if b/consolekit.if
index 5b830ec9c..78025c5e7 100644
--- a/consolekit.if
+++ b/consolekit.if
@@ -19,6 +19,27 @@ interface(`consolekit_domtrans',`
domtrans_pattern($1, consolekit_exec_t, consolekit_t)
')
+########################################
+##
+## dontaudit Send and receive messages from
+## consolekit over dbus.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`consolekit_dontaudit_dbus_chat',`
+ gen_require(`
+ type consolekit_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 consolekit_t:dbus send_msg;
+ dontaudit consolekit_t $1:dbus send_msg;
+')
+
########################################
##
## Send and receive messages from
@@ -40,6 +61,24 @@ interface(`consolekit_dbus_chat',`
allow consolekit_t $1:dbus send_msg;
')
+########################################
+##
+## Dontaudit attempts to read consolekit log files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`consolekit_dontaudit_read_log',`
+ gen_require(`
+ type consolekit_log_t;
+ ')
+
+ dontaudit $1 consolekit_log_t:file read_file_perms;
+')
+
########################################
##
## Read consolekit log files.
@@ -98,3 +137,65 @@ interface(`consolekit_read_pid_files',`
allow $1 consolekit_var_run_t:dir list_dir_perms;
read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
')
+
+########################################
+##
+## List consolekit PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`consolekit_list_pid_files',`
+ gen_require(`
+ type consolekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
+
+########################################
+##
+## Allow the domain to read consolekit state files in /proc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`consolekit_read_state',`
+ gen_require(`
+ type consolekit_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, consolekit_t)
+')
+
+########################################
+##
+## Execute consolekit server in the consolekit domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`consolekit_systemctl',`
+ gen_require(`
+ type consolekit_t;
+ type consolekit_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 consolekit_unit_file_t:file read_file_perms;
+ allow $1 consolekit_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, consolekit_t)
+')
diff --git a/consolekit.te b/consolekit.te
index bd18063f6..94407f854 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -19,21 +19,23 @@ type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
+type consolekit_unit_file_t;
+systemd_unit_file(consolekit_unit_file_t)
+
########################################
#
# Local policy
#
-allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
+allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_read_search dac_override sys_nice sys_ptrace };
+
allow consolekit_t self:process { getsched signal };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket { accept listen };
-create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-logging_log_filetrans(consolekit_t, consolekit_log_t, file)
+manage_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+logging_log_filetrans(consolekit_t, consolekit_log_t, { dir file })
manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
@@ -54,38 +56,37 @@ dev_read_sysfs(consolekit_t)
domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
-domain_dontaudit_ptrace_all_domains(consolekit_t)
-files_read_usr_files(consolekit_t)
+# needs to read /var/lib/dbus/machine-id
files_read_var_lib_files(consolekit_t)
files_search_all_mountpoints(consolekit_t)
fs_list_inotifyfs(consolekit_t)
-mcs_ptrace_all(consolekit_t)
-
term_use_all_terms(consolekit_t)
auth_use_nsswitch(consolekit_t)
auth_manage_pam_console_data(consolekit_t)
auth_write_login_records(consolekit_t)
auth_create_pam_console_data_dirs(consolekit_t)
-auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
+
+init_read_utmp(consolekit_t)
logging_send_syslog_msg(consolekit_t)
logging_send_audit_msgs(consolekit_t)
-miscfiles_read_localization(consolekit_t)
+systemd_exec_systemctl(consolekit_t)
+systemd_start_power_services(consolekit_t)
+userdom_read_all_users_state(consolekit_t)
userdom_dontaudit_read_user_home_content_files(consolekit_t)
+userdom_dontaudit_getattr_admin_home_files(consolekit_t)
userdom_read_user_tmp_files(consolekit_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(consolekit_t)
-')
+userdom_home_reader(consolekit_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(consolekit_t)
+optional_policy(`
+ cron_read_system_job_lib_files(consolekit_t)
')
optional_policy(`
@@ -109,13 +110,6 @@ optional_policy(`
')
')
-optional_policy(`
- hal_ptrace(consolekit_t)
-')
-
-optional_policy(`
- networkmanager_append_log_files(consolekit_t)
-')
optional_policy(`
policykit_domtrans_auth(consolekit_t)
diff --git a/container.fc b/container.fc
new file mode 100644
index 000000000..bad12f421
--- /dev/null
+++ b/container.fc
@@ -0,0 +1,31 @@
+/root/\.docker gen_context(system_u:object_r:container_home_t,s0)
+
+/usr/bin/docker -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0)
+/usr/lib/docker/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0)
+
+/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/lib/systemd/system/docker-novolume-plugin.service -- gen_context(system_u:object_r:container_unit_file_t,s0)
+
+/etc/docker(/.*)? gen_context(system_u:object_r:container_config_t,s0)
+
+/var/lib/docker(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/containers(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker/overlay(/.*)? gen_context(system_u:object_r:container_share_t,s0)
+/var/lib/kublet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+
+/var/run/docker(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/containerd(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker\.pid -- gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker\.sock -s gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker-client(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker/plugins(/.*)? gen_context(system_u:object_r:container_plugin_var_run_t,s0)
+
+/var/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0)
+
+/var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0)
+
+/var/lib/docker/init(/.*)? gen_context(system_u:object_r:container_share_t,s0)
+/var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:container_share_t,s0)
+/var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:container_share_t,s0)
+/var/lib/docker/.*/config\.env gen_context(system_u:object_r:container_share_t,s0)
diff --git a/container.if b/container.if
new file mode 100644
index 000000000..785affa3f
--- /dev/null
+++ b/container.if
@@ -0,0 +1,542 @@
+
+## The open-source application container engine.
+
+########################################
+##
+## Execute docker in the docker domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`container_runtime_domtrans',`
+ gen_require(`
+ type container_runtime_t, container_runtime_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, container_runtime_exec_t, container_runtime_t)
+')
+
+########################################
+##
+## Execute docker in the caller domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`container_runtime_exec',`
+ gen_require(`
+ type container_runtime_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, container_runtime_exec_t)
+')
+
+########################################
+##
+## Search docker lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_search_lib',`
+ gen_require(`
+ type container_var_lib_t;
+ ')
+
+ allow $1 container_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Execute docker lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_exec_lib',`
+ gen_require(`
+ type container_var_lib_t;
+ ')
+
+ allow $1 container_var_lib_t:dir search_dir_perms;
+ can_exec($1, container_var_lib_t)
+')
+
+########################################
+##
+## Read docker lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_read_lib_files',`
+ gen_require(`
+ type container_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, container_var_lib_t, container_var_lib_t)
+')
+
+########################################
+##
+## Read docker share files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_read_share_files',`
+ gen_require(`
+ type container_share_t;
+ ')
+
+ files_search_var_lib($1)
+ list_dirs_pattern($1, container_share_t, container_share_t)
+ read_files_pattern($1, container_share_t, container_share_t)
+ read_lnk_files_pattern($1, container_share_t, container_share_t)
+')
+
+######################################
+##
+## Allow the specified domain to execute docker shared files
+## in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_exec_share_files',`
+ gen_require(`
+ type container_share_t;
+ ')
+
+ can_exec($1, container_share_t)
+')
+
+########################################
+##
+## Manage docker lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_manage_lib_files',`
+ gen_require(`
+ type container_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, container_var_lib_t, container_var_lib_t)
+ manage_lnk_files_pattern($1, container_var_lib_t, container_var_lib_t)
+')
+
+########################################
+##
+## Manage docker lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_manage_lib_dirs',`
+ gen_require(`
+ type container_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, container_var_lib_t, container_var_lib_t)
+')
+
+########################################
+##
+## Create objects in a docker var lib directory
+## with an automatic type transition to
+## a specified private type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`container_lib_filetrans',`
+ gen_require(`
+ type container_var_lib_t;
+ ')
+
+ filetrans_pattern($1, container_var_lib_t, $2, $3, $4)
+')
+
+########################################
+##
+## Read docker PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_read_pid_files',`
+ gen_require(`
+ type container_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, container_var_run_t, container_var_run_t)
+')
+
+########################################
+##
+## Execute docker server in the docker domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`container_systemctl',`
+ gen_require(`
+ type container_runtime_t;
+ type container_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 container_unit_file_t:file read_file_perms;
+ allow $1 container_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, container_runtime_t)
+')
+
+########################################
+##
+## Read and write docker shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_rw_sem',`
+ gen_require(`
+ type container_runtime_t;
+ ')
+
+ allow $1 container_runtime_t:sem rw_sem_perms;
+')
+
+#######################################
+##
+## Read and write the docker pty type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_use_ptys',`
+ gen_require(`
+ type container_devpts_t;
+ ')
+
+ allow $1 container_devpts_t:chr_file rw_term_perms;
+')
+
+#######################################
+##
+## Allow domain to create docker content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_filetrans_named_content',`
+
+ gen_require(`
+ type container_var_lib_t;
+ type container_share_t;
+ type container_log_t;
+ type container_var_run_t;
+ type container_home_t;
+ ')
+
+ files_pid_filetrans($1, container_var_run_t, file, "docker.pid")
+ files_pid_filetrans($1, container_var_run_t, sock_file, "docker.sock")
+ files_pid_filetrans($1, container_var_run_t, dir, "docker-client")
+ logging_log_filetrans($1, container_log_t, dir, "lxc")
+ files_var_lib_filetrans($1, container_var_lib_t, dir, "docker")
+ filetrans_pattern($1, container_var_lib_t, container_share_t, file, "config.env")
+ filetrans_pattern($1, container_var_lib_t, container_share_t, file, "hosts")
+ filetrans_pattern($1, container_var_lib_t, container_share_t, file, "hostname")
+ filetrans_pattern($1, container_var_lib_t, container_share_t, file, "resolv.conf")
+ filetrans_pattern($1, container_var_lib_t, container_share_t, dir, "init")
+ userdom_admin_home_dir_filetrans($1, container_home_t, dir, ".docker")
+')
+
+########################################
+##
+## Connect to docker over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_stream_connect',`
+ gen_require(`
+ type container_runtime_t, container_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, container_var_run_t, container_var_run_t, container_runtime_t)
+')
+
+########################################
+##
+## Connect to SPC containers over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_spc_stream_connect',`
+ gen_require(`
+ type spc_t, spc_var_run_t;
+ ')
+
+ files_search_pids($1)
+ files_write_all_pid_sockets($1)
+ allow $1 spc_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an docker environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_admin',`
+ gen_require(`
+ type container_runtime_t;
+ type container_var_lib_t, container_var_run_t;
+ type container_unit_file_t;
+ type container_lock_t;
+ type container_log_t;
+ type container_config_t;
+ ')
+
+ allow $1 container_runtime_t:process { ptrace signal_perms };
+ ps_process_pattern($1, container_runtime_t)
+
+ admin_pattern($1, container_config_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, container_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, container_var_run_t)
+
+ files_search_locks($1)
+ admin_pattern($1, container_lock_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, container_log_t)
+
+ container_systemctl($1)
+ admin_pattern($1, container_unit_file_t)
+ allow $1 container_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
+
+########################################
+##
+## Read the process state of spc containers
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_spc_read_state',`
+ gen_require(`
+ type spc_t;
+ ')
+
+ ps_process_pattern($1, spc_t)
+')
+
+########################################
+##
+## Execute container_auth_exec_t in the container_auth domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`container_auth_domtrans',`
+ gen_require(`
+ type container_auth_t, container_auth_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, container_auth_exec_t, container_auth_t)
+')
+
+######################################
+##
+## Execute container_auth in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_auth_exec',`
+ gen_require(`
+ type container_auth_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, container_auth_exec_t)
+')
+
+########################################
+##
+## Connect to container_auth over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_auth_stream_connect',`
+ gen_require(`
+ type container_auth_t, container_plugin_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, container_plugin_var_run_t, container_plugin_var_run_t, container_auth_t)
+')
+
+########################################
+##
+## docker domain typebounds calling domain.
+##
+##
+##
+## Domain to be typebound.
+##
+##
+#
+interface(`container_runtime_typebounds',`
+ gen_require(`
+ type container_runtime_t;
+ ')
+
+ typebounds container_runtime_t $1;
+')
+
+########################################
+##
+## Allow any container_runtime_exec_t to be an entrypoint of this domain
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`container_entrypoint',`
+ gen_require(`
+ type container_runtime_exec_t;
+ ')
+ allow $1 container_runtime_exec_t:file entrypoint;
+')
+
+########################################
+##
+## rw configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_rw_config',`
+ gen_require(`
+ type container_config_t;
+ ')
+
+ rw_files_pattern($1, container_config_t, container_config_t)
+ files_search_etc($1)
+')
+
diff --git a/container.te b/container.te
new file mode 100644
index 000000000..5a929c427
--- /dev/null
+++ b/container.te
@@ -0,0 +1,391 @@
+policy_module(container, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
+## Determine whether docker can
+## connect to all TCP ports.
+##
+##
+gen_tunable(container_connect_any, false)
+
+type container_runtime_t alias docker_t;
+type container_runtime_exec_t alias docker_exec_t;
+init_daemon_domain(container_runtime_t, container_runtime_exec_t)
+domain_subj_id_change_exemption(container_runtime_t)
+domain_role_change_exemption(container_runtime_t)
+
+type spc_t;
+domain_type(spc_t)
+role system_r types spc_t;
+
+type container_auth_t alias docker_auth_t;
+type container_auth_exec_t alias docker_auth_exec_t;
+init_daemon_domain(container_auth_t, container_auth_exec_t)
+
+type spc_var_run_t;
+files_pid_file(spc_var_run_t)
+
+type container_var_lib_t alias docker_var_lib_t;
+files_type(container_var_lib_t)
+
+type container_home_t alias docker_home_t;
+userdom_user_home_content(container_home_t)
+
+type container_config_t alias docker_config_t;
+files_config_file(container_config_t)
+
+type container_lock_t alias docker_lock_t;
+files_lock_file(container_lock_t)
+
+type container_log_t alias docker_log_t;
+logging_log_file(container_log_t)
+
+type container_runtime_tmp_t alias docker_tmp_t;
+files_tmp_file(container_runtime_tmp_t)
+
+type container_runtime_tmpfs_t alias docker_tmpfs_t;
+files_tmpfs_file(container_runtime_tmpfs_t)
+
+type container_var_run_t alias docker_var_run_t;
+files_pid_file(container_var_run_t)
+
+type container_plugin_var_run_t alias docker_plugin_var_run_t;
+files_pid_file(container_plugin_var_run_t)
+
+type container_unit_file_t alias docker_unit_file_t;
+systemd_unit_file(container_unit_file_t)
+
+type container_devpts_t alias docker_devpts_t;
+term_pty(container_devpts_t)
+
+type container_share_t alias docker_share_t;
+files_type(container_share_t)
+
+########################################
+#
+# docker local policy
+#
+allow container_runtime_t self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap };
+allow container_runtime_t self:tun_socket relabelto;
+allow container_runtime_t self:process { getattr signal_perms setrlimit setfscreate };
+allow container_runtime_t self:fifo_file rw_fifo_file_perms;
+allow container_runtime_t self:unix_stream_socket create_stream_socket_perms;
+allow container_runtime_t self:tcp_socket create_stream_socket_perms;
+allow container_runtime_t self:udp_socket create_socket_perms;
+allow container_runtime_t self:capability2 block_suspend;
+
+container_auth_stream_connect(container_runtime_t)
+
+manage_files_pattern(container_runtime_t, container_home_t, container_home_t)
+manage_dirs_pattern(container_runtime_t, container_home_t, container_home_t)
+manage_lnk_files_pattern(container_runtime_t, container_home_t, container_home_t)
+userdom_admin_home_dir_filetrans(container_runtime_t, container_home_t, dir, ".docker")
+
+manage_dirs_pattern(container_runtime_t, container_config_t, container_config_t)
+manage_files_pattern(container_runtime_t, container_config_t, container_config_t)
+files_etc_filetrans(container_runtime_t, container_config_t, dir, "docker")
+
+manage_dirs_pattern(container_runtime_t, container_lock_t, container_lock_t)
+manage_files_pattern(container_runtime_t, container_lock_t, container_lock_t)
+files_lock_filetrans(container_runtime_t, container_lock_t, { dir file }, "lxc")
+
+manage_dirs_pattern(container_runtime_t, container_log_t, container_log_t)
+manage_files_pattern(container_runtime_t, container_log_t, container_log_t)
+manage_lnk_files_pattern(container_runtime_t, container_log_t, container_log_t)
+logging_log_filetrans(container_runtime_t, container_log_t, { dir file lnk_file })
+allow container_runtime_t container_log_t:dir_file_class_set { relabelfrom relabelto };
+
+manage_dirs_pattern(container_runtime_t, container_runtime_tmp_t, container_runtime_tmp_t)
+manage_files_pattern(container_runtime_t, container_runtime_tmp_t, container_runtime_tmp_t)
+manage_lnk_files_pattern(container_runtime_t, container_runtime_tmp_t, container_runtime_tmp_t)
+files_tmp_filetrans(container_runtime_t, container_runtime_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(container_runtime_t, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_files_pattern(container_runtime_t, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_lnk_files_pattern(container_runtime_t, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_fifo_files_pattern(container_runtime_t, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_chr_files_pattern(container_runtime_t, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_blk_files_pattern(container_runtime_t, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+allow container_runtime_t container_runtime_tmpfs_t:dir relabelfrom;
+can_exec(container_runtime_t, container_runtime_tmpfs_t)
+fs_tmpfs_filetrans(container_runtime_t, container_runtime_tmpfs_t, { dir file })
+allow container_runtime_t container_runtime_tmpfs_t:chr_file mounton;
+
+manage_dirs_pattern(container_runtime_t, container_share_t, container_share_t)
+manage_files_pattern(container_runtime_t, container_share_t, container_share_t)
+manage_lnk_files_pattern(container_runtime_t, container_share_t, container_share_t)
+allow container_runtime_t container_share_t:dir_file_class_set { relabelfrom relabelto };
+
+can_exec(container_runtime_t, container_share_t)
+#container_filetrans_named_content(container_runtime_t)
+
+manage_dirs_pattern(container_runtime_t, container_var_lib_t, container_var_lib_t)
+manage_chr_files_pattern(container_runtime_t, container_var_lib_t, container_var_lib_t)
+manage_blk_files_pattern(container_runtime_t, container_var_lib_t, container_var_lib_t)
+manage_files_pattern(container_runtime_t, container_var_lib_t, container_var_lib_t)
+manage_lnk_files_pattern(container_runtime_t, container_var_lib_t, container_var_lib_t)
+allow container_runtime_t container_var_lib_t:dir_file_class_set { relabelfrom relabelto };
+files_var_lib_filetrans(container_runtime_t, container_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(container_runtime_t, container_var_run_t, container_var_run_t)
+manage_files_pattern(container_runtime_t, container_var_run_t, container_var_run_t)
+manage_sock_files_pattern(container_runtime_t, container_var_run_t, container_var_run_t)
+manage_lnk_files_pattern(container_runtime_t, container_var_run_t, container_var_run_t)
+files_pid_filetrans(container_runtime_t, container_var_run_t, { dir file lnk_file sock_file })
+
+allow container_runtime_t container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
+term_create_pty(container_runtime_t, container_devpts_t)
+
+kernel_read_system_state(container_runtime_t)
+kernel_read_network_state(container_runtime_t)
+kernel_read_all_sysctls(container_runtime_t)
+kernel_rw_net_sysctls(container_runtime_t)
+kernel_setsched(container_runtime_t)
+kernel_read_all_proc(container_runtime_t)
+
+domain_use_interactive_fds(container_runtime_t)
+domain_dontaudit_read_all_domains_state(container_runtime_t)
+
+corecmd_exec_bin(container_runtime_t)
+corecmd_exec_shell(container_runtime_t)
+
+corenet_tcp_bind_generic_node(container_runtime_t)
+corenet_tcp_sendrecv_generic_if(container_runtime_t)
+corenet_tcp_sendrecv_generic_node(container_runtime_t)
+corenet_tcp_sendrecv_generic_port(container_runtime_t)
+corenet_tcp_bind_all_ports(container_runtime_t)
+corenet_tcp_connect_http_port(container_runtime_t)
+corenet_tcp_connect_commplex_main_port(container_runtime_t)
+corenet_udp_sendrecv_generic_if(container_runtime_t)
+corenet_udp_sendrecv_generic_node(container_runtime_t)
+corenet_udp_sendrecv_all_ports(container_runtime_t)
+corenet_udp_bind_generic_node(container_runtime_t)
+corenet_udp_bind_all_ports(container_runtime_t)
+
+files_read_config_files(container_runtime_t)
+files_dontaudit_getattr_all_dirs(container_runtime_t)
+files_dontaudit_getattr_all_files(container_runtime_t)
+
+fs_read_cgroup_files(container_runtime_t)
+fs_read_tmpfs_symlinks(container_runtime_t)
+fs_search_all(container_runtime_t)
+fs_getattr_all_fs(container_runtime_t)
+
+storage_raw_rw_fixed_disk(container_runtime_t)
+
+auth_use_nsswitch(container_runtime_t)
+auth_dontaudit_getattr_shadow(container_runtime_t)
+
+init_read_state(container_runtime_t)
+init_status(container_runtime_t)
+
+logging_send_audit_msgs(container_runtime_t)
+logging_send_syslog_msg(container_runtime_t)
+
+miscfiles_read_localization(container_runtime_t)
+
+mount_domtrans(container_runtime_t)
+
+seutil_read_default_contexts(container_runtime_t)
+seutil_read_config(container_runtime_t)
+
+sysnet_dns_name_resolve(container_runtime_t)
+sysnet_exec_ifconfig(container_runtime_t)
+
+optional_policy(`
+ rpm_exec(container_runtime_t)
+ rpm_read_db(container_runtime_t)
+ rpm_exec(container_runtime_t)
+')
+
+optional_policy(`
+ fstools_domtrans(container_runtime_t)
+')
+
+optional_policy(`
+ iptables_domtrans(container_runtime_t)
+')
+
+optional_policy(`
+ openvswitch_stream_connect(container_runtime_t)
+')
+
+#
+# lxc rules
+#
+
+allow container_runtime_t self:capability { dac_read_search dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace };
+
+allow container_runtime_t self:process { getcap setcap setexec setpgid setsched signal_perms };
+
+allow container_runtime_t self:netlink_route_socket rw_netlink_socket_perms;;
+allow container_runtime_t self:netlink_audit_socket create_netlink_socket_perms;
+allow container_runtime_t self:unix_dgram_socket { create_socket_perms sendto };
+allow container_runtime_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+allow container_runtime_t container_var_lib_t:dir mounton;
+allow container_runtime_t container_var_lib_t:chr_file mounton;
+can_exec(container_runtime_t, container_var_lib_t)
+
+kernel_dontaudit_setsched(container_runtime_t)
+kernel_get_sysvipc_info(container_runtime_t)
+kernel_request_load_module(container_runtime_t)
+kernel_mounton_messages(container_runtime_t)
+kernel_mounton_all_proc(container_runtime_t)
+kernel_mounton_all_sysctls(container_runtime_t)
+kernel_unlabeled_entry_type(spc_t)
+kernel_unlabeled_domtrans(container_runtime_t, spc_t)
+
+dev_getattr_all(container_runtime_t)
+dev_getattr_sysfs_fs(container_runtime_t)
+dev_read_urand(container_runtime_t)
+dev_read_lvm_control(container_runtime_t)
+dev_rw_sysfs(container_runtime_t)
+dev_rw_loop_control(container_runtime_t)
+dev_rw_lvm_control(container_runtime_t)
+
+files_getattr_isid_type_dirs(container_runtime_t)
+files_manage_isid_type_dirs(container_runtime_t)
+files_manage_isid_type_files(container_runtime_t)
+files_manage_isid_type_symlinks(container_runtime_t)
+files_manage_isid_type_chr_files(container_runtime_t)
+files_manage_isid_type_blk_files(container_runtime_t)
+files_exec_isid_files(container_runtime_t)
+files_mounton_isid(container_runtime_t)
+files_mounton_non_security(container_runtime_t)
+files_mounton_isid_type_chr_file(container_runtime_t)
+
+fs_mount_all_fs(container_runtime_t)
+fs_unmount_all_fs(container_runtime_t)
+fs_remount_all_fs(container_runtime_t)
+files_mounton_isid(container_runtime_t)
+fs_manage_cgroup_dirs(container_runtime_t)
+fs_manage_cgroup_files(container_runtime_t)
+fs_relabelfrom_xattr_fs(container_runtime_t)
+fs_relabelfrom_tmpfs(container_runtime_t)
+fs_read_tmpfs_symlinks(container_runtime_t)
+fs_list_hugetlbfs(container_runtime_t)
+
+term_use_generic_ptys(container_runtime_t)
+term_use_ptmx(container_runtime_t)
+term_getattr_pty_fs(container_runtime_t)
+term_relabel_pty_fs(container_runtime_t)
+term_mounton_unallocated_ttys(container_runtime_t)
+
+modutils_domtrans_insmod(container_runtime_t)
+
+systemd_status_all_unit_files(container_runtime_t)
+systemd_start_systemd_services(container_runtime_t)
+
+userdom_stream_connect(container_runtime_t)
+userdom_search_user_home_content(container_runtime_t)
+userdom_read_all_users_state(container_runtime_t)
+userdom_relabel_user_home_files(container_runtime_t)
+userdom_relabel_user_tmp_files(container_runtime_t)
+userdom_relabel_user_tmp_dirs(container_runtime_t)
+
+optional_policy(`
+ gpm_getattr_gpmctl(container_runtime_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(container_runtime_t)
+ init_dbus_chat(container_runtime_t)
+ init_start_transient_unit(container_runtime_t)
+
+ optional_policy(`
+ systemd_dbus_chat_logind(container_runtime_t)
+ ')
+
+ optional_policy(`
+ firewalld_dbus_chat(container_runtime_t)
+ ')
+')
+
+optional_policy(`
+ udev_read_db(container_runtime_t)
+')
+
+optional_policy(`
+ virt_read_config(container_runtime_t)
+ virt_exec(container_runtime_t)
+ virt_stream_connect(container_runtime_t)
+ virt_stream_connect_sandbox(container_runtime_t)
+ virt_exec_sandbox_files(container_runtime_t)
+ virt_manage_sandbox_files(container_runtime_t)
+ virt_relabel_sandbox_filesystem(container_runtime_t)
+ # for lxc
+ virt_transition_svirt_sandbox(container_runtime_t, system_r)
+ virt_mounton_sandbox_file(container_runtime_t)
+# virt_attach_sandbox_tun_iface(container_runtime_t)
+ allow container_runtime_t svirt_sandbox_domain:tun_socket relabelfrom;
+')
+
+tunable_policy(`container_connect_any',`
+ corenet_tcp_connect_all_ports(container_runtime_t)
+ corenet_sendrecv_all_packets(container_runtime_t)
+ corenet_tcp_sendrecv_all_ports(container_runtime_t)
+')
+
+########################################
+#
+# spc local policy
+#
+allow spc_t { container_var_lib_t container_share_t }:file entrypoint;
+role system_r types spc_t;
+
+domtrans_pattern(container_runtime_t, container_share_t, spc_t)
+domtrans_pattern(container_runtime_t, container_var_lib_t, spc_t)
+allow container_runtime_t spc_t:process { setsched signal_perms };
+ps_process_pattern(container_runtime_t, spc_t)
+allow container_runtime_t spc_t:socket_class_set { relabelto relabelfrom };
+filetrans_pattern(container_runtime_t, container_var_lib_t, container_share_t, dir, "overlay")
+
+optional_policy(`
+ dbus_chat_system_bus(spc_t)
+')
+
+optional_policy(`
+ unconfined_domain_noaudit(spc_t)
+')
+
+optional_policy(`
+ unconfined_domain(container_runtime_t)
+')
+
+optional_policy(`
+ virt_transition_svirt_sandbox(spc_t, system_r)
+')
+
+########################################
+#
+# container_auth local policy
+#
+allow container_auth_t self:fifo_file rw_fifo_file_perms;
+allow container_auth_t self:unix_stream_socket create_stream_socket_perms;
+dontaudit container_auth_t self:capability net_admin;
+
+container_stream_connect(container_auth_t)
+
+manage_dirs_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
+manage_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
+manage_sock_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
+manage_lnk_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
+files_pid_filetrans(container_auth_t, container_plugin_var_run_t, { dir file lnk_file sock_file })
+
+domain_use_interactive_fds(container_auth_t)
+
+kernel_read_net_sysctls(container_auth_t)
+
+auth_use_nsswitch(container_auth_t)
+
+files_read_etc_files(container_auth_t)
+
+miscfiles_read_localization(container_auth_t)
+
+sysnet_dns_name_resolve(container_auth_t)
diff --git a/corosync.fc b/corosync.fc
index da39f0fcc..b26d3e0a4 100644
--- a/corosync.fc
+++ b/corosync.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:corosync_unit_file_t,s0)
+
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
@@ -10,3 +12,5 @@
/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
/var/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
+/var/run/corosync-qdevice(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
+/var/run/corosync-qnetd(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
diff --git a/corosync.if b/corosync.if
index 694a037da..d8596812d 100644
--- a/corosync.if
+++ b/corosync.if
@@ -77,6 +77,25 @@ interface(`corosync_read_log',`
read_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
')
+#######################################
+##
+## Setattr corosync log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corosync_setattr_log',`
+ gen_require(`
+ type corosync_var_log_t;
+ ')
+
+ setattr_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
+')
+
+
#####################################
##
## Connect to corosync over a unix
@@ -91,29 +110,55 @@ interface(`corosync_read_log',`
interface(`corosync_stream_connect',`
gen_require(`
type corosync_t, corosync_var_run_t;
+ type corosync_var_lib_t;
')
files_search_pids($1)
+ stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t)
stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
')
######################################
##
-## Read and write corosync tmpfs files.
+## Allow the specified domain to read/write corosync's tmpfs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corosync_rw_tmpfs',`
+ gen_require(`
+ type corosync_tmpfs_t;
+ ')
+
+ rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
+
+')
+
+########################################
+##
+## Execute corosync server in the corosync domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
#
-interface(`corosync_rw_tmpfs',`
+interface(`corosync_systemctl',`
gen_require(`
- type corosync_tmpfs_t;
+ type corosync_t;
+ type corosync_unit_file_t;
')
- fs_search_tmpfs($1)
- rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 corosync_unit_file_t:file read_file_perms;
+ allow $1 corosync_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, corosync_t)
')
######################################
@@ -160,12 +205,17 @@ interface(`corosync_admin',`
type corosync_t, corosync_var_lib_t, corosync_var_log_t;
type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
type corosync_initrc_exec_t;
+ type corosync_unit_file_t;
')
- allow $1 corosync_t:process { ptrace signal_perms };
+ allow $1 corosync_t:process signal_perms;
ps_process_pattern($1, corosync_t)
- corosync_initrc_domtrans($1)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 corosync_t:process ptrace;
+ ')
+
+ init_labeled_script_domtrans($1, corosync_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 corosync_initrc_exec_t system_r;
allow $2 system_r;
@@ -183,4 +233,8 @@ interface(`corosync_admin',`
files_list_pids($1)
admin_pattern($1, corosync_var_run_t)
+
+ corosync_systemctl($1)
+ admin_pattern($1, corosync_unit_file_t)
+ allow $1 corosync_unit_file_t:service all_service_perms;
')
diff --git a/corosync.te b/corosync.te
index d5aa1e446..9a2570145 100644
--- a/corosync.te
+++ b/corosync.te
@@ -28,12 +28,15 @@ logging_log_file(corosync_var_log_t)
type corosync_var_run_t;
files_pid_file(corosync_var_run_t)
+type corosync_unit_file_t;
+systemd_unit_file(corosync_unit_file_t)
+
########################################
#
# Local policy
#
-allow corosync_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock };
+allow corosync_t self:capability { dac_read_search dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock };
# for hearbeat
allow corosync_t self:capability { net_raw chown };
allow corosync_t self:process { setpgid setrlimit setsched signal signull };
@@ -93,7 +96,6 @@ dev_read_urand(corosync_t)
domain_read_all_domains_state(corosync_t)
files_manage_mounttab(corosync_t)
-files_read_usr_files(corosync_t)
auth_use_nsswitch(corosync_t)
@@ -106,7 +108,13 @@ logging_send_syslog_msg(corosync_t)
miscfiles_read_localization(corosync_t)
userdom_read_user_tmp_files(corosync_t)
-userdom_manage_user_tmpfs_files(corosync_t)
+userdom_delete_user_tmp_files(corosync_t)
+userdom_rw_user_tmp_files(corosync_t)
+
+optional_policy(`
+ fs_manage_tmpfs_files(corosync_t)
+ init_manage_script_status_files(corosync_t)
+')
optional_policy(`
ccs_read_config(corosync_t)
@@ -128,21 +136,30 @@ optional_policy(`
drbd_domtrans(corosync_t)
')
+optional_policy(`
+ lvm_rw_clvmd_tmpfs_files(corosync_t)
+ lvm_delete_clvmd_tmpfs_files(corosync_t)
+')
+
optional_policy(`
qpidd_rw_shm(corosync_t)
')
optional_policy(`
- rhcs_getattr_fenced_exec_files(corosync_t)
+ rhcs_getattr_fenced(corosync_t)
+ # to communication with RHCS
rhcs_rw_cluster_shm(corosync_t)
rhcs_rw_cluster_semaphores(corosync_t)
rhcs_stream_connect_cluster(corosync_t)
+ rhcs_read_cluster_lib_files(corosync_t)
+ rhcs_manage_cluster_lib_files(corosync_t)
+ rhcs_relabel_cluster_lib_files(corosync_t)
')
optional_policy(`
- rgmanager_manage_tmpfs_files(corosync_t)
+ rpc_search_nfs_state_data(corosync_t)
')
optional_policy(`
- rpc_search_nfs_state_data(corosync_t)
-')
\ No newline at end of file
+ wdmd_rw_tmpfs(corosync_t)
+')
diff --git a/couchdb.fc b/couchdb.fc
index c0863022d..5380ab641 100644
--- a/couchdb.fc
+++ b/couchdb.fc
@@ -1,8 +1,10 @@
-/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0)
-
/etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
-/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
+/usr/lib/systemd/system/couchdb.* -- gen_context(system_u:object_r:couchdb_unit_file_t,s0)
+
+/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0)
+
+/usr/libexec/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
/var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0)
diff --git a/couchdb.if b/couchdb.if
index 715a826f1..a1cbdb29e 100644
--- a/couchdb.if
+++ b/couchdb.if
@@ -2,7 +2,7 @@
########################################
##
-## Read couchdb log files.
+## Allow to read couchdb log files.
##
##
##
@@ -15,13 +15,13 @@ interface(`couchdb_read_log_files',`
type couchdb_log_t;
')
- logging_search_logs($1)
+ files_search_var_lib($1)
read_files_pattern($1, couchdb_log_t, couchdb_log_t)
')
########################################
##
-## Read, write, and create couchdb lib files.
+## Allow to read couchdb lib files.
##
##
##
@@ -29,7 +29,7 @@ interface(`couchdb_read_log_files',`
##
##
#
-interface(`couchdb_manage_lib_files',`
+interface(`couchdb_read_lib_files',`
gen_require(`
type couchdb_var_lib_t;
')
@@ -40,7 +40,46 @@ interface(`couchdb_manage_lib_files',`
########################################
##
-## Read couchdb config files.
+## All of the rules required to
+## administrate an couchdb environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`couchdb_manage_lib_files',`
+ gen_require(`
+ type couchdb_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+')
+
+########################################
+##
+## Manage couchdb lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`couchdb_manage_lib_dirs',`
+ gen_require(`
+ type couchdb_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+')
+
+########################################
+##
+## Allow to read couchdb conf files.
##
##
##
@@ -53,13 +92,13 @@ interface(`couchdb_read_conf_files',`
type couchdb_conf_t;
')
- files_search_etc($1)
+ files_search_var_lib($1)
read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
')
########################################
##
-## Read couchdb pid files.
+## Read couchdb PID files.
##
##
##
@@ -73,19 +112,88 @@ interface(`couchdb_read_pid_files',`
')
files_search_pids($1)
- read_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
+ allow $1 couchdb_var_run_t:file read_file_perms;
+')
+
+#######################################
+##
+## Search couchdb PID dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`couchdb_search_pid_dirs',`
+ gen_require(`
+ type couchdb_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 couchdb_var_run_t:dir search_dir_perms;
+')
+
+#######################################
+##
+## Allow domain to manage couchdb content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`couchdb_manage_files',`
+ gen_require(`
+ type couchdb_var_run_t;
+ type couchdb_log_t;
+ type couchdb_var_lib_t;
+ type couchdb_conf_t;
+ ')
+
+ manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
+ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+ manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
+ manage_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
')
########################################
##
-## All of the rules required to
-## administrate an couchdb environment.
+## Execute couchdb server in the couchdb domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
+#
+interface(`couchdb_systemctl',`
+ gen_require(`
+ type couchdb_t;
+ type couchdb_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 couchdb_unit_file_t:file read_file_perms;
+ allow $1 couchdb_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, couchdb_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an couchdb environment
+##
+##
+##
+## Domain allowed access.
+##
+##
##
##
## Role allowed access.
@@ -95,14 +203,19 @@ interface(`couchdb_read_pid_files',`
#
interface(`couchdb_admin',`
gen_require(`
+ type couchdb_unit_file_t;
type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t;
type couchdb_log_t, couchdb_var_lib_t, couchdb_var_run_t;
type couchdb_tmp_t;
')
- allow $1 couchdb_t:process { ptrace signal_perms };
+ allow $1 couchdb_t:process { signal_perms };
ps_process_pattern($1, couchdb_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 couchdb_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 couchdb_initrc_exec_t system_r;
@@ -122,4 +235,13 @@ interface(`couchdb_admin',`
files_search_pids($1)
admin_pattern($1, couchdb_var_run_t)
+
+ admin_pattern($1, couchdb_unit_file_t)
+ couchdb_systemctl($1)
+ allow $1 couchdb_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/couchdb.te b/couchdb.te
index ae1c1b12a..9b3a328c2 100644
--- a/couchdb.te
+++ b/couchdb.te
@@ -27,18 +27,21 @@ files_type(couchdb_var_lib_t)
type couchdb_var_run_t;
files_pid_file(couchdb_var_run_t)
+type couchdb_unit_file_t;
+systemd_unit_file(couchdb_unit_file_t)
+
########################################
#
# Local policy
#
-allow couchdb_t self:process { setsched signal signull sigkill };
+allow couchdb_t self:process { execmem setsched signal signull sigkill };
allow couchdb_t self:fifo_file rw_fifo_file_perms;
allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
+allow couchdb_t self:unix_dgram_socket create_socket_perms;
allow couchdb_t self:tcp_socket { accept listen };
-allow couchdb_t couchdb_conf_t:dir list_dir_perms;
-allow couchdb_t couchdb_conf_t:file read_file_perms;
+manage_files_pattern(couchdb_t, couchdb_conf_t, couchdb_conf_t)
manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
append_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
@@ -56,11 +59,14 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir)
manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
-files_pid_filetrans(couchdb_t, couchdb_var_run_t, dir)
+files_pid_filetrans(couchdb_t, couchdb_var_run_t, {file dir })
can_exec(couchdb_t, couchdb_exec_t)
+kernel_read_network_state(couchdb_t)
kernel_read_system_state(couchdb_t)
+kernel_read_fs_sysctls(couchdb_t)
+kernel_dgram_send(couchdb_t)
corecmd_exec_bin(couchdb_t)
corecmd_exec_shell(couchdb_t)
@@ -75,14 +81,27 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
corenet_tcp_bind_couchdb_port(couchdb_t)
corenet_tcp_sendrecv_couchdb_port(couchdb_t)
+# disksup tries to monitor the local disks
+fs_getattr_all_files(couchdb_t)
+fs_getattr_all_dirs(couchdb_t)
+fs_getattr_all_fs(couchdb_t)
+files_getattr_all_mountpoints(couchdb_t)
+files_search_all_mountpoints(couchdb_t)
+files_getattr_lost_found_dirs(couchdb_t)
+files_dontaudit_list_var(couchdb_t)
+
dev_list_sysfs(couchdb_t)
dev_read_sysfs(couchdb_t)
dev_read_urand(couchdb_t)
-files_read_usr_files(couchdb_t)
+auth_use_nsswitch(couchdb_t)
-fs_getattr_xattr_fs(couchdb_t)
+optional_policy(`
+ gnome_dontaudit_search_config(couchdb_t)
+')
+
+optional_policy(`
+ rpc_read_nfs_state_data(couchdb_t)
+')
-auth_use_nsswitch(couchdb_t)
-miscfiles_read_localization(couchdb_t)
diff --git a/courier.fc b/courier.fc
index 2f017a076..defdc871e 100644
--- a/courier.fc
+++ b/courier.fc
@@ -11,17 +11,18 @@
/usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
-/usr/lib/courier/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
/usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
-/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
-/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
-/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
-/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
+ifdef(`distro_gentoo',`
+/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+')
/var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
/var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
diff --git a/courier.if b/courier.if
index 10f820fc7..acdb179e8 100644
--- a/courier.if
+++ b/courier.if
@@ -1,12 +1,12 @@
-## Courier IMAP and POP3 email servers.
+## Courier IMAP and POP3 email servers
-#######################################
+########################################
##
-## The template to define a courier domain.
+## Template for creating courier server processes.
##
-##
+##
##
-## Domain prefix to be used.
+## Prefix name of the server process.
##
##
#
@@ -15,7 +15,7 @@ template(`courier_domain_template',`
attribute courier_domain;
')
- ########################################
+ ##############################
#
# Declarations
#
@@ -24,18 +24,30 @@ template(`courier_domain_template',`
type courier_$1_exec_t;
init_daemon_domain(courier_$1_t, courier_$1_exec_t)
- ########################################
+ ##############################
#
- # Policy
+ # Declarations
#
can_exec(courier_$1_t, courier_$1_exec_t)
+
+ kernel_read_system_state(courier_$1_t)
+
+ corenet_all_recvfrom_netlabel(courier_$1_t)
+ corenet_tcp_sendrecv_generic_if(courier_$1_t)
+ corenet_udp_sendrecv_generic_if(courier_$1_t)
+ corenet_tcp_sendrecv_generic_node(courier_$1_t)
+ corenet_udp_sendrecv_generic_node(courier_$1_t)
+ corenet_tcp_sendrecv_all_ports(courier_$1_t)
+ corenet_udp_sendrecv_all_ports(courier_$1_t)
+
+ logging_send_syslog_msg(courier_$1_t)
')
########################################
##
-## Execute the courier authentication
-## daemon with a domain transition.
+## Execute the courier authentication daemon with
+## a domain transition.
##
##
##
@@ -48,34 +60,32 @@ interface(`courier_domtrans_authdaemon',`
type courier_authdaemon_t, courier_authdaemon_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
')
#######################################
##
-## Connect to courier-authdaemon over
-## a unix stream socket.
+## Connect to courier-authdaemon over a unix stream socket.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
interface(`courier_stream_connect_authdaemon',`
- gen_require(`
- type courier_authdaemon_t, courier_spool_t;
- ')
+ gen_require(`
+ type courier_authdaemon_t, courier_spool_t;
+ ')
files_search_spool($1)
- stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
+ stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
')
########################################
##
-## Execute the courier POP3 and IMAP
-## server with a domain transition.
+## Execute the courier POP3 and IMAP server with
+## a domain transition.
##
##
##
@@ -88,13 +98,12 @@ interface(`courier_domtrans_pop',`
type courier_pop_t, courier_pop_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
')
########################################
##
-## Read courier config files.
+## Read courier config files
##
##
##
@@ -127,7 +136,7 @@ interface(`courier_manage_spool_dirs',`
type courier_spool_t;
')
- files_search_var($1)
+ files_search_spool($1)
manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
')
@@ -136,7 +145,7 @@ interface(`courier_manage_spool_dirs',`
## Create, read, write, and delete courier
## spool files.
##
-##
+##
##
## Domain allowed access.
##
@@ -147,7 +156,7 @@ interface(`courier_manage_spool_files',`
type courier_spool_t;
')
- files_search_var($1)
+ files_search_spool($1)
manage_files_pattern($1, courier_spool_t, courier_spool_t)
')
@@ -166,13 +175,13 @@ interface(`courier_read_spool',`
type courier_spool_t;
')
- files_search_var($1)
+ files_search_spool($1)
read_files_pattern($1, courier_spool_t, courier_spool_t)
')
########################################
##
-## Read and write courier spool pipes.
+## Read and write to courier spool pipes.
##
##
##
@@ -185,6 +194,5 @@ interface(`courier_rw_spool_pipes',`
type courier_spool_t;
')
- files_search_var($1)
allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
')
diff --git a/courier.te b/courier.te
index ae3bc70e9..d64452f77 100644
--- a/courier.te
+++ b/courier.te
@@ -18,7 +18,7 @@ type courier_etc_t;
files_config_file(courier_etc_t)
type courier_spool_t;
-files_type(courier_spool_t)
+files_spool_file(courier_spool_t)
type courier_var_lib_t;
files_type(courier_var_lib_t)
@@ -34,7 +34,7 @@ mta_agent_executable(courier_exec_t)
# Common local policy
#
-allow courier_domain self:capability dac_override;
+allow courier_domain self:capability { dac_read_search dac_override };
dontaudit courier_domain self:capability sys_tty_config;
allow courier_domain self:process { setpgid signal_perms };
allow courier_domain self:fifo_file rw_fifo_file_perms;
@@ -51,7 +51,6 @@ manage_sock_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t)
files_pid_filetrans(courier_domain, courier_var_run_t, dir)
kernel_read_kernel_sysctls(courier_domain)
-kernel_read_system_state(courier_domain)
corecmd_exec_bin(courier_domain)
@@ -59,15 +58,11 @@ dev_read_sysfs(courier_domain)
domain_use_interactive_fds(courier_domain)
-files_read_etc_files(courier_domain)
files_read_etc_runtime_files(courier_domain)
-files_read_usr_files(courier_domain)
fs_getattr_xattr_fs(courier_domain)
fs_search_auto_mountpoints(courier_domain)
-logging_send_syslog_msg(courier_domain)
-
sysnet_read_config(courier_domain)
userdom_dontaudit_use_unpriv_user_fds(courier_domain)
@@ -76,6 +71,10 @@ optional_policy(`
seutil_sigchld_newrole(courier_domain)
')
+optional_policy(`
+ mysql_stream_connect(courier_domain)
+')
+
optional_policy(`
udev_read_db(courier_domain)
')
@@ -91,6 +90,7 @@ allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen };
create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
+manage_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
allow courier_authdaemon_t courier_tcpd_t:process sigchld;
@@ -112,7 +112,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t)
libs_read_lib_files(courier_authdaemon_t)
-miscfiles_read_localization(courier_authdaemon_t)
userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
@@ -135,7 +134,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
-allow courier_pop_t courier_var_lib_t:file { read write };
+allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
@@ -172,7 +171,6 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t)
dev_read_rand(courier_tcpd_t)
dev_read_urand(courier_tcpd_t)
-miscfiles_read_localization(courier_tcpd_t)
########################################
#
diff --git a/cpucontrol.te b/cpucontrol.te
index af72c4e55..afab0367f 100644
--- a/cpucontrol.te
+++ b/cpucontrol.te
@@ -42,8 +42,6 @@ term_dontaudit_use_console(cpucontrol_domain)
init_use_fds(cpucontrol_domain)
init_use_script_ptys(cpucontrol_domain)
-logging_send_syslog_msg(cpucontrol_domain)
-
userdom_dontaudit_use_unpriv_user_fds(cpucontrol_domain)
optional_policy(`
@@ -69,12 +67,13 @@ allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms;
read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
-kernel_list_proc(cpucontrol_t)
kernel_read_proc_symlinks(cpucontrol_t)
dev_read_sysfs(cpucontrol_t)
dev_rw_cpu_microcode(cpucontrol_t)
+logging_send_syslog_msg(cpucontrol_t)
+
optional_policy(`
rhgb_use_ptys(cpucontrol_t)
')
@@ -98,7 +97,6 @@ dev_rw_sysfs(cpuspeed_t)
domain_read_all_domains_state(cpuspeed_t)
-files_read_etc_files(cpuspeed_t)
files_read_etc_runtime_files(cpuspeed_t)
-miscfiles_read_localization(cpuspeed_t)
+logging_send_syslog_msg(cpuspeed_t)
diff --git a/cpufreqselector.te b/cpufreqselector.te
index 6cedb8724..530e250e5 100644
--- a/cpufreqselector.te
+++ b/cpufreqselector.te
@@ -14,21 +14,17 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
# Local policy
#
-allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
+allow cpufreqselector_t self:capability sys_nice;
allow cpufreqselector_t self:process getsched;
allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
+allow cpufreqselector_t self:process getsched;
kernel_read_system_state(cpufreqselector_t)
-files_read_etc_files(cpufreqselector_t)
-files_read_usr_files(cpufreqselector_t)
-
dev_rw_sysfs(cpufreqselector_t)
-miscfiles_read_localization(cpufreqselector_t)
-
userdom_read_all_users_state(cpufreqselector_t)
-userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
+userdom_dontaudit_search_admin_dir(cpufreqselector_t)
optional_policy(`
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
@@ -51,3 +47,7 @@ optional_policy(`
policykit_read_lib(cpufreqselector_t)
policykit_read_reload(cpufreqselector_t)
')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(cpufreqselector_t)
+')
diff --git a/cpuplug.fc b/cpuplug.fc
new file mode 100644
index 000000000..be203ff49
--- /dev/null
+++ b/cpuplug.fc
@@ -0,0 +1,3 @@
+/etc/rc.d/init.d/cpuplugd -- gen_context(system_u:object_r:cpuplug_initrc_exec_t,s0)
+
+/usr/sbin/cpuplugd -- gen_context(system_u:object_r:cpuplug_exec_t,s0)
diff --git a/cpuplug.if b/cpuplug.if
new file mode 100644
index 000000000..c68d1d3cf
--- /dev/null
+++ b/cpuplug.if
@@ -0,0 +1,20 @@
+## cpuplugd - Linux on System z CPU and memory hotplug daemon
+
+########################################
+##
+## Execute cpuplug in the cpuplug domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cpuplug_domtrans',`
+ gen_require(`
+ type cpuplug_t, cpuplug_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cpuplug_exec_t, cpuplug_t)
+')
diff --git a/cpuplug.te b/cpuplug.te
new file mode 100644
index 000000000..074f3e04d
--- /dev/null
+++ b/cpuplug.te
@@ -0,0 +1,40 @@
+policy_module(cpuplug, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cpuplug_t;
+type cpuplug_exec_t;
+init_daemon_domain(cpuplug_t, cpuplug_exec_t)
+
+type cpuplug_initrc_exec_t;
+init_script_file(cpuplug_initrc_exec_t)
+
+type cpuplug_lock_t;
+files_lock_file(cpuplug_lock_t)
+
+type cpuplug_var_run_t;
+files_pid_file(cpuplug_var_run_t)
+
+########################################
+#
+# cpuplug local policy
+#
+allow cpuplug_t self:fifo_file rw_fifo_file_perms;
+allow cpuplug_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(cpuplug_t, cpuplug_lock_t, cpuplug_lock_t)
+files_lock_filetrans(cpuplug_t, cpuplug_lock_t, { file })
+
+manage_files_pattern(cpuplug_t, cpuplug_var_run_t, cpuplug_var_run_t)
+files_pid_filetrans(cpuplug_t, cpuplug_var_run_t, { file })
+
+kernel_read_system_state(cpuplug_t)
+kernel_rw_vm_sysctls(cpuplug_t)
+
+dev_rw_sysfs(cpuplug_t)
+
+logging_send_syslog_msg(cpuplug_t)
+
diff --git a/cron.fc b/cron.fc
index ad0bae948..615a947aa 100644
--- a/cron.fc
+++ b/cron.fc
@@ -1,66 +1,77 @@
-/etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
-/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
-/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
-/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/lib/systemd/system/atd.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
+/usr/lib/systemd/system/crond.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
-/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
-/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
-/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
-/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
+/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
-/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
-/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
-/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/cron(d)?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/cron(d)?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
-/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0)
+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
-/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
-#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-/var/spool/cron/[^/]* -- <>
+/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0)
+#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+/var/spool/cron/[^/]* -- <>
-/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
/var/spool/cron/crontabs/.* -- <>
#/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/fcron/.* <>
+/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/fcron/.* <>
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/fcron/systab\.tmp -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/fcron/rm\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+ifdef(`distro_gentoo',`
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]* -- <>
+')
+
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]* -- <>
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+')
ifdef(`distro_debian',`
-/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0)
+
+/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
/var/spool/cron/atjobs/[^/]* -- <>
-/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
')
ifdef(`distro_gentoo',`
-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <>
')
-ifdef(`distro_suse',`
-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <>
-/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
')
diff --git a/cron.if b/cron.if
index 1303b3036..f5bd4aee8 100644
--- a/cron.if
+++ b/cron.if
@@ -2,11 +2,12 @@
#######################################
##
-## The template to define a crontab domain.
+## The common rules for a crontab domain.
##
-##
+##
##
-## Domain prefix to be used.
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
##
##
#
@@ -36,22 +37,29 @@ template(`cron_common_crontab_template',`
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
+ kernel_read_system_state($1_t)
+
auth_domtrans_chk_passwd($1_t)
auth_use_nsswitch($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ userdom_home_reader($1_t)
+
')
########################################
##
-## Role access for cron.
+## Role access for cron
##
##
##
-## Role allowed access.
+## Role allowed access
##
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
##
@@ -60,56 +68,66 @@ interface(`cron_role',`
gen_require(`
type cronjob_t, crontab_t, crontab_exec_t;
type user_cron_spool_t, crond_t;
- bool cron_userdomain_transition;
+ bool cron_userdomain_transition;
')
- ##############################
- #
- # Declarations
- #
+ ##############################
+ #
+ # Declarations
+ #
role $1 types { cronjob_t crontab_t };
- ##############################
- #
- # Local policy
- #
+ ##############################
+ #
+ # Local policy
+ #
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, crontab_t)
dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
allow $2 crond_t:process sigchld;
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
- allow $2 crontab_t:process { ptrace signal_perms };
+ # crontab shows up in user ps
+ allow $2 crontab_t:process signal_perms;
ps_process_pattern($2, crontab_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 crontab_t:process ptrace;
+ ')
+
+ # Run helper programs as the user domain
+ #corecmd_bin_domtrans(crontab_t, $2)
+ #corecmd_shell_domtrans(crontab_t, $2)
corecmd_exec_bin(crontab_t)
corecmd_exec_shell(crontab_t)
- tunable_policy(`cron_userdomain_transition',`
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
+ tunable_policy(`cron_userdomain_transition',`
+ allow crond_t $2:process transition;
+ allow crond_t $2:fd use;
+ allow crond_t $2:key manage_key_perms;
- allow $2 user_cron_spool_t:file entrypoint;
+ # needs to be authorized SELinux context for cron
+ allow $2 user_cron_spool_t:file entrypoint;
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
- allow $2 crond_t:fifo_file rw_fifo_file_perms;
+ allow $2 cronjob_t:process { signal_perms };
- allow $2 cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2, cronjob_t)
- ',`
- dontaudit crond_t $2:process transition;
- dontaudit crond_t $2:fd use;
- dontaudit crond_t $2:key manage_key_perms;
+ ps_process_pattern($2, cronjob_t)
+ ',`
+ dontaudit crond_t $2:process transition;
+ dontaudit crond_t $2:fd use;
+ dontaudit crond_t $2:key manage_key_perms;
- dontaudit $2 user_cron_spool_t:file entrypoint;
+ dontaudit $2 user_cron_spool_t:file entrypoint;
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
- dontaudit $2 cronjob_t:process { ptrace signal_perms };
- ')
+ dontaudit $2 cronjob_t:process { signal_perms };
+ ')
optional_policy(`
gen_require(`
@@ -119,78 +137,75 @@ interface(`cron_role',`
dbus_stub(cronjob_t)
allow cronjob_t $2:dbus send_msg;
- ')
+ ')
')
########################################
##
-## Role access for unconfined cron.
+## Role access for unconfined cronjobs
##
##
##
-## Role allowed access.
+## Role allowed access
##
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
+##
#
interface(`cron_unconfined_role',`
gen_require(`
type unconfined_cronjob_t, crontab_t, crontab_exec_t;
- type crond_t, user_cron_spool_t;
- bool cron_userdomain_transition;
+ type crond_t, user_cron_spool_t;
+ bool cron_userdomain_transition;
')
- ##############################
- #
- # Declarations
- #
-
- role $1 types { unconfined_cronjob_t crontab_t };
-
- ##############################
- #
- # Local policy
- #
-
- domtrans_pattern($2, crontab_exec_t, crontab_t)
+ ##############################
+ #
+ # Declarations
+ #
+
+ role $1 types unconfined_cronjob_t;
- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- allow $2 crond_t:process sigchld;
+ ##############################
+ #
+ # Local policy
+ #
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- allow $2 crontab_t:process { ptrace signal_perms };
- ps_process_pattern($2, crontab_t)
+ allow $2 crond_t:process sigchld;
- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
- tunable_policy(`cron_userdomain_transition',`
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
+ # cronjob shows up in user ps
+ ps_process_pattern($2, unconfined_cronjob_t)
+ allow $2 unconfined_cronjob_t:process signal_perms;
- allow $2 user_cron_spool_t:file entrypoint;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 unconfined_cronjob_t:process ptrace;
+ ')
- allow $2 crond_t:fifo_file rw_fifo_file_perms;
+ tunable_policy(`cron_userdomain_transition',`
+ allow crond_t $2:process transition;
+ allow crond_t $2:fd use;
+ allow crond_t $2:key manage_key_perms;
- allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2, unconfined_cronjob_t)
- ',`
- dontaudit crond_t $2:process transition;
- dontaudit crond_t $2:fd use;
- dontaudit crond_t $2:key manage_key_perms;
+ allow $2 user_cron_spool_t:file entrypoint;
- dontaudit $2 user_cron_spool_t:file entrypoint;
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
+ ',`
+ dontaudit crond_t $2:process transition;
+ dontaudit crond_t $2:fd use;
+ dontaudit crond_t $2:key manage_key_perms;
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+ dontaudit $2 user_cron_spool_t:file entrypoint;
- dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
-')
+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+ ')
optional_policy(`
gen_require(`
@@ -198,55 +213,60 @@ interface(`cron_unconfined_role',`
')
dbus_stub(unconfined_cronjob_t)
-
allow unconfined_cronjob_t $2:dbus send_msg;
')
')
########################################
##
-## Role access for admin cron.
+## Role access for cron
##
##
##
-## Role allowed access.
+## Role allowed access
##
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
+##
#
interface(`cron_admin_role',`
gen_require(`
- type cronjob_t, crontab_exec_t, admin_crontab_t;
+ type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
+ type user_cron_spool_t, crond_t;
class passwd crontab;
- type crond_t, user_cron_spool_t;
- bool cron_userdomain_transition;
+ bool cron_userdomain_transition;
')
- ##############################
- #
- # Declarations
- #
+ ##############################
+ #
+ # Declarations
+ #
- role $1 types { cronjob_t admin_crontab_t };
+ role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
- ##############################
- #
- # Local policy
- #
+ ##############################
+ #
+ # Local policy
+ #
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- allow $2 crond_t:process sigchld;
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
+ allow $2 crond_t:process sigchld;
- allow $2 admin_crontab_t:process { ptrace signal_perms };
+ # crontab shows up in user ps
ps_process_pattern($2, admin_crontab_t)
+ allow $2 admin_crontab_t:process signal_perms;
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 admin_crontab_t:process ptrace;
+ ')
# Manipulate other users crontab.
allow $2 self:passwd crontab;
@@ -254,28 +274,26 @@ interface(`cron_admin_role',`
corecmd_exec_bin(admin_crontab_t)
corecmd_exec_shell(admin_crontab_t)
- tunable_policy(`cron_userdomain_transition',`
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
+ tunable_policy(`cron_userdomain_transition',`
+ allow crond_t $2:process transition;
+ allow crond_t $2:fd use;
+ allow crond_t $2:key manage_key_perms;
- allow $2 user_cron_spool_t:file entrypoint;
+ allow $2 user_cron_spool_t:file entrypoint;
- allow $2 crond_t:fifo_file rw_fifo_file_perms;
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
- allow $2 cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2, cronjob_t)
- ',`
- dontaudit crond_t $2:process transition;
- dontaudit crond_t $2:fd use;
- dontaudit crond_t $2:key manage_key_perms;
+ allow $2 cronjob_t:process { signal_perms };
+ ps_process_pattern($2, cronjob_t)
+ ',`
+ dontaudit crond_t $2:process transition;
+ dontaudit crond_t $2:fd use;
+ dontaudit crond_t $2:key manage_key_perms;
- dontaudit $2 user_cron_spool_t:file entrypoint;
-
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-
- dontaudit $2 cronjob_t:process { ptrace signal_perms };
- ')
+ dontaudit $2 user_cron_spool_t:file entrypoint;
+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+ dontaudit $2 cronjob_t:process { signal_perms };
+ ')
optional_policy(`
gen_require(`
@@ -285,13 +303,13 @@ interface(`cron_admin_role',`
dbus_stub(admin_cronjob_t)
allow cronjob_t $2:dbus send_msg;
- ')
+ ')
')
########################################
##
-## Make the specified program domain
-## accessable from the system cron jobs.
+## Make the specified program domain accessable
+## from the system cron jobs.
##
##
##
@@ -307,15 +325,15 @@ interface(`cron_admin_role',`
interface(`cron_system_entry',`
gen_require(`
type crond_t, system_cronjob_t;
- type user_cron_spool_log_t;
')
- rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t)
-
domtrans_pattern(system_cronjob_t, $2, $1)
domtrans_pattern(crond_t, $2, $1)
role system_r types $1;
+
+ allow $1 crond_t:fifo_file rw_fifo_file_perms;
+ allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
')
########################################
@@ -333,13 +351,12 @@ interface(`cron_domtrans',`
type system_cronjob_t, crond_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, crond_exec_t, system_cronjob_t)
')
########################################
##
-## Execute crond in the caller domain.
+## Execute crond_exec_t
##
##
##
@@ -352,7 +369,6 @@ interface(`cron_exec',`
type crond_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, crond_exec_t)
')
@@ -376,7 +392,32 @@ interface(`cron_initrc_domtrans',`
########################################
##
-## Use crond file descriptors.
+## Execute crond server in the crond domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cron_systemctl',`
+ gen_require(`
+ type crond_unit_file_t;
+ type crond_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 crond_unit_file_t:file read_file_perms;
+ allow $1 crond_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, crond_t)
+')
+
+########################################
+##
+## Inherit and use a file descriptor
+## from the cron daemon.
##
##
##
@@ -394,7 +435,7 @@ interface(`cron_use_fds',`
########################################
##
-## Send child terminated signals to crond.
+## Send a SIGCHLD signal to the cron daemon.
##
##
##
@@ -412,7 +453,7 @@ interface(`cron_sigchld',`
########################################
##
-## Set the attributes of cron log files.
+## Send a generic signal to cron daemon.
##
##
##
@@ -420,17 +461,17 @@ interface(`cron_sigchld',`
##
##
#
-interface(`cron_setattr_log_files',`
+interface(`cron_signal',`
gen_require(`
- type cron_log_t;
+ type crond_t;
')
- allow $1 cron_log_t:file setattr_file_perms;
+ allow $1 crond_t:process signal;
')
########################################
##
-## Create cron log files.
+## Read a cron daemon unnamed pipe.
##
##
##
@@ -438,17 +479,17 @@ interface(`cron_setattr_log_files',`
##
##
#
-interface(`cron_create_log_files',`
+interface(`cron_read_pipes',`
gen_require(`
- type cron_log_t;
+ type crond_t;
')
- create_files_pattern($1, cron_log_t, cron_log_t)
+ allow $1 crond_t:fifo_file read_fifo_file_perms;
')
########################################
##
-## Write to cron log files.
+## Read crond state files.
##
##
##
@@ -456,18 +497,20 @@ interface(`cron_create_log_files',`
##
##
#
-interface(`cron_write_log_files',`
+interface(`cron_read_state_crond',`
gen_require(`
- type cron_log_t;
+ type crond_t;
')
- allow $1 cron_log_t:file write_file_perms;
+ kernel_search_proc($1)
+ ps_process_pattern($1, crond_t)
')
+
########################################
##
-## Create, read, write and delete
-## cron log files.
+## Send and receive messages from
+## crond over dbus.
##
##
##
@@ -475,48 +518,37 @@ interface(`cron_write_log_files',`
##
##
#
-interface(`cron_manage_log_files',`
+interface(`cron_dbus_chat_crond',`
gen_require(`
- type cron_log_t;
+ type crond_t;
+ class dbus send_msg;
')
- manage_files_pattern($1, cron_log_t, cron_log_t)
-
- logging_search_logs($1)
+ allow $1 crond_t:dbus send_msg;
+ allow crond_t $1:dbus send_msg;
')
########################################
##
-## Create specified objects in generic
-## log directories with the cron log file type.
+## Do not audit attempts to write cron daemon unnamed pipes.
##
##
##
-## Domain allowed access.
-##
-##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
+## Domain to not audit.
##
##
#
-interface(`cron_generic_log_filetrans_log',`
+interface(`cron_dontaudit_write_pipes',`
gen_require(`
- type cron_log_t;
+ type crond_t;
')
- logging_log_filetrans($1, cron_log_t, $2, $3)
+ dontaudit $1 crond_t:fifo_file write;
')
########################################
##
-## Read cron daemon unnamed pipes.
+## Read and write a cron daemon unnamed pipe.
##
##
##
@@ -524,18 +556,17 @@ interface(`cron_generic_log_filetrans_log',`
##
##
#
-interface(`cron_read_pipes',`
+interface(`cron_rw_pipes',`
gen_require(`
type crond_t;
')
- allow $1 crond_t:fifo_file read_fifo_file_perms;
+ allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
##
-## Do not audit attempts to write
-## cron daemon unnamed pipes.
+## Do not audit attempts to setattr cron daemon unnamed pipes.
##
##
##
@@ -543,17 +574,17 @@ interface(`cron_read_pipes',`
##
##
#
-interface(`cron_dontaudit_write_pipes',`
+interface(`cron_dontaudit_setattr_pipes',`
gen_require(`
type crond_t;
')
- dontaudit $1 crond_t:fifo_file write;
+ dontaudit $1 crond_t:fifo_file setattr;
')
########################################
##
-## Read and write crond unnamed pipes.
+## Read and write inherited user spool files.
##
##
##
@@ -561,17 +592,35 @@ interface(`cron_dontaudit_write_pipes',`
##
##
#
-interface(`cron_rw_pipes',`
+interface(`cron_rw_inherited_user_spool_files',`
gen_require(`
- type crond_t;
+ type user_cron_spool_t;
')
- allow $1 crond_t:fifo_file rw_fifo_file_perms;
+ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
')
########################################
##
-## Read and write crond TCP sockets.
+## Read and write inherited spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_rw_inherited_spool_files',`
+ gen_require(`
+ type cron_spool_t;
+ ')
+
+ allow $1 cron_spool_t:file rw_inherited_file_perms;
+')
+
+########################################
+##
+## Read, and write cron daemon TCP sockets.
##
##
##
@@ -589,8 +638,7 @@ interface(`cron_rw_tcp_sockets',`
########################################
##
-## Do not audit attempts to read and
-## write cron daemon TCP sockets.
+## Dontaudit Read, and write cron daemon TCP sockets.
##
##
##
@@ -608,7 +656,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',`
########################################
##
-## Search cron spool directories.
+## Search the directory containing user cron tables.
##
##
##
@@ -627,8 +675,7 @@ interface(`cron_search_spool',`
########################################
##
-## Create, read, write, and delete
-## crond pid files.
+## Search the directory containing user cron tables.
##
##
##
@@ -636,37 +683,37 @@ interface(`cron_search_spool',`
##
##
#
-interface(`cron_manage_pid_files',`
+interface(`cron_manage_system_spool',`
gen_require(`
- type crond_var_run_t;
+ type cron_system_spool_t;
')
- manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+ files_search_spool($1)
+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
')
########################################
##
-## Execute anacron in the cron
-## system domain.
+## Manage pid files used by cron
##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
##
##
#
-interface(`cron_anacron_domtrans_system_job',`
+interface(`cron_manage_pid_files',`
gen_require(`
- type system_cronjob_t, anacron_exec_t;
+ type crond_var_run_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
+ files_search_pids($1)
+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
')
########################################
##
-## Use system cron job file descriptors.
+## Read pid files used by cron
##
##
##
@@ -674,37 +721,37 @@ interface(`cron_anacron_domtrans_system_job',`
##
##
#
-interface(`cron_use_system_job_fds',`
+interface(`cron_read_pid_files',`
gen_require(`
- type system_cronjob_t;
+ type crond_var_run_t;
')
- allow $1 system_cronjob_t:fd use;
+ files_search_pids($1)
+ read_files_pattern($1, crond_var_run_t, crond_var_run_t)
')
########################################
##
-## Read system cron job lib files.
+## Execute anacron in the cron system domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
#
-interface(`cron_read_system_job_lib_files',`
+interface(`cron_anacron_domtrans_system_job',`
gen_require(`
- type system_cronjob_var_lib_t;
+ type system_cronjob_t, anacron_exec_t;
')
- files_search_var_lib($1)
- read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+ domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
')
########################################
##
-## Create, read, write, and delete
-## system cron job lib files.
+## Inherit and use a file descriptor
+## from system cron jobs.
##
##
##
@@ -712,18 +759,17 @@ interface(`cron_read_system_job_lib_files',`
##
##
#
-interface(`cron_manage_system_job_lib_files',`
+interface(`cron_use_system_job_fds',`
gen_require(`
- type system_cronjob_var_lib_t;
+ type system_cronjob_t;
')
- files_search_var_lib($1)
- manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+ allow $1 system_cronjob_t:fd use;
')
########################################
##
-## Write system cron job unnamed pipes.
+## Write a system cron job unnamed pipe.
##
##
##
@@ -736,13 +782,12 @@ interface(`cron_write_system_job_pipes',`
type system_cronjob_t;
')
- allow $1 system_cronjob_t:file write;
+ allow $1 system_cronjob_t:fifo_file write;
')
########################################
##
-## Read and write system cron job
-## unnamed pipes.
+## Read and write a system cron job unnamed pipe.
##
##
##
@@ -755,13 +800,12 @@ interface(`cron_rw_system_job_pipes',`
type system_cronjob_t;
')
- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
+ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
##
-## Read and write inherited system cron
-## job unix domain stream sockets.
+## Allow read/write unix stream sockets from the system cron jobs.
##
##
##
@@ -779,7 +823,7 @@ interface(`cron_rw_system_job_stream_sockets',`
########################################
##
-## Read system cron job temporary files.
+## Read temporary files from the system cron jobs.
##
##
##
@@ -789,17 +833,20 @@ interface(`cron_rw_system_job_stream_sockets',`
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
- type system_cronjob_tmp_t;
+ type system_cronjob_tmp_t, cron_var_run_t;
')
files_search_tmp($1)
allow $1 system_cronjob_tmp_t:file read_file_perms;
+
+ files_search_pids($1)
+ allow $1 cron_var_run_t:file read_file_perms;
')
########################################
##
## Do not audit attempts to append temporary
-## system cron job files.
+## files from the system cron jobs.
##
##
##
@@ -818,7 +865,7 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
########################################
##
## Do not audit attempts to write temporary
-## system cron job files.
+## files from the system cron jobs.
##
##
##
@@ -829,7 +876,126 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
+ type cron_var_run_t;
')
dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+ dontaudit $1 cron_var_run_t:file write_file_perms;
+')
+
+########################################
+##
+## Read temporary files from the system cron jobs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_read_system_job_lib_files',`
+ gen_require(`
+ type system_cronjob_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+########################################
+##
+## Manage files from the system cron jobs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_manage_system_job_lib_files',`
+ gen_require(`
+ type system_cronjob_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+#######################################
+##
+## Create, read, write and delete
+## cron log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_manage_log_files',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ manage_files_pattern($1, cron_log_t, cron_log_t)
+
+ logging_search_logs($1)
+')
+
+#######################################
+##
+## Create specified objects in generic
+## log directories with the cron log file type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`cron_generic_log_filetrans_log',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ logging_log_filetrans($1, cron_log_t, $2, $3)
+')
+
+#######################################
+##
+## Create specified objects in generic
+## log directories with the cron log file type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`cron_generic_log_filetrans_log_insights',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log")
')
diff --git a/cron.te b/cron.te
index 7de385956..b9b2c8f7f 100644
--- a/cron.te
+++ b/cron.te
@@ -11,46 +11,54 @@ gen_require(`
##
##
-## Determine whether system cron jobs
-## can relabel filesystem for
-## restoring file contexts.
+## Allow system cron jobs to relabel filesystem
+## for restoring file contexts.
##
##
gen_tunable(cron_can_relabel, false)
##
-##
-## Determine whether crond can execute jobs
-## in the user domain as opposed to the
-## the generic cronjob domain.
-##
+##
+## Determine whether crond can execute jobs
+## in the user domain as opposed to the
+## the generic cronjob domain.
+##
+##
+gen_tunable(cron_userdomain_transition, true)
+
+##
+##
+## Allow system cronjob to be executed on
+## on NFS, CIFS or FUSE filesystem.
+##
##
-gen_tunable(cron_userdomain_transition, false)
+gen_tunable(cron_system_cronjob_use_shares, false)
##
##
-## Determine whether extra rules
-## should be enabled to support fcron.
+## Enable extra rules in the cron domain
+## to support fcron.
##
##
gen_tunable(fcron_crond, false)
-attribute cron_spool_type;
attribute crontab_domain;
+attribute cron_spool_type;
type anacron_exec_t;
application_executable_file(anacron_exec_t)
type cron_spool_t;
-files_type(cron_spool_t)
-mta_system_content(cron_spool_t)
+files_spool_file(cron_spool_t)
+# var/lib files
type cron_var_lib_t;
files_type(cron_var_lib_t)
type cron_var_run_t;
files_pid_file(cron_var_run_t)
+# var/log files
type cron_log_t;
logging_log_file(cron_log_t)
@@ -71,6 +79,9 @@ domain_cron_exemption_source(crond_t)
type crond_initrc_exec_t;
init_script_file(crond_initrc_exec_t)
+type crond_unit_file_t;
+systemd_unit_file(crond_unit_file_t)
+
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
files_poly_parent(crond_tmp_t)
@@ -92,15 +103,17 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+allow admin_crontab_t crond_t:process signal;
type system_cron_spool_t, cron_spool_type;
-files_type(system_cron_spool_t)
-mta_system_content(system_cron_spool_t)
+files_spool_file(system_cron_spool_t)
type system_cronjob_t alias system_crond_t;
init_daemon_domain(system_cronjob_t, anacron_exec_t)
corecmd_shell_entry_type(system_cronjob_t)
-domain_entry_file(system_cronjob_t, system_cron_spool_t)
+corecmd_bin_entry_type(system_cronjob_t)
+role system_r types system_cronjob_t;
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
type system_cronjob_lock_t alias system_crond_lock_t;
files_lock_file(system_cronjob_lock_t)
@@ -108,94 +121,34 @@ files_lock_file(system_cronjob_lock_t)
type system_cronjob_tmp_t alias system_crond_tmp_t;
files_tmp_file(system_cronjob_tmp_t)
-type system_cronjob_var_lib_t;
-files_type(system_cronjob_var_lib_t)
-
-type system_cronjob_var_run_t;
-files_pid_file(system_cronjob_var_run_t)
-
+# Type of user crontabs once moved to cron spool.
type user_cron_spool_t, cron_spool_type;
typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
-files_type(user_cron_spool_t)
+files_spool_file(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
mta_system_content(user_cron_spool_t)
-type user_cron_spool_log_t;
-logging_log_file(user_cron_spool_log_t)
-ubac_constrained(user_cron_spool_log_t)
-mta_system_content(user_cron_spool_log_t)
+type system_cronjob_var_lib_t;
+files_type(system_cronjob_var_lib_t)
+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
+
+type system_cronjob_var_run_t;
+files_pid_file(system_cronjob_var_run_t)
ifdef(`enable_mcs',`
init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
')
-##############################
-#
-# Common crontab local policy
-#
-
-allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
-allow crontab_domain self:process { getcap setsched signal_perms };
-allow crontab_domain self:fifo_file rw_fifo_file_perms;
-
-manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
-
-allow crontab_domain cron_spool_t:dir setattr_dir_perms;
-
-allow crontab_domain crond_t:process signal;
-allow crontab_domain crond_var_run_t:file read_file_perms;
-
-kernel_read_system_state(crontab_domain)
-
-selinux_dontaudit_search_fs(crontab_domain)
-
-files_list_spool(crontab_domain)
-files_read_etc_files(crontab_domain)
-files_read_usr_files(crontab_domain)
-files_search_pids(crontab_domain)
-
-fs_getattr_xattr_fs(crontab_domain)
-fs_manage_cgroup_dirs(crontab_domain)
-fs_rw_cgroup_files(crontab_domain)
-
-domain_use_interactive_fds(crontab_domain)
-
-fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
-
-auth_rw_var_auth(crontab_domain)
-
-logging_send_syslog_msg(crontab_domain)
-logging_send_audit_msgs(crontab_domain)
-logging_set_loginuid(crontab_domain)
-
-init_dontaudit_write_utmp(crontab_domain)
-init_read_utmp(crontab_domain)
-init_read_state(crontab_domain)
-
-miscfiles_read_localization(crontab_domain)
-
-seutil_read_config(crontab_domain)
-
-userdom_manage_user_tmp_dirs(crontab_domain)
-userdom_manage_user_tmp_files(crontab_domain)
-userdom_use_user_terminals(crontab_domain)
-userdom_read_user_home_content_files(crontab_domain)
-userdom_read_user_home_content_symlinks(crontab_domain)
-
-tunable_policy(`fcron_crond',`
- dontaudit crontab_domain crond_t:process signal;
-')
-
########################################
#
-# Admin local policy
+# Admin crontab local policy
#
-allow admin_crontab_t self:capability fsetid;
-allow admin_crontab_t crond_t:process signal;
+# Allow our crontab domain to unlink a user cron spool file.
+allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
+# Manipulate other users crontab.
selinux_get_fs_mount(admin_crontab_t)
selinux_validate_context(admin_crontab_t)
selinux_compute_access_vector(admin_crontab_t)
@@ -204,22 +157,26 @@ selinux_compute_relabel_context(admin_crontab_t)
selinux_compute_user_contexts(admin_crontab_t)
tunable_policy(`fcron_crond',`
+ # fcron wants an instant update of a crontab change for the administrator
+ # also crontab does a security check for crontab -u
allow admin_crontab_t self:process setfscreate;
')
########################################
#
-# Daemon local policy
+# Cron daemon local policy
#
allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
+dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_fifo_file_perms;
+allow crond_t self:unix_dgram_socket create_socket_perms;
+allow crond_t self:unix_stream_socket create_stream_socket_perms;
allow crond_t self:unix_dgram_socket sendto;
-allow crond_t self:unix_stream_socket { accept connectto listen };
+allow crond_t self:unix_stream_socket connectto;
allow crond_t self:shm create_shm_perms;
allow crond_t self:sem create_sem_perms;
allow crond_t self:msgq create_msgq_perms;
@@ -227,7 +184,7 @@ allow crond_t self:msg { send receive };
allow crond_t self:key { search write link };
dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
-allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(crond_t, cron_log_t, cron_log_t)
logging_log_filetrans(crond_t, cron_log_t, file)
manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
@@ -237,73 +194,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
-files_tmp_filetrans(crond_t, crond_tmp_t, { dir file })
+files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
-rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-
-manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
+kernel_read_kernel_sysctls(crond_t)
+kernel_read_fs_sysctls(crond_t)
+kernel_search_key(crond_t)
-allow crond_t system_cronjob_t:process transition;
-allow crond_t system_cronjob_t:fd use;
-allow crond_t system_cronjob_t:key manage_key_perms;
+dev_read_sysfs(crond_t)
+selinux_get_fs_mount(crond_t)
+selinux_validate_context(crond_t)
+selinux_compute_access_vector(crond_t)
+selinux_compute_create_context(crond_t)
+selinux_compute_relabel_context(crond_t)
+selinux_compute_user_contexts(crond_t)
-dontaudit crond_t { cronjob_t system_cronjob_t }:process { noatsecure siginh rlimitinh };
+dev_read_urand(crond_t)
-domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
+fs_getattr_all_fs(crond_t)
+fs_search_auto_mountpoints(crond_t)
+fs_list_inotifyfs(crond_t)
-kernel_read_kernel_sysctls(crond_t)
-kernel_read_fs_sysctls(crond_t)
-kernel_search_key(crond_t)
+# need auth_chkpwd to check for locked accounts.
+auth_domtrans_chk_passwd(crond_t)
+auth_manage_var_auth(crond_t)
corecmd_exec_shell(crond_t)
-corecmd_exec_bin(crond_t)
corecmd_list_bin(crond_t)
-
-dev_read_sysfs(crond_t)
-dev_read_urand(crond_t)
+corecmd_exec_bin(crond_t)
+corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
domain_subj_id_change_exemption(crond_t)
domain_role_change_exemption(crond_t)
-fs_getattr_all_fs(crond_t)
-fs_list_inotifyfs(crond_t)
-fs_manage_cgroup_dirs(crond_t)
-fs_rw_cgroup_files(crond_t)
-fs_search_auto_mountpoints(crond_t)
-
-files_read_usr_files(crond_t)
files_read_etc_runtime_files(crond_t)
files_read_generic_spool(crond_t)
files_list_usr(crond_t)
+# Read from /var/spool/cron.
files_search_var_lib(crond_t)
files_search_default(crond_t)
files_read_all_locks(crond_t)
-mls_fd_share_all_levels(crond_t)
+fs_manage_cgroup_dirs(crond_t)
+fs_manage_cgroup_files(crond_t)
+
+# needed by "crontab -e"
mls_file_read_all_levels(crond_t)
mls_file_write_all_levels(crond_t)
+
+# needed because of kernel check of transition
mls_process_set_level(crond_t)
-mls_trusted_object(crond_t)
-selinux_get_fs_mount(crond_t)
-selinux_validate_context(crond_t)
-selinux_compute_access_vector(crond_t)
-selinux_compute_create_context(crond_t)
-selinux_compute_relabel_context(crond_t)
-selinux_compute_user_contexts(crond_t)
+# to make cronjob working
+mls_fd_share_all_levels(crond_t)
+mls_trusted_object(crond_t)
init_read_state(crond_t)
init_rw_utmp(crond_t)
init_spec_domtrans_script(crond_t)
-auth_domtrans_chk_passwd(crond_t)
-auth_manage_var_auth(crond_t)
auth_use_nsswitch(crond_t)
logging_send_audit_msgs(crond_t)
@@ -312,41 +264,46 @@ logging_set_loginuid(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
+seutil_sigchld_newrole(crond_t)
-miscfiles_read_localization(crond_t)
+userdom_use_unpriv_users_fds(crond_t)
+# Not sure why this is needed
userdom_list_user_home_dirs(crond_t)
+userdom_list_admin_dir(crond_t)
+userdom_manage_all_users_keys(crond_t)
-tunable_policy(`cron_userdomain_transition',`
- dontaudit crond_t cronjob_t:process transition;
- dontaudit crond_t cronjob_t:fd use;
- dontaudit crond_t cronjob_t:key manage_key_perms;
-',`
- allow crond_t cronjob_t:process transition;
- allow crond_t cronjob_t:fd use;
- allow crond_t cronjob_t:key manage_key_perms;
-')
+mta_send_mail(crond_t)
+mta_system_content(cron_spool_t)
ifdef(`distro_debian',`
+ # pam_limits is used
allow crond_t self:process setrlimit;
- optional_policy(`
- logwatch_search_cache_dir(crond_t)
- ')
+')
+
+optional_policy(`
+ logwatch_search_cache_dir(crond_t)
+')
+
+optional_policy(`
+ bind_read_config(crond_t)
')
ifdef(`distro_redhat',`
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ # via redirection of standard out.
optional_policy(`
rpm_manage_log(crond_t)
')
')
-tunable_policy(`allow_polyinstantiation',`
+tunable_policy(`polyinstantiation_enabled',`
files_polyinstantiate_all(crond_t)
')
-tunable_policy(`fcron_crond',`
- allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms;
+tunable_policy(`fcron_crond', `
+ allow crond_t system_cron_spool_t:file manage_file_perms;
')
optional_policy(`
@@ -354,103 +311,141 @@ optional_policy(`
')
optional_policy(`
- dbus_system_bus_client(crond_t)
-
- optional_policy(`
- hal_dbus_chat(crond_t)
- ')
-
- optional_policy(`
- unconfined_dbus_send(crond_t)
- ')
+ djbdns_search_tinydns_keys(crond_t)
+ djbdns_link_tinydns_keys(crond_t)
')
optional_policy(`
- amanda_search_var_lib(crond_t)
+ locallogin_search_keys(crond_t)
+ locallogin_link_keys(crond_t)
')
optional_policy(`
- amavis_search_lib(crond_t)
+ # these should probably be unconfined_crond_t
+ dbus_system_bus_client(crond_t)
+ init_dbus_send_script(crond_t)
+ init_dbus_chat(crond_t)
')
optional_policy(`
- djbdns_search_tinydns_keys(crond_t)
- djbdns_link_tinydns_keys(crond_t)
+ amanda_search_var_lib(crond_t)
')
optional_policy(`
- hal_write_log(crond_t)
+ antivirus_search_db(crond_t)
')
optional_policy(`
- locallogin_search_keys(crond_t)
- locallogin_link_keys(crond_t)
+ hal_dbus_chat(crond_t)
+ hal_write_log(crond_t)
+ hal_dbus_chat(system_cronjob_t)
')
optional_policy(`
- mta_send_mail(crond_t)
+ # cjp: why?
+ munin_search_lib(crond_t)
')
optional_policy(`
- munin_search_lib(crond_t)
+ rpc_search_nfs_state_data(crond_t)
')
optional_policy(`
- postgresql_search_db(crond_t)
+ # Commonly used from postinst scripts
+ rpm_read_pipes(crond_t)
')
optional_policy(`
- rpc_search_nfs_state_data(crond_t)
+ # allow crond to find /usr/lib/postgresql/bin/do.maintenance
+ postgresql_search_db(crond_t)
')
optional_policy(`
- rpm_read_pipes(crond_t)
+ systemd_use_fds_logind(crond_t)
+ systemd_write_inherited_logind_sessions_pipes(crond_t)
')
optional_policy(`
- seutil_sigchld_newrole(crond_t)
+ udev_read_db(crond_t)
')
optional_policy(`
- udev_read_db(crond_t)
+ vnstatd_search_lib(crond_t)
')
########################################
#
-# System local policy
+# System cron process domain
#
allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fd use;
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+# This is to handle creation of files in /var/log directory.
+# Used currently by rpm script log files
+allow system_cronjob_t cron_log_t:file manage_file_perms;
logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+# This is to handle /var/lib/misc directory. Used currently
+# by prelink var/lib files for cron
allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
allow system_cronjob_t cron_var_run_t:file manage_file_perms;
files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
+allow system_cronjob_t system_cron_spool_t:file read_file_perms;
+
+# anacron forces the following
manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
+# The entrypoint interface is not used as this is not
+# a regular entrypoint. Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job. It
+# performs an entrypoint permission check
+# for this purpose.
+allow system_cronjob_t system_cron_spool_t:file entrypoint;
+
+tunable_policy(`cron_system_cronjob_use_shares',`
+ fs_fusefs_entrypoint(system_cronjob_t)
+ fs_nfs_entrypoint(system_cronjob_t)
+ fs_cifs_entrypoint(system_cronjob_t)
+')
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond
+# via setexeccon. There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t system_cronjob_t:process transition;
+dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t system_cronjob_t:fd use;
+allow system_cronjob_t crond_t:fd use;
+allow system_cronjob_t crond_t:fifo_file rw_file_perms;
+allow system_cronjob_t crond_t:process sigchld;
+allow crond_t system_cronjob_t:key manage_key_perms;
+
+# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
+# write temporary files
+manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
-filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { dir file lnk_file })
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { dir file })
+# var/lib files for system_crond
+files_search_var_lib(system_cronjob_t)
manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
-allow system_cronjob_t crond_t:fd use;
-allow system_cronjob_t crond_t:fifo_file rw_fifo_file_perms;
-allow system_cronjob_t crond_t:process sigchld;
-
+# Read from /var/spool/cron.
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;
@@ -461,11 +456,11 @@ kernel_read_network_state(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
kernel_read_software_raid_state(system_cronjob_t)
+# ps does not need to access /boot when run from cron
files_dontaudit_search_boot(system_cronjob_t)
corecmd_exec_all_executables(system_cronjob_t)
-corenet_all_recvfrom_unlabeled(system_cronjob_t)
corenet_all_recvfrom_netlabel(system_cronjob_t)
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
corenet_udp_sendrecv_generic_if(system_cronjob_t)
@@ -485,6 +480,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
fs_getattr_all_pipes(system_cronjob_t)
fs_getattr_all_sockets(system_cronjob_t)
+# quiet other ps operations
domain_dontaudit_read_all_domains_state(system_cronjob_t)
files_exec_etc_files(system_cronjob_t)
@@ -495,17 +491,22 @@ files_getattr_all_files(system_cronjob_t)
files_getattr_all_symlinks(system_cronjob_t)
files_getattr_all_pipes(system_cronjob_t)
files_getattr_all_sockets(system_cronjob_t)
-files_read_usr_files(system_cronjob_t)
files_read_var_files(system_cronjob_t)
+# for nscd:
files_dontaudit_search_pids(system_cronjob_t)
+# Access other spool directories like
+# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
files_create_boot_flag(system_cronjob_t)
mls_file_read_to_clearance(system_cronjob_t)
init_domtrans_script(system_cronjob_t)
-init_read_utmp(system_cronjob_t)
init_use_script_fds(system_cronjob_t)
+init_read_utmp(system_cronjob_t)
+init_dontaudit_rw_utmp(system_cronjob_t)
+# prelink tells init to restart it self, we either need to allow or dontaudit
+init_telinit(system_cronjob_t)
auth_use_nsswitch(system_cronjob_t)
@@ -516,20 +517,28 @@ logging_read_generic_logs(system_cronjob_t)
logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
-miscfiles_read_localization(system_cronjob_t)
+miscfiles_filetrans_named_content_letsencrypt(system_cronjob_t)
seutil_read_config(system_cronjob_t)
+userdom_manage_tmpfs_files(system_cronjob_t, file)
+userdom_tmpfs_filetrans(system_cronjob_t, file)
+
ifdef(`distro_redhat',`
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ allow crond_t system_cron_spool_t:file manage_file_perms;
+
+ # via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
')
')
+selinux_get_fs_mount(system_cronjob_t)
+
tunable_policy(`cron_can_relabel',`
seutil_domtrans_setfiles(system_cronjob_t)
',`
- selinux_get_fs_mount(system_cronjob_t)
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
@@ -539,10 +548,26 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
+ # Needed for certwatch
apache_exec_modules(system_cronjob_t)
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
+ apache_manage_lib(system_cronjob_t)
+ apache_delete_cache_dirs(system_cronjob_t)
+ apache_delete_cache_files(system_cronjob_t)
+')
+
+optional_policy(`
+ bind_read_config(system_cronjob_t)
+')
+
+optional_policy(`
+ cron_generic_log_filetrans_log_insights(system_cronjob_t)
+')
+
+optional_policy(`
+ chronyd_run_chronyc(system_cronjob_t,system_r)
')
optional_policy(`
@@ -551,10 +576,6 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(system_cronjob_t)
-
- optional_policy(`
- networkmanager_dbus_chat(system_cronjob_t)
- ')
')
optional_policy(`
@@ -566,6 +587,10 @@ optional_policy(`
exim_read_spool_files(system_cronjob_t)
')
+optional_policy(`
+ firewalld_dbus_chat(system_cronjob_t)
+')
+
optional_policy(`
ftp_read_log(system_cronjob_t)
')
@@ -591,14 +616,39 @@ optional_policy(`
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
+ mta_system_content(system_cron_spool_t)
')
optional_policy(`
mysql_read_config(system_cronjob_t)
')
+optional_policy(`
+ networkmanager_dbus_chat(system_cronjob_t)
+')
+
+optional_policy(`
+ pcp_filetrans_named_content(system_cronjob_t)
+')
+
optional_policy(`
postfix_read_config(system_cronjob_t)
+')
+
+optional_policy(`
+ prelink_delete_cache(system_cronjob_t)
+ prelink_manage_lib(system_cronjob_t)
+ prelink_manage_log(system_cronjob_t)
+ prelink_read_cache(system_cronjob_t)
+ prelink_relabel_lib(system_cronjob_t)
+')
+
+optional_policy(`
+ rkhunter_manage_lib_files(system_cronjob_t)
+')
+
+optional_policy(`
+ rhsmcertd_dbus_chat(system_cronjob_t)
')
optional_policy(`
@@ -606,8 +656,13 @@ optional_policy(`
samba_read_log(system_cronjob_t)
')
+optional_policy(`
+ snapper_dbus_chat(system_cronjob_t)
+')
+
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
+ spamassassin_manage_home_client(system_cronjob_t)
')
optional_policy(`
@@ -615,12 +670,27 @@ optional_policy(`
')
optional_policy(`
- userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
+ systemd_dbus_chat_logind(system_cronjob_t)
+ systemd_dbus_chat_timedated(system_cronjob_t)
+ systemd_dbus_chat_hostnamed(system_cronjob_t)
+ systemd_dbus_chat_localed(system_cronjob_t)
+ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+')
+
+optional_policy(`
+ unconfined_domain(crond_t)
+ unconfined_domain(system_cronjob_t)
+')
+
+optional_policy(`
+ unconfined_shell_domtrans(crond_t)
+ unconfined_dbus_send(crond_t)
+ userdom_filetrans_home_content(crond_t)
')
########################################
#
-# Cronjob local policy
+# User cronjobs local policy
#
allow cronjob_t self:process { signal_perms setsched };
@@ -628,12 +698,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
+# The entrypoint interface is not used as this is not
+# a regular entrypoint. Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job. It
+# performs an entrypoint permission check
+# for this purpose.
+allow cronjob_t user_cron_spool_t:file entrypoint;
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond
+# via setexeccon. There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t cronjob_t:process transition;
+dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t cronjob_t:fd use;
+allow cronjob_t crond_t:fd use;
+allow cronjob_t crond_t:fifo_file rw_file_perms;
+allow cronjob_t crond_t:process sigchld;
+
kernel_read_system_state(cronjob_t)
kernel_read_kernel_sysctls(cronjob_t)
+# ps does not need to access /boot when run from cron
files_dontaudit_search_boot(cronjob_t)
-corenet_all_recvfrom_unlabeled(cronjob_t)
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
@@ -641,66 +731,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
-
-corenet_sendrecv_all_client_packets(cronjob_t)
corenet_tcp_connect_all_ports(cronjob_t)
-
-corecmd_exec_all_executables(cronjob_t)
+corenet_sendrecv_all_client_packets(cronjob_t)
dev_read_urand(cronjob_t)
fs_getattr_all_fs(cronjob_t)
+corecmd_exec_all_executables(cronjob_t)
+
+# quiet other ps operations
domain_dontaudit_read_all_domains_state(cronjob_t)
domain_dontaudit_getattr_all_domains(cronjob_t)
files_exec_etc_files(cronjob_t)
-files_read_etc_runtime_files(cronjob_t)
-files_read_var_files(cronjob_t)
-files_read_usr_files(cronjob_t)
-files_search_spool(cronjob_t)
+# for nscd:
files_dontaudit_search_pids(cronjob_t)
libs_exec_lib_files(cronjob_t)
libs_exec_ld_so(cronjob_t)
+files_read_etc_runtime_files(cronjob_t)
+files_read_var_files(cronjob_t)
+files_search_spool(cronjob_t)
+
logging_search_logs(cronjob_t)
seutil_read_config(cronjob_t)
-miscfiles_read_localization(cronjob_t)
userdom_manage_user_tmp_files(cronjob_t)
userdom_manage_user_tmp_symlinks(cronjob_t)
userdom_manage_user_tmp_pipes(cronjob_t)
userdom_manage_user_tmp_sockets(cronjob_t)
+# Run scripts in user home directory and access shared libs.
userdom_exec_user_home_content_files(cronjob_t)
+# Access user files and dirs.
userdom_manage_user_home_content_files(cronjob_t)
userdom_manage_user_home_content_symlinks(cronjob_t)
userdom_manage_user_home_content_pipes(cronjob_t)
userdom_manage_user_home_content_sockets(cronjob_t)
-tunable_policy(`cron_userdomain_transition',`
- dontaudit cronjob_t crond_t:fd use;
- dontaudit cronjob_t crond_t:fifo_file rw_fifo_file_perms;
- dontaudit cronjob_t crond_t:process sigchld;
-
- dontaudit cronjob_t user_cron_spool_t:file entrypoint;
-',`
- allow cronjob_t crond_t:fd use;
- allow cronjob_t crond_t:fifo_file rw_fifo_file_perms;
- allow cronjob_t crond_t:process sigchld;
+list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
- allow cronjob_t user_cron_spool_t:file entrypoint;
+tunable_policy(`fcron_crond',`
+ allow crond_t user_cron_spool_t:file manage_file_perms;
')
+# need a per-role version of this:
+#optional_policy(`
+# mono_domtrans(cronjob_t)
+#')
+
optional_policy(`
nis_use_ypbind(cronjob_t)
')
+##############################
+#
+# crontab common policy
+#
+
+# dac_override is to create the file in the directory under /tmp
+allow crontab_domain self:capability { fowner setuid setgid chown dac_read_search dac_override };
+allow crontab_domain self:process { getcap setsched signal_perms };
+allow crontab_domain self:fifo_file rw_fifo_file_perms;
+
+allow crontab_domain crond_t:process signal;
+allow crontab_domain crond_var_run_t:file read_file_perms;
+
+corecmd_exec_bin(crontab_domain)
+corecmd_exec_shell(crontab_domain)
+
+# create files in /var/spool/cron
+manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
+filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
+files_list_spool(crontab_domain)
+
+# crontab signals crond by updating the mtime on the spooldir
+allow crontab_domain cron_spool_t:dir setattr_dir_perms;
+
+# for the checks used by crontab -u
+selinux_dontaudit_search_fs(crontab_domain)
+
+fs_getattr_xattr_fs(crontab_domain)
+fs_manage_cgroup_dirs(crontab_domain)
+fs_manage_cgroup_files(crontab_domain)
+
+domain_use_interactive_fds(crontab_domain)
+
+files_dontaudit_search_pids(crontab_domain)
+
+fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
+
+auth_rw_var_auth(crontab_domain)
+
+logging_send_audit_msgs(crontab_domain)
+logging_set_loginuid(crontab_domain)
+
+init_dontaudit_write_utmp(crontab_domain)
+init_read_utmp(crontab_domain)
+init_read_state(crontab_domain)
+
+
+seutil_read_config(crontab_domain)
+
+userdom_manage_user_tmp_dirs(crontab_domain)
+userdom_manage_user_tmp_files(crontab_domain)
+# Access terminals.
+userdom_use_inherited_user_terminals(crontab_domain)
+# Read user crontabs
+userdom_read_user_home_content_files(crontab_domain)
+userdom_read_user_home_content_symlinks(crontab_domain)
+
+tunable_policy(`fcron_crond',`
+ # fcron wants an instant update of a crontab change for the administrator
+ # also crontab does a security check for crontab -u
+ dontaudit crontab_domain crond_t:process signal;
+')
+
+optional_policy(`
+ ssh_dontaudit_use_ptys(crontab_domain)
+')
+
+optional_policy(`
+ openshift_dontaudit_rw_inherited_fifo_files(crontab_domain)
+ openshift_transition(system_cronjob_t)
+')
+
########################################
#
-# Unconfined local policy
+# Unconfined cronjobs local policy
#
type unconfined_cronjob_t;
diff --git a/ctdb.fc b/ctdb.fc
index 8401fe6f3..84ece3e4a 100644
--- a/ctdb.fc
+++ b/ctdb.fc
@@ -1,12 +1,20 @@
/etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0)
+/etc/ctdb/events\.d/.* -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
+
/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
+/usr/sbin/ctdbd_wrapper -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
+
+/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_t,s0)
+/var/lib/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
/var/log/ctdb\.log.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
/var/log/log\.ctdb.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
+
+/var/run/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0)
/var/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0)
/var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0)
diff --git a/ctdb.if b/ctdb.if
index b25b01d12..06895f39a 100644
--- a/ctdb.if
+++ b/ctdb.if
@@ -1,9 +1,178 @@
-## Clustered Database based on Samba Trivial Database.
+
+## policy for ctdbd
+
+########################################
+##
+## Transition to ctdbd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ctdbd_domtrans',`
+ gen_require(`
+ type ctdbd_t, ctdbd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ctdbd_exec_t, ctdbd_t)
+')
+
+########################################
+##
+## Execute ctdbd server in the ctdbd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_initrc_domtrans',`
+ gen_require(`
+ type ctdbd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+')
+
+#######################################
+##
+## Allow domain to signal ctdbd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_signal',`
+ gen_require(`
+ type ctdbd_t;
+ ')
+ allow $1 ctdbd_t:process signal;
+')
+
+#######################################
+##
+## Allow domain to sigchld ctdbd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_sigchld',`
+ gen_require(`
+ type ctdbd_t;
+ ')
+ allow $1 ctdbd_t:process sigchld;
+')
+
+########################################
+##
+## Read ctdbd's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`ctdbd_read_log',`
+ gen_require(`
+ type ctdbd_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+##
+## Append to ctdbd log files.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ctdbd_append_log',`
+ gen_require(`
+ type ctdbd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+##
+## Manage ctdbd log files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`ctdbd_manage_log',`
+ gen_require(`
+ type ctdbd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t)
+ manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+ manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+##
+## Search ctdbd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_search_lib',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ allow $1 ctdbd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read ctdbd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_read_lib_files',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
########################################
##
-## Create, read, write, and delete
-## ctdbd lib files.
+## Manage ctdbd lib files.
##
##
##
@@ -17,13 +186,12 @@ interface(`ctdbd_manage_lib_files',`
')
files_search_var_lib($1)
- manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+ manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
')
-#######################################
+########################################
##
-## Connect to ctdbd with a unix
-## domain stream socket.
+## Manage ctdbd lib directories.
##
##
##
@@ -31,19 +199,58 @@ interface(`ctdbd_manage_lib_files',`
##
##
#
-interface(`ctdbd_stream_connect',`
+interface(`ctdbd_manage_lib_dirs',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
+
+########################################
+##
+## Read ctdbd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_read_pid_files',`
gen_require(`
- type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
+ type ctdbd_var_run_t;
')
files_search_pids($1)
- stream_connect_pattern($1, { ctdbd_tmp_t ctdbd_var_run_t }, { ctdbd_tmp_t ctdbd_var_run_t }, ctdbd_t)
+ allow $1 ctdbd_var_run_t:file read_file_perms;
+')
+
+#######################################
+##
+## Connect to ctdbd over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_stream_connect',`
+ gen_require(`
+ type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t)
+ stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t)
')
########################################
##
-## All of the rules required to
-## administrate an ctdb environment.
+## All of the rules required to administrate
+## an ctdbd environment
##
##
##
@@ -57,16 +264,19 @@ interface(`ctdbd_stream_connect',`
##
##
#
-interface(`ctdb_admin',`
+interface(`ctdbd_admin',`
gen_require(`
- type ctdbd_t, ctdbd_initrc_exec_t, ctdbd_tmp_t;
+ type ctdbd_t, ctdbd_initrc_exec_t;
type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
')
- allow $1 ctdbd_t:process { ptrace signal_perms };
+ allow $1 ctdbd_t:process signal_perms;
ps_process_pattern($1, ctdbd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ctdbd_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+ ctdbd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 ctdbd_initrc_exec_t system_r;
allow $2 system_r;
@@ -74,12 +284,10 @@ interface(`ctdb_admin',`
logging_search_logs($1)
admin_pattern($1, ctdbd_log_t)
- files_search_tmp($1)
- admin_pattern($1, ctdbd_tmp_t)
-
files_search_var_lib($1)
admin_pattern($1, ctdbd_var_lib_t)
files_search_pids($1)
admin_pattern($1, ctdbd_var_run_t)
')
+
diff --git a/ctdb.te b/ctdb.te
index 001b502e6..9ace4fe93 100644
--- a/ctdb.te
+++ b/ctdb.te
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
type ctdbd_var_lib_t;
files_type(ctdbd_var_lib_t)
+type ctdbd_var_t;
+files_type(ctdbd_var_t)
+
type ctdbd_var_run_t;
files_pid_file(ctdbd_var_run_t)
@@ -32,13 +35,17 @@ files_pid_file(ctdbd_var_run_t)
# Local policy
#
-allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
-allow ctdbd_t self:process { setpgid signal_perms setsched };
+allow ctdbd_t self:capability { chown dac_override dac_read_search ipc_lock net_admin net_raw sys_nice sys_resource };
+allow ctdbd_t self:capability2 block_suspend;
+allow ctdbd_t self:process { setpgid setrlimit signal_perms setsched };
allow ctdbd_t self:fifo_file rw_fifo_file_perms;
allow ctdbd_t self:unix_stream_socket { accept connectto listen };
allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
allow ctdbd_t self:packet_socket create_socket_perms;
allow ctdbd_t self:tcp_socket create_stream_socket_perms;
+allow ctdbd_t self:udp_socket create_socket_perms;
+allow ctdbd_t self:rawip_socket create_socket_perms;
+allow ctdbd_t self:netlink_tcpdiag_socket create_socket_perms;
append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
@@ -57,12 +64,24 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir)
exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
-files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)
+files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir, "ctdb")
+
+manage_dirs_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+manage_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+manage_lnk_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdbd")
+files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdb")
manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
+manage_sock_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)
+setattr_files_pattern(ctdbd_t, ctdbd_exec_t, ctdbd_exec_t)
+write_files_pattern(ctdbd_t, ctdbd_exec_t, ctdbd_exec_t)
+
+can_exec(ctdbd_t, ctdbd_exec_t)
+
kernel_read_network_state(ctdbd_t)
kernel_read_system_state(ctdbd_t)
kernel_rw_net_sysctls(ctdbd_t)
@@ -72,27 +91,41 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
corenet_tcp_sendrecv_generic_if(ctdbd_t)
corenet_tcp_sendrecv_generic_node(ctdbd_t)
corenet_tcp_bind_generic_node(ctdbd_t)
+corenet_udp_bind_generic_node(ctdbd_t)
corenet_sendrecv_ctdb_server_packets(ctdbd_t)
corenet_tcp_bind_ctdb_port(ctdbd_t)
+corenet_udp_bind_ctdb_port(ctdbd_t)
+corenet_tcp_bind_smbd_port(ctdbd_t)
+corenet_tcp_bind_all_rpc_ports(ctdbd_t)
+corenet_udp_bind_all_rpc_ports(ctdbd_t)
+corenet_tcp_connect_ctdb_port(ctdbd_t)
corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
+corenet_tcp_connect_gluster_port(ctdbd_t)
+corenet_tcp_connect_nfs_port(ctdbd_t)
+corenet_tcp_connect_portmap_port(ctdbd_t)
corecmd_exec_bin(ctdbd_t)
corecmd_exec_shell(ctdbd_t)
+corecmd_getattr_all_executables(ctdbd_t)
dev_read_sysfs(ctdbd_t)
dev_read_urand(ctdbd_t)
domain_dontaudit_read_all_domains_state(ctdbd_t)
-files_read_etc_files(ctdbd_t)
files_search_all_mountpoints(ctdbd_t)
+fs_getattr_all_fs(ctdbd_t)
+
+auth_use_nsswitch(ctdbd_t)
+
logging_send_syslog_msg(ctdbd_t)
-miscfiles_read_localization(ctdbd_t)
miscfiles_read_public_files(ctdbd_t)
+userdom_home_manager(ctdbd_t)
+
optional_policy(`
consoletype_exec(ctdbd_t)
')
@@ -106,9 +139,22 @@ optional_policy(`
')
optional_policy(`
+ rpc_domtrans_rpcd(ctdbd_t)
+ rpc_manage_nfs_state_data_dir(ctdbd_t)
+ rpc_read_nfs_state_data(ctdbd_t)
+')
+
+optional_policy(`
+ samba_signull_smbd(ctdbd_t)
samba_initrc_domtrans(ctdbd_t)
samba_domtrans_net(ctdbd_t)
samba_rw_var_files(ctdbd_t)
+ samba_systemctl(ctdbd_t)
+')
+
+optional_policy(`
+ samba_signull_winbind(ctdbd_t)
+ samba_signull_unconfined_net(ctdbd_t)
')
optional_policy(`
diff --git a/cups.fc b/cups.fc
index 949011ec8..9437dbe01 100644
--- a/cups.fc
+++ b/cups.fc
@@ -1,77 +1,91 @@
-/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
-/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0)
-/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
-
-/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/hp(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
-/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/lib/systemd/system/cups.* -- gen_context(system_u:object_r:cupsd_unit_file_t,s0)
-/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
-/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/lib/cups-pk-helper/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
-/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
-/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/hpijs -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/cups-browsed -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hpiod -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
/usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
-/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
+/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
-/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
+/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0)
+/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
-/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+
+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
+/var/run/hplip(/.*) gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/hp.*\.pid -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/hp.*\.port -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
-/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
-/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
+/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
+/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/cups.if b/cups.if
index 3023be7f6..27938e4b4 100644
--- a/cups.if
+++ b/cups.if
@@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',`
interface(`cups_read_config',`
gen_require(`
type cupsd_etc_t, cupsd_rw_etc_t;
+ type hplip_etc_t;
')
files_search_etc($1)
- read_files_pattern($1, cupsd_etc_t, { cupsd_etc_t cupsd_rw_etc_t })
+ read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
+ read_files_pattern($1, hplip_etc_t, hplip_etc_t)
+ read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
')
########################################
@@ -304,6 +307,30 @@ interface(`cups_stream_connect_ptal',`
stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t)
')
+########################################
+##
+## Execute cupsd server in the cupsd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cupsd_systemctl',`
+ gen_require(`
+ type cupsd_t;
+ type cupsd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 cupsd_unit_file_t:file read_file_perms;
+ allow $1 cupsd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, cupsd_t)
+')
+
########################################
##
## Read the process state (/proc/pid) of cupsd.
@@ -344,18 +371,23 @@ interface(`cups_read_state',`
interface(`cups_admin',`
gen_require(`
type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+ type cupsd_etc_t, cupsd_log_t;
type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t;
type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t;
type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
- type hplip_t, ptal_t;
+ type ptal_t;
+ type cupsd_unit_file_t;
')
- allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms };
- allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms };
+ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { signal_perms };
+ allow $1 { cups_pdf_t ptal_t }:process { signal_perms };
ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
- ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
+ ps_process_pattern($1, { cups_pdf_t ptal_t })
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process ptrace;
+ ')
init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -368,13 +400,48 @@ interface(`cups_admin',`
logging_list_logs($1)
admin_pattern($1, cupsd_log_t)
- files_list_spool($1)
- admin_pattern($1, cupsd_spool_t)
-
files_list_tmp($1)
admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t })
-
- files_list_pids($1)
admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t })
admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t })
+
+ cupsd_systemctl($1)
+ admin_pattern($1, cupsd_unit_file_t)
+ allow $1 cupsd_unit_file_t:service all_service_perms;
+')
+
+########################################
+##
+## Transition to cups named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cups_filetrans_named_content',`
+ gen_require(`
+ type cupsd_rw_etc_t;
+ type cupsd_etc_t;
+ ')
+
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf.default")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "lpoptions")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat")
+ files_etc_filetrans($1, cupsd_rw_etc_t, file, "printcap")
+ files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat")
+ files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppd")
+ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "ppd")
+ files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
')
diff --git a/cups.te b/cups.te
index c91813ccb..80859f130 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
# Declarations
#
-type cupsd_config_t;
+##
+##
+## Allow cups execmem/execstack
+##
+##
+gen_tunable(cups_execmem, false)
+
+attribute cups_domain;
+
+type cupsd_config_t, cups_domain;
type cupsd_config_exec_t;
init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
type cupsd_config_var_run_t;
files_pid_file(cupsd_config_var_run_t)
-type cupsd_t;
+type cupsd_t, cups_domain;
type cupsd_exec_t;
+typealias cupsd_t alias hplip_t;
+typealias cupsd_exec_t alias hplip_exec_t;
init_daemon_domain(cupsd_t, cupsd_exec_t)
mls_trusted_object(cupsd_t)
type cupsd_etc_t;
+typealias cupsd_etc_t alias hplip_etc_t;
files_config_file(cupsd_etc_t)
type cupsd_initrc_exec_t;
@@ -33,13 +45,15 @@ type cupsd_lock_t;
files_lock_file(cupsd_lock_t)
type cupsd_log_t;
+typealias cupsd_log_t alias hplip_var_log_t;
logging_log_file(cupsd_log_t)
-type cupsd_lpd_t;
+type cupsd_var_lib_t alias hplip_var_lib_t;
+files_type(cupsd_var_lib_t)
+
+type cupsd_lpd_t, cups_domain;
type cupsd_lpd_exec_t;
-domain_type(cupsd_lpd_t)
-domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
-role system_r types cupsd_lpd_t;
+init_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
type cupsd_lpd_tmp_t;
files_tmp_file(cupsd_lpd_tmp_t)
@@ -47,7 +61,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
type cupsd_lpd_var_run_t;
files_pid_file(cupsd_lpd_var_run_t)
-type cups_pdf_t;
+type cups_pdf_t, cups_domain;
type cups_pdf_exec_t;
cups_backend(cups_pdf_t, cups_pdf_exec_t)
@@ -55,29 +69,17 @@ type cups_pdf_tmp_t;
files_tmp_file(cups_pdf_tmp_t)
type cupsd_tmp_t;
+typealias cupsd_tmp_t alias hplip_tmp_t;
files_tmp_file(cupsd_tmp_t)
type cupsd_var_run_t;
+typealias cupsd_var_run_t alias hplip_var_run_t;
files_pid_file(cupsd_var_run_t)
init_daemon_run_dir(cupsd_var_run_t, "cups")
mls_trusted_object(cupsd_var_run_t)
-type hplip_t;
-type hplip_exec_t;
-init_daemon_domain(hplip_t, hplip_exec_t)
-cups_backend(hplip_t, hplip_exec_t)
-
-type hplip_etc_t;
-files_config_file(hplip_etc_t)
-
-type hplip_tmp_t;
-files_tmp_file(hplip_tmp_t)
-
-type hplip_var_lib_t;
-files_type(hplip_var_lib_t)
-
-type hplip_var_run_t;
-files_pid_file(hplip_var_run_t)
+type cupsd_unit_file_t;
+systemd_unit_file(cupsd_unit_file_t)
type ptal_t;
type ptal_exec_t;
@@ -97,34 +99,65 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
')
+#######################################
+#
+# Cups general local policy
+#
+
+allow cups_domain self:capability { setuid setgid sys_nice };
+allow cups_domain self:process { getsched setsched signal_perms };
+allow cups_domain self:fifo_file rw_fifo_file_perms;
+allow cups_domain self:tcp_socket { accept listen };
+allow cups_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(cups_domain)
+kernel_read_network_state(cups_domain)
+
+corecmd_exec_bin(cups_domain)
+corecmd_exec_shell(cups_domain)
+
+dev_read_urand(cups_domain)
+dev_read_rand(cups_domain)
+dev_read_sysfs(cups_domain)
+
+fs_getattr_all_fs(cups_domain)
+
+miscfiles_read_fonts(cups_domain)
+miscfiles_setattr_fonts_cache_dirs(cups_domain)
+
+optional_policy(`
+ lpd_manage_spool(cups_domain)
+')
+
########################################
#
# Cups local policy
#
-allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
+allow cupsd_t self:capability { ipc_lock sys_admin dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config };
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
allow cupsd_t self:capability2 block_suspend;
-allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
-allow cupsd_t self:fifo_file rw_fifo_file_perms;
+allow cupsd_t self:process { getpgid setpgid setsched };
allow cupsd_t self:unix_stream_socket { accept connectto listen };
allow cupsd_t self:netlink_selinux_socket create_socket_perms;
allow cupsd_t self:shm create_shm_perms;
allow cupsd_t self:sem create_sem_perms;
-allow cupsd_t self:tcp_socket { accept listen };
allow cupsd_t self:appletalk_socket create_socket_perms;
-allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
-allow cupsd_t cupsd_etc_t:file setattr_file_perms;
+allow cupsd_t cupsd_etc_t:dir manage_dir_perms;
+allow cupsd_t cupsd_etc_t:file { map setattr_file_perms };
read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
+can_exec(cupsd_t, cupsd_interface_t)
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
+cups_filetrans_named_content(cupsd_t)
+can_exec(cupsd_t, cupsd_rw_etc_t)
allow cupsd_t cupsd_exec_t:dir search_dir_perms;
allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
@@ -136,22 +169,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
+manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
+manage_lnk_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
+
manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
+allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file })
-allow cupsd_t hplip_t:process { signal sigkill };
+allow cupsd_t cupsd_unit_file_t:file read_file_perms;
-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
-
-allow cupsd_t hplip_var_run_t:file read_file_perms;
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
@@ -159,11 +193,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
kernel_read_system_state(cupsd_t)
-kernel_read_network_state(cupsd_t)
kernel_read_all_sysctls(cupsd_t)
kernel_request_load_module(cupsd_t)
-corenet_all_recvfrom_unlabeled(cupsd_t)
corenet_all_recvfrom_netlabel(cupsd_t)
corenet_tcp_sendrecv_generic_if(cupsd_t)
corenet_udp_sendrecv_generic_if(cupsd_t)
@@ -186,12 +218,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_bind_all_rpc_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
-corecmd_exec_bin(cupsd_t)
-corecmd_exec_shell(cupsd_t)
+corenet_sendrecv_hplip_client_packets(cupsd_t)
+corenet_receive_hplip_server_packets(cupsd_t)
+corenet_tcp_bind_hplip_port(cupsd_t)
+corenet_tcp_connect_hplip_port(cupsd_t)
+corenet_tcp_bind_glance_port(cupsd_t)
+corenet_tcp_connect_glance_port(cupsd_t)
+
+corenet_sendrecv_ipp_client_packets(cupsd_t)
+corenet_tcp_connect_ipp_port(cupsd_t)
+
+corenet_sendrecv_howl_server_packets(cupsd_t)
+corenet_udp_bind_howl_port(cupsd_t)
dev_rw_printer(cupsd_t)
-dev_read_urand(cupsd_t)
-dev_read_sysfs(cupsd_t)
dev_rw_input_dev(cupsd_t)
dev_rw_generic_usb_dev(cupsd_t)
dev_rw_usbfs(cupsd_t)
@@ -203,7 +243,6 @@ domain_use_interactive_fds(cupsd_t)
files_getattr_boot_dirs(cupsd_t)
files_list_spool(cupsd_t)
files_read_etc_runtime_files(cupsd_t)
-files_read_usr_files(cupsd_t)
files_exec_usr_files(cupsd_t)
# for /var/lib/defoma
files_read_var_lib_files(cupsd_t)
@@ -212,17 +251,19 @@ files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
files_read_var_files(cupsd_t)
files_read_var_symlinks(cupsd_t)
-files_write_generic_pid_pipes(cupsd_t)
files_dontaudit_getattr_all_tmp_files(cupsd_t)
files_dontaudit_list_home(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
+files_dontaudit_write_usr_dirs(cupsd_t)
-fs_getattr_all_fs(cupsd_t)
fs_search_auto_mountpoints(cupsd_t)
fs_search_fusefs(cupsd_t)
fs_read_anon_inodefs_files(cupsd_t)
+fs_rw_anon_inodefs_files(cupsd_t)
+fs_rw_inherited_tmpfs_files(cupsd_t)
+mls_dbus_send_all_levels(cupsd_t)
mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
mls_file_write_all_levels(cupsd_t)
@@ -232,6 +273,8 @@ mls_socket_write_all_levels(cupsd_t)
term_search_ptys(cupsd_t)
term_use_unallocated_ttys(cupsd_t)
+term_use_ptmx(cupsd_t)
+term_use_usb_ttys(cupsd_t)
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
@@ -244,22 +287,27 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
-libs_read_lib_files(cupsd_t)
libs_exec_lib_files(cupsd_t)
+libs_exec_ldconfig(cupsd_t)
logging_send_audit_msgs(cupsd_t)
logging_send_syslog_msg(cupsd_t)
-miscfiles_read_localization(cupsd_t)
-miscfiles_read_fonts(cupsd_t)
-miscfiles_setattr_fonts_cache_dirs(cupsd_t)
-
seutil_read_config(cupsd_t)
sysnet_exec_ifconfig(cupsd_t)
+sysnet_dns_name_resolve(cupsd_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+userdom_dontaudit_search_user_home_dirs(cupsd_t)
userdom_dontaudit_search_user_home_content(cupsd_t)
+userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+userdom_dontaudit_search_user_home_content(cupsd_t)
+
+tunable_policy(`cups_execmem',`
+ allow cupsd_t self:process { execmem execstack };
+')
+
optional_policy(`
apm_domtrans_client(cupsd_t)
@@ -272,18 +320,26 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
+ init_dbus_chat(cupsd_t)
+
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
avahi_dbus_chat(cupsd_t)
')
+ optional_policy(`
+ colord_read_lib_files(cupsd_t)
+ ')
+
optional_policy(`
hal_dbus_chat(cupsd_t)
')
+ # talk to processes that do not have policy
optional_policy(`
unconfined_dbus_chat(cupsd_t)
+ files_write_generic_pid_pipes(cupsd_t)
')
')
@@ -296,8 +352,8 @@ optional_policy(`
')
optional_policy(`
+ kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0")
kerberos_manage_host_rcache(cupsd_t)
- kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
')
optional_policy(`
@@ -306,7 +362,6 @@ optional_policy(`
optional_policy(`
lpd_exec_lpr(cupsd_t)
- lpd_manage_spool(cupsd_t)
lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t)
')
@@ -315,6 +370,10 @@ optional_policy(`
mta_send_mail(cupsd_t)
')
+optional_policy(`
+ networkmanager_dbus_chat(cupsd_t)
+')
+
optional_policy(`
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
@@ -334,7 +393,11 @@ optional_policy(`
')
optional_policy(`
- virt_rw_all_image_chr_files(cupsd_t)
+ virt_rw_chr_files(cupsd_t)
+')
+
+optional_policy(`
+ vmware_read_system_config(cupsd_t)
')
########################################
@@ -342,12 +405,11 @@ optional_policy(`
# Configuration daemon local policy
#
-allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid };
+allow cupsd_config_t self:capability { chown dac_read_search dac_override sys_tty_config };
dontaudit cupsd_config_t self:capability sys_tty_config;
-allow cupsd_config_t self:process { getsched signal_perms };
-allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-allow cupsd_config_t self:tcp_socket { accept listen };
+allow cupsd_config_t self:process { getsched };
+domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t)
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
@@ -372,18 +434,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
-read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
+read_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
can_exec(cupsd_config_t, cupsd_config_exec_t)
-
-domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+can_exec(cupsd_config_t, cupsd_exec_t)
kernel_read_system_state(cupsd_config_t)
kernel_read_all_sysctls(cupsd_config_t)
-corenet_all_recvfrom_unlabeled(cupsd_config_t)
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
@@ -392,20 +452,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
-corecmd_exec_bin(cupsd_config_t)
-corecmd_exec_shell(cupsd_config_t)
-
-dev_read_sysfs(cupsd_config_t)
-dev_read_urand(cupsd_config_t)
-dev_read_rand(cupsd_config_t)
dev_rw_generic_usb_dev(cupsd_config_t)
files_read_etc_runtime_files(cupsd_config_t)
-files_read_usr_files(cupsd_config_t)
files_read_var_symlinks(cupsd_config_t)
files_search_all_mountpoints(cupsd_config_t)
-fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
@@ -417,11 +469,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
-miscfiles_read_localization(cupsd_config_t)
-miscfiles_read_hwdata(cupsd_config_t)
-
-seutil_dontaudit_search_config(cupsd_config_t)
-
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
@@ -448,10 +495,13 @@ optional_policy(`
')
')
+optional_policy(`
+ gnome_dontaudit_read_config(cupsd_config_t)
+')
+
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
- hal_dontaudit_use_fds(hplip_t)
')
optional_policy(`
@@ -466,6 +516,10 @@ optional_policy(`
lpd_read_config(cupsd_config_t)
')
+optional_policy(`
+ libs_exec_ldconfig(cupsd_config_t)
+')
+
optional_policy(`
rpm_read_db(cupsd_config_t)
')
@@ -487,10 +541,6 @@ optional_policy(`
# Lpd local policy
#
-allow cupsd_lpd_t self:capability { setuid setgid };
-allow cupsd_lpd_t self:process signal_perms;
-allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
-allow cupsd_lpd_t self:tcp_socket { accept listen };
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
@@ -508,15 +558,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
-kernel_read_network_state(cupsd_lpd_t)
-corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
corenet_all_recvfrom_netlabel(cupsd_lpd_t)
corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
corenet_tcp_sendrecv_generic_node(cupsd_lpd_t)
corenet_sendrecv_ipp_client_packets(cupsd_lpd_t)
corenet_tcp_connect_ipp_port(cupsd_lpd_t)
+corenet_tcp_bind_printer_port(cupsd_lpd_t)
+corenet_tcp_connect_printer_port(cupsd_lpd_t)
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
@@ -537,9 +587,6 @@ auth_use_nsswitch(cupsd_lpd_t)
logging_send_syslog_msg(cupsd_lpd_t)
-miscfiles_read_localization(cupsd_lpd_t)
-miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
-
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
@@ -549,8 +596,7 @@ optional_policy(`
# Pdf local policy
#
-allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
-allow cups_pdf_t self:fifo_file rw_fifo_file_perms;
+allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_read_search dac_override };
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
@@ -566,148 +612,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
-files_read_usr_files(cups_pdf_t)
-
-corecmd_exec_bin(cups_pdf_t)
-corecmd_exec_shell(cups_pdf_t)
-
auth_use_nsswitch(cups_pdf_t)
-miscfiles_read_localization(cups_pdf_t)
-miscfiles_read_fonts(cups_pdf_t)
-miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
-
userdom_manage_user_home_content_dirs(cups_pdf_t)
userdom_manage_user_home_content_files(cups_pdf_t)
-userdom_home_filetrans_user_home_dir(cups_pdf_t)
+userdom_filetrans_home_content(cups_pdf_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(cups_pdf_t)
fs_manage_nfs_files(cups_pdf_t)
')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(cups_pdf_t)
- fs_manage_cifs_files(cups_pdf_t)
-')
+userdom_home_manager(cups_pdf_t)
optional_policy(`
- lpd_manage_spool(cups_pdf_t)
+ gnome_read_config(cups_pdf_t)
')
-########################################
-#
-# HPLIP local policy
-#
-
-allow hplip_t self:capability { dac_override dac_read_search net_raw };
-dontaudit hplip_t self:capability sys_tty_config;
-allow hplip_t self:fifo_file rw_fifo_file_perms;
-allow hplip_t self:process signal_perms;
-allow hplip_t self:tcp_socket { accept listen };
-allow hplip_t self:rawip_socket create_socket_perms;
-
-allow hplip_t cupsd_etc_t:dir search_dir_perms;
-
-manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
-manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
-files_tmp_filetrans(hplip_t, cupsd_tmp_t, { dir file })
-
-allow hplip_t hplip_etc_t:dir list_dir_perms;
-allow hplip_t hplip_etc_t:file read_file_perms;
-allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms;
-
-manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
-manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
-
-manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
-
-manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
-files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-
-stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
-
-kernel_read_system_state(hplip_t)
-kernel_read_kernel_sysctls(hplip_t)
-
-corenet_all_recvfrom_unlabeled(hplip_t)
-corenet_all_recvfrom_netlabel(hplip_t)
-corenet_tcp_sendrecv_generic_if(hplip_t)
-corenet_udp_sendrecv_generic_if(hplip_t)
-corenet_raw_sendrecv_generic_if(hplip_t)
-corenet_tcp_sendrecv_generic_node(hplip_t)
-corenet_udp_sendrecv_generic_node(hplip_t)
-corenet_raw_sendrecv_generic_node(hplip_t)
-corenet_tcp_sendrecv_all_ports(hplip_t)
-corenet_udp_sendrecv_all_ports(hplip_t)
-corenet_tcp_bind_generic_node(hplip_t)
-corenet_udp_bind_generic_node(hplip_t)
-
-corenet_sendrecv_hplip_client_packets(hplip_t)
-corenet_receive_hplip_server_packets(hplip_t)
-corenet_tcp_bind_hplip_port(hplip_t)
-corenet_tcp_connect_hplip_port(hplip_t)
-
-corenet_sendrecv_ipp_client_packets(hplip_t)
-corenet_tcp_connect_ipp_port(hplip_t)
-
-corenet_sendrecv_howl_server_packets(hplip_t)
-corenet_udp_bind_howl_port(hplip_t)
-
-corecmd_exec_bin(hplip_t)
-
-dev_read_sysfs(hplip_t)
-dev_rw_printer(hplip_t)
-dev_read_urand(hplip_t)
-dev_read_rand(hplip_t)
-dev_rw_generic_usb_dev(hplip_t)
-dev_rw_usbfs(hplip_t)
-
-domain_use_interactive_fds(hplip_t)
-
-files_read_etc_files(hplip_t)
-files_read_etc_runtime_files(hplip_t)
-files_read_usr_files(hplip_t)
-
-fs_getattr_all_fs(hplip_t)
-fs_search_auto_mountpoints(hplip_t)
-fs_rw_anon_inodefs_files(hplip_t)
-
-logging_send_syslog_msg(hplip_t)
-
-miscfiles_read_localization(hplip_t)
-
-sysnet_dns_name_resolve(hplip_t)
-
-userdom_dontaudit_use_unpriv_user_fds(hplip_t)
-userdom_dontaudit_search_user_home_dirs(hplip_t)
-userdom_dontaudit_search_user_home_content(hplip_t)
-
-optional_policy(`
- dbus_system_bus_client(hplip_t)
-
- optional_policy(`
- userdom_dbus_send_all_users(hplip_t)
- ')
-')
-
-optional_policy(`
- lpd_read_config(hplip_t)
- lpd_manage_spool(hplip_t)
-')
-
-optional_policy(`
- seutil_sigchld_newrole(hplip_t)
-')
-
-optional_policy(`
- snmp_read_snmp_var_lib_files(hplip_t)
-')
-
-optional_policy(`
- udev_read_db(hplip_t)
-')
########################################
#
@@ -735,7 +656,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
-corenet_all_recvfrom_unlabeled(ptal_t)
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
@@ -745,13 +665,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
-dev_read_sysfs(ptal_t)
dev_read_usbfs(ptal_t)
dev_rw_printer(ptal_t)
domain_use_interactive_fds(ptal_t)
-files_read_etc_files(ptal_t)
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
@@ -759,8 +677,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
-miscfiles_read_localization(ptal_t)
-
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
@@ -773,3 +689,4 @@ optional_policy(`
optional_policy(`
udev_read_db(ptal_t)
')
+
diff --git a/cvs.fc b/cvs.fc
index 75c8be90c..4c1a965c0 100644
--- a/cvs.fc
+++ b/cvs.fc
@@ -1,13 +1,16 @@
+HOME_DIR/\.cvsignore -- gen_context(system_u:object_r:cvs_home_t,s0)
+/root/\.cvsignore -- gen_context(system_u:object_r:cvs_home_t,s0)
+
/etc/rc\.d/init\.d/cvs -- gen_context(system_u:object_r:cvs_initrc_exec_t,s0)
/opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
/usr/bin/cvs -- gen_context(system_u:object_r:cvs_exec_t,s0)
-/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
+/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:cvs_script_exec_t,s0)
/var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
/var/run/cvs\.pid -- gen_context(system_u:object_r:cvs_var_run_t,s0)
-/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
+/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:cvs_script_exec_t,s0)
diff --git a/cvs.if b/cvs.if
index 64775fd37..91a60569c 100644
--- a/cvs.if
+++ b/cvs.if
@@ -1,5 +1,23 @@
## Concurrent versions system.
+######################################
+##
+## Dontaudit Attempts to list the CVS data and metadata.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`cvs_dontaudit_list_data',`
+ gen_require(`
+ type cvs_data_t;
+ ')
+
+ dontaudit $1 cvs_data_t:dir list_dir_perms;
+')
+
########################################
##
## Read CVS data and metadata content.
@@ -39,6 +57,24 @@ interface(`cvs_exec',`
can_exec($1, cvs_exec_t)
')
+########################################
+##
+## Transition to cvs named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cvs_filetrans_home_content',`
+ gen_require(`
+ type cvs_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, cvs_home_t, file, ".cvsignore")
+')
+
########################################
##
## All of the rules required to
@@ -60,11 +96,17 @@ interface(`cvs_admin',`
gen_require(`
type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
+ type cvs_home_t;
')
- allow $1 cvs_t:process { ptrace signal_perms };
+ allow $1 cvs_t:process signal_perms;
ps_process_pattern($1, cvs_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cvs_t:process ptrace;
+ ')
+
+ # Allow cvs_t to restart the apache service
init_labeled_script_domtrans($1, cvs_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 cvs_initrc_exec_t system_r;
@@ -81,4 +123,7 @@ interface(`cvs_admin',`
files_list_pids($1)
admin_pattern($1, cvs_var_run_t)
+
+ userdom_search_user_home_dirs($1)
+ admin_pattern($1, cvs_home_t)
')
diff --git a/cvs.te b/cvs.te
index 0f7755005..36e4a38cf 100644
--- a/cvs.te
+++ b/cvs.te
@@ -11,7 +11,7 @@ policy_module(cvs, 1.10.2)
## password files.
##
##
-gen_tunable(allow_cvs_read_shadow, false)
+gen_tunable(cvs_read_shadow, false)
type cvs_t;
type cvs_exec_t;
@@ -34,17 +34,23 @@ files_tmp_file(cvs_tmp_t)
type cvs_var_run_t;
files_pid_file(cvs_var_run_t)
+type cvs_home_t;
+userdom_user_home_content(cvs_home_t)
+
########################################
#
# Local policy
#
-allow cvs_t self:capability { setuid setgid };
+allow cvs_t self:capability { dac_override dac_read_search setuid setgid };
allow cvs_t self:process signal_perms;
allow cvs_t self:fifo_file rw_fifo_file_perms;
allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cvs_t self:tcp_socket { accept listen };
+userdom_search_user_home_dirs(cvs_t)
+allow cvs_t cvs_home_t:file read_file_perms;
+
manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
@@ -74,6 +80,15 @@ corenet_tcp_sendrecv_cvs_port(cvs_t)
corecmd_exec_bin(cvs_t)
corecmd_exec_shell(cvs_t)
+corenet_all_recvfrom_netlabel(cvs_t)
+corenet_tcp_sendrecv_generic_if(cvs_t)
+corenet_udp_sendrecv_generic_if(cvs_t)
+corenet_tcp_sendrecv_generic_node(cvs_t)
+corenet_udp_sendrecv_generic_node(cvs_t)
+corenet_tcp_sendrecv_all_ports(cvs_t)
+corenet_udp_sendrecv_all_ports(cvs_t)
+corenet_tcp_bind_cvs_port(cvs_t)
+
dev_read_urand(cvs_t)
files_read_etc_runtime_files(cvs_t)
@@ -86,19 +101,17 @@ auth_use_nsswitch(cvs_t)
init_read_utmp(cvs_t)
+init_dontaudit_read_utmp(cvs_t)
+
logging_send_syslog_msg(cvs_t)
logging_send_audit_msgs(cvs_t)
-miscfiles_read_localization(cvs_t)
-
mta_send_mail(cvs_t)
-userdom_dontaudit_search_user_home_dirs(cvs_t)
-
# cjp: typeattribute doesnt work in conditionals yet
auth_can_read_shadow_passwords(cvs_t)
-tunable_policy(`allow_cvs_read_shadow',`
- allow cvs_t self:capability dac_override;
+tunable_policy(`cvs_read_shadow',`
+ allow cvs_t self:capability { dac_read_search dac_override };
auth_tunable_read_shadow(cvs_t)
')
@@ -116,8 +129,10 @@ optional_policy(`
optional_policy(`
apache_content_template(cvs)
+ apache_content_alias_template(cvs, cvs)
- read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
- manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
- manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ read_files_pattern(cvs_script_t, cvs_data_t, cvs_data_t)
+ manage_dirs_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ manage_files_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(cvs_script_t, cvs_tmp_t, { file dir })
')
diff --git a/cyphesis.te b/cyphesis.te
index 77ffc7355..86e11f5e3 100644
--- a/cyphesis.te
+++ b/cyphesis.te
@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t)
corecmd_search_bin(cyphesis_t)
corecmd_getattr_bin_files(cyphesis_t)
-corenet_all_recvfrom_unlabeled(cyphesis_t)
corenet_tcp_sendrecv_generic_if(cyphesis_t)
corenet_tcp_sendrecv_generic_node(cyphesis_t)
corenet_tcp_bind_generic_node(cyphesis_t)
@@ -61,13 +60,9 @@ dev_read_urand(cyphesis_t)
domain_use_interactive_fds(cyphesis_t)
-files_read_etc_files(cyphesis_t)
-files_read_usr_files(cyphesis_t)
logging_send_syslog_msg(cyphesis_t)
-miscfiles_read_localization(cyphesis_t)
-
sysnet_dns_name_resolve(cyphesis_t)
optional_policy(`
diff --git a/cyrus.if b/cyrus.if
index 83bfda6ed..92d9fb2e7 100644
--- a/cyrus.if
+++ b/cyrus.if
@@ -20,6 +20,25 @@ interface(`cyrus_manage_data',`
manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
')
+#######################################
+##
+## Allow write cyrus data files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cyrus_write_data',`
+ gen_require(`
+ type cyrus_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ write_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
+')
+
########################################
##
## Connect to Cyrus using a unix
@@ -64,9 +83,13 @@ interface(`cyrus_admin',`
type cyrus_keytab_t;
')
- allow $1 cyrus_t:process { ptrace signal_perms };
+ allow $1 cyrus_t:process signal_perms;
ps_process_pattern($1, cyrus_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cyrus_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 cyrus_initrc_exec_t system_r;
diff --git a/cyrus.te b/cyrus.te
index 4283f2de2..21d93a737 100644
--- a/cyrus.te
+++ b/cyrus.te
@@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t)
# Local policy
#
-allow cyrus_t self:capability { dac_override setgid setuid sys_resource };
+allow cyrus_t self:capability { fsetid dac_read_search dac_override net_bind_service setgid setuid sys_resource };
dontaudit cyrus_t self:capability sys_tty_config;
allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow cyrus_t self:process setrlimit;
@@ -54,21 +54,24 @@ manage_dirs_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
manage_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
manage_lnk_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
manage_sock_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
+allow cyrus_t cyrus_var_lib_t:file map;
manage_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t)
manage_sock_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t)
files_pid_filetrans(cyrus_t, cyrus_var_run_t, { file sock_file })
+allow cyrus_t cyrus_var_run_t:file map;
kernel_read_kernel_sysctls(cyrus_t)
kernel_read_system_state(cyrus_t)
kernel_read_all_sysctls(cyrus_t)
+kernel_read_network_state(cyrus_t)
-corenet_all_recvfrom_unlabeled(cyrus_t)
corenet_all_recvfrom_netlabel(cyrus_t)
corenet_tcp_sendrecv_generic_if(cyrus_t)
corenet_tcp_sendrecv_generic_node(cyrus_t)
corenet_tcp_sendrecv_all_ports(cyrus_t)
corenet_tcp_bind_generic_node(cyrus_t)
+corenet_tcp_bind_cyrus_imapd_port(cyrus_t)
corenet_sendrecv_mail_server_packets(cyrus_t)
corenet_tcp_bind_mail_port(cyrus_t)
@@ -76,6 +79,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
corenet_sendrecv_lmtp_server_packets(cyrus_t)
corenet_tcp_bind_lmtp_port(cyrus_t)
+corenet_sendrecv_innd_server_packets(cyrus_t)
+corenet_tcp_bind_innd_port(cyrus_t)
+
corenet_sendrecv_pop_server_packets(cyrus_t)
corenet_tcp_bind_pop_port(cyrus_t)
@@ -95,8 +101,6 @@ domain_use_interactive_fds(cyrus_t)
files_list_var_lib(cyrus_t)
files_read_etc_runtime_files(cyrus_t)
-files_read_usr_files(cyrus_t)
-files_dontaudit_write_usr_dirs(cyrus_t)
fs_getattr_all_fs(cyrus_t)
fs_search_auto_mountpoints(cyrus_t)
@@ -107,7 +111,6 @@ libs_exec_lib_files(cyrus_t)
logging_send_syslog_msg(cyrus_t)
-miscfiles_read_localization(cyrus_t)
miscfiles_read_generic_certs(cyrus_t)
userdom_use_unpriv_users_fds(cyrus_t)
@@ -120,6 +123,14 @@ optional_policy(`
cron_system_entry(cyrus_t, cyrus_exec_t)
')
+optional_policy(`
+ dirsrv_stream_connect(cyrus_t)
+')
+
+optional_policy(`
+ gssproxy_stream_connect(cyrus_t)
+')
+
optional_policy(`
kerberos_read_keytab(cyrus_t)
kerberos_use(cyrus_t)
@@ -134,8 +145,8 @@ optional_policy(`
')
optional_policy(`
- snmp_read_snmp_var_lib_files(cyrus_t)
- snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
+ files_dontaudit_write_usr_dirs(cyrus_t)
+ snmp_manage_var_lib_files(cyrus_t)
snmp_stream_connect(cyrus_t)
')
diff --git a/daemontools.if b/daemontools.if
index 3b3d9a0b7..6c8106a87 100644
--- a/daemontools.if
+++ b/daemontools.if
@@ -218,3 +218,4 @@ interface(`daemontools_manage_svc',`
allow $1 svc_svc_t:file manage_file_perms;
allow $1 svc_svc_t:lnk_file manage_lnk_file_perms;
')
+
diff --git a/daemontools.te b/daemontools.te
index ee1b4aa8e..2fd746e05 100644
--- a/daemontools.te
+++ b/daemontools.te
@@ -44,7 +44,10 @@ allow svc_multilog_t svc_start_t:process sigchld;
allow svc_multilog_t svc_start_t:fd use;
allow svc_multilog_t svc_start_t:fifo_file rw_fifo_file_perms;
+term_write_console(svc_multilog_t)
+
init_use_fds(svc_multilog_t)
+init_dontaudit_use_script_fds(svc_multilog_t)
logging_manage_generic_logs(svc_multilog_t)
@@ -77,7 +80,8 @@ dev_read_urand(svc_run_t)
corecmd_exec_bin(svc_run_t)
corecmd_exec_shell(svc_run_t)
-files_read_etc_files(svc_run_t)
+term_write_console(svc_run_t)
+
files_read_etc_runtime_files(svc_run_t)
files_search_pids(svc_run_t)
files_search_var_lib(svc_run_t)
@@ -109,6 +113,7 @@ allow svc_start_t svc_run_t:process { signal setrlimit };
can_exec(svc_start_t, svc_start_exec_t)
+mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)
domtrans_pattern(svc_start_t, svc_run_exec_t, svc_run_t)
kernel_read_kernel_sysctls(svc_start_t)
@@ -117,11 +122,13 @@ kernel_read_system_state(svc_start_t)
corecmd_exec_bin(svc_start_t)
corecmd_exec_shell(svc_start_t)
-files_read_etc_files(svc_start_t)
+corenet_tcp_bind_generic_node(svc_start_t)
+corenet_tcp_bind_generic_port(svc_start_t)
+
+term_write_console(svc_start_t)
+
files_read_etc_runtime_files(svc_start_t)
files_search_var(svc_start_t)
files_search_pids(svc_start_t)
logging_send_syslog_msg(svc_start_t)
-
-miscfiles_read_localization(svc_start_t)
diff --git a/dante.te b/dante.te
index 5a5e2902a..6321a1d0a 100644
--- a/dante.te
+++ b/dante.te
@@ -53,7 +53,6 @@ dev_read_sysfs(dante_t)
domain_use_interactive_fds(dante_t)
-files_read_etc_files(dante_t)
files_read_etc_runtime_files(dante_t)
fs_getattr_all_fs(dante_t)
diff --git a/dbadm.te b/dbadm.te
index b60c464f1..3a5246a9b 100644
--- a/dbadm.te
+++ b/dbadm.te
@@ -23,14 +23,14 @@ gen_tunable(dbadm_read_user_files, false)
role dbadm_r;
-userdom_base_user_template(dbadm)
+userdom_confined_admin_template(dbadm)
########################################
#
# Local policy
#
-allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
+allow dbadm_t self:capability { dac_override dac_read_search };
files_dontaudit_search_all_dirs(dbadm_t)
files_delete_generic_locks(dbadm_t)
@@ -39,6 +39,7 @@ files_list_var(dbadm_t)
selinux_get_enforce_mode(dbadm_t)
logging_send_syslog_msg(dbadm_t)
+logging_send_audit_msgs(dbadm_t)
userdom_dontaudit_search_user_home_dirs(dbadm_t)
@@ -60,3 +61,7 @@ optional_policy(`
optional_policy(`
postgresql_admin(dbadm_t, dbadm_r)
')
+
+optional_policy(`
+ sudo_role_template(dbadm, dbadm_r, dbadm_t)
+')
diff --git a/dbskk.te b/dbskk.te
index f55c42082..e9d64ab5f 100644
--- a/dbskk.te
+++ b/dbskk.te
@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(dbskkd_t)
kernel_read_system_state(dbskkd_t)
kernel_read_network_state(dbskkd_t)
-corenet_all_recvfrom_unlabeled(dbskkd_t)
corenet_all_recvfrom_netlabel(dbskkd_t)
corenet_tcp_sendrecv_generic_if(dbskkd_t)
corenet_udp_sendrecv_generic_if(dbskkd_t)
@@ -49,10 +48,7 @@ dev_read_urand(dbskkd_t)
fs_getattr_xattr_fs(dbskkd_t)
-files_read_etc_files(dbskkd_t)
auth_use_nsswitch(dbskkd_t)
logging_send_syslog_msg(dbskkd_t)
-
-miscfiles_read_localization(dbskkd_t)
diff --git a/dbus.fc b/dbus.fc
index dda905b9c..558729530 100644
--- a/dbus.fc
+++ b/dbus.fc
@@ -1,20 +1,29 @@
-HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
+/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
-/etc/dbus-.*(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
+/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+ifdef(`distro_redhat',`
+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/libexec/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
-/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+ifdef(`distro_debian',`
+/usr/lib/dbus-1.0/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
-/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+ifdef(`distro_gentoo',`
+/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
-/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+/var/cache/ibus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
-/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
-/var/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+ifdef(`distro_redhat',`
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
index 62d22cb46..3b6a2c833 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
-## Desktop messaging bus.
+## Desktop messaging bus
########################################
##
@@ -19,7 +19,24 @@ interface(`dbus_stub',`
########################################
##
-## Role access for dbus.
+## Execute dbus-daemon in the caller domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`dbus_exec_dbusd',`
+ gen_require(`
+ type dbusd_exec_t;
+ ')
+ can_exec($1, dbusd_exec_t)
+')
+
+########################################
+##
+## Role access for dbus
##
##
##
@@ -41,59 +58,68 @@ interface(`dbus_stub',`
template(`dbus_role_template',`
gen_require(`
class dbus { send_msg acquire_svc };
- attribute session_bus_type;
- type system_dbusd_t, dbusd_exec_t;
- type session_dbusd_tmp_t, session_dbusd_home_t;
+ attribute dbusd_unconfined, session_bus_type;
+ type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
+ type $1_t;
')
##############################
#
- # Declarations
+ # Delcarations
#
type $1_dbusd_t, session_bus_type;
- domain_type($1_dbusd_t)
- domain_entry_file($1_dbusd_t, dbusd_exec_t)
+ application_domain($1_dbusd_t, dbusd_exec_t)
ubac_constrained($1_dbusd_t)
-
role $2 types $1_dbusd_t;
+ kernel_read_system_state($1_dbusd_t)
+
+ selinux_get_fs_mount($1_dbusd_t)
+
+ userdom_home_manager($1_dbusd_t)
+
##############################
#
# Local policy
#
- allow $3 $1_dbusd_t:unix_stream_socket connectto;
- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
- allow $3 $1_dbusd_t:fd use;
-
- allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
+ # For connecting to the bus
+ allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms };
- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms };
- userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus")
+ # SE-DBus specific permissions
+ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
ps_process_pattern($3, $1_dbusd_t)
- allow $3 $1_dbusd_t:process { ptrace signal_perms };
+ allow $3 $1_dbusd_t:process signal_perms;
- allow $1_dbusd_t $3:process sigkill;
+ tunable_policy(`deny_ptrace',`',`
+ allow $3 $1_dbusd_t:process ptrace;
+ ')
- corecmd_bin_domtrans($1_dbusd_t, $3)
- corecmd_shell_domtrans($1_dbusd_t, $3)
+ # cjp: this seems very broken
+ corecmd_bin_domtrans($1_dbusd_t, $1_t)
+ corecmd_shell_domtrans($1_dbusd_t, $1_t)
+ allow $1_dbusd_t $3:process sigkill;
+ allow $3 $1_dbusd_t:fd use;
+ allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
auth_use_nsswitch($1_dbusd_t)
- ifdef(`hide_broken_symptoms',`
- dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
+ logging_send_syslog_msg($1_dbusd_t)
+
+ optional_policy(`
+ mozilla_domtrans_spec($1_dbusd_t, $1_t)
')
')
#######################################
##
## Template for creating connections to
-## the system bus.
+## the system DBUS.
##
##
##
@@ -103,91 +129,88 @@ template(`dbus_role_template',`
#
interface(`dbus_system_bus_client',`
gen_require(`
- attribute dbusd_system_bus_client;
- type system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_lib_t;
+ type system_dbusd_t, system_dbusd_t;
+ type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
+ attribute dbusd_unconfined;
')
- typeattribute $1 dbusd_system_bus_client;
-
+ # SE-DBus specific permissions
allow $1 { system_dbusd_t self }:dbus send_msg;
- allow system_dbusd_t $1:dbus send_msg;
+ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
- files_search_var_lib($1)
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ files_search_var_lib($1)
+ dev_read_urand($1)
+
+ # For connecting to the bus
files_search_pids($1)
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
-
dbus_read_config($1)
+
+ optional_policy(`
+ unconfined_server_dbus_chat($1)
+ ')
')
#######################################
##
-## Acquire service on DBUS
-## session bus.
+## Creating connections to specified
+## DBUS sessions.
##
-##
+##
##
-## Domain allowed access.
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
##
##
-#
-interface(`dbus_connect_session_bus',`
- refpolicywarn(`$0($*) has been deprecated, use dbus_connect_all_session_bus() instead.')
- dbus_connect_all_session_bus($1)
-')
-
-#######################################
-##
-## Acquire service on all DBUS
-## session busses.
-##
##
##
## Domain allowed access.
##
##
#
-interface(`dbus_connect_all_session_bus',`
+interface(`dbus_session_client',`
gen_require(`
- attribute session_bus_type;
- class dbus acquire_svc;
+ class dbus send_msg;
+ type $1_dbusd_t;
')
- allow $1 session_bus_type:dbus acquire_svc;
+ allow $2 $1_dbusd_t:fd use;
+ allow $2 { $1_dbusd_t self }:dbus send_msg;
+ allow $2 $1_dbusd_t:unix_stream_socket connectto;
')
#######################################
##
-## Acquire service on specified
-## DBUS session bus.
+## Template for creating connections to
+## a user DBUS.
##
-##
-##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
-##
-##
##
##
## Domain allowed access.
##
##
#
-interface(`dbus_connect_spec_session_bus',`
+interface(`dbus_session_bus_client',`
gen_require(`
- type $1_dbusd_t;
- class dbus acquire_svc;
+ attribute session_bus_type;
+ class dbus send_msg;
')
- allow $2 $1_dbusd_t:dbus acquire_svc;
+ # SE-DBus specific permissions
+ allow $1 { session_bus_type self }:dbus send_msg;
+
+ # For connecting to the bus
+ allow $1 session_bus_type:unix_stream_socket connectto;
+
+ allow session_bus_type $1:process sigkill;
')
-#######################################
+########################################
##
-## Creating connections to DBUS
-## session bus.
+## Send a message the session DBUS.
##
##
##
@@ -195,15 +218,18 @@ interface(`dbus_connect_spec_session_bus',`
##
##
#
-interface(`dbus_session_bus_client',`
- refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_bus_client() instead.')
- dbus_all_session_bus_client($1)
+interface(`dbus_send_session_bus',`
+ gen_require(`
+ attribute session_bus_type;
+ class dbus send_msg;
+ ')
+
+ allow $1 session_bus_type:dbus send_msg;
')
-#######################################
+########################################
##
-## Creating connections to all
-## DBUS session busses.
+## Read dbus configuration.
##
##
##
@@ -211,57 +237,39 @@ interface(`dbus_session_bus_client',`
##
##
#
-interface(`dbus_all_session_bus_client',`
+interface(`dbus_read_config',`
gen_require(`
- attribute session_bus_type, dbusd_session_bus_client;
- class dbus send_msg;
+ type dbusd_etc_t;
')
- typeattribute $1 dbusd_session_bus_client;
-
- allow $1 { session_bus_type self }:dbus send_msg;
- allow session_bus_type $1:dbus send_msg;
-
- allow $1 session_bus_type:unix_stream_socket connectto;
- allow $1 session_bus_type:fd use;
+ allow $1 dbusd_etc_t:dir list_dir_perms;
+ allow $1 dbusd_etc_t:file read_file_perms;
')
-#######################################
+########################################
##
-## Creating connections to specified
-## DBUS session bus.
+## Read system dbus lib files.
##
-##
-##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
-##
-##
##
##
## Domain allowed access.
##
##
#
-interface(`dbus_spec_session_bus_client',`
+interface(`dbus_read_lib_files',`
gen_require(`
- attribute dbusd_session_bus_client;
- type $1_dbusd_t;
- class dbus send_msg;
+ type system_dbusd_var_lib_t;
')
- typeattribute $2 dbusd_session_bus_client;
-
- allow $2 { $1_dbusd_t self }:dbus send_msg;
- allow $1_dbusd_t $2:dbus send_msg;
-
- allow $2 $1_dbusd_t:unix_stream_socket connectto;
- allow $2 $1_dbusd_t:fd use;
+ files_search_var_lib($1)
+ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
')
-#######################################
+########################################
##
-## Send messages to DBUS session bus.
+## Create, read, write, and delete
+## system dbus lib files.
##
##
##
@@ -269,15 +277,19 @@ interface(`dbus_spec_session_bus_client',`
##
##
#
-interface(`dbus_send_session_bus',`
- refpolicywarn(`$0($*) has been deprecated, use dbus_send_all_session_bus() instead.')
- dbus_send_all_session_bus($1)
+interface(`dbus_manage_lib_files',`
+ gen_require(`
+ type system_dbusd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
')
-#######################################
+########################################
##
-## Send messages to all DBUS
-## session busses.
+## Connect to the system DBUS
+## for service (acquire_svc).
##
##
##
@@ -285,44 +297,52 @@ interface(`dbus_send_session_bus',`
##
##
#
-interface(`dbus_send_all_session_bus',`
+interface(`dbus_connect_session_bus',`
gen_require(`
attribute session_bus_type;
- class dbus send_msg;
+ class dbus acquire_svc;
')
- allow $1 dbus_session_bus_type:dbus send_msg;
+ allow $1 session_bus_type:dbus acquire_svc;
')
-#######################################
+########################################
##
-## Send messages to specified
-## DBUS session busses.
+## Allow a application domain to be started
+## by the session dbus.
##
-##
+##
##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## User domain prefix to be used.
##
##
##
##
-## Domain allowed access.
+## Type to be used as a domain.
+##
+##
+##
+##
+## Type of the program to be used as an
+## entry point to this domain.
##
##
#
-interface(`dbus_send_spec_session_bus',`
+interface(`dbus_session_domain',`
gen_require(`
type $1_dbusd_t;
- class dbus send_msg;
')
- allow $2 $1_dbusd_t:dbus send_msg;
+ domtrans_pattern($1_dbusd_t, $2, $3)
+
+ dbus_session_bus_client($3)
+ dbus_connect_session_bus($3)
')
########################################
##
-## Read dbus configuration content.
+## Connect to the system DBUS
+## for service (acquire_svc).
##
##
##
@@ -330,18 +350,18 @@ interface(`dbus_send_spec_session_bus',`
##
##
#
-interface(`dbus_read_config',`
+interface(`dbus_connect_system_bus',`
gen_require(`
- type dbusd_etc_t;
+ type system_dbusd_t;
+ class dbus acquire_svc;
')
- allow $1 dbusd_etc_t:dir list_dir_perms;
- allow $1 dbusd_etc_t:file read_file_perms;
+ allow $1 system_dbusd_t:dbus acquire_svc;
')
########################################
##
-## Read system dbus lib files.
+## Send a message on the system DBUS.
##
##
##
@@ -349,20 +369,18 @@ interface(`dbus_read_config',`
##
##
#
-interface(`dbus_read_lib_files',`
+interface(`dbus_send_system_bus',`
gen_require(`
- type system_dbusd_var_lib_t;
+ type system_dbusd_t;
+ class dbus send_msg;
')
- files_search_var_lib($1)
- read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
- read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ allow $1 system_dbusd_t:dbus send_msg;
')
########################################
##
-## Create, read, write, and delete
-## system dbus lib files.
+## Allow unconfined access to the system DBUS.
##
##
##
@@ -370,26 +388,20 @@ interface(`dbus_read_lib_files',`
##
##
#
-interface(`dbus_manage_lib_files',`
+interface(`dbus_system_bus_unconfined',`
gen_require(`
- type system_dbusd_var_lib_t;
+ type system_dbusd_t;
+ class dbus all_dbus_perms;
')
- files_search_var_lib($1)
- manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ allow $1 system_dbusd_t:dbus *;
')
########################################
##
-## Allow a application domain to be
-## started by the specified session bus.
+## Create a domain for processes
+## which can be started by the system dbus
##
-##
-##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
-##
-##
##
##
## Type to be used as a domain.
@@ -397,199 +409,251 @@ interface(`dbus_manage_lib_files',`
##
##
##
-## Type of the program to be used as an
-## entry point to this domain.
+## Type of the program to be used as an entry point to this domain.
##
##
#
-interface(`dbus_session_domain',`
- refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_domain() instead.')
- dbus_all_session_domain($1, $2)
+interface(`dbus_system_domain',`
+ gen_require(`
+ attribute system_bus_type;
+ type system_dbusd_t;
+ role system_r;
+ ')
+ typeattribute $1 system_bus_type;
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ domtrans_pattern(system_dbusd_t, $2, $1)
+ allow system_dbusd_t $2:file map;
+ init_system_domain($1, $2)
+
+ ps_process_pattern($1, system_dbusd_t)
+
')
########################################
##
-## Allow a application domain to be
-## started by the specified session bus.
+## Use and inherit system DBUS file descriptors.
##
##
##
-## Type to be used as a domain.
+## Domain allowed access.
##
##
-##
+#
+interface(`dbus_use_system_bus_fds',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ allow $1 system_dbusd_t:fd use;
+')
+
+########################################
+##
+## Allow unconfined access to the system DBUS.
+##
+##
##
-## Type of the program to be used as an
-## entry point to this domain.
+## Domain allowed access.
##
##
#
-interface(`dbus_all_session_domain',`
+interface(`dbus_unconfined',`
gen_require(`
- type session_bus_type;
+ attribute dbusd_unconfined;
')
- domtrans_pattern(session_bus_type, $2, $1)
-
- dbus_all_session_bus_client($1)
- dbus_connect_all_session_bus($1)
+ typeattribute $1 dbusd_unconfined;
')
########################################
##
-## Allow a application domain to be
-## started by the specified session bus.
+## Delete all dbus pid files
##
-##
+##
##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## Domain allowed access.
##
##
+#
+interface(`dbus_delete_pid_files',`
+ gen_require(`
+ type system_dbusd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
+
+########################################
+##
+## Read all dbus pid files
+##
##
##
-## Type to be used as a domain.
+## Domain allowed access.
##
##
-##
+#
+interface(`dbus_read_pid_files',`
+ gen_require(`
+ type system_dbusd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
+
+########################################
+##
+## Do not audit attempts to connect to
+## session bus types with a unix
+## stream socket.
+##
+##
##
-## Type of the program to be used as an
-## entry point to this domain.
+## Domain to not audit.
##
##
#
-interface(`dbus_spec_session_domain',`
+interface(`dbus_dontaudit_stream_connect_session_bus',`
gen_require(`
- type $1_dbusd_t;
+ attribute session_bus_type;
')
- domtrans_pattern($1_dbusd_t, $2, $3)
-
- dbus_spec_session_bus_client($1, $2)
- dbus_connect_spec_session_bus($1, $2)
+ dontaudit $1 session_bus_type:unix_stream_socket connectto;
')
########################################
##
-## Acquire service on the DBUS system bus.
+## Allow attempts to connect to
+## session bus types with a unix
+## stream socket.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`dbus_connect_system_bus',`
+interface(`dbus_stream_connect_session_bus',`
gen_require(`
- type system_dbusd_t;
- class dbus acquire_svc;
+ attribute session_bus_type;
')
- allow $1 system_dbusd_t:dbus acquire_svc;
+ allow $1 session_bus_type:unix_stream_socket connectto;
')
########################################
##
-## Send messages to the DBUS system bus.
+## Do not audit attempts to send dbus
+## messages to session bus types.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`dbus_send_system_bus',`
+interface(`dbus_chat_session_bus',`
gen_require(`
- type system_dbusd_t;
+ attribute session_bus_type;
class dbus send_msg;
')
- allow $1 system_dbusd_t:dbus send_msg;
+ allow $1 session_bus_type:dbus send_msg;
+ allow session_bus_type $1:dbus send_msg;
')
########################################
##
-## Unconfined access to DBUS system bus.
+## Do not audit attempts to send dbus
+## messages to session bus types.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`dbus_system_bus_unconfined',`
+interface(`dbus_dontaudit_chat_session_bus',`
gen_require(`
- type system_dbusd_t;
- class dbus all_dbus_perms;
+ attribute session_bus_type;
+ class dbus send_msg;
')
- allow $1 system_dbusd_t:dbus *;
+ dontaudit $1 session_bus_type:dbus send_msg;
')
########################################
##
-## Create a domain for processes which
-## can be started by the DBUS system bus.
+## Do not audit attempts to send dbus
+## messages to system bus types.
##
##
##
-## Type to be used as a domain.
+## Domain to not audit.
##
##
-##
+#
+interface(`dbus_dontaudit_chat_system_bus',`
+ gen_require(`
+ attribute system_bus_type;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 system_bus_type:dbus send_msg;
+ dontaudit system_bus_type $1:dbus send_msg;
+')
+
+
+########################################
+##
+## Allow attempts to connect to
+## session bus types with a unix
+## stream socket.
+##
+##
##
-## Type of the program to be used as an entry point to this domain.
+## Domain to not audit.
##
##
#
-interface(`dbus_system_domain',`
+interface(`dbus_stream_connect_system_dbusd',`
gen_require(`
type system_dbusd_t;
- role system_r;
')
- domain_type($1)
- domain_entry_file($1, $2)
-
- role system_r types $1;
-
- domtrans_pattern(system_dbusd_t, $2, $1)
-
- dbus_system_bus_client($1)
- dbus_connect_system_bus($1)
-
- ps_process_pattern(system_dbusd_t, $1)
-
- userdom_read_all_users_state($1)
-
- ifdef(`hide_broken_symptoms', `
- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
- ')
+ allow $1 system_dbusd_t:unix_stream_socket connectto;
')
+
########################################
##
-## Use and inherit DBUS system bus
-## file descriptors.
+## Do not audit attempts to connect to
+## session bus types with a unix
+## stream socket.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`dbus_use_system_bus_fds',`
+interface(`dbus_dontaudit_stream_connect_system_dbusd',`
gen_require(`
- type system_dbusd_t;
+ attribute system_dbusd_t;
')
- allow $1 system_dbusd_t:fd use;
+ dontaudit $1 system_dbusd_t:unix_stream_socket connectto;
')
########################################
##
-## Do not audit attempts to read and
-## write DBUS system bus TCP sockets.
+## Allow attempts to send dbus
+## messages to system bus types.
##
##
##
@@ -597,28 +661,50 @@ interface(`dbus_use_system_bus_fds',`
##
##
#
-interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+interface(`dbus_chat_system_bus',`
gen_require(`
- type system_dbusd_t;
+ attribute system_bus_type;
+ class dbus send_msg;
')
- dontaudit $1 system_dbusd_t:tcp_socket { read write };
+ allow $1 system_bus_type:dbus send_msg;
+ allow system_bus_type $1:dbus send_msg;
+')
+
+#######################################
+##
+## Transition to dbus named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_filetrans_named_content_system',`
+ gen_require(`
+ type system_dbusd_var_lib_t;
+ ')
+ files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")
')
########################################
##
-## Unconfined access to DBUS.
+## Allow attempts to send dbus
+## messages to system dbusd type.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`dbus_unconfined',`
+interface(`dbus_acquire_svc_system_dbusd',`
gen_require(`
- attribute dbusd_unconfined;
+ type system_dbusd_t;
+ class dbus acquire_svc;
')
- typeattribute $1 dbusd_unconfined;
+ allow $1 system_dbusd_t:dbus acquire_svc;
+
')
diff --git a/dbus.te b/dbus.te
index c9998c80d..5b5df4c14 100644
--- a/dbus.te
+++ b/dbus.te
@@ -4,17 +4,15 @@ gen_require(`
class dbus all_dbus_perms;
')
-########################################
+##############################
#
-# Declarations
+# Delcarations
#
attribute dbusd_unconfined;
+attribute system_bus_type;
attribute session_bus_type;
-attribute dbusd_system_bus_client;
-attribute dbusd_session_bus_client;
-
type dbusd_etc_t;
files_config_file(dbusd_etc_t)
@@ -22,9 +20,6 @@ type dbusd_exec_t;
corecmd_executable_file(dbusd_exec_t)
typealias dbusd_exec_t alias system_dbusd_exec_t;
-type session_dbusd_home_t;
-userdom_user_home_content(session_dbusd_home_t)
-
type session_dbusd_tmp_t;
typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
@@ -41,7 +36,8 @@ files_type(system_dbusd_var_lib_t)
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
-init_daemon_run_dir(system_dbusd_var_run_t, "dbus")
+init_sock_file(system_dbusd_var_run_t)
+mls_trusted_object(system_dbusd_var_run_t)
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
@@ -51,59 +47,64 @@ ifdef(`enable_mls',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
')
-########################################
+##############################
#
-# Local policy
+# System bus local policy
#
-allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
+# dac_override: /var/run/dbus is owned by messagebus on Debian
+# cjp: dac_override should probably go in a distro_debian
+allow system_dbusd_t self:capability2 block_suspend;
+allow system_dbusd_t self:capability { sys_resource dac_read_search dac_override setgid setpcap setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
allow system_dbusd_t self:dbus { send_msg acquire_svc };
-allow system_dbusd_t self:unix_stream_socket { accept connectto listen };
+allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
+allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
+# Receive notifications of policy reloads and enforcing status changes.
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
+can_exec(system_dbusd_t, dbusd_exec_t)
+
allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
-files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file })
+files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
-files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file })
-
-can_exec(system_dbusd_t, dbusd_exec_t)
+files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)
-
-corecmd_list_bin(system_dbusd_t)
-corecmd_read_bin_pipes(system_dbusd_t)
-corecmd_read_bin_sockets(system_dbusd_t)
-corecmd_exec_shell(system_dbusd_t)
+kernel_stream_connect(system_dbusd_t)
dev_read_urand(system_dbusd_t)
dev_read_sysfs(system_dbusd_t)
-domain_use_interactive_fds(system_dbusd_t)
-domain_read_all_domains_state(system_dbusd_t)
+dev_rw_inherited_input_dev(system_dbusd_t)
+dev_rw_inherited_dri(system_dbusd_t)
-files_list_home(system_dbusd_t)
-files_read_usr_files(system_dbusd_t)
+dev_rw_nvme(system_dbusd_t)
+
+files_rw_inherited_non_security_files(system_dbusd_t)
fs_getattr_all_fs(system_dbusd_t)
fs_list_inotifyfs(system_dbusd_t)
fs_search_auto_mountpoints(system_dbusd_t)
-fs_search_cgroup_dirs(system_dbusd_t)
fs_dontaudit_list_nfs(system_dbusd_t)
+storage_rw_inherited_fixed_disk_dev(system_dbusd_t)
+storage_rw_inherited_removable_device(system_dbusd_t)
+
+mls_trusted_object(system_dbusd_t)
mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
@@ -123,66 +124,170 @@ term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)
+corecmd_list_bin(system_dbusd_t)
+corecmd_read_bin_pipes(system_dbusd_t)
+corecmd_read_bin_sockets(system_dbusd_t)
+# needed for system-tools-backends
+corecmd_exec_shell(system_dbusd_t)
+corecmd_exec_bin(system_dbusd_t)
+
+domain_use_interactive_fds(system_dbusd_t)
+domain_read_all_domains_state(system_dbusd_t)
+
+files_list_home(system_dbusd_t)
+
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
-init_all_labeled_script_domtrans(system_dbusd_t)
+init_domtrans_script(system_dbusd_t)
+init_rw_stream_sockets(system_dbusd_t)
+init_status(system_dbusd_t)
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
-miscfiles_read_localization(system_dbusd_t)
miscfiles_read_generic_certs(system_dbusd_t)
seutil_read_config(system_dbusd_t)
seutil_read_default_contexts(system_dbusd_t)
+seutil_sigchld_newrole(system_dbusd_t)
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
+userdom_home_reader(system_dbusd_t)
+
+optional_policy(`
+ bind_domtrans(system_dbusd_t)
+')
+
optional_policy(`
bluetooth_stream_connect(system_dbusd_t)
')
optional_policy(`
- policykit_read_lib(system_dbusd_t)
+ cpufreqselector_dbus_chat(system_dbusd_t)
+')
+
+optional_policy(`
+ getty_start_services(system_dbusd_t)
+')
+
+optional_policy(`
+ gnome_exec_gconf(system_dbusd_t)
+ gnome_read_inherited_home_icc_data_files(system_dbusd_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(system_dbusd_t)
+')
+
+optional_policy(`
+ networkmanager_initrc_domtrans(system_dbusd_t)
+ networkmanager_systemctl(system_dbusd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(system_dbusd_t)
+ policykit_domtrans_auth(system_dbusd_t)
+ policykit_search_lib(system_dbusd_t)
')
optional_policy(`
- seutil_sigchld_newrole(system_dbusd_t)
+ snapper_read_inherited_pipe(system_dbusd_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_dhcpc(system_dbusd_t)
+')
+
+optional_policy(`
+ systemd_use_fds_logind(system_dbusd_t)
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+ systemd_write_inhibit_pipes(system_dbusd_t)
+# These are caused by broken systemd patch
+ systemd_start_power_services(system_dbusd_t)
+ systemd_config_all_services(system_dbusd_t)
+ files_config_all_files(system_dbusd_t)
')
optional_policy(`
udev_read_db(system_dbusd_t)
')
+optional_policy(`
+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
+ xserver_read_inherited_xdm_lib_files(system_dbusd_t)
+')
+
+optional_policy(`
+ unconfined_server_domtrans(system_dbusd_t)
+')
+
########################################
#
-# Common session bus local policy
+# system_bus_type rules
#
+role system_r types system_bus_type;
+dontaudit system_bus_type self:capability net_admin;
+
+allow system_bus_type system_dbusd_t:unix_stream_socket rw_socket_perms;
+
+fs_search_all(system_bus_type)
+
+dbus_system_bus_client(system_bus_type)
+dbus_connect_system_bus(system_bus_type)
+
+init_status(system_bus_type)
+init_stream_connect(system_bus_type)
+init_dgram_send(system_bus_type)
+init_use_fds(system_bus_type)
+init_rw_stream_sockets(system_bus_type)
+
+ps_process_pattern(system_dbusd_t, system_bus_type)
+
+userdom_dontaudit_search_admin_dir(system_bus_type)
+userdom_read_all_users_state(system_bus_type)
+
+optional_policy(`
+ abrt_stream_connect(system_bus_type)
+')
+
+optional_policy(`
+ rpm_script_dbus_chat(system_bus_type)
+')
+
+optional_policy(`
+ unconfined_dbus_send(system_bus_type)
+')
+
+ifdef(`hide_broken_symptoms',`
+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
+')
+########################################
+#
+# session_bus_type rules
+#
+allow session_bus_type self:capability2 block_suspend;
dontaudit session_bus_type self:capability sys_resource;
allow session_bus_type self:process { getattr sigkill signal };
-dontaudit session_bus_type self:process { ptrace setrlimit };
+dontaudit session_bus_type self:process setrlimit;
allow session_bus_type self:file { getattr read write };
allow session_bus_type self:fifo_file rw_fifo_file_perms;
allow session_bus_type self:dbus { send_msg acquire_svc };
-allow session_bus_type self:unix_stream_socket { accept listen };
-allow session_bus_type self:tcp_socket { accept listen };
+allow session_bus_type self:unix_stream_socket create_stream_socket_perms;
+allow session_bus_type self:unix_dgram_socket create_socket_perms;
+allow session_bus_type self:tcp_socket create_stream_socket_perms;
allow session_bus_type self:netlink_selinux_socket create_socket_perms;
allow session_bus_type dbusd_etc_t:dir list_dir_perms;
read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
-manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
-manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
-userdom_user_home_dir_filetrans(session_bus_type, session_dbusd_home_t, dir, ".dbus")
-
manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
-files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
+files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir })
-kernel_read_system_state(session_bus_type)
kernel_read_kernel_sysctls(session_bus_type)
corecmd_list_bin(session_bus_type)
@@ -191,23 +296,18 @@ corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type)
-corenet_all_recvfrom_unlabeled(session_bus_type)
-corenet_all_recvfrom_netlabel(session_bus_type)
corenet_tcp_sendrecv_generic_if(session_bus_type)
corenet_tcp_sendrecv_generic_node(session_bus_type)
corenet_tcp_sendrecv_all_ports(session_bus_type)
corenet_tcp_bind_generic_node(session_bus_type)
-
-corenet_sendrecv_all_server_packets(session_bus_type)
corenet_tcp_bind_reserved_port(session_bus_type)
dev_read_urand(session_bus_type)
-domain_read_all_domains_state(session_bus_type)
domain_use_interactive_fds(session_bus_type)
+domain_read_all_domains_state(session_bus_type)
files_list_home(session_bus_type)
-files_read_usr_files(session_bus_type)
files_dontaudit_search_var(session_bus_type)
fs_getattr_romfs(session_bus_type)
@@ -215,7 +315,6 @@ fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type)
-selinux_get_fs_mount(session_bus_type)
selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
@@ -225,18 +324,36 @@ selinux_compute_user_contexts(session_bus_type)
auth_read_pam_console_data(session_bus_type)
logging_send_audit_msgs(session_bus_type)
-logging_send_syslog_msg(session_bus_type)
-
-miscfiles_read_localization(session_bus_type)
seutil_read_config(session_bus_type)
seutil_read_default_contexts(session_bus_type)
-term_use_all_terms(session_bus_type)
+term_use_all_inherited_terms(session_bus_type)
+
+userdom_dontaudit_search_admin_dir(session_bus_type)
+userdom_manage_user_home_content_dirs(session_bus_type)
+userdom_manage_user_home_content_files(session_bus_type)
+userdom_manage_tmpfs_files(session_bus_type, file)
+userdom_tmpfs_filetrans(session_bus_type, file)
optional_policy(`
- xserver_use_xdm_fds(session_bus_type)
+ gnome_read_config(session_bus_type)
+ gnome_read_gconf_home_files(session_bus_type)
+')
+
+optional_policy(`
+ hal_dbus_chat(session_bus_type)
+')
+
+optional_policy(`
+ thumb_domtrans(session_bus_type)
+')
+
+optional_policy(`
+ xserver_search_xdm_lib(session_bus_type)
xserver_rw_xdm_pipes(session_bus_type)
+ xserver_use_xdm_fds(session_bus_type)
+ xserver_append_xdm_home_files(session_bus_type)
')
########################################
@@ -244,5 +361,9 @@ optional_policy(`
# Unconfined access to this module
#
-allow dbusd_unconfined { system_dbusd_t session_bus_type dbusd_session_bus_client dbusd_system_bus_client }:dbus all_dbus_perms;
-allow { dbusd_session_bus_client dbusd_system_bus_client } dbusd_unconfined:dbus send_msg;
+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
+
+kernel_stream_connect(session_bus_type)
+systemd_login_read_pid_files(session_bus_type)
diff --git a/dcc.fc b/dcc.fc
index 62d3c4e66..cef59a752 100644
--- a/dcc.fc
+++ b/dcc.fc
@@ -10,6 +10,8 @@
/usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
/usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
+/usr/libexec/dcc/start-dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
+
/usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
/usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
/usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
diff --git a/dcc.if b/dcc.if
index a5c21e0e8..46394219a 100644
--- a/dcc.if
+++ b/dcc.if
@@ -173,6 +173,6 @@ interface(`dcc_stream_connect_dccifd',`
type dcc_var_t, dccifd_var_run_t, dccifd_t;
')
- files_search_var($1)
+ files_search_pids($1)
stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
')
diff --git a/dcc.te b/dcc.te
index 353fa4a09..a5e912fca 100644
--- a/dcc.te
+++ b/dcc.te
@@ -45,7 +45,7 @@ type dcc_var_t;
files_type(dcc_var_t)
type dcc_var_run_t;
-files_type(dcc_var_run_t)
+files_pid_file(dcc_var_run_t)
type dccd_t;
type dccd_exec_t;
@@ -94,15 +94,18 @@ allow cdcc_t dcc_var_t:dir list_dir_perms;
read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
+corenet_all_recvfrom_netlabel(cdcc_t)
+corenet_udp_sendrecv_generic_if(cdcc_t)
+corenet_udp_sendrecv_generic_node(cdcc_t)
+corenet_udp_sendrecv_all_ports(cdcc_t)
+
files_read_etc_runtime_files(cdcc_t)
auth_use_nsswitch(cdcc_t)
logging_send_syslog_msg(cdcc_t)
-miscfiles_read_localization(cdcc_t)
-
-userdom_use_user_terminals(cdcc_t)
+userdom_use_inherited_user_terminals(cdcc_t)
########################################
#
@@ -113,6 +116,8 @@ allow dcc_client_t self:capability { setuid setgid };
allow dcc_client_t dcc_client_map_t:file rw_file_perms;
+domtrans_pattern(dcc_client_t, dccifd_exec_t, dccifd_t)
+
manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
@@ -123,6 +128,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
kernel_read_system_state(dcc_client_t)
+corenet_all_recvfrom_netlabel(dcc_client_t)
+corenet_udp_sendrecv_generic_if(dcc_client_t)
+corenet_udp_sendrecv_generic_node(dcc_client_t)
+corenet_udp_sendrecv_all_ports(dcc_client_t)
+corenet_udp_bind_generic_node(dcc_client_t)
+
files_read_etc_runtime_files(dcc_client_t)
fs_getattr_all_fs(dcc_client_t)
@@ -131,12 +142,10 @@ auth_use_nsswitch(dcc_client_t)
logging_send_syslog_msg(dcc_client_t)
-miscfiles_read_localization(dcc_client_t)
-
-userdom_use_user_terminals(dcc_client_t)
+userdom_use_inherited_user_terminals(dcc_client_t)
optional_policy(`
- amavis_read_spool_files(dcc_client_t)
+ antivirus_read_db(dcc_client_t)
')
optional_policy(`
@@ -160,15 +169,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
kernel_read_system_state(dcc_dbclean_t)
+corenet_all_recvfrom_netlabel(dcc_dbclean_t)
+corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
+corenet_udp_sendrecv_generic_node(dcc_dbclean_t)
+corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
+
files_read_etc_runtime_files(dcc_dbclean_t)
auth_use_nsswitch(dcc_dbclean_t)
logging_send_syslog_msg(dcc_dbclean_t)
-miscfiles_read_localization(dcc_dbclean_t)
-
-userdom_use_user_terminals(dcc_dbclean_t)
+userdom_use_inherited_user_terminals(dcc_dbclean_t)
########################################
#
@@ -202,7 +214,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
kernel_read_system_state(dccd_t)
kernel_read_kernel_sysctls(dccd_t)
-corenet_all_recvfrom_unlabeled(dccd_t)
corenet_all_recvfrom_netlabel(dccd_t)
corenet_udp_sendrecv_generic_if(dccd_t)
corenet_udp_sendrecv_generic_node(dccd_t)
@@ -227,8 +238,6 @@ auth_use_nsswitch(dccd_t)
logging_send_syslog_msg(dccd_t)
-miscfiles_read_localization(dccd_t)
-
userdom_dontaudit_use_unpriv_user_fds(dccd_t)
userdom_dontaudit_search_user_home_dirs(dccd_t)
@@ -269,6 +278,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
kernel_read_system_state(dccifd_t)
kernel_read_kernel_sysctls(dccifd_t)
+corenet_all_recvfrom_netlabel(dccifd_t)
+corenet_udp_sendrecv_generic_if(dccifd_t)
+corenet_udp_sendrecv_generic_node(dccifd_t)
+corenet_udp_sendrecv_all_ports(dccifd_t)
+
dev_read_sysfs(dccifd_t)
domain_use_interactive_fds(dccifd_t)
@@ -282,8 +296,6 @@ auth_use_nsswitch(dccifd_t)
logging_send_syslog_msg(dccifd_t)
-miscfiles_read_localization(dccifd_t)
-
userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
userdom_dontaudit_search_user_home_dirs(dccifd_t)
@@ -324,6 +336,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file)
kernel_read_system_state(dccm_t)
kernel_read_kernel_sysctls(dccm_t)
+corenet_all_recvfrom_netlabel(dccm_t)
+corenet_udp_sendrecv_generic_if(dccm_t)
+corenet_udp_sendrecv_generic_node(dccm_t)
+corenet_udp_sendrecv_all_ports(dccm_t)
+
dev_read_sysfs(dccm_t)
domain_use_interactive_fds(dccm_t)
@@ -337,8 +354,6 @@ auth_use_nsswitch(dccm_t)
logging_send_syslog_msg(dccm_t)
-miscfiles_read_localization(dccm_t)
-
userdom_dontaudit_use_unpriv_user_fds(dccm_t)
userdom_dontaudit_search_user_home_dirs(dccm_t)
diff --git a/ddclient.if b/ddclient.if
index 5606b4069..cd18cf2a7 100644
--- a/ddclient.if
+++ b/ddclient.if
@@ -70,9 +70,13 @@ interface(`ddclient_admin',`
type ddclient_var_run_t, ddclient_initrc_exec_t;
')
- allow $1 ddclient_t:process { ptrace signal_perms };
+ allow $1 ddclient_t:process signal_perms;
ps_process_pattern($1, ddclient_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ddclient_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ddclient_initrc_exec_t system_r;
diff --git a/ddclient.te b/ddclient.te
index a4caa1b5b..42f30662d 100644
--- a/ddclient.te
+++ b/ddclient.te
@@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t)
# Declarations
#
+
dontaudit ddclient_t self:capability sys_tty_config;
allow ddclient_t self:process signal_perms;
allow ddclient_t self:fifo_file rw_fifo_file_perms;
+allow ddclient_t self:tcp_socket create_socket_perms;
+allow ddclient_t self:udp_socket create_socket_perms;
+allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
@@ -75,7 +79,6 @@ kernel_search_network_sysctl(ddclient_t)
corecmd_exec_shell(ddclient_t)
corecmd_exec_bin(ddclient_t)
-corenet_all_recvfrom_unlabeled(ddclient_t)
corenet_all_recvfrom_netlabel(ddclient_t)
corenet_tcp_sendrecv_generic_if(ddclient_t)
corenet_udp_sendrecv_generic_if(ddclient_t)
@@ -83,6 +86,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
corenet_udp_sendrecv_generic_node(ddclient_t)
corenet_tcp_sendrecv_all_ports(ddclient_t)
corenet_udp_sendrecv_all_ports(ddclient_t)
+corenet_tcp_bind_generic_node(ddclient_t)
+corenet_udp_bind_generic_node(ddclient_t)
corenet_sendrecv_all_client_packets(ddclient_t)
corenet_tcp_connect_all_ports(ddclient_t)
@@ -92,16 +97,16 @@ dev_read_urand(ddclient_t)
domain_use_interactive_fds(ddclient_t)
-files_read_etc_files(ddclient_t)
files_read_etc_runtime_files(ddclient_t)
-files_read_usr_files(ddclient_t)
fs_getattr_all_fs(ddclient_t)
fs_search_auto_mountpoints(ddclient_t)
+auth_read_passwd(ddclient_t)
+
logging_send_syslog_msg(ddclient_t)
-miscfiles_read_localization(ddclient_t)
+mta_send_mail(ddclient_t)
sysnet_exec_ifconfig(ddclient_t)
sysnet_dns_name_resolve(ddclient_t)
diff --git a/ddcprobe.te b/ddcprobe.te
index 8fa4bb994..8f5ffb00a 100644
--- a/ddcprobe.te
+++ b/ddcprobe.te
@@ -34,9 +34,7 @@ dev_read_urand(ddcprobe_t)
dev_read_raw_memory(ddcprobe_t)
dev_wx_raw_memory(ddcprobe_t)
-files_read_etc_files(ddcprobe_t)
files_read_etc_runtime_files(ddcprobe_t)
-files_read_usr_files(ddcprobe_t)
term_use_all_ttys(ddcprobe_t)
term_use_all_ptys(ddcprobe_t)
diff --git a/denyhosts.if b/denyhosts.if
index a7326da62..c87b5b7c6 100644
--- a/denyhosts.if
+++ b/denyhosts.if
@@ -53,6 +53,7 @@ interface(`denyhosts_initrc_domtrans',`
## Role allowed access.
##
##
+##
#
interface(`denyhosts_admin',`
gen_require(`
@@ -60,20 +61,24 @@ interface(`denyhosts_admin',`
type denyhosts_var_log_t, denyhosts_initrc_exec_t;
')
- allow $1 denyhosts_t:process { ptrace signal_perms };
+ allow $1 denyhosts_t:process signal_perms;
ps_process_pattern($1, denyhosts_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 denyhosts_t:process ptrace;
+ ')
+
denyhosts_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 denyhosts_initrc_exec_t system_r;
allow $2 system_r;
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, denyhosts_var_lib_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, denyhosts_var_log_t)
- files_search_locks($1)
+ files_list_locks($1)
admin_pattern($1, denyhosts_var_lock_t)
')
diff --git a/denyhosts.te b/denyhosts.te
index 583a52726..91c4104c7 100644
--- a/denyhosts.te
+++ b/denyhosts.te
@@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t)
#
# Local policy
#
+# Bug #588563
+allow denyhosts_t self:capability sys_tty_config;
+allow denyhosts_t self:fifo_file rw_fifo_file_perms;
allow denyhosts_t self:capability sys_tty_config;
allow denyhosts_t self:fifo_file rw_fifo_file_perms;
@@ -48,7 +51,6 @@ kernel_read_system_state(denyhosts_t)
corecmd_exec_bin(denyhosts_t)
corecmd_exec_shell(denyhosts_t)
-corenet_all_recvfrom_unlabeled(denyhosts_t)
corenet_all_recvfrom_netlabel(denyhosts_t)
corenet_tcp_sendrecv_generic_if(denyhosts_t)
corenet_tcp_sendrecv_generic_node(denyhosts_t)
@@ -57,13 +59,19 @@ corenet_sendrecv_smtp_client_packets(denyhosts_t)
corenet_tcp_connect_smtp_port(denyhosts_t)
corenet_tcp_sendrecv_smtp_port(denyhosts_t)
+corenet_sendrecv_sype_transport_client_packets(denyhosts_t)
+corenet_tcp_connect_sype_transport_port(denyhosts_t)
+corenet_tcp_sendrecv_sype_transport_port(denyhosts_t)
+
dev_read_urand(denyhosts_t)
+auth_use_nsswitch(denyhosts_t)
+
+iptables_domtrans(denyhosts_t)
+
logging_read_generic_logs(denyhosts_t)
logging_send_syslog_msg(denyhosts_t)
-miscfiles_read_localization(denyhosts_t)
-
sysnet_dns_name_resolve(denyhosts_t)
sysnet_manage_config(denyhosts_t)
sysnet_etc_filetrans_config(denyhosts_t)
@@ -71,3 +79,7 @@ sysnet_etc_filetrans_config(denyhosts_t)
optional_policy(`
cron_system_entry(denyhosts_t, denyhosts_exec_t)
')
+
+optional_policy(`
+ gnome_dontaudit_search_config(denyhosts_t)
+')
diff --git a/devicekit.fc b/devicekit.fc
index ae49c9d99..b8479873e 100644
--- a/devicekit.fc
+++ b/devicekit.fc
@@ -11,6 +11,7 @@
/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+/usr/libexec/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
diff --git a/devicekit.if b/devicekit.if
index 8ce99ff48..1bc5d3aea 100644
--- a/devicekit.if
+++ b/devicekit.if
@@ -1,4 +1,4 @@
-## Devicekit modular hardware abstraction layer.
+## Devicekit modular hardware abstraction layer
########################################
##
@@ -15,10 +15,27 @@ interface(`devicekit_domtrans',`
type devicekit_t, devicekit_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, devicekit_exec_t, devicekit_t)
')
+########################################
+##
+## Execute a domain transition to run devicekit_disk.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`devicekit_domtrans_disk',`
+ gen_require(`
+ type devicekit_disk_t, devicekit_disk_exec_t;
+ ')
+
+ domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t)
+')
+
########################################
##
## Send to devicekit over a unix domain
@@ -32,11 +49,10 @@ interface(`devicekit_domtrans',`
#
interface(`devicekit_dgram_send',`
gen_require(`
- type devicekit_t, devicekit_var_run_t;
+ type devicekit_t;
')
- files_search_pids($1)
- dgram_send_pattern($1, devicekit_var_run_t, devicekit_var_run_t, devicekit_t)
+ allow $1 devicekit_t:unix_dgram_socket sendto;
')
########################################
@@ -83,7 +99,7 @@ interface(`devicekit_dbus_chat_disk',`
########################################
##
-## Send generic signals to devicekit power.
+## Use file descriptors for devicekit_disk.
##
##
##
@@ -91,39 +107,38 @@ interface(`devicekit_dbus_chat_disk',`
##
##
#
-interface(`devicekit_signal_power',`
+interface(`devicekit_use_fds_disk',`
gen_require(`
- type devicekit_power_t;
+ type devicekit_disk_t;
')
- allow $1 devicekit_power_t:process signal;
+ allow $1 devicekit_disk_t:fd use;
')
########################################
##
-## Send and receive messages from
-## devicekit power over dbus.
+## Dontaudit Send and receive messages from
+## devicekit disk over dbus.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`devicekit_dbus_chat_power',`
+interface(`devicekit_dontaudit_dbus_chat_disk',`
gen_require(`
- type devicekit_power_t;
+ type devicekit_disk_t;
class dbus send_msg;
')
- allow $1 devicekit_power_t:dbus send_msg;
- allow devicekit_power_t $1:dbus send_msg;
+ dontaudit $1 devicekit_disk_t:dbus send_msg;
+ dontaudit devicekit_disk_t $1:dbus send_msg;
')
########################################
##
-## Use and inherit devicekit power
-## file descriptors.
+## Send signal devicekit power
##
##
##
@@ -131,17 +146,18 @@ interface(`devicekit_dbus_chat_power',`
##
##
#
-interface(`devicekit_use_fds_power',`
+interface(`devicekit_signal_power',`
gen_require(`
type devicekit_power_t;
')
- allow $1 devicekit_power_t:fd use;
+ allow $1 devicekit_power_t:process signal;
')
########################################
##
-## Append inherited devicekit log files.
+## Send and receive messages from
+## devicekit power over dbus.
##
##
##
@@ -149,40 +165,97 @@ interface(`devicekit_use_fds_power',`
##
##
#
+interface(`devicekit_dbus_chat_power',`
+ gen_require(`
+ type devicekit_power_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_power_t:dbus send_msg;
+ allow devicekit_power_t $1:dbus send_msg;
+')
+
+#######################################
+##
+## Use and inherit devicekit power
+## file descriptors.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_use_fds_power',`
+ gen_require(`
+ type devicekit_power_t;
+ ')
+
+ allow $1 devicekit_power_t:fd use;
+')
+
+#######################################
+##
+## Append inherited devicekit log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
interface(`devicekit_append_inherited_log_files',`
gen_require(`
type devicekit_var_log_t;
')
logging_search_logs($1)
- allow $1 devicekit_var_log_t:file { getattr_file_perms append };
+ allow $1 devicekit_var_log_t:file append_inherited_file_perms;
devicekit_use_fds_power($1)
')
-########################################
+#######################################
##
-## Create, read, write, and delete
-## devicekit log files.
+## Allow read devicekit log files.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
-interface(`devicekit_manage_log_files',`
+interface(`devicekit_read_log_files',`
gen_require(`
type devicekit_var_log_t;
')
logging_search_logs($1)
- manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
+ allow $1 devicekit_var_log_t:file read_file_perms;
+')
+
+#######################################
+##
+## Do not audit attempts to write the devicekit
+## log files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`devicekit_dontaudit_rw_log',`
+ gen_require(`
+ type devicekit_var_log_t;
+ ')
+
+ dontaudit $1 devicekit_var_log_t:file rw_file_perms;
')
########################################
##
-## Relabel devicekit log files.
+## Allow the domain to read devicekit_power state files in /proc.
##
##
##
@@ -190,13 +263,13 @@ interface(`devicekit_manage_log_files',`
##
##
#
-interface(`devicekit_relabel_log_files',`
+interface(`devicekit_read_state_power',`
gen_require(`
- type devicekit_var_log_t;
+ type devicekit_power_t;
')
- logging_search_logs($1)
- relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
+ kernel_search_proc($1)
+ ps_process_pattern($1, devicekit_power_t)
')
########################################
@@ -220,11 +293,30 @@ interface(`devicekit_read_pid_files',`
########################################
##
-## Create, read, write, and delete
+## Do not audit attempts to read
## devicekit PID files.
##
##
##
+## Domain to not audit.
+##
+##
+#
+interface(`devicekit_dontaudit_read_pid_files',`
+ gen_require(`
+ type devicekit_var_run_t;
+ ')
+
+ dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
+')
+
+
+########################################
+##
+## Manage devicekit PID files.
+##
+##
+##
## Domain allowed access.
##
##
@@ -235,22 +327,59 @@ interface(`devicekit_manage_pid_files',`
')
files_search_pids($1)
+ manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
+')
+
+#######################################
+##
+## Relabel devicekit LOG files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_relabel_log_files',`
+ gen_require(`
+ type devicekit_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
')
########################################
##
-## All of the rules required to
-## administrate an devicekit environment.
+## Manage devicekit LOG files.
##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`devicekit_manage_log_files',`
+ gen_require(`
+ type devicekit_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
+ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
+ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an devicekit environment
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
##
@@ -259,21 +388,48 @@ interface(`devicekit_admin',`
gen_require(`
type devicekit_t, devicekit_disk_t, devicekit_power_t;
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
- type devicekit_var_log_t;
')
- allow $1 { devicekit_t devicekit_disk_t devicekit_power_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { devicekit_t devicekit_disk_t devicekit_power_t })
+ allow $1 devicekit_t:process signal_perms;
+ ps_process_pattern($1, devicekit_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 devicekit_t:process ptrace;
+ allow $1 devicekit_disk_t:process ptrace;
+ allow $1 devicekit_power_t:process ptrace;
+ ')
+
+ allow $1 devicekit_disk_t:process signal_perms;
+ ps_process_pattern($1, devicekit_disk_t)
+
+ allow $1 devicekit_power_t:process signal_perms;
+ ps_process_pattern($1, devicekit_power_t)
- files_search_tmp($1)
admin_pattern($1, devicekit_tmp_t)
+ files_list_tmp($1)
- files_search_var_lib($1)
admin_pattern($1, devicekit_var_lib_t)
+ files_list_var_lib($1)
- logging_search_logs($1)
- admin_pattern($1, devicekit_var_log_t)
-
- files_search_pids($1)
admin_pattern($1, devicekit_var_run_t)
+ files_list_pids($1)
+')
+
+########################################
+##
+## Transition to devicekit named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_filetrans_named_content',`
+ gen_require(`
+ type devicekit_var_run_t, devicekit_var_log_t;
+ ')
+
+ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
')
diff --git a/devicekit.te b/devicekit.te
index 77a5003c0..8d3dc77cb 100644
--- a/devicekit.te
+++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1)
type devicekit_t;
type devicekit_exec_t;
-dbus_system_domain(devicekit_t, devicekit_exec_t)
+init_daemon_domain(devicekit_t, devicekit_exec_t)
type devicekit_power_t;
type devicekit_power_exec_t;
-dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
+init_daemon_domain(devicekit_power_t, devicekit_power_exec_t)
type devicekit_disk_t;
type devicekit_disk_exec_t;
-dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
+init_daemon_domain(devicekit_disk_t, devicekit_disk_exec_t)
type devicekit_tmp_t;
files_tmp_file(devicekit_tmp_t)
@@ -45,11 +45,8 @@ kernel_read_system_state(devicekit_t)
dev_read_sysfs(devicekit_t)
dev_read_urand(devicekit_t)
-files_read_etc_files(devicekit_t)
-
-miscfiles_read_localization(devicekit_t)
-
optional_policy(`
+ dbus_system_domain(devicekit_t, devicekit_exec_t)
dbus_system_bus_client(devicekit_t)
allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg;
@@ -64,7 +61,8 @@ optional_policy(`
# Disk local policy
#
-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:capability { chown setuid setgid dac_read_search dac_read_search dac_override fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio };
+
allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -81,17 +79,18 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
+files_filetrans_named_content(devicekit_disk_t)
+kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
kernel_getattr_message_if(devicekit_disk_t)
kernel_list_unlabeled(devicekit_disk_t)
-kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
kernel_read_fs_sysctls(devicekit_disk_t)
kernel_read_network_state(devicekit_disk_t)
kernel_read_software_raid_state(devicekit_disk_t)
kernel_read_system_state(devicekit_disk_t)
kernel_read_vm_sysctls(devicekit_disk_t)
kernel_request_load_module(devicekit_disk_t)
-kernel_setsched(devicekit_disk_t)
+kernel_dontaudit_setsched(devicekit_disk_t)
corecmd_exec_bin(devicekit_disk_t)
corecmd_exec_shell(devicekit_disk_t)
@@ -99,6 +98,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
dev_getattr_all_chr_files(devicekit_disk_t)
dev_getattr_mtrr_dev(devicekit_disk_t)
+dev_rw_generic_blk_files(devicekit_disk_t)
+dev_rw_loop_control(devicekit_disk_t)
dev_getattr_usbfs_dirs(devicekit_disk_t)
dev_manage_generic_files(devicekit_disk_t)
dev_read_urand(devicekit_disk_t)
@@ -117,8 +118,8 @@ files_getattr_all_pipes(devicekit_disk_t)
files_manage_boot_dirs(devicekit_disk_t)
files_manage_isid_type_dirs(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t)
+files_manage_etc_files(devicekit_disk_t)
files_read_etc_runtime_files(devicekit_disk_t)
-files_read_usr_files(devicekit_disk_t)
fs_getattr_all_fs(devicekit_disk_t)
fs_list_inotifyfs(devicekit_disk_t)
@@ -135,18 +136,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
storage_raw_read_removable_device(devicekit_disk_t)
storage_raw_write_removable_device(devicekit_disk_t)
-term_use_all_terms(devicekit_disk_t)
+term_use_all_inherited_terms(devicekit_disk_t)
auth_use_nsswitch(devicekit_disk_t)
logging_send_syslog_msg(devicekit_disk_t)
-miscfiles_read_localization(devicekit_disk_t)
-
userdom_read_all_users_state(devicekit_disk_t)
userdom_search_user_home_dirs(devicekit_disk_t)
+userdom_manage_user_tmp_dirs(devicekit_disk_t)
optional_policy(`
+ dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
dbus_system_bus_client(devicekit_disk_t)
allow devicekit_disk_t devicekit_t:dbus send_msg;
@@ -170,6 +171,7 @@ optional_policy(`
optional_policy(`
mount_domtrans(devicekit_disk_t)
+ mount_read_pid_files(devicekit_disk_t)
')
optional_policy(`
@@ -182,6 +184,11 @@ optional_policy(`
raid_domtrans_mdadm(devicekit_disk_t)
')
+optional_policy(`
+ systemd_read_logind_sessions_files(devicekit_disk_t)
+ systemd_write_inhibit_pipes(devicekit_disk_t)
+')
+
optional_policy(`
udev_domtrans(devicekit_disk_t)
udev_read_db(devicekit_disk_t)
@@ -192,12 +199,19 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
+optional_policy(`
+ unconfined_domain(devicekit_t)
+ unconfined_domain(devicekit_power_t)
+ unconfined_domain(devicekit_disk_t)
+')
+
########################################
#
# Power local policy
#
-allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
+allow devicekit_power_t self:capability { dac_read_search dac_override net_admin sys_admin sys_tty_config sys_nice };
+allow devicekit_power_t self:capability2 compromise_kernel;
allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
@@ -212,9 +226,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
-allow devicekit_power_t devicekit_var_log_t:file append_file_perms;
-allow devicekit_power_t devicekit_var_log_t:file create_file_perms;
-allow devicekit_power_t devicekit_var_log_t:file setattr_file_perms;
+manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
@@ -224,12 +236,12 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file })
kernel_read_fs_sysctls(devicekit_power_t)
kernel_read_network_state(devicekit_power_t)
kernel_read_system_state(devicekit_power_t)
-kernel_rw_hotplug_sysctls(devicekit_power_t)
+kernel_rw_usermodehelper_state(devicekit_power_t)
kernel_rw_kernel_sysctl(devicekit_power_t)
kernel_rw_vm_sysctls(devicekit_power_t)
kernel_search_debugfs(devicekit_power_t)
kernel_write_proc_files(devicekit_power_t)
-kernel_setsched(devicekit_power_t)
+kernel_dontaudit_setsched(devicekit_power_t)
corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
@@ -248,21 +260,18 @@ domain_read_all_domains_state(devicekit_power_t)
files_read_kernel_img(devicekit_power_t)
files_read_etc_runtime_files(devicekit_power_t)
-files_read_usr_files(devicekit_power_t)
files_dontaudit_list_mnt(devicekit_power_t)
fs_getattr_all_fs(devicekit_power_t)
fs_list_inotifyfs(devicekit_power_t)
-term_use_all_terms(devicekit_power_t)
+term_use_all_inherited_terms(devicekit_power_t)
auth_use_nsswitch(devicekit_power_t)
init_all_labeled_script_domtrans(devicekit_power_t)
init_read_utmp(devicekit_power_t)
-miscfiles_read_localization(devicekit_power_t)
-
sysnet_domtrans_ifconfig(devicekit_power_t)
sysnet_domtrans_dhcpc(devicekit_power_t)
@@ -277,6 +286,12 @@ optional_policy(`
')
optional_policy(`
+ cron_initrc_domtrans(devicekit_power_t)
+ cron_systemctl(devicekit_power_t)
+')
+
+optional_policy(`
+ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
dbus_system_bus_client(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
@@ -306,9 +321,12 @@ optional_policy(`
fstools_domtrans(devicekit_power_t)
')
+optional_policy(`
+ gnome_manage_home_config(devicekit_power_t)
+')
+
optional_policy(`
hal_domtrans_mac(devicekit_power_t)
- hal_manage_log(devicekit_power_t)
hal_manage_pid_dirs(devicekit_power_t)
hal_manage_pid_files(devicekit_power_t)
')
@@ -347,3 +365,9 @@ optional_policy(`
optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
+
+optional_policy(`
+ corenet_tcp_connect_xserver_port(devicekit_power_t)
+ xserver_stream_connect(devicekit_power_t)
+')
+
diff --git a/dhcp.fc b/dhcp.fc
index 8182c4806..0b9bb9710 100644
--- a/dhcp.fc
+++ b/dhcp.fc
@@ -1,6 +1,13 @@
/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/dhcrelay(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
-/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
+/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
+/usr/lib/systemd/system/dhcpd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
+/usr/lib/systemd/system/dhcpd6.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
+/usr/lib/systemd/system/dhcrelay.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
+
+/usr/sbin/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
+/usr/sbin/dhcrelay(6)? -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
diff --git a/dhcp.if b/dhcp.if
index c697edbcd..954c090bd 100644
--- a/dhcp.if
+++ b/dhcp.if
@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
')
sysnet_search_dhcp_state($1)
- allow $1 dhcpd_state_t:file setattr;
+ allow $1 dhcpd_state_t:file setattr_file_perms;
')
########################################
@@ -58,6 +58,31 @@ interface(`dhcpd_initrc_domtrans',`
init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
')
+########################################
+##
+## Execute dhcpd server in the dhcpd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`dhcpd_systemctl',`
+ gen_require(`
+ type dhcpd_unit_file_t;
+ type dhcpd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_search_unit_dirs($1)
+ allow $1 dhcpd_unit_file_t:file read_file_perms;
+ allow $1 dhcpd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, dhcpd_t)
+')
+
########################################
##
## All of the rules required to
@@ -79,11 +104,16 @@ interface(`dhcpd_admin',`
gen_require(`
type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
type dhcpd_var_run_t, dhcpd_initrc_exec_t;
+ type dhcpd_unit_file_t;
')
- allow $1 dhcpd_t:process { ptrace signal_perms };
+ allow $1 dhcpd_t:process signal_perms;
ps_process_pattern($1, dhcpd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 dhcpd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dhcpd_initrc_exec_t system_r;
@@ -97,4 +127,8 @@ interface(`dhcpd_admin',`
files_list_pids($1)
admin_pattern($1, dhcpd_var_run_t)
+
+ dhcpd_systemctl($1)
+ admin_pattern($1, dhcpd_unit_file_t)
+ allow $1 dhcpd_unit_file_t:service all_service_perms;
')
diff --git a/dhcp.te b/dhcp.te
index 98a24b989..3ca9fe61a 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
type dhcpd_initrc_exec_t;
init_script_file(dhcpd_initrc_exec_t)
+type dhcpd_unit_file_t;
+systemd_unit_file(dhcpd_unit_file_t)
+
type dhcpd_state_t;
files_type(dhcpd_state_t)
@@ -34,7 +37,7 @@ files_pid_file(dhcpd_var_run_t)
# Local policy
#
-allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource };
+allow dhcpd_t self:capability { chown dac_read_search dac_override fowner sys_chroot net_raw kill setgid setuid setpcap sys_resource };
dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
allow dhcpd_t self:process { getcap setcap signal_perms };
allow dhcpd_t self:fifo_file rw_fifo_file_perms;
@@ -58,7 +61,6 @@ kernel_read_system_state(dhcpd_t)
kernel_read_kernel_sysctls(dhcpd_t)
kernel_read_network_state(dhcpd_t)
-corenet_all_recvfrom_unlabeled(dhcpd_t)
corenet_all_recvfrom_netlabel(dhcpd_t)
corenet_tcp_sendrecv_generic_if(dhcpd_t)
corenet_udp_sendrecv_generic_if(dhcpd_t)
@@ -94,7 +96,6 @@ fs_search_auto_mountpoints(dhcpd_t)
domain_use_interactive_fds(dhcpd_t)
-files_read_usr_files(dhcpd_t)
files_read_etc_runtime_files(dhcpd_t)
files_search_var_lib(dhcpd_t)
@@ -102,21 +103,41 @@ auth_use_nsswitch(dhcpd_t)
logging_send_syslog_msg(dhcpd_t)
-miscfiles_read_localization(dhcpd_t)
-
+sysnet_read_config(dhcpd_t)
sysnet_read_dhcp_config(dhcpd_t)
userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
userdom_dontaudit_search_user_home_dirs(dhcpd_t)
tunable_policy(`dhcpd_use_ldap',`
- sysnet_use_ldap(dhcpd_t)
+ allow dhcpd_t self:tcp_socket create_socket_perms;
+')
+
+tunable_policy(`dhcpd_use_ldap',`
+ corenet_tcp_sendrecv_generic_if(dhcpd_t)
+ corenet_tcp_sendrecv_generic_node(dhcpd_t)
+ corenet_tcp_sendrecv_ldap_port(dhcpd_t)
+ corenet_tcp_connect_ldap_port(dhcpd_t)
+ corenet_sendrecv_ldap_client_packets(dhcpd_t)
+')
+
+tunable_policy(`dhcpd_use_ldap',`
+ ldap_read_certs(dhcpd_t)
+')
+
+ifdef(`distro_gentoo',`
+ allow dhcpd_t self:capability { chown dac_read_search dac_override setgid setuid sys_chroot };
')
optional_policy(`
+ # used for dynamic DNS
bind_read_dnssec_keys(dhcpd_t)
')
+optional_policy(`
+ cobbler_dontaudit_rw_log(dhcpd_t)
+')
+
optional_policy(`
dbus_system_bus_client(dhcpd_t)
dbus_connect_system_bus(dhcpd_t)
diff --git a/dictd.if b/dictd.if
index 3cc3494bd..cb0a1f4bf 100644
--- a/dictd.if
+++ b/dictd.if
@@ -38,8 +38,11 @@ interface(`dictd_admin',`
type dictd_var_run_t, dictd_initrc_exec_t;
')
- allow $1 dictd_t:process { ptrace signal_perms };
+ allow $1 dictd_t:process signal_perms;
ps_process_pattern($1, dictd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 dictd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, dictd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/dictd.te b/dictd.te
index 433d3c5a0..0dccebfd9 100644
--- a/dictd.te
+++ b/dictd.te
@@ -43,7 +43,6 @@ files_pid_filetrans(dictd_t, dictd_var_run_t, file)
kernel_read_system_state(dictd_t)
kernel_read_kernel_sysctls(dictd_t)
-corenet_all_recvfrom_unlabeled(dictd_t)
corenet_all_recvfrom_netlabel(dictd_t)
corenet_tcp_sendrecv_generic_if(dictd_t)
corenet_tcp_sendrecv_generic_node(dictd_t)
@@ -58,7 +57,6 @@ dev_read_sysfs(dictd_t)
domain_use_interactive_fds(dictd_t)
files_read_etc_runtime_files(dictd_t)
-files_read_usr_files(dictd_t)
files_search_var_lib(dictd_t)
fs_getattr_xattr_fs(dictd_t)
@@ -68,8 +66,6 @@ auth_use_nsswitch(dictd_t)
logging_send_syslog_msg(dictd_t)
-miscfiles_read_localization(dictd_t)
-
userdom_dontaudit_use_unpriv_user_fds(dictd_t)
optional_policy(`
diff --git a/dirmngr.te b/dirmngr.te
index b3b218815..5f917054c 100644
--- a/dirmngr.te
+++ b/dirmngr.te
@@ -53,6 +53,5 @@ files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
kernel_read_crypto_sysctls(dirmngr_t)
-files_read_etc_files(dirmngr_t)
miscfiles_read_localization(dirmngr_t)
diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc
new file mode 100644
index 000000000..38b17f89f
--- /dev/null
+++ b/dirsrv-admin.fc
@@ -0,0 +1,17 @@
+/usr/lib/systemd/system/dirsrv-admin\.service -- gen_context(system_u:object_r:dirsrvadmin_unit_file_t,s0)
+
+/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
+/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
+/usr/sbin/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+/usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+
+/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:dirsrvadmin_script_exec_t,s0)
+/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:dirsrvadmin_script_exec_t,s0)
+
+/usr/lib/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+/usr/lib/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+
+/var/lock/subsys/dirsrv-admin -- gen_context(system_u:object_r:dirsrvadmin_lock_t,s0)
diff --git a/dirsrv-admin.if b/dirsrv-admin.if
new file mode 100644
index 000000000..0d4e70492
--- /dev/null
+++ b/dirsrv-admin.if
@@ -0,0 +1,157 @@
+## Administration Server for Directory Server, dirsrv-admin.
+
+########################################
+##
+## Exec dirsrv-admin programs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrvadmin_run_exec',`
+ gen_require(`
+ type dirsrvadmin_exec_t;
+ ')
+
+ allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
+ can_exec($1, dirsrvadmin_exec_t)
+')
+
+########################################
+##
+## Exec cgi programs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrvadmin_run_script_exec',`
+ gen_require(`
+ type dirsrvadmin_script_exec_t;
+ ')
+
+ allow $1 dirsrvadmin_script_exec_t:dir search_dir_perms;
+ can_exec($1, dirsrvadmin_script_exec_t)
+')
+
+########################################
+##
+## Manage dirsrv-adminserver configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrvadmin_read_config',`
+ gen_require(`
+ type dirsrvadmin_config_t;
+ ')
+
+ read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t)
+')
+
+########################################
+##
+## Manage dirsrv-adminserver configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrvadmin_manage_config',`
+ gen_require(`
+ type dirsrvadmin_config_t;
+ ')
+
+ allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
+ allow $1 dirsrvadmin_config_t:file manage_file_perms;
+')
+
+#######################################
+##
+## Read dirsrv-adminserver tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrvadmin_read_tmp',`
+ gen_require(`
+ type dirsrvadmin_tmp_t;
+ ')
+
+ read_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+')
+
+########################################
+##
+## Manage dirsrv-adminserver tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrvadmin_manage_tmp',`
+ gen_require(`
+ type dirsrvadmin_tmp_t;
+ ')
+
+ manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+ manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+')
+
+########################################
+##
+## Execute dirsrv-admin server in the dirsrv-admin domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`dirsrvadmin_systemctl',`
+ gen_require(`
+ type dirsrvadmin_t;
+ type dirsrvadmin_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 dirsrvadmin_unit_file_t:file read_file_perms;
+ allow $1 dirsrvadmin_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, dirsrvadmin_t)
+')
+
+#######################################
+##
+## Execute admin cgi programs in caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrvadmin_domtrans_unconfined_script_t',`
+ gen_require(`
+ type dirsrvadmin_unconfined_script_t;
+ type dirsrvadmin_unconfined_script_exec_t;
+ ')
+
+ domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t)
+ allow $1 dirsrvadmin_unconfined_script_t:process signal_perms;
+')
diff --git a/dirsrv-admin.te b/dirsrv-admin.te
new file mode 100644
index 000000000..51fb95d13
--- /dev/null
+++ b/dirsrv-admin.te
@@ -0,0 +1,173 @@
+policy_module(dirsrv-admin,1.0.0)
+
+########################################
+#
+# Declarations for the daemon
+#
+
+type dirsrvadmin_t;
+type dirsrvadmin_exec_t;
+init_daemon_domain(dirsrvadmin_t, dirsrvadmin_exec_t)
+role system_r types dirsrvadmin_t;
+
+type dirsrvadmin_config_t;
+files_type(dirsrvadmin_config_t)
+
+type dirsrvadmin_lock_t;
+files_lock_file(dirsrvadmin_lock_t)
+
+type dirsrvadmin_tmp_t;
+files_tmp_file(dirsrvadmin_tmp_t)
+
+type dirsrvadmin_unit_file_t;
+systemd_unit_file(dirsrvadmin_unit_file_t)
+
+type dirsrvadmin_unconfined_script_t;
+type dirsrvadmin_unconfined_script_exec_t;
+domain_type(dirsrvadmin_unconfined_script_t)
+domain_entry_file(dirsrvadmin_unconfined_script_t, dirsrvadmin_unconfined_script_exec_t)
+corecmd_shell_entry_type(dirsrvadmin_unconfined_script_t)
+role system_r types dirsrvadmin_unconfined_script_t;
+
+########################################
+#
+# Local policy for the daemon
+#
+
+allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
+allow dirsrvadmin_t self:process { setrlimit signal_perms };
+
+manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+files_tmp_filetrans(dirsrvadmin_t, dirsrvadmin_tmp_t, { file dir })
+
+kernel_read_system_state(dirsrvadmin_t)
+
+corecmd_exec_bin(dirsrvadmin_t)
+corecmd_read_bin_symlinks(dirsrvadmin_t)
+corecmd_search_bin(dirsrvadmin_t)
+corecmd_shell_entry_type(dirsrvadmin_t)
+
+files_exec_etc_files(dirsrvadmin_t)
+
+libs_exec_ld_so(dirsrvadmin_t)
+
+logging_search_logs(dirsrvadmin_t)
+
+# Needed for stop and restart scripts
+dirsrv_read_var_run(dirsrvadmin_t)
+
+optional_policy(`
+ apache_domtrans(dirsrvadmin_t)
+ apache_signal(dirsrvadmin_t)
+')
+
+########################################
+#
+# Local policy for the CGIs
+#
+#
+#
+# Create a domain for the CGI scripts
+
+optional_policy(`
+ apache_content_template(dirsrvadmin)
+ apache_content_alias_template(dirsrvadmin, dirsrvadmin)
+
+ allow dirsrvadmin_script_t self:process { getsched getpgid };
+ allow dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
+ allow dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
+ allow dirsrvadmin_script_t self:udp_socket create_socket_perms;
+ allow dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
+ allow dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
+ allow dirsrvadmin_script_t self:sem create_sem_perms;
+
+
+ manage_files_pattern(dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t)
+ files_lock_filetrans(dirsrvadmin_script_t, dirsrvadmin_lock_t, { file })
+
+ kernel_read_kernel_sysctls(dirsrvadmin_script_t)
+
+ auth_read_passwd(dirsrvadmin_script_t)
+
+ corenet_tcp_bind_generic_node(dirsrvadmin_script_t)
+ corenet_udp_bind_generic_node(dirsrvadmin_script_t)
+ corenet_all_recvfrom_netlabel(dirsrvadmin_script_t)
+
+ corenet_tcp_bind_http_port(dirsrvadmin_script_t)
+ corenet_tcp_connect_generic_port(dirsrvadmin_script_t)
+ corenet_tcp_connect_ldap_port(dirsrvadmin_script_t)
+ corenet_tcp_connect_http_port(dirsrvadmin_script_t)
+
+ files_search_var_lib(dirsrvadmin_script_t)
+
+ sysnet_read_config(dirsrvadmin_script_t)
+
+ manage_files_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+ manage_lnk_files_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+ manage_dirs_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+ files_tmp_filetrans(dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
+
+ miscfiles_read_certs(dirsrvadmin_script_t)
+
+ optional_policy(`
+ dirsrvadmin_systemctl(dirsrvadmin_script_t)
+ ')
+
+ optional_policy(`
+ apache_read_modules(dirsrvadmin_script_t)
+ apache_read_config(dirsrvadmin_script_t)
+ apache_read_pid_files(dirsrvadmin_script_t)
+ apache_read_tmp_symlinks(dirsrvadmin_script_t)
+ apache_read_tmp_files(dirsrvadmin_script_t)
+ apache_read_tmp_dirs(dirsrvadmin_script_t)
+ apache_signal(dirsrvadmin_script_t)
+ apache_signull(dirsrvadmin_script_t)
+ ')
+
+ optional_policy(`
+ # The CGI scripts must be able to manage dirsrv-admin
+ dirsrvadmin_run_exec(dirsrvadmin_script_t)
+ dirsrvadmin_manage_config(dirsrvadmin_script_t)
+ dirsrv_domtrans(dirsrvadmin_script_t)
+ dirsrv_signal(dirsrvadmin_script_t)
+ dirsrv_signull(dirsrvadmin_script_t)
+ dirsrv_manage_log(dirsrvadmin_script_t)
+ dirsrv_manage_var_lib(dirsrvadmin_script_t)
+ dirsrv_pid_filetrans(dirsrvadmin_script_t)
+ dirsrv_manage_var_run(dirsrvadmin_script_t)
+ dirsrv_manage_config(dirsrvadmin_script_t)
+ dirsrv_read_share(dirsrvadmin_script_t)
+ ')
+')
+
+#######################################
+#
+# Local policy for the admin CGIs
+#
+#
+
+
+manage_files_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+manage_dirs_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+files_tmp_filetrans(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, { file dir })
+
+# needed because of filetrans rules
+dirsrvadmin_run_exec(dirsrvadmin_unconfined_script_t)
+dirsrvadmin_manage_config(dirsrvadmin_unconfined_script_t)
+dirsrv_domtrans(dirsrvadmin_unconfined_script_t)
+dirsrv_signal(dirsrvadmin_unconfined_script_t)
+dirsrv_signull(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_log(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_var_lib(dirsrvadmin_unconfined_script_t)
+dirsrv_pid_filetrans(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_var_run(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_config(dirsrvadmin_unconfined_script_t)
+dirsrv_read_share(dirsrvadmin_unconfined_script_t)
+
+optional_policy(`
+ unconfined_domain(dirsrvadmin_unconfined_script_t)
+')
+
+
diff --git a/dirsrv.fc b/dirsrv.fc
new file mode 100644
index 000000000..0c441124c
--- /dev/null
+++ b/dirsrv.fc
@@ -0,0 +1,23 @@
+/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0)
+
+/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0)
+/usr/sbin/ldap-agent -- gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
+/usr/sbin/ldap-agent-bin -- gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
+/usr/sbin/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_share_t,s0)
+
+/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
+
+# BZ:
+/var/run/slapd.* -s gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+
+/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
+
+/var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
+
+/var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_log_t,s0)
+
+/var/log/dirsrv/ldap-agent.log.* gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
diff --git a/dirsrv.if b/dirsrv.if
new file mode 100644
index 000000000..943a99c98
--- /dev/null
+++ b/dirsrv.if
@@ -0,0 +1,232 @@
+## policy for dirsrv
+
+########################################
+##
+## Execute a domain transition to run dirsrv.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`dirsrv_domtrans',`
+ gen_require(`
+ type dirsrv_t, dirsrv_exec_t;
+ ')
+
+ domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)
+')
+
+########################################
+##
+## Execute dirsrv in the dirsrv domain, and
+## allow the specified role the dirsrv domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`dirsrv_run',`
+ gen_require(`
+ type dirsrv_t;
+ ')
+
+ dirsrv_domtrans($1)
+ role $2 types dirsrv_t;
+')
+
+########################################
+##
+## Allow caller to signal dirsrv.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_signal',`
+ gen_require(`
+ type dirsrv_t;
+ ')
+
+ allow $1 dirsrv_t:process signal;
+')
+
+
+########################################
+##
+## Send a null signal to dirsrv.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_signull',`
+ gen_require(`
+ type dirsrv_t;
+ ')
+
+ allow $1 dirsrv_t:process signull;
+')
+
+#######################################
+##
+## Allow a domain to manage dirsrv logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_manage_log',`
+ gen_require(`
+ type dirsrv_var_log_t;
+ ')
+
+ allow $1 dirsrv_var_log_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_log_t:file manage_file_perms;
+ allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms;
+')
+
+#######################################
+##
+## Allow a domain to manage dirsrv /var/lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_manage_var_lib',`
+ gen_require(`
+ type dirsrv_var_lib_t;
+ ')
+ allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_lib_t:file manage_file_perms;
+')
+
+########################################
+##
+## Connect to dirsrv over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_stream_connect',`
+ gen_require(`
+ type dirsrv_t, dirsrv_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
+')
+
+#######################################
+##
+## Allow a domain to manage dirsrv /var/run files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_manage_var_run',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ allow $1 dirsrv_var_run_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_run_t:file manage_file_perms;
+ allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
+')
+
+######################################
+##
+## Allow a domain to create dirsrv pid directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_pid_filetrans',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ # Allow creating a dir in /var/run with this type
+ files_pid_filetrans($1, dirsrv_var_run_t, dir)
+')
+
+#######################################
+##
+## Allow a domain to read dirsrv /var/run files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_read_var_run',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ allow $1 dirsrv_var_run_t:dir list_dir_perms;
+ allow $1 dirsrv_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Manage dirsrv configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_manage_config',`
+ gen_require(`
+ type dirsrv_config_t;
+ ')
+
+ allow $1 dirsrv_config_t:dir manage_dir_perms;
+ allow $1 dirsrv_config_t:file manage_file_perms;
+')
+
+########################################
+##
+## Read dirsrv share files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_read_share',`
+ gen_require(`
+ type dirsrv_share_t;
+ ')
+
+ allow $1 dirsrv_share_t:dir list_dir_perms;
+ allow $1 dirsrv_share_t:file { map read_file_perms };
+ allow $1 dirsrv_share_t:lnk_file read;
+')
diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644
index 000000000..dbddd4aaf
--- /dev/null
+++ b/dirsrv.te
@@ -0,0 +1,213 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# main daemon
+type dirsrv_t;
+type dirsrv_exec_t;
+domain_type(dirsrv_t)
+init_daemon_domain(dirsrv_t, dirsrv_exec_t)
+
+type dirsrv_snmp_t;
+type dirsrv_snmp_exec_t;
+domain_type(dirsrv_snmp_t)
+init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)
+
+type dirsrv_var_lib_t;
+files_type(dirsrv_var_lib_t)
+
+type dirsrv_var_log_t;
+logging_log_file(dirsrv_var_log_t)
+
+type dirsrv_snmp_var_log_t;
+logging_log_file(dirsrv_snmp_var_log_t)
+
+type dirsrv_var_run_t;
+files_pid_file(dirsrv_var_run_t)
+
+type dirsrv_snmp_var_run_t;
+files_pid_file(dirsrv_snmp_var_run_t)
+
+type dirsrv_var_lock_t;
+files_lock_file(dirsrv_var_lock_t)
+
+type dirsrv_config_t;
+files_type(dirsrv_config_t)
+
+type dirsrv_tmp_t;
+files_tmp_file(dirsrv_tmp_t)
+
+type dirsrv_tmpfs_t;
+files_tmpfs_file(dirsrv_tmpfs_t)
+
+type dirsrv_share_t;
+files_type(dirsrv_share_t);
+
+########################################
+#
+# dirsrv local policy
+#
+allow dirsrv_t self:process { getsched setsched setfscreate setrlimit signal_perms};
+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_read_search dac_override fowner };
+allow dirsrv_t self:fifo_file manage_fifo_file_perms;
+allow dirsrv_t self:sem create_sem_perms;
+allow dirsrv_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+manage_lnk_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, { dir file })
+allow dirsrv_t dirsrv_tmpfs_t:file map;
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
+allow dirsrv_t dirsrv_var_lib_t:file map;
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+allow dirsrv_t dirsrv_var_log_t:dir { setattr };
+logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file })
+allow dirsrv_t dirsrv_var_run_t:file map;
+
+manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
+files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, { dir file })
+files_setattr_lock_dirs(dirsrv_t)
+
+manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+
+manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+manage_lnk_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir lnk_file })
+allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms;
+
+read_files_pattern(dirsrv_t, dirsrv_share_t, dirsrv_share_t)
+list_dirs_pattern(dirsrv_t, dirsrv_share_t, dirsrv_share_t)
+
+kernel_read_network_state(dirsrv_t)
+kernel_read_system_state(dirsrv_t)
+kernel_read_kernel_sysctls(dirsrv_t)
+
+corecmd_search_bin(dirsrv_t)
+
+corenet_all_recvfrom_netlabel(dirsrv_t)
+corenet_tcp_sendrecv_generic_if(dirsrv_t)
+corenet_tcp_sendrecv_generic_node(dirsrv_t)
+corenet_tcp_sendrecv_all_ports(dirsrv_t)
+corenet_tcp_bind_generic_node(dirsrv_t)
+corenet_tcp_bind_ldap_port(dirsrv_t)
+corenet_tcp_bind_dogtag_port(dirsrv_t)
+corenet_tcp_bind_all_rpc_ports(dirsrv_t)
+corenet_udp_bind_all_rpc_ports(dirsrv_t)
+corenet_tcp_connect_all_ports(dirsrv_t)
+corenet_sendrecv_ldap_server_packets(dirsrv_t)
+corenet_sendrecv_all_client_packets(dirsrv_t)
+
+dev_read_sysfs(dirsrv_t)
+dev_read_urand(dirsrv_t)
+
+files_read_usr_symlinks(dirsrv_t)
+
+fs_getattr_all_fs(dirsrv_t)
+fs_read_cgroup_files(dirsrv_t)
+
+auth_use_pam(dirsrv_t)
+
+logging_send_syslog_msg(dirsrv_t)
+
+sysnet_dns_name_resolve(dirsrv_t)
+
+usermanage_read_crack_db(dirsrv_t)
+
+optional_policy(`
+ apache_dontaudit_leaks(dirsrv_t)
+')
+
+optional_policy(`
+ dirsrvadmin_read_tmp(dirsrv_t)
+')
+
+optional_policy(`
+ kerberos_use(dirsrv_t)
+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_55")
+')
+
+# FIPS mode
+optional_policy(`
+ prelink_exec(dirsrv_t)
+')
+
+optional_policy(`
+ rpcbind_stream_connect(dirsrv_t)
+')
+
+optional_policy(`
+ uuidd_stream_connect_manager(dirsrv_t)
+')
+
+optional_policy(`
+ systemd_manage_passwd_run(dirsrv_t)
+')
+
+########################################
+#
+# dirsrv-snmp local policy
+#
+allow dirsrv_snmp_t self:capability { dac_override dac_read_search };
+allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;
+
+rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+
+read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+
+read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
+
+manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
+files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
+search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+
+manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
+filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
+
+kernel_read_system_state(dirsrv_snmp_t)
+
+corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
+
+dev_read_rand(dirsrv_snmp_t)
+dev_read_urand(dirsrv_snmp_t)
+
+domain_use_interactive_fds(dirsrv_snmp_t)
+
+#files_manage_var_files(dirsrv_snmp_t)
+
+fs_getattr_tmpfs(dirsrv_snmp_t)
+fs_search_tmpfs(dirsrv_snmp_t)
+
+sysnet_read_config(dirsrv_snmp_t)
+sysnet_dns_name_resolve(dirsrv_snmp_t)
+
+userdom_use_inherited_user_ptys(dirsrv_snmp_t)
+
+optional_policy(`
+ snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
+ snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
+ snmp_manage_var_lib_dirs(dirsrv_snmp_t)
+ snmp_manage_var_lib_files(dirsrv_snmp_t)
+ snmp_stream_connect(dirsrv_snmp_t)
+')
diff --git a/distcc.if b/distcc.if
index 24d8c740c..1790ec5dc 100644
--- a/distcc.if
+++ b/distcc.if
@@ -19,7 +19,7 @@
#
interface(`distcc_admin',`
gen_require(`
- type distccd_t, distccd_t, distccd_log_t;
+ type distccd_t, distccd_t, distccd_log_t, distccd_var_run_t;
type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
')
diff --git a/distcc.te b/distcc.te
index 898b2f433..8a1725b62 100644
--- a/distcc.te
+++ b/distcc.te
@@ -47,7 +47,6 @@ files_pid_filetrans(distccd_t, distccd_var_run_t, file)
kernel_read_system_state(distccd_t)
kernel_read_kernel_sysctls(distccd_t)
-corenet_all_recvfrom_unlabeled(distccd_t)
corenet_all_recvfrom_netlabel(distccd_t)
corenet_tcp_sendrecv_generic_if(distccd_t)
corenet_tcp_sendrecv_generic_node(distccd_t)
@@ -74,8 +73,6 @@ libs_exec_lib_files(distccd_t)
logging_send_syslog_msg(distccd_t)
-miscfiles_read_localization(distccd_t)
-
userdom_dontaudit_use_unpriv_user_fds(distccd_t)
userdom_dontaudit_search_user_home_dirs(distccd_t)
diff --git a/djbdns.if b/djbdns.if
index 671d3c0a1..6d36c951a 100644
--- a/djbdns.if
+++ b/djbdns.if
@@ -39,6 +39,23 @@ template(`djbdns_daemontools_domain_template',`
allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
+
+ corenet_all_recvfrom_netlabel(djbdns_$1_t)
+ corenet_tcp_sendrecv_generic_if(djbdns_$1_t)
+ corenet_udp_sendrecv_generic_if(djbdns_$1_t)
+ corenet_tcp_sendrecv_generic_node(djbdns_$1_t)
+ corenet_udp_sendrecv_generic_node(djbdns_$1_t)
+ corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
+ corenet_udp_sendrecv_all_ports(djbdns_$1_t)
+ corenet_tcp_bind_generic_node(djbdns_$1_t)
+ corenet_udp_bind_generic_node(djbdns_$1_t)
+ corenet_tcp_bind_dns_port(djbdns_$1_t)
+ corenet_udp_bind_dns_port(djbdns_$1_t)
+ corenet_udp_bind_generic_port(djbdns_$1_t)
+ corenet_sendrecv_dns_server_packets(djbdns_$1_t)
+ corenet_sendrecv_generic_server_packets(djbdns_$1_t)
+
+ files_search_var(djbdns_$1_t)
')
#####################################
diff --git a/djbdns.te b/djbdns.te
index 87ca536ae..ebd327ad1 100644
--- a/djbdns.te
+++ b/djbdns.te
@@ -48,6 +48,10 @@ corenet_udp_bind_generic_port(djbdns_domain)
files_search_var(djbdns_domain)
+daemontools_ipc_domain(djbdns_axfrdns_t)
+daemontools_read_svc(djbdns_axfrdns_t)
+
+
########################################
#
# axfrdns local policy
diff --git a/dkim.fc b/dkim.fc
index 5818418af..674367b3a 100644
--- a/dkim.fc
+++ b/dkim.fc
@@ -9,7 +9,6 @@
/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
-/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/dmidecode.if b/dmidecode.if
index 41c3f6770..653a1ecbb 100644
--- a/dmidecode.if
+++ b/dmidecode.if
@@ -19,6 +19,25 @@ interface(`dmidecode_domtrans',`
domtrans_pattern($1, dmidecode_exec_t, dmidecode_t)
')
+######################################
+##
+## Execute dmidecode in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dmidecode_exec',`
+ gen_require(`
+ type dmidecode_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, dmidecode_exec_t)
+')
+
########################################
##
## Execute dmidecode in the dmidecode
diff --git a/dmidecode.te b/dmidecode.te
index aa0ef6e94..d55bbd34c 100644
--- a/dmidecode.te
+++ b/dmidecode.te
@@ -31,4 +31,9 @@ mls_file_read_all_levels(dmidecode_t)
locallogin_use_fds(dmidecode_t)
-userdom_use_user_terminals(dmidecode_t)
+userdom_use_inherited_user_terminals(dmidecode_t)
+
+optional_policy(`
+ rhsmcertd_rw_lock_files(dmidecode_t)
+ rhsmcertd_read_log(dmidecode_t)
+')
diff --git a/dnsmasq.fc b/dnsmasq.fc
index 23ab808d8..84735a8cb 100644
--- a/dnsmasq.fc
+++ b/dnsmasq.fc
@@ -1,13 +1,16 @@
/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t,s0)
+/etc/dnsmasq\.d(/.*)? gen_context(system_u:object_r:dnsmasq_etc_t,s0)
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+/usr/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
+
/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
-/var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+/var/log/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
-/var/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+/var/run/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --git a/dnsmasq.if b/dnsmasq.if
index 19aa0b80b..a79982cd6 100644
--- a/dnsmasq.if
+++ b/dnsmasq.if
@@ -10,7 +10,6 @@
##
##
#
-#
interface(`dnsmasq_domtrans',`
gen_require(`
type dnsmasq_exec_t, dnsmasq_t;
@@ -20,6 +19,42 @@ interface(`dnsmasq_domtrans',`
domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
')
+#######################################
+##
+## Execute dnsmasq server in the caller domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`dnsmasq_exec',`
+ gen_require(`
+ type dnsmasq_exec_t;
+ ')
+
+ can_exec($1, dnsmasq_exec_t)
+')
+
+########################################
+##
+## Allow read/write dnsmasq pipes
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dnsmasq_rw_inherited_pipes',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
########################################
##
## Execute the dnsmasq init script in
@@ -40,6 +75,49 @@ interface(`dnsmasq_initrc_domtrans',`
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
')
+########################################
+##
+## Execute dnsmasq server in the dnsmasq domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`dnsmasq_systemctl',`
+ gen_require(`
+ type dnsmasq_unit_file_t;
+ type dnsmasq_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 dnsmasq_unit_file_t:file read_file_perms;
+ allow $1 dnsmasq_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, dnsmasq_t)
+')
+
+########################################
+##
+## Send sigchld to dnsmasq.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`dnsmasq_sigchld',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:process sigchld;
+')
+
########################################
##
## Send generic signals to dnsmasq.
@@ -145,15 +223,16 @@ interface(`dnsmasq_write_config',`
##
##
#
-#
interface(`dnsmasq_delete_pid_files',`
gen_require(`
type dnsmasq_var_run_t;
')
+ files_search_pids($1)
delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
+
########################################
##
## Create, read, write, and delete
@@ -176,7 +255,7 @@ interface(`dnsmasq_manage_pid_files',`
########################################
##
-## Read dnsmasq pid files.
+## Read dnsmasq pid files
##
##
##
@@ -184,12 +263,12 @@ interface(`dnsmasq_manage_pid_files',`
##
##
#
-#
interface(`dnsmasq_read_pid_files',`
gen_require(`
type dnsmasq_var_run_t;
')
+ files_search_pids($1)
read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
@@ -214,37 +293,66 @@ interface(`dnsmasq_create_pid_dirs',`
########################################
##
-## Create specified objects in specified
-## directories with a type transition to
-## the dnsmasq pid file type.
+## Create dnsmasq pid directories.
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Directory to transition on.
-##
-##
-##
+#
+interface(`dnsmasq_read_state',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+ ps_process_pattern($1, dnsmasq_t)
+')
+
+########################################
+##
+## Transition to dnsmasq named content
+##
+##
##
-## The object class of the object being created.
+## Domain allowed access.
##
##
-##
+##
##
-## The name of the object being created.
+## The type of the directory for the object to be created.
##
##
#
-interface(`dnsmasq_spec_filetrans_pid',`
+interface(`dnsmasq_filetrans_named_content_fromdir',`
gen_require(`
type dnsmasq_var_run_t;
')
- filetrans_pattern($1, $2, dnsmasq_var_run_t, $3, $4)
+ filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network")
+ filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid")
+')
+
+#######################################
+##
+## Transition to dnsmasq named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dnsmasq_filetrans_named_content',`
+ gen_require(`
+ type dnsmasq_etc_t;
+ type dnsmasq_var_run_t;
+ ')
+
+ files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")
+ files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
+ virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")
+ files_etc_filetrans($1, dnsmasq_etc_t, file, "dnsmasq.conf")
+ files_etc_filetrans($1, dnsmasq_etc_t, dir, "dnsmasq.d")
')
########################################
@@ -267,12 +375,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
interface(`dnsmasq_admin',`
gen_require(`
type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
- type dnsmasq_initrc_exec_t, dnsmasq_var_log_t;
+ type dnsmasq_var_log_t;
+ type dnsmasq_initrc_exec_t;
+ type dnsmasq_unit_file_t;
')
- allow $1 dnsmasq_t:process { ptrace signal_perms };
+ allow $1 dnsmasq_t:process signal_perms;
ps_process_pattern($1, dnsmasq_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 dnsmasq_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dnsmasq_initrc_exec_t system_r;
@@ -281,9 +395,36 @@ interface(`dnsmasq_admin',`
files_list_var_lib($1)
admin_pattern($1, dnsmasq_lease_t)
- logging_seearch_logs($1)
+ logging_search_logs($1)
admin_pattern($1, dnsmasq_var_log_t)
files_list_pids($1)
admin_pattern($1, dnsmasq_var_run_t)
+
+ dnsmasq_systemctl($1)
+ admin_pattern($1, dnsmasq_unit_file_t)
+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
+')
+
+########################################
+##
+## Send and receive messages from
+## dnsmasq over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dnsmasq_dbus_chat',`
+ gen_require(`
+ type dnsmasq_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 dnsmasq_t:dbus send_msg;
+ allow dnsmasq_t $1:dbus send_msg;
')
+
+
diff --git a/dnsmasq.te b/dnsmasq.te
index 37a3b7b30..67fa8a1a3 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -24,12 +24,18 @@ logging_log_file(dnsmasq_var_log_t)
type dnsmasq_var_run_t;
files_pid_file(dnsmasq_var_run_t)
+type dnsmasq_unit_file_t;
+systemd_unit_file(dnsmasq_unit_file_t)
+
+type dnsmasq_tmp_t;
+files_tmp_file(dnsmasq_tmp_t)
+
########################################
#
# Local policy
#
-allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_raw };
+allow dnsmasq_t self:capability { chown dac_read_search dac_override net_admin setgid setuid net_raw };
dontaudit dnsmasq_t self:capability sys_tty_config;
allow dnsmasq_t self:process { getcap setcap signal_perms };
allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
@@ -38,6 +44,7 @@ allow dnsmasq_t self:packet_socket create_socket_perms;
allow dnsmasq_t self:rawip_socket create_socket_perms;
read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
+list_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
@@ -51,12 +58,19 @@ manage_dirs_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
+manage_dirs_pattern(dnsmasq_t, dnsmasq_tmp_t, dnsmasq_tmp_t)
+manage_files_pattern(dnsmasq_t, dnsmasq_tmp_t, dnsmasq_tmp_t)
+files_tmp_filetrans(dnsmasq_t, dnsmasq_tmp_t, { file dir })
+
kernel_read_kernel_sysctls(dnsmasq_t)
+kernel_read_net_sysctls(dnsmasq_t)
kernel_read_network_state(dnsmasq_t)
kernel_read_system_state(dnsmasq_t)
kernel_request_load_module(dnsmasq_t)
-corenet_all_recvfrom_unlabeled(dnsmasq_t)
+corecmd_exec_bin(dnsmasq_t)
+corecmd_exec_shell(dnsmasq_t)
+
corenet_all_recvfrom_netlabel(dnsmasq_t)
corenet_tcp_sendrecv_generic_if(dnsmasq_t)
corenet_udp_sendrecv_generic_if(dnsmasq_t)
@@ -80,15 +94,16 @@ dev_read_urand(dnsmasq_t)
domain_use_interactive_fds(dnsmasq_t)
files_read_etc_runtime_files(dnsmasq_t)
+files_manage_mnt_files(dnsmasq_t)
fs_getattr_all_fs(dnsmasq_t)
fs_search_auto_mountpoints(dnsmasq_t)
auth_use_nsswitch(dnsmasq_t)
-logging_send_syslog_msg(dnsmasq_t)
+libs_exec_ldconfig(dnsmasq_t)
-miscfiles_read_localization(dnsmasq_t)
+logging_send_syslog_msg(dnsmasq_t)
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
@@ -97,13 +112,26 @@ optional_policy(`
cobbler_read_lib_files(dnsmasq_t)
')
+optional_policy(`
+ cron_manage_pid_files(dnsmasq_t)
+')
+
optional_policy(`
dbus_connect_system_bus(dnsmasq_t)
dbus_system_bus_client(dnsmasq_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(dnsmasq_t)
+ ')
')
optional_policy(`
- networkmanager_read_pid_files(dnsmasq_t)
+ dnsmasq_domtrans(dnsmasq_t)
+')
+
+optional_policy(`
+ networkmanager_read_conf(dnsmasq_t)
+ networkmanager_manage_pid_files(dnsmasq_t)
')
optional_policy(`
@@ -124,6 +152,18 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
+ virt_read_lib_files(dnsmasq_t)
virt_read_pid_files(dnsmasq_t)
virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
')
+
+optional_policy(`
+ neutron_manage_lib_files(dnsmasq_t)
+ neutron_stream_connect(dnsmasq_t)
+ neutron_rw_fifo_file(dnsmasq_t)
+ neutron_sigchld(dnsmasq_t)
+')
+
+optional_policy(`
+ systemd_resolved_read_pid(dnsmasq_t)
+')
diff --git a/dnssec.fc b/dnssec.fc
new file mode 100644
index 000000000..1714fa661
--- /dev/null
+++ b/dnssec.fc
@@ -0,0 +1,6 @@
+/usr/lib/systemd/system/dnssec-triggerd.* -- gen_context(system_u:object_r:dnssec_trigger_unit_file_t,s0)
+
+/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
+/usr/libexec/dnssec-trigger-script -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
+
+/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
diff --git a/dnssec.if b/dnssec.if
new file mode 100644
index 000000000..a846ce030
--- /dev/null
+++ b/dnssec.if
@@ -0,0 +1,104 @@
+
+## policy for dnssec_trigger
+
+########################################
+##
+## Transition to dnssec_trigger.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`dnssec_trigger_domtrans',`
+ gen_require(`
+ type dnssec_trigger_t, dnssec_trigger_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dnssec_trigger_exec_t, dnssec_trigger_t)
+')
+########################################
+##
+## Read dnssec_trigger PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dnssec_trigger_read_pid_files',`
+ gen_require(`
+ type dnssec_trigger_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 dnssec_trigger_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Manage dnssec_trigger PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dnssec_trigger_manage_pid_files',`
+ gen_require(`
+ type dnssec_trigger_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+ manage_files_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+ manage_lnk_files_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+')
+
+
+########################################
+##
+## Send signull to dnssec_trigger.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`dnssec_trigger_signull',`
+ gen_require(`
+ type dnssec_trigger_t;
+ ')
+
+ allow $1 dnssec_trigger_t:process signull;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an dnssec_trigger environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dnssec_trigger_admin',`
+ gen_require(`
+ type dnssec_trigger_t;
+ type dnssec_trigger_var_run_t;
+ ')
+
+ allow $1 dnssec_trigger_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dnssec_trigger_t)
+
+ files_search_pids($1)
+ admin_pattern($1, dnssec_trigger_var_run_t)
+')
diff --git a/dnssec.te b/dnssec.te
new file mode 100644
index 000000000..bc3fac51c
--- /dev/null
+++ b/dnssec.te
@@ -0,0 +1,81 @@
+policy_module(dnssec, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type dnssec_trigger_t;
+type dnssec_trigger_exec_t;
+init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t)
+
+type dnssec_trigger_unit_file_t;
+systemd_unit_file(dnssec_trigger_unit_file_t)
+
+type dnssec_trigger_var_run_t;
+files_pid_file(dnssec_trigger_var_run_t)
+
+type dnssec_trigger_tmp_t;
+files_tmp_file(dnssec_trigger_tmp_t)
+
+########################################
+#
+# dnssec_trigger local policy
+#
+allow dnssec_trigger_t self:capability { net_admin linux_immutable };
+allow dnssec_trigger_t self:process signal;
+allow dnssec_trigger_t self:fifo_file rw_fifo_file_perms;
+allow dnssec_trigger_t self:unix_stream_socket create_stream_socket_perms;
+allow dnssec_trigger_t self:tcp_socket create_stream_socket_perms;
+allow dnssec_trigger_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+allow dnssec_trigger_t dnssec_trigger_var_run_t:file relabelfrom_file_perms;
+files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file })
+
+manage_files_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t)
+manage_dirs_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t)
+files_tmp_filetrans(dnssec_trigger_t,dnssec_trigger_tmp_t,{ file dir })
+
+kernel_read_system_state(dnssec_trigger_t)
+
+corecmd_exec_bin(dnssec_trigger_t)
+corecmd_exec_shell(dnssec_trigger_t)
+
+corenet_tcp_bind_generic_node(dnssec_trigger_t)
+corenet_tcp_bind_dnssec_port(dnssec_trigger_t)
+corenet_tcp_connect_rndc_port(dnssec_trigger_t)
+corenet_tcp_connect_http_port(dnssec_trigger_t)
+
+dev_read_urand(dnssec_trigger_t)
+
+domain_use_interactive_fds(dnssec_trigger_t)
+
+files_read_etc_runtime_files(dnssec_trigger_t)
+files_dontaudit_list_tmp(dnssec_trigger_t)
+
+logging_send_syslog_msg(dnssec_trigger_t)
+
+auth_use_nsswitch(dnssec_trigger_t)
+
+sysnet_dns_name_resolve(dnssec_trigger_t)
+sysnet_manage_config(dnssec_trigger_t)
+sysnet_filetrans_named_content(dnssec_trigger_t)
+
+optional_policy(`
+ dbus_system_bus_client(dnssec_trigger_t)
+')
+
+optional_policy(`
+ bind_domtrans(dnssec_trigger_t)
+ bind_read_config(dnssec_trigger_t)
+ bind_read_dnssec_keys(dnssec_trigger_t)
+')
+
+optional_policy(`
+ networkmanager_stream_connect(dnssec_trigger_t)
+ networkmanager_sigchld(dnssec_trigger_t)
+ networkmanager_sigkill(dnssec_trigger_t)
+ networkmanager_signull(dnssec_trigger_t)
+')
diff --git a/dnssectrigger.te b/dnssectrigger.te
index c7bb4e782..e6fe2f402 100644
--- a/dnssectrigger.te
+++ b/dnssectrigger.te
@@ -67,8 +67,6 @@ files_read_etc_runtime_files(dnssec_triggerd_t)
logging_send_syslog_msg(dnssec_triggerd_t)
-miscfiles_read_localization(dnssec_triggerd_t)
-
sysnet_dns_name_resolve(dnssec_triggerd_t)
sysnet_manage_config(dnssec_triggerd_t)
sysnet_etc_filetrans_config(dnssec_triggerd_t)
diff --git a/dovecot.fc b/dovecot.fc
index c88007004..444805588 100644
--- a/dovecot.fc
+++ b/dovecot.fc
@@ -1,36 +1,48 @@
-/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
-/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
-/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
-/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
-
-/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+#
+# /etc
+#
+/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
+/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
-/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+# Debian uses /etc/dovecot/
+ifdef(`distro_debian',`
+/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
+')
-/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
-/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
+#
+# /usr
+#
+/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
-/etc/ssl/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
-/usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+ifdef(`distro_debian', `
/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-/usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+')
-/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+ifdef(`distro_redhat', `
+/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+')
-/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
-/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+#
+# /var
+#
+/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
-/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
-/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0)
-/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
+/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0)
+/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
-/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
+/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
diff --git a/dovecot.if b/dovecot.if
index d5badb755..c2431fc73 100644
--- a/dovecot.if
+++ b/dovecot.if
@@ -1,29 +1,49 @@
-## POP and IMAP mail server.
+## Dovecot POP and IMAP mail server
+
+######################################
+##
+## Creates types and rules for a basic
+## dovecot daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`dovecot_basic_types_template',`
+ gen_require(`
+ attribute dovecot_domain;
+ ')
+
+ type $1_t, dovecot_domain;
+ type $1_exec_t;
+
+ kernel_read_system_state($1_t)
+')
#######################################
##
-## Connect to dovecot using a unix
-## domain stream socket.
+## Connect to dovecot unix domain stream socket.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
interface(`dovecot_stream_connect',`
- gen_require(`
- type dovecot_t, dovecot_var_run_t;
- ')
+ gen_require(`
+ type dovecot_t, dovecot_var_run_t;
+ ')
- files_search_pids($1)
- stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
+ files_search_pids($1)
+ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
')
########################################
##
-## Connect to dovecot using a unix
-## domain stream socket.
+## Connect to dovecot auth unix domain stream socket.
##
##
##
@@ -43,8 +63,7 @@ interface(`dovecot_stream_connect_auth',`
########################################
##
-## Execute dovecot_deliver in the
-## dovecot_deliver domain.
+## Execute dovecot_deliver in the dovecot_deliver domain.
##
##
##
@@ -57,14 +76,12 @@ interface(`dovecot_domtrans_deliver',`
type dovecot_deliver_t, dovecot_deliver_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
')
########################################
##
-## Create, read, write, and delete
-## dovecot spool files.
+## Create, read, write, and delete the dovecot spool files.
##
##
##
@@ -78,15 +95,13 @@ interface(`dovecot_manage_spool',`
')
files_search_spool($1)
- allow $1 dovecot_spool_t:dir manage_dir_perms;
- allow $1 dovecot_spool_t:file manage_file_perms;
- allow $1 dovecot_spool_t:lnk_file manage_lnk_file_perms;
+ manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+ manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
')
########################################
##
-## Do not audit attempts to delete
-## dovecot lib files.
+## Do not audit attempts to delete dovecot lib files.
##
##
##
@@ -99,12 +114,13 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
type dovecot_var_lib_t;
')
- dontaudit $1 dovecot_var_lib_t:file delete_file_perms;
+ dontaudit $1 dovecot_var_lib_t:file unlink;
')
######################################
##
-## Write inherited dovecot tmp files.
+## Allow attempts to write inherited
+## dovecot tmp files.
##
##
##
@@ -120,10 +136,30 @@ interface(`dovecot_write_inherited_tmp_files',`
allow $1 dovecot_tmp_t:file write;
')
+####################################
+##
+## Read dovecot configuration file.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dovecot_read_config',`
+ gen_require(`
+ type dovecot_etc_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, dovecot_etc_t, dovecot_etc_t)
+ read_files_pattern($1, dovecot_etc_t, dovecot_etc_t)
+')
+
########################################
##
-## All of the rules required to
-## administrate an dovecot environment.
+## All of the rules required to administrate
+## an dovecot environment
##
##
##
@@ -132,7 +168,7 @@ interface(`dovecot_write_inherited_tmp_files',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the dovecot domain.
##
##
##
@@ -146,9 +182,13 @@ interface(`dovecot_admin',`
type dovecot_keytab_t;
')
- allow $1 dovecot_t:process { ptrace signal_perms };
+ allow $1 dovecot_t:process signal_perms;
ps_process_pattern($1, dovecot_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 dovecot_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dovecot_initrc_exec_t system_r;
@@ -157,20 +197,25 @@ interface(`dovecot_admin',`
files_list_etc($1)
admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
- logging_list_logs($1)
- admin_pattern($1, dovecot_var_log_t)
+ files_list_tmp($1)
+ admin_pattern($1, dovecot_auth_tmp_t)
+ admin_pattern($1, dovecot_tmp_t)
+
+ admin_pattern($1, dovecot_keytab_t)
files_list_spool($1)
admin_pattern($1, dovecot_spool_t)
- files_search_tmp($1)
- admin_pattern($1, { dovecot_tmp_t dovecot_auth_tmp_t dovecot_deliver_tmp_t })
-
files_list_var_lib($1)
admin_pattern($1, dovecot_var_lib_t)
+ logging_search_logs($1)
+ admin_pattern($1, dovecot_var_log_t)
+
files_list_pids($1)
admin_pattern($1, dovecot_var_run_t)
- admin_pattern($1, { dovecot_cert_t dovecot_passwd_t })
+ admin_pattern($1, dovecot_cert_t)
+
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
index 0aabc7e66..641a03465 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1)
attribute dovecot_domain;
-type dovecot_t, dovecot_domain;
-type dovecot_exec_t;
+dovecot_basic_types_template(dovecot)
init_daemon_domain(dovecot_t, dovecot_exec_t)
-type dovecot_auth_t, dovecot_domain;
-type dovecot_auth_exec_t;
+dovecot_basic_types_template(dovecot_auth)
domain_type(dovecot_auth_t)
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
@@ -23,8 +21,7 @@ files_tmp_file(dovecot_auth_tmp_t)
type dovecot_cert_t;
miscfiles_cert_type(dovecot_cert_t)
-type dovecot_deliver_t, dovecot_domain;
-type dovecot_deliver_exec_t;
+dovecot_basic_types_template(dovecot_deliver)
domain_type(dovecot_deliver_t)
domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
role system_r types dovecot_deliver_t;
@@ -45,11 +42,12 @@ type dovecot_passwd_t;
files_type(dovecot_passwd_t)
type dovecot_spool_t;
-files_type(dovecot_spool_t)
+files_spool_file(dovecot_spool_t)
type dovecot_tmp_t;
files_tmp_file(dovecot_tmp_t)
+# /var/lib/dovecot holds SSL parameters file
type dovecot_var_lib_t;
files_type(dovecot_var_lib_t)
@@ -59,20 +57,20 @@ logging_log_file(dovecot_var_log_t)
type dovecot_var_run_t;
files_pid_file(dovecot_var_run_t)
-########################################
+#######################################
#
-# Common local policy
+# dovecot domain local policy
#
-allow dovecot_domain self:capability2 block_suspend;
-allow dovecot_domain self:fifo_file rw_fifo_file_perms;
+allow dovecot_domain self:capability sys_resource;
+dontaudit dovecot_domain self:capability2 block_suspend;
+allow dovecot_domain self:process signal_perms;
-allow dovecot_domain dovecot_etc_t:dir list_dir_perms;
-allow dovecot_domain dovecot_etc_t:file read_file_perms;
-allow dovecot_domain dovecot_etc_t:lnk_file read_lnk_file_perms;
+allow dovecot_domain self:unix_dgram_socket create_socket_perms;
+allow dovecot_domain self:fifo_file rw_fifo_file_perms;
kernel_read_all_sysctls(dovecot_domain)
-kernel_read_system_state(dovecot_domain)
+kernel_read_network_state(dovecot_domain)
corecmd_exec_bin(dovecot_domain)
corecmd_exec_shell(dovecot_domain)
@@ -81,26 +79,34 @@ dev_read_sysfs(dovecot_domain)
dev_read_rand(dovecot_domain)
dev_read_urand(dovecot_domain)
+# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
files_read_etc_runtime_files(dovecot_domain)
-logging_send_syslog_msg(dovecot_domain)
-
-miscfiles_read_localization(dovecot_domain)
-
########################################
#
-# Local policy
+# dovecot local policy
#
-allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot };
+allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot sys_resource };
dontaudit dovecot_t self:capability sys_tty_config;
allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
-allow dovecot_t self:tcp_socket { accept listen };
-allow dovecot_t self:unix_stream_socket { accept connectto listen };
+allow dovecot_t self:tcp_socket create_stream_socket_perms;
+allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+
+allow dovecot_t dovecot_auth_t:process signal;
allow dovecot_t dovecot_cert_t:dir list_dir_perms;
-allow dovecot_t dovecot_cert_t:file read_file_perms;
-allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms;
+read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+
+allow dovecot_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
+files_search_etc(dovecot_t)
+
+can_exec(dovecot_t, dovecot_exec_t)
allow dovecot_t dovecot_keytab_t:file read_file_perms;
@@ -108,12 +114,13 @@ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
+# Allow dovecot to create and read SSL parameters file
manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
+files_search_var_lib(dovecot_t)
+files_read_var_symlinks(dovecot_t)
manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
-append_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
-create_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
-setattr_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
@@ -125,45 +132,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
-
-can_exec(dovecot_t, dovecot_exec_t)
-
-allow dovecot_t dovecot_auth_t:process signal;
-
-domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file sock_file })
-corenet_all_recvfrom_unlabeled(dovecot_t)
corenet_all_recvfrom_netlabel(dovecot_t)
corenet_tcp_sendrecv_generic_if(dovecot_t)
corenet_tcp_sendrecv_generic_node(dovecot_t)
corenet_tcp_sendrecv_all_ports(dovecot_t)
corenet_tcp_bind_generic_node(dovecot_t)
-
-corenet_sendrecv_mail_server_packets(dovecot_t)
corenet_tcp_bind_mail_port(dovecot_t)
-corenet_sendrecv_pop_server_packets(dovecot_t)
corenet_tcp_bind_pop_port(dovecot_t)
-corenet_sendrecv_sieve_server_packets(dovecot_t)
+corenet_tcp_bind_lmtp_port(dovecot_t)
corenet_tcp_bind_sieve_port(dovecot_t)
-
-corenet_sendrecv_all_client_packets(dovecot_t)
corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
+corenet_sendrecv_pop_server_packets(dovecot_t)
+corenet_sendrecv_all_client_packets(dovecot_t)
+
+fs_getattr_all_fs(dovecot_t)
+fs_getattr_all_dirs(dovecot_t)
+fs_search_auto_mountpoints(dovecot_t)
+fs_list_inotifyfs(dovecot_t)
domain_use_interactive_fds(dovecot_t)
-files_read_var_lib_files(dovecot_t)
-files_read_var_symlinks(dovecot_t)
files_search_spool(dovecot_t)
+files_search_tmp(dovecot_t)
files_dontaudit_list_default(dovecot_t)
files_dontaudit_search_all_dirs(dovecot_t)
files_search_all_mountpoints(dovecot_t)
-
-fs_getattr_all_fs(dovecot_t)
-fs_getattr_all_dirs(dovecot_t)
-fs_search_auto_mountpoints(dovecot_t)
-fs_list_inotifyfs(dovecot_t)
+files_read_var_lib_files(dovecot_t)
init_getattr_utmp(dovecot_t)
@@ -171,45 +168,45 @@ auth_use_nsswitch(dovecot_t)
miscfiles_read_generic_certs(dovecot_t)
-userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
-userdom_use_user_terminals(dovecot_t)
+logging_send_syslog_msg(dovecot_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(dovecot_t)
- fs_manage_nfs_files(dovecot_t)
- fs_manage_nfs_symlinks(dovecot_t)
-')
+userdom_home_manager(dovecot_t)
+userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
+userdom_manage_user_home_content_dirs(dovecot_t)
+userdom_manage_user_home_content_files(dovecot_t)
+userdom_manage_user_home_content_symlinks(dovecot_t)
+userdom_manage_user_home_content_pipes(dovecot_t)
+userdom_manage_user_home_content_sockets(dovecot_t)
+userdom_filetrans_home_content(dovecot_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(dovecot_t)
- fs_manage_cifs_files(dovecot_t)
- fs_manage_cifs_symlinks(dovecot_t)
+optional_policy(`
+ mta_manage_home_rw(dovecot_t)
+ mta_mmap_home_rw(dovecot_t)
+ mta_manage_spool(dovecot_t)
')
optional_policy(`
kerberos_manage_host_rcache(dovecot_t)
kerberos_read_keytab(dovecot_t)
- kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")
+ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
kerberos_use(dovecot_t)
')
optional_policy(`
- mta_manage_spool(dovecot_t)
- mta_manage_mail_home_rw_content(dovecot_t)
- mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
- mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
+ gnome_manage_data(dovecot_t)
')
optional_policy(`
- postgresql_stream_connect(dovecot_t)
+ postfix_manage_private_sockets(dovecot_t)
+ postfix_search_spool(dovecot_t)
')
optional_policy(`
- postfix_manage_private_sockets(dovecot_t)
- postfix_search_spool(dovecot_t)
+ postgresql_stream_connect(dovecot_t)
')
optional_policy(`
+ # Handle sieve scripts
sendmail_domtrans(dovecot_t)
')
@@ -227,103 +224,155 @@ optional_policy(`
########################################
#
-# Auth local policy
+# dovecot auth local policy
#
-allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
+allow dovecot_auth_t self:capability { chown dac_read_search dac_override ipc_lock setgid setuid sys_nice };
allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
-allow dovecot_auth_t self:unix_stream_socket { accept connectto listen };
+allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
+read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+
+manage_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+manage_fifo_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
-allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
+dovecot_stream_connect_auth(dovecot_auth_t)
-files_search_pids(dovecot_auth_t)
-files_read_usr_files(dovecot_auth_t)
-files_read_var_lib_files(dovecot_auth_t)
+corecmd_exec_bin(dovecot_auth_t)
+
+logging_send_audit_msgs(dovecot_auth_t)
auth_domtrans_chk_passwd(dovecot_auth_t)
auth_use_nsswitch(dovecot_auth_t)
-init_rw_utmp(dovecot_auth_t)
+logging_send_syslog_msg(dovecot_auth_t)
-logging_send_audit_msgs(dovecot_auth_t)
+files_search_pids(dovecot_auth_t)
+files_read_usr_symlinks(dovecot_auth_t)
+files_read_var_lib_files(dovecot_auth_t)
+files_search_tmp(dovecot_auth_t)
-seutil_dontaudit_search_config(dovecot_auth_t)
+fs_getattr_xattr_fs(dovecot_auth_t)
+
+init_rw_utmp(dovecot_auth_t)
+init_stream_connect(dovecot_auth_t)
sysnet_use_ldap(dovecot_auth_t)
+systemd_login_read_pid_files(dovecot_auth_t)
+systemd_dbus_chat_logind(dovecot_auth_t)
+systemd_write_inherited_logind_sessions_pipes(dovecot_auth_t)
+
+userdom_getattr_user_home_dirs(dovecot_auth_t)
+
optional_policy(`
+ kerberos_use(dovecot_auth_t)
+
+ # for gssapi (kerberos)
userdom_list_user_tmp(dovecot_auth_t)
userdom_read_user_tmp_files(dovecot_auth_t)
userdom_read_user_tmp_symlinks(dovecot_auth_t)
')
optional_policy(`
+ mysql_search_db(dovecot_auth_t)
mysql_stream_connect(dovecot_auth_t)
mysql_read_config(dovecot_auth_t)
mysql_tcp_connect(dovecot_auth_t)
+ mysql_rw_db_sockets(dovecot_auth_t)
')
optional_policy(`
nis_authenticate(dovecot_auth_t)
')
+optional_policy(`
+ dbus_system_bus_client(dovecot_auth_t)
+ optional_policy(`
+ oddjob_dbus_chat(dovecot_auth_t)
+ oddjob_domtrans_mkhomedir(dovecot_auth_t)
+ ')
+')
+
optional_policy(`
postfix_manage_private_sockets(dovecot_auth_t)
+ postfix_rw_inherited_master_pipes(dovecot_deliver_t)
postfix_search_spool(dovecot_auth_t)
')
########################################
#
-# Deliver local policy
+# dovecot deliver local policy
#
+allow dovecot_deliver_t dovecot_t:process signull;
+
+allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
-append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+manage_dirs_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+manage_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+logging_log_filetrans(dovecot_deliver_t, dovecot_var_log_t, { file dir })
manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
-allow dovecot_deliver_t dovecot_var_run_t:file read_file_perms;
-allow dovecot_deliver_t dovecot_var_run_t:sock_file read_sock_file_perms;
-
-stream_connect_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t, { dovecot_t dovecot_auth_t })
+read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
+read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
+dovecot_stream_connect(dovecot_deliver_t)
can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
-allow dovecot_deliver_t dovecot_t:process signull;
+auth_use_nsswitch(dovecot_deliver_t)
-fs_getattr_all_fs(dovecot_deliver_t)
+logging_append_all_logs(dovecot_deliver_t)
+logging_send_syslog_msg(dovecot_deliver_t)
-auth_use_nsswitch(dovecot_deliver_t)
+dovecot_stream_connect_auth(dovecot_deliver_t)
-logging_search_logs(dovecot_deliver_t)
+files_search_tmp(dovecot_deliver_t)
+files_dontaudit_getattr_all_dirs(dovecot_deliver_t)
+files_search_all_mountpoints(dovecot_deliver_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(dovecot_deliver_t)
- fs_manage_nfs_files(dovecot_deliver_t)
- fs_manage_nfs_symlinks(dovecot_deliver_t)
-')
+fs_getattr_all_fs(dovecot_deliver_t)
+fs_dontaudit_getattr_all_fs(dovecot_deliver_t)
+fs_dontaudit_getattr_all_dirs(dovecot_deliver_t)
+fs_dontaudit_search_cgroup_dirs(dovecot_deliver_t)
+
+userdom_manage_user_home_content_dirs(dovecot_deliver_t)
+userdom_manage_user_home_content_files(dovecot_deliver_t)
+userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
+userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+userdom_manage_user_home_content_sockets(dovecot_deliver_t)
+userdom_filetrans_home_content(dovecot_deliver_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(dovecot_deliver_t)
- fs_manage_cifs_files(dovecot_deliver_t)
- fs_manage_cifs_symlinks(dovecot_deliver_t)
+userdom_home_manager(dovecot_deliver_t)
+
+optional_policy(`
+ gnome_manage_data(dovecot_deliver_t)
')
optional_policy(`
mta_mailserver_delivery(dovecot_deliver_t)
+ mta_mmap_home_rw(dovecot_deliver_t)
+ mta_manage_spool(dovecot_deliver_t)
mta_read_queue(dovecot_deliver_t)
')
@@ -332,5 +381,6 @@ optional_policy(`
')
optional_policy(`
+ # Handle sieve scripts
sendmail_domtrans(dovecot_deliver_t)
')
diff --git a/dpkg.te b/dpkg.te
index 50af48c89..5ab49010f 100644
--- a/dpkg.te
+++ b/dpkg.te
@@ -49,7 +49,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t)
# Local policy
#
-allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
+allow dpkg_t self:capability { chown dac_read_search dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
allow dpkg_t self:process { setpgid fork getsched setfscreate };
allow dpkg_t self:fd use;
allow dpkg_t self:fifo_file rw_fifo_file_perms;
diff --git a/drbd.fc b/drbd.fc
index 671a3fb6f..47b4958d0 100644
--- a/drbd.fc
+++ b/drbd.fc
@@ -3,7 +3,7 @@
/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
-/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)
+/usr/lib/ocf/resource\.d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)
/usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
/usr/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
@@ -11,3 +11,5 @@
/var/lib/drbd(/.*)? gen_context(system_u:object_r:drbd_var_lib_t,s0)
/var/lock/subsys/drbd -- gen_context(system_u:object_r:drbd_lock_t,s0)
+
+/var/run/drbd(/.*)? gen_context(system_u:object_r:drbd_var_run_t,s0)
diff --git a/drbd.if b/drbd.if
index 9a2163936..26c59868b 100644
--- a/drbd.if
+++ b/drbd.if
@@ -2,12 +2,11 @@
########################################
##
-## Execute a domain transition to
-## run drbd.
+## Execute a domain transition to run drbd.
##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
##
##
#
@@ -16,14 +15,91 @@ interface(`drbd_domtrans',`
type drbd_t, drbd_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, drbd_exec_t, drbd_t)
')
########################################
##
-## All of the rules required to
-## administrate an drbd environment.
+## Search drbd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`drbd_search_lib',`
+ gen_require(`
+ type drbd_var_lib_t;
+ ')
+
+ allow $1 drbd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read drbd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`drbd_read_lib_files',`
+ gen_require(`
+ type drbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## drbd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`drbd_manage_lib_files',`
+ gen_require(`
+ type drbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+########################################
+##
+## Manage drbd lib dirs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`drbd_manage_lib_dirs',`
+ gen_require(`
+ type drbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an drbd environment
##
##
##
@@ -35,7 +111,6 @@ interface(`drbd_domtrans',`
## Role allowed access.
##
##
-##
#
interface(`drbd_admin',`
gen_require(`
@@ -43,9 +118,13 @@ interface(`drbd_admin',`
type drbd_var_lib_t;
')
- allow $1 drbd_t:process { ptrace signal_perms };
+ allow $1 drbd_t:process signal_perms;
ps_process_pattern($1, drbd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 drbd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, drbd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 drbd_initrc_exec_t system_r;
@@ -57,3 +136,4 @@ interface(`drbd_admin',`
files_search_var_lib($1)
admin_pattern($1, drbd_var_lib_t)
')
+
diff --git a/drbd.te b/drbd.te
index f2516cc07..af2c2ad81 100644
--- a/drbd.te
+++ b/drbd.te
@@ -18,38 +18,72 @@ files_type(drbd_var_lib_t)
type drbd_lock_t;
files_lock_file(drbd_lock_t)
+type drbd_var_run_t;
+files_pid_file(drbd_var_run_t)
+
+type drbd_tmp_t;
+files_tmp_file(drbd_tmp_t)
+
########################################
#
# Local policy
#
-allow drbd_t self:capability { kill net_admin };
+allow drbd_t self:capability { dac_read_search dac_override kill net_admin sys_admin };
dontaudit drbd_t self:capability sys_tty_config;
allow drbd_t self:fifo_file rw_fifo_file_perms;
allow drbd_t self:unix_stream_socket create_stream_socket_perms;
allow drbd_t self:netlink_socket create_socket_perms;
-allow drbd_t self:netlink_route_socket nlmsg_write;
+allow drbd_t self:netlink_route_socket rw_netlink_socket_perms;
manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
manage_lnk_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir)
+manage_dirs_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t)
+manage_files_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t)
+manage_lnk_files_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t)
+files_pid_filetrans(drbd_t, drbd_var_run_t, { file dir })
+
manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t)
files_lock_filetrans(drbd_t, drbd_lock_t, file)
-can_exec(drbd_t, drbd_exec_t)
+manage_dirs_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t)
+manage_files_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t)
+files_tmp_filetrans(drbd_t, drbd_tmp_t, {file dir})
kernel_read_system_state(drbd_t)
+kernel_load_module(drbd_t)
+
+auth_use_nsswitch(drbd_t)
+
+can_exec(drbd_t, drbd_exec_t)
+
+corecmd_exec_bin(drbd_t)
+
+corenet_tcp_connect_http_port(drbd_t)
dev_read_rand(drbd_t)
dev_read_sysfs(drbd_t)
dev_read_urand(drbd_t)
-files_read_etc_files(drbd_t)
+files_read_kernel_modules(drbd_t)
-storage_raw_read_fixed_disk(drbd_t)
+logging_send_syslog_msg(drbd_t)
+
+fs_getattr_xattr_fs(drbd_t)
-miscfiles_read_localization(drbd_t)
+modutils_read_module_config(drbd_t)
+modutils_exec_insmod(drbd_t)
+
+storage_raw_read_fixed_disk(drbd_t)
+storage_raw_write_fixed_disk(drbd_t)
sysnet_dns_name_resolve(drbd_t)
+
+optional_policy(`
+ rhcs_read_log_cluster(drbd_t)
+ rhcs_rw_cluster_tmpfs(drbd_t)
+ rhcs_manage_cluster_lib_files(drbd_t)
+')
diff --git a/dspam.fc b/dspam.fc
index 5eddac51c..b5fcb7760 100644
--- a/dspam.fc
+++ b/dspam.fc
@@ -2,11 +2,16 @@
/usr/bin/dspam -- gen_context(system_u:object_r:dspam_exec_t,s0)
-/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
+/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:dspam_script_exec_t,s0)
/var/lib/dspam(/.*)? gen_context(system_u:object_r:dspam_var_lib_t,s0)
-/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0)
/var/log/dspam(/.*)? gen_context(system_u:object_r:dspam_log_t,s0)
/var/run/dspam(/.*)? gen_context(system_u:object_r:dspam_var_run_t,s0)
+
+# web
+/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:dspam_script_exec_t,s0)
+/var/www/dspam(/.*?) gen_context(system_u:object_r:dspam_content_t,s0)
+
+/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:dspam_rw_content_t,s0)
diff --git a/dspam.if b/dspam.if
index 18f245250..a446210f0 100644
--- a/dspam.if
+++ b/dspam.if
@@ -1,13 +1,15 @@
-## Content-based spam filter designed for multi-user enterprise systems.
+
+## policy for dspam
+
########################################
##
## Execute a domain transition to run dspam.
##
##
-##
+##
## Domain allowed access.
-##
+##
##
#
interface(`dspam_domtrans',`
@@ -15,35 +17,211 @@ interface(`dspam_domtrans',`
type dspam_t, dspam_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, dspam_exec_t, dspam_t)
')
-#######################################
+
+########################################
##
-## Connect to dspam using a unix
-## domain stream socket.
+## Execute dspam server in the dspam domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`dspam_initrc_domtrans',`
+ gen_require(`
+ type dspam_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, dspam_initrc_exec_t)
+')
+
+########################################
+##
+## Allow the specified domain to read dspam's log files.
##
##
##
## Domain allowed access.
##
##
+##
#
-interface(`dspam_stream_connect',`
+interface(`dspam_read_log',`
+ gen_require(`
+ type dspam_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, dspam_log_t, dspam_log_t)
+')
+
+########################################
+##
+## Allow the specified domain to append
+## dspam log files.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`dspam_append_log',`
+ gen_require(`
+ type dspam_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, dspam_log_t, dspam_log_t)
+')
+
+########################################
+##
+## Allow domain to manage dspam log files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dspam_manage_log',`
+ gen_require(`
+ type dspam_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, dspam_log_t, dspam_log_t)
+ manage_files_pattern($1, dspam_log_t, dspam_log_t)
+ manage_lnk_files_pattern($1, dspam_log_t, dspam_log_t)
+')
+
+########################################
+##
+## Search dspam lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dspam_search_lib',`
+ gen_require(`
+ type dspam_var_lib_t;
+ ')
+
+ allow $1 dspam_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read dspam lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dspam_read_lib_files',`
+ gen_require(`
+ type dspam_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## dspam lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dspam_manage_lib_files',`
+ gen_require(`
+ type dspam_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
+########################################
+##
+## Manage dspam lib dirs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dspam_manage_lib_dirs',`
gen_require(`
- type dspam_t, dspam_var_run_t, dspam_tmp_t;
+ type dspam_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
+
+########################################
+##
+## Read dspam PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dspam_read_pid_files',`
+ gen_require(`
+ type dspam_var_run_t;
')
files_search_pids($1)
+ allow $1 dspam_var_run_t:file read_file_perms;
+')
+
+#######################################
+##
+## Connect to DSPAM using a unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dspam_stream_connect',`
+ gen_require(`
+ type dspam_t, dspam_var_run_t, dspam_tmp_t;
+ ')
+
+ files_search_pids($1)
files_search_tmp($1)
- stream_connect_pattern($1, { dspam_tmp_t dspam_var_run_t }, { dspam_tmp_t dspam_var_run_t }, dspam_t)
+ stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t)
+ stream_connect_pattern($1, dspam_tmp_t, dspam_tmp_t, dspam_t)
')
########################################
##
-## All of the rules required to
-## administrate an dspam environment.
+## All of the rules required to administrate
+## an dspam environment
##
##
##
@@ -59,14 +237,20 @@ interface(`dspam_stream_connect',`
#
interface(`dspam_admin',`
gen_require(`
- type dspam_t, dspam_initrc_exec_t, dspam_log_t;
- type dspam_var_lib_t, dspam_var_run_t;
+ type dspam_t;
+ type dspam_initrc_exec_t;
+ type dspam_log_t;
+ type dspam_var_lib_t;
+ type dspam_var_run_t;
')
- allow $1 dspam_t:process { ptrace signal_perms };
+ allow $1 dspam_t:process signal_perms;
ps_process_pattern($1, dspam_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 dspam_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, dspam_initrc_exec_t)
+ dspam_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 dspam_initrc_exec_t system_r;
allow $2 system_r;
@@ -79,4 +263,5 @@ interface(`dspam_admin',`
files_search_pids($1)
admin_pattern($1, dspam_var_run_t)
+
')
diff --git a/dspam.te b/dspam.te
index ef6236335..6b0dc19d1 100644
--- a/dspam.te
+++ b/dspam.te
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
allow dspam_t self:capability net_admin;
allow dspam_t self:process signal;
+
+allow dspam_t self:tcp_socket { listen accept };
+
allow dspam_t self:fifo_file rw_fifo_file_perms;
allow dspam_t self:unix_stream_socket { accept listen };
@@ -57,6 +60,12 @@ corenet_sendrecv_spamd_server_packets(dspam_t)
corenet_tcp_bind_spamd_port(dspam_t)
corenet_tcp_connect_spamd_port(dspam_t)
corenet_tcp_sendrecv_spamd_port(dspam_t)
+corenet_tcp_bind_lmtp_port(dspam_t)
+corenet_tcp_connect_lmtp_port(dspam_t)
+
+kernel_read_system_state(dspam_t)
+
+corecmd_exec_shell(dspam_t)
files_search_spool(dspam_t)
@@ -64,14 +73,33 @@ auth_use_nsswitch(dspam_t)
logging_send_syslog_msg(dspam_t)
-miscfiles_read_localization(dspam_t)
-
optional_policy(`
apache_content_template(dspam)
+ apache_content_alias_template(dspam, dspam)
+
+ allow dspam_t dspam_rw_content_t:file map;
+ read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
+
+ auth_read_passwd(dspam_script_t)
+
+ files_search_var_lib(dspam_script_t)
+
+ domain_dontaudit_read_all_domains_state(dspam_script_t)
+
+ term_dontaudit_search_ptys(dspam_script_t)
+ term_dontaudit_getattr_all_ttys(dspam_script_t)
+ term_dontaudit_getattr_all_ptys(dspam_script_t)
- list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
- manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
- manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
+ init_read_utmp(dspam_script_t)
+
+ logging_send_syslog_msg(dspam_script_t)
+
+ mta_send_mail(dspam_script_t)
+
+ optional_policy(`
+ mysql_tcp_connect(dspam_script_t)
+ mysql_stream_connect(dspam_script_t)
+ ')
')
optional_policy(`
@@ -87,3 +115,12 @@ optional_policy(`
postgresql_tcp_connect(dspam_t)
')
+
+optional_policy(`
+ postfix_rw_inherited_master_pipes(dspam_t)
+ postfix_list_spool(dspam_t)
+')
+
+optional_policy(`
+ procmail_domtrans(dspam_t)
+')
diff --git a/entropyd.te b/entropyd.te
index b8b8328c0..e3dc7c72c 100644
--- a/entropyd.te
+++ b/entropyd.te
@@ -12,7 +12,7 @@ policy_module(entropyd, 1.8.0)
## the entropy feeds.
##
##
-gen_tunable(entropyd_use_audio, false)
+gen_tunable(entropyd_use_audio, true)
type entropyd_t;
type entropyd_exec_t;
@@ -29,7 +29,7 @@ files_pid_file(entropyd_var_run_t)
# Local policy
#
-allow entropyd_t self:capability { dac_override ipc_lock sys_admin };
+allow entropyd_t self:capability { dac_read_search dac_override ipc_lock sys_admin };
dontaudit entropyd_t self:capability sys_tty_config;
allow entropyd_t self:process signal_perms;
@@ -45,9 +45,6 @@ dev_write_urand(entropyd_t)
dev_read_rand(entropyd_t)
dev_write_rand(entropyd_t)
-files_read_etc_files(entropyd_t)
-files_read_usr_files(entropyd_t)
-
fs_getattr_all_fs(entropyd_t)
fs_search_auto_mountpoints(entropyd_t)
@@ -55,7 +52,7 @@ domain_use_interactive_fds(entropyd_t)
logging_send_syslog_msg(entropyd_t)
-miscfiles_read_localization(entropyd_t)
+auth_use_nsswitch(entropyd_t)
userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
userdom_dontaudit_search_user_home_dirs(entropyd_t)
diff --git a/etcd.fc b/etcd.fc
new file mode 100644
index 000000000..eac30a338
--- /dev/null
+++ b/etcd.fc
@@ -0,0 +1,5 @@
+/usr/lib/systemd/system/etcd.* -- gen_context(system_u:object_r:etcd_unit_file_t,s0)
+
+/usr/bin/etcd -- gen_context(system_u:object_r:etcd_exec_t,s0)
+
+/var/lib/etcd(/.*)? gen_context(system_u:object_r:etcd_var_lib_t,s0)
diff --git a/etcd.if b/etcd.if
new file mode 100644
index 000000000..d1a05a650
--- /dev/null
+++ b/etcd.if
@@ -0,0 +1,161 @@
+## A highly-available key value store for shared configuration.
+
+########################################
+##
+## Execute etcd in the etcd domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`etcd_domtrans',`
+ gen_require(`
+ type etcd_t, etcd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, etcd_exec_t, etcd_t)
+')
+
+########################################
+##
+## Search etcd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`etcd_search_lib',`
+ gen_require(`
+ type etcd_var_lib_t;
+ ')
+
+ allow $1 etcd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read etcd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`etcd_read_lib_files',`
+ gen_require(`
+ type etcd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, etcd_var_lib_t, etcd_var_lib_t)
+')
+
+########################################
+##
+## Manage etcd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`etcd_manage_lib_files',`
+ gen_require(`
+ type etcd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, etcd_var_lib_t, etcd_var_lib_t)
+')
+
+########################################
+##
+## Manage etcd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`etcd_manage_lib_dirs',`
+ gen_require(`
+ type etcd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, etcd_var_lib_t, etcd_var_lib_t)
+')
+
+########################################
+##
+## Execute etcd server in the etcd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`etcd_systemctl',`
+ gen_require(`
+ type etcd_t;
+ type etcd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 etcd_unit_file_t:file read_file_perms;
+ allow $1 etcd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, etcd_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an etcd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`etcd_admin',`
+ gen_require(`
+ type etcd_t;
+ type etcd_var_lib_t;
+ type etcd_unit_file_t;
+ ')
+
+ allow $1 etcd_t:process { signal_perms };
+ ps_process_pattern($1, etcd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 etcd_t:process ptrace;
+ ')
+
+ files_search_var_lib($1)
+ admin_pattern($1, etcd_var_lib_t)
+
+ etcd_systemctl($1)
+ admin_pattern($1, etcd_unit_file_t)
+ allow $1 etcd_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/etcd.te b/etcd.te
new file mode 100644
index 000000000..7cee445f6
--- /dev/null
+++ b/etcd.te
@@ -0,0 +1,42 @@
+policy_module(etcd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type etcd_t;
+type etcd_exec_t;
+init_daemon_domain(etcd_t,etcd_exec_t)
+
+permissive etcd_t;
+
+type etcd_unit_file_t;
+systemd_unit_file(etcd_unit_file_t)
+
+type etcd_var_lib_t;
+files_type(etcd_var_lib_t)
+
+########################################
+#
+# ectd local policy
+#
+
+allow etcd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(etcd_t, etcd_var_lib_t, etcd_var_lib_t)
+manage_files_pattern(etcd_t, etcd_var_lib_t, etcd_var_lib_t)
+manage_lnk_files_pattern(etcd_t, etcd_var_lib_t, etcd_var_lib_t)
+files_var_lib_filetrans(etcd_t, etcd_var_lib_t, dir)
+
+kernel_read_unix_sysctls(etcd_t)
+kernel_read_net_sysctls(etcd_t)
+
+corenet_tcp_bind_generic_node(etcd_t)
+
+corenet_tcp_bind_kubernetes_port(etcd_t)
+corenet_tcp_bind_afs3_callback_port(etcd_t)
+
+fs_getattr_xattr_fs(etcd_t)
+
+logging_send_syslog_msg(etcd_t)
diff --git a/evolution.fc b/evolution.fc
index 597f305da..85206539c 100644
--- a/evolution.fc
+++ b/evolution.fc
@@ -1,5 +1,6 @@
HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.cache/evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
diff --git a/evolution.te b/evolution.te
index c99e07c48..ab9dd9f90 100644
--- a/evolution.te
+++ b/evolution.te
@@ -168,7 +168,6 @@ dev_read_urand(evolution_t)
domain_dontaudit_read_all_domains_state(evolution_t)
-files_read_usr_files(evolution_t)
fs_search_auto_mountpoints(evolution_t)
@@ -187,7 +186,7 @@ userdom_manage_user_tmp_files(evolution_t)
userdom_manage_user_home_content_dirs(evolution_t)
userdom_manage_user_home_content_files(evolution_t)
-userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file })
+userdom_filetrans_home_content(evolution_t)
userdom_write_user_tmp_sockets(evolution_t)
@@ -286,7 +285,6 @@ stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolutio
dev_read_urand(evolution_alarm_t)
-files_read_usr_files(evolution_alarm_t)
fs_search_auto_mountpoints(evolution_alarm_t)
@@ -354,7 +352,6 @@ corecmd_exec_bin(evolution_exchange_t)
dev_read_urand(evolution_exchange_t)
-files_read_usr_files(evolution_exchange_t)
fs_search_auto_mountpoints(evolution_exchange_t)
@@ -423,7 +420,6 @@ corenet_tcp_connect_http_port(evolution_server_t)
dev_read_urand(evolution_server_t)
-files_read_usr_files(evolution_server_t)
fs_search_auto_mountpoints(evolution_server_t)
diff --git a/exim.if b/exim.if
index 9bbc6907a..4a8d0536b 100644
--- a/exim.if
+++ b/exim.if
@@ -21,35 +21,51 @@ interface(`exim_domtrans',`
########################################
##
-## Execute exim in the exim domain,
-## and allow the specified role
-## the exim domain.
+## Execute the mailman program in the mailman domain.
##
##
-##
-## Domain allowed to transition.
-##
+##
+## Domain allowed to transition.
+##
##
##
-##
-## Role allowed access.
-##
+##
+## The role to allow the mailman domain.
+##
##
##
#
interface(`exim_run',`
+ gen_require(`
+ type exim_t;
+ ')
+
+ exim_domtrans($1)
+ role $2 types exim_t;
+')
+
+########################################
+##
+## Execute exim in the exim domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`exim_initrc_domtrans',`
gen_require(`
- attribute_role exim_roles;
+ type exim_initrc_exec_t;
')
- exim_domtrans($1)
- roleattribute $2 exim_roles;
+ init_labeled_script_domtrans($1, exim_initrc_exec_t)
')
########################################
##
-## Do not audit attempts to read exim
-## temporary tmp files.
+## Do not audit attempts to read,
+## exim tmp files
##
##
##
@@ -67,7 +83,7 @@ interface(`exim_dontaudit_read_tmp_files',`
########################################
##
-## Read exim temporary files.
+## Allow domain to read, exim tmp files
##
##
##
@@ -86,7 +102,7 @@ interface(`exim_read_tmp_files',`
########################################
##
-## Read exim pid files.
+## Read exim PID files.
##
##
##
@@ -105,7 +121,7 @@ interface(`exim_read_pid_files',`
########################################
##
-## Read exim log files.
+## Allow the specified domain to read exim's log files.
##
##
##
@@ -125,7 +141,8 @@ interface(`exim_read_log',`
########################################
##
-## Append exim log files.
+## Allow the specified domain to append
+## exim log files.
##
##
##
@@ -144,8 +161,7 @@ interface(`exim_append_log',`
########################################
##
-## Create, read, write, and delete
-## exim log files.
+## Allow the specified domain to manage exim's log files.
##
##
##
@@ -166,7 +182,7 @@ interface(`exim_manage_log',`
########################################
##
## Create, read, write, and delete
-## exim spool directories.
+## exim spool dirs.
##
##
##
@@ -276,7 +292,6 @@ interface(`exim_manage_var_lib_files',`
## Role allowed access.
##
##
-##
#
interface(`exim_admin',`
gen_require(`
@@ -285,10 +300,14 @@ interface(`exim_admin',`
type exim_keytab_t;
')
- allow $1 exim_t:process { ptrace signal_perms };
+ allow $1 exim_t:process signal_perms;
ps_process_pattern($1, exim_t)
- init_labeled_script_domtrans($1, exim_initrc_exec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 exim_t:process ptrace;
+ ')
+
+ exim_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 exim_initrc_exec_t system_r;
allow $2 system_r;
diff --git a/exim.te b/exim.te
index 4086c51b9..3e7a99099 100644
--- a/exim.te
+++ b/exim.te
@@ -55,7 +55,7 @@ type exim_log_t;
logging_log_file(exim_log_t)
type exim_spool_t;
-files_type(exim_spool_t)
+files_spool_file(exim_spool_t)
type exim_tmp_t;
files_tmp_file(exim_tmp_t)
@@ -105,11 +105,10 @@ can_exec(exim_t, exim_exec_t)
kernel_read_crypto_sysctls(exim_t)
kernel_read_kernel_sysctls(exim_t)
kernel_read_network_state(exim_t)
-kernel_dontaudit_read_system_state(exim_t)
+kernel_read_system_state(exim_t)
corecmd_search_bin(exim_t)
-corenet_all_recvfrom_unlabeled(exim_t)
corenet_all_recvfrom_netlabel(exim_t)
corenet_tcp_sendrecv_generic_if(exim_t)
corenet_udp_sendrecv_generic_if(exim_t)
@@ -151,10 +150,10 @@ fs_getattr_xattr_fs(exim_t)
fs_list_inotifyfs(exim_t)
auth_use_nsswitch(exim_t)
+auth_domtrans_chk_passwd(exim_t)
logging_send_syslog_msg(exim_t)
-miscfiles_read_localization(exim_t)
miscfiles_read_generic_certs(exim_t)
userdom_dontaudit_search_user_home_dirs(exim_t)
@@ -170,9 +169,9 @@ tunable_policy(`exim_can_connect_db',`
corenet_sendrecv_mssql_client_packets(exim_t)
corenet_tcp_connect_mssql_port(exim_t)
corenet_tcp_sendrecv_mssql_port(exim_t)
- corenet_sendrecv_oracledb_client_packets(exim_t)
- corenet_tcp_connect_oracledb_port(exim_t)
- corenet_tcp_sendrecv_oracledb_port(exim_t)
+ corenet_sendrecv_oracle_client_packets(exim_t)
+ corenet_tcp_connect_oracle_port(exim_t)
+ corenet_tcp_sendrecv_oracle_port(exim_t)
')
tunable_policy(`exim_read_user_files',`
@@ -186,8 +185,8 @@ tunable_policy(`exim_manage_user_files',`
')
optional_policy(`
- clamav_domtrans_clamscan(exim_t)
- clamav_stream_connect(exim_t)
+ antivirus_domtrans(exim_t)
+ antivirus_stream_connect(exim_t)
')
optional_policy(`
@@ -209,11 +208,6 @@ optional_policy(`
kerberos_use(exim_t)
')
-optional_policy(`
- mailman_read_data_files(exim_t)
- mailman_domtrans(exim_t)
-')
-
optional_policy(`
nagios_search_spool(exim_t)
')
@@ -236,6 +230,7 @@ optional_policy(`
optional_policy(`
procmail_domtrans(exim_t)
+ procmail_read_home_files(exim_t)
')
optional_policy(`
diff --git a/fail2ban.if b/fail2ban.if
index 50d0084d4..94e193606 100644
--- a/fail2ban.if
+++ b/fail2ban.if
@@ -19,57 +19,57 @@ interface(`fail2ban_domtrans',`
domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
')
-########################################
+#######################################
##
-## Execute the fail2ban client in
-## the fail2ban client domain.
+## Execute the fail2ban client in
+## the fail2ban client domain.
##
##
-##
-## Domain allowed to transition.
-##
+##
+## Domain allowed to transition.
+##
##
#
interface(`fail2ban_domtrans_client',`
- gen_require(`
- type fail2ban_client_t, fail2ban_client_exec_t;
- ')
+ gen_require(`
+ type fail2ban_client_t, fail2ban_client_exec_t;
+ ')
- corecmd_search_bin($1)
- domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
')
-########################################
+#######################################
##
-## Execute fail2ban client in the
-## fail2ban client domain, and allow
-## the specified role the fail2ban
-## client domain.
+## Execute fail2ban client in the
+## fail2ban client domain, and allow
+## the specified role the fail2ban
+## client domain.
##
##
-##
-## Domain allowed to transition.
-##
+##
+## Domain allowed to transition.
+##
##
##
-##
-## Role allowed access.
-##
+##
+## Role allowed access.
+##
##
#
interface(`fail2ban_run_client',`
- gen_require(`
- attribute_role fail2ban_client_roles;
- ')
+ gen_require(`
+ attribute_role fail2ban_client_roles;
+ ')
- fail2ban_domtrans_client($1)
- roleattribute $2 fail2ban_client_roles;
+ fail2ban_domtrans_client($1)
+ roleattribute $2 fail2ban_client_roles;
')
#####################################
##
-## Connect to fail2ban over a
-## unix domain stream socket.
+## Connect to fail2ban over a unix domain
+## stream socket.
##
##
##
@@ -102,64 +102,63 @@ interface(`fail2ban_rw_inherited_tmp_files',`
')
files_search_tmp($1)
- allow $1 fail2ban_tmp_t:file { read write };
+ allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
')
########################################
##
-## Do not audit attempts to use
-## fail2ban file descriptors.
+## Read and write to an fail2ba unix stream socket.
##
##
##
-## Domain to not audit.
+## Domain allowed access.
##
##
#
-interface(`fail2ban_dontaudit_use_fds',`
+interface(`fail2ban_rw_stream_sockets',`
gen_require(`
type fail2ban_t;
')
- dontaudit $1 fail2ban_t:fd use;
+ allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
')
-########################################
+#######################################
##
-## Do not audit attempts to read and
-## write fail2ban unix stream sockets
+## Do not audit attempts to use
+## fail2ban file descriptors.
##
##
-##
-## Domain to not audit.
-##
+##
+## Domain to not audit.
+##
##
#
-interface(`fail2ban_dontaudit_rw_stream_sockets',`
- gen_require(`
- type fail2ban_t;
- ')
+interface(`fail2ban_dontaudit_use_fds',`
+ gen_require(`
+ type fail2ban_t;
+ ')
- dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+ dontaudit $1 fail2ban_t:fd use;
')
-########################################
+#######################################
##
-## Read and write fail2ban unix
-## stream sockets.
+## Do not audit attempts to read and
+## write fail2ban unix stream sockets
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain to not audit.
+##
##
#
-interface(`fail2ban_rw_stream_sockets',`
- gen_require(`
- type fail2ban_t;
- ')
+interface(`fail2ban_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type fail2ban_t;
+ ')
- allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
+ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
')
########################################
@@ -178,12 +177,12 @@ interface(`fail2ban_read_lib_files',`
')
files_search_var_lib($1)
- allow $1 fail2ban_var_lib_t:file read_file_perms;
+ read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
')
########################################
##
-## Read fail2ban log files.
+## Allow the specified domain to read fail2ban's log files.
##
##
##
@@ -198,12 +197,14 @@ interface(`fail2ban_read_log',`
')
logging_search_logs($1)
+ allow $1 fail2ban_log_t:dir list_dir_perms;
allow $1 fail2ban_log_t:file read_file_perms;
')
########################################
##
-## Append fail2ban log files.
+## Allow the specified domain to append
+## fail2ban log files.
##
##
##
@@ -217,12 +218,13 @@ interface(`fail2ban_append_log',`
')
logging_search_logs($1)
+ allow $1 fail2ban_log_t:dir list_dir_perms;
allow $1 fail2ban_log_t:file append_file_perms;
')
########################################
##
-## Read fail2ban pid files.
+## Read fail2ban PID files.
##
##
##
@@ -241,8 +243,28 @@ interface(`fail2ban_read_pid_files',`
########################################
##
-## All of the rules required to
-## administrate an fail2ban environment.
+## dontaudit read and write an leaked file descriptors
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`fail2ban_dontaudit_leaks',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ dontaudit $1 fail2ban_t:tcp_socket { read write };
+ dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
+ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an fail2ban environment
##
##
##
@@ -251,21 +273,25 @@ interface(`fail2ban_read_pid_files',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the fail2ban domain.
##
##
##
#
interface(`fail2ban_admin',`
gen_require(`
- type fail2ban_t, fail2ban_log_t, fail2ban_tmp_t;
- type fail2ban_var_run_t, fail2ban_initrc_exec_t;
- type fail2ban_var_lib_t, fail2ban_client_t;
+ type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
+ type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
+ type fail2ban_client_t;
')
- allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
+ allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 fail2ban_initrc_exec_t system_r;
@@ -277,10 +303,10 @@ interface(`fail2ban_admin',`
files_list_pids($1)
admin_pattern($1, fail2ban_var_run_t)
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, fail2ban_var_lib_t)
- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, fail2ban_tmp_t)
fail2ban_run_client($1, $2)
diff --git a/fail2ban.te b/fail2ban.te
index cf0e56772..62fb6587a 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
#
allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
-allow fail2ban_t self:process signal;
+allow fail2ban_t self:process { setsched signal };
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
allow fail2ban_t self:unix_stream_socket { accept connectto listen };
allow fail2ban_t self:tcp_socket { accept listen };
@@ -67,7 +67,6 @@ kernel_read_system_state(fail2ban_t)
corecmd_exec_bin(fail2ban_t)
corecmd_exec_shell(fail2ban_t)
-corenet_all_recvfrom_unlabeled(fail2ban_t)
corenet_all_recvfrom_netlabel(fail2ban_t)
corenet_tcp_sendrecv_generic_if(fail2ban_t)
corenet_tcp_sendrecv_generic_node(fail2ban_t)
@@ -82,7 +81,6 @@ domain_use_interactive_fds(fail2ban_t)
domain_dontaudit_read_all_domains_state(fail2ban_t)
files_read_etc_runtime_files(fail2ban_t)
-files_read_usr_files(fail2ban_t)
files_list_var(fail2ban_t)
files_dontaudit_list_tmp(fail2ban_t)
@@ -92,23 +90,37 @@ fs_getattr_all_fs(fail2ban_t)
auth_use_nsswitch(fail2ban_t)
logging_read_all_logs(fail2ban_t)
+logging_read_audit_log(fail2ban_t)
logging_send_syslog_msg(fail2ban_t)
+logging_read_syslog_pid(fail2ban_t)
+logging_dontaudit_search_audit_logs(fail2ban_t)
+logging_mmap_generic_logs(fail2ban_t)
-miscfiles_read_localization(fail2ban_t)
+mta_send_mail(fail2ban_t)
sysnet_manage_config(fail2ban_t)
-sysnet_etc_filetrans_config(fail2ban_t)
-
-mta_send_mail(fail2ban_t)
optional_policy(`
apache_read_log(fail2ban_t)
')
+optional_policy(`
+ dbus_system_bus_client(fail2ban_t)
+ dbus_connect_system_bus(fail2ban_t)
+
+ optional_policy(`
+ firewalld_dbus_chat(fail2ban_t)
+ ')
+')
+
optional_policy(`
ftp_read_log(fail2ban_t)
')
+optional_policy(`
+ gnome_dontaudit_search_config(fail2ban_t)
+')
+
optional_policy(`
iptables_domtrans(fail2ban_t)
')
@@ -117,6 +129,10 @@ optional_policy(`
libs_exec_ldconfig(fail2ban_t)
')
+optional_policy(`
+ rpm_exec(fail2ban_t)
+')
+
optional_policy(`
shorewall_domtrans(fail2ban_t)
')
@@ -126,27 +142,37 @@ optional_policy(`
# Client Local policy
#
-allow fail2ban_client_t self:capability dac_read_search;
+allow fail2ban_client_t self:capability { dac_read_search dac_override };
allow fail2ban_client_t self:unix_stream_socket { create connect write read };
domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
+allow fail2ban_client_t fail2ban_t:process { rlimitinh };
+
+dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access;
+allow fail2ban_client_t fail2ban_var_run_t:dir write;
stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
kernel_read_system_state(fail2ban_client_t)
corecmd_exec_bin(fail2ban_client_t)
+dev_read_urand(fail2ban_client_t)
+dev_read_rand(fail2ban_client_t)
+
domain_use_interactive_fds(fail2ban_client_t)
-files_read_etc_files(fail2ban_client_t)
-files_read_usr_files(fail2ban_client_t)
files_search_pids(fail2ban_client_t)
+auth_use_nsswitch(fail2ban_client_t)
+
logging_getattr_all_logs(fail2ban_client_t)
logging_search_all_logs(fail2ban_client_t)
-
-miscfiles_read_localization(fail2ban_client_t)
+logging_read_audit_log(fail2ban_client_t)
userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
userdom_use_user_terminals(fail2ban_client_t)
+
+optional_policy(`
+ apache_read_log(fail2ban_client_t)
+')
diff --git a/fcoe.te b/fcoe.te
index ce358fb3f..cdc11a7f9 100644
--- a/fcoe.te
+++ b/fcoe.te
@@ -20,25 +20,32 @@ files_pid_file(fcoemon_var_run_t)
# Local policy
#
-allow fcoemon_t self:capability { dac_override kill net_admin };
+allow fcoemon_t self:capability { net_admin net_raw dac_read_search dac_override };
allow fcoemon_t self:fifo_file rw_fifo_file_perms;
allow fcoemon_t self:unix_stream_socket { accept listen };
allow fcoemon_t self:netlink_socket create_socket_perms;
allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms;
+allow fcoemon_t self:netlink_scsitransport_socket create_socket_perms;
+allow fcoemon_t self:packet_socket create_socket_perms;
+allow fcoemon_t self:udp_socket create_socket_perms;
manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file })
-files_read_etc_files(fcoemon_t)
-
-dev_read_sysfs(fcoemon_t)
+dev_rw_sysfs(fcoemon_t)
logging_send_syslog_msg(fcoemon_t)
miscfiles_read_localization(fcoemon_t)
+userdom_dgram_send(fcoemon_t)
+
optional_policy(`
lldpad_dgram_send(fcoemon_t)
')
+
+optional_policy(`
+ networkmanager_dgram_send(fcoemon_t)
+')
diff --git a/fetchmail.fc b/fetchmail.fc
index 133b8ee67..a47a12fe7 100644
--- a/fetchmail.fc
+++ b/fetchmail.fc
@@ -1,4 +1,5 @@
HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t,s0)
+/root/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0)
/etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0)
diff --git a/fetchmail.if b/fetchmail.if
index c3f791660..cab3954f3 100644
--- a/fetchmail.if
+++ b/fetchmail.if
@@ -23,14 +23,16 @@ interface(`fetchmail_admin',`
type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t;
')
+ ps_process_pattern($1, fetchmail_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 fetchmail_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 fetchmail_initrc_exec_t system_r;
allow $2 system_r;
- allow $1 fetchmail_t:process { ptrace signal_perms };
- ps_process_pattern($1, fetchmail_t)
-
files_list_etc($1)
admin_pattern($1, fetchmail_etc_t)
diff --git a/fetchmail.te b/fetchmail.te
index 742559a54..fa51d09dd 100644
--- a/fetchmail.te
+++ b/fetchmail.te
@@ -32,14 +32,18 @@ files_type(fetchmail_uidl_cache_t)
#
# Local policy
#
-
+allow fetchmail_t self:capability setuid;
dontaudit fetchmail_t self:capability sys_tty_config;
allow fetchmail_t self:process { signal_perms setrlimit };
allow fetchmail_t self:unix_stream_socket { accept listen };
+allow fetchmail_t self:key manage_key_perms;
allow fetchmail_t fetchmail_etc_t:file read_file_perms;
+list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
+userdom_search_user_home_dirs(fetchmail_t)
+userdom_search_admin_dir(fetchmail_t)
manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
@@ -63,7 +67,6 @@ kernel_dontaudit_read_system_state(fetchmail_t)
corecmd_exec_bin(fetchmail_t)
corecmd_exec_shell(fetchmail_t)
-corenet_all_recvfrom_unlabeled(fetchmail_t)
corenet_all_recvfrom_netlabel(fetchmail_t)
corenet_tcp_sendrecv_generic_if(fetchmail_t)
corenet_tcp_sendrecv_generic_node(fetchmail_t)
@@ -84,15 +87,24 @@ fs_search_auto_mountpoints(fetchmail_t)
domain_use_interactive_fds(fetchmail_t)
-auth_use_nsswitch(fetchmail_t)
+auth_read_passwd(fetchmail_t)
logging_send_syslog_msg(fetchmail_t)
-miscfiles_read_localization(fetchmail_t)
miscfiles_read_generic_certs(fetchmail_t)
+sysnet_dns_name_resolve(fetchmail_t)
+
userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
-userdom_search_user_home_dirs(fetchmail_t)
+
+optional_policy(`
+ mta_send_mail(fetchmail_t)
+ mta_read_spool(fetchmail_t)
+')
+
+optional_policy(`
+ kerberos_use(fetchmail_t)
+')
optional_policy(`
procmail_domtrans(fetchmail_t)
diff --git a/finger.te b/finger.te
index 35da09d97..85f1e03d4 100644
--- a/finger.te
+++ b/finger.te
@@ -45,7 +45,6 @@ logging_log_filetrans(fingerd_t, fingerd_log_t, file)
kernel_read_kernel_sysctls(fingerd_t)
kernel_read_system_state(fingerd_t)
-corenet_all_recvfrom_unlabeled(fingerd_t)
corenet_all_recvfrom_netlabel(fingerd_t)
corenet_tcp_sendrecv_generic_if(fingerd_t)
corenet_tcp_sendrecv_generic_node(fingerd_t)
@@ -63,6 +62,7 @@ dev_read_sysfs(fingerd_t)
domain_use_interactive_fds(fingerd_t)
files_read_etc_runtime_files(fingerd_t)
+files_search_home(fingerd_t)
fs_getattr_all_fs(fingerd_t)
fs_search_auto_mountpoints(fingerd_t)
@@ -71,6 +71,7 @@ term_getattr_all_ttys(fingerd_t)
term_getattr_all_ptys(fingerd_t)
auth_read_lastlog(fingerd_t)
+auth_use_nsswitch(fingerd_t)
init_read_utmp(fingerd_t)
init_dontaudit_write_utmp(fingerd_t)
@@ -79,7 +80,7 @@ logging_send_syslog_msg(fingerd_t)
mta_getattr_spool(fingerd_t)
-miscfiles_read_localization(fingerd_t)
+sysnet_read_config(fingerd_t)
userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
diff --git a/firewalld.fc b/firewalld.fc
index 21d7b8442..0e272bd0e 100644
--- a/firewalld.fc
+++ b/firewalld.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/firewalld.* -- gen_context(system_u:object_r:firewalld_unit_file_t,s0)
+
/etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
diff --git a/firewalld.if b/firewalld.if
index c62c5670a..2d9e254b4 100644
--- a/firewalld.if
+++ b/firewalld.if
@@ -2,7 +2,7 @@
########################################
##
-## Read firewalld configuration files.
+## Read firewalld config
##
##
##
@@ -10,7 +10,7 @@
##
##
#
-interface(`firewalld_read_config_files',`
+interface(`firewalld_read_config',`
gen_require(`
type firewalld_etc_rw_t;
')
@@ -19,6 +19,48 @@ interface(`firewalld_read_config_files',`
read_files_pattern($1, firewalld_etc_rw_t, firewalld_etc_rw_t)
')
+########################################
+##
+## Execute firewalld server in the firewalld domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`firewalld_initrc_domtrans',`
+ gen_require(`
+ type firewalld_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
+')
+
+########################################
+##
+## Execute firewalld server in the firewalld domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`firewalld_systemctl',`
+ gen_require(`
+ type firewalld_t;
+ type firewalld_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 firewalld_unit_file_t:file read_file_perms;
+ allow $1 firewalld_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, firewalld_t)
+')
+
########################################
##
## Send and receive messages from
@@ -42,8 +84,8 @@ interface(`firewalld_dbus_chat',`
########################################
##
-## Do not audit attempts to read, snd
-## write firewalld temporary files.
+## Dontaudit attempts to write
+## firewalld tmp files.
##
##
##
@@ -51,18 +93,37 @@ interface(`firewalld_dbus_chat',`
##
##
#
-interface(`firewalld_dontaudit_rw_tmp_files',`
+interface(`firewalld_dontaudit_write_tmp_files',`
gen_require(`
type firewalld_tmp_t;
')
- dontaudit $1 firewalld_tmp_t:file { read write };
+ dontaudit $1 firewalld_tmp_t:file write;
')
########################################
##
-## All of the rules required to
-## administrate an firewalld environment.
+## Read firewalld PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`firewalld_read_pid_files',`
+ gen_require(`
+ type firewalld_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 firewalld_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an firewalld environment
##
##
##
@@ -79,14 +140,18 @@ interface(`firewalld_dontaudit_rw_tmp_files',`
interface(`firewalld_admin',`
gen_require(`
type firewalld_t, firewalld_initrc_exec_t;
- type firewall_etc_rw_t, firewalld_var_run_t;
+ type firewalld_etc_rw_t, firewalld_var_run_t;
type firewalld_var_log_t;
')
- allow $1 firewalld_t:process { ptrace signal_perms };
+ allow $1 firewalld_t:process signal_perms;
ps_process_pattern($1, firewalld_t)
- init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 firewalld_t:process ptrace;
+ ')
+
+ firewalld_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 firewalld_initrc_exec_t system_r;
allow $2 system_r;
@@ -97,6 +162,9 @@ interface(`firewalld_admin',`
logging_search_logs($1)
admin_pattern($1, firewalld_var_log_t)
- files_search_etc($1)
- admin_pattern($1, firewall_etc_rw_t)
+ admin_pattern($1, firewalld_etc_rw_t)
+
+ admin_pattern($1, firewalld_unit_file_t)
+ firewalld_systemctl($1)
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
index 98072a3a1..5fd0906be 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,15 +21,21 @@ logging_log_file(firewalld_var_log_t)
type firewalld_tmp_t;
files_tmp_file(firewalld_tmp_t)
+type firewalld_tmpfs_t;
+files_tmpfs_file(firewalld_tmpfs_t)
+
type firewalld_var_run_t;
files_pid_file(firewalld_var_run_t)
+type firewalld_unit_file_t;
+systemd_unit_file(firewalld_unit_file_t)
+
########################################
#
# Local policy
#
-allow firewalld_t self:capability { dac_override net_admin };
+allow firewalld_t self:capability { dac_read_search dac_override net_admin };
dontaudit firewalld_t self:capability sys_tty_config;
allow firewalld_t self:fifo_file rw_fifo_file_perms;
allow firewalld_t self:unix_stream_socket { accept listen };
@@ -37,6 +43,8 @@ allow firewalld_t self:udp_socket create_socket_perms;
manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+relabel_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+manage_lnk_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
allow firewalld_t firewalld_var_log_t:file append_file_perms;
allow firewalld_t firewalld_var_log_t:file create_file_perms;
@@ -48,13 +56,21 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
allow firewalld_t firewalld_tmp_t:file mmap_file_perms;
+manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, file)
+allow firewalld_t firewalld_tmpfs_t:file mmap_file_perms;
+
manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
-files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
+manage_dirs_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
+files_pid_filetrans(firewalld_t, firewalld_var_run_t, { file dir })
+can_exec(firewalld_t, firewalld_var_run_t)
kernel_read_network_state(firewalld_t)
kernel_read_system_state(firewalld_t)
kernel_rw_net_sysctls(firewalld_t)
+files_list_kernel_modules(firewalld_t)
+
corecmd_exec_bin(firewalld_t)
corecmd_exec_shell(firewalld_t)
@@ -63,20 +79,24 @@ dev_search_sysfs(firewalld_t)
domain_use_interactive_fds(firewalld_t)
-files_read_etc_files(firewalld_t)
-files_read_usr_files(firewalld_t)
+files_dontaudit_access_check_tmp(firewalld_t)
files_dontaudit_list_tmp(firewalld_t)
fs_getattr_xattr_fs(firewalld_t)
+fs_dontaudit_all_access_check(firewalld_t)
-logging_send_syslog_msg(firewalld_t)
+auth_use_nsswitch(firewalld_t)
-miscfiles_read_localization(firewalld_t)
+libs_exec_ldconfig(firewalld_t)
-seutil_exec_setfiles(firewalld_t)
-seutil_read_file_contexts(firewalld_t)
+logging_send_syslog_msg(firewalld_t)
+
+sysnet_dns_name_resolve(firewalld_t)
+sysnet_manage_config_dirs(firewalld_t)
+sysnet_manage_config(firewalld_t)
-sysnet_read_config(firewalld_t)
+userdom_dontaudit_create_admin_dir(firewalld_t)
+userdom_dontaudit_manage_admin_dir(firewalld_t)
optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t)
@@ -94,6 +114,10 @@ optional_policy(`
')
')
+optional_policy(`
+ gnome_read_generic_data_home_dirs(firewalld_t)
+')
+
optional_policy(`
iptables_domtrans(firewalld_t)
')
diff --git a/firewallgui.if b/firewallgui.if
index e6866d1fd..941f4ef73 100644
--- a/firewallgui.if
+++ b/firewallgui.if
@@ -37,5 +37,5 @@ interface(`firewallgui_dontaudit_rw_pipes',`
type firewallgui_t;
')
- dontaudit $1 firewallgui_t:fifo_file rw_fifo_file_perms;
+ dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms;
')
diff --git a/firewallgui.te b/firewallgui.te
index 209454664..2481a9704 100644
--- a/firewallgui.te
+++ b/firewallgui.te
@@ -36,8 +36,10 @@ corecmd_exec_shell(firewallgui_t)
dev_read_sysfs(firewallgui_t)
dev_read_urand(firewallgui_t)
+files_manage_system_conf_files(firewallgui_t)
+files_etc_filetrans_system_conf(firewallgui_t)
+files_search_kernel_modules(firewallgui_t)
files_list_kernel_modules(firewallgui_t)
-files_read_usr_files(firewallgui_t)
auth_use_nsswitch(firewallgui_t)
@@ -60,12 +62,13 @@ optional_policy(`
')
optional_policy(`
- gnome_read_generic_gconf_home_content(firewallgui_t)
+ gnome_read_gconf_home_files(firewallgui_t)
')
optional_policy(`
iptables_domtrans(firewallgui_t)
iptables_initrc_domtrans(firewallgui_t)
+ iptables_systemctl(firewallgui_t)
')
optional_policy(`
diff --git a/firstboot.fc b/firstboot.fc
index 12c782c89..ba614e457 100644
--- a/firstboot.fc
+++ b/firstboot.fc
@@ -1,5 +1,3 @@
-/etc/rc\.d/init\.d/firstboot.* -- gen_context(system_u:object_r:firstboot_initrc_exec_t,s0)
+/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
-/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
-
-/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)
+/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)
diff --git a/firstboot.if b/firstboot.if
index 280f875f0..f3a67c911 100644
--- a/firstboot.if
+++ b/firstboot.if
@@ -1,4 +1,7 @@
-## Initial system configuration utility.
+##
+## Final system configuration run during the first boot
+## after installation of Red Hat/Fedora systems.
+##
########################################
##
@@ -15,15 +18,13 @@ interface(`firstboot_domtrans',`
type firstboot_t, firstboot_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, firstboot_exec_t, firstboot_t)
')
########################################
##
-## Execute firstboot in the firstboot
-## domain, and allow the specified role
-## the firstboot domain.
+## Execute firstboot in the firstboot domain, and
+## allow the specified role the firstboot domain.
##
##
##
@@ -38,16 +39,16 @@ interface(`firstboot_domtrans',`
#
interface(`firstboot_run',`
gen_require(`
- attribute_role firstboot_roles;
+ type firstboot_t;
')
firstboot_domtrans($1)
- roleattribute $2 firstboot_roles;
+ role $2 types firstboot_t;
')
########################################
##
-## Inherit and use firstboot file descriptors.
+## Inherit and use a file descriptor from firstboot.
##
##
##
@@ -65,8 +66,8 @@ interface(`firstboot_use_fds',`
########################################
##
-## Do not audit attempts to inherit
-## firstboot file descriptors.
+## Do not audit attempts to inherit a
+## file descriptor from firstboot.
##
##
##
@@ -84,7 +85,26 @@ interface(`firstboot_dontaudit_use_fds',`
########################################
##
-## Write firstboot unnamed pipes.
+## dontaudit read and write an leaked file descriptors
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`firstboot_dontaudit_leaks',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ dontaudit $1 firstboot_t:socket_class_set { read write };
+ dontaudit $1 firstboot_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+##
+## Write to a firstboot unnamed pipe.
##
##
##
@@ -97,12 +117,13 @@ interface(`firstboot_write_pipes',`
type firstboot_t;
')
+ allow $1 firstboot_t:fd use;
allow $1 firstboot_t:fifo_file write;
')
########################################
##
-## Read and Write firstboot unnamed pipes.
+## Read and Write to a firstboot unnamed pipe.
##
##
##
@@ -120,8 +141,7 @@ interface(`firstboot_rw_pipes',`
########################################
##
-## Do not audit attemps to read and
-## write firstboot unnamed pipes.
+## Do not audit attemps to read and write to a firstboot unnamed pipe.
##
##
##
@@ -139,9 +159,8 @@ interface(`firstboot_dontaudit_rw_pipes',`
########################################
##
-## Do not audit attemps to read and
-## write firstboot unix domain
-## stream sockets.
+## Do not audit attemps to read and write to a firstboot
+## unix domain stream socket.
##
##
##
diff --git a/firstboot.te b/firstboot.te
index 5010f04e1..0341ae121 100644
--- a/firstboot.te
+++ b/firstboot.te
@@ -1,7 +1,7 @@
policy_module(firstboot, 1.13.0)
gen_require(`
- class passwd { passwd chfn chsh rootok };
+ class passwd { passwd chfn chsh rootok crontab };
')
########################################
@@ -9,17 +9,12 @@ gen_require(`
# Declarations
#
-attribute_role firstboot_roles;
-
type firstboot_t;
type firstboot_exec_t;
init_system_domain(firstboot_t, firstboot_exec_t)
domain_obj_id_change_exemption(firstboot_t)
domain_subj_id_change_exemption(firstboot_t)
-role firstboot_roles types firstboot_t;
-
-type firstboot_initrc_exec_t;
-init_script_file(firstboot_initrc_exec_t)
+role system_r types firstboot_t;
type firstboot_etc_t;
files_config_file(firstboot_etc_t)
@@ -29,31 +24,28 @@ files_config_file(firstboot_etc_t)
# Local policy
#
-allow firstboot_t self:capability { dac_override setgid };
+allow firstboot_t self:capability { dac_read_search dac_override setgid };
allow firstboot_t self:process setfscreate;
allow firstboot_t self:fifo_file rw_fifo_file_perms;
-allow firstboot_t self:tcp_socket { accept listen };
+allow firstboot_t self:tcp_socket create_stream_socket_perms;
+allow firstboot_t self:unix_stream_socket { connect create };
allow firstboot_t self:passwd { rootok passwd chfn chsh };
allow firstboot_t firstboot_etc_t:file read_file_perms;
+files_manage_generic_tmp_dirs(firstboot_t)
+files_manage_generic_tmp_files(firstboot_t)
+
kernel_read_system_state(firstboot_t)
kernel_read_kernel_sysctls(firstboot_t)
-corecmd_exec_all_executables(firstboot_t)
+corenet_all_recvfrom_netlabel(firstboot_t)
+corenet_tcp_sendrecv_generic_if(firstboot_t)
+corenet_tcp_sendrecv_generic_node(firstboot_t)
+corenet_tcp_sendrecv_all_ports(firstboot_t)
dev_read_urand(firstboot_t)
-files_exec_etc_files(firstboot_t)
-files_manage_etc_files(firstboot_t)
-files_manage_etc_runtime_files(firstboot_t)
-files_read_usr_files(firstboot_t)
-files_manage_var_dirs(firstboot_t)
-files_manage_var_files(firstboot_t)
-files_manage_var_symlinks(firstboot_t)
-files_create_boot_flag(firstboot_t)
-files_delete_boot_flag(firstboot_t)
-
selinux_get_fs_mount(firstboot_t)
selinux_validate_context(firstboot_t)
selinux_compute_access_vector(firstboot_t)
@@ -63,6 +55,17 @@ selinux_compute_user_contexts(firstboot_t)
auth_dontaudit_getattr_shadow(firstboot_t)
+corecmd_exec_all_executables(firstboot_t)
+
+files_exec_etc_files(firstboot_t)
+files_manage_etc_files(firstboot_t)
+files_manage_etc_runtime_files(firstboot_t)
+files_manage_var_dirs(firstboot_t)
+files_manage_var_files(firstboot_t)
+files_manage_var_symlinks(firstboot_t)
+files_create_boot_flag(firstboot_t)
+files_delete_boot_flag(firstboot_t)
+
init_domtrans_script(firstboot_t)
init_rw_utmp(firstboot_t)
@@ -73,18 +76,18 @@ locallogin_use_fds(firstboot_t)
logging_send_syslog_msg(firstboot_t)
-miscfiles_read_localization(firstboot_t)
-
sysnet_dns_name_resolve(firstboot_t)
-userdom_use_user_terminals(firstboot_t)
+userdom_use_inherited_user_terminals(firstboot_t)
+
+# Add/remove user home directories
userdom_manage_user_home_content_dirs(firstboot_t)
userdom_manage_user_home_content_files(firstboot_t)
userdom_manage_user_home_content_symlinks(firstboot_t)
userdom_manage_user_home_content_pipes(firstboot_t)
userdom_manage_user_home_content_sockets(firstboot_t)
userdom_home_filetrans_user_home_dir(firstboot_t)
-userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
+userdom_filetrans_home_content(firstboot_t)
optional_policy(`
dbus_system_bus_client(firstboot_t)
@@ -101,21 +104,18 @@ optional_policy(`
modutils_read_module_deps(firstboot_t)
')
-optional_policy(`
- nis_use_ypbind(firstboot_t)
-')
-
optional_policy(`
samba_rw_config(firstboot_t)
')
optional_policy(`
- unconfined_domtrans(firstboot_t)
- unconfined_domain(firstboot_t)
+ # The big hammer
+ unconfined_domain_noaudit(firstboot_t)
')
optional_policy(`
- gnome_manage_generic_home_content(firstboot_t)
+ gnome_admin_home_gconf_filetrans(firstboot_t, dir)
+ gnome_manage_config(firstboot_t)
')
optional_policy(`
diff --git a/fprintd.te b/fprintd.te
index 92a6479a2..66f574fc9 100644
--- a/fprintd.te
+++ b/fprintd.te
@@ -8,6 +8,7 @@ policy_module(fprintd, 1.2.0)
type fprintd_t;
type fprintd_exec_t;
init_daemon_domain(fprintd_t, fprintd_exec_t)
+init_nnp_daemon_domain(fprintd_t)
type fprintd_var_lib_t;
files_type(fprintd_var_lib_t)
@@ -18,25 +19,29 @@ files_type(fprintd_var_lib_t)
#
allow fprintd_t self:capability sys_nice;
+allow fprintd_t self:capability2 wake_alarm;
allow fprintd_t self:process { getsched setsched signal sigkill };
allow fprintd_t self:fifo_file rw_fifo_file_perms;
+allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow fprintd_t self:unix_dgram_socket { create_socket_perms sendto };
manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
kernel_read_system_state(fprintd_t)
+corecmd_exec_bin(fprintd_t)
+
dev_list_usbfs(fprintd_t)
dev_read_sysfs(fprintd_t)
+dev_read_urand(fprintd_t)
dev_rw_generic_usb_dev(fprintd_t)
-files_read_usr_files(fprintd_t)
-
fs_getattr_all_fs(fprintd_t)
auth_use_nsswitch(fprintd_t)
-miscfiles_read_localization(fprintd_t)
+logging_send_syslog_msg(fprintd_t)
userdom_use_user_ptys(fprintd_t)
userdom_read_all_users_state(fprintd_t)
@@ -54,8 +59,17 @@ optional_policy(`
')
')
+
optional_policy(`
- policykit_domtrans_auth(fprintd_t)
policykit_read_reload(fprintd_t)
policykit_read_lib(fprintd_t)
+ policykit_domtrans_auth(fprintd_t)
+')
+
+optional_policy(`
+ udev_read_db(fprintd_t)
+')
+
+optional_policy(`
+ xserver_read_state_xdm(fprintd_t)
')
diff --git a/freeipmi.fc b/freeipmi.fc
new file mode 100644
index 000000000..0942a2e39
--- /dev/null
+++ b/freeipmi.fc
@@ -0,0 +1,17 @@
+/usr/lib/systemd/system/bmc-watchdog.* -- gen_context(system_u:object_r:freeipmi_bmc_watchdog_unit_file_t,s0)
+/usr/lib/systemd/system/ipmidetectd.* -- gen_context(system_u:object_r:freeipmi_ipmidetectd_unit_file_t,s0)
+/usr/lib/systemd/system/ipmiseld.* -- gen_context(system_u:object_r:freeipmi_ipmiseld_unit_file_t,s0)
+
+/usr/sbin/bmc-watchdog -- gen_context(system_u:object_r:freeipmi_bmc_watchdog_exec_t,s0)
+/usr/sbin/ipmidetectd -- gen_context(system_u:object_r:freeipmi_ipmidetectd_exec_t,s0)
+/usr/sbin/ipmiseld -- gen_context(system_u:object_r:freeipmi_ipmiseld_exec_t,s0)
+
+/var/cache/ipmiseld(/.*)? gen_context(system_u:object_r:freeipmi_var_cache_t,s0)
+/var/cache/ipmimonitoringsdrcache(/.*)? gen_context(system_u:object_r:freeipmi_var_cache_t,s0)
+
+/var/lib/freeipmi(/.*)? gen_context(system_u:object_r:freeipmi_var_lib_t,s0)
+
+
+/var/run/ipmidetectd\.pid -- gen_context(system_u:object_r:freeipmi_ipmidetectd_var_run_t,s0)
+/var/run/ipmiseld\.pid -- gen_context(system_u:object_r:freeipmi_ipmiseld_var_run_t,s0)
+/var/run/bmc-watchdog\.pid -- gen_context(system_u:object_r:freeipmi_bmc_watchdog_var_run_t,s0)
diff --git a/freeipmi.if b/freeipmi.if
new file mode 100644
index 000000000..dc9485309
--- /dev/null
+++ b/freeipmi.if
@@ -0,0 +1,71 @@
+## Remote-Console (out-of-band) and System Management Software (in-band) based on Intelligent Platform Management Interface specification
+
+#####################################
+##
+## Creates types and rules for a basic
+## freeipmi init daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`freeipmi_domain_template',`
+ gen_require(`
+ attribute freeipmi_domain, freeipmi_pid;
+ ')
+
+ #############################
+ #
+ # Declarations
+ #
+
+ type freeipmi_$1_t, freeipmi_domain;
+ type freeipmi_$1_exec_t;
+ init_daemon_domain(freeipmi_$1_t, freeipmi_$1_exec_t)
+ role system_r types freeipmi_$1_t;
+
+ type freeipmi_$1_unit_file_t;
+ systemd_unit_file(freeipmi_$1_unit_file_t)
+
+ type freeipmi_$1_var_run_t, freeipmi_pid;
+ files_pid_file(freeipmi_$1_var_run_t)
+
+ #############################
+ #
+ # Local policy
+ #
+
+ manage_files_pattern(freeipmi_$1_t, freeipmi_$1_var_run_t, freeipmi_$1_var_run_t)
+
+ kernel_read_system_state(freeipmi_$1_t)
+
+ corenet_all_recvfrom_netlabel(freeipmi_$1_t)
+ corenet_all_recvfrom_unlabeled(freeipmi_$1_t)
+
+ auth_use_nsswitch(freeipmi_$1_t)
+
+ logging_send_syslog_msg(freeipmi_$1_t)
+')
+
+####################################
+##
+## Connect to cluster domains over a unix domain
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`freeipmi_stream_connect',`
+ gen_require(`
+ attribute freeipmi_domain, freeipmi_pid;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, freeipmi_pid, freeipmi_pid, freeipmi_domain)
+')
+
diff --git a/freeipmi.te b/freeipmi.te
new file mode 100644
index 000000000..b7f52674c
--- /dev/null
+++ b/freeipmi.te
@@ -0,0 +1,81 @@
+policy_module(freeipmi, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute freeipmi_domain;
+attribute freeipmi_pid;
+
+freeipmi_domain_template(ipmidetectd)
+freeipmi_domain_template(ipmiseld)
+freeipmi_domain_template(bmc_watchdog)
+
+type freeipmi_var_lib_t;
+files_type(freeipmi_var_lib_t)
+
+type freeipmi_var_cache_t;
+files_type(freeipmi_var_cache_t)
+
+########################################
+#
+# freeipmi_domain local policy
+#
+
+allow freeipmi_domain self:fifo_file rw_fifo_file_perms;
+allow freeipmi_domain self:unix_stream_socket create_stream_socket_perms;
+allow freeipmi_domain self:sem create_sem_perms;
+
+manage_dirs_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
+manage_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
+manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
+files_var_filetrans(freeipmi_domain, freeipmi_var_cache_t, { dir })
+
+manage_dirs_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
+manage_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
+manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
+files_var_lib_filetrans(freeipmi_domain, freeipmi_var_lib_t, { dir })
+
+dev_read_rand(freeipmi_domain)
+dev_read_urand(freeipmi_domain)
+dev_rw_ipmi_dev(freeipmi_domain)
+dev_read_sysfs(freeipmi_domain)
+dev_map_sysfs(freeipmi_domain)
+
+sysnet_dns_name_resolve(freeipmi_domain)
+
+#######################################
+#
+# bmc-watchdog local policy
+#
+
+allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem rw_sem_perms;
+
+files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid")
+
+dev_read_raw_memory(freeipmi_bmc_watchdog_t)
+
+#######################################
+#
+# ipmidetectd local policy
+#
+
+allow freeipmi_ipmidetectd_t self:tcp_socket listen;
+
+files_pid_filetrans(freeipmi_ipmidetectd_t, freeipmi_ipmidetectd_var_run_t, file, "ipmidetectd.pid")
+
+corenet_tcp_bind_freeipmi_port(freeipmi_ipmidetectd_t)
+
+#######################################
+#
+# ipmiseld local policy
+#
+
+allow freeipmi_ipmiseld_t self:capability sys_rawio;
+
+allow freeipmi_ipmiseld_t freeipmi_bmc_watchdog_t:sem rw_sem_perms;
+
+dev_read_raw_memory(freeipmi_ipmiseld_t)
+
+files_pid_filetrans(freeipmi_ipmiseld_t, freeipmi_ipmiseld_var_run_t, file, "ipmiseld.pid")
diff --git a/freqset.fc b/freqset.fc
new file mode 100644
index 000000000..3cd9c38fd
--- /dev/null
+++ b/freqset.fc
@@ -0,0 +1 @@
+/usr/lib/enlightenment/modules/cpufreq/linux-gnu-[^/]*/freqset -- gen_context(system_u:object_r:freqset_exec_t,s0)
diff --git a/freqset.if b/freqset.if
new file mode 100644
index 000000000..190ccc035
--- /dev/null
+++ b/freqset.if
@@ -0,0 +1,76 @@
+
+## policy for freqset
+
+########################################
+##
+## Execute TEMPLATE in the freqset domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`freqset_domtrans',`
+ gen_require(`
+ type freqset_t, freqset_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, freqset_exec_t, freqset_t)
+')
+
+########################################
+##
+## Execute freqset in the freqset domain, and
+## allow the specified role the freqset domain.
+##
+##
+##
+## Domain allowed to transition
+##
+##
+##
+##
+## The role to be allowed the freqset domain.
+##
+##
+#
+interface(`freqset_run',`
+ gen_require(`
+ type freqset_t;
+ attribute_role freqset_roles;
+ ')
+
+ freqset_domtrans($1)
+ roleattribute $2 freqset_roles;
+')
+
+########################################
+##
+## Role access for freqset
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`freqset_role',`
+ gen_require(`
+ type freqset_t;
+ attribute_role freqset_roles;
+ ')
+
+ roleattribute $1 freqset_roles;
+
+ freqset_domtrans($2)
+
+ ps_process_pattern($2, freqset_t)
+ allow $2 freqset_t:process { signull signal sigkill };
+')
diff --git a/freqset.te b/freqset.te
new file mode 100644
index 000000000..0d09fbd62
--- /dev/null
+++ b/freqset.te
@@ -0,0 +1,34 @@
+policy_module(freqset, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role freqset_roles;
+roleattribute system_r freqset_roles;
+
+type freqset_t;
+type freqset_exec_t;
+application_domain(freqset_t, freqset_exec_t)
+
+role freqset_roles types freqset_t;
+
+########################################
+#
+# freqset local policy
+#
+allow freqset_t self:capability { setuid };
+
+allow freqset_t self:fifo_file manage_fifo_file_perms;
+allow freqset_t self:unix_stream_socket create_stream_socket_perms;
+
+dev_rw_sysfs(freqset_t)
+
+domain_use_interactive_fds(freqset_t)
+
+files_read_etc_files(freqset_t)
+
+miscfiles_read_localization(freqset_t)
+
+userdom_use_inherited_user_terminals(freqset_t)
diff --git a/ftp.fc b/ftp.fc
index ddb75c12c..44f74e62f 100644
--- a/ftp.fc
+++ b/ftp.fc
@@ -1,5 +1,8 @@
/etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0)
+/usr/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/usr/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
/etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
diff --git a/ftp.if b/ftp.if
index 44981434b..84a4858b6 100644
--- a/ftp.if
+++ b/ftp.if
@@ -1,5 +1,67 @@
## File transfer protocol service.
+######################################
+##
+## Execute a domain transition to run ftpd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ftp_domtrans',`
+ gen_require(`
+ type ftpd_t, ftpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1,ftpd_exec_t, ftpd_t)
+
+')
+
+#######################################
+##
+## Execute ftpd server in the ftpd domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`ftp_initrc_domtrans',`
+ gen_require(`
+ type ftpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+')
+
+########################################
+##
+## Execute ftpd server in the ftpd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ftp_systemctl',`
+ gen_require(`
+ type ftpd_unit_file_t;
+ type ftpd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 ftpd_unit_file_t:file read_file_perms;
+ allow $1 ftpd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ftpd_t)
+')
+
#######################################
##
## Execute a dyntransition to run anon sftpd.
@@ -179,8 +241,11 @@ interface(`ftp_admin',`
type ftpd_keytab_t;
')
- allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };
+ allow $1 ftpd_t:process signal_perms;
ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process ptrace;
+ ')
init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -204,5 +269,9 @@ interface(`ftp_admin',`
logging_list_logs($1)
admin_pattern($1, xferlog_t)
+ ftp_systemctl($1)
+ admin_pattern($1, ftpd_unit_file_t)
+ allow $1 ftpd_unit_file_t:service all_service_perms;
+
ftp_run_ftpdctl($1, $2)
')
diff --git a/ftp.te b/ftp.te
index 36838c202..d8066fbd4 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
## be labeled public_content_rw_t.
##
##
-gen_tunable(allow_ftpd_anon_write, false)
+gen_tunable(ftpd_anon_write, false)
##
##
@@ -22,7 +22,7 @@ gen_tunable(allow_ftpd_anon_write, false)
## all files on the system, governed by DAC.
##
##
-gen_tunable(allow_ftpd_full_access, false)
+gen_tunable(ftpd_full_access, false)
##
##
@@ -30,7 +30,14 @@ gen_tunable(allow_ftpd_full_access, false)
## used for public file transfer services.
##
##
-gen_tunable(allow_ftpd_use_cifs, false)
+gen_tunable(ftpd_use_cifs, false)
+
+##
+##
+## Allow ftpd to use ntfs/fusefs volumes.
+##
+##
+gen_tunable(ftpd_use_fusefs, false)
##
##
@@ -38,7 +45,7 @@ gen_tunable(allow_ftpd_use_cifs, false)
## used for public file transfer services.
##
##
-gen_tunable(allow_ftpd_use_nfs, false)
+gen_tunable(ftpd_use_nfs, false)
##
##
@@ -49,11 +56,11 @@ gen_tunable(allow_ftpd_use_nfs, false)
gen_tunable(ftpd_connect_db, false)
##
-##
-## Determine whether ftpd can bind to all
-## unreserved ports for passive mode.
-##
-##
+##
+## Determine whether ftpd can bind to all
+## unreserved ports for passive mode.
+##
+##
gen_tunable(ftpd_use_passive_mode, false)
##
@@ -64,49 +71,6 @@ gen_tunable(ftpd_use_passive_mode, false)
##
gen_tunable(ftpd_connect_all_unreserved, false)
-##
-##
-## Determine whether ftpd can read and write
-## files in user home directories.
-##
-##
-gen_tunable(ftp_home_dir, false)
-
-##
-##
-## Determine whether sftpd can modify
-## public files used for public file
-## transfer services. Directories/Files must
-## be labeled public_content_rw_t.
-##
-##
-gen_tunable(sftpd_anon_write, false)
-
-##
-##
-## Determine whether sftpd-can read and write
-## files in user home directories.
-##
-##
-gen_tunable(sftpd_enable_homedirs, false)
-
-##
-##
-## Determine whether sftpd-can login to
-## local users and read and write all
-## files on the system, governed by DAC.
-##
-##
-gen_tunable(sftpd_full_access, false)
-
-##
-##
-## Determine whether sftpd can read and write
-## files in user ssh home directories.
-##
-##
-gen_tunable(sftpd_write_ssh_home, false)
-
attribute_role ftpdctl_roles;
type anon_sftpd_t;
@@ -124,6 +88,9 @@ files_config_file(ftpd_etc_t)
type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t)
+type ftpd_unit_file_t;
+systemd_unit_file(ftpd_unit_file_t)
+
type ftpd_keytab_t;
files_type(ftpd_keytab_t)
@@ -184,6 +151,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms;
allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
+manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
+
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
@@ -198,22 +168,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
-allow ftpd_t xferlog_t:dir setattr_dir_perms;
-append_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-create_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-setattr_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-logging_log_filetrans(ftpd_t, xferlog_t, file)
+manage_dirs_pattern(ftpd_t, xferlog_t, xferlog_t)
+manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
+logging_log_filetrans(ftpd_t, xferlog_t, { dir file })
kernel_read_kernel_sysctls(ftpd_t)
kernel_read_system_state(ftpd_t)
-kernel_search_network_state(ftpd_t)
+kernel_read_network_state(ftpd_t)
dev_read_sysfs(ftpd_t)
dev_read_urand(ftpd_t)
corecmd_exec_bin(ftpd_t)
-corenet_all_recvfrom_unlabeled(ftpd_t)
corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_generic_if(ftpd_t)
corenet_udp_sendrecv_generic_if(ftpd_t)
@@ -229,9 +196,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
corenet_sendrecv_ftp_data_server_packets(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
+corenet_tcp_bind_generic_port(ftpd_t)
+corenet_tcp_bind_all_ephemeral_ports(ftpd_t)
+corenet_tcp_connect_all_ephemeral_ports(ftpd_t)
+
domain_use_interactive_fds(ftpd_t)
-files_read_etc_files(ftpd_t)
files_read_etc_runtime_files(ftpd_t)
files_search_var_lib(ftpd_t)
@@ -250,7 +220,6 @@ logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t)
logging_set_loginuid(ftpd_t)
-miscfiles_read_localization(ftpd_t)
miscfiles_read_public_files(ftpd_t)
seutil_dontaudit_search_config(ftpd_t)
@@ -259,37 +228,60 @@ sysnet_use_ldap(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t)
+userdom_filetrans_home_content(ftpd_t)
+userdom_manage_user_home_content_dirs(ftpd_t)
+userdom_manage_user_home_content_files(ftpd_t)
+userdom_manage_user_tmp_dirs(ftpd_t)
+userdom_manage_user_tmp_files(ftpd_t)
+
-tunable_policy(`allow_ftpd_anon_write',`
+tunable_policy(`ftpd_anon_write',`
miscfiles_manage_public_files(ftpd_t)
')
-tunable_policy(`allow_ftpd_use_cifs',`
+tunable_policy(`ftpd_use_cifs',`
fs_read_cifs_files(ftpd_t)
fs_read_cifs_symlinks(ftpd_t)
')
-tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
+tunable_policy(`ftpd_use_cifs && ftpd_anon_write',`
fs_manage_cifs_files(ftpd_t)
')
-tunable_policy(`allow_ftpd_use_nfs',`
+tunable_policy(`ftpd_use_fusefs',`
+ fs_manage_fusefs_dirs(ftpd_t)
+ fs_manage_fusefs_files(ftpd_t)
+ fs_manage_fusefs_symlinks(ftpd_t)
+',`
+ fs_search_fusefs(ftpd_t)
+')
+
+tunable_policy(`ftpd_use_nfs',`
fs_read_nfs_files(ftpd_t)
fs_read_nfs_symlinks(ftpd_t)
')
-tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
+tunable_policy(`ftpd_use_nfs && ftpd_anon_write',`
fs_manage_nfs_files(ftpd_t)
')
-tunable_policy(`allow_ftpd_full_access',`
+tunable_policy(`ftpd_full_access',`
allow ftpd_t self:capability { dac_override dac_read_search };
- files_manage_non_auth_files(ftpd_t)
+ files_manage_non_security_dirs(ftpd_t)
+ files_manage_non_security_files(ftpd_t)
')
tunable_policy(`ftpd_use_passive_mode',`
- corenet_sendrecv_all_server_packets(ftpd_t)
- corenet_tcp_bind_all_unreserved_ports(ftpd_t)
+ corenet_tcp_bind_all_unreserved_ports(ftpd_t)
+')
+
+tunable_policy(`ftpd_connect_all_unreserved',`
+ corenet_tcp_connect_all_unreserved_ports(ftpd_t)
+')
+
+tunable_policy(`ftpd_use_passive_mode',`
+ corenet_sendrecv_all_server_packets(ftpd_t)
+ corenet_tcp_bind_all_unreserved_ports(ftpd_t)
')
tunable_policy(`ftpd_connect_all_unreserved',`
@@ -304,43 +296,23 @@ tunable_policy(`ftpd_connect_db',`
corenet_sendrecv_mssql_client_packets(ftpd_t)
corenet_tcp_connect_mssql_port(ftpd_t)
corenet_tcp_sendrecv_mssql_port(ftpd_t)
- corenet_sendrecv_oracledb_client_packets(ftpd_t)
- corenet_tcp_connect_oracledb_port(ftpd_t)
- corenet_tcp_sendrecv_oracledb_port(ftpd_t)
+ corenet_sendrecv_oracle_client_packets(ftpd_t)
+ corenet_tcp_connect_oracle_port(ftpd_t)
+ corenet_tcp_sendrecv_oracle_port(ftpd_t)
')
-tunable_policy(`ftp_home_dir',`
- allow ftpd_t self:capability { dac_override dac_read_search };
-
- userdom_manage_user_home_content_dirs(ftpd_t)
- userdom_manage_user_home_content_files(ftpd_t)
- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
- userdom_manage_user_tmp_dirs(ftpd_t)
- userdom_manage_user_tmp_files(ftpd_t)
- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
-',`
- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
-')
-
-tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
+tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(ftpd_t)
fs_manage_nfs_files(ftpd_t)
fs_manage_nfs_symlinks(ftpd_t)
')
-tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
+tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(ftpd_t)
fs_manage_cifs_files(ftpd_t)
fs_manage_cifs_symlinks(ftpd_t)
')
-optional_policy(`
- tunable_policy(`ftp_home_dir',`
- apache_search_sys_content(ftpd_t)
- ')
-')
-
optional_policy(`
corecmd_exec_shell(ftpd_t)
@@ -363,9 +335,8 @@ optional_policy(`
optional_policy(`
selinux_validate_context(ftpd_t)
-
kerberos_read_keytab(ftpd_t)
- kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0")
kerberos_use(ftpd_t)
')
@@ -410,92 +381,49 @@ optional_policy(`
udev_read_db(ftpd_t)
')
+optional_policy(`
+ apache_manage_user_content(ftpd_t)
+')
+
########################################
#
# Ctl local policy
#
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
+files_search_pids(ftpdctl_t)
allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
-files_read_etc_files(ftpdctl_t)
files_search_pids(ftpdctl_t)
-userdom_use_user_terminals(ftpdctl_t)
+userdom_use_inherited_user_terminals(ftpdctl_t)
########################################
#
# Anon sftpd local policy
#
-files_read_etc_files(anon_sftpd_t)
-
miscfiles_read_public_files(anon_sftpd_t)
-tunable_policy(`sftpd_anon_write',`
- miscfiles_manage_public_files(anon_sftpd_t)
-')
-
########################################
#
# Sftpd local policy
#
-files_read_etc_files(sftpd_t)
userdom_read_user_home_content_files(sftpd_t)
userdom_read_user_home_content_symlinks(sftpd_t)
+userdom_dontaudit_list_admin_dir(sftpd_t)
-tunable_policy(`sftpd_enable_homedirs',`
- allow sftpd_t self:capability { dac_override dac_read_search };
+userdom_filetrans_home_content(sftpd_t)
+userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
userdom_manage_user_home_content_dirs(sftpd_t)
userdom_manage_user_home_content_files(sftpd_t)
- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
userdom_manage_user_tmp_dirs(sftpd_t)
userdom_manage_user_tmp_files(sftpd_t)
- userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
-',`
- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
- userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
-')
-
-tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
- fs_manage_nfs_dirs(sftpd_t)
- fs_manage_nfs_files(sftpd_t)
- fs_manage_nfs_symlinks(sftpd_t)
-')
-
-tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
- fs_manage_cifs_dirs(sftpd_t)
- fs_manage_cifs_files(sftpd_t)
- fs_manage_cifs_symlinks(sftpd_t)
-')
-
-tunable_policy(`sftpd_anon_write',`
- miscfiles_manage_public_files(sftpd_t)
-')
-
-tunable_policy(`sftpd_full_access',`
- allow sftpd_t self:capability { dac_override dac_read_search };
- fs_read_noxattr_fs_files(sftpd_t)
- files_manage_non_auth_files(sftpd_t)
-')
-
-tunable_policy(`sftpd_write_ssh_home',`
- ssh_manage_home_files(sftpd_t)
-')
-tunable_policy(`use_samba_home_dirs',`
- fs_list_cifs(sftpd_t)
- fs_read_cifs_files(sftpd_t)
- fs_read_cifs_symlinks(sftpd_t)
-')
+userdom_home_reader(sftpd_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_list_nfs(sftpd_t)
- fs_read_nfs_files(sftpd_t)
- fs_read_nfs_symlinks(ftpd_t)
-')
diff --git a/games.if b/games.if
index e2a3e0dba..50ebd4080 100644
--- a/games.if
+++ b/games.if
@@ -58,3 +58,23 @@ interface(`games_rw_data',`
files_search_var_lib($1)
rw_files_pattern($1, games_data_t, games_data_t)
')
+
+########################################
+##
+## Manage games data files.
+## games data.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`games_manage_data_files',`
+ gen_require(`
+ type games_data_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, games_data_t, games_data_t)
+')
diff --git a/games.te b/games.te
index e5b15fb7e..220622e84 100644
--- a/games.te
+++ b/games.te
@@ -76,8 +76,6 @@ init_use_script_ptys(games_srv_t)
logging_send_syslog_msg(games_srv_t)
-miscfiles_read_localization(games_srv_t)
-
userdom_dontaudit_use_unpriv_user_fds(games_srv_t)
userdom_dontaudit_search_user_home_dirs(games_srv_t)
@@ -120,7 +118,6 @@ kernel_read_system_state(games_t)
corecmd_exec_bin(games_t)
-corenet_all_recvfrom_unlabeled(games_t)
corenet_all_recvfrom_netlabel(games_t)
corenet_tcp_sendrecv_generic_if(games_t)
corenet_tcp_sendrecv_generic_node(games_t)
@@ -142,8 +139,6 @@ dev_write_sound(games_t)
files_list_var(games_t)
files_search_var_lib(games_t)
files_dontaudit_search_var(games_t)
-files_read_etc_files(games_t)
-files_read_usr_files(games_t)
files_read_var_files(games_t)
init_dontaudit_rw_utmp(games_t)
@@ -151,7 +146,6 @@ init_dontaudit_rw_utmp(games_t)
logging_dontaudit_search_logs(games_t)
miscfiles_read_man_pages(games_t)
-miscfiles_read_localization(games_t)
sysnet_dns_name_resolve(games_t)
@@ -161,7 +155,7 @@ userdom_manage_user_tmp_symlinks(games_t)
userdom_manage_user_tmp_sockets(games_t)
userdom_dontaudit_read_user_home_content_files(games_t)
-tunable_policy(`allow_execmem',`
+tunable_policy(`deny_execmem',`', `
allow games_t self:process execmem;
')
diff --git a/gatekeeper.te b/gatekeeper.te
index 28203689c..88c98f481 100644
--- a/gatekeeper.te
+++ b/gatekeeper.te
@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(gatekeeper_t)
corecmd_list_bin(gatekeeper_t)
-corenet_all_recvfrom_unlabeled(gatekeeper_t)
corenet_all_recvfrom_netlabel(gatekeeper_t)
corenet_tcp_sendrecv_generic_if(gatekeeper_t)
corenet_udp_sendrecv_generic_if(gatekeeper_t)
@@ -77,15 +76,11 @@ dev_read_urand(gatekeeper_t)
domain_use_interactive_fds(gatekeeper_t)
-files_read_etc_files(gatekeeper_t)
-
fs_getattr_all_fs(gatekeeper_t)
fs_search_auto_mountpoints(gatekeeper_t)
logging_send_syslog_msg(gatekeeper_t)
-miscfiles_read_localization(gatekeeper_t)
-
sysnet_read_config(gatekeeper_t)
userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
diff --git a/gdomap.te b/gdomap.te
index db7b56c2d..3c2357965 100644
--- a/gdomap.te
+++ b/gdomap.te
@@ -32,6 +32,7 @@ files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")
corenet_sendrecv_gdomap_server_packets(gdomap_t)
corenet_tcp_bind_generic_node(gdomap_t)
corenet_tcp_bind_gdomap_port(gdomap_t)
+corenet_tcp_connect_gdomap_port(gdomap_t)
corenet_tcp_sendrecv_gdomap_port(gdomap_t)
corenet_udp_bind_generic_node(gdomap_t)
corenet_udp_bind_gdomap_port(gdomap_t)
diff --git a/gear.fc b/gear.fc
new file mode 100644
index 000000000..4d7dc9991
--- /dev/null
+++ b/gear.fc
@@ -0,0 +1,6 @@
+/usr/bin/gear -- gen_context(system_u:object_r:gear_exec_t,s0)
+
+/usr/lib/systemd/system/gear.service -- gen_context(system_u:object_r:gear_unit_file_t,s0)
+
+/var/lib/containers/units(/.*)? gen_context(system_u:object_r:gear_unit_file_t,s0)
+/var/lib/gear(/.*)? gen_context(system_u:object_r:gear_var_lib_t,s0)
diff --git a/gear.if b/gear.if
new file mode 100644
index 000000000..2c08004bf
--- /dev/null
+++ b/gear.if
@@ -0,0 +1,288 @@
+
+## The open-source application container engine.
+
+########################################
+##
+## Execute gear in the gear domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`gear_domtrans',`
+ gen_require(`
+ type gear_t, gear_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gear_exec_t, gear_t)
+')
+
+########################################
+##
+## Search gear lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gear_search_lib',`
+ gen_require(`
+ type gear_var_lib_t;
+ ')
+
+ allow $1 gear_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Execute gear lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gear_exec_lib',`
+ gen_require(`
+ type gear_var_lib_t;
+ ')
+
+ allow $1 gear_var_lib_t:dir search_dir_perms;
+ can_exec($1, gear_var_lib_t)
+')
+
+########################################
+##
+## Read gear lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gear_read_lib_files',`
+ gen_require(`
+ type gear_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
+')
+
+########################################
+##
+## Manage gear lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gear_manage_lib_files',`
+ gen_require(`
+ type gear_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
+ manage_lnk_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
+')
+
+########################################
+##
+## Manage gear lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gear_manage_lib_dirs',`
+ gen_require(`
+ type gear_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, gear_var_lib_t, gear_var_lib_t)
+')
+
+########################################
+##
+## Create objects in a gear var lib directory
+## with an automatic type transition to
+## a specified private type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`gear_lib_filetrans',`
+ gen_require(`
+ type gear_var_lib_t;
+ ')
+
+ filetrans_pattern($1, gear_var_lib_t, $2, $3, $4)
+')
+
+########################################
+##
+## Read gear PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gear_read_pid_files',`
+ gen_require(`
+ type gear_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, gear_var_run_t, gear_var_run_t)
+')
+
+########################################
+##
+## Execute gear server in the gear domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`gear_systemctl',`
+ gen_require(`
+ type gear_t;
+ type gear_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 gear_unit_file_t:file read_file_perms;
+ allow $1 gear_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, gear_t)
+')
+
+########################################
+##
+## Read and write gear shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gear_rw_sem',`
+ gen_require(`
+ type gear_t;
+ ')
+
+ allow $1 gear_t:sem rw_sem_perms;
+')
+
+#######################################
+##
+## Read and write the gear pty type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gear_use_ptys',`
+ gen_require(`
+ type gear_devpts_t;
+ ')
+
+ allow $1 gear_devpts_t:chr_file rw_term_perms;
+')
+
+#######################################
+##
+## Allow domain to create gear content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gear_filetrans_named_content',`
+ gen_require(`
+ type gear_var_lib_t;
+ type gear_var_run_t;
+ ')
+
+ files_pid_filetrans($1, gear_var_run_t, file, "gear.pid")
+ files_var_lib_filetrans($1, gear_var_lib_t, dir, "gear")
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an gear environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gear_admin',`
+ gen_require(`
+ type gear_t;
+ type gear_var_lib_t, gear_var_run_t;
+ type gear_unit_file_t;
+ type gear_log_t;
+ ')
+
+ allow $1 gear_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gear_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, gear_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gear_var_run_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, gear_log_t)
+
+ gear_systemctl($1)
+ admin_pattern($1, gear_unit_file_t)
+ allow $1 gear_unit_file_t:service all_service_perms;
+')
diff --git a/gear.te b/gear.te
new file mode 100644
index 000000000..33dbdf7ec
--- /dev/null
+++ b/gear.te
@@ -0,0 +1,136 @@
+policy_module(gear, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gear_t;
+type gear_exec_t;
+init_daemon_domain(gear_t, gear_exec_t)
+
+type gear_var_lib_t;
+files_type(gear_var_lib_t)
+
+type gear_log_t;
+logging_log_file(gear_log_t)
+
+type gear_var_run_t;
+files_pid_file(gear_var_run_t)
+
+type gear_unit_file_t;
+systemd_unit_file(gear_unit_file_t)
+
+########################################
+#
+# gear local policy
+#
+allow gear_t self:capability { chown net_admin fowner dac_read_search dac_override };
+dontaudit gear_t self:capability sys_ptrace;
+allow gear_t self:capability2 block_suspend;
+allow gear_t self:process { getattr signal_perms };
+allow gear_t self:fifo_file rw_fifo_file_perms;
+allow gear_t self:unix_stream_socket create_stream_socket_perms;
+allow gear_t self:tcp_socket create_stream_socket_perms;
+
+allow gear_t gear_unit_file_t:file read_file_perms;
+allow gear_t gear_unit_file_t:service manage_service_perms;
+allow gear_t gear_unit_file_t:dir { relabelfrom relabelto };
+manage_dirs_pattern(gear_t, gear_unit_file_t, gear_unit_file_t)
+
+manage_dirs_pattern(gear_t, gear_log_t, gear_log_t)
+manage_files_pattern(gear_t, gear_log_t, gear_log_t)
+manage_lnk_files_pattern(gear_t, gear_log_t, gear_log_t)
+logging_log_filetrans(gear_t, gear_log_t, { dir file lnk_file })
+
+gear_filetrans_named_content(gear_t)
+
+manage_dirs_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+manage_chr_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+manage_blk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+manage_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+manage_lnk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+files_var_lib_filetrans(gear_t, gear_var_lib_t, { dir file lnk_file })
+allow gear_t gear_var_lib_t:dir { relabelfrom relabelto };
+
+manage_dirs_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+manage_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+manage_sock_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+manage_lnk_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+files_pid_filetrans(gear_t, gear_var_run_t, { dir file lnk_file sock_file })
+init_pid_filetrans(gear_t, gear_var_run_t, { dir file lnk_file sock_file })
+
+kernel_read_system_state(gear_t)
+kernel_read_network_state(gear_t)
+kernel_read_all_sysctls(gear_t)
+kernel_rw_net_sysctls(gear_t)
+
+domain_use_interactive_fds(gear_t)
+domain_read_all_domains_state(gear_t)
+
+corecmd_exec_bin(gear_t)
+corecmd_exec_shell(gear_t)
+
+corenet_tcp_bind_generic_node(gear_t)
+corenet_tcp_sendrecv_generic_if(gear_t)
+corenet_tcp_sendrecv_generic_node(gear_t)
+corenet_tcp_sendrecv_generic_port(gear_t)
+corenet_tcp_bind_gear_port(gear_t)
+
+dev_mounton_sysfs(gear_t)
+dev_mount_sysfs_fs(gear_t)
+dev_unmount_sysfs_fs(gear_t)
+
+files_mounton_rootfs(gear_t)
+files_read_etc_files(gear_t)
+
+fs_list_cgroup_dirs(gear_t)
+fs_read_cgroup_files(gear_t)
+fs_read_tmpfs_symlinks(gear_t)
+fs_getattr_all_fs(gear_t)
+
+auth_use_nsswitch(gear_t)
+
+init_read_state(gear_t)
+init_dbus_chat(gear_t)
+init_enable_services(gear_t)
+
+iptables_domtrans(gear_t)
+
+logging_send_audit_msgs(gear_t)
+logging_send_syslog_msg(gear_t)
+logging_read_generic_logs(gear_t)
+
+miscfiles_read_localization(gear_t)
+
+mount_domtrans(gear_t)
+
+selinux_validate_context(gear_t)
+
+seutil_read_default_contexts(gear_t)
+seutil_read_config(gear_t)
+
+sysnet_dns_name_resolve(gear_t)
+
+sysnet_exec_ifconfig(gear_t)
+sysnet_manage_ifconfig_run(gear_t)
+
+systemd_manage_all_unit_files(gear_t)
+systemd_exec_systemctl(gear_t)
+
+usermanage_domtrans_useradd(gear_t)
+usermanage_domtrans_passwd(gear_t)
+
+optional_policy(`
+ hostname_exec(gear_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(gear_t)
+')
+
+optional_policy(`
+ openshift_manage_lib_dirs(gear_t)
+ openshift_manage_lib_files(gear_t)
+ openshift_relabelfrom_lib(gear_t)
+')
diff --git a/geoclue.fc b/geoclue.fc
new file mode 100644
index 000000000..a97f14fd9
--- /dev/null
+++ b/geoclue.fc
@@ -0,0 +1,4 @@
+
+/usr/libexec/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
+
+/var/lib/geoclue(/.*)? gen_context(system_u:object_r:geoclue_var_lib_t,s0)
diff --git a/geoclue.if b/geoclue.if
new file mode 100644
index 000000000..cf9f7bfca
--- /dev/null
+++ b/geoclue.if
@@ -0,0 +1,153 @@
+
+## Geoclue is a D-Bus service that provides location information
+
+########################################
+##
+## Execute geoclue in the geoclue domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`geoclue_domtrans',`
+ gen_require(`
+ type geoclue_t, geoclue_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, geoclue_exec_t, geoclue_t)
+')
+
+########################################
+##
+## Search geoclue lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`geoclue_search_lib',`
+ gen_require(`
+ type geoclue_var_lib_t;
+ ')
+
+ allow $1 geoclue_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read geoclue lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`geoclue_read_lib_files',`
+ gen_require(`
+ type geoclue_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
+')
+
+########################################
+##
+## Manage geoclue lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`geoclue_manage_lib_files',`
+ gen_require(`
+ type geoclue_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
+')
+
+########################################
+##
+## Manage geoclue lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`geoclue_manage_lib_dirs',`
+ gen_require(`
+ type geoclue_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
+')
+
+########################################
+##
+## Send and receive messages from
+## geoclue over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`geoclue_dbus_chat',`
+ gen_require(`
+ type geoclue_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 geoclue_t:dbus send_msg;
+ allow geoclue_t $1:dbus send_msg;
+ ps_process_pattern(geoclue_t, $1)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an geoclue environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`geoclue_admin',`
+ gen_require(`
+ type geoclue_t;
+ type geoclue_var_lib_t;
+ ')
+
+ allow $1 geoclue_t:process { signal_perms };
+ ps_process_pattern($1, geoclue_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 geoclue_t:process ptrace;
+ ')
+
+ files_search_var_lib($1)
+ admin_pattern($1, geoclue_var_lib_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/geoclue.te b/geoclue.te
new file mode 100644
index 000000000..efd838f74
--- /dev/null
+++ b/geoclue.te
@@ -0,0 +1,71 @@
+policy_module(geoclue, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type geoclue_t;
+type geoclue_exec_t;
+application_domain(geoclue_t, geoclue_exec_t)
+role system_r types geoclue_t;
+
+type geoclue_var_lib_t;
+files_type(geoclue_var_lib_t)
+
+type geoclue_tmp_t;
+files_tmp_file(geoclue_tmp_t)
+
+########################################
+#
+# geoclue local policy
+#
+allow geoclue_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
+manage_files_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
+manage_lnk_files_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
+files_var_lib_filetrans(geoclue_t, geoclue_var_lib_t, { dir })
+
+manage_files_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
+manage_dirs_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
+files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file })
+
+kernel_read_network_state(geoclue_t)
+
+auth_read_passwd(geoclue_t)
+
+corenet_tcp_connect_http_port(geoclue_t)
+corenet_tcp_connect_http_cache_port(geoclue_t)
+
+corecmd_exec_bin(geoclue_t)
+
+dev_read_urand(geoclue_t)
+
+logging_send_syslog_msg(geoclue_t)
+
+miscfiles_read_certs(geoclue_t)
+
+sysnet_dns_name_resolve(geoclue_t)
+
+optional_policy(`
+ kerberos_use(geoclue_t)
+')
+
+optional_policy(`
+ dbus_system_domain(geoclue_t, geoclue_exec_t)
+
+ optional_policy(`
+ avahi_dbus_chat(geoclue_t)
+ ')
+ optional_policy(`
+ modemmanager_dbus_chat(geoclue_t)
+ ')
+ optional_policy(`
+ networkmanager_dbus_chat(geoclue_t)
+ ')
+')
+
+optional_policy(`
+ pcscd_stream_connect(geoclue_t)
+')
diff --git a/gift.te b/gift.te
index 8a820face..996b30c16 100644
--- a/gift.te
+++ b/gift.te
@@ -67,17 +67,7 @@ auth_use_nsswitch(gift_t)
userdom_dontaudit_read_user_home_content_files(gift_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(gift_t)
- fs_manage_nfs_files(gift_t)
- fs_manage_nfs_symlinks(gift_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(gift_t)
- fs_manage_cifs_files(gift_t)
- fs_manage_cifs_symlinks(gift_t)
-')
+userdom_home_manager(gift_t)
optional_policy(`
xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t)
@@ -119,22 +109,8 @@ corenet_sendrecv_all_client_packets(giftd_t)
corenet_tcp_connect_all_ports(giftd_t)
files_read_etc_runtime_files(giftd_t)
-files_read_usr_files(giftd_t)
-
-miscfiles_read_localization(giftd_t)
sysnet_dns_name_resolve(giftd_t)
-userdom_use_user_terminals(giftd_t)
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(giftd_t)
- fs_manage_nfs_files(giftd_t)
- fs_manage_nfs_symlinks(giftd_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(giftd_t)
- fs_manage_cifs_files(giftd_t)
- fs_manage_cifs_symlinks(giftd_t)
-')
+userdom_use_inherited_user_terminals(giftd_t)
+userdom_home_manager(gitd_t)
diff --git a/git.fc b/git.fc
index 24700f84b..6561d568e 100644
--- a/git.fc
+++ b/git.fc
@@ -2,12 +2,12 @@ HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
-/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+/var/cache/cgit(/.*)? gen_context(system_u:object_r:git_rw_content_t,s0)
+/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:git_rw_content_t,s0)
/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
-/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
-/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
-/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
-/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:git_script_exec_t,s0)
+/var/www/git(/.*)? gen_context(system_u:object_r:git_content_t,s0)
+/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:git_script_exec_t,s0)
+/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:git_script_exec_t,s0)
diff --git a/git.if b/git.if
index 1e29af196..6c64f55c3 100644
--- a/git.if
+++ b/git.if
@@ -37,7 +37,10 @@ template(`git_role',`
allow $2 git_user_content_t:file { exec_file_perms manage_file_perms relabel_file_perms };
userdom_user_home_dir_filetrans($2, git_user_content_t, dir, "public_git")
- allow $2 git_session_t:process { ptrace signal_perms };
+ allow $2 git_session_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 git_session_t:process ptrace;
+ ')
ps_process_pattern($2, git_session_t)
tunable_policy(`git_session_users',`
@@ -64,6 +67,7 @@ interface(`git_read_generic_sys_content_files',`
list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
read_files_pattern($1, git_sys_content_t, git_sys_content_t)
+ read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t)
files_search_var_lib($1)
@@ -79,3 +83,21 @@ interface(`git_read_generic_sys_content_files',`
fs_read_nfs_files($1)
')
')
+
+#######################################
+##
+## Create Git user content with a
+## named file transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`git_filetrans_user_content',`
+ gen_require(`
+ type git_user_content_t;
+ ')
+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+')
diff --git a/git.te b/git.te
index dc49c715e..43f79d6de 100644
--- a/git.te
+++ b/git.te
@@ -47,14 +47,6 @@ gen_tunable(git_session_bind_all_unreserved_ports, false)
##
gen_tunable(git_session_users, false)
-##
-##
-## Determine whether Git session daemons
-## can send syslog messages.
-##
-##
-gen_tunable(git_session_send_syslog_msg, false)
-
##
##
## Determine whether Git system daemon
@@ -83,6 +75,7 @@ attribute git_daemon;
attribute_role git_session_roles;
apache_content_template(git)
+apache_content_alias_template(git, git)
type git_system_t, git_daemon;
type gitd_exec_t;
@@ -93,12 +86,15 @@ type git_session_t, git_daemon;
userdom_user_application_domain(git_session_t, gitd_exec_t)
role git_session_roles types git_session_t;
-type git_sys_content_t;
+type git_sys_content_t alias git_system_content_t;
files_type(git_sys_content_t)
-type git_user_content_t;
+type git_user_content_t alias git_session_content_t;
userdom_user_home_content(git_user_content_t)
+type git_script_tmp_t;
+files_tmp_file(git_script_tmp_t)
+
########################################
#
# Session policy
@@ -110,6 +106,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
userdom_search_user_home_dirs(git_session_t)
+kernel_read_system_state(git_session_t)
+
corenet_all_recvfrom_netlabel(git_session_t)
corenet_all_recvfrom_unlabeled(git_session_t)
corenet_tcp_bind_generic_node(git_session_t)
@@ -130,9 +128,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
corenet_tcp_sendrecv_all_ports(git_session_t)
')
-tunable_policy(`git_session_send_syslog_msg',`
- logging_send_syslog_msg(git_session_t)
-')
+logging_send_syslog_msg(git_session_t)
tunable_policy(`use_nfs_home_dirs',`
fs_getattr_nfs(git_session_t)
@@ -158,6 +154,9 @@ tunable_policy(`use_samba_home_dirs',`
list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
+kernel_read_network_state(git_system_t)
+kernel_read_system_state(git_system_t)
+
corenet_all_recvfrom_unlabeled(git_system_t)
corenet_all_recvfrom_netlabel(git_system_t)
corenet_tcp_sendrecv_generic_if(git_system_t)
@@ -176,6 +175,10 @@ logging_send_syslog_msg(git_system_t)
tunable_policy(`git_system_enable_homedirs',`
userdom_search_user_home_dirs(git_system_t)
+ list_dirs_pattern(git_script_t, git_user_content_t, git_user_content_t)
+ list_dirs_pattern(git_system_t, git_user_content_t, git_user_content_t)
+ read_files_pattern(git_system_t, git_user_content_t, git_user_content_t)
+
')
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
@@ -215,48 +218,54 @@ tunable_policy(`git_system_use_nfs',`
# CGI policy
#
-list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
-read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
-files_search_var_lib(httpd_git_script_t)
+manage_dirs_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t)
+manage_files_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t)
+manage_lnk_files_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t)
+files_tmp_filetrans(git_script_t, git_script_tmp_t, { file dir })
-files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+list_dirs_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+read_files_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+files_search_var_lib(git_script_t)
+allow git_script_t git_sys_content_t:file map;
+allow git_script_t git_user_content_t:file map;
-auth_use_nsswitch(httpd_git_script_t)
+auth_use_nsswitch(git_script_t)
tunable_policy(`git_cgi_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_git_script_t)
+ userdom_search_user_home_dirs(git_script_t)
')
+fs_getattr_tmpfs(git_script_t)
tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',`
- fs_getattr_nfs(httpd_git_script_t)
- fs_list_nfs(httpd_git_script_t)
- fs_read_nfs_files(httpd_git_script_t)
+ fs_getattr_nfs(git_script_t)
+ fs_list_nfs(git_script_t)
+ fs_read_nfs_files(git_script_t)
',`
- fs_dontaudit_read_nfs_files(httpd_git_script_t)
+ fs_dontaudit_read_nfs_files(git_script_t)
')
tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',`
- fs_getattr_cifs(httpd_git_script_t)
- fs_list_cifs(httpd_git_script_t)
- fs_read_cifs_files(httpd_git_script_t)
+ fs_getattr_cifs(git_script_t)
+ fs_list_cifs(git_script_t)
+ fs_read_cifs_files(git_script_t)
',`
- fs_dontaudit_read_cifs_files(httpd_git_script_t)
+ fs_dontaudit_read_cifs_files(git_script_t)
')
tunable_policy(`git_cgi_use_cifs',`
- fs_getattr_cifs(httpd_git_script_t)
- fs_list_cifs(httpd_git_script_t)
- fs_read_cifs_files(httpd_git_script_t)
+ fs_getattr_cifs(git_script_t)
+ fs_list_cifs(git_script_t)
+ fs_read_cifs_files(git_script_t)
',`
- fs_dontaudit_read_cifs_files(httpd_git_script_t)
+ fs_dontaudit_read_cifs_files(git_script_t)
')
tunable_policy(`git_cgi_use_nfs',`
- fs_getattr_nfs(httpd_git_script_t)
- fs_list_nfs(httpd_git_script_t)
- fs_read_nfs_files(httpd_git_script_t)
+ fs_getattr_nfs(git_script_t)
+ fs_list_nfs(git_script_t)
+ fs_read_nfs_files(git_script_t)
',`
- fs_dontaudit_read_nfs_files(httpd_git_script_t)
+ fs_dontaudit_read_nfs_files(git_script_t)
')
########################################
@@ -266,12 +275,9 @@ tunable_policy(`git_cgi_use_nfs',`
allow git_daemon self:fifo_file rw_fifo_file_perms;
-kernel_read_system_state(git_daemon)
+#kernel_read_system_state(git_daemon)
corecmd_exec_bin(git_daemon)
-files_read_usr_files(git_daemon)
-
fs_search_auto_mountpoints(git_daemon)
-miscfiles_read_localization(git_daemon)
diff --git a/gitosis.te b/gitosis.te
index 582db0a2e..d77a1a549 100644
--- a/gitosis.te
+++ b/gitosis.te
@@ -52,12 +52,8 @@ corecmd_exec_shell(gitosis_t)
dev_read_urand(gitosis_t)
-files_read_etc_files(gitosis_t)
-files_read_usr_files(gitosis_t)
files_search_var_lib(gitosis_t)
-miscfiles_read_localization(gitosis_t)
-
sysnet_read_config(gitosis_t)
tunable_policy(`gitosis_can_sendmail',`
diff --git a/glance.fc b/glance.fc
index c21a528b5..a746a2b16 100644
--- a/glance.fc
+++ b/glance.fc
@@ -1,8 +1,14 @@
/etc/rc\.d/init\.d/openstack-glance-api -- gen_context(system_u:object_r:glance_api_initrc_exec_t,s0)
/etc/rc\.d/init\.d/openstack-glance-registry -- gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/openstack-glance-scrubber -- gen_context(system_u:object_r:glance_scrubber_initrc_exec_t,s0)
-/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0)
+/usr/lib/systemd/system/openstack-glance-api.* -- gen_context(system_u:object_r:glance_api_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-glance-registry.* -- gen_context(system_u:object_r:glance_registry_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-glance-scrubber.* -- gen_context(system_u:object_r:glance_scrubber_unit_file_t,s0)
+
+/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0)
/usr/bin/glance-registry -- gen_context(system_u:object_r:glance_registry_exec_t,s0)
+/usr/bin/glance-scrubber -- gen_context(system_u:object_r:glance_scrubber_exec_t,s0)
/var/lib/glance(/.*)? gen_context(system_u:object_r:glance_var_lib_t,s0)
diff --git a/glance.if b/glance.if
index 9eacb2c9c..7b19ad2db 100644
--- a/glance.if
+++ b/glance.if
@@ -1,5 +1,38 @@
## OpenStack image registry and delivery service.
+#######################################
+##
+## Creates types and rules for a basic
+## glance daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`glance_basic_types_template',`
+ gen_require(`
+ attribute glance_domain;
+ ')
+
+ type $1_t, glance_domain;
+ type $1_exec_t;
+
+ type $1_unit_file_t;
+ systemd_unit_file($1_unit_file_t)
+
+ kernel_read_system_state($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ auth_use_nsswitch($1_t)
+
+')
+
########################################
##
## Execute a domain transition to
@@ -26,9 +59,9 @@ interface(`glance_domtrans_registry',`
## run glance api.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`glance_domtrans_api',`
@@ -242,8 +275,13 @@ interface(`glance_admin',`
type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
')
- allow $1 { glance_api_t glance_registry_t }:process signal_perms;
- ps_process_pattern($1, { glance_api_t glance_registry_t })
+ allow $1 glance_registry_t:process signal_perms;
+ ps_process_pattern($1, glance_registry_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 glance_registry_t:process ptrace;
+ allow $1 glance_api_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
domain_system_change_exemption($1)
diff --git a/glance.te b/glance.te
index 5cd09096a..bd3c3d21b 100644
--- a/glance.te
+++ b/glance.te
@@ -5,10 +5,31 @@ policy_module(glance, 1.1.0)
# Declarations
#
+##
+##
+## Determine whether glance-api can
+## connect to all TCP ports
+##
+##
+gen_tunable(glance_api_can_network, false)
+
+##
+##
+## Allow glance domain to manage fuse files
+##
+##
+gen_tunable(glance_use_fusefs, false)
+
+##
+##
+## Allow glance domain to use executable memory and executable stack
+##
+##
+gen_tunable(glance_use_execmem, false)
+
attribute glance_domain;
-type glance_registry_t, glance_domain;
-type glance_registry_exec_t;
+glance_basic_types_template(glance_registry)
init_daemon_domain(glance_registry_t, glance_registry_exec_t)
type glance_registry_initrc_exec_t;
@@ -17,13 +38,21 @@ init_script_file(glance_registry_initrc_exec_t)
type glance_registry_tmp_t;
files_tmp_file(glance_registry_tmp_t)
-type glance_api_t, glance_domain;
-type glance_api_exec_t;
+type glance_registry_tmpfs_t;
+files_tmpfs_file(glance_registry_tmpfs_t)
+
+glance_basic_types_template(glance_api)
init_daemon_domain(glance_api_t, glance_api_exec_t)
type glance_api_initrc_exec_t;
init_script_file(glance_api_initrc_exec_t)
+glance_basic_types_template(glance_scrubber)
+init_daemon_domain(glance_scrubber_t, glance_scrubber_exec_t)
+
+type glance_scrubber_initrc_exec_t;
+init_script_file(glance_scrubber_initrc_exec_t)
+
type glance_log_t;
logging_log_file(glance_log_t)
@@ -41,6 +70,7 @@ files_pid_file(glance_var_run_t)
# Common local policy
#
+allow glance_domain self:process signal_perms;
allow glance_domain self:fifo_file rw_fifo_file_perms;
allow glance_domain self:unix_stream_socket create_stream_socket_perms;
allow glance_domain self:tcp_socket { accept listen };
@@ -56,29 +86,40 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
-kernel_read_system_state(glance_domain)
-
-corenet_all_recvfrom_unlabeled(glance_domain)
-corenet_all_recvfrom_netlabel(glance_domain)
corenet_tcp_sendrecv_generic_if(glance_domain)
corenet_tcp_sendrecv_generic_node(glance_domain)
corenet_tcp_sendrecv_all_ports(glance_domain)
corenet_tcp_bind_generic_node(glance_domain)
+corenet_tcp_connect_mysqld_port(glance_domain)
+corenet_tcp_connect_http_port(glance_domain)
corecmd_exec_bin(glance_domain)
corecmd_exec_shell(glance_domain)
dev_read_urand(glance_domain)
+dev_read_sysfs(glance_domain)
-files_read_etc_files(glance_domain)
-files_read_usr_files(glance_domain)
+auth_read_passwd(glance_domain)
libs_exec_ldconfig(glance_domain)
-miscfiles_read_localization(glance_domain)
-
sysnet_dns_name_resolve(glance_domain)
+tunable_policy(`glance_use_fusefs',`
+ fs_manage_fusefs_dirs(glance_domain)
+ fs_manage_fusefs_files(glance_domain)
+ fs_read_fusefs_symlinks(glance_domain)
+ fs_getattr_fusefs(glance_domain)
+')
+
+tunable_policy(`glance_use_execmem',`
+ allow glance_domain self:process { execmem execstack };
+')
+
+optional_policy(`
+ mysql_read_db_lnk_files(glance_domain)
+')
+
########################################
#
# Registry local policy
@@ -88,8 +129,16 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
+manage_dirs_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
+manage_files_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
+fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t,{ dir file })
+
+corenet_tcp_bind_generic_node(glance_registry_t)
corenet_sendrecv_glance_registry_server_packets(glance_registry_t)
corenet_tcp_bind_glance_registry_port(glance_registry_t)
+corenet_tcp_connect_all_ephemeral_ports(glance_registry_t)
+
+corenet_tcp_connect_keystone_port(glance_registry_t)
logging_send_syslog_msg(glance_registry_t)
@@ -108,13 +157,38 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
can_exec(glance_api_t, glance_tmp_t)
-corenet_sendrecv_armtechdaemon_server_packets(glance_api_t)
-corenet_tcp_bind_armtechdaemon_port(glance_api_t)
-
-corenet_sendrecv_hplip_server_packets(glance_api_t)
-corenet_tcp_bind_hplip_port(glance_api_t)
+corenet_tcp_bind_generic_node(glance_api_t)
+corenet_tcp_bind_glance_port(glance_api_t)
corenet_sendrecv_glance_registry_client_packets(glance_api_t)
+corenet_tcp_connect_amqp_port(glance_api_t)
corenet_tcp_connect_glance_registry_port(glance_api_t)
+corenet_tcp_connect_mysqld_port(glance_api_t)
+corenet_tcp_connect_http_port(glance_api_t)
+
+corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
+corenet_tcp_connect_commplex_main_port(glance_api_t)
+corenet_tcp_connect_http_cache_port(glance_api_t)
+
+corenet_sendrecv_hplip_server_packets(glance_api_t)
+corenet_tcp_bind_hplip_port(glance_api_t)
fs_getattr_xattr_fs(glance_api_t)
+
+tunable_policy(`glance_api_can_network',`
+ corenet_sendrecv_all_client_packets(glance_api_t)
+ corenet_tcp_connect_all_ports(glance_api_t)
+ corenet_tcp_sendrecv_all_ports(glance_api_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(glance_api_t)
+')
+
+########################################
+#
+# Scrubber local policy
+#
+
+corenet_tcp_connect_commplex_main_port(glance_scrubber_t)
+corenet_tcp_connect_glance_registry_port(glance_scrubber_t)
diff --git a/glusterd.fc b/glusterd.fc
new file mode 100644
index 000000000..e42e81f5f
--- /dev/null
+++ b/glusterd.fc
@@ -0,0 +1,30 @@
+/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+
+/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+
+/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/usr/sbin/glustereventsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+/usr/sbin/gluster-eventsapi -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+
+/usr/libexec/glusterfs/peer_eventsapi.py -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+/usr/libexec/glusterfs/events/glustereventsd.py -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+
+/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
+
+/var/run/gluster(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0)
+
+/var/log/ganesha(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
+/var/log/ganesha.log -- gen_context(system_u:object_r:glusterd_log_t,s0)
+/var/log/ganesha-gfapi.log -- gen_context(system_u:object_r:glusterd_log_t,s0)
+
diff --git a/glusterd.if b/glusterd.if
new file mode 100644
index 000000000..a62e355ac
--- /dev/null
+++ b/glusterd.if
@@ -0,0 +1,302 @@
+
+## policy for glusterd
+
+
+########################################
+##
+## Transition to glusterd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`glusterd_domtrans',`
+ gen_require(`
+ type glusterd_t, glusterd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, glusterd_exec_t, glusterd_t)
+')
+
+
+########################################
+##
+## Execute glusterd server in the glusterd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`glusterd_initrc_domtrans',`
+ gen_require(`
+ type glusterd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
+')
+
+########################################
+##
+## Read glusterd's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`glusterd_read_log',`
+ gen_require(`
+ type glusterd_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, glusterd_log_t, glusterd_log_t)
+')
+
+########################################
+##
+## Append to glusterd log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`glusterd_append_log',`
+ gen_require(`
+ type glusterd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, glusterd_log_t, glusterd_log_t)
+')
+
+#######################################
+##
+## Transition content labels to glusterd named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`glusterd_filetrans_named_pid',`
+ gen_require(`
+ type glusterd_var_run_t;
+ ')
+ files_pid_filetrans($1, glusterd_var_run_t , sock_file, "glusterd.socket")
+')
+
+########################################
+##
+## Manage glusterd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`glusterd_manage_pid',`
+ gen_require(`
+ type glusterd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, glusterd_var_run_t, glusterd_var_run_t)
+ manage_files_pattern($1, glusterd_var_run_t, glusterd_var_run_t)
+')
+
+########################################
+##
+## Manage glusterd log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`glusterd_manage_log',`
+ gen_require(`
+ type glusterd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t)
+ manage_files_pattern($1, glusterd_log_t, glusterd_log_t)
+ manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t)
+ logging_log_named_filetrans($1, glusterd_log_t, file, "ganesha.log")
+')
+
+######################################
+##
+## Allow the specified domain to execute gluster's lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gluster_execute_lib',`
+ gen_require(`
+ type glusterd_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ allow $1 glusterd_var_lib_t:dir search_dir_perms;
+ can_exec($1, glusterd_var_lib_t)
+')
+
+######################################
+##
+## Read glusterd's config files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`glusterd_read_conf',`
+ gen_require(`
+ type glusterd_conf_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, glusterd_conf_t, glusterd_conf_t)
+')
+
+######################################
+##
+## Dontaudit Read /var/lib/glusterd files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`glusterd_dontaudit_read_lib_dirs',`
+ gen_require(`
+ type glusterd_var_lib_t;
+ ')
+
+ dontaudit $1 glusterd_var_lib_t:dir list_dir_perms;
+')
+
+######################################
+##
+## Read and write /var/lib/glusterd files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`glusterd_rw_lib',`
+ gen_require(`
+ type glusterd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
+')
+
+######################################
+##
+## Read /var/lib/glusterd files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`glusterd_read_lib_files',`
+ gen_require(`
+ type glusterd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 glusterd_var_lib_t:dir search_dir_perms;
+ read_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
+')
+
+######################################
+##
+## Read and write /var/lib/glusterd files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`glusterd_manage_lib_files',`
+ gen_require(`
+ type glusterd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 glusterd_var_lib_t:dir search_dir_perms;
+ manage_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
+')
+
+######################################
+##
+## All of the rules required to administrate
+## an glusterd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`glusterd_admin',`
+ gen_require(`
+ type glusterd_t;
+ type glusterd_initrc_exec_t;
+ type glusterd_log_t;
+ type glusterd_tmp_t;
+ type glusterd_conf_t;
+ ')
+
+ allow $1 glusterd_t:process { signal_perms };
+ ps_process_pattern($1, glusterd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 glusterd_t:process ptrace;
+ ')
+
+ glusterd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 glusterd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, glusterd_log_t)
+
+ admin_pattern($1, glusterd_tmp_t)
+
+ admin_pattern($1, glusterd_conf_t)
+
+')
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
index 000000000..7804cbaf4
--- /dev/null
+++ b/glusterd.te
@@ -0,0 +1,330 @@
+policy_module(glusterd, 1.1.2)
+
+##
+##
+## Allow glusterfsd to modify public files used for public file
+## transfer services. Files/Directories must be labeled
+## public_content_rw_t.
+##
+##
+gen_tunable(gluster_anon_write, false)
+
+##
+##
+## Allow glusterfsd to share any file/directory read only.
+##
+##
+gen_tunable(gluster_export_all_ro, false)
+
+##
+##
+## Allow glusterfsd to share any file/directory read/write.
+##
+##
+gen_tunable(gluster_export_all_rw, true)
+
+##
+##
+## Allow glusterd_t domain to use executable memory
+##
+##
+gen_tunable(gluster_use_execmem, false)
+
+########################################
+#
+# Declarations
+#
+
+type glusterd_t;
+type glusterd_exec_t;
+init_daemon_domain(glusterd_t, glusterd_exec_t)
+domain_obj_id_change_exemption(glusterd_t)
+
+type glusterd_conf_t;
+files_type(glusterd_conf_t)
+
+type glusterd_initrc_exec_t;
+init_script_file(glusterd_initrc_exec_t)
+
+type glusterd_tmp_t;
+files_tmp_file(glusterd_tmp_t)
+
+type glusterd_tmpfs_t;
+files_tmpfs_file(glusterd_tmpfs_t)
+
+type glusterd_log_t;
+logging_log_file(glusterd_log_t)
+
+type glusterd_var_run_t;
+files_pid_file(glusterd_var_run_t)
+
+type glusterd_var_lib_t;
+files_type(glusterd_var_lib_t)
+
+type glusterd_brick_t;
+files_type(glusterd_brick_t)
+
+typealias glusterd_log_t alias ganesha_var_log_t;
+
+########################################
+#
+# Local policy
+#
+
+allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid ipc_lock kill setgid setuid net_admin mknod net_raw };
+
+allow glusterd_t self:capability2 block_suspend;
+allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate};
+allow glusterd_t self:sem create_sem_perms;
+allow glusterd_t self:fifo_file rw_fifo_file_perms;
+allow glusterd_t self:tcp_socket { accept listen };
+allow glusterd_t self:unix_stream_socket { accept listen connectto };
+allow glusterd_t self:rawip_socket create_socket_perms;
+allow glusterd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+files_etc_filetrans(glusterd_t, glusterd_conf_t, { dir file }, "glusterfs")
+
+manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
+allow glusterd_t glusterd_tmp_t:dir mounton;
+
+manage_dirs_pattern(glusterd_t, glusterd_tmpfs_t, glusterd_tmpfs_t)
+manage_files_pattern(glusterd_t, glusterd_tmpfs_t, glusterd_tmpfs_t)
+fs_tmpfs_filetrans(glusterd_t, glusterd_tmpfs_t, { dir file })
+
+manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+logging_log_filetrans(glusterd_t, glusterd_log_t, { file dir })
+
+manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
+relabel_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+
+manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_fifo_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_blk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_chr_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_sock_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_chr_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_blk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+
+can_exec(glusterd_t, glusterd_exec_t)
+
+kernel_read_system_state(glusterd_t)
+kernel_read_network_state(glusterd_t)
+kernel_read_net_sysctls(glusterd_t)
+kernel_request_load_module(glusterd_t)
+
+corecmd_exec_bin(glusterd_t)
+corecmd_exec_shell(glusterd_t)
+
+corenet_all_recvfrom_unlabeled(glusterd_t)
+corenet_all_recvfrom_netlabel(glusterd_t)
+corenet_tcp_sendrecv_generic_if(glusterd_t)
+corenet_udp_sendrecv_generic_if(glusterd_t)
+corenet_tcp_sendrecv_generic_node(glusterd_t)
+corenet_udp_sendrecv_generic_node(glusterd_t)
+corenet_tcp_sendrecv_all_ports(glusterd_t)
+corenet_udp_sendrecv_all_ports(glusterd_t)
+corenet_tcp_bind_generic_node(glusterd_t)
+corenet_udp_bind_generic_node(glusterd_t)
+corenet_raw_bind_generic_node(glusterd_t)
+
+corenet_tcp_connect_gluster_port(glusterd_t)
+corenet_tcp_bind_gluster_port(glusterd_t)
+corenet_udp_bind_gluster_port(glusterd_t)
+
+# replacement for rpc.mountd
+corenet_sendrecv_all_server_packets(glusterd_t)
+corenet_tcp_bind_all_reserved_ports(glusterd_t)
+corenet_udp_bind_all_rpc_ports(glusterd_t)
+corenet_tcp_bind_all_rpc_ports(glusterd_t)
+corenet_tcp_bind_nfs_port(glusterd_t)
+corenet_udp_bind_nfs_port(glusterd_t)
+corenet_udp_bind_mountd_port(glusterd_t)
+corenet_tcp_bind_mountd_port(glusterd_t)
+corenet_udp_bind_ipp_port(glusterd_t)
+
+corenet_sendrecv_all_client_packets(glusterd_t)
+corenet_tcp_bind_all_unreserved_ports(glusterd_t)
+corenet_tcp_connect_all_unreserved_ports(glusterd_t)
+corenet_tcp_connect_all_ephemeral_ports(glusterd_t)
+corenet_tcp_connect_ssh_port(glusterd_t)
+corenet_tcp_connect_all_rpc_ports(glusterd_t)
+corenet_tcp_connect_all_ports(glusterd_t)
+
+dev_read_sysfs(glusterd_t)
+dev_read_urand(glusterd_t)
+dev_read_rand(glusterd_t)
+dev_rw_infiniband_dev(glusterd_t)
+
+domain_read_all_domains_state(glusterd_t)
+domain_getattr_all_sockets(glusterd_t)
+
+domain_use_interactive_fds(glusterd_t)
+
+fs_mount_all_fs(glusterd_t)
+fs_unmount_all_fs(glusterd_t)
+fs_getattr_all_fs(glusterd_t)
+fs_getattr_all_dirs(glusterd_t)
+
+files_mounton_non_security(glusterd_t)
+
+files_dontaudit_read_security_files(glusterd_t)
+files_dontaudit_list_security_dirs(glusterd_t)
+
+storage_rw_fuse(glusterd_t)
+#needed by /usr/sbin/xfs_db
+storage_raw_read_fixed_disk(glusterd_t)
+storage_raw_write_fixed_disk(glusterd_t)
+
+auth_use_nsswitch(glusterd_t)
+
+fs_getattr_all_fs(glusterd_t)
+
+init_domtrans_script(glusterd_t)
+init_initrc_domain(glusterd_t)
+init_read_script_state(glusterd_t)
+init_rw_script_tmp_files(glusterd_t)
+init_manage_script_status_files(glusterd_t)
+init_status(glusterd_t)
+init_stop_transient_unit(glusterd_t)
+
+systemd_config_systemd_services(glusterd_t)
+systemd_signal_passwd_agent(glusterd_t)
+
+logging_send_syslog_msg(glusterd_t)
+logging_dontaudit_search_audit_logs(glusterd_t)
+
+libs_exec_ldconfig(glusterd_t)
+
+miscfiles_read_localization(glusterd_t)
+miscfiles_read_public_files(glusterd_t)
+
+userdom_manage_user_home_dirs(glusterd_t)
+userdom_filetrans_home_content(glusterd_t)
+userdom_read_user_tmp_files(glusterd_t)
+userdom_delete_user_tmp_files(glusterd_t)
+userdom_rw_user_tmp_files(glusterd_t)
+userdom_map_tmp_files(glusterd_t)
+userdom_kill_all_users(glusterd_t)
+userdom_signal_unpriv_users(glusterd_t)
+
+mount_domtrans(glusterd_t)
+
+fstools_domtrans(glusterd_t)
+
+tunable_policy(`gluster_anon_write',`
+ miscfiles_manage_public_files(glusterd_t)
+')
+
+tunable_policy(`gluster_export_all_ro',`
+ fs_read_noxattr_fs_files(glusterd_t)
+ files_read_non_security_files(glusterd_t)
+ files_getattr_all_pipes(glusterd_t)
+ files_getattr_all_sockets(glusterd_t)
+')
+
+tunable_policy(`gluster_export_all_rw',`
+ fs_manage_noxattr_fs_files(glusterd_t)
+ files_manage_non_security_dirs(glusterd_t)
+ files_manage_non_security_files(glusterd_t)
+ files_relabel_base_file_types(glusterd_t)
+ files_getattr_all_pipes(glusterd_t)
+ files_getattr_all_sockets(glusterd_t)
+ files_map_non_security_files(glusterd_t)
+')
+
+tunable_policy(`gluster_use_execmem',`
+ allow glusterd_t self:process { execmem };
+')
+
+optional_policy(`
+ ctdbd_domtrans(glusterd_t)
+ ctdbd_signal(glusterd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(glusterd_t)
+ dbus_connect_system_bus(glusterd_t)
+ unconfined_dbus_chat(glusterd_t)
+
+ optional_policy(`
+ policykit_dbus_chat(glusterd_t)
+ ')
+')
+
+optional_policy(`
+ hostname_exec(glusterd_t)
+')
+
+
+optional_policy(`
+ kerberos_read_keytab(glusterd_t)
+')
+
+optional_policy(`
+ lvm_domtrans(glusterd_t)
+')
+
+optional_policy(`
+ mount_domtrans_showmount(glusterd_t)
+')
+
+optional_policy(`
+ samba_domtrans_smbd(glusterd_t)
+ samba_systemctl(glusterd_t)
+ samba_signal_smbd(glusterd_t)
+ samba_manage_config(glusterd_t)
+')
+
+optional_policy(`
+ ssh_exec_keygen(glusterd_t)
+')
+
+optional_policy(`
+ rpc_domtrans_rpcd(glusterd_t)
+ rpc_kill_rpcd(glusterd_t)
+')
+
+optional_policy(`
+ rsync_exec(glusterd_t)
+')
+
+optional_policy(`
+ rpc_systemctl_nfsd(glusterd_t)
+ rpc_systemctl_rpcd(glusterd_t)
+ rpc_domtrans_nfsd(glusterd_t)
+ rpc_dbus_chat_nfsd(glusterd_t)
+ rpc_domtrans_rpcd(glusterd_t)
+ rpc_manage_nfs_state_data(glusterd_t)
+ rpc_manage_nfs_state_data_dir(glusterd_t)
+ rpcbind_stream_connect(glusterd_t)
+')
+
+optional_policy(`
+ rhcs_dbus_chat_cluster(glusterd_t)
+ rhcs_domtrans_cluster(glusterd_t)
+ rhcs_systemctl_cluster(glusterd_t)
+ rhcs_stream_connect_cluster(glusterd_t)
+')
+
+optional_policy(`
+ ssh_exec(glusterd_t)
+')
diff --git a/glusterfs.fc b/glusterfs.fc
deleted file mode 100644
index 4bd6ade46..000000000
--- a/glusterfs.fc
+++ /dev/null
@@ -1,16 +0,0 @@
-/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
-
-/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
-/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
-
-/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
-/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
-
-/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
-
-/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0)
-
-/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
-
-/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
-/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
diff --git a/glusterfs.if b/glusterfs.if
deleted file mode 100644
index 05233c86e..000000000
--- a/glusterfs.if
+++ /dev/null
@@ -1,71 +0,0 @@
-## Cluster File System binary, daemon and command line.
-
-########################################
-##
-## All of the rules required to
-## administrate an glusterfs environment.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-#
-interface(`glusterd_admin',`
- refpolicywarn(`$0($*) has been deprecated, use glusterfs_admin() instead.')
- glusterfs_admin($1, $2)
-')
-
-########################################
-##
-## All of the rules required to
-## administrate an glusterfs environment.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-#
-interface(`glusterfs_admin',`
- gen_require(`
- type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t;
- type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t;
- type glusterd_var_run_t;
- ')
-
- init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 glusterd_initrc_exec_t system_r;
- allow $2 system_r;
-
- allow $1 glusterd_t:process { ptrace signal_perms };
- ps_process_pattern($1, glusterd_t)
-
- files_search_etc($1)
- admin_pattern($1, glusterd_conf_t)
-
- logging_search_logs($1)
- admin_pattern($1, glusterd_log_t)
-
- files_search_tmp($1)
- admin_pattern($1, glusterd_tmp_t)
-
- files_search_var_lib($1)
- admin_pattern($1, glusterd_var_lib_t)
-
- files_search_pids($1)
- admin_pattern($1, glusterd_var_run_t)
-')
diff --git a/glusterfs.te b/glusterfs.te
deleted file mode 100644
index 4e95c7e2f..000000000
--- a/glusterfs.te
+++ /dev/null
@@ -1,105 +0,0 @@
-policy_module(glusterfs, 1.1.2)
-
-########################################
-#
-# Declarations
-#
-
-type glusterd_t;
-type glusterd_exec_t;
-init_daemon_domain(glusterd_t, glusterd_exec_t)
-
-type glusterd_conf_t;
-files_type(glusterd_conf_t)
-
-type glusterd_initrc_exec_t;
-init_script_file(glusterd_initrc_exec_t)
-
-type glusterd_tmp_t;
-files_tmp_file(glusterd_tmp_t)
-
-type glusterd_log_t;
-logging_log_file(glusterd_log_t)
-
-type glusterd_var_run_t;
-files_pid_file(glusterd_var_run_t)
-
-type glusterd_var_lib_t;
-files_type(glusterd_var_lib_t)
-
-########################################
-#
-# Local policy
-#
-
-allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner };
-allow glusterd_t self:process { setrlimit signal };
-allow glusterd_t self:fifo_file rw_fifo_file_perms;
-allow glusterd_t self:tcp_socket { accept listen };
-allow glusterd_t self:unix_stream_socket { accept listen };
-
-manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
-manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
-files_etc_filetrans(glusterd_t, glusterd_conf_t, dir)
-
-manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
-
-manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
-
-manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file })
-
-manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
-
-can_exec(glusterd_t, glusterd_exec_t)
-
-kernel_read_system_state(glusterd_t)
-
-corecmd_exec_bin(glusterd_t)
-corecmd_exec_shell(glusterd_t)
-
-corenet_all_recvfrom_unlabeled(glusterd_t)
-corenet_all_recvfrom_netlabel(glusterd_t)
-corenet_tcp_sendrecv_generic_if(glusterd_t)
-corenet_udp_sendrecv_generic_if(glusterd_t)
-corenet_tcp_sendrecv_generic_node(glusterd_t)
-corenet_udp_sendrecv_generic_node(glusterd_t)
-corenet_tcp_sendrecv_all_ports(glusterd_t)
-corenet_udp_sendrecv_all_ports(glusterd_t)
-corenet_tcp_bind_generic_node(glusterd_t)
-corenet_udp_bind_generic_node(glusterd_t)
-
-# Too coarse?
-corenet_sendrecv_all_server_packets(glusterd_t)
-corenet_tcp_bind_all_reserved_ports(glusterd_t)
-corenet_udp_bind_all_rpc_ports(glusterd_t)
-corenet_udp_bind_ipp_port(glusterd_t)
-
-corenet_sendrecv_all_client_packets(glusterd_t)
-corenet_tcp_connect_all_unreserved_ports(glusterd_t)
-
-dev_read_sysfs(glusterd_t)
-dev_read_urand(glusterd_t)
-
-domain_read_all_domains_state(glusterd_t)
-
-domain_use_interactive_fds(glusterd_t)
-
-files_read_usr_files(glusterd_t)
-
-auth_use_nsswitch(glusterd_t)
-
-logging_send_syslog_msg(glusterd_t)
-
-miscfiles_read_localization(glusterd_t)
diff --git a/gnome.fc b/gnome.fc
index e39de436a..5edcb8330 100644
--- a/gnome.fc
+++ b/gnome.fc
@@ -1,15 +1,60 @@
-HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
-HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
-HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
-HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
+HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.nv(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.nv/GLCache(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+HOME_DIR/\.grl-metadata-store gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.cache/GLCache(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
+HOME_DIR/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
+HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
-/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
+/var/run/user/[^/]*/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
+/var/run/user/[^/]*/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+/var/run/user/[^/]*/keyring.* gen_context(system_u:object_r:gkeyringd_tmp_t,s0)
+
+/root/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+/root/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
+/root/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+/root/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+/root/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
+/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+/root/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
+/root/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
+/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+/root/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
+/root/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
+/root/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
+/root/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+
+/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
+/usr/share/config(/.*)? gen_context(system_u:object_r:config_usr_t,s0)
+
/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+/usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+
+# Don't use because toolchain is broken
+#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
-/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
index ab09d6195..2e8661416 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,52 +1,76 @@
-## GNU network object model environment.
+## GNU network object model environment (GNOME)
-########################################
+#######################################
##
-## Role access for gnome. (Deprecated)
+## Role access for gnome. (Deprecated)
##
##
-##
-## Role allowed access.
-##
+##
+## Role allowed access.
+##
##
##
-##
-## User domain for the role.
-##
+##
+## User domain for the role.
+##
##
#
interface(`gnome_role',`
- refpolicywarn(`$0($*) has been deprecated')
+ refpolicywarn(`$0($*) has been deprecated')
+ ')
+
+######################################
+##
+## The role template for the gnome-keyring-daemon.
+##
+##
+##
+## The user prefix.
+##
+##
+##
+##
+## The user role.
+##
+##
+##
+##
+## The user domain associated with the role.
+##
+##
+#
+interface(`gnome_role_gkeyringd',`
+ refpolicywarn(`$0($*) has been deprecated')
')
-#######################################
+######################################
##
-## The role template for gnome.
+## The role template for gnome.
##
##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
##
##
-##
-## The role associated with the user domain.
-##
+##
+## The role associated with the user domain.
+##
##
##
-##
-## The type of the user domain.
-##
+##
+## The type of the user domain.
+##
##
#
template(`gnome_role_template',`
- gen_require(`
- attribute gnomedomain, gkeyringd_domain;
+ gen_require(`
+ attribute gnomedomain, gkeyringd_domain, gnome_home_type;
attribute_role gconfd_roles;
- type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
+ type gkeyringd_exec_t, gkeyringd_tmp_t;
type gconfd_t, gconfd_exec_t, gconf_tmp_t;
- type gconf_home_t;
+ class dbus send_msg;
')
########################################
@@ -74,14 +98,11 @@ template(`gnome_role_template',`
domtrans_pattern($3, gconfd_exec_t, gconfd_t)
- allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
-
- allow $3 gconfd_t:process { ptrace signal_perms };
+ allow $3 gconfd_t:process { signal_perms };
+ allow $3 gconfd_t:unix_stream_socket connectto;
ps_process_pattern($3, gconfd_t)
+
########################################
#
# Gkeyringd policy
@@ -89,37 +110,86 @@ template(`gnome_role_template',`
domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
- allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
- allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms };
+ allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:file { relabel_file_perms manage_file_perms };
- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome")
- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2")
- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private")
-
- gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings")
+ userdom_home_manager($1_gkeyringd_t)
- allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+ allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
ps_process_pattern($3, $1_gkeyringd_t)
- allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
+ allow $3 $1_gkeyringd_t:process signal_perms;
+ dontaudit $3 gkeyringd_exec_t:file entrypoint;
+
+ allow $1_gkeyringd_t $3:process sigkill;
+ allow $3 $1_gkeyringd_t:fd use;
+ allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
+
+ dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write };
+ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
+
+ kernel_read_system_state($1_gkeyringd_t)
corecmd_bin_domtrans($1_gkeyringd_t, $3)
corecmd_shell_domtrans($1_gkeyringd_t, $3)
- gnome_stream_connect_gkeyringd($1, $3)
+ gnome_stream_connect_gkeyringd($3)
+
+ ps_process_pattern($1_gkeyringd_t, $3)
+
+ auth_use_nsswitch($1_gkeyringd_t)
+
+ logging_send_syslog_msg($1_gkeyringd_t)
+
+ allow $1_gkeyringd_t $3:dbus send_msg;
+ allow $3 $1_gkeyringd_t:dbus send_msg;
optional_policy(`
- dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+ dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+ dbus_dontaudit_stream_connect_system_dbusd($1_gkeyringd_t)
+ gnome_manage_generic_home_dirs($1_gkeyringd_t)
+ gnome_read_generic_data_home_files($1_gkeyringd_t)
+ gnome_read_generic_data_home_dirs($1_gkeyringd_t)
optional_policy(`
- gnome_dbus_chat_gkeyringd($1, $3)
+ telepathy_mission_control_read_state($1_gkeyringd_t)
+ telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t)
')
')
')
+#######################################
+##
+## Allow domain to run gkeyring in the $1_gkeyringd_t domain.
+##
+##
+##
+## The user prefix.
+##
+##
+##
+##
+## The user role.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_run_gkeyringd',`
+ gen_require(`
+ type $1_gkeyringd_t;
+ type gkeyringd_exec_t;
+ ')
+ role $2 types $1_gkeyringd_t;
+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
+')
+
########################################
##
-## Execute gconf in the caller domain.
+## gconf connection template.
##
##
##
@@ -127,18 +197,18 @@ template(`gnome_role_template',`
##
##
#
-interface(`gnome_exec_gconf',`
+interface(`gnome_stream_connect_gconf',`
gen_require(`
- type gconfd_exec_t;
+ type gconfd_t, gconf_tmp_t;
')
- corecmd_search_bin($1)
- can_exec($1, gconfd_exec_t)
+ read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
+ allow $1 gconfd_t:unix_stream_socket connectto;
')
########################################
##
-## Read gconf configuration content.
+## Connect to gkeyringd with a unix stream socket.
##
##
##
@@ -146,119 +216,114 @@ interface(`gnome_exec_gconf',`
##
##
#
-interface(`gnome_read_gconf_config',`
+interface(`gnome_stream_connect_gkeyringd',`
gen_require(`
- type gconf_etc_t;
+ attribute gkeyringd_domain;
+ type gkeyringd_tmp_t;
+ type gconf_tmp_t;
+ type cache_home_t;
')
- files_search_etc($1)
- allow $1 gconf_etc_t:dir list_dir_perms;
- allow $1 gconf_etc_t:file read_file_perms;
- allow $1 gconf_etc_t:lnk_file read_lnk_file_perms;
+ allow $1 gconf_tmp_t:dir search_dir_perms;
+ userdom_search_user_tmp_dirs($1)
+ stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
+ stream_connect_pattern($1, cache_home_t, cache_home_t, gkeyringd_domain)
')
########################################
##
-## Do not audit attempts to read
-## inherited gconf configuration files.
+## Run gconfd in gconfd domain.
##
##
##
-## Domain to not audit.
+## Domain allowed access.
##
##
#
-interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
+interface(`gnome_domtrans_gconfd',`
gen_require(`
- type gconf_etc_t;
+ type gconfd_t, gconfd_exec_t;
')
- dontaudit $1 gconf_etc_t:file read;
+ domtrans_pattern($1, gconfd_exec_t, gconfd_t)
')
-#######################################
+########################################
##
-## Create, read, write, and delete
-## gconf configuration content.
+## Dontaudit read gnome homedir content (.config)
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`gnome_manage_gconf_config',`
+interface(`gnome_dontaudit_read_config',`
gen_require(`
- type gconf_etc_t;
+ attribute gnome_home_type;
')
- files_search_etc($1)
- allow $1 gconf_etc_t:dir manage_dir_perms;
- allow $1 gconf_etc_t:file manage_file_perms;
- allow $1 gconf_etc_t:lnk_file manage_lnk_file_perms;
+ dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
')
########################################
##
-## Connect to gconf using a unix
-## domain stream socket.
+## Dontaudit search gnome homedir content (.config)
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`gnome_stream_connect_gconf',`
+interface(`gnome_dontaudit_search_config',`
gen_require(`
- type gconfd_t, gconf_tmp_t;
+ attribute gnome_home_type;
')
- files_search_tmp($1)
- stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t)
+ dontaudit $1 gnome_home_type:dir search_dir_perms;
')
########################################
##
-## Run gconfd in gconfd domain.
+## Dontaudit write gnome homedir content (.config)
##
##
##
-## Domain allowed to transition.
+## Domain to not audit.
##
##
#
-interface(`gnome_domtrans_gconfd',`
+interface(`gnome_dontaudit_append_config_files',`
gen_require(`
- type gconfd_t, gconfd_exec_t;
+ attribute gnome_home_type;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, gconfd_exec_t, gconfd_t)
+ dontaudit $1 gnome_home_type:file append;
')
+
########################################
##
-## Create generic gnome home directories.
+## Dontaudit write gnome homedir content (.config)
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`gnome_create_generic_home_dirs',`
+interface(`gnome_dontaudit_write_config_files',`
gen_require(`
- type gnome_home_t;
+ attribute gnome_home_type;
')
- allow $1 gnome_home_t:dir create_dir_perms;
+ dontaudit $1 gnome_home_type:file write;
')
########################################
##
-## Set attributes of generic gnome
-## user home directories. (Deprecated)
+## manage gnome homedir content (.config)
##
##
##
@@ -266,15 +331,21 @@ interface(`gnome_create_generic_home_dirs',`
##
##
#
-interface(`gnome_setattr_config_dirs',`
- refpolicywarn(`$0($*) has been deprecated, use gnome_setattr_generic_home_dirs() instead.')
- gnome_setattr_generic_home_dirs($1)
+interface(`gnome_manage_config',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ allow $1 gnome_home_type:dir manage_dir_perms;
+ allow $1 gnome_home_type:file { manage_file_perms map };
+ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
+ allow $1 gnome_home_type:sock_file manage_sock_file_perms;
+ userdom_search_user_home_dirs($1)
')
########################################
##
-## Set attributes of generic gnome
-## user home directories.
+## Send general signals to all gconf domains.
##
##
##
@@ -282,57 +353,89 @@ interface(`gnome_setattr_config_dirs',`
##
##
#
-interface(`gnome_setattr_generic_home_dirs',`
+interface(`gnome_signal_all',`
gen_require(`
- type gnome_home_t;
+ attribute gnomedomain;
')
- userdom_search_user_home_dirs($1)
- setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+ allow $1 gnomedomain:process signal;
')
########################################
##
-## Read generic gnome user home content. (Deprecated)
+## Create objects in a Gnome cache home directory
+## with an automatic type transition to
+## a specified private type.
##
##
##
## Domain allowed access.
##
##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
#
-interface(`gnome_read_config',`
- refpolicywarn(`$0($*) has been deprecated, use gnome_read_generic_home_content() instead.')
- gnome_read_generic_home_content($1)
+interface(`gnome_cache_filetrans',`
+ gen_require(`
+ type cache_home_t;
+ ')
+
+ filetrans_pattern($1, cache_home_t, $2, $3, $4)
+ userdom_search_user_home_dirs($1)
')
########################################
##
-## Read generic gnome home content.
+## Create objects in a Gnome cache home directory
+## with an automatic type transition to
+## a specified private type.
##
##
##
## Domain allowed access.
##
##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
#
-interface(`gnome_read_generic_home_content',`
+interface(`gnome_config_filetrans',`
gen_require(`
- type gnome_home_t;
+ type config_home_t;
')
+ filetrans_pattern($1, config_home_t, $2, $3, $4)
userdom_search_user_home_dirs($1)
- allow $1 gnome_home_t:dir list_dir_perms;
- allow $1 gnome_home_t:file read_file_perms;
- allow $1 gnome_home_t:fifo_file read_fifo_file_perms;
- allow $1 gnome_home_t:lnk_file read_lnk_file_perms;
- allow $1 gnome_home_t:sock_file read_sock_file_perms;
')
########################################
##
-## Create, read, write, and delete
-## generic gnome user home content. (Deprecated)
+## Read generic cache home files (.cache)
##
##
##
@@ -340,15 +443,18 @@ interface(`gnome_read_generic_home_content',`
##
##
#
-interface(`gnome_manage_config',`
- refpolicywarn(`$0($*) has been deprecated, use gnome_manage_generic_home_content() instead.')
- gnome_manage_generic_home_content($1)
+interface(`gnome_read_generic_cache_files',`
+ gen_require(`
+ type cache_home_t;
+ ')
+
+ read_files_pattern($1, cache_home_t, cache_home_t)
+ userdom_search_user_home_dirs($1)
')
########################################
##
-## Create, read, write, and delete
-## generic gnome home content.
+## Create generic cache home dir (.cache)
##
##
##
@@ -356,22 +462,18 @@ interface(`gnome_manage_config',`
##
##
#
-interface(`gnome_manage_generic_home_content',`
+interface(`gnome_create_generic_cache_dir',`
gen_require(`
- type gnome_home_t;
+ type cache_home_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 gnome_home_t:dir manage_dir_perms;
- allow $1 gnome_home_t:file manage_file_perms;
- allow $1 gnome_home_t:fifo_file manage_fifo_file_perms;
- allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
- allow $1 gnome_home_t:sock_file manage_sock_file_perms;
+ allow $1 cache_home_t:dir create_dir_perms;
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
')
########################################
##
-## Search generic gnome home directories.
+## Set attributes of cache home dir (.cache)
##
##
##
@@ -379,53 +481,37 @@ interface(`gnome_manage_generic_home_content',`
##
##
#
-interface(`gnome_search_generic_home',`
+interface(`gnome_setattr_cache_home_dir',`
gen_require(`
- type gnome_home_t;
+ type cache_home_t;
')
+ setattr_dirs_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
- allow $1 gnome_home_t:dir search_dir_perms;
')
########################################
##
-## Create objects in gnome user home
-## directories with a private type.
+## Manage cache home dir (.cache)
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Private file type.
-##
-##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
#
-interface(`gnome_home_filetrans',`
+interface(`gnome_manage_cache_home_dir',`
gen_require(`
- type gnome_home_t;
+ type cache_home_t;
')
+ manage_dirs_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
- filetrans_pattern($1, gnome_home_t, $2, $3, $4)
')
########################################
##
-## Create generic gconf home directories.
+## append to generic cache home files (.cache)
##
##
##
@@ -433,17 +519,18 @@ interface(`gnome_home_filetrans',`
##
##
#
-interface(`gnome_create_generic_gconf_home_dirs',`
+interface(`gnome_append_generic_cache_files',`
gen_require(`
- type gconf_home_t;
+ type cache_home_t;
')
- allow $1 gconf_home_t:dir create_dir_perms;
+ append_files_pattern($1, cache_home_t, cache_home_t)
+ userdom_search_user_home_dirs($1)
')
########################################
##
-## Read generic gconf home content.
+## write to generic cache home files (.cache)
##
##
##
@@ -451,23 +538,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
##
##
#
-interface(`gnome_read_generic_gconf_home_content',`
+interface(`gnome_write_generic_cache_files',`
gen_require(`
- type gconf_home_t;
+ type cache_home_t;
')
+ write_files_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir list_dir_perms;
- allow $1 gconf_home_t:file read_file_perms;
- allow $1 gconf_home_t:fifo_file read_fifo_file_perms;
- allow $1 gconf_home_t:lnk_file read_lnk_file_perms;
- allow $1 gconf_home_t:sock_file read_sock_file_perms;
')
########################################
##
-## Create, read, write, and delete
-## generic gconf home content.
+## write to generic cache home files (.cache)
##
##
##
@@ -475,22 +557,18 @@ interface(`gnome_read_generic_gconf_home_content',`
##
##
#
-interface(`gnome_manage_generic_gconf_home_content',`
+interface(`gnome_manage_generic_cache_files',`
gen_require(`
- type gconf_home_t;
+ type cache_home_t;
')
+ manage_files_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir manage_dir_perms;
- allow $1 gconf_home_t:file manage_file_perms;
- allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;
- allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;
- allow $1 gconf_home_t:sock_file manage_sock_file_perms;
')
########################################
##
-## Search generic gconf home directories.
+## Manage a sock_file in the generic cache home files (.cache)
##
##
##
@@ -498,79 +576,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
##
##
#
-interface(`gnome_search_generic_gconf_home',`
+interface(`gnome_manage_generic_cache_sockets',`
gen_require(`
- type gconf_home_t;
+ type cache_home_t;
')
userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir search_dir_perms;
+ manage_sock_files_pattern($1, cache_home_t, cache_home_t)
')
########################################
##
-## Create objects in user home
-## directories with the generic gconf
-## home type.
+## Dontaudit read/write to generic cache home files (.cache)
##
##
##
-## Domain allowed access.
-##
-##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
+## Domain to not audit.
##
##
#
-interface(`gnome_home_filetrans_gconf_home',`
+interface(`gnome_dontaudit_rw_generic_cache_files',`
gen_require(`
- type gconf_home_t;
+ type cache_home_t;
')
- userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
+ dontaudit $1 cache_home_t:file rw_inherited_file_perms;
')
########################################
##
-## Create objects in user home
-## directories with the generic gnome
-## home type.
+## read gnome homedir content (.config)
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
#
-interface(`gnome_home_filetrans_gnome_home',`
+interface(`gnome_read_config',`
gen_require(`
- type gnome_home_t;
+ attribute gnome_home_type;
')
- userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
+ list_dirs_pattern($1, gnome_home_type, gnome_home_type)
+ read_files_pattern($1, gnome_home_type, gnome_home_type)
+ read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
+ gnome_read_usr_config($1)
')
########################################
##
-## Create objects in gnome gconf home
-## directories with a private type.
+## Create objects in a Gnome gconf home directory
+## with an automatic type transition to
+## a specified private type.
##
##
##
@@ -579,12 +637,12 @@ interface(`gnome_home_filetrans_gnome_home',`
##
##
##
-## Private file type.
+## The type of the object to create.
##
##
##
##
-## Class of the object being created.
+## The class of the object to be created.
##
##
##
@@ -593,18 +651,18 @@ interface(`gnome_home_filetrans_gnome_home',`
##
##
#
-interface(`gnome_gconf_home_filetrans',`
+interface(`gnome_data_filetrans',`
gen_require(`
- type gconf_home_t;
+ type data_home_t;
')
- userdom_search_user_home_dirs($1)
- filetrans_pattern($1, gconf_home_t, $2, $3, $4)
+ filetrans_pattern($1, data_home_t, $2, $3, $4)
+ gnome_search_gconf($1)
')
-########################################
+#######################################
##
-## Read generic gnome keyring home files.
+## Read generic data home files.
##
##
##
@@ -612,46 +670,81 @@ interface(`gnome_gconf_home_filetrans',`
##
##
#
-interface(`gnome_read_keyring_home_files',`
+interface(`gnome_read_generic_data_home_files',`
gen_require(`
- type gnome_home_t, gnome_keyring_home_t;
+ type data_home_t, gconf_home_t;
')
- userdom_search_user_home_dirs($1)
- read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
+ read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
+ read_lnk_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
')
-########################################
+######################################
##
-## Send and receive messages from
-## gnome keyring daemon over dbus.
+## Read generic data home dirs.
##
-##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_read_generic_data_home_dirs',`
+ gen_require(`
+ type data_home_t, gconf_home_t;
+ ')
+
+ list_dirs_pattern($1, { gconf_home_t data_home_t }, data_home_t)
+')
+
+#######################################
+##
+## Manage gconf data home files
+##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Domain allowed access.
##
##
+#
+interface(`gnome_manage_data',`
+ gen_require(`
+ type data_home_t;
+ type gconf_home_t;
+ ')
+
+ allow $1 gconf_home_t:dir search_dir_perms;
+ manage_dirs_pattern($1, data_home_t, data_home_t)
+ manage_files_pattern($1, data_home_t, data_home_t)
+ manage_lnk_files_pattern($1, data_home_t, data_home_t)
+')
+
+########################################
+##
+## Read icc data home content.
+##
##
##
## Domain allowed access.
##
##
#
-interface(`gnome_dbus_chat_gkeyringd',`
+interface(`gnome_read_home_icc_data_content',`
gen_require(`
- type $1_gkeyringd_t;
- class dbus send_msg;
+ type icc_data_home_t, gconf_home_t, data_home_t;
')
- allow $2 $1_gkeyringd_t:dbus send_msg;
- allow $1_gkeyringd_t $2:dbus send_msg;
+ userdom_search_user_home_dirs($1)
+ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
+ allow $1 icc_data_home_t:file map;
+ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
+ read_files_pattern($1, icc_data_home_t, icc_data_home_t)
+ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
')
########################################
##
-## Send and receive messages from all
-## gnome keyring daemon over dbus.
+## Read inherited icc data home files.
##
##
##
@@ -659,46 +752,64 @@ interface(`gnome_dbus_chat_gkeyringd',`
##
##
#
-interface(`gnome_dbus_chat_all_gkeyringd',`
+interface(`gnome_read_inherited_home_icc_data_files',`
gen_require(`
- attribute gkeyringd_domain;
- class dbus send_msg;
+ type icc_data_home_t;
')
- allow $1 gkeyringd_domain:dbus send_msg;
- allow gkeyringd_domain $1:dbus send_msg;
+ allow $1 icc_data_home_t:file read_inherited_file_perms;
')
########################################
##
-## Connect to gnome keyring daemon
-## with a unix stream socket.
+## Create gconf_home_t objects in the /root directory
##
-##
+##
+##
+## Domain allowed access.
+##
+##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## The class of the object to be created.
##
##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`gnome_admin_home_gconf_filetrans',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
+')
+
+########################################
+##
+## Do not audit attempts to read
+## inherited gconf config files.
+##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`gnome_stream_connect_gkeyringd',`
+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
gen_require(`
- type $1_gkeyringd_t, gnome_keyring_tmp_t;
+ type gconf_etc_t;
')
- files_search_tmp($2)
- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
+ dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
')
########################################
##
-## Connect to all gnome keyring daemon
-## with a unix stream socket.
+## read gconf config files
##
##
##
@@ -706,12 +817,985 @@ interface(`gnome_stream_connect_gkeyringd',`
##
##
#
-interface(`gnome_stream_connect_all_gkeyringd',`
+interface(`gnome_read_gconf_config',`
gen_require(`
- attribute gkeyringd_domain;
- type gnome_keyring_tmp_t;
+ type gconf_etc_t;
+ ')
+
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+ files_search_etc($1)
+')
+
+#######################################
+##
+## Manage gconf config files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_manage_gconf_config',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
+')
+
+########################################
+##
+## Execute gconf programs in
+## in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_exec_gconf',`
+ gen_require(`
+ type gconfd_exec_t;
+ ')
+
+ can_exec($1, gconfd_exec_t)
+')
+
+########################################
+##
+## Execute gnome keyringd in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_exec_keyringd',`
+ gen_require(`
+ type gkeyringd_exec_t;
+ ')
+
+ can_exec($1, gkeyringd_exec_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+##
+## Search gconf home data dirs
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_search_gconf_data_dir',`
+ gen_require(`
+ type gconf_home_t;
+ type data_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gconf_home_t:dir list_dir_perms;
+ allow $1 data_home_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Read gconf home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_read_gconf_home_files',`
+ gen_require(`
+ type gconf_home_t;
+ type data_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gconf_home_t:dir list_dir_perms;
+ allow $1 data_home_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_home_t, gconf_home_t)
+ read_files_pattern($1, data_home_t, data_home_t)
+ read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
+ read_lnk_files_pattern($1, data_home_t, data_home_t)
+')
+
+########################################
+##
+## Search gkeyringd temporary directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_search_gkeyringd_tmp_dirs',`
+ gen_require(`
+ type gkeyringd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 gkeyringd_tmp_t:dir search_dir_perms;
+')
+
+########################################
+##
+## List gkeyringd temporary directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_list_gkeyringd_tmp_dirs',`
+ gen_require(`
+ type gkeyringd_tmp_t;
')
files_search_tmp($1)
- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
+ allow $1 gkeyringd_tmp_t:dir list_dir_perms;
+')
+
+#######################################
+##
+## Delete gkeyringd temporary
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_delete_gkeyringd_tmp_content',`
+ gen_require(`
+ type gkeyringd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ delete_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
+ delete_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
+ delete_sock_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
+')
+
+#######################################
+##
+## Manage gkeyringd temporary directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_manage_gkeyringd_tmp_dirs',`
+ gen_require(`
+ type gkeyringd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
+')
+
+########################################
+##
+## search gconf homedir (.local)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_search_gconf',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ allow $1 gconf_home_t:dir search_dir_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Set attributes of Gnome config dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_setattr_config_dirs',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+ files_search_home($1)
+')
+
+########################################
+##
+## Manage generic gnome home files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_manage_generic_home_files',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, gnome_home_t, gnome_home_t)
+')
+
+########################################
+##
+## Manage generic gnome home directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_manage_generic_home_dirs',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gnome_home_t:dir manage_dir_perms;
+')
+
+########################################
+##
+## Append gconf home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_append_gconf_home_files',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ append_files_pattern($1, gconf_home_t, gconf_home_t)
+')
+
+########################################
+##
+## manage gconf home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_manage_gconf_home_files',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ allow $1 gconf_home_t:dir list_dir_perms;
+ manage_files_pattern($1, gconf_home_t, gconf_home_t)
+')
+
+########################################
+##
+## Connect to gnome over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+interface(`gnome_stream_connect',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ # Connect to pulseaudit server
+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
+')
+
+########################################
+##
+## list gnome homedir content (.config)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_list_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ allow $1 config_home_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Set attributes of gnome homedir content (.config)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_setattr_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ setattr_dirs_pattern($1, config_home_t, config_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## read gnome homedir content (.config)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_read_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ list_dirs_pattern($1, config_home_t, config_home_t)
+ read_files_pattern($1, config_home_t, config_home_t)
+ read_lnk_files_pattern($1, config_home_t, config_home_t)
+')
+#######################################
+##
+## append gnome homedir content (.config)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_append_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ append_files_pattern($1, config_home_t, config_home_t)
+')
+
+#######################################
+##
+## delete gnome homedir content (.config)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_delete_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ delete_files_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+##
+## Create gnome homedir content (.config)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_create_home_config_dirs',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ allow $1 config_home_t:dir create_dir_perms;
+')
+
+#######################################
+##
+## setattr gnome homedir content (.config)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_setattr_home_config_dirs',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ setattr_dirs_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+##
+## manage gnome homedir content (.config)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_manage_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ manage_files_pattern($1, config_home_t, config_home_t)
+')
+
+#######################################
+##
+## delete gnome homedir content (.config)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_delete_home_config_dirs',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ delete_dirs_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+##
+## manage gnome homedir content (.config)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_manage_home_config_dirs',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ manage_dirs_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+##
+## manage gstreamer home content files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_manage_gstreamer_home_files',`
+ gen_require(`
+ type gstreamer_home_t;
+ ')
+
+ manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
+ manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
+ gnome_filetrans_gstreamer_home_content($1)
+')
+
+######################################
+##
+## Allow to execute gstreamer home content files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_exec_gstreamer_home_files',`
+ gen_require(`
+ type gstreamer_home_t;
+ ')
+
+ can_exec($1, gstreamer_home_t)
+')
+
+######################################
+##
+## Allow to execute config home content files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_exec_config_home_files',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ can_exec($1, config_home_t)
+')
+
+#######################################
+##
+## file name transition gstreamer home content files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_filetrans_gstreamer_home_content',`
+ gen_require(`
+ type gstreamer_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-bookmarks")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-metadata-store")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-podcasts")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.0")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.2")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
+ userdom_user_tmp_filetrans($1, gstreamer_home_t, dir, ".orc")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.12")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "GLCache")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.10")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.0")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.2")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-10")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-12")
+')
+
+#######################################
+##
+## manage gstreamer home content files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_manage_gstreamer_home_dirs',`
+ gen_require(`
+ type gstreamer_home_t;
+ ')
+
+ manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
+')
+
+########################################
+##
+## Read/Write all inherited gnome home config
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_rw_inherited_config',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ allow $1 gnome_home_type:file rw_inherited_file_perms;
+')
+
+########################################
+##
+## Dontaudit Read/Write all inherited gnome home config
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`gnome_dontaudit_rw_inherited_config',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ dontaudit $1 gnome_home_type:file rw_inherited_file_perms;
+')
+
+########################################
+##
+## Send and receive messages from
+## gconf system service over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_dbus_chat_gconfdefault',`
+ gen_require(`
+ type gconfdefaultsm_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gconfdefaultsm_t:dbus send_msg;
+ allow gconfdefaultsm_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Send and receive messages from
+## gkeyringd over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_dbus_chat_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ class dbus send_msg;
+ ')
+
+ allow $1 gkeyringd_domain:dbus send_msg;
+ allow gkeyringd_domain $1:dbus send_msg;
+')
+
+########################################
+##
+## Send signull signal to gkeyringd processes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_signull_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ ')
+
+ allow $1 gkeyringd_domain:process signull;
+')
+
+########################################
+##
+## Allow the domain to read gkeyringd state files in /proc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_read_gkeyringd_state',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ ')
+
+ ps_process_pattern($1, gkeyringd_domain)
+')
+
+########################################
+##
+## Create directories in user home directories
+## with the gnome home file type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_home_dir_filetrans',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Check whether sendmail executable
+## files are executable.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_access_check_usr_config',`
+ gen_require(`
+ type config_usr_t;
+ ')
+
+ allow $1 config_usr_t:dir_file_class_set audit_access;;
+')
+
+######################################
+##
+## Allow read kde config content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_read_usr_config',`
+ gen_require(`
+ type config_usr_t;
+ ')
+
+ files_search_usr($1)
+ list_dirs_pattern($1, config_usr_t, config_usr_t)
+ read_files_pattern($1, config_usr_t, config_usr_t)
+ read_lnk_files_pattern($1, config_usr_t, config_usr_t)
+')
+
+#######################################
+##
+## Allow manage kde config content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_manage_usr_config',`
+ gen_require(`
+ type config_usr_t;
+ ')
+
+ files_search_usr($1)
+ manage_dirs_pattern($1, config_usr_t, config_usr_t)
+ manage_files_pattern($1, config_usr_t, config_usr_t)
+ manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
+')
+
+########################################
+##
+## Execute gnome-keyring in the user gkeyring domain
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`gnome_transition_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ ')
+
+ allow $1 gkeyringd_domain:process transition;
+ dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
+ allow gkeyringd_domain $1:process { sigchld signull };
+ allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+##
+## Create gnome content in the user home directory
+## with an correct label.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_filetrans_home_content',`
+
+gen_require(`
+ type config_home_t;
+ type cache_home_t;
+ type dbus_home_t;
+ type gconf_home_t;
+ type gnome_home_t;
+ type data_home_t, icc_data_home_t;
+ type gkeyringd_gnome_home_t;
+')
+
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config")
+ userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
+ userdom_user_home_dir_filetrans($1, dbus_home_t, dir, ".dbus")
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".nv")
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
+ userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
+
+ # ~/.color/icc: legacy
+ userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")
+ filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
+ filetrans_pattern($1, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
+ filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
+ filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
+ filetrans_pattern($1, cache_home_t, cache_home_t, dir, "fontconfig")
+ userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
+ gnome_cache_filetrans($1, config_home_t, dir, "dconf")
+ gnome_filetrans_gstreamer_home_content($1)
+')
+
+########################################
+##
+## Create gnome dconf dir in the user home directory
+## with an correct label.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_filetrans_config_home_content',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ gnome_cache_filetrans($1, config_home_t, dir, "dconf")
+')
+
+########################################
+##
+## Create gnome directory in the /root directory
+## with an correct label.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_filetrans_admin_home_content',`
+
+gen_require(`
+ type config_home_t;
+ type cache_home_t;
+ type dbus_home_t;
+ type gstreamer_home_t;
+ type gconf_home_t;
+ type gnome_home_t;
+ type icc_data_home_t;
+')
+
+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".config")
+ userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine")
+ userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache")
+ userdom_admin_home_dir_filetrans($1, dbus_home_t, dir, ".dbus")
+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".kde")
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
+ userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
+ gnome_filetrans_gstreamer_home_content($1)
+ # /root/.color/icc: legacy
+ userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
+')
+
+#####################################
+##
+## Execute gnome-keyring executable
+## in the specified domain.
+##
+##
+##
+## Execute a telepathy executable
+## in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain.
+##
+##
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+##
+##
+## This interface was added to handle
+## the ssh-agent policy.
+##
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## The type of the new process.
+##
+##
+#
+interface(`gnome_command_domtrans_gkeyringd', `
+ gen_require(`
+ type gkeyringd_exec_t;
+ ')
+
+ allow $2 gkeyringd_exec_t:file entrypoint;
+ domain_transition_pattern($1, gkeyringd_exec_t, $2)
+ type_transition $1 gkeyringd_exec_t:process $2;
')
diff --git a/gnome.te b/gnome.te
index 63893eb2d..61dd9e336 100644
--- a/gnome.te
+++ b/gnome.te
@@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0)
# Declarations
#
-attribute gkeyringd_domain;
attribute gnomedomain;
+attribute gnome_home_type;
+attribute gkeyringd_domain;
attribute_role gconfd_roles;
type gconf_etc_t;
files_config_file(gconf_etc_t)
-type gconf_home_t;
+type data_home_t, gnome_home_type;
+userdom_user_home_content(data_home_t)
+
+type config_home_t, gnome_home_type;
+userdom_user_home_content(config_home_t)
+
+type cache_home_t, gnome_home_type;
+userdom_user_home_content(cache_home_t)
+
+type gstreamer_home_t, gnome_home_type;
+userdom_user_home_content(gstreamer_home_t)
+
+type dbus_home_t, gnome_home_type;
+userdom_user_home_content(dbus_home_t)
+
+type icc_data_home_t, gnome_home_type;
+userdom_user_home_content(icc_data_home_t)
+
+type gconf_home_t, gnome_home_type;
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
typealias gconf_home_t alias unconfined_gconf_home_t;
@@ -31,105 +50,225 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
userdom_user_application_domain(gconfd_t, gconfd_exec_t)
role gconfd_roles types gconfd_t;
-type gnome_home_t;
+type gnome_home_t, gnome_home_type;
typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
typealias gnome_home_t alias unconfined_gnome_home_t;
userdom_user_home_content(gnome_home_t)
+# type KDE /usr/share/config files
+type config_usr_t;
+files_type(config_usr_t)
+
type gkeyringd_exec_t;
-application_executable_file(gkeyringd_exec_t)
+corecmd_executable_file(gkeyringd_exec_t)
-type gnome_keyring_home_t;
-userdom_user_home_content(gnome_keyring_home_t)
+type gkeyringd_gnome_home_t, gnome_home_type;
+userdom_user_home_content(gkeyringd_gnome_home_t)
-type gnome_keyring_tmp_t;
-userdom_user_tmp_file(gnome_keyring_tmp_t)
+type gkeyringd_tmp_t;
+userdom_user_tmp_content(gkeyringd_tmp_t)
+
+type gconfdefaultsm_t;
+type gconfdefaultsm_exec_t;
+init_daemon_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
+
+type gnomesystemmm_t;
+type gnomesystemmm_exec_t;
+init_daemon_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
##############################
#
-# Common local Policy
+# Local Policy
#
-allow gnomedomain self:process { getsched signal };
-allow gnomedomain self:fifo_file rw_fifo_file_perms;
+allow gconfd_t self:process getsched;
+allow gconfd_t self:fifo_file rw_fifo_file_perms;
-dev_read_urand(gnomedomain)
+manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
-domain_use_interactive_fds(gnomedomain)
+manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
-files_read_etc_files(gnomedomain)
+allow gconfd_t gconf_etc_t:dir list_dir_perms;
+read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
+
+dev_read_urand(gconfd_t)
-miscfiles_read_localization(gnomedomain)
-logging_send_syslog_msg(gnomedomain)
-userdom_use_user_terminals(gnomedomain)
+logging_send_syslog_msg(gconfd_t)
+
+userdom_manage_user_tmp_sockets(gconfd_t)
+userdom_manage_user_tmp_dirs(gconfd_t)
+userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
optional_policy(`
- xserver_rw_xdm_pipes(gnomedomain)
- xserver_use_xdm_fds(gnomedomain)
+ nscd_dontaudit_search_pid(gconfd_t)
')
-##############################
+optional_policy(`
+ xserver_use_xdm_fds(gconfd_t)
+ xserver_rw_xdm_pipes(gconfd_t)
+')
+
+#######################################
#
-# Conf daemon local Policy
+# gconf-defaults-mechanisms local policy
#
-allow gconfd_t gconf_etc_t:dir list_dir_perms;
-read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
+allow gconfdefaultsm_t self:capability { dac_read_search dac_override sys_nice };
+allow gconfdefaultsm_t self:process getsched;
+allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;
-manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
-manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
-userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
+corecmd_search_bin(gconfdefaultsm_t)
-manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
-manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
-userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
+auth_read_passwd(gconfdefaultsm_t)
-userdom_manage_user_tmp_dirs(gconfd_t)
-userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
+gnome_manage_gconf_home_files(gconfdefaultsm_t)
+gnome_manage_gconf_config(gconfdefaultsm_t)
+
+userdom_read_all_users_state(gconfdefaultsm_t)
+userdom_search_user_home_dirs(gconfdefaultsm_t)
+
+userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)
optional_policy(`
- nscd_dontaudit_search_pid(gconfd_t)
+ consolekit_dbus_chat(gconfdefaultsm_t)
')
-##############################
+optional_policy(`
+ dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(gconfdefaultsm_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(gconfdefaultsm_t)
+ policykit_dbus_chat(gconfdefaultsm_t)
+ policykit_read_lib(gconfdefaultsm_t)
+ policykit_read_reload(gconfdefaultsm_t)
+')
+
+userdom_home_manager(gconfdefaultsm_t)
+
+#######################################
+#
+# gnome-system-monitor-mechanisms local policy
+#
+
+allow gnomesystemmm_t self:capability { sys_admin sys_nice };
+allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
+
+rw_files_pattern(gnomesystemmm_t, config_usr_t, config_usr_t)
+
+kernel_read_system_state(gnomesystemmm_t)
+
+corecmd_search_bin(gnomesystemmm_t)
+
+domain_kill_all_domains(gnomesystemmm_t)
+domain_search_all_domains_state(gnomesystemmm_t)
+domain_setpriority_all_domains(gnomesystemmm_t)
+domain_signal_all_domains(gnomesystemmm_t)
+domain_sigstop_all_domains(gnomesystemmm_t)
+
+fs_getattr_xattr_fs(gnomesystemmm_t)
+
+auth_read_passwd(gnomesystemmm_t)
+
+logging_send_syslog_msg(gnomesystemmm_t)
+
+userdom_read_all_users_state(gnomesystemmm_t)
+userdom_dontaudit_search_admin_dir(gnomesystemmm_t)
+
+optional_policy(`
+ consolekit_dbus_chat(gnomesystemmm_t)
+')
+
+optional_policy(`
+ dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
+')
+
+optional_policy(`
+ gnome_manage_home_config(gnomesystemmm_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(gnomesystemmm_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(gnomesystemmm_t)
+ policykit_domtrans_auth(gnomesystemmm_t)
+ policykit_read_lib(gnomesystemmm_t)
+ policykit_read_reload(gnomesystemmm_t)
+')
+
+######################################
#
-# Keyring-daemon local policy
+# gnome-keyring-daemon local policy
#
allow gkeyringd_domain self:capability ipc_lock;
-allow gkeyringd_domain self:process { getcap setcap };
+allow gkeyringd_domain self:process { getcap getsched setcap signal };
+allow gkeyringd_domain self:fifo_file rw_fifo_file_perms;
allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };
-allow gkeyringd_domain gnome_home_t:dir create_dir_perms;
-gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2")
+manage_files_pattern(gkeyringd_domain, config_home_t, config_home_t)
-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
-manage_files_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
-gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings")
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
+manage_files_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
+allow gkeyringd_domain data_home_t:dir create_dir_perms;
+allow gkeyringd_domain gconf_home_t:dir create_dir_perms;
+filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share")
+filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
+filetrans_pattern(gkeyringd_domain, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
-manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
-files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
+manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
+files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
+fs_tmpfs_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
+userdom_user_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, { sock_file dir })
-kernel_read_system_state(gkeyringd_domain)
kernel_read_crypto_sysctls(gkeyringd_domain)
+corecmd_search_bin(gkeyringd_domain)
+
dev_read_rand(gkeyringd_domain)
+dev_read_urand(gkeyringd_domain)
dev_read_sysfs(gkeyringd_domain)
-files_read_usr_files(gkeyringd_domain)
+# for nscd?
+files_search_pids(gkeyringd_domain)
-fs_getattr_all_fs(gkeyringd_domain)
+fs_getattr_xattr_fs(gkeyringd_domain)
+fs_getattr_tmpfs(gkeyringd_domain)
-selinux_getattr_fs(gkeyringd_domain)
+userdom_user_home_dir_filetrans(gkeyringd_domain, gconf_home_t, dir, ".local")
optional_policy(`
- ssh_read_user_home_files(gkeyringd_domain)
+ xserver_append_xdm_home_files(gkeyringd_domain)
+ xserver_read_xdm_home_files(gkeyringd_domain)
+ xserver_use_xdm_fds(gkeyringd_domain)
')
optional_policy(`
- telepathy_mission_control_read_state(gkeyringd_domain)
+ gnome_create_home_config_dirs(gkeyringd_domain)
+ gnome_read_home_config(gkeyringd_domain)
+ gnome_manage_generic_cache_files(gkeyringd_domain)
+ gnome_manage_cache_home_dir(gkeyringd_domain)
+ gnome_manage_generic_cache_sockets(gkeyringd_domain)
')
+
+optional_policy(`
+ ssh_read_user_home_files(gkeyringd_domain)
+')
+
+domain_use_interactive_fds(gnomedomain)
+
+userdom_use_inherited_user_terminals(gnomedomain)
diff --git a/gnomeclock.fc b/gnomeclock.fc
index f9ba8cd99..690630113 100644
--- a/gnomeclock.fc
+++ b/gnomeclock.fc
@@ -1,7 +1,10 @@
+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/kde3/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/kde4/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
/usr/lib/gnome-settings-daemon/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
diff --git a/gnomeclock.if b/gnomeclock.if
index 3f55702fb..25c7ab82c 100644
--- a/gnomeclock.if
+++ b/gnomeclock.if
@@ -2,8 +2,7 @@
########################################
##
-## Execute a domain transition to
-## run gnomeclock.
+## Execute a domain transition to run gnomeclock.
##
##
##
@@ -16,15 +15,13 @@ interface(`gnomeclock_domtrans',`
type gnomeclock_t, gnomeclock_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t)
')
########################################
##
-## Execute gnomeclock in the gnomeclock
-## domain, and allow the specified
-## role the gnomeclock domain.
+## Execute gnomeclock in the gnomeclock domain, and
+## allow the specified role the gnomeclock domain.
##
##
##
@@ -39,11 +36,11 @@ interface(`gnomeclock_domtrans',`
#
interface(`gnomeclock_run',`
gen_require(`
- attribute_role gnomeclock_roles;
+ type gnomeclock_t;
')
gnomeclock_domtrans($1)
- roleattribute $2 gnomeclock_roles;
+ role $2 types gnomeclock_t;
')
########################################
@@ -69,9 +66,8 @@ interface(`gnomeclock_dbus_chat',`
########################################
##
-## Do not audit attempts to send and
-## receive messages from gnomeclock
-## over dbus.
+## Do not audit send and receive messages from
+## gnomeclock over dbus.
##
##
##
diff --git a/gnomeclock.te b/gnomeclock.te
index 7cd7435e6..8f26e9862 100644
--- a/gnomeclock.te
+++ b/gnomeclock.te
@@ -5,82 +5,95 @@ policy_module(gnomeclock, 1.1.0)
# Declarations
#
-attribute_role gnomeclock_roles;
-
type gnomeclock_t;
type gnomeclock_exec_t;
-init_system_domain(gnomeclock_t, gnomeclock_exec_t)
-role gnomeclock_roles types gnomeclock_t;
+init_daemon_domain(gnomeclock_t, gnomeclock_exec_t)
+
+type gnomeclock_tmp_t;
+files_tmp_file(gnomeclock_tmp_t)
########################################
#
-# Local policy
+# gnomeclock local policy
#
-allow gnomeclock_t self:capability { sys_nice sys_time };
+allow gnomeclock_t self:capability { sys_nice sys_time dac_read_search dac_override };
allow gnomeclock_t self:process { getattr getsched signal };
allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
-allow gnomeclock_t self:unix_stream_socket { accept listen };
+allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
+allow gnomeclock_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t)
+manage_files_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t)
+manage_lnk_files_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t)
+files_tmp_filetrans(gnomeclock_t, gnomeclock_tmp_t, { file dir })
kernel_read_system_state(gnomeclock_t)
corecmd_exec_bin(gnomeclock_t)
corecmd_exec_shell(gnomeclock_t)
+corecmd_dontaudit_access_check_bin(gnomeclock_t)
-corenet_all_recvfrom_unlabeled(gnomeclock_t)
-corenet_all_recvfrom_netlabel(gnomeclock_t)
-corenet_tcp_sendrecv_generic_if(gnomeclock_t)
-corenet_tcp_sendrecv_generic_node(gnomeclock_t)
+corenet_tcp_connect_time_port(gnomeclock_t)
-# tcp:37 (time)
-corenet_sendrecv_inetd_child_client_packets(gnomeclock_t)
-corenet_tcp_connect_inetd_child_port(gnomeclock_t)
-corenet_tcp_sendrecv_inetd_child_port(gnomeclock_t)
-
-dev_read_sysfs(gnomeclock_t)
-dev_read_urand(gnomeclock_t)
dev_rw_realtime_clock(gnomeclock_t)
+dev_read_urand(gnomeclock_t)
+dev_write_kmsg(gnomeclock_t)
+dev_read_sysfs(gnomeclock_t)
-files_read_usr_files(gnomeclock_t)
+files_read_etc_runtime_files(gnomeclock_t)
fs_getattr_xattr_fs(gnomeclock_t)
auth_use_nsswitch(gnomeclock_t)
+init_dbus_chat(gnomeclock_t)
+
+logging_stream_connect_syslog(gnomeclock_t)
logging_send_syslog_msg(gnomeclock_t)
-miscfiles_etc_filetrans_localization(gnomeclock_t)
miscfiles_manage_localization(gnomeclock_t)
-miscfiles_read_localization(gnomeclock_t)
+miscfiles_etc_filetrans_localization(gnomeclock_t)
userdom_read_all_users_state(gnomeclock_t)
optional_policy(`
- chronyd_initrc_domtrans(gnomeclock_t)
+ chronyd_systemctl(gnomeclock_t)
')
optional_policy(`
+ clock_read_adjtime(gnomeclock_t)
clock_domtrans(gnomeclock_t)
')
optional_policy(`
- dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+ consolekit_dbus_chat(gnomeclock_t)
+')
- optional_policy(`
- consolekit_dbus_chat(gnomeclock_t)
- ')
+optional_policy(`
+ consoletype_exec(gnomeclock_t)
+')
- optional_policy(`
- policykit_dbus_chat(gnomeclock_t)
- ')
+optional_policy(`
+dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+')
+
+optional_policy(`
+ gnome_manage_usr_config(gnomeclock_t)
+ gnome_manage_home_config(gnomeclock_t)
+ gnome_filetrans_admin_home_content(gnomeclock_t)
')
optional_policy(`
ntp_domtrans_ntpdate(gnomeclock_t)
ntp_initrc_domtrans(gnomeclock_t)
+ init_dontaudit_getattr_all_script_files(gnomeclock_t)
+ init_dontaudit_getattr_exec(gnomeclock_t)
+ ntp_systemctl(gnomeclock_t)
')
optional_policy(`
+ policykit_dbus_chat(gnomeclock_t)
policykit_domtrans_auth(gnomeclock_t)
policykit_read_lib(gnomeclock_t)
policykit_read_reload(gnomeclock_t)
diff --git a/gpg.fc b/gpg.fc
index 888cd2c68..c02fa5694 100644
--- a/gpg.fc
+++ b/gpg.fc
@@ -1,10 +1,14 @@
-HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
-HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+HOME_DIR/\.gnupg/log-socket gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+
+/etc/mail/spamassassin/sa-update-keys(/.*)? gen_context(system_u:object_r:gpg_secret_t,s0)
+
+/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
diff --git a/gpg.if b/gpg.if
index 180f1b7cc..350cb4f87 100644
--- a/gpg.if
+++ b/gpg.if
@@ -2,57 +2,79 @@
############################################################
##
-## Role access for gpg.
+## Role access for gpg
##
##
##
-## Role allowed access.
+## Role allowed access
##
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
#
interface(`gpg_role',`
gen_require(`
- attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles;
- type gpg_t, gpg_exec_t, gpg_agent_t;
- type gpg_agent_exec_t, gpg_agent_tmp_t, gpg_helper_t;
- type gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_secret_t;
+ attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles;
+ type gpg_t, gpg_exec_t;
+ type gpg_agent_t, gpg_agent_exec_t;
+ type gpg_agent_tmp_t;
+ type gpg_helper_t, gpg_pinentry_t;
+ type gpg_pinentry_tmp_t;
')
- roleattribute $1 gpg_roles;
- roleattribute $1 gpg_agent_roles;
- roleattribute $1 gpg_helper_roles;
- roleattribute $1 gpg_pinentry_roles;
+ roleattribute $1 gpg_roles;
+ roleattribute $1 gpg_agent_roles;
+ roleattribute $1 gpg_helper_roles;
+ roleattribute $1 gpg_pinentry_roles;
+ # transition from the userdomain to the derived domain
domtrans_pattern($2, gpg_exec_t, gpg_t)
- domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
- allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms };
- ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t })
+ # allow ps to show gpg
+ ps_process_pattern($2, gpg_t)
+ allow $2 gpg_t:process { signull sigstop signal sigkill };
- allow gpg_pinentry_t $2:process signull;
+ # communicate with the user
allow gpg_helper_t $2:fd use;
- allow { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write };
+ allow gpg_helper_t $2:fifo_file write;
+
+ # allow ps to show gpg-agent
+ ps_process_pattern($2, gpg_agent_t)
+
+ # Allow the user shell to signal the gpg-agent program.
+ allow $2 gpg_agent_t:process { signal sigkill };
+
+ manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
- allow $2 { gpg_agent_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { gpg_agent_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms };
- allow $2 gpg_secret_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- allow $2 { gpg_agent_tmp_t gpg_pinentry_tmp_t gpg_secret_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
- filetrans_pattern($2, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
- userdom_user_home_dir_filetrans($2, gpg_secret_t, dir, ".gnupg")
+ # Transition from the user domain to the agent domain.
+ domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
+
+ manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+ relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+
+ allow gpg_pinentry_t $2:fifo_file { read write };
optional_policy(`
gpg_pinentry_dbus_chat($2)
')
+
+ allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };
+ ifdef(`hide_broken_symptoms',`
+ #Leaked File Descriptors
+ dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
+ dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms;
+ ')
')
########################################
##
-## Execute the gpg in the gpg domain.
+## Transition to a user gpg domain.
##
##
##
@@ -65,13 +87,12 @@ interface(`gpg_domtrans',`
type gpg_t, gpg_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, gpg_exec_t, gpg_t)
')
-########################################
+######################################
##
-## Execute the gpg in the caller domain.
+## Execute gpg in the caller domain.
##
##
##
@@ -88,76 +109,46 @@ interface(`gpg_exec',`
can_exec($1, gpg_exec_t)
')
-########################################
-##
-## Execute gpg in a specified domain.
-##
-##
-##
-## Execute gpg in a specified domain.
-##
-##
-## No interprocess communication (signals, pipes,
-## etc.) is provided by this interface since
-## the domains are not owned by this module.
-##
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-##
-##
-## Domain to transition to.
-##
-##
-#
-interface(`gpg_spec_domtrans',`
- gen_require(`
- type gpg_exec_t;
- ')
-
- corecmd_search_bin($1)
- domain_auto_trans($1, gpg_exec_t, $2)
-')
-
######################################
##
-## Execute gpg in the gpg web domain. (Deprecated)
+## Transition to a gpg web domain.
##
##
-##
-## Domain allowed to transition.
-##
+##
+## Domain allowed access.
+##
##
#
interface(`gpg_domtrans_web',`
- refpolicywarn(`$0($*) has been deprecated.')
+ gen_require(`
+ type gpg_web_t, gpg_exec_t;
+ ')
+
+ domtrans_pattern($1, gpg_exec_t, gpg_web_t)
')
######################################
##
-## Make gpg executable files an
-## entrypoint for the specified domain.
+## Make gpg an entrypoint for
+## the specified domain.
##
##
-##
-## The domain for which gpg_exec_t is an entrypoint.
-##
+##
+## The domain for which cifs_t is an entrypoint.
+##
##
#
interface(`gpg_entry_type',`
- gen_require(`
- type gpg_exec_t;
- ')
+ gen_require(`
+ type gpg_exec_t;
+ ')
- domain_entry_file($1, gpg_exec_t)
+ domain_entry_file($1, gpg_exec_t)
')
########################################
##
-## Send generic signals to gpg.
+## Send generic signals to user gpg processes.
##
##
##
@@ -175,7 +166,7 @@ interface(`gpg_signal',`
########################################
##
-## Read and write gpg agent pipes.
+## Read and write GPG agent pipes.
##
##
##
@@ -184,6 +175,7 @@ interface(`gpg_signal',`
##
#
interface(`gpg_rw_agent_pipes',`
+ # Just wants read/write could this be a leak?
gen_require(`
type gpg_agent_t;
')
@@ -193,8 +185,8 @@ interface(`gpg_rw_agent_pipes',`
########################################
##
-## Send messages to and from gpg
-## pinentry over DBUS.
+## Send messages to and from GPG
+## Pinentry over DBUS.
##
##
##
@@ -214,7 +206,7 @@ interface(`gpg_pinentry_dbus_chat',`
########################################
##
-## List gpg user secrets.
+## List Gnu Privacy Guard user secrets.
##
##
##
@@ -230,3 +222,57 @@ interface(`gpg_list_user_secrets',`
list_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
userdom_search_user_home_dirs($1)
')
+###########################
+##
+## Allow to manage gpg named home content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gpg_manage_home_content',`
+ gen_require(`
+ type gpg_secret_t;
+ ')
+
+ manage_files_pattern($1, gpg_secret_t, gpg_secret_t)
+ manage_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
+########################################
+##
+## Transition to gpg named home content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gpg_filetrans_home_content',`
+ gen_require(`
+ type gpg_secret_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
+
+########################################
+##
+## Connected to gpg_agent_t unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gpg_agent_stream_connect',`
+ gen_require(`
+ type gpg_agent_t;
+ ')
+
+ allow $1 gpg_agent_t:unix_stream_socket connectto;
+')
diff --git a/gpg.te b/gpg.te
index 0e97e82f1..78a2afc95 100644
--- a/gpg.te
+++ b/gpg.te
@@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0)
#
# Declarations
#
-
-##
-##
-## Determine whether GPG agent can manage
-## generic user home content files. This is
-## required by the --write-env-file option.
-##
-##
-gen_tunable(gpg_agent_env_file, false)
+attribute gpgdomain;
attribute_role gpg_roles;
roleattribute system_r gpg_roles;
@@ -24,7 +16,15 @@ roleattribute system_r gpg_helper_roles;
attribute_role gpg_pinentry_roles;
-type gpg_t;
+##
+##
+## Allow gpg web domain to modify public files
+## used for public file transfer services.
+##
+##
+gen_tunable(gpg_web_anon_write, false)
+
+type gpg_t, gpgdomain;
type gpg_exec_t;
typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
@@ -69,95 +69,103 @@ type gpg_pinentry_tmpfs_t;
userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t)
optional_policy(`
- pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)
+ pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)
')
+type gpg_web_t;
+domain_type(gpg_web_t)
+gpg_entry_type(gpg_web_t)
+role system_r types gpg_web_t;
+
########################################
#
-# Local policy
+# GPG local policy
#
-allow gpg_t self:capability { ipc_lock setuid };
-allow gpg_t self:process { signal signull setrlimit getcap setcap getsched setsched setpgid };
-dontaudit gpg_t self:netlink_audit_socket r_netlink_socket_perms;
-allow gpg_t self:fifo_file rw_fifo_file_perms;
-allow gpg_t self:tcp_socket { accept listen };
+allow gpgdomain self:capability { ipc_lock setuid };
+allow gpgdomain self:process { getsched setsched };
+#at setrlimit is for ulimit -c 0
+allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
+dontaudit gpgdomain self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
+allow gpgdomain self:netlink_kobject_uevent_socket create_socket_perms;
+
+allow gpgdomain self:fifo_file rw_fifo_file_perms;
+allow gpgdomain self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
-manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+allow gpg_t gpg_secret_t:dir create_dir_perms;
manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
-userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
-
-stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
-
-domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
-domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")
kernel_read_sysctl(gpg_t)
+kernel_read_system_state(gpg_t)
+kernel_getattr_core_if(gpg_t)
corecmd_exec_shell(gpg_t)
corecmd_exec_bin(gpg_t)
-corenet_all_recvfrom_unlabeled(gpg_t)
corenet_all_recvfrom_netlabel(gpg_t)
corenet_tcp_sendrecv_generic_if(gpg_t)
+corenet_udp_sendrecv_generic_if(gpg_t)
corenet_tcp_sendrecv_generic_node(gpg_t)
-
-corenet_sendrecv_all_client_packets(gpg_t)
-corenet_tcp_connect_all_ports(gpg_t)
+corenet_udp_sendrecv_generic_node(gpg_t)
corenet_tcp_sendrecv_all_ports(gpg_t)
+corenet_udp_sendrecv_all_ports(gpg_t)
+corenet_tcp_connect_all_ports(gpg_t)
+corenet_sendrecv_all_client_packets(gpg_t)
-dev_read_generic_usb_dev(gpg_t)
dev_read_rand(gpg_t)
dev_read_urand(gpg_t)
-
-files_read_usr_files(gpg_t)
-files_dontaudit_search_var(gpg_t)
+dev_read_generic_usb_dev(gpg_t)
+dev_dontaudit_getattr_all(gpg_t)
+dev_list_sysfs(gpg_t)
+dev_read_sysfs(gpg_t)
+dev_rw_generic_usb_dev(gpg_t)
fs_getattr_xattr_fs(gpg_t)
fs_list_inotifyfs(gpg_t)
domain_use_interactive_fds(gpg_t)
-auth_use_nsswitch(gpg_t)
+files_dontaudit_search_var(gpg_t)
-logging_send_syslog_msg(gpg_t)
+auth_use_nsswitch(gpg_t)
-miscfiles_read_localization(gpg_t)
+init_dontaudit_getattr_initctl(gpg_t)
-userdom_use_user_terminals(gpg_t)
+logging_send_syslog_msg(gpg_t)
-userdom_manage_user_tmp_files(gpg_t)
+userdom_use_inherited_user_terminals(gpg_t)
+# sign/encrypt user files
+userdom_manage_all_user_tmp_content(gpg_t)
+#userdom_manage_user_home_content(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
-userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
+userdom_manage_user_home_content_dirs(gpg_t)
+userdom_filetrans_home_content(gpg_t)
+userdom_stream_connect(gpg_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(gpg_t)
- fs_manage_nfs_files(gpg_t)
-')
+mta_manage_config(gpg_t)
+mta_read_spool(gpg_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(gpg_t)
- fs_manage_cifs_files(gpg_t)
-')
+userdom_home_manager(gpg_t)
optional_policy(`
- gnome_read_generic_home_content(gpg_t)
- gnome_stream_connect_all_gkeyringd(gpg_t)
+ gpm_dontaudit_getattr_gpmctl(gpg_t)
')
optional_policy(`
- mozilla_dontaudit_rw_user_home_files(gpg_t)
+ gnome_manage_config(gpg_t)
+ gnome_stream_connect_gkeyringd(gpg_t)
')
optional_policy(`
- mta_read_spool_files(gpg_t)
- mta_write_config(gpg_t)
+ mozilla_read_user_home_files(gpg_t)
+ mozilla_write_user_home_files(gpg_t)
')
optional_policy(`
@@ -165,37 +173,55 @@ optional_policy(`
')
optional_policy(`
- cron_system_entry(gpg_t, gpg_exec_t)
- cron_read_system_job_tmp_files(gpg_t)
+ xserver_use_xdm_fds(gpg_t)
+ xserver_rw_xdm_pipes(gpg_t)
')
optional_policy(`
- xserver_use_xdm_fds(gpg_t)
- xserver_rw_xdm_pipes(gpg_t)
+ udev_read_db(gpg_t)
')
+#optional_policy(`
+# cron_system_entry(gpg_t, gpg_exec_t)
+# cron_read_system_job_tmp_files(gpg_t)
+#')
+
########################################
#
-# Helper local policy
+# GPG helper local policy
#
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+
allow gpg_helper_t self:process { getsched setsched };
+
+# for helper programs (which automatically fetch keys)
+# Note: this is only tested with the hkp interface. If you use eg the
+# mail interface you will likely need additional permissions.
+
allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
+allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
-dontaudit gpg_helper_t gpg_secret_t:file read_file_perms;
+dontaudit gpg_helper_t gpg_secret_t:file read;
-corenet_all_recvfrom_unlabeled(gpg_helper_t)
corenet_all_recvfrom_netlabel(gpg_helper_t)
corenet_tcp_sendrecv_generic_if(gpg_helper_t)
+corenet_raw_sendrecv_generic_if(gpg_helper_t)
+corenet_udp_sendrecv_generic_if(gpg_helper_t)
corenet_tcp_sendrecv_generic_node(gpg_helper_t)
+corenet_udp_sendrecv_generic_node(gpg_helper_t)
+corenet_raw_sendrecv_generic_node(gpg_helper_t)
corenet_tcp_sendrecv_all_ports(gpg_helper_t)
-
-corenet_sendrecv_all_client_packets(gpg_helper_t)
+corenet_udp_sendrecv_all_ports(gpg_helper_t)
+corenet_tcp_bind_generic_node(gpg_helper_t)
+corenet_udp_bind_generic_node(gpg_helper_t)
corenet_tcp_connect_all_ports(gpg_helper_t)
+
auth_use_nsswitch(gpg_helper_t)
-userdom_use_user_terminals(gpg_helper_t)
+userdom_use_inherited_user_terminals(gpg_helper_t)
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files(gpg_helper_t)
@@ -207,67 +233,84 @@ tunable_policy(`use_samba_home_dirs',`
########################################
#
-# Agent local policy
+# GPG agent local policy
#
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+
+# rlimit: gpg-agent wants to prevent coredumps
+allow gpg_agent_t self:process { setrlimit signal_perms };
-allow gpg_agent_t self:process setrlimit;
-allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ;
allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
+allow gpg_agent_t self:netlink_kobject_uevent_socket create_socket_perms;
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+# Allow the gpg-agent to manage its tmp files (socket)
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
-
-domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
+# allow gpg to connect to the gpg agent
+stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
-kernel_dontaudit_search_sysctl(gpg_agent_t)
+kernel_read_system_state(gpg_agent_t)
+kernel_read_core_if(gpg_agent_t)
+corecmd_read_bin_symlinks(gpg_agent_t)
+corecmd_exec_bin(gpg_agent_t)
corecmd_exec_shell(gpg_agent_t)
dev_read_rand(gpg_agent_t)
dev_read_urand(gpg_agent_t)
+dev_rw_generic_usb_dev(gpg_agent_t)
+dev_list_sysfs(gpg_agent_t)
+dev_read_sysfs(gpg_agent_t)
+dev_dontaudit_getattr_all_chr_files(gpg_agent_t)
+dev_dontaudit_getattr_all_blk_files(gpg_agent_t)
domain_use_interactive_fds(gpg_agent_t)
fs_dontaudit_list_inotifyfs(gpg_agent_t)
-miscfiles_read_localization(gpg_agent_t)
+miscfiles_read_certs(gpg_agent_t)
-userdom_use_user_terminals(gpg_agent_t)
+# Write to the user domain tty.
+userdom_use_inherited_user_terminals(gpg_agent_t)
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
userdom_search_user_home_dirs(gpg_agent_t)
+userdom_filetrans_home_content(gpg_agent_t)
+
+userdom_manage_user_home_content_dirs(gpg_agent_t)
+userdom_manage_user_home_content_files(gpg_agent_t)
+userdom_manage_all_user_tmp_content(gpg_agent_t)
ifdef(`hide_broken_symptoms',`
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
+ userdom_dontaudit_write_user_tmp_files(gpg_agent_t)
')
-tunable_policy(`gpg_agent_env_file',`
- userdom_manage_user_home_content_dirs(gpg_agent_t)
- userdom_manage_user_home_content_files(gpg_agent_t)
- userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
+userdom_home_manager(gpg_agent_t)
+
+optional_policy(`
+ gnome_manage_config(gpg_agent_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(gpg_agent_t)
- fs_manage_nfs_files(gpg_agent_t)
- fs_manage_nfs_symlinks(gpg_agent_t)
+optional_policy(`
+ mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(gpg_agent_t)
- fs_manage_cifs_files(gpg_agent_t)
- fs_manage_cifs_symlinks(gpg_agent_t)
+optional_policy(`
+ pcscd_stream_connect(gpg_agent_t)
')
optional_policy(`
- mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
+ udev_read_db(gpg_agent_t)
')
##############################
@@ -277,63 +320,118 @@ optional_policy(`
allow gpg_pinentry_t self:process { getcap getsched setsched signal };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
+allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
allow gpg_pinentry_t self:shm create_shm_perms;
-allow gpg_pinentry_t self:tcp_socket { accept listen };
+allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
+allow gpg_pinentry_t self:unix_dgram_socket sendto;
+allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+
+can_exec(gpg_pinentry_t, pinentry_exec_t)
+
+# we need to allow gpg-agent to call pinentry so it can get the passphrase
+# from the user.
+domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
+manage_dirs_pattern(gpg_pinentry_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_files_pattern(gpg_pinentry_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_sock_files_pattern(gpg_pinentry_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+files_tmp_filetrans(gpg_pinentry_t, gpg_agent_tmp_t, { dir sock_file file })
+
manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
-can_exec(gpg_pinentry_t, pinentry_exec_t)
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+manage_dirs_pattern(gpg_pinentry_t, gpg_secret_t, gpg_secret_t)
+manage_sock_files_pattern(gpg_pinentry_t, gpg_secret_t, gpg_secret_t)
+manage_files_pattern(gpg_pinentry_t, gpg_secret_t, gpg_secret_t)
+manage_lnk_files_pattern(gpg_pinentry_t, gpg_secret_t, gpg_secret_t)
+# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)
corecmd_exec_shell(gpg_pinentry_t)
corecmd_exec_bin(gpg_pinentry_t)
corenet_all_recvfrom_netlabel(gpg_pinentry_t)
-corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
+corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
+corenet_tcp_bind_generic_node(gpg_pinentry_t)
+corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)
dev_read_urand(gpg_pinentry_t)
dev_read_rand(gpg_pinentry_t)
-domain_use_interactive_fds(gpg_pinentry_t)
-
-files_read_usr_files(gpg_pinentry_t)
+# read /etc/X11/qtrc
fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
+fs_getattr_all_fs(gpg_pinentry_t)
auth_use_nsswitch(gpg_pinentry_t)
logging_send_syslog_msg(gpg_pinentry_t)
miscfiles_read_fonts(gpg_pinentry_t)
-miscfiles_read_localization(gpg_pinentry_t)
+# for .Xauthority
+userdom_read_user_home_content_files(gpg_pinentry_t)
+userdom_read_user_tmp_files(gpg_pinentry_t)
+# Bug: user pulseaudio files need open,read and unlink:
+allow gpg_pinentry_t user_tmp_t:file unlink;
+userdom_signull_unpriv_users(gpg_pinentry_t)
userdom_use_user_terminals(gpg_pinentry_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(gpg_pinentry_t)
-')
+userdom_home_reader(gpg_pinentry_t)
+userdom_stream_connect(gpg_pinentry_t)
+userdom_map_tmp_files(gpg_pinentry_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(gpg_pinentry_t)
+optional_policy(`
+ gnome_manage_home_config(gpg_pinentry_t)
')
optional_policy(`
- dbus_all_session_bus_client(gpg_pinentry_t)
+ dbus_session_bus_client(gpg_pinentry_t)
dbus_system_bus_client(gpg_pinentry_t)
')
optional_policy(`
- pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles)
+ gnome_write_generic_cache_files(gpg_pinentry_t)
+ gnome_read_generic_cache_files(gpg_pinentry_t)
+ gnome_read_gconf_home_files(gpg_pinentry_t)
+')
+
+optional_policy(`
+ pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles)
+ pulseaudio_stream_connect(gpg_pinentry_t)
')
optional_policy(`
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
+
+')
+
+#############################
+#
+# gpg web local policy
+#
+
+allow gpg_web_t self:process setrlimit;
+
+dev_read_rand(gpg_web_t)
+dev_read_urand(gpg_web_t)
+
+can_exec(gpg_web_t, gpg_exec_t)
+
+
+
+apache_dontaudit_rw_tmp_files(gpg_web_t)
+apache_manage_sys_content_rw(gpg_web_t)
+
+tunable_policy(`gpg_web_anon_write',`
+ miscfiles_manage_public_files(gpg_web_t)
')
diff --git a/gpm.te b/gpm.te
index 69734fd15..a659808d0 100644
--- a/gpm.te
+++ b/gpm.te
@@ -13,7 +13,7 @@ type gpm_initrc_exec_t;
init_script_file(gpm_initrc_exec_t)
type gpm_conf_t;
-files_type(gpm_conf_t)
+files_config_file(gpm_conf_t)
type gpm_tmp_t;
files_tmp_file(gpm_tmp_t)
@@ -29,7 +29,7 @@ files_type(gpmctl_t)
# Local policy
#
-allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config };
+allow gpm_t self:capability { setpcap setuid dac_read_search dac_override sys_admin sys_tty_config };
allow gpm_t self:process { signal signull getcap setcap };
allow gpm_t self:unix_stream_socket { accept listen };
@@ -57,7 +57,6 @@ dev_read_sysfs(gpm_t)
dev_rw_input_dev(gpm_t)
dev_rw_mouse(gpm_t)
-files_read_etc_files(gpm_t)
fs_getattr_all_fs(gpm_t)
fs_search_auto_mountpoints(gpm_t)
@@ -68,11 +67,9 @@ domain_use_interactive_fds(gpm_t)
logging_send_syslog_msg(gpm_t)
-miscfiles_read_localization(gpm_t)
-
-userdom_use_user_terminals(gpm_t)
userdom_dontaudit_use_unpriv_user_fds(gpm_t)
userdom_dontaudit_search_user_home_dirs(gpm_t)
+userdom_use_inherited_user_terminals(gpm_t)
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/gpsd.if b/gpsd.if
index 92eb56418..8aa8f6698 100644
--- a/gpsd.if
+++ b/gpsd.if
@@ -63,6 +63,7 @@ interface(`gpsd_rw_shm',`
allow $1 gpsd_tmpfs_t:dir list_dir_perms;
rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+ allow $1 gpsd_tmpfs_t:file map;
fs_search_tmpfs($1)
')
diff --git a/gpsd.te b/gpsd.te
index fe3895ece..ce48f6c49 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -28,15 +28,17 @@ files_pid_file(gpsd_var_run_t)
#
allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
-dontaudit gpsd_t self:capability { dac_read_search dac_override };
-allow gpsd_t self:process { setsched signal_perms };
+dontaudit gpsd_t self:capability { sys_ptrace dac_read_search dac_override };
+allow gpsd_t self:process { setsched signal_perms getsession };
allow gpsd_t self:shm create_shm_perms;
allow gpsd_t self:unix_dgram_socket sendto;
allow gpsd_t self:tcp_socket { accept listen };
+allow gpsd_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file })
+allow gpsd_t gpsd_tmpfs_t:file map;
manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
@@ -62,13 +64,13 @@ domain_dontaudit_read_all_domains_state(gpsd_t)
term_use_unallocated_ttys(gpsd_t)
term_setattr_unallocated_ttys(gpsd_t)
+term_use_usb_ttys(gpsd_t)
+term_setattr_usb_ttys(gpsd_t)
auth_use_nsswitch(gpsd_t)
logging_send_syslog_msg(gpsd_t)
-miscfiles_read_localization(gpsd_t)
-
optional_policy(`
chronyd_rw_shm(gpsd_t)
chronyd_stream_connect(gpsd_t)
diff --git a/gssproxy.fc b/gssproxy.fc
new file mode 100644
index 000000000..f4659d125
--- /dev/null
+++ b/gssproxy.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_file_t,s0)
+
+/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
+
+/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
+
+/var/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_var_run_t,s0)
+/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_var_run_t,s0)
diff --git a/gssproxy.if b/gssproxy.if
new file mode 100644
index 000000000..8a2013af9
--- /dev/null
+++ b/gssproxy.if
@@ -0,0 +1,217 @@
+
+## policy for gssproxy
+
+########################################
+##
+## Execute TEMPLATE in the gssproxy domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`gssproxy_domtrans',`
+ gen_require(`
+ type gssproxy_t, gssproxy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
+')
+
+########################################
+##
+## Search gssproxy lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gssproxy_search_lib',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ allow $1 gssproxy_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read gssproxy lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gssproxy_read_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+##
+## Manage gssproxy lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gssproxy_manage_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+##
+## Manage gssproxy lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gssproxy_manage_lib_dirs',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+##
+## Read gssproxy PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gssproxy_read_pid_files',`
+ gen_require(`
+ type gssproxy_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t)
+')
+
+########################################
+##
+## Execute gssproxy server in the gssproxy domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`gssproxy_systemctl',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 gssproxy_unit_file_t:file read_file_perms;
+ allow $1 gssproxy_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, gssproxy_t)
+')
+
+########################################
+##
+## Connect to gssproxy over an unix
+## domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gssproxy_stream_connect',`
+ gen_require(`
+ type gssproxy_t, gssproxy_var_run_t, gssproxy_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t, gssproxy_t)
+ stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an gssproxy environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`gssproxy_admin',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_var_lib_t;
+ type gssproxy_var_run_t;
+ type gssproxy_unit_file_t;
+ ')
+
+ allow $1 gssproxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gssproxy_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, gssproxy_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gssproxy_var_run_t)
+
+ gssproxy_systemctl($1)
+ admin_pattern($1, gssproxy_unit_file_t)
+ allow $1 gssproxy_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
+
+########################################
+##
+## Read and write to svirt_image devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gssproxy_noatsecure',`
+ gen_require(`
+ type gssproxy_t;
+ ')
+
+ allow $1 gssproxy_t:process { noatsecure rlimitinh };
+')
diff --git a/gssproxy.te b/gssproxy.te
new file mode 100644
index 000000000..79e22c58a
--- /dev/null
+++ b/gssproxy.te
@@ -0,0 +1,74 @@
+policy_module(gssproxy, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gssproxy_t;
+type gssproxy_exec_t;
+init_daemon_domain(gssproxy_t, gssproxy_exec_t)
+
+type gssproxy_var_lib_t;
+files_type(gssproxy_var_lib_t)
+
+type gssproxy_var_run_t;
+files_pid_file(gssproxy_var_run_t)
+
+type gssproxy_unit_file_t;
+systemd_unit_file(gssproxy_unit_file_t)
+
+########################################
+#
+# gssproxy local policy
+#
+allow gssproxy_t self:capability { setuid setgid dac_read_search dac_override };
+allow gssproxy_t self:capability2 block_suspend;
+allow gssproxy_t self:fifo_file rw_fifo_file_perms;
+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+manage_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file sock_file })
+
+kernel_rw_rpc_sysctls(gssproxy_t)
+
+domain_use_interactive_fds(gssproxy_t)
+
+files_read_etc_files(gssproxy_t)
+
+fs_getattr_all_fs(gssproxy_t)
+
+auth_use_nsswitch(gssproxy_t)
+
+dev_read_urand(gssproxy_t)
+
+logging_send_syslog_msg(gssproxy_t)
+
+miscfiles_read_localization(gssproxy_t)
+
+userdom_read_all_users_keys(gssproxy_t)
+userdom_manage_user_tmp_dirs(gssproxy_t)
+userdom_manage_user_tmp_files(gssproxy_t)
+
+optional_policy(`
+ ipa_read_lib(gssproxy_t)
+')
+
+optional_policy(`
+ kerberos_use(gssproxy_t)
+ kerberos_filetrans_named_content(gssproxy_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(gssproxy, gssproxy_t)
+ kerberos_manage_host_rcache(gssproxy_t)
+')
diff --git a/guest.if b/guest.if
index ad1653f9a..ff424b8e7 100644
--- a/guest.if
+++ b/guest.if
@@ -1,4 +1,4 @@
-## Least privledge terminal user role.
+## Least privileged terminal user role.
########################################
##
diff --git a/guest.te b/guest.te
index 19cdbe1d7..060577633 100644
--- a/guest.te
+++ b/guest.te
@@ -20,4 +20,4 @@ optional_policy(`
apache_role(guest_r, guest_t)
')
-#gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(guest_u, user, guest_r, s0, s0)
diff --git a/hadoop.te b/hadoop.te
index e15137840..04d173d1d 100644
--- a/hadoop.te
+++ b/hadoop.te
@@ -155,7 +155,6 @@ dev_read_urand(hadoop_t)
domain_use_interactive_fds(hadoop_t)
files_dontaudit_search_spool(hadoop_t)
-files_read_usr_files(hadoop_t)
fs_getattr_xattr_fs(hadoop_t)
@@ -263,8 +262,6 @@ kernel_read_system_state(hadoop_initrc_domain)
corecmd_exec_bin(hadoop_initrc_domain)
corecmd_exec_shell(hadoop_initrc_domain)
-files_read_etc_files(hadoop_initrc_domain)
-files_read_usr_files(hadoop_initrc_domain)
files_search_locks(hadoop_initrc_domain)
files_search_pids(hadoop_initrc_domain)
@@ -453,7 +450,6 @@ dev_read_urand(zookeeper_t)
domain_use_interactive_fds(zookeeper_t)
-files_read_usr_files(zookeeper_t)
auth_use_nsswitch(zookeeper_t)
@@ -537,7 +533,6 @@ dev_read_rand(zookeeper_server_t)
dev_read_sysfs(zookeeper_server_t)
dev_read_urand(zookeeper_server_t)
-files_read_usr_files(zookeeper_server_t)
fs_getattr_xattr_fs(zookeeper_server_t)
diff --git a/hal.te b/hal.te
index bbccc79f1..b02720214 100644
--- a/hal.te
+++ b/hal.te
@@ -61,7 +61,6 @@ files_type(hald_var_lib_t)
# Common local policy
#
-files_read_usr_files(hald_domain)
miscfiles_read_localization(hald_domain)
@@ -116,7 +115,7 @@ kernel_rw_irq_sysctls(hald_t)
kernel_rw_vm_sysctls(hald_t)
kernel_write_proc_files(hald_t)
kernel_rw_net_sysctls(hald_t)
-kernel_setsched(hald_t)
+kernel_dontaudit_setsched(hald_t)
kernel_request_load_module(hald_t)
corecmd_exec_all_executables(hald_t)
@@ -339,7 +338,7 @@ optional_policy(`
# ACL local policy
#
-allow hald_acl_t self:capability { dac_override fowner sys_resource };
+allow hald_acl_t self:capability { dac_read_search dac_override fowner sys_resource };
allow hald_acl_t self:process { getattr signal };
allow hald_acl_t self:fifo_file rw_fifo_file_perms;
@@ -437,7 +436,6 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
dev_rw_input_dev(hald_keymap_t)
-files_read_etc_files(hald_keymap_t)
logging_search_logs(hald_keymap_t)
diff --git a/hddtemp.if b/hddtemp.if
index 1728071d0..6e2d333d9 100644
--- a/hddtemp.if
+++ b/hddtemp.if
@@ -19,6 +19,32 @@ interface(`hddtemp_domtrans',`
domtrans_pattern($1, hddtemp_exec_t, hddtemp_t)
')
+########################################
+##
+## Execute hddtemp in the hddtemp domain, and
+## allow the specified role the hddtemp domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`hddtemp_run',`
+ gen_require(`
+ type hddtemp_t;
+ attribute_role hddtemp_roles;
+ ')
+
+ hddtemp_domtrans($1)
+ roleattribute $2 hddtemp_roles;
+')
+
######################################
##
## Execute hddtemp in the caller domain.
@@ -60,9 +86,13 @@ interface(`hddtemp_admin',`
type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
')
- allow $1 hddtemp_t:process { ptrace signal_perms };
+ allow $1 hddtemp_t:process signal_perms;
ps_process_pattern($1, hddtemp_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 hddtemp_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 hddtemp_initrc_exec_t system_r;
diff --git a/hddtemp.te b/hddtemp.te
index 9e11b9822..6338ea761 100644
--- a/hddtemp.te
+++ b/hddtemp.te
@@ -4,10 +4,12 @@ policy_module(hddtemp, 1.2.0)
#
# Declarations
#
+attribute_role hddtemp_roles;
type hddtemp_t;
type hddtemp_exec_t;
init_daemon_domain(hddtemp_t, hddtemp_exec_t)
+role hddtemp_roles types hddtemp_t;
type hddtemp_initrc_exec_t;
init_script_file(hddtemp_initrc_exec_t)
@@ -26,7 +28,6 @@ allow hddtemp_t self:tcp_socket { accept listen };
allow hddtemp_t hddtemp_etc_t:file read_file_perms;
-corenet_all_recvfrom_unlabeled(hddtemp_t)
corenet_all_recvfrom_netlabel(hddtemp_t)
corenet_tcp_sendrecv_generic_if(hddtemp_t)
corenet_tcp_sendrecv_generic_node(hddtemp_t)
@@ -36,9 +37,6 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t)
corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
corenet_tcp_sendrecv_hddtemp_port(hddtemp_t)
-files_search_etc(hddtemp_t)
-files_read_usr_files(hddtemp_t)
-
storage_raw_read_fixed_disk(hddtemp_t)
storage_raw_read_removable_device(hddtemp_t)
@@ -46,4 +44,3 @@ auth_use_nsswitch(hddtemp_t)
logging_send_syslog_msg(hddtemp_t)
-miscfiles_read_localization(hddtemp_t)
diff --git a/hostapd.fc b/hostapd.fc
new file mode 100644
index 000000000..0ca97b84b
--- /dev/null
+++ b/hostapd.fc
@@ -0,0 +1,5 @@
+/usr/lib/systemd/system/hostapd.service -- gen_context(system_u:object_r:hostapd_unit_file_t,s0)
+
+/usr/sbin/hostapd -- gen_context(system_u:object_r:hostapd_exec_t,s0)
+
+/var/run/hostapd(/.*)? gen_context(system_u:object_r:hostapd_var_run_t,s0)
\ No newline at end of file
diff --git a/hostapd.if b/hostapd.if
new file mode 100644
index 000000000..d0016da91
--- /dev/null
+++ b/hostapd.if
@@ -0,0 +1,101 @@
+
+## policy for hostapd
+
+########################################
+##
+## Execute TEMPLATE in the hostapd domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`hostapd_domtrans',`
+ gen_require(`
+ type hostapd_t, hostapd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, hostapd_exec_t, hostapd_t)
+')
+########################################
+##
+## Execute hostapd server in the hostapd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`hostapd_systemctl',`
+ gen_require(`
+ type hostapd_t;
+ type hostapd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 hostapd_unit_file_t:file read_file_perms;
+ allow $1 hostapd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, hostapd_t)
+')
+
+
+########################################
+##
+## Read hostapd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hostapd_read_pid_files',`
+ gen_require(`
+ type hostapd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, hostapd_var_run_t, hostapd_var_run_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an hostapd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`hostapd_admin',`
+ gen_require(`
+ type hostapd_t;
+ type hostapd_unit_file_t;
+ type hostapd_var_run_t;
+ ')
+
+ allow $1 hostapd_t:process { signal_perms };
+ ps_process_pattern($1, hostapd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 hostapd_t:process ptrace;
+ ')
+
+ hostapd_systemctl($1)
+ admin_pattern($1, hostapd_unit_file_t)
+ allow $1 hostapd_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+
+ admin_pattern($1, hostapd_var_run_t)
+')
diff --git a/hostapd.te b/hostapd.te
new file mode 100644
index 000000000..ef3f6a939
--- /dev/null
+++ b/hostapd.te
@@ -0,0 +1,51 @@
+policy_module(hostapd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type hostapd_t;
+type hostapd_exec_t;
+init_daemon_domain(hostapd_t, hostapd_exec_t)
+
+type hostapd_var_run_t;
+files_pid_file(hostapd_var_run_t)
+
+type hostapd_unit_file_t;
+systemd_unit_file(hostapd_unit_file_t)
+
+########################################
+#
+# hostapd local policy
+#
+allow hostapd_t self:capability { chown net_admin };
+allow hostapd_t self:fifo_file rw_fifo_file_perms;
+allow hostapd_t self:unix_stream_socket create_stream_socket_perms;
+allow hostapd_t self:netlink_socket create_socket_perms;
+allow hostapd_t self:netlink_route_socket create_netlink_socket_perms;
+allow hostapd_t self:packet_socket create_socket_perms;
+
+manage_dirs_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+manage_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+manage_lnk_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+files_pid_filetrans(hostapd_t, hostapd_var_run_t, { dir file lnk_file })
+
+kernel_read_system_state(hostapd_t)
+kernel_read_network_state(hostapd_t)
+kernel_request_load_module(hostapd_t)
+
+dev_read_rand(hostapd_t)
+dev_read_urand(hostapd_t)
+dev_read_sysfs(hostapd_t)
+dev_rw_wireless(hostapd_t)
+
+domain_use_interactive_fds(hostapd_t)
+
+files_read_etc_files(hostapd_t)
+
+auth_use_nsswitch(hostapd_t)
+
+logging_send_syslog_msg(hostapd_t)
+
+miscfiles_read_localization(hostapd_t)
diff --git a/howl.te b/howl.te
index b9e60ecfb..0477728a0 100644
--- a/howl.te
+++ b/howl.te
@@ -36,7 +36,6 @@ kernel_request_load_module(howl_t)
kernel_list_proc(howl_t)
kernel_read_proc_symlinks(howl_t)
-corenet_all_recvfrom_unlabeled(howl_t)
corenet_all_recvfrom_netlabel(howl_t)
corenet_tcp_sendrecv_generic_if(howl_t)
corenet_udp_sendrecv_generic_if(howl_t)
@@ -65,8 +64,6 @@ init_dontaudit_write_utmp(howl_t)
logging_send_syslog_msg(howl_t)
-miscfiles_read_localization(howl_t)
-
userdom_dontaudit_use_unpriv_user_fds(howl_t)
userdom_dontaudit_search_user_home_dirs(howl_t)
diff --git a/hsqldb.fc b/hsqldb.fc
new file mode 100644
index 000000000..aa92d7118
--- /dev/null
+++ b/hsqldb.fc
@@ -0,0 +1,7 @@
+/usr/lib/hsqldb/hsqldb-post -- gen_context(system_u:object_r:hsqldb_exec_t,s0)
+/usr/lib/hsqldb/hsqldb-stop -- gen_context(system_u:object_r:hsqldb_exec_t,s0)
+/usr/lib/hsqldb/hsqldb-wrapper -- gen_context(system_u:object_r:hsqldb_exec_t,s0)
+
+/usr/lib/systemd/system/hsqldb.* -- gen_context(system_u:object_r:hsqldb_unit_file_t,s0)
+
+/var/lib/hsqldb(/.*)? gen_context(system_u:object_r:hsqldb_var_lib_t,s0)
diff --git a/hsqldb.if b/hsqldb.if
new file mode 100644
index 000000000..f43f7489f
--- /dev/null
+++ b/hsqldb.if
@@ -0,0 +1,241 @@
+
+## Hsqldb is transactional database engine with in-memory and disk-based tables, supporting embedded and server modes.
+
+########################################
+##
+## Execute hsqldb_exec_t in the hsqldb domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`hsqldb_domtrans',`
+ gen_require(`
+ type hsqldb_t, hsqldb_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, hsqldb_exec_t, hsqldb_t)
+')
+
+######################################
+##
+## Execute hsqldb in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hsqldb_exec',`
+ gen_require(`
+ type hsqldb_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, hsqldb_exec_t)
+')
+
+########################################
+##
+## Do not audit attempts to read,
+## hsqldb tmp files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`hsqldb_dontaudit_read_tmp_files',`
+ gen_require(`
+ type hsqldb_tmp_t;
+ ')
+
+ dontaudit $1 hsqldb_tmp_t:file read_file_perms;
+')
+
+########################################
+##
+## Read hsqldb tmp files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hsqldb_read_tmp_files',`
+ gen_require(`
+ type hsqldb_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t)
+')
+
+########################################
+##
+## Manage hsqldb tmp files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hsqldb_manage_tmp',`
+ gen_require(`
+ type hsqldb_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_dirs_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t)
+ manage_files_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t)
+ manage_lnk_files_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t)
+')
+
+########################################
+##
+## Search hsqldb lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hsqldb_search_lib',`
+ gen_require(`
+ type hsqldb_var_lib_t;
+ ')
+
+ allow $1 hsqldb_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read hsqldb lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hsqldb_read_lib_files',`
+ gen_require(`
+ type hsqldb_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, hsqldb_var_lib_t, hsqldb_var_lib_t)
+')
+
+########################################
+##
+## Manage hsqldb lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hsqldb_manage_lib_files',`
+ gen_require(`
+ type hsqldb_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, hsqldb_var_lib_t, hsqldb_var_lib_t)
+')
+
+########################################
+##
+## Manage hsqldb lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hsqldb_manage_lib_dirs',`
+ gen_require(`
+ type hsqldb_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, hsqldb_var_lib_t, hsqldb_var_lib_t)
+')
+
+########################################
+##
+## Execute hsqldb server in the hsqldb domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`hsqldb_systemctl',`
+ gen_require(`
+ type hsqldb_t;
+ type hsqldb_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 hsqldb_unit_file_t:file read_file_perms;
+ allow $1 hsqldb_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, hsqldb_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an hsqldb environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hsqldb_admin',`
+ gen_require(`
+ type hsqldb_t;
+ type hsqldb_tmp_t;
+ type hsqldb_var_lib_t;
+ type hsqldb_unit_file_t;
+ ')
+
+ allow $1 hsqldb_t:process { signal_perms };
+ ps_process_pattern($1, hsqldb_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 hsqldb_t:process ptrace;
+ ')
+
+ files_search_tmp($1)
+ admin_pattern($1, hsqldb_tmp_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, hsqldb_var_lib_t)
+
+ hsqldb_systemctl($1)
+ admin_pattern($1, hsqldb_unit_file_t)
+ allow $1 hsqldb_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/hsqldb.te b/hsqldb.te
new file mode 100644
index 000000000..8035eaf53
--- /dev/null
+++ b/hsqldb.te
@@ -0,0 +1,61 @@
+policy_module(hsqldb, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type hsqldb_t;
+type hsqldb_exec_t;
+init_daemon_domain(hsqldb_t, hsqldb_exec_t)
+
+type hsqldb_tmp_t;
+files_tmp_file(hsqldb_tmp_t)
+
+type hsqldb_var_lib_t;
+files_type(hsqldb_var_lib_t)
+
+type hsqldb_unit_file_t;
+systemd_unit_file(hsqldb_unit_file_t)
+
+########################################
+#
+# hsqldb local policy
+#
+
+allow hsqldb_t self:process execmem;
+
+allow hsqldb_t self:fifo_file rw_fifo_file_perms;
+allow hsqldb_t self:stream_socket_class_set create_stream_socket_perms;
+
+manage_dirs_pattern(hsqldb_t, hsqldb_tmp_t, hsqldb_tmp_t)
+manage_files_pattern(hsqldb_t, hsqldb_tmp_t, hsqldb_tmp_t)
+files_tmp_filetrans(hsqldb_t, hsqldb_tmp_t, { dir file })
+allow hsqldb_t hsqldb_tmp_t:file map;
+
+manage_dirs_pattern(hsqldb_t, hsqldb_var_lib_t, hsqldb_var_lib_t)
+manage_files_pattern(hsqldb_t, hsqldb_var_lib_t, hsqldb_var_lib_t)
+manage_lnk_files_pattern(hsqldb_t, hsqldb_var_lib_t, hsqldb_var_lib_t)
+manage_sock_files_pattern(hsqldb_t, hsqldb_var_lib_t, hsqldb_var_lib_t)
+files_var_lib_filetrans(hsqldb_t, hsqldb_var_lib_t, { dir })
+
+kernel_read_system_state(hsqldb_t)
+kernel_read_network_state(hsqldb_t)
+
+corecmd_exec_bin(hsqldb_t)
+
+corenet_tcp_bind_generic_node(hsqldb_t)
+corenet_tcp_bind_tor_port(hsqldb_t)
+corenet_tcp_connect_tor_port(hsqldb_t)
+
+dev_list_sysfs(hsqldb_t)
+
+dev_read_urand(hsqldb_t)
+dev_read_rand(hsqldb_t)
+
+fs_read_cgroup_files(hsqldb_t)
+fs_search_cgroup_dirs(hsqldb_t)
+
+auth_use_nsswitch(hsqldb_t)
+
+sysnet_read_config(hsqldb_t)
diff --git a/hwloc.fc b/hwloc.fc
new file mode 100644
index 000000000..d0c5a1502
--- /dev/null
+++ b/hwloc.fc
@@ -0,0 +1,5 @@
+/usr/sbin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
+
+/usr/lib/systemd/system/hwloc-dump-hwdata.* -- gen_context(system_u:object_r:hwloc_dhwd_unit_t,s0)
+
+/var/run/hwloc(/.*)? gen_context(system_u:object_r:hwloc_var_run_t,s0)
diff --git a/hwloc.if b/hwloc.if
new file mode 100644
index 000000000..f98e16612
--- /dev/null
+++ b/hwloc.if
@@ -0,0 +1,110 @@
+## Dump topology and locality information from hardware tables.
+
+########################################
+##
+## Execute hwloc dhwd in the hwloc dhwd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`hwloc_domtrans_dhwd',`
+ gen_require(`
+ type hwloc_dhwd_t, hwloc_dhwd_exec_t;
+ ')
+
+ domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t)
+')
+
+########################################
+##
+## Execute hwloc dhwd in the hwloc dhwd domain, and
+## allow the specified role the hwloc dhwd domain,
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`hwloc_run_dhwd',`
+ gen_require(`
+ attribute_role hwloc_dhwd_roles;
+ ')
+
+ hwloc_domtrans_dhwd($1)
+ roleattribute $2 hwloc_dhwd_roles;
+')
+
+########################################
+##
+## Execute hwloc dhwd in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hwloc_exec_dhwd',`
+ gen_require(`
+ type hwloc_dhwd_exec_t;
+ ')
+
+ can_exec($1, hwloc_dhwd_exec_t)
+')
+
+########################################
+##
+## Read hwloc runtime files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hwloc_read_runtime_files',`
+ gen_require(`
+ type hwloc_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t)
+')
+
+########################################
+##
+## All of the rules required to
+## administrate an hwloc environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`hwloc_admin',`
+ gen_require(`
+ type hwloc_dhwd_t, hwloc_var_run_t;
+ ')
+
+ allow $1 hwloc_dhwd_t:process { signal_perms };
+ ps_process_pattern($1, hwloc_dhwd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 hwloc_dhwd_t:process ptrace;
+ ')
+
+ admin_pattern($1, hwloc_var_run_t)
+ files_pid_filetrans($1, hwloc_var_run_t, dir, "hwloc")
+')
diff --git a/hwloc.te b/hwloc.te
new file mode 100644
index 000000000..0f45fd50e
--- /dev/null
+++ b/hwloc.te
@@ -0,0 +1,31 @@
+policy_module(hwloc, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role hwloc_dhwd_roles;
+roleattribute system_r hwloc_dhwd_roles;
+
+type hwloc_dhwd_t;
+type hwloc_dhwd_exec_t;
+init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t)
+role hwloc_dhwd_roles types hwloc_dhwd_t;
+
+type hwloc_var_run_t;
+files_pid_file(hwloc_var_run_t)
+
+type hwloc_dhwd_unit_t;
+systemd_unit_file(hwloc_dhwd_unit_t)
+
+########################################
+#
+# Local policy
+#
+
+allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms;
+allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms;
+files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)
+
+dev_read_sysfs(hwloc_dhwd_t)
diff --git a/hypervkvp.fc b/hypervkvp.fc
index b46130ef5..e2ae3b22b 100644
--- a/hypervkvp.fc
+++ b/hypervkvp.fc
@@ -1,3 +1,10 @@
-/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0)
-/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+/usr/lib/systemd/system/hypervvssd.* -- gen_context(system_u:object_r:hypervvssd_unit_file_t,s0)
+
+/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
+/usr/sbin/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
+
+/usr/sbin/hypervvssd -- gen_context(system_u:object_r:hypervvssd_exec_t,s0)
+
+/var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)
diff --git a/hypervkvp.if b/hypervkvp.if
index 6517fadbb..f1837481b 100644
--- a/hypervkvp.if
+++ b/hypervkvp.if
@@ -1,32 +1,135 @@
-## HyperV key value pair (KVP).
+
+## policy for hypervkvp
+
+########################################
+##
+## Execute TEMPLATE in the hypervkvp domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`hypervkvp_domtrans',`
+ gen_require(`
+ type hypervkvp_t, hypervkvp_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, hypervkvp_exec_t, hypervkvp_t)
+')
+
+########################################
+##
+## Search hypervkvp lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hypervkvp_search_lib',`
+ gen_require(`
+ type hypervkvp_var_lib_t;
+ ')
+
+ allow $1 hypervkvp_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read hypervkvp lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hypervkvp_read_lib_files',`
+ gen_require(`
+ type hypervkvp_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 hypervkvp_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+')
########################################
##
-## All of the rules required to
-## administrate an hypervkvp environment.
+## Create, read, write, and delete
+## hypervkvp lib files.
##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`hypervkvp_manage_lib_files',`
+ gen_require(`
+ type hypervkvp_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+')
+
+#######################################
+##
+## Execute hypervkvp server in the hypervkvp domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`hypervkvp_systemctl',`
+ gen_require(`
+ type hypervkvp_t;
+ type hypervkvp_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 hypervkvp_unit_file_t:file read_file_perms;
+ allow $1 hypervkvp_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, hypervkvp_t)
+ ')
+
+########################################
+##
+## All of the rules required to administrate
+## an hypervkvp environment
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
-##
#
interface(`hypervkvp_admin',`
gen_require(`
- type hypervkvpd_t, hypervkvpd_initrc_exec_t;
+ type hypervkvp_t;
+ type hypervkvp_unit_file_t;
+ ')
+
+ allow $1 hypervkvp_t:process signal_perms;
+ ps_process_pattern($1, hypervkvp_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 hypervkvp_t:process ptrace;
')
- allow $1 hypervkvpd_t:process { ptrace signal_perms };
- ps_process_pattern($1, hypervkvpd_t)
+ hypervkvp_manage_lib_files($1)
- init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 hypervkvpd_initrc_exec_t system_r;
- allow $2 system_r;
+ hypervkvp_systemctl($1)
+ admin_pattern($1, hypervkvp_unit_file_t)
+ allow $1 hypervkvp_unit_file_t:service all_service_perms;
')
diff --git a/hypervkvp.te b/hypervkvp.te
index 4eb7041ef..bce3f60a9 100644
--- a/hypervkvp.te
+++ b/hypervkvp.te
@@ -5,24 +5,161 @@ policy_module(hypervkvp, 1.0.0)
# Declarations
#
-type hypervkvpd_t;
-type hypervkvpd_exec_t;
-init_daemon_domain(hypervkvpd_t, hypervkvpd_exec_t)
+attribute hyperv_domain;
-type hypervkvpd_initrc_exec_t;
-init_script_file(hypervkvpd_initrc_exec_t)
+type hypervkvp_t, hyperv_domain;
+type hypervkvp_exec_t;
+init_daemon_domain(hypervkvp_t, hypervkvp_exec_t)
+
+type hypervkvp_initrc_exec_t;
+init_script_file(hypervkvp_initrc_exec_t)
+
+type hypervkvp_unit_file_t;
+systemd_unit_file(hypervkvp_unit_file_t)
+
+type hypervkvp_var_lib_t;
+files_type(hypervkvp_var_lib_t)
+
+type hypervkvp_tmp_t;
+files_tmpfs_file(hypervkvp_tmp_t)
+
+type hypervvssd_t, hyperv_domain;
+type hypervvssd_exec_t;
+init_daemon_domain(hypervvssd_t, hypervvssd_exec_t)
+
+type hypervvssd_unit_file_t;
+systemd_unit_file(hypervvssd_unit_file_t)
########################################
#
-# Local policy
+# hyperv domain local policy
+#
+
+allow hyperv_domain self:capability net_admin;
+allow hyperv_domain self:netlink_socket create_socket_perms;
+
+allow hyperv_domain self:fifo_file rw_fifo_file_perms;
+allow hyperv_domain self:unix_stream_socket create_stream_socket_perms;
+
+corecmd_exec_shell(hyperv_domain)
+corecmd_exec_bin(hyperv_domain)
+
+dev_read_sysfs(hyperv_domain)
+
+########################################
#
+# hypervkvp local policy
#
-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
+allow hypervkvp_t self:capability sys_ptrace;
+allow hypervkvp_t self:process setfscreate;
+allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)
+
+manage_files_pattern(hypervkvp_t, hypervkvp_tmp_t, hypervkvp_tmp_t)
+manage_dirs_pattern(hypervkvp_t, hypervkvp_tmp_t, hypervkvp_tmp_t)
+files_tmp_filetrans(hypervkvp_t, hypervkvp_tmp_t, { file dir })
+
+kernel_read_system_state(hypervkvp_t)
+kernel_read_network_state(hypervkvp_t)
+kernel_rw_net_sysctls(hypervkvp_t)
+
+corecmd_getattr_all_executables(hypervkvp_t)
+
+dev_rw_hypervkvp(hypervkvp_t)
+
+domain_read_all_domains_state(hypervkvp_t)
+
+seutil_exec_setfiles(hypervkvp_t)
+seutil_read_file_contexts(hypervkvp_t)
+
+domain_read_all_domains_state(hypervkvp_t)
+
+dev_read_urand(hypervkvp_t)
+
+files_dontaudit_search_home(hypervkvp_t)
+files_dontaudit_getattr_non_security_files(hypervkvp_t)
+
+fs_getattr_all_fs(hypervkvp_t)
+fs_read_hugetlbfs_files(hypervkvp_t)
+fs_list_hugetlbfs(hypervkvp_t)
+
+auth_use_nsswitch(hypervkvp_t)
+
+logging_send_syslog_msg(hypervkvp_t)
+logging_read_syslog_config(hypervkvp_t)
+
+libs_exec_ldconfig(hypervkvp_t)
+
+modutils_domtrans_insmod(hypervkvp_t)
+
+sysnet_dns_name_resolve(hypervkvp_t)
+sysnet_domtrans_dhcpc(hypervkvp_t)
+sysnet_domtrans_ifconfig(hypervkvp_t)
+
+sysnet_manage_dhcpc_pid(hypervkvp_t)
+sysnet_signal_dhcpc(hypervkvp_t)
+
+sysnet_manage_config(hypervkvp_t)
+sysnet_read_dhcpc_state(hypervkvp_t)
+sysnet_read_dhcp_config(hypervkvp_t)
+sysnet_etc_filetrans_config(hypervkvp_t)
+
+systemd_exec_systemctl(hypervkvp_t)
+
+userdom_dontaudit_search_admin_dir(hypervkvp_t)
+
+optional_policy(`
+ dbus_read_pid_files(hypervkvp_t)
+ dbus_system_bus_client(hypervkvp_t)
+')
+
+optional_policy(`
+ brctl_domtrans(hypervkvp_t)
+')
+
+optional_policy(`
+ hostname_exec(hypervkvp_t)
+')
+
+optional_policy(`
+ firewalld_dbus_chat(hypervkvp_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(hypervkvp_t)
+ netutils_domtrans(hypervkvp_t)
+')
+
+optional_policy(`
+ networkmanager_read_pid_files(hypervkvp_t)
+ networkmanager_dbus_chat(hypervkvp_t)
+')
+
+optional_policy(`
+ sysnet_exec_ifconfig(hypervkvp_t)
+')
+
+optional_policy(`
+ rpm_exec(hypervkvp_t)
+')
+
+########################################
+#
+# hypervvssd local policy
+#
+
+allow hypervvssd_t self:capability { dac_read_search dac_override sys_admin };
+
+dev_rw_hypervvssd(hypervvssd_t)
-logging_send_syslog_msg(hypervkvpd_t)
+files_list_all_mountpoints(hypervvssd_t)
+files_list_boot(hypervvssd_t)
+files_list_non_auth_dirs(hypervvssd_t)
-miscfiles_read_localization(hypervkvpd_t)
+logging_send_syslog_msg(hypervvssd_t)
-sysnet_dns_name_resolve(hypervkvpd_t)
+storage_raw_read_fixed_disk(hypervvssd_t)
diff --git a/i18n_input.te b/i18n_input.te
index 369a0566b..65fde93d9 100644
--- a/i18n_input.te
+++ b/i18n_input.te
@@ -45,7 +45,6 @@ can_exec(i18n_input_t, i18n_input_exec_t)
kernel_read_kernel_sysctls(i18n_input_t)
kernel_read_system_state(i18n_input_t)
-corenet_all_recvfrom_unlabeled(i18n_input_t)
corenet_all_recvfrom_netlabel(i18n_input_t)
corenet_tcp_sendrecv_generic_if(i18n_input_t)
corenet_tcp_sendrecv_generic_node(i18n_input_t)
@@ -68,7 +67,6 @@ fs_getattr_all_fs(i18n_input_t)
fs_search_auto_mountpoints(i18n_input_t)
files_read_etc_runtime_files(i18n_input_t)
-files_read_usr_files(i18n_input_t)
auth_use_nsswitch(i18n_input_t)
@@ -76,20 +74,9 @@ init_stream_connect_script(i18n_input_t)
logging_send_syslog_msg(i18n_input_t)
-miscfiles_read_localization(i18n_input_t)
-
userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
userdom_read_user_home_content_files(i18n_input_t)
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(i18n_input_t)
- fs_read_nfs_symlinks(i18n_input_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(i18n_input_t)
- fs_read_cifs_symlinks(i18n_input_t)
-')
+userdom_home_reader(i18n_input_t)
optional_policy(`
canna_stream_connect(i18n_input_t)
diff --git a/icecast.if b/icecast.if
index 580b533ce..c267cea58 100644
--- a/icecast.if
+++ b/icecast.if
@@ -176,6 +176,14 @@ interface(`icecast_admin',`
type icecast_var_run_t;
')
+ allow $1 icecast_t:process signal_perms;
+ ps_process_pattern($1, icecast_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 icecast_t:process ptrace;
+ ')
+
+ # Allow icecast_t to restart the apache service
icecast_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 icecast_initrc_exec_t system_r;
diff --git a/icecast.te b/icecast.te
index a9e573a50..9a9245f49 100644
--- a/icecast.te
+++ b/icecast.te
@@ -32,7 +32,7 @@ files_pid_file(icecast_var_run_t)
# Local policy
#
-allow icecast_t self:capability { dac_override setgid setuid sys_nice };
+allow icecast_t self:capability { dac_read_search dac_override setgid setuid sys_nice };
allow icecast_t self:process { getsched setsched signal };
allow icecast_t self:fifo_file rw_fifo_file_perms;
allow icecast_t self:unix_stream_socket create_stream_socket_perms;
@@ -65,11 +65,9 @@ dev_read_sysfs(icecast_t)
dev_read_urand(icecast_t)
dev_read_rand(icecast_t)
-domain_use_interactive_fds(icecast_t)
-
auth_use_nsswitch(icecast_t)
-miscfiles_read_localization(icecast_t)
+files_dontaudit_list_tmp(icecast_t)
tunable_policy(`icecast_use_any_tcp_ports',`
corenet_tcp_connect_all_ports(icecast_t)
diff --git a/ifplugd.if b/ifplugd.if
index 899989996..96909ae6a 100644
--- a/ifplugd.if
+++ b/ifplugd.if
@@ -119,7 +119,7 @@ interface(`ifplugd_admin',`
type ifplugd_initrc_exec_t;
')
- allow $1 ifplugd_t:process { ptrace signal_perms };
+ allow $1 ifplugd_t:process signal_perms;
ps_process_pattern($1, ifplugd_t)
init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
diff --git a/ifplugd.te b/ifplugd.te
index b0546b43b..98d7326a8 100644
--- a/ifplugd.te
+++ b/ifplugd.te
@@ -10,7 +10,7 @@ type ifplugd_exec_t;
init_daemon_domain(ifplugd_t, ifplugd_exec_t)
type ifplugd_etc_t;
-files_type(ifplugd_etc_t)
+files_config_file(ifplugd_etc_t)
type ifplugd_initrc_exec_t;
init_script_file(ifplugd_initrc_exec_t)
@@ -49,14 +49,11 @@ corecmd_exec_shell(ifplugd_t)
dev_read_sysfs(ifplugd_t)
domain_read_confined_domains_state(ifplugd_t)
-domain_dontaudit_read_all_domains_state(ifplugd_t)
auth_use_nsswitch(ifplugd_t)
logging_send_syslog_msg(ifplugd_t)
-miscfiles_read_localization(ifplugd_t)
-
netutils_domtrans(ifplugd_t)
sysnet_domtrans_ifconfig(ifplugd_t)
diff --git a/imaze.te b/imaze.te
index 1eb24d8c8..b320d51ae 100644
--- a/imaze.te
+++ b/imaze.te
@@ -45,7 +45,6 @@ kernel_list_proc(imazesrv_t)
kernel_read_kernel_sysctls(imazesrv_t)
kernel_read_proc_symlinks(imazesrv_t)
-corenet_all_recvfrom_unlabeled(imazesrv_t)
corenet_all_recvfrom_netlabel(imazesrv_t)
corenet_tcp_sendrecv_generic_if(imazesrv_t)
corenet_udp_sendrecv_generic_if(imazesrv_t)
@@ -71,8 +70,6 @@ auth_use_nsswitch(imazesrv_t)
logging_send_syslog_msg(imazesrv_t)
-miscfiles_read_localization(imazesrv_t)
-
userdom_use_unpriv_users_fds(imazesrv_t)
userdom_dontaudit_search_user_home_dirs(imazesrv_t)
diff --git a/inetd.if b/inetd.if
index fbb54e7d8..05c377768 100644
--- a/inetd.if
+++ b/inetd.if
@@ -37,6 +37,12 @@ interface(`inetd_core_service_domain',`
domtrans_pattern(inetd_t, $2, $1)
allow inetd_t $1:process { siginh sigkill };
+
+ init_domain($1, $2)
+
+ optional_policy(`
+ abrt_stream_connect($1)
+ ')
')
########################################
diff --git a/inetd.te b/inetd.te
index c6450df8a..0c88e1cf7 100644
--- a/inetd.te
+++ b/inetd.te
@@ -37,9 +37,9 @@ ifdef(`enable_mcs',`
# Local policy
#
-allow inetd_t self:capability { setuid setgid sys_resource };
+allow inetd_t self:capability { setuid setgid };
dontaudit inetd_t self:capability sys_tty_config;
-allow inetd_t self:process { setsched setexec setrlimit };
+allow inetd_t self:process { setsched setexec };
allow inetd_t self:fifo_file rw_fifo_file_perms;
allow inetd_t self:tcp_socket { accept listen };
allow inetd_t self:fd use;
@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t)
kernel_tcp_recvfrom_unlabeled(inetd_t)
corecmd_bin_domtrans(inetd_t, inetd_child_t)
+corecmd_exec_shell(inetd_t)
corenet_all_recvfrom_unlabeled(inetd_t)
corenet_all_recvfrom_netlabel(inetd_t)
@@ -98,6 +99,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t)
corenet_tcp_bind_inetd_child_port(inetd_t)
corenet_udp_bind_inetd_child_port(inetd_t)
+corenet_tcp_bind_echo_port(inetd_t)
+corenet_udp_bind_echo_port(inetd_t)
+corenet_tcp_bind_time_port(inetd_t)
+corenet_udp_bind_time_port(inetd_t)
+
corenet_sendrecv_ircd_server_packets(inetd_t)
corenet_tcp_bind_ircd_port(inetd_t)
@@ -141,6 +147,9 @@ corenet_sendrecv_git_server_packets(inetd_t)
corenet_tcp_bind_git_port(inetd_t)
corenet_udp_bind_git_port(inetd_t)
+dev_read_urand(inetd_t)
+dev_read_rand(inetd_t)
+
dev_read_sysfs(inetd_t)
domain_use_interactive_fds(inetd_t)
@@ -157,8 +166,6 @@ auth_use_nsswitch(inetd_t)
logging_send_syslog_msg(inetd_t)
-miscfiles_read_localization(inetd_t)
-
mls_fd_share_all_levels(inetd_t)
mls_socket_read_to_clearance(inetd_t)
mls_socket_write_to_clearance(inetd_t)
@@ -188,17 +195,13 @@ optional_policy(`
')
optional_policy(`
- tftp_read_config_files(inetd_t)
+ tftp_read_config(inetd_t)
')
optional_policy(`
udev_read_db(inetd_t)
')
-optional_policy(`
- unconfined_domtrans(inetd_t)
-')
-
########################################
#
# Child local policy
@@ -220,6 +223,16 @@ kernel_read_kernel_sysctls(inetd_child_t)
kernel_read_network_state(inetd_child_t)
kernel_read_system_state(inetd_child_t)
+corenet_all_recvfrom_netlabel(inetd_child_t)
+corenet_tcp_sendrecv_generic_if(inetd_child_t)
+corenet_udp_sendrecv_generic_if(inetd_child_t)
+corenet_tcp_sendrecv_generic_node(inetd_child_t)
+corenet_udp_sendrecv_generic_node(inetd_child_t)
+corenet_tcp_sendrecv_all_ports(inetd_child_t)
+corenet_udp_sendrecv_all_ports(inetd_child_t)
+
+corecmd_bin_entry_type(inetd_child_t)
+
dev_read_urand(inetd_child_t)
fs_getattr_xattr_fs(inetd_child_t)
@@ -230,7 +243,23 @@ auth_use_nsswitch(inetd_child_t)
logging_send_syslog_msg(inetd_child_t)
-miscfiles_read_localization(inetd_child_t)
+sysnet_read_config(inetd_child_t)
+
+optional_policy(`
+ abrt_dbus_chat(inetd_child_t)
+')
+
+optional_policy(`
+ chronyd_run_chronyc(inetd_child_t,system_r)
+')
+
+optional_policy(`
+ kerberos_use(inetd_child_t)
+')
+
+optional_policy(`
+ systemd_dbus_chat_logind(inetd_child_t)
+')
optional_policy(`
unconfined_domain(inetd_child_t)
diff --git a/inn.fc b/inn.fc
index 8c0a48b1d..b9eabf145 100644
--- a/inn.fc
+++ b/inn.fc
@@ -3,6 +3,8 @@
/etc/rc\.d/init\.d/innd -- gen_context(system_u:object_r:innd_initrc_exec_t,s0)
+/usr/lib/systemd/system/innd.* -- gen_context(system_u:object_r:innd_unit_file_t,s0)
+
/usr/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0)
/usr/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0)
/usr/bin/rpost -- gen_context(system_u:object_r:innd_exec_t,s0)
@@ -13,42 +15,43 @@
/var/lib/news(/.*)? gen_context(system_u:object_r:innd_var_lib_t,s0)
-/usr/lib/news/bin/actsync -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/archive -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/batcher -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/buffchan -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/convdate -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/ctlinnd -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/cvtbatch -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/expire -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/expireover -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/fastrm -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/filechan -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/getlist -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/grephistory -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/innconfval -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/innd -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/inndf -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/inndstart -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/innfeed -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/innxbatch -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/innxmit -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/makedbz -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/makehistory -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/newsrequeue -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/nntpget -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/ovdb_recover -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/overchan -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/prunehistory -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/shlock -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/shrinkfile -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/sm -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/startinnfeed -- gen_context(system_u:object_r:innd_exec_t,s0)
-
-/var/log/news.* -- gen_context(system_u:object_r:innd_log_t,s0)
+/usr/libexec/news/actsync -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/archive -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/batcher -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/buffchan -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/convdate -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/ctlinnd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/cvtbatch -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/expire -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/expireover -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/fastrm -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/filechan -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/getlist -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/grephistory -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/inews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/newsinnconfval -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/innd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/inndf -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/inndstart -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/innfeed -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/innxbatch -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/innxmit -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/makedbz -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/makehistory -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/newsrequeue -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/nntpget -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/ovdb_recover -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/overchan -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/prunehistory -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/rnews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/shlock -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/shrinkfile -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/sm -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/startinnfeed -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/rc.news -- gen_context(system_u:object_r:innd_exec_t,s0)
+
+/var/log/news(/.*)? gen_context(system_u:object_r:innd_log_t,s0)
/var/run/innd(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0)
/var/run/innd\.pid -- gen_context(system_u:object_r:innd_var_run_t,s0)
diff --git a/inn.if b/inn.if
index eb87f2341..d3d32c3ad 100644
--- a/inn.if
+++ b/inn.if
@@ -124,6 +124,7 @@ interface(`inn_read_config',`
type innd_etc_t;
')
+ files_search_etc($1)
allow $1 innd_etc_t:dir list_dir_perms;
allow $1 innd_etc_t:file read_file_perms;
allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
@@ -144,10 +145,29 @@ interface(`inn_read_news_lib',`
type innd_var_lib_t;
')
+ files_search_var_lib($1)
allow $1 innd_var_lib_t:dir list_dir_perms;
allow $1 innd_var_lib_t:file read_file_perms;
')
+########################################
+##
+## Write innd inherited news library content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`inn_write_inherited_news_lib',`
+ gen_require(`
+ type innd_var_lib_t;
+ ')
+
+ allow $1 innd_var_lib_t:file write_inherited_file_perms;
+')
+
########################################
##
## Read innd news spool content.
@@ -163,6 +183,7 @@ interface(`inn_read_news_spool',`
type news_spool_t;
')
+ files_search_spool($1)
allow $1 news_spool_t:dir list_dir_perms;
allow $1 news_spool_t:file read_file_perms;
allow $1 news_spool_t:lnk_file read_lnk_file_perms;
@@ -226,8 +247,15 @@ interface(`inn_domtrans',`
interface(`inn_admin',`
gen_require(`
type innd_t, innd_etc_t, innd_log_t;
- type news_spool_t, innd_var_lib_t;
- type innd_var_run_t, innd_initrc_exec_t;
+ type news_spool_t, innd_var_lib_t, innd_var_run_t;
+ type innd_initrc_exec_t;
+ ')
+
+ allow $1 innd_t:process signal_perms;
+ ps_process_pattern($1, innd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 innd_t:process ptrace;
')
init_labeled_script_domtrans($1, innd_initrc_exec_t)
diff --git a/inn.te b/inn.te
index d39f0cc51..fc0bd082b 100644
--- a/inn.te
+++ b/inn.te
@@ -15,6 +15,9 @@ files_config_file(innd_etc_t)
type innd_initrc_exec_t;
init_script_file(innd_initrc_exec_t)
+type innd_unit_file_t;
+systemd_unit_file(innd_unit_file_t)
+
type innd_log_t;
logging_log_file(innd_log_t)
@@ -26,13 +29,14 @@ files_pid_file(innd_var_run_t)
type news_spool_t;
files_mountpoint(news_spool_t)
+files_spool_file(news_spool_t)
########################################
#
# Local policy
#
-allow innd_t self:capability { dac_override kill setgid setuid };
+allow innd_t self:capability { dac_read_search dac_override kill setgid setuid };
dontaudit innd_t self:capability sys_tty_config;
allow innd_t self:process { setsched signal_perms };
allow innd_t self:fifo_file rw_fifo_file_perms;
@@ -43,29 +47,29 @@ allow innd_t self:tcp_socket { accept listen };
read_files_pattern(innd_t, innd_etc_t, innd_etc_t)
read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
-allow innd_t innd_log_t:dir setattr_dir_perms;
-append_files_pattern(innd_t, innd_log_t, innd_log_t)
-create_files_pattern(innd_t, innd_log_t, innd_log_t)
-setattr_files_pattern(innd_t, innd_log_t, innd_log_t)
+manage_files_pattern(innd_t, innd_log_t, innd_log_t)
+manage_dirs_pattern(innd_t, innd_log_t, innd_log_t)
+logging_log_filetrans(innd_t, innd_log_t, { dir file })
manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
+allow innd_t innd_var_lib_t:file map;
manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t)
manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
-files_pid_filetrans(innd_t, innd_var_run_t, file)
+files_pid_filetrans(innd_t, innd_var_run_t, { dir file })
manage_dirs_pattern(innd_t, news_spool_t, news_spool_t)
manage_files_pattern(innd_t, news_spool_t, news_spool_t)
manage_lnk_files_pattern(innd_t, news_spool_t, news_spool_t)
+allow innd_t news_spool_t:file map;
can_exec(innd_t, innd_exec_t)
kernel_read_kernel_sysctls(innd_t)
kernel_read_system_state(innd_t)
-corenet_all_recvfrom_unlabeled(innd_t)
corenet_all_recvfrom_netlabel(innd_t)
corenet_tcp_sendrecv_generic_if(innd_t)
corenet_tcp_sendrecv_generic_node(innd_t)
@@ -91,18 +95,18 @@ fs_search_auto_mountpoints(innd_t)
files_list_spool(innd_t)
files_read_etc_runtime_files(innd_t)
-files_read_usr_files(innd_t)
+
+inn_exec_config(innd_t)
auth_use_nsswitch(innd_t)
logging_send_syslog_msg(innd_t)
-miscfiles_read_localization(innd_t)
-
seutil_dontaudit_search_config(innd_t)
userdom_dontaudit_use_unpriv_user_fds(innd_t)
userdom_dontaudit_search_user_home_dirs(innd_t)
+userdom_dgram_send(innd_t)
mta_send_mail(innd_t)
diff --git a/iodine.fc b/iodine.fc
index ca07a8744..6ea129cf6 100644
--- a/iodine.fc
+++ b/iodine.fc
@@ -1,3 +1,5 @@
/etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0)
+/usr/lib/systemd/system/iodine-server.* -- gen_context(system_u:object_r:iodined_unit_file_t,s0)
+
/usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
diff --git a/iodine.if b/iodine.if
index a0bfbd04f..8dc7c3e31 100644
--- a/iodine.if
+++ b/iodine.if
@@ -1,5 +1,49 @@
## IP over DNS tunneling daemon.
+########################################
+##
+## Execute NetworkManager with a domain transition.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`iodined_domtrans',`
+ gen_require(`
+ type iodined_t, iodined_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, iodined_exec_t, iodined_t)
+')
+
+########################################
+##
+## Execute iodined server in the iodined domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`iodined_systemctl',`
+ gen_require(`
+ type iodined_t;
+ type iodined_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 iodined_unit_file_t:file read_file_perms;
+ allow $1 iodined_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, iodined_t)
+')
+
########################################
##
## All of the rules required to
diff --git a/iodine.te b/iodine.te
index d443feee4..6cbbf7d84 100644
--- a/iodine.te
+++ b/iodine.te
@@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t)
type iodined_initrc_exec_t;
init_script_file(iodined_initrc_exec_t)
+type iodined_unit_file_t;
+systemd_unit_file(iodined_unit_file_t)
+
########################################
#
# Local policy
@@ -43,7 +46,7 @@ corenet_udp_sendrecv_dns_port(iodined_t)
corecmd_exec_shell(iodined_t)
-files_read_etc_files(iodined_t)
+auth_use_nsswitch(iodined_t)
logging_send_syslog_msg(iodined_t)
diff --git a/iotop.fc b/iotop.fc
new file mode 100644
index 000000000..c8d2deac2
--- /dev/null
+++ b/iotop.fc
@@ -0,0 +1 @@
+/usr/sbin/iotop -- gen_context(system_u:object_r:iotop_exec_t,s0)
diff --git a/iotop.if b/iotop.if
new file mode 100644
index 000000000..7fc3464e6
--- /dev/null
+++ b/iotop.if
@@ -0,0 +1,46 @@
+## Simple top-like I/O monitor
+
+########################################
+##
+## Allow execution of iotop in the iotop domain from the target domain.
+##
+##
+##
+## Domain allowed to transition to iotop.
+##
+##
+#
+interface(`iotop_domtrans',`
+ gen_require(`
+ type iotop_t, iotop_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, iotop_exec_t, iotop_t)
+')
+
+########################################
+##
+## Execute iotop in the iotop domain, and
+## allow the specified role to access the iotop domain.
+##
+##
+##
+## Domain allowed to transition
+##
+##
+##
+##
+## The role to be allowed into the iotop domain.
+##
+##
+#
+interface(`iotop_run',`
+ gen_require(`
+ type iotop_t;
+ attribute_role iotop_roles;
+ ')
+
+ iotop_domtrans($1)
+ roleattribute $2 iotop_roles;
+')
diff --git a/iotop.te b/iotop.te
new file mode 100644
index 000000000..61f2003c8
--- /dev/null
+++ b/iotop.te
@@ -0,0 +1,39 @@
+policy_module(iotop, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role iotop_roles;
+roleattribute system_r iotop_roles;
+
+type iotop_t;
+type iotop_exec_t;
+application_domain(iotop_t, iotop_exec_t)
+
+role iotop_roles types iotop_t;
+
+########################################
+#
+# iotop local policy
+#
+
+allow iotop_t self:capability net_admin;
+allow iotop_t self:netlink_route_socket r_netlink_socket_perms;
+allow iotop_t self:netlink_socket create_socket_perms;
+
+kernel_read_system_state(iotop_t)
+
+auth_use_nsswitch(iotop_t)
+
+dev_read_urand(iotop_t)
+
+domain_getsched_all_domains(iotop_t)
+domain_read_all_domains_state(iotop_t)
+
+corecmd_exec_bin(iotop_t)
+
+miscfiles_read_localization(iotop_t)
+
+userdom_use_user_terminals(iotop_t)
diff --git a/ipa.fc b/ipa.fc
new file mode 100644
index 000000000..0fe7ec597
--- /dev/null
+++ b/ipa.fc
@@ -0,0 +1,25 @@
+/etc/httpd/alias/ipasession.key -- gen_context(system_u:object_r:ipa_cert_t,s0)
+
+/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
+
+/usr/lib/systemd/system/ipa-dnskeysyncd.* -- gen_context(system_u:object_r:ipa_dnskey_unit_file_t,s0)
+
+/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
+/usr/libexec/ipa/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
+
+
+/usr/libexec/ipa/ipa-dnskeysyncd -- gen_context(system_u:object_r:ipa_dnskey_exec_t,s0)
+/usr/libexec/ipa/ipa-dnskeysync-replica -- gen_context(system_u:object_r:ipa_dnskey_exec_t,s0)
+
+/usr/libexec/ipa/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+/usr/libexec/ipa/oddjob/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+/usr/libexec/ipa/oddjob/org\.freeipa\.server\.conncheck -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+
+/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0)
+
+/var/log/ipa(/.*)? gen_context(system_u:object_r:ipa_log_t,s0)
+
+/var/log/ipareplica-conncheck.log.* -- gen_context(system_u:object_r:ipa_log_t,s0)
+
+/var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0)
+
diff --git a/ipa.if b/ipa.if
new file mode 100644
index 000000000..c54d3d492
--- /dev/null
+++ b/ipa.if
@@ -0,0 +1,293 @@
+## Policy for IPA services.
+
+########################################
+##
+## Execute rtas_errd in the rtas_errd domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ipa_domtrans_otpd',`
+ gen_require(`
+ type ipa_otpd_t, ipa_otpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ipa_otpd_exec_t, ipa_otpd_t)
+')
+
+########################################
+##
+## Connect to ipa-otpd over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ipa_stream_connect_otpd',`
+ gen_require(`
+ type ipa_otpd_t;
+ ')
+ allow $1 ipa_otpd_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## Execute ipa-helper in the ipa_helper domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ipa_domtrans_helper',`
+ gen_require(`
+ type ipa_helper_t, ipa_helper_exec_t;
+ ')
+
+ domtrans_pattern($1, ipa_helper_exec_t, ipa_helper_t)
+')
+
+########################################
+##
+## Execute ipa-helper in the ipa_helper domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`ipa_run_helper',`
+ gen_require(`
+ type ipa_helper_t;
+ attribute_role ipa_helper_roles;
+ ')
+
+ ipa_domtrans_helper($1)
+ roleattribute $2 ipa_helper_roles;
+')
+
+########################################
+##
+## Allow domain to manage ipa lib files/dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ipa_search_lib',`
+ gen_require(`
+ type ipa_var_lib_t;
+ ')
+
+ search_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+')
+
+########################################
+##
+## Allow domain to manage ipa lib files/dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ipa_manage_lib',`
+ gen_require(`
+ type ipa_var_lib_t;
+ ')
+
+ manage_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+ manage_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+')
+
+########################################
+##
+## Allow domain to manage ipa log files/dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ipa_manage_log',`
+ gen_require(`
+ type ipa_log_t;
+ ')
+
+ manage_files_pattern($1, ipa_log_t, ipa_log_t)
+ manage_dirs_pattern($1, ipa_log_t, ipa_log_t)
+')
+
+########################################
+##
+## Allow domain to manage ipa lib files/dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ipa_read_lib',`
+ gen_require(`
+ type ipa_var_lib_t;
+ ')
+
+ read_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+ list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+')
+
+########################################
+##
+## Allow domain to manage ipa run files/dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ipa_manage_pid_files',`
+ gen_require(`
+ type ipa_var_run_t;
+ ')
+ manage_files_pattern($1, ipa_var_run_t, ipa_var_run_t)
+ manage_dirs_pattern($1, ipa_var_run_t, ipa_var_run_t)
+')
+
+########################################
+##
+## Create specified objects in generic
+## pid directories with the ipa pid file type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`ipa_filetrans_pid',`
+ gen_require(`
+ type ipa_var_run_t;
+ ')
+
+ files_pid_filetrans($1, ipa_var_run_t, file, $2)
+')
+
+########################################
+##
+## Allow domain to manage ipa tmp files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ipa_delete_tmp',`
+ gen_require(`
+ type ipa_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 ipa_tmp_t:file unlink;
+')
+
+########################################
+##
+## Create log files with a named file
+## type transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ipa_named_filetrans_log_dir',`
+ gen_require(`
+ type ipa_log_t;
+ ')
+
+ logging_log_named_filetrans($1, ipa_log_t, dir, "ipa")
+')
+
+#######################################
+##
+## Allow domain to create /tmp/ca.p12
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ipa_filetrans_named_content',`
+
+ gen_require(`
+ type ipa_tmp_t;
+ ')
+
+ files_tmp_filetrans($1, ipa_tmp_t, file, "ca.p12")
+')
+
+########################################
+##
+## Create file ipasession.key in cert_t dir
+## with ipa_cert_t type
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ipa_cert_filetrans_named_content',`
+ gen_require(`
+ type ipa_cert_t;
+ type cert_t;
+ ')
+
+ filetrans_pattern($1, cert_t, ipa_cert_t, file ,"ipasession.key")
+ manage_files_pattern($1, ipa_cert_t, ipa_cert_t)
+')
+
+########################################
+##
+## Allow domain to read ipa tmp files/dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ipa_read_tmp',`
+ gen_require(`
+ type ipa_tmp_t;
+ ')
+
+ read_files_pattern($1, ipa_tmp_t, ipa_tmp_t)
+')
diff --git a/ipa.te b/ipa.te
new file mode 100644
index 000000000..2e45bfd1f
--- /dev/null
+++ b/ipa.te
@@ -0,0 +1,222 @@
+policy_module(ipa, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute ipa_domain;
+
+attribute_role ipa_helper_roles;
+roleattribute system_r ipa_helper_roles;
+
+type ipa_otpd_t, ipa_domain;
+type ipa_otpd_exec_t;
+init_daemon_domain(ipa_otpd_t, ipa_otpd_exec_t)
+
+type ipa_dnskey_t, ipa_domain;
+type ipa_dnskey_exec_t;
+init_daemon_domain(ipa_dnskey_t, ipa_dnskey_exec_t)
+
+type ipa_otpd_unit_file_t;
+systemd_unit_file(ipa_otpd_unit_file_t)
+
+type ipa_dnskey_unit_file_t;
+systemd_unit_file(ipa_dnskey_unit_file_t)
+
+type ipa_log_t;
+logging_log_file(ipa_log_t)
+
+type ipa_var_lib_t;
+files_type(ipa_var_lib_t)
+
+type ipa_var_run_t;
+files_pid_file(ipa_var_run_t)
+
+type ipa_helper_t;
+type ipa_helper_exec_t;
+domain_type(ipa_helper_t)
+domain_obj_id_change_exemption(ipa_helper_t)
+init_system_domain(ipa_helper_t, ipa_helper_exec_t)
+role ipa_helper_roles types ipa_helper_t;
+
+type ipa_cert_t;
+miscfiles_cert_type(ipa_cert_t)
+
+type ipa_tmp_t;
+files_tmp_file(ipa_tmp_t)
+
+########################################
+#
+# ipa_otpd local policy
+#
+
+allow ipa_otpd_t self:capability2 block_suspend;
+
+allow ipa_otpd_t self:fifo_file rw_fifo_file_perms;
+allow ipa_otpd_t self:unix_stream_socket create_stream_socket_perms;
+
+read_files_pattern(ipa_otpd_t, ipa_cert_t, ipa_cert_t)
+read_lnk_files_pattern(ipa_otpd_t, ipa_cert_t, ipa_cert_t)
+
+manage_dirs_pattern(ipa_otpd_t, ipa_var_run_t, ipa_var_run_t)
+manage_files_pattern(ipa_otpd_t, ipa_var_run_t, ipa_var_run_t)
+files_pid_filetrans(ipa_otpd_t, ipa_var_run_t, file)
+
+corenet_tcp_connect_radius_port(ipa_otpd_t)
+
+dev_read_urand(ipa_otpd_t)
+dev_read_rand(ipa_otpd_t)
+
+sysnet_dns_name_resolve(ipa_otpd_t)
+
+optional_policy(`
+ dirsrv_stream_connect(ipa_otpd_t)
+')
+
+optional_policy(`
+ kerberos_use(ipa_otpd_t)
+')
+
+########################################
+#
+# ipa-helper local policy
+#
+
+
+allow ipa_helper_t self:capability { net_admin dac_read_search dac_override chown };
+
+#kernel bug
+dontaudit ipa_helper_t self:capability2 block_suspend;
+
+allow ipa_helper_t self:process setfscreate;
+allow ipa_helper_t self:fifo_file rw_fifo_file_perms;
+allow ipa_helper_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_files_pattern(ipa_helper_t, ipa_log_t, ipa_log_t)
+logging_log_filetrans(ipa_helper_t, ipa_log_t, file)
+
+manage_dirs_pattern(ipa_helper_t, ipa_var_run_t, ipa_var_run_t)
+manage_files_pattern(ipa_helper_t, ipa_var_run_t, ipa_var_run_t)
+files_pid_filetrans(ipa_helper_t, ipa_var_run_t, { dir file })
+
+kernel_read_system_state(ipa_helper_t)
+kernel_read_network_state(ipa_helper_t)
+
+corenet_tcp_connect_ldap_port(ipa_helper_t)
+corenet_tcp_connect_smbd_port(ipa_helper_t)
+corenet_tcp_connect_http_port(ipa_helper_t)
+corenet_tcp_connect_kerberos_password_port(ipa_helper_t)
+
+corecmd_exec_bin(ipa_helper_t)
+corecmd_exec_shell(ipa_helper_t)
+
+dev_read_urand(ipa_helper_t)
+
+auth_use_nsswitch(ipa_helper_t)
+
+files_list_tmp(ipa_helper_t)
+
+ipa_manage_pid_files(ipa_helper_t)
+ipa_read_lib(ipa_helper_t)
+
+logging_send_syslog_msg(ipa_helper_t)
+
+optional_policy(`
+ dirsrv_stream_connect(ipa_helper_t)
+')
+
+optional_policy(`
+ ldap_stream_connect(ipa_helper_t)
+')
+
+optional_policy(`
+ libs_exec_ldconfig(ipa_helper_t)
+')
+
+optional_policy(`
+ memcached_stream_connect(ipa_helper_t)
+')
+
+optional_policy(`
+ oddjob_system_entry(ipa_helper_t, ipa_helper_exec_t)
+')
+
+optional_policy(`
+ rpm_read_db(ipa_helper_t)
+')
+
+optional_policy(`
+ samba_read_config(ipa_helper_t)
+')
+
+optional_policy(`
+ sssd_manage_lib_files(ipa_helper_t)
+')
+
+########################################
+#
+# ipa-dnskey local policy
+#
+allow ipa_dnskey_t self:tcp_socket create_stream_socket_perms;
+allow ipa_dnskey_t self:udp_socket create_socket_perms;
+allow ipa_dnskey_t self:unix_dgram_socket create_socket_perms;
+allow ipa_dnskey_t self:netlink_route_socket { create_netlink_socket_perms nlmsg_read };
+
+read_files_pattern(ipa_dnskey_t, ipa_cert_t, ipa_cert_t)
+read_lnk_files_pattern(ipa_dnskey_t, ipa_cert_t, ipa_cert_t)
+
+manage_files_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t)
+setattr_dirs_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t)
+list_dirs_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t)
+
+manage_files_pattern(ipa_dnskey_t, ipa_tmp_t, ipa_tmp_t)
+files_tmp_filetrans(ipa_dnskey_t, ipa_tmp_t, { file })
+
+kernel_dgram_send(ipa_dnskey_t)
+kernel_read_system_state(ipa_dnskey_t)
+kernel_read_network_state(ipa_dnskey_t)
+
+auth_use_nsswitch(ipa_dnskey_t)
+
+corecmd_exec_bin(ipa_dnskey_t)
+corecmd_exec_shell(ipa_dnskey_t)
+
+corenet_tcp_bind_generic_node(ipa_dnskey_t)
+corenet_tcp_connect_kerberos_port(ipa_dnskey_t)
+corenet_tcp_connect_rndc_port(ipa_dnskey_t)
+
+dev_read_rand(ipa_dnskey_t)
+
+can_exec(ipa_dnskey_t,ipa_dnskey_exec_t)
+
+libs_exec_ldconfig(ipa_dnskey_t)
+
+logging_send_syslog_msg(ipa_dnskey_t)
+
+miscfiles_read_certs(ipa_dnskey_t)
+
+sysnet_read_config(ipa_dnskey_t)
+
+optional_policy(`
+ apache_search_config(ipa_dnskey_t)
+')
+
+optional_policy(`
+ bind_domtrans_ndc(ipa_dnskey_t)
+ bind_read_dnssec_keys(ipa_dnskey_t)
+ bind_manage_zone(ipa_dnskey_t)
+ bind_manage_zone_dirs(ipa_dnskey_t)
+ bind_search_cache(ipa_dnskey_t)
+')
+
+optional_policy(`
+ dirsrv_stream_connect(ipa_dnskey_t)
+')
+
+optional_policy(`
+ opendnssec_domtrans(ipa_dnskey_t)
+ opendnssec_manage_config(ipa_dnskey_t)
+ opendnssec_manage_var_files(ipa_dnskey_t)
+ opendnssec_filetrans_etc_content(ipa_dnskey_t)
+')
diff --git a/ipmievd.fc b/ipmievd.fc
new file mode 100644
index 000000000..0f598ca9f
--- /dev/null
+++ b/ipmievd.fc
@@ -0,0 +1,9 @@
+/usr/lib/systemd/system/ipmievd\.service -- gen_context(system_u:object_r:ipmievd_unit_file_t,s0)
+
+/usr/sbin/ipmievd -- gen_context(system_u:object_r:ipmievd_exec_t,s0)
+
+/usr/libexec/openipmi-helper -- gen_context(system_u:object_r:ipmievd_exec_t,s0)
+
+/var/run/ipmievd\.pid -- gen_context(system_u:object_r:ipmievd_var_run_t,s0)
+
+/var/lock/subsys/ipmi -- gen_context(system_u:object_r:ipmievd_lock_t,s0)
diff --git a/ipmievd.if b/ipmievd.if
new file mode 100644
index 000000000..e86db5418
--- /dev/null
+++ b/ipmievd.if
@@ -0,0 +1,120 @@
+## IPMI event daemon for sending events to syslog.
+
+########################################
+##
+## Execute ipmievd_exec_t in the ipmievd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ipmievd_domtrans',`
+ gen_require(`
+ type ipmievd_t, ipmievd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ipmievd_exec_t, ipmievd_t)
+')
+
+######################################
+##
+## Execute ipmievd in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ipmievd_exec',`
+ gen_require(`
+ type ipmievd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, ipmievd_exec_t)
+')
+
+########################################
+##
+## Read ipmievd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ipmievd_read_pid_files',`
+ gen_require(`
+ type ipmievd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, ipmievd_var_run_t, ipmievd_var_run_t)
+')
+
+########################################
+##
+## Execute ipmievd server in the ipmievd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ipmievd_systemctl',`
+ gen_require(`
+ type ipmievd_t;
+ type ipmievd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 ipmievd_unit_file_t:file read_file_perms;
+ allow $1 ipmievd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ipmievd_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an ipmievd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ipmievd_admin',`
+ gen_require(`
+ type ipmievd_t;
+ type ipmievd_var_run_t;
+ type ipmievd_unit_file_t;
+ ')
+
+ allow $1 ipmievd_t:process { signal_perms };
+ ps_process_pattern($1, ipmievd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ipmievd_t:process ptrace;
+ ')
+
+ files_search_pids($1)
+ admin_pattern($1, ipmievd_var_run_t)
+
+ ipmievd_systemctl($1)
+ admin_pattern($1, ipmievd_unit_file_t)
+ allow $1 ipmievd_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/ipmievd.te b/ipmievd.te
new file mode 100644
index 000000000..d36f842c6
--- /dev/null
+++ b/ipmievd.te
@@ -0,0 +1,54 @@
+policy_module(ipmievd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ipmievd_t;
+type ipmievd_exec_t;
+init_daemon_domain(ipmievd_t, ipmievd_exec_t)
+
+type ipmievd_var_run_t;
+files_pid_file(ipmievd_var_run_t)
+
+type ipmievd_lock_t;
+files_lock_file(ipmievd_lock_t)
+
+type ipmievd_unit_file_t;
+systemd_unit_file(ipmievd_unit_file_t)
+
+########################################
+#
+# ipmievd local policy
+#
+
+allow ipmievd_t self:process { fork setpgid };
+allow ipmievd_t self:fifo_file rw_fifo_file_perms;
+
+manage_files_pattern(ipmievd_t, ipmievd_var_run_t, ipmievd_var_run_t)
+files_pid_filetrans(ipmievd_t, ipmievd_var_run_t, { file })
+
+manage_files_pattern(ipmievd_t, ipmievd_lock_t, ipmievd_lock_t)
+files_lock_filetrans(ipmievd_t, ipmievd_lock_t, file)
+
+kernel_read_system_state(ipmievd_t)
+kernel_load_module(ipmievd_t)
+
+auth_use_nsswitch(ipmievd_t)
+
+corecmd_exec_bin(ipmievd_t)
+
+dev_manage_ipmi_dev(ipmievd_t)
+dev_filetrans_ipmi(ipmievd_t)
+dev_read_sysfs(ipmievd_t)
+
+files_read_kernel_modules(ipmievd_t)
+files_map_kernel_modules(ipmievd_t)
+
+logging_send_syslog_msg(ipmievd_t)
+
+miscfiles_read_certs(ipmievd_t)
+
+modutils_exec_insmod(ipmievd_t)
+modutils_read_module_config(ipmievd_t)
diff --git a/irc.fc b/irc.fc
index 48e7739f9..1bf0326cd 100644
--- a/irc.fc
+++ b/irc.fc
@@ -1,6 +1,6 @@
HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
-HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irc_log_home_t,s0)
+HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
/etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0)
diff --git a/irc.if b/irc.if
index ac00fb0fb..36ef2e59c 100644
--- a/irc.if
+++ b/irc.if
@@ -20,6 +20,7 @@ interface(`irc_role',`
attribute_role irc_roles;
type irc_t, irc_exec_t, irc_home_t;
type irc_tmp_t, irc_log_home_t;
+ type irssi_t, irssi_exec_t, irssi_home_t;
')
########################################
@@ -37,12 +38,42 @@ interface(`irc_role',`
domtrans_pattern($2, irc_exec_t, irc_t)
ps_process_pattern($2, irc_t)
- allow $2 irc_t:process { ptrace signal_perms };
-
- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:file { manage_file_perms relabel_file_perms };
- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- userdom_user_home_dir_filetrans($2, irc_home_t, dir, ".irssi")
- userdom_user_home_dir_filetrans($2, irc_home_t, file, ".ircmotd")
- userdom_user_home_dir_filetrans($2, irc_log_home_t, dir, "irclogs")
+ allow $2 irc_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 irc_t:process ptrace;
+ ')
+
+ domtrans_pattern($2, irssi_exec_t, irssi_t)
+
+ allow $2 irssi_t:process signal_perms;
+ ps_process_pattern($2, irssi_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 irssi_t:process ptrace;
+ ')
+
+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+
+ irc_filetrans_home_content($2)
+')
+
+#######################################
+##
+## Transition to alsa named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`irc_filetrans_home_content',`
+ gen_require(`
+ type irc_home_t;
+ type irssi_home_t;
+ ')
+ userdom_user_home_dir_filetrans($1, irc_home_t, file, ".ircmotd")
+ userdom_user_home_dir_filetrans($1, irc_home_t, dir, ".irssi")
+ userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs")
')
diff --git a/irc.te b/irc.te
index 263650367..5910c5931 100644
--- a/irc.te
+++ b/irc.te
@@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t
typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
userdom_user_home_content(irc_home_t)
-type irc_log_home_t;
-userdom_user_home_content(irc_log_home_t)
-
type irc_tmp_t;
typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
-userdom_user_tmp_file(irc_tmp_t)
+userdom_user_home_content(irc_tmp_t)
+
+########################################
+#
+# Irssi personal declarations.
+#
+
+##
+##
+## Allow the Irssi IRC Client to connect to any port,
+## and to bind to any unreserved port.
+##
+##
+gen_tunable(irssi_use_full_network, false)
+
+type irssi_t;
+type irssi_exec_t;
+application_domain(irssi_t, irssi_exec_t)
+ubac_constrained(irssi_t)
+role irc_roles types irssi_t;
+
+type irssi_etc_t;
+files_config_file(irssi_etc_t)
+
+type irssi_home_t alias irc_log_home_t;
+userdom_user_home_content(irssi_home_t)
########################################
#
@@ -53,13 +75,7 @@ allow irc_t irc_conf_t:file read_file_perms;
manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
manage_files_pattern(irc_t, irc_home_t, irc_home_t)
manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
-userdom_user_home_dir_filetrans(irc_t, irc_home_t, dir, ".irssi")
-userdom_user_home_dir_filetrans(irc_t, irc_home_t, file, ".ircmotd")
-
-manage_dirs_pattern(irc_t, irc_log_home_t, irc_log_home_t)
-create_files_pattern(irc_t, irc_log_home_t, irc_log_home_t)
-append_files_pattern(irc_t, irc_log_home_t, irc_log_home_t)
-userdom_user_home_dir_filetrans(irc_t, irc_log_home_t, dir, "irclogs")
+irc_filetrans_home_content(irc_t)
manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
@@ -70,7 +86,9 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
kernel_read_system_state(irc_t)
-corenet_all_recvfrom_unlabeled(irc_t)
+corecmd_exec_shell(irc_t)
+corecmd_exec_bin(irc_t)
+
corenet_all_recvfrom_netlabel(irc_t)
corenet_tcp_sendrecv_generic_if(irc_t)
corenet_tcp_sendrecv_generic_node(irc_t)
@@ -93,8 +111,6 @@ dev_read_rand(irc_t)
domain_use_interactive_fds(irc_t)
-files_read_usr_files(irc_t)
-
fs_getattr_all_fs(irc_t)
fs_search_auto_mountpoints(irc_t)
@@ -106,14 +122,16 @@ auth_use_nsswitch(irc_t)
init_read_utmp(irc_t)
init_dontaudit_lock_utmp(irc_t)
-miscfiles_read_generic_certs(irc_t)
-miscfiles_read_localization(irc_t)
-
-userdom_use_user_terminals(irc_t)
+userdom_use_inherited_user_terminals(irc_t)
userdom_manage_user_home_content_dirs(irc_t)
userdom_manage_user_home_content_files(irc_t)
-userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file })
+userdom_filetrans_home_content(irc_t)
+
+# Write to the user domain tty.
+userdom_use_inherited_user_terminals(irc_t)
+
+userdom_home_manager(irc_t)
tunable_policy(`irc_use_any_tcp_ports',`
allow irc_t self:tcp_socket { accept listen };
@@ -124,18 +142,69 @@ tunable_policy(`irc_use_any_tcp_ports',`
corenet_tcp_sendrecv_all_ports(irc_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(irc_t)
- fs_manage_nfs_files(irc_t)
- fs_manage_nfs_symlinks(irc_t)
+optional_policy(`
+ nis_use_ypbind(irc_t)
')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(irc_t)
- fs_manage_cifs_files(irc_t)
- fs_manage_cifs_symlinks(irc_t)
+########################################
+#
+# Irssi personal declarations.
+#
+
+allow irssi_t self:process { signal sigkill };
+allow irssi_t self:fifo_file rw_fifo_file_perms;
+allow irssi_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(irssi_t, irssi_etc_t, irssi_etc_t)
+
+manage_dirs_pattern(irssi_t, irssi_home_t, irssi_home_t)
+manage_files_pattern(irssi_t, irssi_home_t, irssi_home_t)
+manage_lnk_files_pattern(irssi_t, irssi_home_t, irssi_home_t)
+irc_filetrans_home_content(irssi_t)
+userdom_search_user_home_dirs(irssi_t)
+
+kernel_read_system_state(irssi_t)
+
+corecmd_exec_shell(irssi_t)
+corecmd_read_bin_symlinks(irssi_t)
+
+corenet_tcp_connect_ircd_port(irssi_t)
+corenet_tcp_sendrecv_ircd_port(irssi_t)
+corenet_sendrecv_ircd_client_packets(irssi_t)
+
+# tcp:7000 is often used for SSL irc
+corenet_tcp_connect_gatekeeper_port(irssi_t)
+corenet_tcp_sendrecv_gatekeeper_port(irssi_t)
+corenet_sendrecv_gatekeeper_client_packets(irssi_t)
+
+# Privoxy
+corenet_tcp_connect_http_cache_port(irssi_t)
+corenet_tcp_sendrecv_http_cache_port(irssi_t)
+corenet_sendrecv_http_cache_client_packets(irssi_t)
+
+corenet_tcp_bind_generic_node(irssi_t)
+
+dev_read_urand(irssi_t)
+# irssi-otr genkey.
+dev_read_rand(irssi_t)
+
+
+fs_search_auto_mountpoints(irssi_t)
+
+auth_use_nsswitch(irssi_t)
+
+
+userdom_use_inherited_user_terminals(irssi_t)
+
+tunable_policy(`irssi_use_full_network', `
+ corenet_tcp_bind_all_unreserved_ports(irssi_t)
+ corenet_tcp_connect_all_ports(irssi_t)
+ corenet_sendrecv_generic_server_packets(irssi_t)
+ corenet_sendrecv_all_client_packets(irssi_t)
')
+userdom_home_manager(irssi_t)
+
optional_policy(`
seutil_use_newrole_fds(irc_t)
')
diff --git a/ircd.if b/ircd.if
index ade980323..3620c9a67 100644
--- a/ircd.if
+++ b/ircd.if
@@ -33,8 +33,8 @@ interface(`ircd_admin',`
files_search_etc($1)
admin_pattern($1, ircd_etc_t)
-
- logging_search_log($1)
+
+ logging_search_logs($1)
admin_pattern($1, ircd_log_t)
files_search_var_lib($1)
diff --git a/ircd.te b/ircd.te
index efaf4b10a..bd1a132ac 100644
--- a/ircd.te
+++ b/ircd.te
@@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(ircd_t)
corecmd_exec_bin(ircd_t)
-corenet_all_recvfrom_unlabeled(ircd_t)
corenet_all_recvfrom_netlabel(ircd_t)
corenet_tcp_sendrecv_generic_if(ircd_t)
corenet_tcp_sendrecv_generic_node(ircd_t)
@@ -75,8 +74,6 @@ auth_use_nsswitch(ircd_t)
logging_send_syslog_msg(ircd_t)
-miscfiles_read_localization(ircd_t)
-
userdom_dontaudit_use_unpriv_user_fds(ircd_t)
userdom_dontaudit_search_user_home_dirs(ircd_t)
diff --git a/irqbalance.te b/irqbalance.te
index e1f302ddb..1e5418a2e 100644
--- a/irqbalance.te
+++ b/irqbalance.te
@@ -35,7 +35,6 @@ kernel_rw_irq_sysctls(irqbalance_t)
dev_read_sysfs(irqbalance_t)
-files_read_etc_files(irqbalance_t)
files_read_etc_runtime_files(irqbalance_t)
fs_getattr_all_fs(irqbalance_t)
@@ -45,8 +44,6 @@ domain_use_interactive_fds(irqbalance_t)
logging_send_syslog_msg(irqbalance_t)
-miscfiles_read_localization(irqbalance_t)
-
userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
userdom_dontaudit_search_user_home_dirs(irqbalance_t)
diff --git a/iscsi.fc b/iscsi.fc
index 08b756047..417e63004 100644
--- a/iscsi.fc
+++ b/iscsi.fc
@@ -1,19 +1,18 @@
-/etc/rc\.d/init\.d/((iscsi)|(iscsid)) -- gen_context(system_u:object_r:iscsi_initrc_exec_t,s0)
-
/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+/usr/sbin/iscsiadm -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
-/var/log/brcm-iscsi\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
/var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
/var/run/iscsiuio\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
+
+/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service -- gen_context(system_u:object_r:iscsi_unit_file_t,s0)
+/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket -- gen_context(system_u:object_r:iscsi_unit_file_t,s0)
diff --git a/iscsi.if b/iscsi.if
index 1a354203e..77004ecad 100644
--- a/iscsi.if
+++ b/iscsi.if
@@ -17,6 +17,53 @@ interface(`iscsid_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, iscsid_exec_t, iscsid_t)
+ allow $1 iscsid_exec_t:file map;
+')
+
+########################################
+##
+## Execute iscsid programs in the iscsid domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## The role to allow the iscsid domain.
+##
+##
+##
+#
+interface(`iscsid_run',`
+ gen_require(`
+ attribute_role iscsid_roles;
+ ')
+
+ iscsid_domtrans($1)
+ roleattribute $2 iscsid_roles;
+')
+
+########################################
+##
+## Create, read, write, and delete
+## iscsid lock files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`iscsi_manage_lock',`
+ gen_require(`
+ type iscsi_lock_t;
+ ')
+
+ files_search_locks($1)
+ manage_files_pattern($1, iscsi_lock_t, iscsi_lock_t)
+ manage_dirs_pattern($1, iscsi_lock_t, iscsi_lock_t)
')
########################################
@@ -80,17 +127,54 @@ interface(`iscsi_read_lib_files',`
########################################
##
-## All of the rules required to
-## administrate an iscsi environment.
+## Transition to iscsi named content
##
##
##
-## Domain allowed access.
+## Domain allowed access.
##
##
-##
+#
+interface(`iscsi_filetrans_named_content',`
+ gen_require(`
+ type iscsi_lock_t;
+ ')
+
+ files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi")
+')
+
+########################################
+##
+## Execute iscsi server in the iscsi domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`iscsi_systemctl',`
+ gen_require(`
+ type iscsid_t;
+ type iscsi_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 iscsi_unit_file_t:file read_file_perms;
+ allow $1 iscsi_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, iscsid_t)
+')
+
+########################################
+##
+## All of the rules required to
+## administrate an iscsi environment.
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
##
@@ -99,16 +183,16 @@ interface(`iscsi_admin',`
gen_require(`
type iscsid_t, iscsi_lock_t, iscsi_log_t;
type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t;
- type iscsi_initrc_exec_t;
+ type iscsi_unit_file_t;
')
allow $1 iscsid_t:process { ptrace signal_perms };
ps_process_pattern($1, iscsid_t)
- init_labeled_script_domtrans($1, iscsi_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 iscsi_initrc_exec_t system_r;
- allow $2 system_r;
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 iscsi_unit_file_t:file manage_file_perms;
+ allow $1 iscsi_unit_file_t:service manage_service_perms;
logging_search_logs($1)
admin_pattern($1, iscsi_log_t)
diff --git a/iscsi.te b/iscsi.te
index ca020faa9..5b3ff1668 100644
--- a/iscsi.te
+++ b/iscsi.te
@@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0)
# Declarations
#
+attribute_role iscsid_roles;
+
type iscsid_t;
type iscsid_exec_t;
init_daemon_domain(iscsid_t, iscsid_exec_t)
+role iscsid_roles types iscsid_t;
-type iscsi_initrc_exec_t;
-init_script_file(iscsi_initrc_exec_t)
+type iscsi_unit_file_t;
+systemd_unit_file(iscsi_unit_file_t)
type iscsi_lock_t;
files_lock_file(iscsi_lock_t)
@@ -32,17 +35,18 @@ files_pid_file(iscsi_var_run_t)
# Local policy
#
-allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
-dontaudit iscsid_t self:capability sys_ptrace;
+allow iscsid_t self:capability { dac_read_search dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource };
allow iscsid_t self:process { setrlimit setsched signal };
allow iscsid_t self:fifo_file rw_fifo_file_perms;
allow iscsid_t self:unix_stream_socket { accept connectto listen };
allow iscsid_t self:sem create_sem_perms;
allow iscsid_t self:shm create_shm_perms;
+allow iscsid_t self:netlink_iscsi_socket create_socket_perms;
allow iscsid_t self:netlink_socket create_socket_perms;
allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
allow iscsid_t self:netlink_route_socket nlmsg_write;
allow iscsid_t self:tcp_socket { listen accept };
+allow iscsid_t self:system module_load;
manage_dirs_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
@@ -54,21 +58,24 @@ logging_log_filetrans(iscsid_t, iscsi_log_t, file)
manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file })
+allow iscsid_t iscsi_tmp_t:file map;
-allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
-read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
-read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+manage_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+manage_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+manage_dirs_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+files_var_lib_filetrans(iscsid_t, iscsi_var_lib_t, dir)
manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
can_exec(iscsid_t, iscsid_exec_t)
+kernel_load_module(iscsid_t)
kernel_read_network_state(iscsid_t)
kernel_read_system_state(iscsid_t)
-kernel_setsched(iscsid_t)
+kernel_dontaudit_setsched(iscsid_t)
+kernel_request_load_module(iscsid_t)
-corenet_all_recvfrom_unlabeled(iscsid_t)
corenet_all_recvfrom_netlabel(iscsid_t)
corenet_tcp_sendrecv_generic_if(iscsid_t)
corenet_tcp_sendrecv_generic_node(iscsid_t)
@@ -85,22 +92,43 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
corenet_tcp_connect_isns_port(iscsid_t)
corenet_tcp_sendrecv_isns_port(iscsid_t)
-dev_read_raw_memory(iscsid_t)
+corenet_sendrecv_winshadow_client_packets(iscsid_t)
+corenet_tcp_connect_winshadow_port(iscsid_t)
+corenet_tcp_sendrecv_winshadow_port(iscsid_t)
+
+corecmd_exec_bin(iscsid_t)
+corecmd_exec_shell(iscsid_t)
+
+dev_read_urand(iscsid_t)
dev_rw_sysfs(iscsid_t)
+dev_map_sysfs(iscsid_t)
dev_rw_userio_dev(iscsid_t)
-dev_write_raw_memory(iscsid_t)
+dev_map_userio_dev(iscsid_t)
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
+files_read_kernel_modules(iscsid_t)
+files_map_kernel_modules(iscsid_t)
+
auth_use_nsswitch(iscsid_t)
init_stream_connect_script(iscsid_t)
logging_send_syslog_msg(iscsid_t)
-miscfiles_read_localization(iscsid_t)
+modutils_read_module_config(iscsid_t)
+
+mount_read_pid_files(iscsid_t)
+
+optional_policy(`
+ iscsi_systemctl(iscsid_t)
+')
optional_policy(`
tgtd_manage_semaphores(iscsid_t)
')
+
+optional_policy(`
+ kdump_rw_inherited_kdumpctl_tmp_pipes(iscsid_t)
+')
diff --git a/isns.te b/isns.te
index bc1103493..5a8ae798f 100644
--- a/isns.te
+++ b/isns.te
@@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t)
allow isnsd_t self:capability kill;
allow isnsd_t self:process signal;
allow isnsd_t self:fifo_file rw_fifo_file_perms;
+allow isnsd_t self:tcp_socket { listen accept };
allow isnsd_t self:udp_socket { accept listen };
allow isnsd_t self:unix_stream_socket { accept listen };
@@ -37,6 +38,9 @@ manage_sock_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
manage_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
files_pid_filetrans(isnsd_t, isnsd_var_run_t, { file sock_file })
+kernel_read_system_state(isnsd_t)
+kernel_read_network_state(isnsd_t)
+
corenet_all_recvfrom_unlabeled(isnsd_t)
corenet_all_recvfrom_netlabel(isnsd_t)
corenet_tcp_sendrecv_generic_if(isnsd_t)
@@ -46,10 +50,6 @@ corenet_tcp_bind_generic_node(isnsd_t)
corenet_sendrecv_isns_server_packets(isnsd_t)
corenet_tcp_bind_isns_port(isnsd_t)
-files_read_etc_files(isnsd_t)
+auth_use_nsswitch(isnsd_t)
logging_send_syslog_msg(isnsd_t)
-
-miscfiles_read_localization(isnsd_t)
-
-sysnet_dns_name_resolve(isnsd_t)
diff --git a/jabber.fc b/jabber.fc
index 59ad3b3c4..bd02cc87d 100644
--- a/jabber.fc
+++ b/jabber.fc
@@ -1,25 +1,18 @@
-/etc/rc\.d/init\.d/((jabber)|(ejabberd)|(jabberd)) -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/jabberd -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
-/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
-/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
-/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/sbin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
-/var/lock/ejabberdctl(/.*) gen_context(system_u:object_r:jabberd_lock_t,s0)
+# pyicq-t
-/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
-/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0)
-/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
-/var/lib/ejabberd/spool(/.*)? gen_context(system_u:object_r:jabberd_spool_t,s0)
-/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
-/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
-/var/lib/jabberd/log(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
-/var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0)
+/var/log/pyicq-t\.log.* gen_context(system_u:object_r:pyicqt_log_t,s0)
-/var/run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
-/var/run/jabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
+/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)
+
+/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_spool_t,s0)
diff --git a/jabber.if b/jabber.if
index 7eb381121..8075ba5f0 100644
--- a/jabber.if
+++ b/jabber.if
@@ -1,29 +1,76 @@
-## Jabber instant messaging servers.
+## Jabber instant messaging server
+
+#####################################
+##
+## Creates types and rules for a basic
+## jabber init daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`jabber_domain_template',`
+ gen_require(`
+ attribute jabberd_domain;
+ ')
+
+ ##############################
+ #
+ # $1_t declarations
+ #
+
+ type $1_t, jabberd_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+ kernel_read_system_state($1_t)
+
+ corenet_all_recvfrom_netlabel($1_t)
+
+ logging_send_syslog_msg($1_t)
+')
#######################################
##
-## The template to define a jabber domain.
+## Execute a domain transition to run jabberd services
##
-##
+##
##
-## Domain prefix to be used.
+## Domain allowed to transition.
##
##
#
-template(`jabber_domain_template',`
+interface(`jabber_domtrans_jabberd',`
gen_require(`
- attribute jabberd_domain;
+ type jabberd_t, jabberd_exec_t;
')
- type $1_t, jabberd_domain;
- type $1_exec_t;
- init_daemon_domain($1_t, $1_exec_t)
+ domtrans_pattern($1, jabberd_exec_t, jabberd_t)
')
-########################################
+######################################
##
-## Create, read, write, and delete
-## jabber lib files.
+## Execute a domain transition to run jabberd router service
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`jabber_domtrans_jabberd_router',`
+ gen_require(`
+ type jabberd_router_t, jabberd_router_exec_t;
+ ')
+
+ domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t)
+')
+
+#######################################
+##
+## Read jabberd lib files.
##
##
##
@@ -31,18 +78,37 @@ template(`jabber_domain_template',`
##
##
#
-interface(`jabber_manage_lib_files',`
+interface(`jabberd_read_lib_files',`
gen_require(`
type jabberd_var_lib_t;
')
files_search_var_lib($1)
- manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
+ read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
')
-########################################
+#######################################
+##
+## Dontaudit inherited read jabberd lib files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`jabberd_dontaudit_read_lib_files',`
+ gen_require(`
+ type jabberd_var_lib_t;
+ ')
+
+ dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms;
+')
+
+#######################################
##
-## Connect to jabber over a TCP socket (Deprecated)
+## Create, read, write, and delete
+## jabberd lib files.
##
##
##
@@ -50,14 +116,19 @@ interface(`jabber_manage_lib_files',`
##
##
#
-interface(`jabber_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+interface(`jabberd_manage_lib_files',`
+ gen_require(`
+ type jabberd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
')
########################################
##
-## All of the rules required to
-## administrate an jabber environment.
+## All of the rules required to administrate
+## an jabber environment
##
##
##
@@ -66,20 +137,28 @@ interface(`jabber_tcp_connect',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the jabber domain.
##
##
##
#
interface(`jabber_admin',`
gen_require(`
- attribute jabberd_domain;
- type jabberd_lock_t, jabberd_log_t, jabberd_spool_t;
- type jabberd_var_lib_t, jabberd_var_run_t, jabberd_initrc_exec_t;
+ type jabberd_t, jabberd_var_lib_t;
+ type jabberd_initrc_exec_t, jabberd_router_t;
+ type jabberd_lock_t;
+ type jabberd_var_spool_t;
')
- allow $1 jabberd_domain:process { ptrace signal_perms };
- ps_process_pattern($1, jabberd_domain)
+ allow $1 jabberd_t:process signal_perms;
+ ps_process_pattern($1, jabberd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 jabberd_t:process ptrace;
+ allow $1 jabberd_router_t:process ptrace;
+ ')
+
+ allow $1 jabberd_router_t:process signal_perms;
+ ps_process_pattern($1, jabberd_router_t)
init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -89,15 +168,9 @@ interface(`jabber_admin',`
files_search_locks($1)
admin_pattern($1, jabberd_lock_t)
- logging_search_logs($1)
- admin_pattern($1, jabberd_log_t)
-
files_search_spool($1)
- admin_pattern($1, jabberd_spool_t)
+ admin_pattern($1, jabberd_var_spool_t)
files_search_var_lib($1)
admin_pattern($1, jabberd_var_lib_t)
-
- files_search_pids($1)
- admin_pattern($1, jabberd_var_run_t)
')
diff --git a/jabber.te b/jabber.te
index af67c36ee..4755e0af8 100644
--- a/jabber.te
+++ b/jabber.te
@@ -9,129 +9,137 @@ attribute jabberd_domain;
jabber_domain_template(jabberd)
jabber_domain_template(jabberd_router)
+jabber_domain_template(pyicqt)
type jabberd_initrc_exec_t;
init_script_file(jabberd_initrc_exec_t)
-type jabberd_lock_t;
-files_lock_file(jabberd_lock_t)
-
-type jabberd_log_t;
-logging_log_file(jabberd_log_t)
-
-type jabberd_spool_t;
-files_type(jabberd_spool_t)
-
+# type which includes log/pid files pro jabberd components
type jabberd_var_lib_t;
files_type(jabberd_var_lib_t)
-type jabberd_var_run_t;
-files_pid_file(jabberd_var_run_t)
+# pyicq-t types
+type pyicqt_log_t;
+logging_log_file(pyicqt_log_t);
-########################################
-#
-# Common local policy
-#
+type pyicqt_var_spool_t;
+files_spool_file(pyicqt_var_spool_t)
-allow jabberd_domain self:process signal_perms;
-allow jabberd_domain self:fifo_file rw_fifo_file_perms;
-allow jabberd_domain self:tcp_socket { accept listen };
+type pyicqt_var_run_t;
+files_pid_file(pyicqt_var_run_t)
-manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
+######################################
+#
+# Local policy for jabberd-router and c2s components
+#
-kernel_read_system_state(jabberd_domain)
+allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
-corenet_all_recvfrom_unlabeled(jabberd_domain)
-corenet_all_recvfrom_netlabel(jabberd_domain)
-corenet_tcp_sendrecv_generic_if(jabberd_domain)
-corenet_tcp_sendrecv_generic_node(jabberd_domain)
-corenet_tcp_bind_generic_node(jabberd_domain)
+manage_files_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
+manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
-dev_read_urand(jabberd_domain)
-dev_read_sysfs(jabberd_domain)
+kernel_read_network_state(jabberd_router_t)
-fs_getattr_all_fs(jabberd_domain)
+corenet_tcp_bind_jabber_client_port(jabberd_router_t)
+corenet_tcp_bind_jabber_router_port(jabberd_router_t)
+corenet_tcp_connect_jabber_router_port(jabberd_router_t)
+corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
+corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
+corenet_tcp_connect_postgresql_port(jabberd_router_t)
-logging_send_syslog_msg(jabberd_domain)
+fs_getattr_all_fs(jabberd_router_t)
-miscfiles_read_localization(jabberd_domain)
+miscfiles_read_generic_certs(jabberd_router_t)
optional_policy(`
- nis_use_ypbind(jabberd_domain)
+ kerberos_use(jabberd_router_t)
')
optional_policy(`
- seutil_sigchld_newrole(jabberd_domain)
+ nis_use_ypbind(jabberd_router_t)
')
-########################################
+#####################################
#
-# Local policy
+# Local policy for other jabberd components
#
-allow jabberd_t self:capability dac_override;
-dontaudit jabberd_t self:capability sys_tty_config;
-allow jabberd_t self:tcp_socket create_socket_perms;
-allow jabberd_t self:udp_socket create_socket_perms;
+allow jabberd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+
+manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
+manage_dirs_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
+
+corenet_tcp_bind_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_router_port(jabberd_t)
+corenet_tcp_connect_postgresql_port(jabberd_t)
-manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t)
+userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
+userdom_dontaudit_search_user_home_dirs(jabberd_t)
-allow jabberd_t jabberd_log_t:dir setattr_dir_perms;
-append_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-create_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-setattr_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
+miscfiles_read_certs(jabberd_t)
-manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
+optional_policy(`
+ seutil_sigchld_newrole(jabberd_t)
+')
-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
+optional_policy(`
+ udev_read_db(jabberd_t)
+')
-kernel_read_kernel_sysctls(jabberd_t)
+######################################
+#
+# Local policy for pyicq-t
+#
-corenet_sendrecv_jabber_client_server_packets(jabberd_t)
-corenet_tcp_bind_jabber_client_port(jabberd_t)
-corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
+# need for /var/log/pyicq-t.log
+manage_files_pattern(pyicqt_t, pyicqt_log_t, pyicqt_log_t)
+logging_log_filetrans(pyicqt_t, pyicqt_log_t, file)
-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
-corenet_tcp_bind_jabber_interserver_port(jabberd_t)
-corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
+manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t);
-dev_read_rand(jabberd_t)
+files_search_spool(pyicqt_t)
+manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t);
-domain_use_interactive_fds(jabberd_t)
+corenet_tcp_bind_jabber_router_port(pyicqt_t)
+corenet_tcp_connect_jabber_router_port(pyicqt_t)
-files_read_etc_files(jabberd_t)
-files_read_etc_runtime_files(jabberd_t)
+corecmd_exec_bin(pyicqt_t)
-fs_search_auto_mountpoints(jabberd_t)
+dev_read_urand(pyicqt_t)
-sysnet_read_config(jabberd_t)
+auth_use_nsswitch(pyicqt_t)
-userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
-userdom_dontaudit_search_user_home_dirs(jabberd_t)
+# needed for pyicq-t-mysql
+optional_policy(`
+ corenet_tcp_connect_mysqld_port(pyicqt_t)
+')
optional_policy(`
- udev_read_db(jabberd_t)
+ sysnet_use_ldap(pyicqt_t)
')
-########################################
+#######################################
#
-# Router local policy
+# Local policy for jabberd domains
#
-manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
+allow jabberd_domain self:process signal_perms;
+allow jabberd_domain self:fifo_file rw_fifo_file_perms;
+allow jabberd_domain self:tcp_socket create_stream_socket_perms;
+allow jabberd_domain self:udp_socket create_socket_perms;
-kernel_read_network_state(jabberd_router_t)
+corenet_tcp_sendrecv_generic_if(jabberd_domain)
+corenet_udp_sendrecv_generic_if(jabberd_domain)
+corenet_tcp_sendrecv_generic_node(jabberd_domain)
+corenet_udp_sendrecv_generic_node(jabberd_domain)
+corenet_tcp_sendrecv_all_ports(jabberd_domain)
+corenet_udp_sendrecv_all_ports(jabberd_domain)
+corenet_tcp_bind_generic_node(jabberd_domain)
-corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
-corenet_tcp_bind_jabber_client_port(jabberd_router_t)
-corenet_tcp_sendrecv_jabber_client_port(jabberd_router_t)
+dev_read_sysfs(jabberd_domain)
+dev_read_urand(jabberd_domain)
-# corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
-# corenet_tcp_bind_jabber_router_port(jabberd_router_t)
-# corenet_sendrecv_jabber_router_client_packets(jabberd_router_t)
-# corenet_tcp_connect_jabber_router_port(jabberd_router_t)
-# corenet_tcp_sendrecv_jabber_router_port(jabberd_router_t)
+files_read_etc_runtime_files(jabberd_domain)
-auth_use_nsswitch(jabberd_router_t)
+sysnet_read_config(jabberd_domain)
diff --git a/java.te b/java.te
index a7ae1531b..6341e3119 100644
--- a/java.te
+++ b/java.te
@@ -11,7 +11,7 @@ policy_module(java, 2.7.0)
## its stack executable.
##
##
-gen_tunable(allow_java_execstack, false)
+gen_tunable(java_execstack, false)
attribute java_domain;
@@ -90,7 +90,6 @@ dev_read_urand(java_domain)
dev_read_rand(java_domain)
dev_dontaudit_append_rand(java_domain)
-files_read_usr_files(java_domain)
files_read_etc_runtime_files(java_domain)
fs_getattr_all_fs(java_domain)
@@ -108,11 +107,11 @@ userdom_manage_user_home_content_files(java_domain)
userdom_manage_user_home_content_symlinks(java_domain)
userdom_manage_user_home_content_pipes(java_domain)
userdom_manage_user_home_content_sockets(java_domain)
-userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file })
+userdom_filetrans_home_content(java_domain_t)
userdom_write_user_tmp_sockets(java_domain)
-tunable_policy(`allow_java_execstack',`
+tunable_policy(`java_execstack',`
allow java_domain self:process { execmem execstack };
libs_legacy_use_shared_libs(java_domain)
diff --git a/jetty.fc b/jetty.fc
new file mode 100644
index 000000000..1725b7e69
--- /dev/null
+++ b/jetty.fc
@@ -0,0 +1,9 @@
+
+/var/cache/jetty(/.*)? gen_context(system_u:object_r:jetty_cache_t,s0)
+
+/var/lib/jetty(/.*)? gen_context(system_u:object_r:jetty_var_lib_t,s0)
+
+/var/log/jetty(/.*)? gen_context(system_u:object_r:jetty_log_t,s0)
+
+/var/run/jetty(/.*)? gen_context(system_u:object_r:jetty_var_run_t,s0)
+
diff --git a/jetty.if b/jetty.if
new file mode 100644
index 000000000..2abc285a7
--- /dev/null
+++ b/jetty.if
@@ -0,0 +1,268 @@
+
+## policy for jetty
+
+########################################
+##
+## Search jetty cache directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jetty_search_cache',`
+ gen_require(`
+ type jetty_cache_t;
+ ')
+
+ allow $1 jetty_cache_t:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+##
+## Read jetty cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jetty_read_cache_files',`
+ gen_require(`
+ type jetty_cache_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, jetty_cache_t, jetty_cache_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## jetty cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jetty_manage_cache_files',`
+ gen_require(`
+ type jetty_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, jetty_cache_t, jetty_cache_t)
+')
+
+########################################
+##
+## Manage jetty cache dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jetty_manage_cache_dirs',`
+ gen_require(`
+ type jetty_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, jetty_cache_t, jetty_cache_t)
+')
+
+########################################
+##
+## Read jetty's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`jetty_read_log',`
+ gen_require(`
+ type jetty_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, jetty_log_t, jetty_log_t)
+')
+
+########################################
+##
+## Append to jetty log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jetty_append_log',`
+ gen_require(`
+ type jetty_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, jetty_log_t, jetty_log_t)
+')
+
+########################################
+##
+## Manage jetty log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jetty_manage_log',`
+ gen_require(`
+ type jetty_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, jetty_log_t, jetty_log_t)
+ manage_files_pattern($1, jetty_log_t, jetty_log_t)
+ manage_lnk_files_pattern($1, jetty_log_t, jetty_log_t)
+')
+
+########################################
+##
+## Search jetty lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jetty_search_lib',`
+ gen_require(`
+ type jetty_var_lib_t;
+ ')
+
+ allow $1 jetty_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read jetty lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jetty_read_lib_files',`
+ gen_require(`
+ type jetty_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
+')
+
+########################################
+##
+## Manage jetty lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jetty_manage_lib_files',`
+ gen_require(`
+ type jetty_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
+')
+
+########################################
+##
+## Manage jetty lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jetty_manage_lib_dirs',`
+ gen_require(`
+ type jetty_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
+')
+
+########################################
+##
+## Read jetty PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jetty_read_pid_files',`
+ gen_require(`
+ type jetty_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 jetty_var_run_t:file read_file_perms;
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an jetty environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`jetty_admin',`
+ gen_require(`
+ type jetty_cache_t;
+ type jetty_log_t;
+ type jetty_var_lib_t;
+ type jetty_var_run_t;
+ ')
+
+ files_search_var($1)
+ admin_pattern($1, jetty_cache_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, jetty_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, jetty_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, jetty_var_run_t)
+')
diff --git a/jetty.te b/jetty.te
new file mode 100644
index 000000000..af510eac6
--- /dev/null
+++ b/jetty.te
@@ -0,0 +1,25 @@
+policy_module(jetty, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type jetty_cache_t;
+files_type(jetty_cache_t)
+
+type jetty_log_t;
+logging_log_file(jetty_log_t)
+
+type jetty_var_lib_t;
+files_type(jetty_var_lib_t)
+
+type jetty_var_run_t;
+files_pid_file(jetty_var_run_t)
+
+########################################
+#
+# jetty local policy
+#
+
+# No local policy. This module just contains type definitions
diff --git a/jockey.if b/jockey.if
index 2fb7a20fa..c6ba00798 100644
--- a/jockey.if
+++ b/jockey.if
@@ -1 +1,131 @@
-## Jockey driver manager.
+
+## policy for jockey
+
+########################################
+##
+## Transition to jockey.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`jockey_domtrans',`
+ gen_require(`
+ type jockey_t, jockey_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, jockey_exec_t, jockey_t)
+')
+
+########################################
+##
+## Search jockey cache directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jockey_search_cache',`
+ gen_require(`
+ type jockey_cache_t;
+ ')
+
+ allow $1 jockey_cache_t:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+##
+## Read jockey cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jockey_read_cache_files',`
+ gen_require(`
+ type jockey_cache_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, jockey_cache_t, jockey_cache_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## jockey cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jockey_manage_cache_files',`
+ gen_require(`
+ type jockey_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, jockey_cache_t, jockey_cache_t)
+')
+
+########################################
+##
+## Manage jockey cache dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jockey_manage_cache_dirs',`
+ gen_require(`
+ type jockey_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, jockey_cache_t, jockey_cache_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an jockey environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jockey_admin',`
+ gen_require(`
+ type jockey_t;
+ type jockey_cache_t;
+ type jockey_var_log_t;
+ ')
+
+ allow $1 jockey_t:process { ptrace signal_perms };
+ ps_process_pattern($1, jockey_t)
+
+ files_search_var($1)
+ admin_pattern($1, jockey_cache_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, jockey_var_log_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/jockey.te b/jockey.te
index d59ec10a2..a46018d04 100644
--- a/jockey.te
+++ b/jockey.te
@@ -15,6 +15,9 @@ files_type(jockey_cache_t)
type jockey_var_log_t;
logging_log_file(jockey_var_log_t)
+type jockey_tmpfs_t;
+files_tmpfs_file(jockey_tmpfs_t)
+
########################################
#
# Local policy
@@ -33,6 +36,10 @@ create_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
setattr_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir })
+manage_dirs_pattern(jockey_t, jockey_tmpfs_t, jockey_tmpfs_t)
+manage_files_pattern(jockey_t, jockey_tmpfs_t, jockey_tmpfs_t)
+fs_tmpfs_filetrans(jockey_t, jockey_tmpfs_t, { dir file })
+
kernel_read_system_state(jockey_t)
corecmd_exec_bin(jockey_t)
@@ -44,16 +51,19 @@ dev_read_urand(jockey_t)
domain_use_interactive_fds(jockey_t)
-files_read_etc_files(jockey_t)
-files_read_usr_files(jockey_t)
-miscfiles_read_localization(jockey_t)
+auth_read_passwd(jockey_t)
optional_policy(`
dbus_system_domain(jockey_t, jockey_exec_t)
')
+optional_policy(`
+ gnome_dontaudit_search_config(jockey_t)
+')
+
optional_policy(`
modutils_domtrans_insmod(jockey_t)
modutils_read_module_config(jockey_t)
+ modutils_list_module_config(jockey_t)
')
diff --git a/journalctl.fc b/journalctl.fc
new file mode 100644
index 000000000..f27065286
--- /dev/null
+++ b/journalctl.fc
@@ -0,0 +1 @@
+/usr/bin/journalctl -- gen_context(system_u:object_r:journalctl_exec_t,s0)
diff --git a/journalctl.if b/journalctl.if
new file mode 100644
index 000000000..17126b64c
--- /dev/null
+++ b/journalctl.if
@@ -0,0 +1,95 @@
+
+## policy for journalctl
+
+########################################
+##
+## Execute TEMPLATE in the journalctl domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`journalctl_domtrans',`
+ gen_require(`
+ type journalctl_t, journalctl_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, journalctl_exec_t, journalctl_t)
+')
+
+######################################
+##
+## Execute journalctl in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`journalctl_exec',`
+ gen_require(`
+ type journalctl_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, journalctl_exec_t)
+')
+
+########################################
+##
+## Execute journalctl in the journalctl domain, and
+## allow the specified role the journalctl domain.
+##
+##
+##
+## Domain allowed to transition
+##
+##
+##
+##
+## The role to be allowed the journalctl domain.
+##
+##
+#
+interface(`journalctl_run',`
+ gen_require(`
+ type journalctl_t;
+ attribute_role journalctl_roles;
+ ')
+
+ journalctl_domtrans($1)
+ roleattribute $2 journalctl_roles;
+')
+
+########################################
+##
+## Role access for journalctl
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`journalctl_role',`
+ gen_require(`
+ type journalctl_t;
+ attribute_role journalctl_roles;
+ ')
+
+ roleattribute $1 journalctl_roles;
+
+ journalctl_domtrans($2)
+
+ ps_process_pattern($2, journalctl_t)
+ allow $2 journalctl_t:process { signull signal sigkill };
+')
diff --git a/journalctl.te b/journalctl.te
new file mode 100644
index 000000000..68dd2b7d6
--- /dev/null
+++ b/journalctl.te
@@ -0,0 +1,47 @@
+policy_module(journalctl, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role journalctl_roles;
+roleattribute system_r journalctl_roles;
+
+type journalctl_t;
+type journalctl_exec_t;
+application_domain(journalctl_t, journalctl_exec_t)
+
+role journalctl_roles types journalctl_t;
+
+########################################
+#
+# journalctl local policy
+#
+allow journalctl_t self:process { fork signal_perms };
+
+allow journalctl_t self:fifo_file manage_fifo_file_perms;
+allow journalctl_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(journalctl_t)
+
+corecmd_exec_bin(journalctl_t)
+
+domain_use_interactive_fds(journalctl_t)
+
+files_read_etc_files(journalctl_t)
+
+fs_getattr_all_fs(journalctl_t)
+
+auth_use_nsswitch(journalctl_t)
+
+miscfiles_read_localization(journalctl_t)
+
+logging_read_generic_logs(journalctl_t)
+logging_read_syslog_pid(journalctl_t)
+
+userdom_list_user_home_dirs(journalctl_t)
+userdom_read_user_home_content_files(journalctl_t)
+userdom_use_inherited_user_ptys(journalctl_t)
+userdom_rw_inherited_user_tmp_files(journalctl_t)
+userdom_rw_inherited_user_home_content_files(journalctl_t)
diff --git a/kde.fc b/kde.fc
new file mode 100644
index 000000000..25e4b6817
--- /dev/null
+++ b/kde.fc
@@ -0,0 +1 @@
+#/usr/libexec/kde(3|4)/backlighthelper -- gen_context(system_u:object_r:kdebacklighthelper_exec_t,s0)
diff --git a/kde.if b/kde.if
new file mode 100644
index 000000000..cf6557769
--- /dev/null
+++ b/kde.if
@@ -0,0 +1,22 @@
+## Policy for KDE components
+
+#######################################
+##
+## Send and receive messages from
+## firewallgui over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kde_dbus_chat_backlighthelper',`
+ gen_require(`
+ type kdebacklighthelper_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 kdebacklighthelper_t:dbus send_msg;
+ allow kdebacklighthelper_t $1:dbus send_msg;
+')
diff --git a/kde.te b/kde.te
new file mode 100644
index 000000000..dbe3f038d
--- /dev/null
+++ b/kde.te
@@ -0,0 +1,41 @@
+policy_module(kde,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type kdebacklighthelper_t;
+type kdebacklighthelper_exec_t;
+init_daemon_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
+
+########################################
+#
+# backlighthelper local policy
+#
+
+allow kdebacklighthelper_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(kdebacklighthelper_t)
+
+# r/w brightness values
+dev_rw_sysfs(kdebacklighthelper_t)
+
+files_read_etc_runtime_files(kdebacklighthelper_t)
+
+fs_getattr_all_fs(kdebacklighthelper_t)
+
+logging_send_syslog_msg(kdebacklighthelper_t)
+
+optional_policy(`
+ dbus_system_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
+')
+
+optional_policy(`
+ consolekit_dbus_chat(kdebacklighthelper_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(kdebacklighthelper_t)
+')
+
diff --git a/kdump.fc b/kdump.fc
index a49ae4e91..0c0e987a8 100644
--- a/kdump.fc
+++ b/kdump.fc
@@ -1,13 +1,16 @@
/etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0)
+/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
+/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
+/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
-/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
-/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
+/usr/lib/systemd/system/kdump\.service -- gen_context(system_u:object_r:kdump_unit_file_t,s0)
-/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
-/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
+/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
+/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
+/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
-/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
-/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
+/var/crash(/.*)? gen_context(system_u:object_r:kdump_crash_t,s0)
+
+/var/lock/kdump(/.*)? gen_context(system_u:object_r:kdump_lock_t,s0)
diff --git a/kdump.if b/kdump.if
index 3a00b3a13..04dd6e97a 100644
--- a/kdump.if
+++ b/kdump.if
@@ -1,4 +1,4 @@
-## Kernel crash dumping mechanism.
+## Kernel crash dumping mechanism
######################################
##
@@ -19,6 +19,26 @@ interface(`kdump_domtrans',`
domtrans_pattern($1, kdump_exec_t, kdump_t)
')
+######################################
+##
+## Execute kdumpctl in the kdumpctl domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`kdumpctl_domtrans',`
+ gen_require(`
+ type kdumpctl_t, kdumpctl_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, kdumpctl_exec_t, kdumpctl_t)
+')
+
+
#######################################
##
## Execute kdump in the kdump domain.
@@ -37,9 +57,34 @@ interface(`kdump_initrc_domtrans',`
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
')
+########################################
+##
+## Execute kdump server in the kdump domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`kdump_systemctl',`
+ gen_require(`
+ type kdump_unit_file_t;
+ type kdump_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_search_unit_dirs($1)
+ allow $1 kdump_unit_file_t:file read_file_perms;
+ allow $1 kdump_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, kdump_t)
+')
+
#####################################
##
-## Read kdump configuration files.
+## Read kdump configuration file.
##
##
##
@@ -56,10 +101,67 @@ interface(`kdump_read_config',`
allow $1 kdump_etc_t:file read_file_perms;
')
+#####################################
+##
+## Read kdump crash files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kdump_read_crash',`
+ gen_require(`
+ type kdump_crash_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, kdump_crash_t, kdump_crash_t)
+ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
+')
+
+#####################################
+##
+## Read kdump crash files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kdump_manage_crash',`
+ gen_require(`
+ type kdump_crash_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, kdump_crash_t, kdump_crash_t)
+ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
+')
+
+#####################################
+##
+## Dontaudit read kdump configuration file.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`kdump_dontaudit_read_config',`
+ gen_require(`
+ type kdump_etc_t;
+ ')
+
+ dontaudit $1 kdump_etc_t:file read_inherited_file_perms;
+')
+
####################################
##
-## Create, read, write, and delete
-## kdmup configuration files.
+## Manage kdump configuration file.
##
##
##
@@ -76,10 +178,89 @@ interface(`kdump_manage_config',`
allow $1 kdump_etc_t:file manage_file_perms;
')
+#####################################
+##
+## Read and write kdump lock files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kdump_rw_lock',`
+ gen_require(`
+ type kdump_lock_t;
+ ')
+
+ files_search_locks($1)
+ rw_files_pattern($1, kdump_lock_t, kdump_lock_t)
+')
+
+###################################
+##
+## Read/write inherited kdump /var/tmp named pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kdump_rw_inherited_kdumpctl_tmp_pipes',`
+ gen_require(`
+ type kdumpctl_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 kdumpctl_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+###################################
+##
+## Manage kdump /var/tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kdump_manage_kdumpctl_tmp_files',`
+ gen_require(`
+ type kdumpctl_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
+ manage_dirs_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
+ manage_fifo_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
+ manage_lnk_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
+ allow $1 kdumpctl_tmp_t:file map;
+')
+
+#######################################
+##
+## Transition content labels to kdump named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kdump_filetrans_named_content',`
+ gen_require(`
+ type kdump_lock_t;
+ ')
+
+ files_lock_filetrans($1, kdump_lock_t, file, "kdump")
+')
+
######################################
##
-## All of the rules required to
-## administrate an kdump environment.
+## All of the rules required to administrate
+## an kdump environment
##
##
##
@@ -88,19 +269,24 @@ interface(`kdump_manage_config',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the kdump domain.
##
##
##
#
interface(`kdump_admin',`
gen_require(`
- type kdump_t, kdump_etc_t, kdumpctl_tmp_t;
- type kdump_initrc_exec_t, kdumpctl_t;
+ type kdump_t, kdump_etc_t;
+ type kdump_initrc_exec_t;
+ type kdump_unit_file_t;
+ type kdump_crash_t;
')
- allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { kdump_t kdumpctl_t })
+ allow $1 kdump_t:process signal_perms;
+ ps_process_pattern($1, kdump_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 kdump_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
domain_system_change_exemption($1)
@@ -110,6 +296,29 @@ interface(`kdump_admin',`
files_search_etc($1)
admin_pattern($1, kdump_etc_t)
- files_search_tmp($1)
- admin_pattern($1, kdumpctl_tmp_t)
+ files_search_var($1)
+ admin_pattern($1, kdump_crash_t)
+
+ kdump_systemctl($1)
+ admin_pattern($1, kdump_unit_file_t)
+ allow $1 kdump_unit_file_t:service all_service_perms;
')
+
+###################################
+##
+## Dontaudit Read/write inherited kdump /var/tmp named pipes.
+##
+##
+##
+## Domain to not audit
+##
+##
+#
+interface(`kdump_dontaudit_inherited_kdumpctl_tmp_pipes',`
+ gen_require(`
+ type kdumpctl_tmp_t;
+ ')
+
+ dontaudit $1 kdumpctl_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
diff --git a/kdump.te b/kdump.te
index 715fc211c..41e1154ae 100644
--- a/kdump.te
+++ b/kdump.te
@@ -12,34 +12,59 @@ init_system_domain(kdump_t, kdump_exec_t)
type kdump_etc_t;
files_config_file(kdump_etc_t)
+type kdump_crash_t;
+files_type(kdump_crash_t)
+
type kdump_initrc_exec_t;
init_script_file(kdump_initrc_exec_t)
+type kdump_unit_file_t alias kdumpctl_unit_file_t;
+systemd_unit_file(kdump_unit_file_t)
+
+type kdump_lock_t;
+files_lock_file(kdump_lock_t)
+
type kdumpctl_t;
type kdumpctl_exec_t;
init_daemon_domain(kdumpctl_t, kdumpctl_exec_t)
-application_executable_file(kdumpctl_exec_t)
+init_initrc_domain(kdumpctl_t)
type kdumpctl_tmp_t;
files_tmp_file(kdumpctl_tmp_t)
#####################################
#
-# Local policy
+# kdump local policy
#
-allow kdump_t self:capability { sys_boot dac_override };
+allow kdump_t self:capability { sys_admin sys_boot dac_read_search dac_override };
+allow kdump_t self:capability2 compromise_kernel;
-allow kdump_t kdump_etc_t:file read_file_perms;
+manage_dirs_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
+manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
+manage_lnk_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
+files_var_filetrans(kdump_t, kdump_crash_t, dir, "crash")
+
+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
+
+manage_dirs_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
+manage_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
+manage_lnk_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
+files_lock_filetrans(kdump_t, kdump_lock_t, { dir file lnk_file })
-files_read_etc_files(kdump_t)
files_read_etc_runtime_files(kdump_t)
+files_read_kernel_symbol_table(kdump_t)
+files_read_kernel_modules(kdump_t)
files_read_kernel_img(kdump_t)
+files_map_boot_files(kdump_t)
+kernel_read_system_state(kdump_t)
kernel_read_core_if(kdump_t)
kernel_read_debugfs(kdump_t)
-kernel_read_system_state(kdump_t)
kernel_request_load_module(kdump_t)
+kernel_read_ring_buffer(kdump_t)
+
+mls_file_read_all_levels(kdump_t)
dev_read_framebuffer(kdump_t)
dev_read_sysfs(kdump_t)
@@ -48,69 +73,105 @@ term_use_console(kdump_t)
#######################################
#
-# Ctl local policy
+# kdumpctl local policy
#
-allow kdumpctl_t self:capability { dac_override sys_chroot };
+#cjp:almost all rules are needed by dracut
+
+kdump_domtrans(kdumpctl_t)
+
+allow kdumpctl_t self:capability { dac_read_search dac_override sys_chroot };
allow kdumpctl_t self:process setfscreate;
+
allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
-allow kdumpctl_t self:unix_stream_socket { accept listen };
+allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms;
-allow kdumpctl_t kdump_etc_t:file read_file_perms;
+manage_files_pattern(kdumpctl_t, kdump_lock_t, kdump_lock_t)
+files_lock_filetrans(kdumpctl_t, kdump_lock_t, file, "kdump")
manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
+manage_chr_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
manage_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
manage_lnk_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
+manage_fifo_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file })
+can_exec(kdumpctl_t, kdumpctl_tmp_t)
-domtrans_pattern(kdumpctl_t, kdump_exec_t, kdump_t)
+manage_dirs_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t)
+manage_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t)
+manage_lnk_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t)
+files_var_filetrans(kdumpctl_t, kdump_crash_t, dir, "crash")
+
+read_files_pattern(kdumpctl_t, kdump_etc_t, kdump_etc_t)
kernel_read_system_state(kdumpctl_t)
+kernel_stream_connect(kdumpctl_t)
+
+mls_file_read_all_levels(kdumpctl_t)
corecmd_exec_bin(kdumpctl_t)
corecmd_exec_shell(kdumpctl_t)
dev_read_sysfs(kdumpctl_t)
+# dracut
dev_manage_all_dev_nodes(kdumpctl_t)
domain_use_interactive_fds(kdumpctl_t)
files_create_kernel_img(kdumpctl_t)
-files_read_etc_files(kdumpctl_t)
files_read_etc_runtime_files(kdumpctl_t)
-files_read_usr_files(kdumpctl_t)
files_read_kernel_modules(kdumpctl_t)
files_getattr_all_dirs(kdumpctl_t)
+files_delete_kernel(kdumpctl_t)
fs_getattr_all_fs(kdumpctl_t)
fs_search_all(kdumpctl_t)
-init_domtrans_script(kdumpctl_t)
+application_executable_ioctl(kdumpctl_t)
+
+auth_read_passwd(kdumpctl_t)
+
init_exec(kdumpctl_t)
+systemd_exec_systemctl(kdumpctl_t)
+systemd_read_unit_files(kdumpctl_t)
libs_exec_ld_so(kdumpctl_t)
logging_send_syslog_msg(kdumpctl_t)
+# Need log file from /var/log/dracut.log
+logging_write_generic_logs(kdumpctl_t)
+
+selinux_get_enforce_mode(kdumpctl_t)
+
+storage_raw_read_fixed_disk(kdumpctl_t)
+storage_getattr_fixed_disk_dev(kdumpctl_t)
-miscfiles_read_localization(kdumpctl_t)
+optional_policy(`
+ networkmanager_dbus_chat(kdumpctl_t)
+')
+
+optional_policy(`
+ gpg_exec(kdumpctl_t)
+')
optional_policy(`
- gpg_exec(kdumpctl_t)
+ lvm_read_config(kdumpctl_t)
')
optional_policy(`
- lvm_read_config(kdumpctl_t)
+ modutils_domtrans_insmod(kdumpctl_t)
+ modutils_list_module_config(kdumpctl_t)
+ modutils_read_module_config(kdumpctl_t)
')
optional_policy(`
- modutils_domtrans_insmod(kdumpctl_t)
- modutils_read_module_config(kdumpctl_t)
+ plymouthd_domtrans_plymouth(kdumpctl_t)
')
optional_policy(`
- plymouthd_domtrans_plymouth(kdumpctl_t)
+ ssh_exec(kdumpctl_t)
')
optional_policy(`
- ssh_exec(kdumpctl_t)
+ unconfined_domain(kdumpctl_t)
')
diff --git a/kdumpgui.if b/kdumpgui.if
index 182ab8b58..8b1d9c23c 100644
--- a/kdumpgui.if
+++ b/kdumpgui.if
@@ -1 +1,23 @@
-## System-config-kdump GUI.
+## system-config-kdump GUI
+
+########################################
+##
+## Send and receive messages from
+## kdumpgui over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kdumpgui_dbus_chat',`
+ gen_require(`
+ type kdumpgui_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 kdumpgui_t:dbus send_msg;
+ allow kdumpgui_t $1:dbus send_msg;
+')
+
diff --git a/kdumpgui.te b/kdumpgui.te
index 2990962b6..abd217f1d 100644
--- a/kdumpgui.te
+++ b/kdumpgui.te
@@ -5,79 +5,89 @@ policy_module(kdumpgui, 1.2.0)
# Declarations
#
+##
+##
+## Allow s-c-kdump to run bootloader in bootloader_t.
+##
+##
+gen_tunable(kdumpgui_run_bootloader, false)
+
type kdumpgui_t;
type kdumpgui_exec_t;
-init_system_domain(kdumpgui_t, kdumpgui_exec_t)
+init_daemon_domain(kdumpgui_t, kdumpgui_exec_t)
type kdumpgui_tmp_t;
files_tmp_file(kdumpgui_tmp_t)
######################################
#
-# Local policy
+# system-config-kdump local policy
#
allow kdumpgui_t self:capability { net_admin sys_admin sys_nice sys_rawio };
-allow kdumpgui_t self:process { setsched sigkill };
allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow kdumpgui_t self:process { setsched sigkill };
manage_dirs_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
manage_files_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
files_tmp_filetrans(kdumpgui_t, kdumpgui_tmp_t, { dir file })
-kernel_getattr_core_if(kdumpgui_t)
kernel_read_system_state(kdumpgui_t)
kernel_read_network_state(kdumpgui_t)
+kernel_getattr_core_if(kdumpgui_t)
corecmd_exec_bin(kdumpgui_t)
corecmd_exec_shell(kdumpgui_t)
-dev_getattr_all_blk_files(kdumpgui_t)
dev_dontaudit_getattr_all_chr_files(kdumpgui_t)
dev_read_sysfs(kdumpgui_t)
+dev_read_urand(kdumpgui_t)
+dev_getattr_all_blk_files(kdumpgui_t)
+dev_read_nvme(kdumpgui_t)
files_manage_boot_files(kdumpgui_t)
files_manage_boot_symlinks(kdumpgui_t)
+# Needed for running chkconfig
files_manage_etc_symlinks(kdumpgui_t)
+# for blkid.tab
files_manage_etc_runtime_files(kdumpgui_t)
files_etc_filetrans_etc_runtime(kdumpgui_t, file)
-files_read_usr_files(kdumpgui_t)
+fs_manage_dos_files(kdumpgui_t)
fs_getattr_all_fs(kdumpgui_t)
fs_list_hugetlbfs(kdumpgui_t)
-fs_read_dos_files(kdumpgui_t)
storage_raw_read_fixed_disk(kdumpgui_t)
storage_raw_write_fixed_disk(kdumpgui_t)
+storage_getattr_removable_dev(kdumpgui_t)
auth_use_nsswitch(kdumpgui_t)
+logging_send_syslog_msg(kdumpgui_t)
logging_list_logs(kdumpgui_t)
logging_read_generic_logs(kdumpgui_t)
-logging_send_syslog_msg(kdumpgui_t)
-
-miscfiles_read_localization(kdumpgui_t)
mount_exec(kdumpgui_t)
init_dontaudit_read_all_script_files(kdumpgui_t)
+init_access_check(kdumpgui_t)
-optional_policy(`
- bootloader_exec(kdumpgui_t)
- bootloader_rw_config(kdumpgui_t)
-')
+userdom_dontaudit_search_admin_dir(kdumpgui_t)
optional_policy(`
- consoletype_exec(kdumpgui_t)
+ tunable_policy(`kdumpgui_run_bootloader',`
+ bootloader_domtrans(kdumpgui_t)
+ #if s-c-kdump is involved
+ bootloader_manage_config(kdumpgui_t)
+ ',`
+ bootloader_exec(kdumpgui_t)
+ bootloader_manage_config(kdumpgui_t)
+ ')
')
optional_policy(`
dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
-
- optional_policy(`
- policykit_dbus_chat(kdumpgui_t)
- ')
')
optional_policy(`
@@ -87,4 +97,10 @@ optional_policy(`
optional_policy(`
kdump_manage_config(kdumpgui_t)
kdump_initrc_domtrans(kdumpgui_t)
+ kdump_systemctl(kdumpgui_t)
+ kdumpctl_domtrans(kdumpgui_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(kdumpgui_t)
')
diff --git a/keepalived.fc b/keepalived.fc
new file mode 100644
index 000000000..9a19f91f3
--- /dev/null
+++ b/keepalived.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/keepalived.* -- gen_context(system_u:object_r:keepalived_unit_file_t,s0)
+
+/usr/sbin/keepalived -- gen_context(system_u:object_r:keepalived_exec_t,s0)
+
+/usr/libexec/keepalived(/.*)? gen_context(system_u:object_r:keepalived_unconfined_script_exec_t,s0)
+
+/var/run/keepalived.* -- gen_context(system_u:object_r:keepalived_var_run_t,s0)
diff --git a/keepalived.if b/keepalived.if
new file mode 100644
index 000000000..bd7e7fa17
--- /dev/null
+++ b/keepalived.if
@@ -0,0 +1,80 @@
+
+## keepalived - load-balancing and high-availability service
+
+########################################
+##
+## Execute keepalived in the keepalived domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`keepalived_domtrans',`
+ gen_require(`
+ type keepalived_t, keepalived_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, keepalived_exec_t, keepalived_t)
+')
+########################################
+##
+## Execute keepalived server in the keepalived domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`keepalived_systemctl',`
+ gen_require(`
+ type keepalived_t;
+ type keepalived_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 keepalived_unit_file_t:file read_file_perms;
+ allow $1 keepalived_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, keepalived_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an keepalived environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`keepalived_admin',`
+ gen_require(`
+ type keepalived_t;
+ type keepalived_unit_file_t;
+ ')
+
+ allow $1 keepalived_t:process { signal_perms };
+ ps_process_pattern($1, keepalived_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 keepalived_t:process ptrace;
+ ')
+
+ keepalived_systemctl($1)
+ admin_pattern($1, keepalived_unit_file_t)
+ allow $1 keepalived_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/keepalived.te b/keepalived.te
new file mode 100644
index 000000000..eb1bb07eb
--- /dev/null
+++ b/keepalived.te
@@ -0,0 +1,119 @@
+policy_module(keepalived, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
+## Determine whether keepalived can
+## connect to all TCP ports.
+##
+##
+gen_tunable(keepalived_connect_any, false)
+
+type keepalived_t;
+type keepalived_exec_t;
+init_daemon_domain(keepalived_t, keepalived_exec_t)
+
+type keepalived_unit_file_t;
+systemd_unit_file(keepalived_unit_file_t)
+
+type keepalived_var_run_t;
+files_pid_file(keepalived_var_run_t)
+
+type keepalived_unconfined_script_exec_t;
+application_executable_file(keepalived_unconfined_script_exec_t)
+
+########################################
+#
+# keepalived local policy
+#
+
+allow keepalived_t self:capability { net_admin net_raw kill dac_read_search sys_ptrace };
+allow keepalived_t self:process { signal_perms setpgid };
+allow keepalived_t self:netlink_socket create_socket_perms;
+allow keepalived_t self:netlink_generic_socket create_socket_perms;
+allow keepalived_t self:netlink_netfilter_socket create_socket_perms;
+allow keepalived_t self:netlink_route_socket nlmsg_write;
+allow keepalived_t self:packet_socket create_socket_perms;
+allow keepalived_t self:rawip_socket create_socket_perms;
+
+manage_files_pattern(keepalived_t, keepalived_var_run_t, keepalived_var_run_t)
+files_pid_filetrans(keepalived_t, keepalived_var_run_t, { file })
+
+kernel_read_system_state(keepalived_t)
+kernel_read_network_state(keepalived_t)
+kernel_request_load_module(keepalived_t)
+kernel_read_usermodehelper_state(keepalived_t)
+kernel_search_network_sysctl(keepalived_t)
+kernel_read_net_sysctls(keepalived_t)
+kernel_getattr_proc(keepalived_t)
+
+auth_use_nsswitch(keepalived_t)
+
+corecmd_exec_bin(keepalived_t)
+corecmd_exec_shell(keepalived_t)
+
+corenet_tcp_connect_connlcli_port(keepalived_t)
+corenet_tcp_connect_http_port(keepalived_t)
+corenet_tcp_connect_mysqld_port(keepalived_t)
+corenet_tcp_connect_smtp_port(keepalived_t)
+corenet_tcp_connect_snmp_port(keepalived_t)
+corenet_tcp_connect_agentx_port(keepalived_t)
+corenet_tcp_connect_squid_port(keepalived_t)
+
+domain_read_all_domains_state(keepalived_t)
+domain_getattr_all_domains(keepalived_t)
+
+dev_read_urand(keepalived_t)
+
+modutils_domtrans_insmod(keepalived_t)
+
+logging_send_syslog_msg(keepalived_t)
+
+optional_policy(`
+ iptables_domtrans(keepalived_t)
+')
+
+optional_policy(`
+ rhcs_signull_haproxy(keepalived_t)
+')
+
+optional_policy(`
+ snmp_manage_var_lib_files(keepalived_t)
+ snmp_manage_var_lib_sock_files(keepalived_t)
+ snmp_manage_var_lib_dirs(keepalived_t)
+ snmp_stream_connect(keepalived_t)
+')
+
+tunable_policy(`keepalived_connect_any',`
+ corenet_tcp_connect_all_ports(keepalived_t)
+ corenet_tcp_bind_all_ports(keepalived_t)
+ corenet_sendrecv_all_packets(keepalived_t)
+ corenet_tcp_sendrecv_all_ports(keepalived_t)
+')
+
+########################################
+#
+# keepalived_unconfined_script_script_t local policy
+#
+
+optional_policy(`
+ type keepalived_unconfined_script_t;
+ domain_type(keepalived_unconfined_script_t)
+
+ domain_entry_file(keepalived_unconfined_script_t, keepalived_unconfined_script_exec_t)
+ role system_r types keepalived_unconfined_script_t;
+
+ domtrans_pattern(keepalived_t, keepalived_unconfined_script_exec_t, keepalived_unconfined_script_t)
+
+ allow keepalived_t keepalived_unconfined_script_exec_t:dir search_dir_perms;
+ allow keepalived_t keepalived_unconfined_script_exec_t:dir read_file_perms;
+ allow keepalived_t keepalived_unconfined_script_exec_t:file ioctl;
+
+ optional_policy(`
+ unconfined_domain(keepalived_unconfined_script_t)
+ ')
+')
diff --git a/kerberos.fc b/kerberos.fc
index 4fe75fd63..3504a9bf7 100644
--- a/kerberos.fc
+++ b/kerberos.fc
@@ -1,52 +1,54 @@
-HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
-/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+HOME_DIR/\.k5users -- gen_context(system_u:object_r:krb5_home_t,s0)
+/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+/root/\.k5users -- gen_context(system_u:object_r:krb5_home_t,s0)
-/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0)
-/etc/krb5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
+/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0)
+/etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0)
-/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
-/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
+/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
/etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
-/usr/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
-/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/(kerberos/)?sbin/\_kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
/usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
+/usr/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
+/usr/sbin/\_kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
-/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
+/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/var/lib/kdcproxy(/.*)? gen_context(system_u:object_r:krb5kdc_var_lib_t,s0)
-/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0)
+/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0)
-/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
-/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-/var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-
-/var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0)
-/var/log/kadmin\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
-/var/log/kadmind\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
-
-/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/imap_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/nfs_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/run/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_var_run_t,s0)
+
+/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/kadmin_0 -- gen_context(system_u:object_r:kadmind_tmp_t,s0)
+/var/tmp/kiprop_0 -- gen_context(system_u:object_r:kadmind_tmp_t,s0)
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/imap_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/nfs_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/kerberos.if b/kerberos.if
index f6c00d8e6..79ea4d8d2 100644
--- a/kerberos.if
+++ b/kerberos.if
@@ -1,27 +1,29 @@
-## MIT Kerberos admin and KDC.
+## MIT Kerberos admin and KDC
+##
+##
+## This policy supports:
+##
+##
+## Servers:
+##
+## - kadmind
+## - krb5kdc
+##
+##
+##
+## Clients:
+##
+## - kinit
+## - kdestroy
+## - klist
+## - ksu (incomplete)
+##
+##
+##
########################################
##
-## Role access for kerberos.
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-##
-## User domain for the role.
-##
-##
-#
-template(`kerberos_role',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
-##
-## Execute kadmind in the caller domain.
+## Execute kadmind in the current domain
##
##
##
@@ -34,7 +36,6 @@ interface(`kerberos_exec_kadmind',`
type kadmind_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, kadmind_exec_t)
')
@@ -53,13 +54,12 @@ interface(`kerberos_domtrans_kpropd',`
type kpropd_t, kpropd_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, kpropd_exec_t, kpropd_t)
')
########################################
##
-## Support kerberos services.
+## Use kerberos services
##
##
##
@@ -69,45 +69,45 @@ interface(`kerberos_domtrans_kpropd',`
#
interface(`kerberos_use',`
gen_require(`
- type krb5kdc_conf_t, krb5_host_rcache_t;
+ type krb5_conf_t, krb5kdc_conf_t;
+ type krb5_host_rcache_t;
')
- kerberos_read_config($1)
-
- dontaudit $1 krb5_conf_t:file write_file_perms;
+ files_search_etc($1)
+ read_files_pattern($1, krb5_conf_t, krb5_conf_t)
+ list_dirs_pattern($1, krb5_conf_t, krb5_conf_t)
+ dontaudit $1 krb5_conf_t:file write;
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
+ #kerberos libraries are attempting to set the correct file context
dontaudit $1 self:process setfscreate;
-
selinux_dontaudit_validate_context($1)
- seutil_dontaudit_read_file_contexts($1)
+ seutil_read_file_contexts($1)
- tunable_policy(`allow_kerberos',`
+ tunable_policy(`kerberos_enabled',`
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
- corenet_all_recvfrom_unlabeled($1)
- corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_udp_sendrecv_generic_node($1)
-
- corenet_sendrecv_kerberos_client_packets($1)
- corenet_tcp_connect_kerberos_port($1)
corenet_tcp_sendrecv_kerberos_port($1)
corenet_udp_sendrecv_kerberos_port($1)
-
- corenet_sendrecv_ocsp_client_packets($1)
+ corenet_tcp_bind_generic_node($1)
+ corenet_udp_bind_generic_node($1)
+ corenet_tcp_connect_kerberos_port($1)
corenet_tcp_connect_ocsp_port($1)
- corenet_tcp_sendrecv_ocsp_port($1)
+ corenet_sendrecv_kerberos_client_packets($1)
+ corenet_sendrecv_ocsp_client_packets($1)
+ allow $1 krb5_host_rcache_t:dir search_dir_perms;
allow $1 krb5_host_rcache_t:file getattr_file_perms;
')
optional_policy(`
- tunable_policy(`allow_kerberos',`
+ tunable_policy(`kerberos_enabled',`
pcscd_stream_connect($1)
')
')
@@ -119,7 +119,7 @@ interface(`kerberos_use',`
########################################
##
-## Read kerberos configuration files.
+## Read the kerberos configuration file (/etc/krb5.conf).
##
##
##
@@ -135,15 +135,13 @@ interface(`kerberos_read_config',`
files_search_etc($1)
allow $1 krb5_conf_t:file read_file_perms;
-
- userdom_search_user_home_dirs($1)
allow $1 krb5_home_t:file read_file_perms;
')
########################################
##
-## Do not audit attempts to write
-## kerberos configuration files.
+## Do not audit attempts to write the kerberos
+## configuration file (/etc/krb5.conf).
##
##
##
@@ -156,13 +154,12 @@ interface(`kerberos_dontaudit_write_config',`
type krb5_conf_t;
')
- dontaudit $1 krb5_conf_t:file write_file_perms;
+ dontaudit $1 krb5_conf_t:file write;
')
########################################
##
-## Read and write kerberos
-## configuration files.
+## Read and write the kerberos configuration file (/etc/krb5.conf).
##
##
##
@@ -182,27 +179,27 @@ interface(`kerberos_rw_config',`
########################################
##
-## Create, read, write, and delete
-## kerberos home files.
+## Read the kerberos key table.
##
##
##
## Domain allowed access.
##
##
+##
#
-interface(`kerberos_manage_krb5_home_files',`
+interface(`kerberos_read_keytab',`
gen_require(`
- type krb5_home_t;
+ type krb5_keytab_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 krb5_home_t:file manage_file_perms;
+ files_search_etc($1)
+ allow $1 krb5_keytab_t:file read_file_perms;
')
########################################
##
-## Relabel kerberos home files.
+## Read/Write the kerberos key table.
##
##
##
@@ -210,220 +207,252 @@ interface(`kerberos_manage_krb5_home_files',`
##
##
#
-interface(`kerberos_relabel_krb5_home_files',`
+interface(`kerberos_rw_keytab',`
gen_require(`
- type krb5_home_t;
+ type krb5_keytab_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 krb5_home_t:file relabel_file_perms;
+ files_search_etc($1)
+ allow $1 krb5_keytab_t:file rw_file_perms;
')
########################################
##
-## Create objects in user home
-## directories with the krb5 home type.
+## Create keytab file in /etc
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Class of the object being created.
-##
-##
##
##
## The name of the object being created.
##
##
#
-interface(`kerberos_home_filetrans_krb5_home',`
+interface(`kerberos_etc_filetrans_keytab',`
gen_require(`
- type krb5_home_t;
+ type krb5_keytab_t;
')
- userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3)
+ allow $1 krb5_keytab_t:file manage_file_perms;
+ files_etc_filetrans($1, krb5_keytab_t, file, $2)
')
########################################
##
-## Read kerberos key table files.
+## Create a derived type for kerberos keytab
##
+##
+##
+## The prefix to be used for deriving type names.
+##
+##
##
##
## Domain allowed access.
##
##
-##
#
-interface(`kerberos_read_keytab',`
- gen_require(`
- type krb5_keytab_t;
- ')
-
- files_search_etc($1)
- allow $1 krb5_keytab_t:file read_file_perms;
+template(`kerberos_keytab_template',`
+ refpolicywarn(`$0($*) has been deprecated.')
+ kerberos_read_keytab($2)
+ kerberos_use($2)
')
########################################
##
-## Read and write kerberos key table files.
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
##
##
##
## Domain allowed access.
##
##
+##
#
-interface(`kerberos_rw_keytab',`
+interface(`kerberos_read_kdc_config',`
gen_require(`
- type krb5_keytab_t;
+ type krb5kdc_conf_t;
')
files_search_etc($1)
- allow $1 krb5_keytab_t:file rw_file_perms;
+ read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
')
########################################
##
-## Create, read, write, and delete
-## kerberos key table files.
+## Manage the kerberos kdc configuration file (/etc/krb5kdc.conf).
##
##
##
## Domain allowed access.
##
##
+##
#
-interface(`kerberos_manage_keytab_files',`
+interface(`kerberos_manage_kdc_config',`
gen_require(`
- type krb5_keytab_t;
+ type krb5kdc_conf_t;
')
files_search_etc($1)
- allow $1 krb5_keytab_t:file manage_file_perms;
+ manage_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
+ manage_dirs_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
')
########################################
##
-## Create specified objects in generic
-## etc directories with the kerberos
-## keytab file type.
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
#
-interface(`kerberos_etc_filetrans_keytab',`
+interface(`kerberos_read_host_rcache',`
gen_require(`
- type krb5_keytab_t;
+ type krb5_host_rcache_t;
')
-
- files_etc_filetrans($1, krb5_keytab_t, $2, $3)
+ read_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
')
########################################
##
-## Create a derived type for kerberos
-## keytab files.
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
##
-##
-##
-## The prefix to be used for deriving type names.
-##
-##
##
##
## Domain allowed access.
##
##
+##
#
-template(`kerberos_keytab_template',`
- refpolicywarn(`$0($*) has been deprecated.')
- kerberos_read_keytab($2)
- kerberos_use($2)
+interface(`kerberos_manage_host_rcache',`
+ gen_require(`
+ type krb5_host_rcache_t;
+ ')
+
+ # creates files as system_u no matter what the selinux user
+ # cjp: should be in the below tunable but typeattribute
+ # does not work in conditionals
+ domain_obj_id_change_exemption($1)
+
+ tunable_policy(`kerberos_enabled',`
+ allow $1 self:process setfscreate;
+
+ selinux_validate_context($1)
+
+ seutil_read_file_contexts($1)
+
+ files_rw_generic_tmp_dir($1)
+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
+ files_search_tmp($1)
+ ')
')
########################################
##
-## Read kerberos kdc configuration files.
+## All of the rules required to administrate
+## an kerberos environment
##
##
##
## Domain allowed access.
##
##
+##
+##
+## The role to be allowed to manage the kerberos domain.
+##
+##
##
#
-interface(`kerberos_read_kdc_config',`
+interface(`kerberos_admin',`
gen_require(`
- type krb5kdc_conf_t;
+ type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
+ type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
+ type krb5kdc_var_run_t, krb5_host_rcache_t;
')
- files_search_etc($1)
- read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
+ allow $1 kadmind_t:process signal_perms;
+ ps_process_pattern($1, kadmind_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 kadmind_t:process ptrace;
+ allow $1 krb5kdc_t:process ptrace;
+ allow $1 kpropd_t:process ptrace;
+ ')
+
+ allow $1 krb5kdc_t:process signal_perms;
+ ps_process_pattern($1, krb5kdc_t)
+
+ allow $1 kpropd_t:process signal_perms;
+ ps_process_pattern($1, kpropd_t)
+
+ init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 kerberos_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, kadmind_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, kadmind_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, kadmind_var_run_t)
+
+ admin_pattern($1, krb5_conf_t)
+
+ admin_pattern($1, krb5_host_rcache_t)
+
+ admin_pattern($1, krb5_keytab_t)
+
+ admin_pattern($1, krb5kdc_principal_t)
+
+ admin_pattern($1, krb5kdc_tmp_t)
+
+ admin_pattern($1, krb5kdc_var_run_t)
')
########################################
##
-## Create, read, write, and delete
-## kerberos host rcache files.
+## Type transition files created in /tmp
+## to the krb5_host_rcache type.
##
##
##
## Domain allowed access.
##
##
-##
+##
+##
+## The name of the object being created.
+##
+##
#
-interface(`kerberos_manage_host_rcache',`
+interface(`kerberos_tmp_filetrans_host_rcache',`
gen_require(`
type krb5_host_rcache_t;
')
- domain_obj_id_change_exemption($1)
-
- tunable_policy(`allow_kerberos',`
- allow $1 self:process setfscreate;
-
- selinux_validate_context($1)
-
- seutil_read_file_contexts($1)
-
- files_search_tmp($1)
- allow $1 krb5_host_rcache_t:file manage_file_perms;
- ')
+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
')
########################################
##
-## Create objects in generic temporary
-## directories with the kerberos host
-## rcache type.
+## Type transition files created in /tmp
+## to the kadmind_tmp type.
##
##
##
-## Domain allowed to transition.
-##
-##
-##
-##
-## Class of the object being created.
+## Domain allowed access.
##
##
##
@@ -432,17 +461,18 @@ interface(`kerberos_manage_host_rcache',`
##
##
#
-interface(`kerberos_tmp_filetrans_host_rcache',`
+interface(`kerberos_tmp_filetrans_kadmin',`
gen_require(`
- type krb5_host_rcache_t;
+ type kadmind_tmp_t;
')
- files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3)
+ manage_files_pattern($1, kadmind_tmp_t, kadmind_tmp_t)
+ files_tmp_filetrans($1, kadmind_tmp_t, file, $2)
')
########################################
##
-## Connect to krb524 service.
+## read kerberos homedir content (.k5login)
##
##
##
@@ -450,82 +480,109 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
##
##
#
-interface(`kerberos_connect_524',`
- tunable_policy(`allow_kerberos',`
- allow $1 self:udp_socket create_socket_perms;
-
- corenet_all_recvfrom_unlabeled($1)
- corenet_all_recvfrom_netlabel($1)
- corenet_udp_sendrecv_generic_if($1)
- corenet_udp_sendrecv_generic_node($1)
-
- corenet_sendrecv_kerberos_master_client_packets($1)
- corenet_udp_sendrecv_kerberos_master_port($1)
+interface(`kerberos_read_home_content',`
+ gen_require(`
+ type krb5_home_t;
')
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, krb5_home_t, krb5_home_t)
')
########################################
##
-## All of the rules required to
-## administrate an kerberos environment.
+## Manage the kerberos kdc /var/lib files
+## and directories.
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Role allowed access.
-##
-##
##
#
-interface(`kerberos_admin',`
+interface(`kerberos_manage_kdc_var_lib',`
gen_require(`
- type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
- type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
- type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
- type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
- type krb5kdc_var_run_t, krb5_host_rcache_t;
+ type krb5kdc_var_lib_t;
')
- allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms };
- ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd })
-
- init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kerberos_initrc_exec_t system_r;
- allow $2 system_r;
+ files_search_etc($1)
+ manage_files_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
+ manage_dirs_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
+')
- logging_list_logs($1)
- admin_pattern($1, kadmind_log_t)
+########################################
+##
+## create kerberos content in the in the /root directory
+## with an correct label.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kerberos_filetrans_admin_home_content',`
+ gen_require(`
+ type krb5_home_t;
+ ')
- files_list_tmp($1)
- admin_pattern($1, { kadmind_tmp_t krb5_host_rcache_t krb5kdc_tmp_t })
+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
+')
- kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
- kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
- kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
- kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
- kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
- kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
- kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
- kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+########################################
+##
+## Transition to kerberos named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kerberos_filetrans_home_content',`
+ gen_require(`
+ type krb5_home_t;
+ ')
- files_list_pids($1)
- admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t })
+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
+')
- files_list_etc($1)
- admin_pattern($1, krb5_conf_t)
+########################################
+##
+## Transition to kerberos named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kerberos_filetrans_named_content',`
+ gen_require(`
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t;
+ ')
files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
-
- admin_pattern($1, { krb5_keytab_t krb5kdc_principal_t })
-
+ filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
-
- kerberos_etc_filetrans_keytab($1, file, "kadm5.keytab")
+ #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+
+ kerberos_etc_filetrans_keytab($1, "krb5.keytab")
+ kerberos_filetrans_admin_home_content($1)
+
+ kerberos_tmp_filetrans_host_rcache($1, "DNS_25")
+ kerberos_tmp_filetrans_host_rcache($1, "host_0")
+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_48")
+ kerberos_tmp_filetrans_host_rcache($1, "imap_0")
+ kerberos_tmp_filetrans_host_rcache($1, "nfs_0")
+ kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
')
diff --git a/kerberos.te b/kerberos.te
index 8833d596d..3519d8b7b 100644
--- a/kerberos.te
+++ b/kerberos.te
@@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
#
##
-##
-## Determine whether kerberos is supported.
-##
+##
+## Allow confined applications to run with kerberos.
+##
##
-gen_tunable(allow_kerberos, false)
+gen_tunable(kerberos_enabled, false)
type kadmind_t;
type kadmind_exec_t;
@@ -35,23 +35,29 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
domain_obj_id_change_exemption(kpropd_t)
type krb5_conf_t;
-files_type(krb5_conf_t)
+files_config_file(krb5_conf_t)
type krb5_home_t;
userdom_user_home_content(krb5_home_t)
-type krb5_host_rcache_t;
+type krb5_host_rcache_t alias saslauthd_tmp_t;
files_tmp_file(krb5_host_rcache_t)
+# types for general configuration files in /etc
type krb5_keytab_t;
files_security_file(krb5_keytab_t)
+# types for KDC configs and principal file(s)
type krb5kdc_conf_t;
-files_type(krb5kdc_conf_t)
+files_config_file(krb5kdc_conf_t)
type krb5kdc_lock_t;
-files_type(krb5kdc_lock_t)
+files_lock_file(krb5kdc_lock_t)
+type krb5kdc_var_lib_t;
+files_type(krb5kdc_var_lib_t)
+
+# types for KDC principal file(s)
type krb5kdc_principal_t;
files_type(krb5kdc_principal_t)
@@ -74,28 +80,33 @@ files_pid_file(krb5kdc_var_run_t)
# kadmind local policy
#
-allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
-dontaudit kadmind_t self:capability sys_tty_config;
+# Use capabilities. Surplus capabilities may be allowed.
+allow kadmind_t self:capability { setuid setgid chown fowner dac_read_search dac_override sys_nice };
allow kadmind_t self:capability2 block_suspend;
+dontaudit kadmind_t self:capability sys_tty_config;
allow kadmind_t self:process { setfscreate setsched getsched signal_perms };
allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
-allow kadmind_t self:tcp_socket { accept listen };
+allow kadmind_t self:unix_dgram_socket { connect create write };
+allow kadmind_t self:tcp_socket connected_stream_socket_perms;
allow kadmind_t self:udp_socket create_socket_perms;
-allow kadmind_t kadmind_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow kadmind_t kadmind_log_t:file manage_file_perms;
logging_log_filetrans(kadmind_t, kadmind_log_t, file)
allow kadmind_t krb5_conf_t:file read_file_perms;
-dontaudit kadmind_t krb5_conf_t:file write_file_perms;
+dontaudit kadmind_t krb5_conf_t:file write;
-read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
-dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms };
+manage_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
-allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
+allow kadmind_t krb5kdc_principal_t:file { manage_file_perms map };
filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
+allow kadmind_t krb5_keytab_t:file read_file_perms;
+
+can_exec(kadmind_t, kadmind_exec_t)
+
manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
@@ -103,13 +114,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t)
files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
-can_exec(kadmind_t, kadmind_exec_t)
-
kernel_read_kernel_sysctls(kadmind_t)
+kernel_list_proc(kadmind_t)
kernel_read_network_state(kadmind_t)
+kernel_read_proc_symlinks(kadmind_t)
kernel_read_system_state(kadmind_t)
-corenet_all_recvfrom_unlabeled(kadmind_t)
+corecmd_exec_bin(kadmind_t)
+corecmd_exec_shell(kadmind_t)
+
corenet_all_recvfrom_netlabel(kadmind_t)
corenet_tcp_sendrecv_generic_if(kadmind_t)
corenet_udp_sendrecv_generic_if(kadmind_t)
@@ -119,31 +132,44 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
corenet_udp_sendrecv_all_ports(kadmind_t)
corenet_tcp_bind_generic_node(kadmind_t)
corenet_udp_bind_generic_node(kadmind_t)
-
-corenet_sendrecv_all_server_packets(kadmind_t)
corenet_tcp_bind_kerberos_admin_port(kadmind_t)
+corenet_tcp_bind_kerberos_password_port(kadmind_t)
corenet_udp_bind_kerberos_admin_port(kadmind_t)
+corenet_udp_bind_kerberos_password_port(kadmind_t)
corenet_tcp_bind_reserved_port(kadmind_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
+corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
+corenet_sendrecv_kerberos_password_server_packets(kadmind_t)
+corenet_tcp_bind_kprop_port(kadmind_t)
+corenet_tcp_connect_kprop_port(kadmind_t)
dev_read_sysfs(kadmind_t)
+dev_read_rand(kadmind_t)
+dev_read_urand(kadmind_t)
fs_getattr_all_fs(kadmind_t)
fs_search_auto_mountpoints(kadmind_t)
+fs_rw_anon_inodefs_files(kadmind_t)
domain_use_interactive_fds(kadmind_t)
files_read_etc_files(kadmind_t)
-files_read_usr_files(kadmind_t)
+files_read_usr_symlinks(kadmind_t)
files_read_var_files(kadmind_t)
selinux_validate_context(kadmind_t)
+auth_read_passwd(kadmind_t)
+
logging_send_syslog_msg(kadmind_t)
+miscfiles_read_generic_certs(kadmind_t)
miscfiles_read_localization(kadmind_t)
+seutil_read_config(kadmind_t)
seutil_read_file_contexts(kadmind_t)
+sysnet_read_config(kadmind_t)
sysnet_use_ldap(kadmind_t)
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
@@ -153,12 +179,17 @@ optional_policy(`
ldap_stream_connect(kadmind_t)
')
+optional_policy(`
+ dirsrv_stream_connect(kadmind_t)
+')
+
optional_policy(`
nis_use_ypbind(kadmind_t)
')
optional_policy(`
sssd_read_public_files(kadmind_t)
+ sssd_stream_connect(kadmind_t)
')
optional_policy(`
@@ -174,24 +205,28 @@ optional_policy(`
# Krb5kdc local policy
#
-allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
-dontaudit krb5kdc_t self:capability sys_tty_config;
+# Use capabilities. Surplus capabilities may be allowed.
+allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_read_search dac_override sys_nice };
allow krb5kdc_t self:capability2 block_suspend;
+dontaudit krb5kdc_t self:capability sys_tty_config;
allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
-allow krb5kdc_t self:tcp_socket { accept listen };
+allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
allow krb5kdc_t self:udp_socket create_socket_perms;
allow krb5kdc_t self:fifo_file rw_fifo_file_perms;
allow krb5kdc_t krb5_conf_t:file read_file_perms;
dontaudit krb5kdc_t krb5_conf_t:file write;
+can_exec(krb5kdc_t, krb5kdc_exec_t)
+
+list_dirs_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
-dontaudit krb5kdc_t krb5kdc_conf_t:file write_file_perms;
+dontaudit krb5kdc_t krb5kdc_conf_t:file write;
allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
-allow krb5kdc_t krb5kdc_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
@@ -201,77 +236,93 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
-files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
+manage_sock_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
+manage_dirs_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
+files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, { dir file sock_file })
-can_exec(krb5kdc_t, krb5kdc_exec_t)
+manage_files_pattern(krb5kdc_t, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
+manage_dirs_pattern(krb5kdc_t, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
kernel_read_system_state(krb5kdc_t)
kernel_read_kernel_sysctls(krb5kdc_t)
+kernel_list_proc(krb5kdc_t)
+kernel_read_proc_symlinks(krb5kdc_t)
kernel_read_network_state(krb5kdc_t)
kernel_search_network_sysctl(krb5kdc_t)
corecmd_exec_bin(krb5kdc_t)
-corenet_all_recvfrom_unlabeled(krb5kdc_t)
corenet_all_recvfrom_netlabel(krb5kdc_t)
corenet_tcp_sendrecv_generic_if(krb5kdc_t)
corenet_udp_sendrecv_generic_if(krb5kdc_t)
corenet_tcp_sendrecv_generic_node(krb5kdc_t)
corenet_udp_sendrecv_generic_node(krb5kdc_t)
+corenet_tcp_sendrecv_all_ports(krb5kdc_t)
+corenet_udp_sendrecv_all_ports(krb5kdc_t)
corenet_tcp_bind_generic_node(krb5kdc_t)
corenet_udp_bind_generic_node(krb5kdc_t)
-
-corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
corenet_tcp_bind_kerberos_port(krb5kdc_t)
corenet_udp_bind_kerberos_port(krb5kdc_t)
-corenet_tcp_sendrecv_kerberos_port(krb5kdc_t)
-corenet_udp_sendrecv_kerberos_port(krb5kdc_t)
-
-corenet_sendrecv_ocsp_client_packets(krb5kdc_t)
corenet_tcp_connect_ocsp_port(krb5kdc_t)
-corenet_tcp_sendrecv_ocsp_port(krb5kdc_t)
+corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
+corenet_sendrecv_ocsp_client_packets(krb5kdc_t)
dev_read_sysfs(krb5kdc_t)
+dev_read_urand(krb5kdc_t)
fs_getattr_all_fs(krb5kdc_t)
fs_search_auto_mountpoints(krb5kdc_t)
+fs_rw_anon_inodefs_files(krb5kdc_t)
domain_use_interactive_fds(krb5kdc_t)
-files_read_etc_files(krb5kdc_t)
files_read_usr_symlinks(krb5kdc_t)
files_read_var_files(krb5kdc_t)
selinux_validate_context(krb5kdc_t)
+auth_use_nsswitch(krb5kdc_t)
+
logging_send_syslog_msg(krb5kdc_t)
miscfiles_read_generic_certs(krb5kdc_t)
-miscfiles_read_localization(krb5kdc_t)
seutil_read_file_contexts(krb5kdc_t)
+sysnet_read_config(krb5kdc_t)
sysnet_use_ldap(krb5kdc_t)
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
+optional_policy(`
+ ipa_stream_connect_otpd(krb5kdc_t)
+')
+
optional_policy(`
ldap_stream_connect(krb5kdc_t)
')
+optional_policy(`
+ dirsrv_stream_connect(krb5kdc_t)
+')
+
optional_policy(`
nis_use_ypbind(krb5kdc_t)
')
optional_policy(`
- sssd_read_public_files(krb5kdc_t)
+ realmd_read_var_lib(krb5kdc_t)
')
optional_policy(`
seutil_sigchld_newrole(krb5kdc_t)
')
+optional_policy(`
+ sssd_read_public_files(krb5kdc_t)
+')
+
optional_policy(`
udev_read_db(krb5kdc_t)
')
@@ -281,10 +332,12 @@ optional_policy(`
# kpropd local policy
#
+allow kpropd_t self:capability net_bind_service;
allow kpropd_t self:process setfscreate;
-allow kpropd_t self:fifo_file rw_fifo_file_perms;
-allow kpropd_t self:unix_stream_socket { accept listen };
-allow kpropd_t self:tcp_socket { accept listen };
+
+allow kpropd_t self:fifo_file rw_file_perms;
+allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
+allow kpropd_t self:tcp_socket create_stream_socket_perms;
allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
@@ -296,32 +349,35 @@ manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file)
manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
+allow kpropd_t krb5kdc_principal_t:file map;
manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+kernel_read_system_state(kpropd_t)
+kernel_read_network_state(kpropd_t)
+
+can_exec(kpropd_t,kpropd_exec_t)
+
corecmd_exec_bin(kpropd_t)
-corenet_all_recvfrom_unlabeled(kpropd_t)
corenet_tcp_sendrecv_generic_if(kpropd_t)
corenet_tcp_sendrecv_generic_node(kpropd_t)
+corenet_tcp_sendrecv_all_ports(kpropd_t)
corenet_tcp_bind_generic_node(kpropd_t)
-
-corenet_sendrecv_kprop_server_packets(kpropd_t)
corenet_tcp_bind_kprop_port(kpropd_t)
-corenet_tcp_sendrecv_kprop_port(kpropd_t)
+corenet_tcp_connect_kprop_port(kpropd_t)
dev_read_urand(kpropd_t)
-files_read_etc_files(kpropd_t)
files_search_tmp(kpropd_t)
selinux_validate_context(kpropd_t)
-logging_send_syslog_msg(kpropd_t)
+auth_use_nsswitch(kpropd_t)
-miscfiles_read_localization(kpropd_t)
+logging_send_syslog_msg(kpropd_t)
seutil_read_file_contexts(kpropd_t)
diff --git a/kerneloops.if b/kerneloops.if
index 714448f8d..fa0c994e5 100644
--- a/kerneloops.if
+++ b/kerneloops.if
@@ -101,13 +101,16 @@ interface(`kerneloops_manage_tmp_files',`
#
interface(`kerneloops_admin',`
gen_require(`
- type kerneloops_t, kerneloops_initrc_exec_t;
- type kerneloops_tmp_t;
+ type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;
')
- allow $1 kerneloops_t:process { ptrace signal_perms };
+ allow $1 kerneloops_t:process signal_perms;
ps_process_pattern($1, kerneloops_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 kerneloops_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 kerneloops_initrc_exec_t system_r;
diff --git a/kerneloops.te b/kerneloops.te
index bcdb29599..f6e3736dd 100644
--- a/kerneloops.te
+++ b/kerneloops.te
@@ -31,7 +31,6 @@ kernel_read_ring_buffer(kerneloops_t)
domain_use_interactive_fds(kerneloops_t)
-corenet_all_recvfrom_unlabeled(kerneloops_t)
corenet_all_recvfrom_netlabel(kerneloops_t)
corenet_tcp_sendrecv_generic_if(kerneloops_t)
corenet_tcp_sendrecv_generic_node(kerneloops_t)
@@ -45,8 +44,6 @@ auth_use_nsswitch(kerneloops_t)
logging_send_syslog_msg(kerneloops_t)
logging_read_generic_logs(kerneloops_t)
-miscfiles_read_localization(kerneloops_t)
-
optional_policy(`
dbus_system_domain(kerneloops_t, kerneloops_exec_t)
')
diff --git a/keyboardd.if b/keyboardd.if
index 8982b9106..6134ef258 100644
--- a/keyboardd.if
+++ b/keyboardd.if
@@ -1,19 +1,39 @@
-## Xorg.conf keyboard layout callout.
-######################################
+## policy for system-setup-keyboard daemon
+
+########################################
##
-## Read keyboardd unnamed pipes.
+## Execute a domain transition to run keyboard setup daemon.
##
##
-##
+##
## Domain allowed access.
-##
+##
##
#
-interface(`keyboardd_read_pipes',`
+interface(`keyboardd_domtrans',`
gen_require(`
- type keyboardd_t;
+ type keyboardd_t, keyboardd_exec_t;
+ ')
+
+ domtrans_pattern($1, keyboardd_exec_t, keyboardd_t)
+')
+
+######################################
+##
+## Allow attempts to read to
+## keyboardd unnamed pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`keyboardd_read_pipes',`
+ gen_require(`
+ type keyboardd_t;
')
- allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
+ allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
')
diff --git a/keyboardd.te b/keyboardd.te
index 628b78b4b..fe656175e 100644
--- a/keyboardd.te
+++ b/keyboardd.te
@@ -19,6 +19,3 @@ allow keyboardd_t self:unix_stream_socket create_stream_socket_perms;
files_manage_etc_runtime_files(keyboardd_t)
files_etc_filetrans_etc_runtime(keyboardd_t, file)
-files_read_etc_files(keyboardd_t)
-
-miscfiles_read_localization(keyboardd_t)
diff --git a/keystone.fc b/keystone.fc
index b273d803c..6b2b50d69 100644
--- a/keystone.fc
+++ b/keystone.fc
@@ -1,7 +1,13 @@
+/usr/lib/systemd/system/openstack-keystone.* -- gen_context(system_u:object_r:keystone_unit_file_t,s0)
+
/etc/rc\.d/init\.d/openstack-keystone -- gen_context(system_u:object_r:keystone_initrc_exec_t,s0)
/usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0)
+/var/www/cgi-bin/keystone(/.*)? gen_context(system_u:object_r:keystone_cgi_script_exec_t,s0)
+
/var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0)
/var/log/keystone(/.*)? gen_context(system_u:object_r:keystone_log_t,s0)
+
+/var/run/keystone(/.*)? gen_context(system_u:object_r:keystone_var_run_t,s0)
diff --git a/keystone.if b/keystone.if
index e88fb16e0..ec6121a5c 100644
--- a/keystone.if
+++ b/keystone.if
@@ -1,42 +1,219 @@
-## Python implementation of the OpenStack identity service API.
+
+## policy for keystone
########################################
##
-## All of the rules required to
-## administrate an keystone environment.
+## Transition to keystone.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`keystone_domtrans',`
+ gen_require(`
+ type keystone_t, keystone_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, keystone_exec_t, keystone_t)
+')
+########################################
+##
+## Read keystone's log files.
##
##
##
## Domain allowed access.
##
##
-##
+##
+#
+interface(`keystone_read_log',`
+ gen_require(`
+ type keystone_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, keystone_log_t, keystone_log_t)
+')
+
+########################################
+##
+## Append to keystone log files.
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
+##
+##
+#
+interface(`keystone_append_log',`
+ gen_require(`
+ type keystone_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, keystone_log_t, keystone_log_t)
+')
+
+########################################
+##
+## Manage keystone log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`keystone_manage_log',`
+ gen_require(`
+ type keystone_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, keystone_log_t, keystone_log_t)
+ manage_files_pattern($1, keystone_log_t, keystone_log_t)
+ manage_lnk_files_pattern($1, keystone_log_t, keystone_log_t)
+')
+
+########################################
+##
+## Search keystone lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`keystone_search_lib',`
+ gen_require(`
+ type keystone_var_lib_t;
+ ')
+
+ allow $1 keystone_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read keystone lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`keystone_read_lib_files',`
+ gen_require(`
+ type keystone_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
+')
+
+########################################
+##
+## Manage keystone lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`keystone_manage_lib_files',`
+ gen_require(`
+ type keystone_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
+')
+
+########################################
+##
+## Manage keystone lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`keystone_manage_lib_dirs',`
+ gen_require(`
+ type keystone_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
+')
+
+########################################
+##
+## Execute keystone server in the keystone domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`keystone_systemctl',`
+ gen_require(`
+ type keystone_t;
+ type keystone_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 keystone_unit_file_t:file read_file_perms;
+ allow $1 keystone_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, keystone_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an keystone environment
+##
+##
+##
+## Domain allowed access.
##
##
-##
#
interface(`keystone_admin',`
gen_require(`
- type keystone_t, keystone_initrc_exec_t, keystone_log_t;
- type keystone_var_lib_t, keystone_tmp_t;
+ type keystone_t;
+ type keystone_log_t;
+ type keystone_var_lib_t;
+ type keystone_unit_file_t;
')
allow $1 keystone_t:process { ptrace signal_perms };
ps_process_pattern($1, keystone_t)
- init_labeled_script_domtrans($1, keystone_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 keystone_initrc_exec_t system_r;
- allow $2 system_r;
-
logging_search_logs($1)
admin_pattern($1, keystone_log_t)
files_search_var_lib($1)
admin_pattern($1, keystone_var_lib_t)
- files_search_tmp($1)
- admin_pattern($1, keystone_tmp_t)
+ keystone_systemctl($1)
+ admin_pattern($1, keystone_unit_file_t)
+ allow $1 keystone_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/keystone.te b/keystone.te
index 992964774..c573d0ed5 100644
--- a/keystone.te
+++ b/keystone.te
@@ -18,13 +18,20 @@ logging_log_file(keystone_log_t)
type keystone_var_lib_t;
files_type(keystone_var_lib_t)
+type keystone_var_run_t;
+files_pid_file(keystone_var_run_t)
+
type keystone_tmp_t;
files_tmp_file(keystone_tmp_t)
+type keystone_unit_file_t;
+systemd_unit_file(keystone_unit_file_t)
+
########################################
#
# Local policy
#
+allow keystone_t self:process { getsched setsched signal };
allow keystone_t self:fifo_file rw_fifo_file_perms;
allow keystone_t self:unix_stream_socket { accept listen };
@@ -45,6 +52,10 @@ manage_dirs_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
manage_files_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
files_var_lib_filetrans(keystone_t, keystone_var_lib_t, dir)
+manage_dirs_pattern(keystone_t, keystone_var_run_t, keystone_var_run_t)
+manage_files_pattern(keystone_t, keystone_var_run_t, keystone_var_run_t)
+files_pid_filetrans(keystone_t, keystone_var_run_t, { dir })
+
can_exec(keystone_t, keystone_tmp_t)
kernel_read_system_state(keystone_t)
@@ -57,20 +68,53 @@ corenet_all_recvfrom_netlabel(keystone_t)
corenet_tcp_sendrecv_generic_if(keystone_t)
corenet_tcp_sendrecv_generic_node(keystone_t)
corenet_tcp_bind_generic_node(keystone_t)
+corenet_tcp_connect_mysqld_port(keystone_t)
+corenet_tcp_connect_ldap_port(keystone_t)
+corenet_tcp_connect_keystone_port(keystone_t)
+corenet_tcp_connect_amqp_port(keystone_t)
+corenet_tcp_connect_osapi_compute_port(keystone_t)
corenet_sendrecv_commplex_main_server_packets(keystone_t)
corenet_tcp_bind_commplex_main_port(keystone_t)
corenet_tcp_sendrecv_commplex_main_port(keystone_t)
-files_read_usr_files(keystone_t)
+corenet_tcp_bind_keystone_port(keystone_t)
auth_use_pam(keystone_t)
libs_exec_ldconfig(keystone_t)
-miscfiles_read_localization(keystone_t)
+optional_policy(`
+ ldap_stream_connect(keystone_t)
+')
optional_policy(`
mysql_stream_connect(keystone_t)
mysql_tcp_connect(keystone_t)
+ mysql_read_db_lnk_files(keystone_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(keystone_t)
+')
+
+optional_policy(`
+ rpm_exec(keystone_t)
+')
+
+#######################################
+#
+# Cgi local policy
+#
+
+optional_policy(`
+ apache_content_template(keystone_cgi)
+ apache_content_alias_template(keystone_cgi, keystone_cgi)
+
+ getattr_dirs_pattern(keystone_cgi_script_t, keystone_var_lib_t, keystone_var_lib_t)
+
+ read_files_pattern(keystone_cgi_script_t, keystone_log_t, keystone_log_t)
+
+ corenet_tcp_bind_commplex_main_port(keystone_cgi_script_t)
+ corenet_tcp_sendrecv_commplex_main_port(keystone_cgi_script_t)
')
diff --git a/kismet.if b/kismet.if
index aa2a3379b..7ff229f32 100644
--- a/kismet.if
+++ b/kismet.if
@@ -283,7 +283,7 @@ interface(`kismet_manage_log',`
interface(`kismet_admin',`
gen_require(`
type kismet_t, kismet_var_lib_t, kismet_var_run_t;
- type kismet_log_t, kismet_tmp_t;
+ type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
')
init_labeled_script_domtrans($1, kismet_initrc_exec_t)
@@ -292,7 +292,11 @@ interface(`kismet_admin',`
allow $2 system_r;
ps_process_pattern($1, kismet_t)
- allow $1 kismet_t:process { ptrace signal_perms };
+ allow $1 kismet_t:process signal_perms;
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 kismet_t:process ptrace;
+ ')
files_search_var_lib($1)
admin_pattern($1, kismet_var_lib_t)
diff --git a/kismet.te b/kismet.te
index 8ad0d4d50..01e503790 100644
--- a/kismet.te
+++ b/kismet.te
@@ -38,7 +38,7 @@ files_pid_file(kismet_var_run_t)
# Local policy
#
-allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid };
+allow kismet_t self:capability { dac_read_search dac_override kill net_admin net_raw setuid setgid };
allow kismet_t self:process signal_perms;
allow kismet_t self:fifo_file rw_fifo_file_perms;
allow kismet_t self:packet_socket create_socket_perms;
@@ -81,25 +81,22 @@ kernel_read_network_state(kismet_t)
corecmd_exec_bin(kismet_t)
-corenet_all_recvfrom_unlabeled(kismet_t)
corenet_all_recvfrom_netlabel(kismet_t)
corenet_tcp_sendrecv_generic_if(kismet_t)
corenet_tcp_sendrecv_generic_node(kismet_t)
corenet_tcp_bind_generic_node(kismet_t)
-corenet_sendrecv_kismet_server_packets(kismet_t)
-corenet_tcp_bind_kismet_port(kismet_t)
-corenet_sendrecv_kismet_client_packets(kismet_t)
-corenet_tcp_connect_kismet_port(kismet_t)
-corenet_tcp_sendrecv_kismet_port(kismet_t)
+corenet_tcp_connect_pulseaudio_port(kismet_t)
-auth_use_nsswitch(kismet_t)
-
-files_read_usr_files(kismet_t)
+corenet_sendrecv_rtsclient_server_packets(kismet_t)
+corenet_tcp_bind_rtsclient_port(kismet_t)
+corenet_sendrecv_rtsclient_client_packets(kismet_t)
+corenet_tcp_connect_rtsclient_port(kismet_t)
-miscfiles_read_localization(kismet_t)
+auth_use_nsswitch(kismet_t)
-userdom_use_user_terminals(kismet_t)
+userdom_use_inherited_user_terminals(kismet_t)
+userdom_read_user_tmp_files(kismet_t)
optional_policy(`
dbus_system_bus_client(kismet_t)
diff --git a/kmscon.fc b/kmscon.fc
new file mode 100644
index 000000000..ccd29c079
--- /dev/null
+++ b/kmscon.fc
@@ -0,0 +1,3 @@
+/usr/bin/kmscon -- gen_context(system_u:object_r:kmscon_exec_t,s0)
+/usr/lib/systemd/system/kmscon.*\.* -- gen_context(system_u:object_r:kmscon_unit_file_t,s0)
+/etc/kmscon(/.*)? gen_context(system_u:object_r:kmscon_conf_t,s0)
diff --git a/kmscon.if b/kmscon.if
new file mode 100644
index 000000000..b9347faa9
--- /dev/null
+++ b/kmscon.if
@@ -0,0 +1,25 @@
+## Terminal emulator for Linux graphical console
+
+########################################
+##
+## Execute kmscon in the kmscon domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`kmscon_systemctl',`
+ gen_require(`
+ type kmscon_unit_file_t;
+ type kmscon_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 kmscon_unit_file_t:file read_file_perms;
+ allow $1 kmscon_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, kmscon_t)
+')
diff --git a/kmscon.te b/kmscon.te
new file mode 100644
index 000000000..32a9e1356
--- /dev/null
+++ b/kmscon.te
@@ -0,0 +1,88 @@
+# KMSCon SELinux policy module
+# Contributed by Lubomir Rintel
+
+########################################
+#
+# Declarations
+#
+policy_module(kmscon, 1.0)
+
+type kmscon_t;
+type kmscon_exec_t;
+init_daemon_domain(kmscon_t, kmscon_exec_t)
+
+type kmscon_conf_t;
+files_config_file(kmscon_conf_t)
+
+type kmscon_unit_file_t;
+systemd_unit_file(kmscon_unit_file_t)
+
+type kmscon_devpts_t;
+term_pty(kmscon_devpts_t)
+# Label this as t, so that login_t can read our terminal with use_all_ttys()
+term_tty(kmscon_devpts_t)
+
+########################################
+#
+# zoneminder local policy
+#
+
+# Switch the VT into a graphics mode ; Set DRM master
+allow kmscon_t self:capability {sys_admin sys_tty_config};
+
+dontaudit kmscon_t self:capability2 block_suspend;
+
+# Create an udev monitor
+allow kmscon_t self:netlink_kobject_uevent_socket { bind create setopt getattr };
+
+allow kmscon_t kmscon_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+term_create_pty(kmscon_t, kmscon_devpts_t)
+
+list_dirs_pattern(kmscon_t, kmscon_conf_t, kmscon_conf_t)
+read_files_pattern(kmscon_t, kmscon_conf_t, kmscon_conf_t)
+
+kernel_read_system_state(kmscon_t)
+
+auth_read_passwd(kmscon_t)
+
+dev_rw_dri(kmscon_t)
+dev_read_sysfs(kmscon_t)
+dev_read_framebuffer(kmscon_t)
+dev_write_framebuffer(kmscon_t)
+dev_rw_input_dev(kmscon_t)
+
+# Get allowed path length for directory with modules
+fs_getattr_xattr_fs(kmscon_t)
+
+locallogin_domtrans(kmscon_t)
+
+miscfiles_read_fonts(kmscon_t)
+miscfiles_manage_fonts_cache(kmscon_t)
+
+# Open the tty, so that it can be handed over to the seat manager
+term_use_unallocated_ttys(kmscon_t)
+
+optional_policy(`
+ # Learn about the input devices
+ udev_read_db(kmscon_t)
+')
+
+optional_policy(`
+ # Fontconfig and Pango configuration
+ gnome_read_home_config(kmscon_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(kmscon_t)
+ init_dbus_chat(kmscon_t)
+
+ optional_policy(`
+ systemd_dbus_chat_logind(kmscon_t)
+
+ # List seats
+ systemd_login_list_pid_dirs(kmscon_t)
+ systemd_login_read_pid_files(kmscon_t)
+
+ kmscon_systemctl(systemd_logind_t)
+ ')
+')
diff --git a/ksmtuned.fc b/ksmtuned.fc
index e736c450c..4b1e1e453 100644
--- a/ksmtuned.fc
+++ b/ksmtuned.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
+/usr/lib/systemd/system/ksmtuned.* -- gen_context(system_u:object_r:ksmtuned_unit_file_t,s0)
+
/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)
diff --git a/ksmtuned.if b/ksmtuned.if
index 93a64bc50..af6d741d6 100644
--- a/ksmtuned.if
+++ b/ksmtuned.if
@@ -38,6 +38,30 @@ interface(`ksmtuned_initrc_domtrans',`
init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t)
')
+#######################################
+##
+## Execute ksmtuned server in the ksmtunedd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ksmtuned_systemctl',`
+ gen_require(`
+ type ksmtuned_unit_file_t;
+ type ksmtuned_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 ksmtuned_unit_file_t:file read_file_perms;
+ allow $1 ksmtuned_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ksmtuned_t)
+')
+
########################################
##
## All of the rules required to
@@ -48,30 +72,28 @@ interface(`ksmtuned_initrc_domtrans',`
## Domain allowed access.
##
##
-##
-##
-## Role allowed access.
-##
-##
##
#
interface(`ksmtuned_admin',`
gen_require(`
- type ksmtuned_t, ksmtuned_var_run_t;
- type ksmtuned_initrc_exec_t, ksmtuned_log_t;
+ type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t, ksmtuned_unit_file_t;
+ type ksmtuned_log_t;
')
- ksmtuned_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 ksmtuned_initrc_exec_t system_r;
- allow $2 system_r;
-
- allow $1 ksmtuned_t:process { ptrace signal_perms };
+ allow $1 ksmtuned_t:process signal_perms;
ps_process_pattern($1, ksmtuned_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ksmtuned_t:process ptrace;
+ ')
+
files_list_pids($1)
admin_pattern($1, ksmtuned_var_run_t)
logging_search_logs($1)
admin_pattern($1, ksmtuned_log_t)
+
+ ksmtuned_systemctl($1)
+ admin_pattern($1, ksmtuned_unit_file_t)
+ allow $1 ksmtuned_unit_file_t:service all_service_perms;
')
diff --git a/ksmtuned.te b/ksmtuned.te
index 8eef134ac..9636a5343 100644
--- a/ksmtuned.te
+++ b/ksmtuned.te
@@ -5,10 +5,27 @@ policy_module(ksmtuned, 1.1.1)
# Declarations
#
+##
+##
+## Allow ksmtuned to use nfs file systems
+##
+##
+gen_tunable(ksmtuned_use_nfs, false)
+
+##
+##
+## Allow ksmtuned to use cifs/Samba file systems
+##
+##
+gen_tunable(ksmtuned_use_cifs, false)
+
type ksmtuned_t;
type ksmtuned_exec_t;
init_daemon_domain(ksmtuned_t, ksmtuned_exec_t)
+type ksmtuned_unit_file_t;
+systemd_unit_file(ksmtuned_unit_file_t)
+
type ksmtuned_initrc_exec_t;
init_script_file(ksmtuned_initrc_exec_t)
@@ -40,9 +57,10 @@ kernel_read_system_state(ksmtuned_t)
corecmd_exec_bin(ksmtuned_t)
corecmd_exec_shell(ksmtuned_t)
-dev_rw_sysfs(ksmtuned_t)
+dev_manage_sysfs(ksmtuned_t)
domain_read_all_domains_state(ksmtuned_t)
+domain_dontaudit_read_all_domains_state(ksmtuned_t)
mls_file_read_to_clearance(ksmtuned_t)
@@ -52,4 +70,11 @@ auth_use_nsswitch(ksmtuned_t)
logging_send_syslog_msg(ksmtuned_t)
-miscfiles_read_localization(ksmtuned_t)
+tunable_policy(`ksmtuned_use_nfs',`
+ fs_read_nfs_files(ksmtuned_t)
+')
+
+tunable_policy(`ksmtuned_use_cifs',`
+ fs_read_cifs_files(ksmtuned_t)
+ samba_read_share_files(ksmtuned_t)
+')
diff --git a/ktalk.fc b/ktalk.fc
index 38ecb07d1..451067ebd 100644
--- a/ktalk.fc
+++ b/ktalk.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/ntalk.* -- gen_context(system_u:object_r:ktalkd_unit_file_t,s0)
+
/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
/usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
diff --git a/ktalk.if b/ktalk.if
index 19777b806..cd721fd6b 100644
--- a/ktalk.if
+++ b/ktalk.if
@@ -1 +1,77 @@
-## KDE Talk daemon.
+
+## talk-server - daemon programs for the Internet talk
+
+########################################
+##
+## Execute TEMPLATE in the ktalkd domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ktalk_domtrans',`
+ gen_require(`
+ type ktalkd_t, ktalkd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ktalkd_exec_t, ktalkd_t)
+')
+########################################
+##
+## Execute ktalkd server in the ktalkd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ktalk_systemctl',`
+ gen_require(`
+ type ktalkd_t;
+ type ktalkd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 ktalkd_unit_file_t:file read_file_perms;
+ allow $1 ktalkd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ktalkd_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an ktalkd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`ktalk_admin',`
+ gen_require(`
+ type ktalkd_t;
+ type ktalkd_unit_file_t;
+ ')
+
+ allow $1 ktalkd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ktalkd_t)
+
+ ktalk_systemctl($1)
+ admin_pattern($1, ktalkd_unit_file_t)
+ allow $1 ktalkd_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/ktalk.te b/ktalk.te
index c5548c5ed..1356fcbd2 100644
--- a/ktalk.te
+++ b/ktalk.te
@@ -13,6 +13,9 @@ inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t)
type ktalkd_log_t;
logging_log_file(ktalkd_log_t)
+type ktalkd_unit_file_t;
+systemd_unit_file(ktalkd_unit_file_t)
+
type ktalkd_tmp_t;
files_tmp_file(ktalkd_tmp_t)
@@ -50,7 +53,8 @@ dev_read_urand(ktalkd_t)
fs_getattr_xattr_fs(ktalkd_t)
-term_use_all_terms(ktalkd_t)
+term_search_ptys(ktalkd_t)
+term_use_all_inherited_terms(ktalkd_t)
auth_use_nsswitch(ktalkd_t)
@@ -58,4 +62,5 @@ init_read_utmp(ktalkd_t)
logging_send_syslog_msg(ktalkd_t)
-miscfiles_read_localization(ktalkd_t)
+userdom_use_user_ptys(ktalkd_t)
+userdom_use_user_ttys(ktalkd_t)
diff --git a/kubernetes.fc b/kubernetes.fc
new file mode 100644
index 000000000..6ab641c51
--- /dev/null
+++ b/kubernetes.fc
@@ -0,0 +1,13 @@
+/usr/lib/systemd/system/kubelet.* -- gen_context(system_u:object_r:kubelet_unit_file_t,s0)
+/usr/lib/systemd/system/kube-apiserver.* -- gen_context(system_u:object_r:kube_apiserver_unit_file_t,s0)
+/usr/lib/systemd/system/kube-controller-manager.* -- gen_context(system_u:object_r:kube_controller_manager_unit_file_t,s0)
+/usr/lib/systemd/system/kube-proxy.* -- gen_context(system_u:object_r:kube_proxy_unit_file_t,s0)
+
+/usr/bin/kubelet -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/bin/kube-apiserver -- gen_context(system_u:object_r:kube_apiserver_exec_t,s0)
+/usr/bin/kube-controller-manager -- gen_context(system_u:object_r:kube_controller_manager_exec_t,s0)
+/usr/bin/kube-proxy -- gen_context(system_u:object_r:kube_proxy_exec_t,s0)
+
+/var/lib/kubelet(/.*)? gen_context(system_u:object_r:kubelet_var_lib_t,s0)
+
+
diff --git a/kubernetes.if b/kubernetes.if
new file mode 100644
index 000000000..b2841e526
--- /dev/null
+++ b/kubernetes.if
@@ -0,0 +1,87 @@
+## SELinux policy for Kubernetes container management
+
+######################################
+##
+## Creates types and rules for a basic
+## kube init daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`kubernetes_domain_template',`
+ gen_require(`
+ attribute kubernetes_domain;
+ ')
+
+ ##############################
+ #
+ # $1_t declarations
+ #
+
+ type $1_t, kubernetes_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+ type $1_unit_file_t;
+ systemd_unit_file($1_unit_file_t)
+')
+
+########################################
+##
+## Search kubernetes lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kubernetes_search_lib_kubelet',`
+ gen_require(`
+ type kubelet_var_lib_t;
+ ')
+
+ allow $1 kubelet_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read kubernetes lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kubernetes_read_lib_files_kubelet',`
+ gen_require(`
+ type kubelet_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, kubelet_var_lib_t, kubelet_var_lib_t)
+')
+
+########################################
+##
+## Manage kubernetes lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kubernetes_manage_lib_files_kubelet',`
+ gen_require(`
+ type kubelet_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, kubelet_var_lib_t, kubelet_var_lib_t)
+')
diff --git a/kubernetes.te b/kubernetes.te
new file mode 100644
index 000000000..b625b5343
--- /dev/null
+++ b/kubernetes.te
@@ -0,0 +1,76 @@
+policy_module(kubernetes, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute kubernetes_domain;
+
+kubernetes_domain_template(kube_apiserver)
+kubernetes_domain_template(kube_controller_manager)
+kubernetes_domain_template(kube_proxy)
+kubernetes_domain_template(kubelet)
+
+permissive kube_apiserver_t;
+permissive kube_controller_manager_t;
+permissive kube_proxy_t;
+permissive kubelet_t;
+
+type kubelet_var_lib_t;
+files_type(kubelet_var_lib_t)
+
+########################################
+#
+# kubernetes domain local policy
+#
+
+# this is kernel bug which is going to be fixed
+# needs to be removed then
+dontaudit kubernetes_domain self:capability2 block_suspend;
+
+allow kubernetes_domain self:tcp_socket create_stream_socket_perms;
+
+kernel_read_unix_sysctls(kubernetes_domain)
+kernel_read_net_sysctls(kubernetes_domain)
+
+auth_read_passwd(kubernetes_domain)
+
+corenet_tcp_bind_generic_node(kubernetes_domain)
+
+corenet_tcp_connect_http_cache_port(kubernetes_domain)
+corenet_tcp_connect_kubernetes_port(kubernetes_domain)
+
+########################################
+#
+# kubelet local policy
+#
+
+allow kubelet_t self:capability net_admin;
+
+manage_dirs_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_lnk_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir)
+
+corenet_tcp_bind_kubernetes_port(kubelet_t)
+
+########################################
+#
+# kube_controller local policy
+#
+
+
+########################################
+#
+# kube_apiserver local policy
+#
+
+corenet_tcp_bind_http_cache_port(kube_apiserver_t)
+
+########################################
+#
+# kube_proxy local policy
+#
+
+allow kube_proxy_t self:capability net_admin;
diff --git a/kudzu.if b/kudzu.if
index 52970645f..6ba810834 100644
--- a/kudzu.if
+++ b/kudzu.if
@@ -86,9 +86,13 @@ interface(`kudzu_admin',`
type kudzu_tmp_t;
')
- allow $1 kudzu_t:process { ptrace signal_perms };
+ allow $1 kudzu_t:process { signal_perms };
ps_process_pattern($1, kudzu_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 kudzu_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, kudzu_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 kudzu_initrc_exec_t system_r;
diff --git a/kudzu.te b/kudzu.te
index 16640364b..ee7a9a1d5 100644
--- a/kudzu.te
+++ b/kudzu.te
@@ -26,7 +26,7 @@ files_pid_file(kudzu_var_run_t)
# Local policy
#
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
+allow kudzu_t self:capability { dac_read_search dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
dontaudit kudzu_t self:capability sys_tty_config;
allow kudzu_t self:process { signal_perms execmem };
allow kudzu_t self:fifo_file rw_fifo_file_perms;
@@ -47,7 +47,7 @@ kernel_read_device_sysctls(kudzu_t)
kernel_read_kernel_sysctls(kudzu_t)
kernel_read_network_state(kudzu_t)
kernel_read_system_state(kudzu_t)
-kernel_rw_hotplug_sysctls(kudzu_t)
+kernel_rw_usermodehelper_state(kudzu_t)
kernel_rw_kernel_sysctl(kudzu_t)
corecmd_exec_all_executables(kudzu_t)
@@ -63,7 +63,6 @@ dev_rwx_zero(kudzu_t)
domain_use_interactive_fds(kudzu_t)
files_read_kernel_modules(kudzu_t)
-files_read_usr_files(kudzu_t)
files_search_locks(kudzu_t)
files_manage_etc_files(kudzu_t)
files_manage_etc_runtime_files(kudzu_t)
@@ -101,11 +100,10 @@ libs_read_lib_files(kudzu_t)
logging_send_syslog_msg(kudzu_t)
miscfiles_read_hwdata(kudzu_t)
-miscfiles_read_localization(kudzu_t)
sysnet_read_config(kudzu_t)
-userdom_use_user_terminals(kudzu_t)
+userdom_use_inherited_user_terminals(kudzu_t)
userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
userdom_search_user_home_dirs(kudzu_t)
@@ -121,10 +119,6 @@ optional_policy(`
modutils_domtrans_insmod(kudzu_t)
')
-optional_policy(`
- nscd_use(kudzu_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(kudzu_t)
')
@@ -132,7 +126,3 @@ optional_policy(`
optional_policy(`
udev_read_db(kudzu_t)
')
-
-optional_policy(`
- unconfined_domtrans(kudzu_t)
-')
diff --git a/l2tp.fc b/l2tp.fc
index d5d1572b1..ddc6ef210 100644
--- a/l2tp.fc
+++ b/l2tp.fc
@@ -5,7 +5,9 @@
/etc/sysconfig/.*l2tpd -- gen_context(system_u:object_r:l2tp_conf_t,s0)
/usr/sbin/.*l2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
+/usr/libexec/nm-l2tp-service -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
/var/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
/var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0)
/var/run/.*l2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
+/var/run/*.xl2tpd.* -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
diff --git a/l2tp.if b/l2tp.if
index 73e2803ee..34ca3aa22 100644
--- a/l2tp.if
+++ b/l2tp.if
@@ -1,9 +1,45 @@
-## Layer 2 Tunneling Protocol.
+## Layer 2 Tunneling Protocol daemons.
########################################
##
-## Send to l2tpd with a unix
-## domain dgram socket.
+## Transition to l2tpd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`l2tpd_domtrans',`
+ gen_require(`
+ type l2tpd_t, l2tpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, l2tpd_exec_t, l2tpd_t)
+')
+
+########################################
+##
+## Execute l2tpd server in the l2tpd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`l2tpd_initrc_domtrans',`
+ gen_require(`
+ type l2tpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
+')
+
+########################################
+##
+## Send to l2tpd via a unix dgram socket.
##
##
##
@@ -16,7 +52,6 @@ interface(`l2tpd_dgram_send',`
type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t;
')
- files_search_pids($1)
files_search_tmp($1)
dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
')
@@ -39,10 +74,29 @@ interface(`l2tpd_rw_socket',`
allow $1 l2tpd_t:socket rw_socket_perms;
')
+########################################
+##
+## Read l2tpd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`l2tpd_read_pid_files',`
+ gen_require(`
+ type l2tpd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 l2tpd_var_run_t:file read_file_perms;
+')
+
#####################################
##
-## Connect to l2tpd with a unix
-## domain stream socket.
+## Connect to l2tpd over a unix domain
+## stream socket.
##
##
##
@@ -56,14 +110,107 @@ interface(`l2tpd_stream_connect',`
')
files_search_pids($1)
- files_search_tmp($1)
- stream_connect_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
+ stream_connect_pattern($1, l2tpd_tmp_t, l2tpd_tmp_t, l2tpd_t)
+ stream_connect_pattern($1, l2tpd_var_run_t, l2tpd_var_run_t, l2tpd_t)
')
########################################
##
-## All of the rules required to
-## administrate an l2tp environment.
+## Read and write l2tpd unnamed pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`l2tpd_rw_pipes',`
+ gen_require(`
+ type l2tpd_t;
+ ')
+
+ allow $1 l2tpd_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+##
+## Allow send a signal to l2tpd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`l2tpd_signal',`
+ gen_require(`
+ type l2tpd_t;
+ ')
+
+ allow $1 l2tpd_t:process signal;
+')
+
+########################################
+##
+## Allow send signull to l2tpd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`l2tpd_signull',`
+ gen_require(`
+ type l2tpd_t;
+ ')
+
+ allow $1 l2tpd_t:process signull;
+')
+
+########################################
+##
+## Allow send sigkill to l2tpd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`l2tpd_sigkill',`
+ gen_require(`
+ type l2tpd_t;
+ ')
+
+ allow $1 l2tpd_t:process sigkill;
+')
+
+########################################
+##
+## Send and receive messages from
+## l2tpd over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`l2tpd_dbus_chat',`
+ gen_require(`
+ type l2tpd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 l2tpd_t:dbus send_msg;
+ allow l2tpd_t $1:dbus send_msg;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an l2tpd environment
##
##
##
@@ -77,16 +224,20 @@ interface(`l2tpd_stream_connect',`
##
##
#
-interface(`l2tp_admin',`
+interface(`l2tpd_admin',`
gen_require(`
type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t;
type l2tp_conf_t, l2tpd_tmp_t;
')
- allow $1 l2tpd_t:process { ptrace signal_perms };
+ allow $1 l2tpd_t:process signal_perms;
ps_process_pattern($1, l2tpd_t)
- init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 l2tpd_t:process ptrace;
+ ')
+
+ l2tpd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 l2tpd_initrc_exec_t system_r;
allow $2 system_r;
diff --git a/l2tp.te b/l2tp.te
index bb06a7fee..01e784bf5 100644
--- a/l2tp.te
+++ b/l2tp.te
@@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t)
#
allow l2tpd_t self:capability net_admin;
-allow l2tpd_t self:process signal;
+allow l2tpd_t self:process signal_perms;
allow l2tpd_t self:fifo_file rw_fifo_file_perms;
allow l2tpd_t self:netlink_socket create_socket_perms;
allow l2tpd_t self:rawip_socket create_socket_perms;
@@ -42,11 +42,13 @@ manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
manage_sock_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
-files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file })
+files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file fifo_file })
manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
+can_exec(l2tpd_t, l2tpd_exec_t)
+
corenet_all_recvfrom_unlabeled(l2tpd_t)
corenet_all_recvfrom_netlabel(l2tpd_t)
corenet_raw_sendrecv_generic_if(l2tpd_t)
@@ -75,18 +77,36 @@ corecmd_exec_bin(l2tpd_t)
dev_read_urand(l2tpd_t)
-files_read_etc_files(l2tpd_t)
-
term_setattr_generic_ptys(l2tpd_t)
term_use_generic_ptys(l2tpd_t)
term_use_ptmx(l2tpd_t)
-logging_send_syslog_msg(l2tpd_t)
+auth_read_passwd(l2tpd_t)
-miscfiles_read_localization(l2tpd_t)
+logging_send_syslog_msg(l2tpd_t)
sysnet_dns_name_resolve(l2tpd_t)
+optional_policy(`
+ dbus_system_bus_client(l2tpd_t)
+ dbus_connect_system_bus(l2tpd_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(l2tpd_t)
+ ')
+')
+
+optional_policy(`
+ ipsec_domtrans_mgmt(l2tpd_t)
+ ipsec_mgmt_read_pid(l2tpd_t)
+ ipsec_filetrans_key_file(l2tpd_t)
+ ipsec_manage_key_file(l2tpd_t)
+')
+
+optional_policy(`
+ networkmanager_manage_pid_files(l2tpd_t)
+')
+
optional_policy(`
ppp_domtrans(l2tpd_t)
ppp_signal(l2tpd_t)
diff --git a/ldap.fc b/ldap.fc
index b7e567916..c93db3316 100644
--- a/ldap.fc
+++ b/ldap.fc
@@ -1,8 +1,11 @@
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
-/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0)
+
+/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0)
/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
-/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:slapd_unit_file_t,s0)
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
@@ -22,8 +25,7 @@
/var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0)
/var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0)
-/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
-/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
-/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
-/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
-/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/ldap.if b/ldap.if
index 3602712d0..af83a5b6b 100644
--- a/ldap.if
+++ b/ldap.if
@@ -1,8 +1,69 @@
-## OpenLDAP directory server.
+## OpenLDAP directory server
+
+#######################################
+##
+## Execute OpenLDAP in the ldap domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ldap_domtrans',`
+ gen_require(`
+ type slapd_t, slapd_exec_t;
+ ')
+
+ domtrans_pattern($1, slapd_exec_t, slapd_t)
+')
+
+#######################################
+##
+## Execute OpenLDAP server in the ldap domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ldap_initrc_domtrans',`
+ gen_require(`
+ type slapd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, slapd_initrc_exec_t)
+')
+
+########################################
+##
+## Execute slapd server in the slapd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ldap_systemctl',`
+ gen_require(`
+ type slapd_unit_file_t;
+ type slapd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 slapd_unit_file_t:file read_file_perms;
+ allow $1 slapd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, slapd_t)
+')
########################################
##
-## List ldap database directories.
+## Read the contents of the OpenLDAP
+## database directories.
##
##
##
@@ -15,13 +76,31 @@ interface(`ldap_list_db',`
type slapd_db_t;
')
- files_search_etc($1)
allow $1 slapd_db_t:dir list_dir_perms;
')
########################################
##
-## Read ldap configuration files.
+## Read the contents of the OpenLDAP
+## database files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ldap_read_db_files',`
+ gen_require(`
+ type slapd_db_t;
+ ')
+
+ read_files_pattern($1, slapd_db_t, slapd_db_t)
+')
+
+########################################
+##
+## Read the OpenLDAP configuration files.
##
##
##
@@ -41,22 +120,29 @@ interface(`ldap_read_config',`
########################################
##
-## Use LDAP over TCP connection. (Deprecated)
+## Read the OpenLDAP cert files.
##
##
##
## Domain allowed access.
##
##
+##
#
-interface(`ldap_use',`
- refpolicywarn(`$0($*) has been deprecated.')
+interface(`ldap_read_certs',`
+ gen_require(`
+ type slapd_cert_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 slapd_cert_t:dir list_dir_perms;
+ read_files_pattern($1, slapd_cert_t, slapd_cert_t)
+ read_lnk_files_pattern($1, slapd_cert_t, slapd_cert_t)
')
########################################
##
-## Connect to slapd over an unix
-## stream socket.
+## Use LDAP over TCP connection. (Deprecated)
##
##
##
@@ -64,18 +150,13 @@ interface(`ldap_use',`
##
##
#
-interface(`ldap_stream_connect',`
- gen_require(`
- type slapd_t, slapd_var_run_t;
- ')
-
- files_search_pids($1)
- stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
+interface(`ldap_use',`
+ refpolicywarn(`$0($*) has been deprecated.')
')
########################################
##
-## Connect to ldap over the network.
+## Connect to slapd over an unix stream socket.
##
##
##
@@ -83,21 +164,19 @@ interface(`ldap_stream_connect',`
##
##
#
-interface(`ldap_tcp_connect',`
+interface(`ldap_stream_connect',`
gen_require(`
- type slapd_t;
+ type slapd_t, slapd_var_run_t;
')
- corenet_sendrecv_ldap_client_packets($1)
- corenet_tcp_connect_ldap_port($1)
- corenet_tcp_recvfrom_labeled($1, slapd_t)
- corenet_tcp_sendrecv_ldap_port($1)
+ files_search_pids($1)
+ stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
')
########################################
##
-## All of the rules required to
-## administrate an ldap environment.
+## All of the rules required to administrate
+## an ldap environment
##
##
##
@@ -106,7 +185,7 @@ interface(`ldap_tcp_connect',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the ldap domain.
##
##
##
@@ -117,11 +196,16 @@ interface(`ldap_admin',`
type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
type slapd_db_t, slapd_keytab_t;
+ type slapd_unit_file_t;
')
- allow $1 slapd_t:process { ptrace signal_perms };
+ allow $1 slapd_t:process signal_perms;
ps_process_pattern($1, slapd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 slapd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, slapd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 slapd_initrc_exec_t system_r;
@@ -130,13 +214,9 @@ interface(`ldap_admin',`
files_list_etc($1)
admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
- files_list_locks($1)
admin_pattern($1, slapd_lock_t)
- logging_list_logs($1)
- admin_pattern($1, slapd_log_t)
-
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, slapd_replog_t)
files_list_tmp($1)
@@ -144,4 +224,8 @@ interface(`ldap_admin',`
files_list_pids($1)
admin_pattern($1, slapd_var_run_t)
+
+ ldap_systemctl($1)
+ admin_pattern($1, slapd_unit_file_t)
+ allow $1 slapd_unit_file_t:service all_service_perms;
')
diff --git a/ldap.te b/ldap.te
index 4c2b1110e..1c922b340 100644
--- a/ldap.te
+++ b/ldap.te
@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
type slapd_initrc_exec_t;
init_script_file(slapd_initrc_exec_t)
+type slapd_unit_file_t;
+systemd_unit_file(slapd_unit_file_t)
+
type slapd_keytab_t;
files_type(slapd_keytab_t)
@@ -49,7 +52,8 @@ files_pid_file(slapd_var_run_t)
allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
dontaudit slapd_t self:capability sys_tty_config;
-allow slapd_t self:process setsched;
+dontaudit slapd_t self:capability2 block_suspend;
+allow slapd_t self:process { setsched signal } ;
allow slapd_t self:fifo_file rw_fifo_file_perms;
allow slapd_t self:tcp_socket { accept listen };
@@ -60,6 +64,7 @@ read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t)
manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
+allow slapd_t slapd_db_t:file map;
allow slapd_t slapd_etc_t:file read_file_perms;
@@ -69,9 +74,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms;
files_lock_filetrans(slapd_t, slapd_lock_t, file)
manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
-append_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
-create_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
-setattr_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
@@ -80,7 +83,8 @@ manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
-files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
+manage_lnk_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
+files_tmp_filetrans(slapd_t, slapd_tmp_t, { file lnk_file dir })
manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t)
fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file)
@@ -89,11 +93,11 @@ manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
+allow slapd_t slapd_var_run_t:file map;
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
-corenet_all_recvfrom_unlabeled(slapd_t)
corenet_all_recvfrom_netlabel(slapd_t)
corenet_tcp_sendrecv_generic_if(slapd_t)
corenet_tcp_sendrecv_generic_node(slapd_t)
@@ -115,25 +119,27 @@ fs_getattr_all_fs(slapd_t)
fs_search_auto_mountpoints(slapd_t)
files_read_etc_runtime_files(slapd_t)
-files_read_usr_files(slapd_t)
files_list_var_lib(slapd_t)
auth_use_nsswitch(slapd_t)
+auth_rw_cache(slapd_t)
logging_send_syslog_msg(slapd_t)
miscfiles_read_generic_certs(slapd_t)
-miscfiles_read_localization(slapd_t)
+miscfiles_map_generic_certs(slapd_t)
userdom_dontaudit_use_unpriv_user_fds(slapd_t)
userdom_dontaudit_search_user_home_dirs(slapd_t)
+usermanage_read_crack_db(slapd_t)
+
optional_policy(`
kerberos_manage_host_rcache(slapd_t)
kerberos_read_keytab(slapd_t)
- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldapmap1_0")
- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_487")
- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_55")
+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_55")
kerberos_use(slapd_t)
')
diff --git a/lightsquid.fc b/lightsquid.fc
index 044390c6e..63e205863 100644
--- a/lightsquid.fc
+++ b/lightsquid.fc
@@ -1,11 +1,11 @@
/etc/cron\.daily/lightsquid -- gen_context(system_u:object_r:lightsquid_exec_t,s0)
-/usr/lib/cgi-bin/lightsquid/.*\.cfg -- gen_context(system_u:object_r:httpd_lightsquid_content_t,s0)
-/usr/lib/cgi-bin/lightsquid/.*\.cgi -- gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0)
+/usr/lib/cgi-bin/lightsquid/.*\.cfg -- gen_context(system_u:object_r:lightsquid_content_t,s0)
+/usr/lib/cgi-bin/lightsquid/.*\.cgi -- gen_context(system_u:object_r:lightsquid_script_exec_t,s0)
-/usr/share/lightsquid/cgi/.*\.cgi -- gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0)
+/usr/share/lightsquid/cgi/.*\.cgi -- gen_context(system_u:object_r:lightsquid_script_exec_t,s0)
/var/lightsquid(/.*)? gen_context(system_u:object_r:lightsquid_rw_content_t,s0)
-/var/www/html/lightsquid(/.*)? gen_context(system_u:object_r:httpd_lightsquid_content_t,s0)
-/var/www/html/lightsquid/report(/.*)? gen_context(system_u:object_r:lightsquid_rw_content_t,s0)
+/var/www/html/lightsquid(/.*)? gen_context(system_u:object_r:lightsquid_content_t,s0)
+/var/www/html/lightsquid/report(/.*)? gen_context(system_u:object_r:lightsquid_report_content_t,s0)
diff --git a/lightsquid.if b/lightsquid.if
index 33a28b9ad..33ffe2484 100644
--- a/lightsquid.if
+++ b/lightsquid.if
@@ -76,5 +76,7 @@ interface(`lightsquid_admin',`
files_search_var_lib($1)
admin_pattern($1, lightsquid_rw_content_t)
- apache_list_sys_content($1)
+ optional_policy(`
+ apache_list_sys_content($1)
+ ')
')
diff --git a/lightsquid.te b/lightsquid.te
index 09c4f27ba..6c7855e4e 100644
--- a/lightsquid.te
+++ b/lightsquid.te
@@ -13,38 +13,34 @@ type lightsquid_exec_t;
application_domain(lightsquid_t, lightsquid_exec_t)
role lightsquid_roles types lightsquid_t;
-type lightsquid_rw_content_t;
-files_type(lightsquid_rw_content_t)
+type lightsquid_report_content_t;
+files_type(lightsquid_report_content_t)
########################################
#
# Local policy
#
-manage_dirs_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
-manage_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
-manage_lnk_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
-files_var_filetrans(lightsquid_t, lightsquid_rw_content_t, dir)
+manage_dirs_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t)
+manage_files_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t)
+manage_lnk_files_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t)
+files_var_filetrans(lightsquid_t, lightsquid_report_content_t, dir)
corecmd_exec_bin(lightsquid_t)
corecmd_exec_shell(lightsquid_t)
dev_read_urand(lightsquid_t)
-files_read_etc_files(lightsquid_t)
-files_read_usr_files(lightsquid_t)
-
-miscfiles_read_localization(lightsquid_t)
-
squid_read_config(lightsquid_t)
squid_read_log(lightsquid_t)
optional_policy(`
apache_content_template(lightsquid)
+ apache_content_alias_template(lightsquid, lightsquid)
- list_dirs_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
- read_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
- read_lnk_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+ list_dirs_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t)
+ read_files_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t)
+ read_lnk_files_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t)
')
optional_policy(`
diff --git a/likewise.if b/likewise.if
index bd20e8cc9..3393a01e6 100644
--- a/likewise.if
+++ b/likewise.if
@@ -1,9 +1,22 @@
## Likewise Active Directory support for UNIX.
+##
+##
+## Likewise Open is a free, open source application that joins Linux, Unix,
+## and Mac machines to Microsoft Active Directory to securely authenticate
+## users with their domain credentials.
+##
+##
#######################################
##
## The template to define a likewise domain.
##
+##
+##
+## This template creates a domain to be used for
+## a new likewise daemon.
+##
+##
##
##
## The type of daemon to be used.
@@ -11,6 +24,7 @@
##
#
template(`likewise_domain_template',`
+
gen_require(`
attribute likewise_domains;
type likewise_var_lib_t;
@@ -24,6 +38,7 @@ template(`likewise_domain_template',`
type $1_t;
type $1_exec_t;
init_daemon_domain($1_t, $1_exec_t)
+ domain_use_interactive_fds($1_t)
typeattribute $1_t likewise_domains;
@@ -38,15 +53,18 @@ template(`likewise_domain_template',`
####################################
#
- # Policy
+ # Local Policy
#
allow $1_t self:process { signal_perms getsched setsched };
allow $1_t self:fifo_file rw_fifo_file_perms;
- allow $1_t self:unix_stream_socket { accept listen };
+ allow $1_t self:unix_dgram_socket create_socket_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
+ allow $1_t likewise_var_lib_t:dir setattr_dir_perms;
+
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
files_pid_filetrans($1_t, $1_var_run_t, file)
@@ -55,12 +73,15 @@ template(`likewise_domain_template',`
manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t)
filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file)
+
+ kernel_read_system_state($1_t)
+
+ logging_send_syslog_msg($1_t)
')
########################################
##
-## Connect to lsassd with a unix domain
-## stream socket.
+## Connect to lsassd.
##
##
##
@@ -76,59 +97,3 @@ interface(`likewise_stream_connect_lsassd',`
files_search_pids($1)
stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
')
-
-########################################
-##
-## All of the rules required to
-## administrate an likewise environment.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-#
-interface(`likewise_admin',`
- gen_require(`
- attribute likewise_domains;
- type likewise_initrc_exec_t, likewise_etc_t, likewise_pstore_lock_t;
- type likewise_krb5_ad_t, likewise_var_lib_t, eventlogd_var_socket_t;
- type lsassd_var_socket_t, lwiod_var_socket_t, lwregd_var_socket_t;
- type lwsmd_var_socket_t, lwsmd_var_lib_t, netlogond_var_socket_t;
- type netlogond_var_lib_t, lsassd_var_lib_t, lwregd_var_lib_t;
- type eventlogd_var_lib_t, dcerpcd_var_lib_t, lsassd_tmp_t;
- type eventlogd_var_run_t, lsassd_var_run_t, lwiod_var_run_t;
- type lwregd_var_run_t, netlogond_var_run_t, srvsvcd_var_run_t;
- ')
-
- allow $1 likewise_domains:process { ptrace signal_perms };
- ps_process_pattern($1, likewise_domains)
-
- init_labeled_script_domtrans($1, likewise_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 likewise_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_list_etc($1)
- admin_pattern($1, { likewise_etc_t likewise_pstore_lock_t likewise_krb5_ad_t })
-
- files_search_var_lib($1)
- admin_pattern($1, { likewise_var_lib_t eventlogd_var_socket_t lsassd_var_socket_t })
- admin_pattern($1, { lwiod_var_socket_t lwregd_var_socket_t lwsmd_var_socket_t })
- admin_pattern($1, { lwsmd_var_lib_t netlogond_var_socket_t netlogond_var_lib_t })
- admin_pattern($1, { lsassd_var_lib_t lwregd_var_lib_t eventlogd_var_lib_t })
- admin_pattern($1, dcerpcd_var_lib_t)
-
- files_list_tmp($1)
- admin_pattern($1, lsassd_tmp_t)
-
- files_list_pids($1)
- admin_pattern($1, { eventlogd_var_run_t lsassd_var_run_t lwiod_var_run_t })
- admin_pattern($1, { lwregd_var_run_t netlogond_var_run_t srvsvcd_var_run_t })
-')
diff --git a/likewise.te b/likewise.te
index d8c2442a8..f5dff3173 100644
--- a/likewise.te
+++ b/likewise.te
@@ -26,7 +26,7 @@ type likewise_var_lib_t;
files_type(likewise_var_lib_t)
type likewise_pstore_lock_t;
-files_type(likewise_pstore_lock_t)
+files_lock_file(likewise_pstore_lock_t)
type likewise_krb5_ad_t;
files_type(likewise_krb5_ad_t)
@@ -41,20 +41,13 @@ files_tmp_file(lsassd_tmp_t)
allow likewise_domains likewise_var_lib_t:dir setattr_dir_perms;
-kernel_read_system_state(likewise_domains)
-
dev_read_rand(likewise_domains)
dev_read_urand(likewise_domains)
domain_use_interactive_fds(likewise_domains)
-files_read_etc_files(likewise_domains)
files_search_var_lib(likewise_domains)
-logging_send_syslog_msg(likewise_domains)
-
-miscfiles_read_localization(likewise_domains)
-
#################################
#
# dcerpcd local policy
@@ -102,7 +95,7 @@ corenet_tcp_sendrecv_epmap_port(eventlogd_t)
# lsassd local policy
#
-allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time };
+allow lsassd_t self:capability { fowner chown fsetid dac_read_search dac_override sys_time };
allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -126,7 +119,6 @@ corecmd_exec_bin(lsassd_t)
corecmd_exec_shell(lsassd_t)
corenet_all_recvfrom_netlabel(lsassd_t)
-corenet_all_recvfrom_unlabeled(lsassd_t)
corenet_tcp_sendrecv_generic_if(lsassd_t)
corenet_tcp_sendrecv_generic_node(lsassd_t)
@@ -165,7 +157,7 @@ optional_policy(`
# lwiod local policy
#
-allow lwiod_t self:capability { fowner chown fsetid dac_override sys_resource };
+allow lwiod_t self:capability { fowner chown fsetid dac_read_search dac_override sys_resource };
allow lwiod_t self:process setrlimit;
allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -221,7 +213,7 @@ stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_
# netlogond local policy
#
-allow netlogond_t self:capability dac_override;
+allow netlogond_t self:capability { dac_read_search dac_override };
manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
@@ -242,7 +234,6 @@ stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_
stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
corenet_all_recvfrom_netlabel(srvsvcd_t)
-corenet_all_recvfrom_unlabeled(srvsvcd_t)
corenet_sendrecv_generic_server_packets(srvsvcd_t)
corenet_tcp_sendrecv_generic_if(srvsvcd_t)
corenet_tcp_sendrecv_generic_node(srvsvcd_t)
diff --git a/linuxptp.fc b/linuxptp.fc
new file mode 100644
index 000000000..d2061a9e4
--- /dev/null
+++ b/linuxptp.fc
@@ -0,0 +1,11 @@
+/usr/lib/systemd/system/phc2sys.* -- gen_context(system_u:object_r:phc2sys_unit_file_t,s0)
+
+/usr/lib/systemd/system/ptp4l.* -- gen_context(system_u:object_r:ptp4l_unit_file_t,s0)
+
+/usr/lib/systemd/system/timemaster.* -- gen_context(system_u:object_r:timemaster_unit_file_t,s0)
+
+/usr/sbin/ptp4l -- gen_context(system_u:object_r:ptp4l_exec_t,s0)
+/usr/sbin/phc2sys -- gen_context(system_u:object_r:phc2sys_exec_t,s0)
+/usr/sbin/timemaster -- gen_context(system_u:object_r:timemaster_exec_t,s0)
+
+/var/run/timemaster(/.*)? gen_context(system_u:object_r:timemaster_var_run_t,s0)
diff --git a/linuxptp.if b/linuxptp.if
new file mode 100644
index 000000000..e2c96f4a8
--- /dev/null
+++ b/linuxptp.if
@@ -0,0 +1,142 @@
+## implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux.
+
+########################################
+##
+## Execute domain in the phc2sys domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`linuxptp_domtrans_phc2sys',`
+ gen_require(`
+ type phc2sys_t, phc2sys_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, phc2sys_exec_t, phc2sys_t)
+')
+
+########################################
+##
+## Execute domain in the phc2sys domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`linuxptp_domtrans_ptp4l',`
+ gen_require(`
+ type ptp4l_t, ptp4l_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ptp4l_exec_t, ptp4l_t)
+')
+######################################
+##
+## Connect to timemaster using a unix
+## domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`timemaster_stream_connect',`
+ gen_require(`
+ type timemaster_t, timemaster_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, timemaster_var_run_t, timemaster_var_run_t, timemaster_t)
+')
+
+########################################
+##
+## Read timemaster conf files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`timemaster_read_pid_files',`
+ gen_require(`
+ type timemaster_var_run_t;
+ ')
+
+ read_files_pattern($1, timemaster_var_run_t, timemaster_var_run_t)
+')
+
+########################################
+##
+## Read and write timemaster shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`timemaster_rw_shm',`
+ gen_require(`
+ type timemaster_t, timemaster_tmpfs_t;
+ ')
+
+ allow $1 timemaster_t:shm rw_shm_perms;
+ list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+##
+## Read and write ptp4l_t shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ptp4l_rw_shm',`
+ gen_require(`
+ type ptp4l_t, timemaster_tmpfs_t;
+ ')
+
+ allow $1 ptp4l_t:shm rw_shm_perms;
+ list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+##
+## Read and write phc2sys_t shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`phc2sys_rw_shm',`
+ gen_require(`
+ type phc2sys_t, timemaster_tmpfs_t;
+ ')
+
+ allow $1 phc2sys_t:shm rw_shm_perms;
+ list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ fs_search_tmpfs($1)
+')
diff --git a/linuxptp.te b/linuxptp.te
new file mode 100644
index 000000000..75611d3e8
--- /dev/null
+++ b/linuxptp.te
@@ -0,0 +1,188 @@
+policy_module(linuxptp, 1.0.0)
+
+
+########################################
+#
+# Declarations
+#
+
+type timemaster_t;
+type timemaster_exec_t;
+init_daemon_domain(timemaster_t, timemaster_exec_t)
+
+type timemaster_var_run_t;
+files_pid_file(timemaster_var_run_t)
+
+type timemaster_tmpfs_t;
+files_tmpfs_file(timemaster_tmpfs_t)
+
+type timemaster_unit_file_t;
+systemd_unit_file(timemaster_unit_file_t)
+
+type phc2sys_t;
+type phc2sys_exec_t;
+init_daemon_domain(phc2sys_t, phc2sys_exec_t)
+
+type phc2sys_unit_file_t;
+systemd_unit_file(phc2sys_unit_file_t)
+
+type ptp4l_t;
+type ptp4l_exec_t;
+init_daemon_domain(ptp4l_t, ptp4l_exec_t)
+
+type ptp4l_unit_file_t;
+systemd_unit_file(ptp4l_unit_file_t)
+
+########################################
+#
+# timemaster local policy
+#
+
+allow timemaster_t self:process { signal_perms setcap};
+allow timemaster_t self:fifo_file rw_fifo_file_perms;
+allow timemaster_t self:capability { setuid sys_time kill setgid };
+allow timemaster_t self:unix_stream_socket create_stream_socket_perms;
+allow timemaster_t self:shm create_shm_perms;
+allow timemaster_t self:udp_socket create_socket_perms;
+
+allow timemaster_t ptp4l_t:process signal;
+allow timemaster_t phc2sys_t:process signal;
+
+allow timemaster_t ptp4l_t:shm rw_shm_perms;
+
+manage_dirs_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_sock_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
+files_pid_filetrans(timemaster_t, timemaster_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+manage_files_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+fs_tmpfs_filetrans(timemaster_t, timemaster_tmpfs_t, { dir file })
+
+kernel_read_network_state(timemaster_t)
+
+auth_use_nsswitch(timemaster_t)
+
+corenet_udp_bind_generic_node(timemaster_t)
+corenet_udp_bind_ntp_port(timemaster_t)
+
+dev_read_urand(timemaster_t)
+
+logging_send_syslog_msg(timemaster_t)
+
+sysnet_read_config(timemaster_t)
+
+optional_policy(`
+ ntp_domtrans(timemaster_t)
+ ntp_signal(timemaster_t)
+')
+
+optional_policy(`
+ chronyd_domtrans(timemaster_t)
+ chronyd_rw_shm(timemaster_t)
+')
+
+optional_policy(`
+ gpsd_rw_shm(timemaster_t)
+')
+
+
+optional_policy(`
+ chronyd_signal(timemaster_t)
+')
+
+
+optional_policy(`
+ linuxptp_domtrans_ptp4l(timemaster_t)
+')
+
+optional_policy(`
+ linuxptp_domtrans_phc2sys(timemaster_t)
+')
+
+########################################
+#
+# phc2sys local policy
+#
+
+allow phc2sys_t self:capability sys_time;
+allow phc2sys_t self:fifo_file rw_fifo_file_perms;
+allow phc2sys_t self:unix_stream_socket create_stream_socket_perms;
+allow phc2sys_t self:shm create_shm_perms;
+allow phc2sys_t self:udp_socket create_socket_perms;
+
+allow phc2sys_t ptp4l_t:unix_dgram_socket sendto;
+
+allow phc2sys_t timemaster_t:shm rw_shm_perms;
+
+manage_dirs_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_sock_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
+files_pid_filetrans(phc2sys_t, timemaster_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+manage_files_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+fs_tmpfs_filetrans(phc2sys_t, timemaster_tmpfs_t, { dir file })
+
+dev_rw_realtime_clock(phc2sys_t)
+
+logging_send_syslog_msg(phc2sys_t)
+
+optional_policy(`
+ chronyd_rw_shm(phc2sys_t)
+')
+
+optional_policy(`
+ gpsd_rw_shm(phc2sys_t)
+')
+
+optional_policy(`
+ ntp_rw_shm(phc2sys_t)
+')
+
+optional_policy(`
+ ptp4l_rw_shm(phc2sys_t)
+')
+
+########################################
+#
+# ptp4l local policy
+#
+
+allow ptp4l_t self:fifo_file rw_fifo_file_perms;
+allow ptp4l_t self:unix_stream_socket create_stream_socket_perms;
+allow ptp4l_t self:shm create_shm_perms;
+allow ptp4l_t self:udp_socket create_socket_perms;
+allow ptp4l_t self:capability { net_admin net_raw sys_time };
+allow ptp4l_t self:capability2 { wake_alarm };
+allow ptp4l_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow ptp4l_t phc2sys_t:unix_dgram_socket sendto;
+
+manage_dirs_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_sock_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
+files_pid_filetrans(ptp4l_t, timemaster_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+manage_files_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+fs_tmpfs_filetrans(ptp4l_t, timemaster_tmpfs_t, { dir file })
+
+corenet_udp_bind_generic_node(ptp4l_t)
+corenet_udp_bind_reserved_port(ptp4l_t)
+
+kernel_read_network_state(ptp4l_t)
+
+dev_rw_realtime_clock(ptp4l_t)
+
+logging_send_syslog_msg(ptp4l_t)
+
+userdom_dgram_send(ptp4l_t)
+
+optional_policy(`
+ chronyd_rw_shm(ptp4l_t)
+')
+
+optional_policy(`
+ gpsd_rw_shm(ptp4l_t)
+')
diff --git a/lircd.if b/lircd.if
index dff21a7c4..b6981c846 100644
--- a/lircd.if
+++ b/lircd.if
@@ -81,8 +81,11 @@ interface(`lircd_admin',`
type lircd_initrc_exec_t, lircd_etc_t;
')
- allow $1 lircd_t:process { ptrace signal_perms };
+ allow $1 lircd_t:process signal_perms;
ps_process_pattern($1, lircd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 lircd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, lircd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/lircd.te b/lircd.te
index 483c87bb6..f9d2e10b1 100644
--- a/lircd.te
+++ b/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
init_script_file(lircd_initrc_exec_t)
type lircd_etc_t;
-files_type(lircd_etc_t)
+files_config_file(lircd_etc_t)
type lircd_var_run_t alias lircd_sock_t;
files_pid_file(lircd_var_run_t)
@@ -23,10 +23,11 @@ files_pid_file(lircd_var_run_t)
# Local policy
#
-allow lircd_t self:capability { chown kill sys_admin };
+allow lircd_t self:capability { chown kill setgid setuid sys_admin dac_read_search dac_override };
allow lircd_t self:process signal;
allow lircd_t self:fifo_file rw_fifo_file_perms;
allow lircd_t self:tcp_socket { accept listen };
+allow lircd_t self:netlink_kobject_uevent_socket create_socket_perms;
read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
@@ -38,6 +39,12 @@ files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file })
dev_filetrans(lircd_t, lircd_var_run_t, sock_file)
kernel_request_load_module(lircd_t)
+kernel_read_system_state(lircd_t)
+
+auth_read_passwd(lircd_t)
+
+corecmd_exec_shell(lircd_t)
+corecmd_exec_bin(lircd_t)
corenet_all_recvfrom_unlabeled(lircd_t)
corenet_all_recvfrom_netlabel(lircd_t)
@@ -64,9 +71,14 @@ files_manage_generic_locks(lircd_t)
files_read_all_locks(lircd_t)
term_use_ptmx(lircd_t)
+term_use_usb_ttys(lircd_t)
+term_use_unallocated_ttys(lircd_t)
+auth_use_nsswitch(lircd_t)
logging_send_syslog_msg(lircd_t)
-miscfiles_read_localization(lircd_t)
-
sysnet_dns_name_resolve(lircd_t)
+
+optional_policy(`
+ sssd_read_public_files(lircd_t)
+')
diff --git a/livecd.if b/livecd.if
index e3541811a..fc614bac2 100644
--- a/livecd.if
+++ b/livecd.if
@@ -38,11 +38,36 @@ interface(`livecd_domtrans',`
#
interface(`livecd_run',`
gen_require(`
+ type livecd_t;
+ type livecd_exec_t;
attribute_role livecd_roles;
')
livecd_domtrans($1)
roleattribute $2 livecd_roles;
+ role_transition $2 livecd_exec_t system_r;
+
+ optional_policy(`
+ rpm_transition_script(livecd_t, $2)
+ ')
+')
+
+########################################
+##
+## Dontaudit read/write to a livecd leaks
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`livecd_dontaudit_leaks',`
+ gen_require(`
+ type livecd_t;
+ ')
+
+ dontaudit $1 livecd_t:unix_dgram_socket { read write };
')
########################################
diff --git a/livecd.te b/livecd.te
index 2f974bf83..f6e97faaf 100644
--- a/livecd.te
+++ b/livecd.te
@@ -21,9 +21,11 @@ files_tmp_file(livecd_tmp_t)
# Local policy
#
-dontaudit livecd_t self:capability2 mac_admin;
+allow livecd_t self:capability2 mac_admin;
-domain_ptrace_all_domains(livecd_t)
+tunable_policy(`deny_ptrace',`',`
+ domain_ptrace_all_domains(livecd_t)
+')
manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
@@ -35,12 +37,13 @@ sysnet_etc_filetrans_config(livecd_t)
optional_policy(`
hal_dbus_chat(livecd_t)
')
+
optional_policy(`
- mount_run(livecd_t, livecd_roles)
+ mount_run(livecd_t, livecd_roles)
')
optional_policy(`
- rpm_domtrans(livecd_t)
+ seutil_run_setfiles_mac(livecd_t, livecd_roles)
')
optional_policy(`
diff --git a/lldpad.fc b/lldpad.fc
index 8031a78eb..72e56acc3 100644
--- a/lldpad.fc
+++ b/lldpad.fc
@@ -5,3 +5,5 @@
/var/lib/lldpad(/.*)? gen_context(system_u:object_r:lldpad_var_lib_t,s0)
/var/run/lldpad.* gen_context(system_u:object_r:lldpad_var_run_t,s0)
+
+/dev/shm/lldpad.* -- gen_context(system_u:object_r:lldpad_tmpfs_t,s0)
diff --git a/lldpad.if b/lldpad.if
index d18c96023..fb5b67416 100644
--- a/lldpad.if
+++ b/lldpad.if
@@ -1,5 +1,24 @@
## Intel LLDP Agent.
+#######################################
+##
+## Transition to lldpad.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`lldpad_domtrans',`
+ gen_require(`
+ type lldpad_t, lldpad_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, lldpad_exec_t, lldpad_t)
+')
+
#######################################
##
## Send to lldpad with a unix dgram socket.
@@ -42,9 +61,13 @@ interface(`lldpad_admin',`
type lldpad_var_run_t;
')
- allow $1 lldpad_t:process { ptrace signal_perms };
+ allow $1 lldpad_t:process { signal_perms };
ps_process_pattern($1, lldpad_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 lldpad_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 lldpad_initrc_exec_t system_r;
diff --git a/lldpad.te b/lldpad.te
index 2a491d96c..d909b408c 100644
--- a/lldpad.te
+++ b/lldpad.te
@@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t)
# Local policy
#
-allow lldpad_t self:capability { net_admin net_raw };
+allow lldpad_t self:capability { net_admin net_raw sys_resource };
allow lldpad_t self:shm create_shm_perms;
allow lldpad_t self:fifo_file rw_fifo_file_perms;
allow lldpad_t self:unix_stream_socket { accept listen };
@@ -36,6 +36,7 @@ allow lldpad_t self:udp_socket create_socket_perms;
manage_files_pattern(lldpad_t, lldpad_tmpfs_t, lldpad_tmpfs_t)
fs_tmpfs_filetrans(lldpad_t, lldpad_tmpfs_t, file)
+allow lldpad_t lldpad_tmpfs_t:file map;
manage_dirs_pattern(lldpad_t, lldpad_var_lib_t, lldpad_var_lib_t)
manage_files_pattern(lldpad_t, lldpad_var_lib_t, lldpad_var_lib_t)
@@ -51,12 +52,20 @@ kernel_request_load_module(lldpad_t)
dev_read_sysfs(lldpad_t)
-files_read_etc_files(lldpad_t)
+fs_getattr_tmpfs(lldpad_t)
logging_send_syslog_msg(lldpad_t)
-miscfiles_read_localization(lldpad_t)
+userdom_dgram_send(lldpad_t)
optional_policy(`
fcoe_dgram_send_fcoemon(lldpad_t)
')
+
+optional_policy(`
+ networkmanager_dgram_send(lldpad_t)
+')
+
+optional_policy(`
+ virt_dgram_send(lldpad_t)
+')
diff --git a/loadkeys.te b/loadkeys.te
index d2f464375..ecbfa88ff 100644
--- a/loadkeys.te
+++ b/loadkeys.te
@@ -25,20 +25,19 @@ kernel_read_system_state(loadkeys_t)
corecmd_exec_bin(loadkeys_t)
corecmd_exec_shell(loadkeys_t)
-files_read_etc_files(loadkeys_t)
files_read_etc_runtime_files(loadkeys_t)
term_dontaudit_use_console(loadkeys_t)
term_use_unallocated_ttys(loadkeys_t)
+auth_read_passwd(loadkeys_t)
+
init_dontaudit_use_fds(loadkeys_t)
init_dontaudit_use_script_ptys(loadkeys_t)
locallogin_use_fds(loadkeys_t)
-miscfiles_read_localization(loadkeys_t)
-
-userdom_use_user_ttys(loadkeys_t)
+userdom_use_inherited_user_ttys(loadkeys_t)
userdom_list_user_home_content(loadkeys_t)
ifdef(`hide_broken_symptoms',`
@@ -52,3 +51,8 @@ optional_policy(`
optional_policy(`
nscd_dontaudit_search_pid(loadkeys_t)
')
+
+optional_policy(`
+ sssd_read_public_files(loadkeys_t)
+ sssd_stream_connect(loadkeys_t)
+')
diff --git a/lockdev.if b/lockdev.if
index 4313b8bc0..cd1435cdf 100644
--- a/lockdev.if
+++ b/lockdev.if
@@ -1,5 +1,25 @@
## Library for locking devices.
+#######################################
+##
+## Create, read, write, and delete
+## lockdev lock files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`lockdev_manage_files',`
+ gen_require(`
+ type lockdev_lock_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, lockdev_lock_t, lockdev_lock_t)
+')
+
########################################
##
## Role access for lockdev.
diff --git a/lockdev.te b/lockdev.te
index 61db5a0a7..9d5d25524 100644
--- a/lockdev.te
+++ b/lockdev.te
@@ -36,4 +36,5 @@ fs_getattr_xattr_fs(lockdev_t)
logging_send_syslog_msg(lockdev_t)
-userdom_use_user_terminals(lockdev_t)
+userdom_use_inherited_user_terminals(lockdev_t)
+
diff --git a/logrotate.fc b/logrotate.fc
index a11d5be99..dc14626a9 100644
--- a/logrotate.fc
+++ b/logrotate.fc
@@ -1,6 +1,7 @@
-/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0)
-/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+/var/lib/logrotate\.status.* -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+
diff --git a/logrotate.if b/logrotate.if
index dd8e01af3..9cd6b0b8e 100644
--- a/logrotate.if
+++ b/logrotate.if
@@ -1,4 +1,4 @@
-## Rotates, compresses, removes and mails system log files.
+## Rotate and archive system logs
########################################
##
@@ -21,9 +21,8 @@ interface(`logrotate_domtrans',`
########################################
##
-## Execute logrotate in the logrotate
-## domain, and allow the specified
-## role the logrotate domain.
+## Execute logrotate in the logrotate domain, and
+## allow the specified role the logrotate domain.
##
##
##
@@ -39,11 +38,11 @@ interface(`logrotate_domtrans',`
#
interface(`logrotate_run',`
gen_require(`
- attribute_role logrotate_roles;
+ type logrotate_t;
')
logrotate_domtrans($1)
- roleattribute $2 logrotate_roles;
+ role $2 types logrotate_t;
')
########################################
@@ -85,8 +84,7 @@ interface(`logrotate_use_fds',`
########################################
##
-## Do not audit attempts to inherit
-## logrotate file descriptors.
+## Do not audit attempts to inherit logrotate file descriptors.
##
##
##
@@ -104,7 +102,7 @@ interface(`logrotate_dontaudit_use_fds',`
########################################
##
-## Read logrotate temporary files.
+## Read a logrotate temporary files.
##
##
##
diff --git a/logrotate.te b/logrotate.te
index be0ab84b3..91cf286d5 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -5,16 +5,33 @@ policy_module(logrotate, 1.15.0)
# Declarations
#
-attribute_role logrotate_roles;
-roleattribute system_r logrotate_roles;
+gen_require(`
+ class passwd passwd;
+')
+
+##
+##
+## Allow logrotate to manage nfs files
+##
+##
+gen_tunable(logrotate_use_nfs, false)
+
+##
+##
+## Allow logrotate to read logs inside
+##
+##
+gen_tunable(logrotate_read_inside_containers, false)
+
type logrotate_t;
-type logrotate_exec_t;
domain_type(logrotate_t)
domain_obj_id_change_exemption(logrotate_t)
domain_system_change_exemption(logrotate_t)
+role system_r types logrotate_t;
+
+type logrotate_exec_t;
domain_entry_file(logrotate_t, logrotate_exec_t)
-role logrotate_roles types logrotate_t;
type logrotate_lock_t;
files_lock_file(logrotate_lock_t)
@@ -25,21 +42,30 @@ files_tmp_file(logrotate_tmp_t)
type logrotate_var_lib_t;
files_type(logrotate_var_lib_t)
-mta_base_mail_template(logrotate)
-role system_r types logrotate_mail_t;
-
########################################
#
# Local policy
#
-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
-allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+# Change ownership on log files.
+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace };
+dontaudit logrotate_t self:capability { sys_resource net_admin };
+
+allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+
+allow logrotate_t self:passwd { passwd };
+
+# Set a context other than the default one for newly created files.
+allow logrotate_t self:process setfscreate;
+
allow logrotate_t self:fd use;
allow logrotate_t self:key manage_key_perms;
allow logrotate_t self:fifo_file rw_fifo_file_perms;
+allow logrotate_t self:unix_dgram_socket create_socket_perms;
+allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
allow logrotate_t self:unix_dgram_socket sendto;
-allow logrotate_t self:unix_stream_socket { accept connectto listen };
+allow logrotate_t self:unix_stream_socket connectto;
+allow logrotate_t self:netlink_selinux_socket create_socket_perms;
allow logrotate_t self:shm create_shm_perms;
allow logrotate_t self:sem create_sem_perms;
allow logrotate_t self:msgq create_msgq_perms;
@@ -48,36 +74,53 @@ allow logrotate_t self:msg { send receive };
allow logrotate_t logrotate_lock_t:file manage_file_perms;
files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
+can_exec(logrotate_t, logrotate_tmp_t)
+
manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
+# for /var/lib/logrotate.status and /var/lib/logcheck
create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
-can_exec(logrotate_t, logrotate_tmp_t)
-
kernel_read_system_state(logrotate_t)
kernel_read_kernel_sysctls(logrotate_t)
+dev_read_urand(logrotate_t)
+dev_read_sysfs(logrotate_t)
+dev_write_kmsg(logrotate_t)
+
+fs_search_auto_mountpoints(logrotate_t)
+fs_getattr_all_fs(logrotate_t)
+fs_list_inotifyfs(logrotate_t)
+
+mls_file_read_all_levels(logrotate_t)
+mls_file_write_all_levels(logrotate_t)
+mls_file_upgrade(logrotate_t)
+mls_process_write_to_clearance(logrotate_t)
+
+selinux_get_fs_mount(logrotate_t)
+selinux_get_enforce_mode(logrotate_t)
+
+# Run helper programs.
corecmd_exec_bin(logrotate_t)
corecmd_exec_shell(logrotate_t)
corecmd_getattr_all_executables(logrotate_t)
-dev_read_urand(logrotate_t)
-
domain_signal_all_domains(logrotate_t)
domain_use_interactive_fds(logrotate_t)
domain_getattr_all_entry_files(logrotate_t)
+# Read /proc/PID directories for all domains.
domain_read_all_domains_state(logrotate_t)
-files_read_usr_files(logrotate_t)
files_read_etc_runtime_files(logrotate_t)
files_read_all_pids(logrotate_t)
files_search_all(logrotate_t)
files_read_var_lib_files(logrotate_t)
+# Write to /var/spool/slrnpull - should be moved into its own type.
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
@@ -95,32 +138,58 @@ mls_process_write_to_clearance(logrotate_t)
selinux_get_fs_mount(logrotate_t)
selinux_get_enforce_mode(logrotate_t)
+application_exec_all(logrotate_t)
+
+auth_domtrans_chk_passwd(logrotate_t)
auth_manage_login_records(logrotate_t)
auth_use_nsswitch(logrotate_t)
init_all_labeled_script_domtrans(logrotate_t)
+init_reload_services(logrotate_t)
+init_reload_transient_unit(logrotate_t)
logging_manage_all_logs(logrotate_t)
logging_send_syslog_msg(logrotate_t)
logging_send_audit_msgs(logrotate_t)
+# cjp: why is this needed?
logging_exec_all_logs(logrotate_t)
-miscfiles_read_localization(logrotate_t)
+systemd_exec_systemctl(logrotate_t)
+systemd_getattr_unit_files(logrotate_t)
+systemd_start_all_unit_files(logrotate_t)
+systemd_reload_all_services(logrotate_t)
+systemd_status_all_unit_files(logrotate_t)
+systemd_dbus_chat_logind(logrotate_t)
+systemd_config_generic_services(logrotate_t)
+init_stream_connect(logrotate_t)
+init_reload_transient_unit(logrotate_t)
+
+miscfiles_read_hwdata(logrotate_t)
-seutil_dontaudit_read_config(logrotate_t)
+term_dontaudit_use_unallocated_ttys(logrotate_t)
-userdom_use_user_terminals(logrotate_t)
+userdom_use_inherited_user_terminals(logrotate_t)
userdom_list_user_home_dirs(logrotate_t)
userdom_use_unpriv_users_fds(logrotate_t)
+userdom_list_admin_dir(logrotate_t)
+userdom_dontaudit_getattr_user_home_content(logrotate_t)
-mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
+tunable_policy(`logrotate_use_nfs',`
+ fs_manage_nfs_files(logrotate_t)
+ fs_manage_nfs_dirs(logrotate_t)
+ fs_manage_nfs_symlinks(logrotate_t)
+')
-ifdef(`distro_debian',`
+ifdef(`distro_debian', `
allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
+ # for savelog
can_exec(logrotate_t, logrotate_exec_t)
- logging_check_exec_syslog(logrotate_t)
+ # for syslogd-listfiles
logging_read_syslog_config(logrotate_t)
+
+ # for "test -x /sbin/syslogd"
+ logging_check_exec_syslog(logrotate_t)
')
optional_policy(`
@@ -135,16 +204,17 @@ optional_policy(`
optional_policy(`
apache_read_config(logrotate_t)
+ apache_read_sys_content_rw_dirs(logrotate_t)
apache_domtrans(logrotate_t)
apache_signull(logrotate_t)
')
optional_policy(`
- asterisk_domtrans(logrotate_t)
+ awstats_domtrans(logrotate_t)
')
optional_policy(`
- awstats_domtrans(logrotate_t)
+ asterisk_domtrans(logrotate_t)
')
optional_policy(`
@@ -170,6 +240,11 @@ optional_policy(`
')
optional_policy(`
+ dbus_system_bus_client(logrotate_t)
+')
+
+optional_policy(`
+ fail2ban_domtrans_client(logrotate_t)
fail2ban_stream_connect(logrotate_t)
')
@@ -178,7 +253,8 @@ optional_policy(`
')
optional_policy(`
- chronyd_read_key_files(logrotate_t)
+ chronyd_domtrans_chronyc(logrotate_t)
+ chronyd_read_keys(logrotate_t)
')
optional_policy(`
@@ -198,23 +274,32 @@ optional_policy(`
')
optional_policy(`
+ mysql_read_home_content(logrotate_t)
mysql_read_config(logrotate_t)
+ mysql_search_db(logrotate_t)
mysql_stream_connect(logrotate_t)
')
optional_policy(`
- openvswitch_read_pid_files(logrotate_t)
- openvswitch_domtrans(logrotate_t)
+ polipo_named_filetrans_log_files(logrotate_t)
')
optional_policy(`
- polipo_log_filetrans_log(logrotate_t, file, "polipo")
+ prosody_stream_connect(logrotate_t)
')
optional_policy(`
psad_domtrans(logrotate_t)
')
+optional_policy(`
+ rabbitmq_domtrans(logrotate_t)
+')
+
+optional_policy(`
+ raid_domtrans_mdadm(logrotate_t)
+')
+
optional_policy(`
samba_exec_log(logrotate_t)
')
@@ -227,27 +312,51 @@ optional_policy(`
slrnpull_manage_spool(logrotate_t)
')
+optional_policy(`
+ openshift_manage_lib_files(logrotate_t)
+')
+
+optional_policy(`
+ openvswitch_read_pid_files(logrotate_t)
+ openvswitch_domtrans(logrotate_t)
+')
+
optional_policy(`
squid_domtrans(logrotate_t)
+ squid_read_config(logrotate_t)
')
optional_policy(`
+ #Red Hat bug 564565
su_exec(logrotate_t)
')
+optional_policy(`
+ rpm_read_cache(logrotate_t)
+')
+
optional_policy(`
varnishd_manage_log(logrotate_t)
')
+optional_policy(`
+ virt_manage_cache(logrotate_t)
+')
+
+
+optional_policy(`
+ tunable_policy(`logrotate_read_inside_containers',`
+ virt_read_sandbox_files(logrotate_t)
+ ')
+')
+
#######################################
#
-# Mail local policy
+# logrotate_mail local policy
#
-allow logrotate_mail_t logrotate_t:fd use;
-allow logrotate_mail_t logrotate_t:fifo_file rw_fifo_file_perms;
-allow logrotate_mail_t logrotate_t:process sigchld;
-
-manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
-
+mta_base_mail_template(logrotate)
+mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
+role system_r types logrotate_mail_t;
logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
diff --git a/logwatch.if b/logwatch.if
index 06c3d36ca..37e71b3d7 100644
--- a/logwatch.if
+++ b/logwatch.if
@@ -37,3 +37,42 @@ interface(`logwatch_search_cache_dir',`
files_search_var($1)
allow $1 logwatch_cache_t:dir search_dir_perms;
')
+
+#######################################
+##
+## Dontaudit read and write an leaked file descriptors
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`logwatch_dontaudit_leaks',`
+ gen_require(`
+ type logwatch_t;
+ ')
+
+ dontaudit $1 logwatch_t:fifo_file { read write };
+')
+
+########################################
+##
+## Create, read, write, and delete
+## svirt cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logwatch_manage_cache',`
+ gen_require(`
+ type logwatch_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, logwatch_cache_t, logwatch_cache_t)
+ manage_dirs_pattern($1, logwatch_cache_t, logwatch_cache_t)
+')
diff --git a/logwatch.te b/logwatch.te
index ab650340c..6d6816bb6 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -15,7 +15,8 @@ gen_tunable(logwatch_can_network_connect_mail, false)
type logwatch_t;
type logwatch_exec_t;
-init_system_domain(logwatch_t, logwatch_exec_t)
+init_daemon_domain(logwatch_t, logwatch_exec_t)
+application_domain(logwatch_t, logwatch_exec_t)
type logwatch_cache_t;
files_type(logwatch_cache_t)
@@ -45,7 +46,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
-allow logwatch_t logwatch_lock_t:file manage_file_perms;
+manage_files_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t)
+manage_dirs_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t)
files_lock_filetrans(logwatch_t, logwatch_lock_t, file)
manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
@@ -61,6 +63,11 @@ kernel_read_system_state(logwatch_t)
kernel_read_net_sysctls(logwatch_t)
kernel_read_network_state(logwatch_t)
+corenet_all_recvfrom_unlabeled(logwatch_t)
+corenet_all_recvfrom_netlabel(logwatch_t)
+corenet_tcp_sendrecv_generic_if(logwatch_t)
+corenet_tcp_sendrecv_generic_node(logwatch_t)
+
corecmd_exec_bin(logwatch_t)
corecmd_exec_shell(logwatch_t)
@@ -75,10 +82,11 @@ files_list_var(logwatch_t)
files_search_all(logwatch_t)
files_read_var_symlinks(logwatch_t)
files_read_etc_runtime_files(logwatch_t)
-files_read_usr_files(logwatch_t)
+files_read_system_conf_files(logwatch_t)
fs_getattr_all_dirs(logwatch_t)
fs_getattr_all_fs(logwatch_t)
+fs_getattr_all_dirs(logwatch_t)
fs_dontaudit_list_auto_mountpoints(logwatch_t)
fs_list_inotifyfs(logwatch_t)
@@ -100,23 +108,16 @@ libs_read_lib_files(logwatch_t)
logging_read_all_logs(logwatch_t)
logging_send_syslog_msg(logwatch_t)
-miscfiles_read_localization(logwatch_t)
+miscfiles_read_hwdata(logwatch_t)
selinux_dontaudit_getattr_dir(logwatch_t)
sysnet_exec_ifconfig(logwatch_t)
-userdom_dontaudit_search_user_home_dirs(logwatch_t)
-
mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
mta_getattr_spool(logwatch_t)
tunable_policy(`logwatch_can_network_connect_mail',`
- corenet_all_recvfrom_unlabeled(logwatch_t)
- corenet_all_recvfrom_netlabel(logwatch_t)
- corenet_tcp_sendrecv_generic_if(logwatch_t)
- corenet_tcp_sendrecv_generic_node(logwatch_t)
-
corenet_sendrecv_smtp_client_packets(logwatch_t)
corenet_tcp_connect_smtp_port(logwatch_t)
corenet_tcp_sendrecv_smtp_port(logwatch_t)
@@ -159,6 +160,16 @@ optional_policy(`
ntp_domtrans(logwatch_t)
')
+optional_policy(`
+ postfix_domtrans_postqueue(logwatch_t)
+')
+
+optional_policy(`
+ raid_domtrans_mdadm(logwatch_t)
+ raid_access_check_mdadm(logwatch_t)
+ raid_read_conf_files(logwatch_t)
+')
+
optional_policy(`
rpc_search_nfs_state_data(logwatch_t)
')
@@ -187,6 +198,19 @@ dev_read_sysfs(logwatch_mail_t)
logging_read_all_logs(logwatch_mail_t)
+mta_read_home(logwatch_mail_t)
+mta_filetrans_home_content(logwatch_mail_t)
+mta_filetrans_admin_home_content(logwatch_mail_t)
+
optional_policy(`
cron_use_system_job_fds(logwatch_mail_t)
')
+
+optional_policy(`
+ courier_stream_connect_authdaemon(logwatch_mail_t)
+')
+
+optional_policy(`
+ qmail_domtrans_inject(logwatch_mail_t)
+ qmail_domtrans_queue(logwatch_mail_t)
+')
diff --git a/lpd.fc b/lpd.fc
index 2fb9b2ec2..08974e376 100644
--- a/lpd.fc
+++ b/lpd.fc
@@ -19,6 +19,7 @@
/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
diff --git a/lpd.if b/lpd.if
index 62563717b..ce2acb881 100644
--- a/lpd.if
+++ b/lpd.if
@@ -1,44 +1,49 @@
-## Line printer daemon.
+## Line printer daemon
########################################
##
-## Role access for lpd.
+## Role access for lpd
##
##
##
-## Role allowed access.
+## Role allowed access
##
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
+##
#
interface(`lpd_role',`
gen_require(`
attribute_role lpr_roles;
- type lpr_t, lpr_exec_t;
+ type lpr_t, lpr_exec_t, print_spool_t;
')
- ########################################
- #
- # Declarations
- #
+ ########################################
+ #
+ # Declarations
+ #
roleattribute $1 lpr_roles;
- ########################################
- #
- # Policy
- #
+ ########################################
+ #
+ # Policy
+ #
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, lpr_exec_t, lpr_t)
+ dontaudit lpr_t $2:unix_stream_socket { read write };
- allow $2 lpr_t:process { ptrace signal_perms };
ps_process_pattern($2, lpr_t)
+ allow $2 lpr_t:process signal_perms;
- dontaudit lpr_t $2:unix_stream_socket { read write };
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 lpr_t:process ptrace;
+ ')
optional_policy(`
cups_read_config($2)
@@ -60,15 +65,13 @@ interface(`lpd_domtrans_checkpc',`
type checkpc_t, checkpc_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, checkpc_exec_t, checkpc_t)
')
########################################
##
-## Execute amrecover in the lpd
-## domain, and allow the specified
-## role the lpd domain.
+## Execute amrecover in the lpd domain, and
+## allow the specified role the lpd domain.
##
##
##
@@ -84,16 +87,16 @@ interface(`lpd_domtrans_checkpc',`
#
interface(`lpd_run_checkpc',`
gen_require(`
- attribute_role checkpc_roles;
+ type checkpc_t;
')
lpd_domtrans_checkpc($1)
- roleattribute $2 checkpc_roles;
+ role $2 types checkpc_t;
')
########################################
##
-## List printer spool directories.
+## List the contents of the printer spool directories.
##
##
##
@@ -112,7 +115,7 @@ interface(`lpd_list_spool',`
########################################
##
-## Read printer spool files.
+## Read the printer spool files.
##
##
##
@@ -131,8 +134,7 @@ interface(`lpd_read_spool',`
########################################
##
-## Create, read, write, and delete
-## printer spool content.
+## Create, read, write, and delete printer spool files.
##
##
##
@@ -149,11 +151,12 @@ interface(`lpd_manage_spool',`
manage_dirs_pattern($1, print_spool_t, print_spool_t)
manage_files_pattern($1, print_spool_t, print_spool_t)
manage_lnk_files_pattern($1, print_spool_t, print_spool_t)
+ manage_fifo_files_pattern($1, print_spool_t, print_spool_t)
')
########################################
##
-## Relabel spool files.
+## Relabel from and to the spool files.
##
##
##
@@ -172,7 +175,7 @@ interface(`lpd_relabel_spool',`
########################################
##
-## Read printer configuration files.
+## List the contents of the printer spool directories.
##
##
##
@@ -200,12 +203,11 @@ interface(`lpd_read_config',`
##
##
#
-template(`lpd_domtrans_lpr',`
+interface(`lpd_domtrans_lpr',`
gen_require(`
type lpr_t, lpr_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, lpr_exec_t, lpr_t)
')
@@ -237,7 +239,8 @@ interface(`lpd_run_lpr',`
########################################
##
-## Execute lpr in the caller domain.
+## Allow the specified domain to execute lpr
+## in the caller domain.
##
##
##
@@ -250,6 +253,5 @@ interface(`lpd_exec_lpr',`
type lpr_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, lpr_exec_t)
')
diff --git a/lpd.te b/lpd.te
index 39d31640e..1ec2cd26e 100644
--- a/lpd.te
+++ b/lpd.te
@@ -48,7 +48,7 @@ userdom_user_tmp_file(lpr_tmp_t)
type print_spool_t;
typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t };
typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t };
-files_type(print_spool_t)
+files_spool_file(print_spool_t)
ubac_constrained(print_spool_t)
type printer_t;
@@ -62,7 +62,7 @@ files_config_file(printconf_t)
# Checkpc local policy
#
-allow checkpc_t self:capability { setgid setuid dac_override };
+allow checkpc_t self:capability { setgid setuid dac_read_search dac_override };
allow checkpc_t self:process signal_perms;
allow checkpc_t self:unix_stream_socket create_socket_perms;
allow checkpc_t self:tcp_socket create_socket_perms;
@@ -81,7 +81,6 @@ allow checkpc_t printconf_t:dir list_dir_perms;
kernel_read_system_state(checkpc_t)
-corenet_all_recvfrom_unlabeled(checkpc_t)
corenet_all_recvfrom_netlabel(checkpc_t)
corenet_tcp_sendrecv_generic_if(checkpc_t)
corenet_tcp_sendrecv_generic_node(checkpc_t)
@@ -97,7 +96,6 @@ dev_append_printer(checkpc_t)
domain_use_interactive_fds(checkpc_t)
-files_read_etc_files(checkpc_t)
files_read_etc_runtime_files(checkpc_t)
files_search_pids(checkpc_t)
files_search_spool(checkpc_t)
@@ -107,7 +105,7 @@ init_use_fds(checkpc_t)
sysnet_read_config(checkpc_t)
-userdom_use_user_terminals(checkpc_t)
+userdom_use_inherited_user_terminals(checkpc_t)
optional_policy(`
cron_system_entry(checkpc_t, checkpc_exec_t)
@@ -155,7 +153,6 @@ can_exec(lpd_t, printconf_t)
kernel_read_kernel_sysctls(lpd_t)
kernel_read_system_state(lpd_t)
-corenet_all_recvfrom_unlabeled(lpd_t)
corenet_all_recvfrom_netlabel(lpd_t)
corenet_tcp_sendrecv_generic_if(lpd_t)
corenet_tcp_sendrecv_generic_node(lpd_t)
@@ -174,14 +171,12 @@ dev_rw_printer(lpd_t)
domain_use_interactive_fds(lpd_t)
files_read_etc_runtime_files(lpd_t)
-files_read_usr_files(lpd_t)
files_list_world_readable(lpd_t)
files_read_world_readable_files(lpd_t)
files_read_world_readable_symlinks(lpd_t)
files_list_var_lib(lpd_t)
files_read_var_lib_files(lpd_t)
files_read_var_lib_symlinks(lpd_t)
-files_read_etc_files(lpd_t)
files_search_spool(lpd_t)
fs_getattr_all_fs(lpd_t)
@@ -190,7 +185,6 @@ fs_search_auto_mountpoints(lpd_t)
logging_send_syslog_msg(lpd_t)
miscfiles_read_fonts(lpd_t)
-miscfiles_read_localization(lpd_t)
sysnet_read_config(lpd_t)
@@ -214,7 +208,7 @@ optional_policy(`
# Lpr local policy
#
-allow lpr_t self:capability { setuid dac_override net_bind_service chown };
+allow lpr_t self:capability { setuid dac_read_search dac_override net_bind_service chown };
allow lpr_t self:unix_stream_socket { accept listen };
allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
@@ -224,7 +218,6 @@ can_exec(lpr_t, lpr_exec_t)
kernel_read_crypto_sysctls(lpr_t)
kernel_read_kernel_sysctls(lpr_t)
-corenet_all_recvfrom_unlabeled(lpr_t)
corenet_all_recvfrom_netlabel(lpr_t)
corenet_tcp_sendrecv_generic_if(lpr_t)
corenet_tcp_sendrecv_generic_node(lpr_t)
@@ -239,7 +232,6 @@ dev_read_urand(lpr_t)
domain_use_interactive_fds(lpr_t)
files_search_spool(lpr_t)
-files_read_usr_files(lpr_t)
files_list_home(lpr_t)
fs_getattr_all_fs(lpr_t)
@@ -249,23 +241,27 @@ term_use_generic_ptys(lpr_t)
auth_use_nsswitch(lpr_t)
-logging_send_syslog_msg(lpr_t)
-
miscfiles_read_fonts(lpr_t)
-miscfiles_read_localization(lpr_t)
userdom_read_user_tmp_symlinks(lpr_t)
-userdom_use_user_terminals(lpr_t)
+# Write to the user domain tty.
+userdom_use_inherited_user_terminals(lpr_t)
userdom_read_user_home_content_files(lpr_t)
userdom_read_user_tmp_files(lpr_t)
+userdom_write_user_tmp_sockets(lpr_t)
+userdom_stream_connect(lpr_t)
tunable_policy(`use_lpd_server',`
- allow lpr_t lpd_t:process signal;
-
- write_sock_files_pattern(lpr_t, lpd_var_run_t, lpd_var_run_t)
+ # lpr can run in lightweight mode, without a local print spooler.
+ allow lpr_t lpd_var_run_t:dir search_dir_perms;
+ allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms;
files_read_var_files(lpr_t)
+ # Connect to lpd via a Unix domain socket.
+ allow lpr_t printer_t:sock_file read_sock_file_perms;
stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t)
+ # Send SIGHUP to lpd.
+ allow lpr_t lpd_t:process signal;
manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
@@ -279,17 +275,7 @@ tunable_policy(`use_lpd_server',`
allow lpr_t printconf_t:lnk_file read_lnk_file_perms;
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_list_auto_mountpoints(lpr_t)
- fs_read_nfs_files(lpr_t)
- fs_read_nfs_symlinks(lpr_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_list_auto_mountpoints(lpr_t)
- fs_read_cifs_files(lpr_t)
- fs_read_cifs_symlinks(lpr_t)
-')
+userdom_home_reader(lpr_t)
optional_policy(`
cups_read_config(lpr_t)
@@ -298,5 +284,13 @@ optional_policy(`
')
optional_policy(`
- gnome_stream_connect_all_gkeyringd(lpr_t)
+ gnome_stream_connect_gkeyringd(lpr_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(lpr_t)
+')
+
+optional_policy(`
+ mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
')
diff --git a/lsm.fc b/lsm.fc
index c45573053..6e1466794 100644
--- a/lsm.fc
+++ b/lsm.fc
@@ -1,3 +1,7 @@
/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
+/usr/bin/.*_lsmplugin -- gen_context(system_u:object_r:lsmd_plugin_exec_t,s0)
+
+/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0)
+
/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0)
diff --git a/lsm.if b/lsm.if
index d3143334d..27ede090c 100644
--- a/lsm.if
+++ b/lsm.if
@@ -1,25 +1,86 @@
-## Storage array management library.
+
+## libStorageMgmt plug-in daemon
########################################
##
-## All of the rules required to administrate
-## an lsmd environment.
+## Execute TEMPLATE in the lsmd domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`lsmd_domtrans',`
+ gen_require(`
+ type lsmd_t, lsmd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, lsmd_exec_t, lsmd_t)
+')
+########################################
+##
+## Read lsmd PID files.
##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`lsmd_read_pid_files',`
+ gen_require(`
+ type lsmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t)
+')
+
+########################################
+##
+## Execute lsmd server in the lsmd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`lsmd_systemctl',`
+ gen_require(`
+ type lsmd_t;
+ type lsmd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 lsmd_unit_file_t:file read_file_perms;
+ allow $1 lsmd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, lsmd_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an lsmd environment
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
##
#
interface(`lsmd_admin',`
gen_require(`
- type lsmd_t, type lsmd_var_run_t;
+ type lsmd_t;
+ type lsmd_var_run_t;
+ type lsmd_unit_file_t;
')
allow $1 lsmd_t:process { ptrace signal_perms };
@@ -27,4 +88,13 @@ interface(`lsmd_admin',`
files_search_pids($1)
admin_pattern($1, lsmd_var_run_t)
+
+ lsmd_systemctl($1)
+ admin_pattern($1, lsmd_unit_file_t)
+ allow $1 lsmd_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/lsm.te b/lsm.te
index 4ec0eea30..32d0ded84 100644
--- a/lsm.te
+++ b/lsm.te
@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
#
# Declarations
#
+##
+##
+## Determine whether lsmd_plugin can
+## connect to all TCP ports.
+##
+##
+gen_tunable(lsmd_plugin_connect_any, false)
type lsmd_t;
type lsmd_exec_t;
@@ -12,12 +19,23 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
type lsmd_var_run_t;
files_pid_file(lsmd_var_run_t)
+type lsmd_unit_file_t;
+systemd_unit_file(lsmd_unit_file_t)
+
+type lsmd_plugin_t;
+type lsmd_plugin_exec_t;
+application_domain(lsmd_plugin_t, lsmd_plugin_exec_t)
+role system_r types lsmd_plugin_t;
+
+type lsmd_plugin_tmp_t;
+files_tmp_file(lsmd_plugin_tmp_t)
+
########################################
#
# Local policy
#
-allow lsmd_t self:capability setgid;
+allow lsmd_t self:capability { setuid setgid };
allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
@@ -26,4 +44,72 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
+auth_use_nsswitch(lsmd_t)
+
+corecmd_exec_bin(lsmd_t)
+corecmd_getattr_all_executables(lsmd_t)
+
logging_send_syslog_msg(lsmd_t)
+
+########################################
+#
+# Local lsmd plugin policy
+#
+
+allow lsmd_plugin_t self:udp_socket create_socket_perms;
+allow lsmd_plugin_t self:tcp_socket create_stream_socket_perms;
+allow lsmd_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow lsmd_plugin_t self:capability { sys_admin sys_rawio } ;
+
+domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)
+allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write };
+
+allow lsmd_t lsmd_plugin_exec_t:file { map read_file_perms };
+stream_connect_pattern(lsmd_plugin_t, lsmd_var_run_t, lsmd_var_run_t, lsmd_t)
+
+manage_files_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
+manage_dirs_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
+files_tmp_filetrans(lsmd_plugin_t, lsmd_plugin_tmp_t, { file dir })
+
+tunable_policy(`lsmd_plugin_connect_any',`
+ corenet_tcp_connect_all_ports(lsmd_plugin_t)
+ corenet_sendrecv_all_packets(lsmd_plugin_t)
+ corenet_tcp_sendrecv_all_ports(lsmd_plugin_t)
+')
+
+kernel_read_system_state(lsmd_plugin_t)
+
+auth_read_passwd(lsmd_plugin_t)
+
+dev_read_urand(lsmd_plugin_t)
+dev_read_sysfs(lsmd_plugin_t)
+dev_getattr_sysfs_fs(lsmd_plugin_t)
+
+corecmd_exec_bin(lsmd_plugin_t)
+
+corenet_tcp_connect_http_port(lsmd_plugin_t)
+corenet_tcp_connect_http_cache_port(lsmd_plugin_t)
+corenet_tcp_connect_lsm_plugin_port(lsmd_plugin_t)
+corenet_tcp_connect_pegasus_https_port(lsmd_plugin_t)
+corenet_tcp_connect_pegasus_http_port(lsmd_plugin_t)
+corenet_tcp_connect_ssh_port(lsmd_plugin_t)
+
+auth_use_nsswitch(lsmd_plugin_t)
+
+init_stream_connect(lsmd_plugin_t)
+init_dontaudit_rw_stream_socket(lsmd_plugin_t)
+
+libs_exec_ldconfig(lsmd_plugin_t)
+
+logging_send_syslog_msg(lsmd_plugin_t)
+
+miscfiles_read_certs(lsmd_plugin_t)
+miscfiles_read_hwdata(lsmd_plugin_t)
+
+sysnet_read_config(lsmd_plugin_t)
+
+storage_raw_rw_fixed_disk(lsmd_plugin_t)
+storage_create_fixed_disk_dev(lsmd_plugin_t)
+storage_read_scsi_generic(lsmd_plugin_t)
+storage_write_scsi_generic(lsmd_plugin_t)
+storage_dev_filetrans_named_fixed_disk(lsmd_plugin_t)
diff --git a/lttng-tools.fc b/lttng-tools.fc
new file mode 100644
index 000000000..bdd17ca85
--- /dev/null
+++ b/lttng-tools.fc
@@ -0,0 +1,5 @@
+/usr/bin/lttng-sessiond -- gen_context(system_u:object_r:lttng_sessiond_exec_t,s0)
+
+/usr/lib/systemd/system/lttng-sessiond.service -- gen_context(system_u:object_r:lttng_sessiond_unit_file_t,s0)
+
+/var/run/lttng(/.*)? gen_context(system_u:object_r:lttng_sessiond_var_run_t,s0)
diff --git a/lttng-tools.if b/lttng-tools.if
new file mode 100644
index 000000000..e86897d29
--- /dev/null
+++ b/lttng-tools.if
@@ -0,0 +1,117 @@
+
+## LTTng 2.x central tracing registry session daemon.
+
+########################################
+##
+## Execute lttng_sessiond_exec_t in the lttng_sessiond domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`lttng_sessiond_domtrans',`
+ gen_require(`
+ type lttng_sessiond_t, lttng_sessiond_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, lttng_sessiond_exec_t, lttng_sessiond_t)
+')
+
+######################################
+##
+## Execute lttng_sessiond in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`lttng_sessiond_exec',`
+ gen_require(`
+ type lttng_sessiond_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, lttng_sessiond_exec_t)
+')
+
+########################################
+##
+## Execute lttng_sessiond server in the lttng_sessiond domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`lttng_sessiond_systemctl',`
+ gen_require(`
+ type lttng_sessiond_t;
+ type lttng_sessiond_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 lttng_sessiond_unit_file_t:file read_file_perms;
+ allow $1 lttng_sessiond_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, lttng_sessiond_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an lttng_sessiond environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`lttng_sessiond_admin',`
+ gen_require(`
+ type lttng_sessiond_t;
+ type lttng_sessiond_unit_file_t;
+ ')
+
+ allow $1 lttng_sessiond_t:process { signal_perms };
+ ps_process_pattern($1, lttng_sessiond_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 lttng_sessiond_t:process ptrace;
+ ')
+
+ lttng_sessiond_systemctl($1)
+ admin_pattern($1, lttng_sessiond_unit_file_t)
+ allow $1 lttng_sessiond_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
+
+########################################
+##
+## Read and write lttng-tools shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`lttng_read_shm',`
+ gen_require(`
+ type lttng_sessiond_tmpfs_t;
+ ')
+
+ read_files_pattern($1, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t)
+ fs_search_tmpfs($1)
+')
diff --git a/lttng-tools.te b/lttng-tools.te
new file mode 100644
index 000000000..1d2ca2224
--- /dev/null
+++ b/lttng-tools.te
@@ -0,0 +1,60 @@
+policy_module(lttng-tools, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type lttng_sessiond_t;
+type lttng_sessiond_exec_t;
+init_daemon_domain(lttng_sessiond_t, lttng_sessiond_exec_t)
+
+type lttng_sessiond_tmpfs_t;
+files_tmpfs_file(lttng_sessiond_tmpfs_t)
+
+type lttng_sessiond_var_run_t;
+files_pid_file(lttng_sessiond_var_run_t)
+
+type lttng_sessiond_unit_file_t;
+systemd_unit_file(lttng_sessiond_unit_file_t)
+
+########################################
+#
+# lttng_sessiond local policy
+#
+
+allow lttng_sessiond_t self:capability { chown setgid setuid fsetid net_admin sys_resource };
+allow lttng_sessiond_t self:capability2 block_suspend;
+allow lttng_sessiond_t self:process { setrlimit signal_perms };
+allow lttng_sessiond_t self:fifo_file rw_fifo_file_perms;
+allow lttng_sessiond_t self:tcp_socket listen;
+allow lttng_sessiond_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t)
+manage_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t)
+manage_lnk_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t)
+manage_sock_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t)
+files_pid_filetrans(lttng_sessiond_t, lttng_sessiond_var_run_t, { dir })
+
+manage_dirs_pattern(lttng_sessiond_t, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t)
+manage_files_pattern(lttng_sessiond_t, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t)
+fs_tmpfs_filetrans(lttng_sessiond_t, lttng_sessiond_tmpfs_t, { dir file })
+
+kernel_read_system_state(lttng_sessiond_t)
+kernel_read_net_sysctls(lttng_sessiond_t)
+kernel_read_fs_sysctls(lttng_sessiond_t)
+
+corecmd_exec_shell(lttng_sessiond_t)
+
+corenet_tcp_bind_generic_node(lttng_sessiond_t)
+corenet_tcp_bind_lltng_port(lttng_sessiond_t)
+
+dev_read_sysfs(lttng_sessiond_t)
+
+fs_getattr_tmpfs(lttng_sessiond_t)
+
+auth_use_nsswitch(lttng_sessiond_t)
+
+modutils_exec_insmod(lttng_sessiond_t)
+modutils_read_module_config(lttng_sessiond_t)
+files_read_kernel_modules(lttng_sessiond_t)
diff --git a/mailman.fc b/mailman.fc
index 995d0a5d3..3d40d59d2 100644
--- a/mailman.fc
+++ b/mailman.fc
@@ -2,10 +2,12 @@
/etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
+/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-/var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
+/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
/var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
/var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0)
diff --git a/mailman.if b/mailman.if
index 108c0f1f5..a2485018e 100644
--- a/mailman.if
+++ b/mailman.if
@@ -1,44 +1,70 @@
-## Manage electronic mail discussion and e-newsletter lists.
+## Mailman is for managing electronic mail discussion and e-newsletter lists
#######################################
##
-## The template to define a mailman domain.
+## The template to define a mailmain domain.
##
-##
+##
+##
+## This template creates a domain to be used for
+## a new mailman daemon.
+##
+##
+##
##
-## Domain prefix to be used.
+## The type of daemon to be used eg, cgi would give mailman_cgi_
##
##
#
-template(`mailman_domain_template',`
- gen_require(`
- attribute mailman_domain;
- ')
+template(`mailman_domain_template', `
- ########################################
- #
- # Declarations
- #
+ ########################################
+ #
+ # Declarations
+ #
- type mailman_$1_t;
- type mailman_$1_exec_t;
+ gen_require(`
+ attribute mailman_domain;
+ ')
+
+ type mailman_$1_t, mailman_domain;
domain_type(mailman_$1_t)
+ type mailman_$1_exec_t;
domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
role system_r types mailman_$1_t;
type mailman_$1_tmp_t;
files_tmp_file(mailman_$1_tmp_t)
- ####################################
- #
- # Policy
- #
+ ####################################
+ #
+ # Policy
+ #
manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
+ kernel_read_system_state(mailman_$1_t)
+
+ corenet_all_recvfrom_unlabeled(mailman_$1_t)
+ corenet_all_recvfrom_netlabel(mailman_$1_t)
+ corenet_tcp_sendrecv_generic_if(mailman_$1_t)
+ corenet_udp_sendrecv_generic_if(mailman_$1_t)
+ corenet_raw_sendrecv_generic_if(mailman_$1_t)
+ corenet_tcp_sendrecv_generic_node(mailman_$1_t)
+ corenet_udp_sendrecv_generic_node(mailman_$1_t)
+ corenet_raw_sendrecv_generic_node(mailman_$1_t)
+ corenet_tcp_sendrecv_all_ports(mailman_$1_t)
+ corenet_udp_sendrecv_all_ports(mailman_$1_t)
+ corenet_tcp_bind_generic_node(mailman_$1_t)
+ corenet_udp_bind_generic_node(mailman_$1_t)
+ corenet_tcp_connect_smtp_port(mailman_$1_t)
+ corenet_sendrecv_smtp_client_packets(mailman_$1_t)
+
auth_use_nsswitch(mailman_$1_t)
+
+ logging_send_syslog_msg(mailman_$1_t)
')
#######################################
@@ -56,15 +82,12 @@ interface(`mailman_domtrans',`
type mailman_mail_exec_t, mailman_mail_t;
')
- libs_search_lib($1)
domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t)
')
########################################
##
-## Execute the mailman program in the
-## mailman domain and allow the
-## specified role the mailman domain.
+## Execute the mailman program in the mailman domain.
##
##
##
@@ -73,18 +96,18 @@ interface(`mailman_domtrans',`
##
##
##
-## Role allowed access.
+## The role to allow the mailman domain.
##
##
##
#
interface(`mailman_run',`
gen_require(`
- attribute_role mailman_roles;
+ type mailman_mail_t;
')
mailman_domtrans($1)
- roleattribute $2 mailman_roles;
+ role $2 types mailman_mail_t;
')
#######################################
@@ -103,7 +126,6 @@ interface(`mailman_domtrans_cgi',`
type mailman_cgi_exec_t, mailman_cgi_t;
')
- libs_search_lib($1)
domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t)
')
@@ -122,13 +144,12 @@ interface(`mailman_exec',`
type mailman_mail_exec_t;
')
- libs_search_lib($1)
can_exec($1, mailman_mail_exec_t)
')
#######################################
##
-## Send generic signals to mailman cgi.
+## Send generic signals to the mailman cgi domain.
##
##
##
@@ -146,7 +167,7 @@ interface(`mailman_signal_cgi',`
#######################################
##
-## Search mailman data directories.
+## Allow domain to search data directories.
##
##
##
@@ -159,13 +180,12 @@ interface(`mailman_search_data',`
type mailman_data_t;
')
- files_search_spool($1)
allow $1 mailman_data_t:dir search_dir_perms;
')
#######################################
##
-## Read mailman data content.
+## Allow domain to to read mailman data files.
##
##
##
@@ -178,7 +198,6 @@ interface(`mailman_read_data_files',`
type mailman_data_t;
')
- files_search_spool($1)
list_dirs_pattern($1, mailman_data_t, mailman_data_t)
read_files_pattern($1, mailman_data_t, mailman_data_t)
read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
@@ -186,8 +205,8 @@ interface(`mailman_read_data_files',`
#######################################
##
-## Create, read, write, and delete
-## mailman data files.
+## Allow domain to to create mailman data files
+## and write the directory.
##
##
##
@@ -200,14 +219,13 @@ interface(`mailman_manage_data_files',`
type mailman_data_t;
')
- files_search_spool($1)
manage_dirs_pattern($1, mailman_data_t, mailman_data_t)
manage_files_pattern($1, mailman_data_t, mailman_data_t)
')
#######################################
##
-## List mailman data directories.
+## List the contents of mailman data directories.
##
##
##
@@ -220,13 +238,12 @@ interface(`mailman_list_data',`
type mailman_data_t;
')
- files_search_spool($1)
allow $1 mailman_data_t:dir list_dir_perms;
')
#######################################
##
-## Read mailman data symbolic links.
+## Allow read acces to mailman data symbolic links.
##
##
##
@@ -244,7 +261,7 @@ interface(`mailman_read_data_symlinks',`
#######################################
##
-## Read mailman log files.
+## Read mailman logs.
##
##
##
@@ -257,13 +274,12 @@ interface(`mailman_read_log',`
type mailman_log_t;
')
- logging_search_logs($1)
read_files_pattern($1, mailman_log_t, mailman_log_t)
')
#######################################
##
-## Append mailman log files.
+## Append to mailman logs.
##
##
##
@@ -276,14 +292,13 @@ interface(`mailman_append_log',`
type mailman_log_t;
')
- logging_search_logs($1)
append_files_pattern($1, mailman_log_t, mailman_log_t)
')
#######################################
##
## Create, read, write, and delete
-## mailman log content.
+## mailman logs.
##
##
##
@@ -296,14 +311,13 @@ interface(`mailman_manage_log',`
type mailman_log_t;
')
- logging_search_logs($1)
manage_files_pattern($1, mailman_log_t, mailman_log_t)
manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t)
')
#######################################
##
-## Read mailman archive content.
+## Allow domain to read mailman archive files.
##
##
##
@@ -316,7 +330,6 @@ interface(`mailman_read_archive',`
type mailman_archive_t;
')
- files_search_var_lib($1)
allow $1 mailman_archive_t:dir list_dir_perms;
read_files_pattern($1, mailman_archive_t, mailman_archive_t)
read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t)
@@ -324,8 +337,7 @@ interface(`mailman_read_archive',`
#######################################
##
-## Execute mailman_queue in the
-## mailman_queue domain.
+## Execute mailman_queue in the mailman_queue domain.
##
##
##
@@ -338,6 +350,5 @@ interface(`mailman_domtrans_queue',`
type mailman_queue_exec_t, mailman_queue_t;
')
- libs_search_lib($1)
domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
')
diff --git a/mailman.te b/mailman.te
index ac81c7fa9..2bbde0b7c 100644
--- a/mailman.te
+++ b/mailman.te
@@ -4,6 +4,12 @@ policy_module(mailman, 1.10.0)
#
# Declarations
#
+##
+##
+## Allow mailman to access FUSE file systems
+##
+##
+gen_tunable(mailman_use_fusefs, false)
attribute mailman_domain;
@@ -50,16 +56,12 @@ manage_lnk_files_pattern(mailman_domain, mailman_data_t, mailman_data_t)
manage_files_pattern(mailman_domain, mailman_lock_t, mailman_lock_t)
files_lock_filetrans(mailman_domain, mailman_lock_t, file)
-append_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
-create_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
-setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
+manage_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
logging_log_filetrans(mailman_domain, mailman_log_t, file)
kernel_read_kernel_sysctls(mailman_domain)
-kernel_read_system_state(mailman_domain)
+kernel_read_network_state(mailman_domain)
-corenet_all_recvfrom_unlabeled(mailman_domain)
-corenet_all_recvfrom_netlabel(mailman_domain)
corenet_tcp_sendrecv_generic_if(mailman_domain)
corenet_tcp_sendrecv_generic_node(mailman_domain)
@@ -82,10 +84,6 @@ fs_getattr_all_fs(mailman_domain)
libs_exec_ld_so(mailman_domain)
libs_exec_lib_files(mailman_domain)
-logging_send_syslog_msg(mailman_domain)
-
-miscfiles_read_localization(mailman_domain)
-
########################################
#
# CGI local policy
@@ -103,7 +101,7 @@ optional_policy(`
apache_dontaudit_append_log(mailman_cgi_t)
apache_search_sys_script_state(mailman_cgi_t)
apache_read_config(mailman_cgi_t)
- apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
+ apache_rw_stream_sockets(mailman_cgi_t)
')
optional_policy(`
@@ -115,20 +113,23 @@ optional_policy(`
# Mail local policy
#
-allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
-allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:capability { kill dac_read_search dac_override setuid setgid sys_nice sys_tty_config };
+allow mailman_mail_t self:process { setsched signal signull };
+allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
+can_exec(mailman_mail_t, mailman_mail_exec_t)
+
corenet_sendrecv_innd_client_packets(mailman_mail_t)
corenet_tcp_connect_innd_port(mailman_mail_t)
corenet_tcp_sendrecv_innd_port(mailman_mail_t)
corenet_sendrecv_spamd_client_packets(mailman_mail_t)
-corenet_tcp_connect_spamd_port(mailman_mail_t)
corenet_tcp_sendrecv_spamd_port(mailman_mail_t)
+corenet_tcp_connect_spamd_port(mailman_mail_t)
dev_read_urand(mailman_mail_t)
@@ -137,10 +138,18 @@ fs_rw_anon_inodefs_files(mailman_mail_t)
mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
mta_dontaudit_rw_queue(mailman_mail_t)
+optional_policy(`
+ apache_search_config(mailman_mail_t)
+')
+
optional_policy(`
courier_read_spool(mailman_mail_t)
')
+optional_policy(`
+ gnome_dontaudit_search_config(mailman_mail_t)
+')
+
optional_policy(`
cron_read_pipes(mailman_mail_t)
')
@@ -182,3 +191,9 @@ optional_policy(`
optional_policy(`
su_exec(mailman_queue_t)
')
+
+tunable_policy(`mailman_use_fusefs',`
+ fs_manage_fusefs_dirs(mailman_domain)
+ fs_manage_fusefs_files(mailman_domain)
+ fs_manage_fusefs_symlinks(mailman_domain)
+')
diff --git a/mailscanner.if b/mailscanner.if
index 214cb4498..bd1d48e4f 100644
--- a/mailscanner.if
+++ b/mailscanner.if
@@ -2,29 +2,27 @@
########################################
##
-## Create, read, write, and delete
-## mscan spool content.
+## Execute a domain transition to run
+## MailScanner.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
#
-interface(`mscan_manage_spool_content',`
+interface(`mailscanner_initrc_domtrans',`
gen_require(`
- type mscan_spool_t;
+ type mscan_initrc_exec_t;
')
- files_search_spool($1)
- manage_dirs_pattern($1, mscan_spool_t, mscan_spool_t)
- manage_files_pattern($1, mscan_spool_t, mscan_spool_t)
+ init_labeled_script_domtrans($1, mscan_initrc_exec_t)
')
########################################
##
-## All of the rules required to
-## administrate an mscan environment
+## All of the rules required to administrate
+## an mailscanner environment.
##
##
##
@@ -38,26 +36,26 @@ interface(`mscan_manage_spool_content',`
##
##
#
-interface(`mscan_admin',`
+interface(`mailscanner_admin',`
gen_require(`
- type mscan_t, mscan_etc_t, mscan_initrc_exec_t;
- type mscan_var_run_t, mscan_spool_t;
+ type mscan_t, mscan_var_run_t, mscan_etc_t;
+ type mscan_initrc_exec_t;
')
- allow $1 mscan_t:process { ptrace signal_perms };
- ps_process_pattern($1, mscan_t)
-
- init_labeled_script_domtrans($1, mscan_initrc_exec_t)
+ mailscanner_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 mscan_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
+ allow $1 mscan_t:process signal_perms;
+ ps_process_pattern($1, mscan_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mscan_t:process ptrace;
+ ')
+
admin_pattern($1, mscan_etc_t)
+ files_list_etc($1)
- files_search_pids($1)
admin_pattern($1, mscan_var_run_t)
-
- files_search_spool($1)
- admin_pattern($1, mscan_spool_t)
+ files_list_pids($1)
')
diff --git a/mailscanner.te b/mailscanner.te
index 6b6e2e130..3fb3393ba 100644
--- a/mailscanner.te
+++ b/mailscanner.te
@@ -29,11 +29,12 @@ files_pid_file(mscan_var_run_t)
# Local policy
#
-allow mscan_t self:capability { setuid chown setgid dac_override };
+allow mscan_t self:capability { setuid chown setgid dac_read_search dac_override };
allow mscan_t self:process signal;
allow mscan_t self:fifo_file rw_fifo_file_perms;
read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
+list_dirs_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t)
files_pid_filetrans(mscan_t, mscan_var_run_t, file)
@@ -72,7 +73,6 @@ corenet_udp_sendrecv_all_ports(mscan_t)
dev_read_urand(mscan_t)
-files_read_usr_files(mscan_t)
fs_getattr_xattr_fs(mscan_t)
@@ -81,10 +81,9 @@ auth_use_nsswitch(mscan_t)
logging_send_syslog_msg(mscan_t)
-miscfiles_read_localization(mscan_t)
-
optional_policy(`
- clamav_domtrans_clamscan(mscan_t)
+ antivirus_domtrans(mscan_t)
+ antivirus_manage_pid(mscan_t)
')
optional_policy(`
@@ -97,5 +96,6 @@ optional_policy(`
')
optional_policy(`
+ spamassassin_read_home_client(mscan_t)
spamassassin_read_lib_files(mscan_t)
')
diff --git a/man2html.fc b/man2html.fc
index 82f625551..368673237 100644
--- a/man2html.fc
+++ b/man2html.fc
@@ -1,5 +1,5 @@
-/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
-/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
-/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
+/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:man2html_script_exec_t,s0)
+/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:man2html_script_exec_t,s0)
+/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:man2html_script_exec_t,s0)
-/var/cache/man2html(/.*)? gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0)
+/var/cache/man2html(/.*)? gen_context(system_u:object_r:man2html_rw_content_t,s0)
diff --git a/man2html.if b/man2html.if
index 54ec04d3b..53eaf61d6 100644
--- a/man2html.if
+++ b/man2html.if
@@ -1 +1,137 @@
## A Unix manpage-to-HTML converter.
+
+########################################
+##
+## Transition to man2html_script.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`man2html_script_domtrans',`
+ gen_require(`
+ type man2html_script_t, man2html_script_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, man2html_script_exec_t, man2html_script_t)
+')
+
+########################################
+##
+## Search man2html_script content directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`man2html_search_content',`
+ gen_require(`
+ type man2html_content_t;
+ type man2html_rw_content_t;
+ ')
+
+ allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+##
+## Read man2html cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`man2html_read_content_files',`
+ gen_require(`
+ type man2html_content_t;
+ type man2html_rw_content_t;
+ ')
+
+ files_search_var($1)
+ allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms;
+ read_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
+ read_files_pattern($1, man2html_content_t, man2html_content_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## man2html content files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`man2html_manage_content_files',`
+ gen_require(`
+ type man2html_content_t;
+ type man2html_rw_content_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
+ manage_files_pattern($1, man2html_content_t, man2html_content_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## man2html content dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`man2html_manage_content_dirs',`
+ gen_require(`
+ type man2html_content_t;
+ type man2html_rw_content_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
+ manage_dirs_pattern($1, man2html_content_t, man2html_content_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an man2html environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`man2html_admin',`
+ gen_require(`
+ type man2html_script_t;
+ type man2html_rw_content_t;
+ type man2html_content_t;
+ ')
+
+ allow $1 man2html_script_t:process { ptrace signal_perms };
+ ps_process_pattern($1, man2html_script_t)
+
+ files_search_var($1)
+ admin_pattern($1, man2html_content_t)
+ admin_pattern($1, man2html_rw_content_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/man2html.te b/man2html.te
index e08c55d43..24b56e9ee 100644
--- a/man2html.te
+++ b/man2html.te
@@ -5,22 +5,18 @@ policy_module(man2html, 1.0.0)
# Declarations
#
-apache_content_template(man2html)
-
-type httpd_man2html_script_cache_t;
-files_type(httpd_man2html_script_cache_t)
########################################
#
-# Local policy
+# man2html_script local policy
#
-manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, dir)
+optional_policy(`
+ apache_content_template(man2html)
+ apache_content_alias_template(man2html, man2html)
-files_read_etc_files(httpd_man2html_script_t)
+ allow man2html_script_t self:process fork;
-miscfiles_read_localization(httpd_man2html_script_t)
-miscfiles_read_man_pages(httpd_man2html_script_t)
+ typealias man2html_rw_content_t alias man2html_script_cache_t;
+ files_var_filetrans(man2html_script_t, man2html_rw_content_t, { dir file })
+')
diff --git a/mandb.fc b/mandb.fc
index 8ae78b5bf..b365cddec 100644
--- a/mandb.fc
+++ b/mandb.fc
@@ -1 +1,12 @@
+HOME_DIR/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0)
+
/etc/cron\.(daily|weekly)/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
+/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
+/var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0)
+/opt/local/share/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0)
+
+/var/lock/man-db\.lock -- gen_context(system_u:object_r:mandb_lock_t,s0)
+
+/root/.manpath -- gen_context(system_u:object_r:mandb_home_t,s0)
diff --git a/mandb.if b/mandb.if
index 327f3f726..d6ae4eab6 100644
--- a/mandb.if
+++ b/mandb.if
@@ -1,14 +1,14 @@
-## On-line manual database.
+
+## policy for mandb
########################################
##
-## Execute the mandb program in
-## the mandb domain.
+## Transition to mandb.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`mandb_domtrans',`
@@ -22,33 +22,45 @@ interface(`mandb_domtrans',`
########################################
##
-## Execute mandb in the mandb
-## domain, and allow the specified
-## role the mandb domain.
+## Search mandb cache directories.
##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
##
##
-##
+#
+interface(`mandb_search_cache',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ allow $1 mandb_cache_t:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+##
+## Read mandb cache files.
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
#
-interface(`mandb_run',`
+interface(`mandb_read_cache_files',`
gen_require(`
- attribute_role mandb_roles;
+ type mandb_cache_t;
')
- lightsquid_domtrans($1)
- roleattribute $2 mandb_roles;
+ files_search_var($1)
+ read_files_pattern($1, mandb_cache_t, mandb_cache_t)
')
########################################
##
-## Search mandb cache directories.
+## Mmap mandb cache files.
##
##
##
@@ -56,13 +68,17 @@ interface(`mandb_run',`
##
##
#
-interface(`mandb_search_cache',`
- refpolicywarn(`$0($*) has been deprecated')
+interface(`mandb_map_cache_files',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ allow $1 mandb_cache_t:file map;
')
########################################
##
-## Delete mandb cache content.
+## Relabel mandb cache files/directories
##
##
##
@@ -70,13 +86,18 @@ interface(`mandb_search_cache',`
##
##
#
-interface(`mandb_delete_cache_content',`
- refpolicywarn(`$0($*) has been deprecated')
+interface(`mandb_relabel_cache',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ allow $1 mandb_cache_t:dir relabel_dir_perms;
+ allow $1 mandb_cache_t:file relabel_file_perms;
')
########################################
##
-## Read mandb cache content.
+## Set attributes on mandb cache files.
##
##
##
@@ -84,8 +105,35 @@ interface(`mandb_delete_cache_content',`
##
##
#
-interface(`mandb_read_cache_content',`
- refpolicywarn(`$0($*) has been deprecated')
+interface(`mandb_setattr_cache_dirs',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 mandb_cache_t:dir setattr;
+')
+
+########################################
+##
+## Delete mandb cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mandb_delete_cache',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 mandb_cache_t:dir list_dir_perms;
+ delete_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
+ delete_files_pattern($1, mandb_cache_t, mandb_cache_t)
+ delete_lnk_files_pattern($1, mandb_cache_t, mandb_cache_t)
')
########################################
@@ -99,37 +147,82 @@ interface(`mandb_read_cache_content',`
##
##
#
-interface(`mandb_manage_cache_content',`
- refpolicywarn(`$0($*) has been deprecated')
+interface(`mandb_manage_cache_files',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, mandb_cache_t, mandb_cache_t)
')
########################################
##
-## All of the rules required to
-## administrate an mandb environment.
+## Manage mandb cache dirs.
##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`mandb_manage_cache_dirs',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
+')
+
+########################################
+##
+## Create configuration files in user
+## home directories with a named file
+## type transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mandb_filetrans_named_home_content',`
+ gen_require(`
+ type mandb_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, mandb_home_t, file, ".manpath")
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an mandb environment
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
-##
#
interface(`mandb_admin',`
gen_require(`
- type mandb_t, mandb_cache_t;
+ type mandb_t;
+ type mandb_cache_t, mandb_lock_t;
')
allow $1 mandb_t:process { ptrace signal_perms };
ps_process_pattern($1, mandb_t)
- mandb_run($1, $2)
+ files_search_var($1)
+ admin_pattern($1, mandb_cache_t)
- # pending
- # miscfiles_manage_man_cache_content(mandb_t)
+ files_search_locks($1)
+ admin_pattern($1, mandb_lock_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/mandb.te b/mandb.te
index e6136fd37..2edabefc3 100644
--- a/mandb.te
+++ b/mandb.te
@@ -10,19 +10,41 @@ roleattribute system_r mandb_roles;
type mandb_t;
type mandb_exec_t;
-application_domain(mandb_t, mandb_exec_t)
+init_daemon_domain(mandb_t, mandb_exec_t)
role mandb_roles types mandb_t;
+type mandb_cache_t;
+files_type(mandb_cache_t)
+
+type mandb_home_t;
+userdom_user_home_content(mandb_home_t)
+
+type mandb_lock_t;
+files_lock_file(mandb_lock_t)
+
########################################
#
# Local policy
#
-allow mandb_t self:capability { setuid setgid };
+allow mandb_t self:capability { dac_read_search dac_override setuid setgid fsetid };
allow mandb_t self:process { setsched signal };
allow mandb_t self:fifo_file rw_fifo_file_perms;
allow mandb_t self:unix_stream_socket create_stream_socket_perms;
+manage_dirs_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file })
+can_exec(mandb_t, mandb_exec_t)
+allow mandb_t mandb_cache_t:file map;
+
+userdom_search_user_home_dirs(mandb_t)
+allow mandb_t mandb_home_t:file read_file_perms;
+
+allow mandb_t mandb_lock_t:file manage_file_perms;
+files_lock_filetrans(mandb_t, mandb_lock_t, file)
+
kernel_read_kernel_sysctls(mandb_t)
kernel_read_system_state(mandb_t)
@@ -33,11 +55,14 @@ dev_search_sysfs(mandb_t)
domain_use_interactive_fds(mandb_t)
-files_read_etc_files(mandb_t)
+files_search_locks(mandb_t)
+files_dontaudit_search_all_mountpoints(mandb_t)
+
+fs_getattr_all_fs(mandb_t)
miscfiles_manage_man_cache(mandb_t)
+miscfiles_setattr_man_pages(mandb_t)
miscfiles_read_man_pages(mandb_t)
-miscfiles_read_localization(mandb_t)
ifdef(`distro_debian',`
optional_policy(`
diff --git a/mcelog.if b/mcelog.if
index f89651e75..c73214d81 100644
--- a/mcelog.if
+++ b/mcelog.if
@@ -19,6 +19,25 @@ interface(`mcelog_domtrans',`
domtrans_pattern($1, mcelog_exec_t, mcelog_t)
')
+######################################
+##
+## Read mcelog logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mcelog_read_log',`
+ gen_require(`
+ type mcelog_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, mcelog_log_t, mcelog_log_t)
+')
+
########################################
##
## All of the rules required to
diff --git a/mcelog.te b/mcelog.te
index 59b3b3dd6..494c4f3a4 100644
--- a/mcelog.te
+++ b/mcelog.te
@@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false)
##
gen_tunable(mcelog_server, false)
-##
-##
-## Determine whether mcelog can use syslog.
-##
-##
-gen_tunable(mcelog_syslog, false)
-
type mcelog_t;
type mcelog_exec_t;
init_daemon_domain(mcelog_t, mcelog_exec_t)
@@ -84,17 +77,21 @@ files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file })
kernel_read_system_state(mcelog_t)
+corecmd_exec_shell(mcelog_t)
+corecmd_exec_bin(mcelog_t)
+
dev_read_raw_memory(mcelog_t)
dev_read_kmsg(mcelog_t)
dev_rw_sysfs(mcelog_t)
-
-files_read_etc_files(mcelog_t)
+dev_rw_cpu_microcode(mcelog_t)
mls_file_read_all_levels(mcelog_t)
+auth_use_nsswitch(mcelog_t)
+
locallogin_use_fds(mcelog_t)
-miscfiles_read_localization(mcelog_t)
+logging_send_syslog_msg(mcelog_t)
tunable_policy(`mcelog_client',`
allow mcelog_t self:unix_stream_socket connectto;
@@ -114,9 +111,6 @@ tunable_policy(`mcelog_server',`
allow mcelog_t self:unix_stream_socket { listen accept };
')
-tunable_policy(`mcelog_syslog',`
- logging_send_syslog_msg(mcelog_t)
-')
optional_policy(`
cron_system_entry(mcelog_t, mcelog_exec_t)
diff --git a/mcollective.fc b/mcollective.fc
new file mode 100644
index 000000000..821bf8822
--- /dev/null
+++ b/mcollective.fc
@@ -0,0 +1,3 @@
+/etc/mcollective/facts\.yaml -- gen_context(system_u:object_r:mcollective_etc_rw_t,s0)
+
+/usr/libexec/mcollective/update_yaml\.rb -- gen_context(system_u:object_r:mcollective_exec_t,s0)
diff --git a/mcollective.if b/mcollective.if
new file mode 100644
index 000000000..3f433f1e2
--- /dev/null
+++ b/mcollective.if
@@ -0,0 +1,109 @@
+
+## policy for mcollective
+
+########################################
+##
+## Execute TEMPLATE in the mcollective domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mcollective_domtrans',`
+ gen_require(`
+ type mcollective_t, mcollective_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mcollective_exec_t, mcollective_t)
+')
+
+########################################
+##
+## Search mcollective conf directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mcollective_search_conf',`
+ gen_require(`
+ type mcollective_etc_rw_t;
+ ')
+
+ allow $1 mcollective_etc_rw_t:dir search_dir_perms;
+ files_search_etc($1)
+')
+
+########################################
+##
+## Read mcollective conf files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mcollective_read_conf_files',`
+ gen_require(`
+ type mcollective_etc_rw_t;
+ ')
+
+ allow $1 mcollective_etc_rw_t:dir list_dir_perms;
+ read_files_pattern($1, mcollective_etc_rw_t, mcollective_etc_rw_t)
+ files_search_etc($1)
+')
+
+########################################
+##
+## Manage mcollective conf files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mcollective_manage_conf_files',`
+ gen_require(`
+ type mcollective_etc_rw_t;
+ ')
+
+ manage_files_pattern($1, mcollective_etc_rw_t, mcollective_etc_rw_t)
+ files_search_etc($1)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an mcollective environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mcollective_admin',`
+ gen_require(`
+ type mcollective_t;
+ type mcollective_etc_rw_t;
+ ')
+
+ allow $1 mcollective_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mcollective_t)
+
+ files_search_etc($1)
+ admin_pattern($1, mcollective_etc_rw_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/mcollective.te b/mcollective.te
new file mode 100644
index 000000000..8bc27f4c5
--- /dev/null
+++ b/mcollective.te
@@ -0,0 +1,27 @@
+policy_module(mcollective, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mcollective_t;
+type mcollective_exec_t;
+init_daemon_domain(mcollective_t, mcollective_exec_t)
+cron_system_entry(mcollective_t, mcollective_exec_t)
+
+type mcollective_etc_rw_t;
+files_type(mcollective_etc_rw_t)
+
+########################################
+#
+# mcollective local policy
+#
+allow mcollective_t self:fifo_file rw_fifo_file_perms;
+allow mcollective_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(mcollective_t, mcollective_etc_rw_t, mcollective_etc_rw_t)
+files_etc_filetrans(mcollective_t, mcollective_etc_rw_t, file, "facts.yaml")
+
+domain_use_interactive_fds(mcollective_t)
+
diff --git a/mediawiki.fc b/mediawiki.fc
index 99f7c4187..174560318 100644
--- a/mediawiki.fc
+++ b/mediawiki.fc
@@ -1,8 +1,8 @@
-/usr/lib/mediawiki/math/texvc -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
-/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
-/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+/usr/lib/mediawiki/math/texvc -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
+/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
+/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
-/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
+/usr/share/mediawiki[0-9]?(/.*)? gen_context(system_u:object_r:mediawiki_content_t,s0)
-/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
-/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
+/var/www/wiki[0-9]?(/.*)? gen_context(system_u:object_r:mediawiki_rw_content_t,s0)
+/var/www/wiki[0-9]?\.php -- gen_context(system_u:object_r:mediawiki_content_t,s0)
diff --git a/mediawiki.if b/mediawiki.if
index 9771b4ba3..9b183e62b 100644
--- a/mediawiki.if
+++ b/mediawiki.if
@@ -1 +1,40 @@
-## Open source wiki package written in PHP.
+## Mediawiki policy
+
+#######################################
+##
+## Allow the specified domain to read
+## mediawiki tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mediawiki_read_tmp_files',`
+ gen_require(`
+ type mediawiki_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
+ read_lnk_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
+')
+
+#######################################
+##
+## Delete mediawiki tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mediawiki_delete_tmp_files',`
+ gen_require(`
+ type mediawiki_tmp_t;
+ ')
+
+ delete_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
+')
diff --git a/mediawiki.te b/mediawiki.te
index c528b9fa7..f577a7fa6 100644
--- a/mediawiki.te
+++ b/mediawiki.te
@@ -5,13 +5,29 @@ policy_module(mediawiki, 1.0.0)
# Declarations
#
-apache_content_template(mediawiki)
+type mediawiki_tmp_t;
+files_tmp_file(mediawiki_tmp_t)
########################################
#
# Local policy
#
-files_search_var_lib(httpd_mediawiki_script_t)
+optional_policy(`
-miscfiles_read_tetex_data(httpd_mediawiki_script_t)
+ apache_content_template(mediawiki)
+ apache_content_alias_template(mediawiki, mediawiki)
+
+ manage_dirs_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
+ manage_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
+ manage_sock_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
+ manage_lnk_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
+ files_tmp_filetrans(mediawiki_script_t, mediawiki_tmp_t, { file dir lnk_file })
+
+ files_search_var_lib(mediawiki_script_t)
+
+ miscfiles_read_tetex_data(mediawiki_script_t)
+
+ auth_read_passwd(mediawiki_script_t)
+
+')
diff --git a/memcached.if b/memcached.if
index 1d4eb19b8..650014e0f 100644
--- a/memcached.if
+++ b/memcached.if
@@ -1,4 +1,4 @@
-## High-performance memory object caching system.
+## high-performance memory object caching system
########################################
##
@@ -12,17 +12,16 @@
#
interface(`memcached_domtrans',`
gen_require(`
- type memcached_t,memcached_exec_t;
+ type memcached_t;
+ type memcached_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, memcached_exec_t, memcached_t)
')
########################################
##
-## Create, read, write, and delete
-## memcached pid files.
+## Read memcached PID files.
##
##
##
@@ -30,18 +29,18 @@ interface(`memcached_domtrans',`
##
##
#
-interface(`memcached_manage_pid_files',`
+interface(`memcached_read_pid_files',`
gen_require(`
type memcached_var_run_t;
')
files_search_pids($1)
- manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)
+ allow $1 memcached_var_run_t:file read_file_perms;
')
########################################
##
-## Read memcached pid files.
+## Manage memcached PID files
##
##
##
@@ -49,19 +48,18 @@ interface(`memcached_manage_pid_files',`
##
##
#
-interface(`memcached_read_pid_files',`
+interface(`memcached_manage_pid_files',`
gen_require(`
type memcached_var_run_t;
')
files_search_pids($1)
- allow $1 memcached_var_run_t:file read_file_perms;
+ manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)
')
########################################
##
-## Connect to memcached using a unix
-## domain stream socket.
+## Connect to memcached over a unix stream socket.
##
##
##
@@ -80,29 +78,8 @@ interface(`memcached_stream_connect',`
########################################
##
-## Connect to memcache over the network.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`memcached_tcp_connect',`
- gen_require(`
- type memcached_t;
- ')
-
- corenet_sendrecv_memcache_client_packets($1)
- corenet_tcp_connect_memcache_port($1)
- corenet_tcp_recvfrom_labeled($1, memcached_t)
- corenet_tcp_sendrecv_memcache_port($1)
-')
-
-########################################
-##
-## All of the rules required to
-## administrate an memcached environment.
+## All of the rules required to administrate
+## an memcached environment
##
##
##
@@ -111,7 +88,7 @@ interface(`memcached_tcp_connect',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the memcached domain.
##
##
##
@@ -121,14 +98,17 @@ interface(`memcached_admin',`
type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;
')
- allow $1 memcached_t:process { ptrace signal_perms };
+ allow $1 memcached_t:process signal_perms;
ps_process_pattern($1, memcached_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 memcached_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, memcached_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 memcached_initrc_exec_t system_r;
allow $2 system_r;
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, memcached_var_run_t)
')
diff --git a/memcached.te b/memcached.te
index 29b752160..5000dd91c 100644
--- a/memcached.te
+++ b/memcached.te
@@ -8,6 +8,7 @@ policy_module(memcached, 1.3.1)
type memcached_t;
type memcached_exec_t;
init_daemon_domain(memcached_t, memcached_exec_t)
+init_nnp_daemon_domain(memcached_t)
type memcached_initrc_exec_t;
init_script_file(memcached_initrc_exec_t)
@@ -20,7 +21,7 @@ files_pid_file(memcached_var_run_t)
# Local policy
#
-allow memcached_t self:capability { setuid setgid };
+allow memcached_t self:capability { setuid setgid sys_resource };
dontaudit memcached_t self:capability sys_tty_config;
allow memcached_t self:process { setrlimit signal_perms };
allow memcached_t self:tcp_socket { accept listen };
@@ -28,6 +29,8 @@ allow memcached_t self:udp_socket { accept listen };
allow memcached_t self:fifo_file rw_fifo_file_perms;
allow memcached_t self:unix_stream_socket create_stream_socket_perms;
+allow memcached_t memcached_exec_t:file map;
+
manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
manage_sock_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
@@ -59,4 +62,3 @@ term_dontaudit_use_console(memcached_t)
auth_use_nsswitch(memcached_t)
-miscfiles_read_localization(memcached_t)
diff --git a/milter.fc b/milter.fc
index 89409ebbc..67e42f6a9 100644
--- a/milter.fc
+++ b/milter.fc
@@ -1,18 +1,29 @@
+/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/opendmarc -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
-/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
-/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
-/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
-/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
+/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
-/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/run/opendmarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
-/var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
-/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
-/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
-/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
/var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/spool/opendmarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/milter.if b/milter.if
index cba62db12..562833a81 100644
--- a/milter.if
+++ b/milter.if
@@ -1,47 +1,43 @@
-## Milter mail filters.
+## Milter mail filters
-#######################################
+########################################
##
-## The template to define a milter domain.
+## Create a set of derived types for various
+## mail filter applications using the milter interface.
##
-##
+##
##
-## Domain prefix to be used.
+## The name to be used for deriving type names.
##
##
#
template(`milter_template',`
+ # attributes common to all milters
gen_require(`
attribute milter_data_type, milter_domains;
')
- ########################################
- #
- # Declarations
- #
-
type $1_milter_t, milter_domains;
type $1_milter_exec_t;
init_daemon_domain($1_milter_t, $1_milter_exec_t)
+ role system_r types $1_milter_t;
+ # Type for the milter data (e.g. the socket used to communicate with the MTA)
type $1_milter_data_t, milter_data_type;
files_pid_file($1_milter_data_t)
- ########################################
- #
- # Policy
- #
+ # Allow communication with MTA over a unix-domain socket
+ manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+ # Create other data files and directories in the data directory
manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
- manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
- auth_use_nsswitch($1_milter_t)
+ logging_send_syslog_msg($1_milter_t)
')
########################################
##
-## connect to all milter domains using
-## a unix domain stream socket.
+## MTA communication with milter sockets
##
##
##
@@ -55,12 +51,13 @@ interface(`milter_stream_connect_all',`
')
files_search_pids($1)
+ getattr_dirs_pattern($1, milter_data_type, milter_data_type)
stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
')
########################################
##
-## Get attributes of all milter sock files.
+## Allow getattr of milter sockets
##
##
##
@@ -73,13 +70,31 @@ interface(`milter_getattr_all_sockets',`
attribute milter_data_type;
')
+ getattr_dirs_pattern($1, milter_data_type, milter_data_type)
getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
')
########################################
##
-## Create, read, write, and delete
-## spamassissin milter data content.
+## Allow setattr of milter dirs
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`milter_setattr_all_dirs',`
+ gen_require(`
+ attribute milter_data_type;
+ ')
+
+ setattr_dirs_pattern($1, milter_data_type, milter_data_type)
+')
+
+########################################
+##
+## Manage spamassassin milter state
##
##
##
@@ -97,3 +112,22 @@ interface(`milter_manage_spamass_state',`
manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
')
+
+#######################################
+##
+## Delete dkim-milter PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`milter_delete_dkim_pid_files',`
+ gen_require(`
+ type dkim_milter_data_t;
+ ')
+
+ files_search_pids($1)
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+')
diff --git a/milter.te b/milter.te
index 4dc99f464..48e3f3813 100644
--- a/milter.te
+++ b/milter.te
@@ -5,73 +5,117 @@ policy_module(milter, 1.5.0)
# Declarations
#
+# attributes common to all milters
attribute milter_domains;
attribute milter_data_type;
+# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter
+milter_template(dkim)
+
+# type for the private key of dkim-milter
+type dkim_milter_private_key_t;
+files_type(dkim_milter_private_key_t)
+
+type dkim_milter_tmp_t;
+files_tmp_file(dkim_milter_tmp_t)
+
+# currently-supported milters are milter-greylist, milter-regex and spamass-milter
milter_template(greylist)
milter_template(regex)
milter_template(spamass)
+# Type for the spamass-milter home directory, under which spamassassin will
+# store system-wide preferences, bayes databases etc. if not configured to
+# use per-user configuration
type spamass_milter_state_t;
files_type(spamass_milter_state_t)
+
#######################################
#
-# Common local policy
+# milter domains local policy
#
+# Allow communication with MTA over a unix-domain socket
+# Note: usage with TCP sockets requires additional policy
+
allow milter_domains self:fifo_file rw_fifo_file_perms;
-allow milter_domains self:tcp_socket { accept listen };
+
+allow milter_domains self:process signull;
+
+# Allow communication with MTA over a TCP socket
+allow milter_domains self:tcp_socket create_stream_socket_perms;
kernel_dontaudit_read_system_state(milter_domains)
-corenet_all_recvfrom_unlabeled(milter_domains)
-corenet_all_recvfrom_netlabel(milter_domains)
-corenet_tcp_sendrecv_generic_if(milter_domains)
-corenet_tcp_sendrecv_generic_node(milter_domains)
corenet_tcp_bind_generic_node(milter_domains)
-
corenet_tcp_bind_milter_port(milter_domains)
-corenet_tcp_sendrecv_all_ports(milter_domains)
-miscfiles_read_localization(milter_domains)
+dev_read_rand(milter_domains)
+dev_read_urand(milter_domains)
+
+mta_read_config(milter_domains)
+
+sysnet_read_config(greylist_milter_t)
+
+#######################################
+#
+# dkim-milter local policy
+#
+
+allow dkim_milter_t self:capability { kill setgid setuid };
+allow dkim_milter_t self:process signal;
+allow dkim_milter_t self:tcp_socket create_stream_socket_perms;
+allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
-logging_send_syslog_msg(milter_domains)
+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
+
+manage_files_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t)
+manage_dirs_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t)
+files_tmp_filetrans(dkim_milter_t, dkim_milter_tmp_t, { dir file })
+
+kernel_read_kernel_sysctls(dkim_milter_t)
+
+corenet_udp_bind_all_ports(dkim_milter_t)
+
+auth_use_nsswitch(dkim_milter_t)
+
+sysnet_dns_name_resolve(dkim_milter_t)
########################################
#
-# greylist local policy
+# milter-greylist local policy
+# ensure smtp clients retry mail like real MTAs and not spamware
+# http://hcpnet.free.fr/milter-greylist/
#
-allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
+# It removes any existing socket (not owned by root) whilst running as root,
+# fixes permissions, renices itself and then calls setgid() and setuid() to
+# drop privileges
+allow greylist_milter_t self:capability { chown dac_read_search dac_override setgid setuid sys_nice };
allow greylist_milter_t self:process { setsched getsched };
+allow greylist_milter_t self:tcp_socket create_stream_socket_perms;
+
+# It creates a pid file /var/run/milter-greylist.pid
files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
kernel_read_kernel_sysctls(greylist_milter_t)
-corenet_sendrecv_movaz_ssc_server_packets(greylist_milter_t)
-corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
-corenet_sendrecv_movaz_ssc_client_packets(greylist_milter_t)
-corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
-corenet_tcp_sendrecv_movaz_ssc_port(greylist_milter_t)
-
-corenet_sendrecv_kismet_server_packets(greylist_milter_t)
-corenet_tcp_bind_kismet_port(greylist_milter_t)
-corenet_tcp_sendrecv_kismet_port(greylist_milter_t)
-
corecmd_exec_bin(greylist_milter_t)
corecmd_exec_shell(greylist_milter_t)
-dev_read_rand(greylist_milter_t)
-dev_read_urand(greylist_milter_t)
+corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
+corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
+corenet_tcp_bind_rtsclient_port(greylist_milter_t)
-files_read_usr_files(greylist_milter_t)
+# perl getgroups() reads a bunch of files in /etc
+# Allow the milter to read a GeoIP database in /usr/share
+# The milter runs from /var/lib/milter-greylist and maintains files there
files_search_var_lib(greylist_milter_t)
-mta_read_config(greylist_milter_t)
-
-miscfiles_read_localization(greylist_milter_t)
+# Look up username for dropping privs
+auth_use_nsswitch(greylist_milter_t)
optional_policy(`
mysql_stream_connect(greylist_milter_t)
@@ -79,30 +123,45 @@ optional_policy(`
########################################
#
-# regex local policy
+# milter-regex local policy
+# filter emails using regular expressions
+# http://www.benzedrine.cx/milter-regex.html
#
-allow regex_milter_t self:capability { setuid setgid dac_override };
+# It removes any existing socket (not owned by root) whilst running as root
+# and then calls setgid() and setuid() to drop privileges
+allow regex_milter_t self:capability { setuid setgid dac_read_search dac_override };
+# The milter's socket directory lives under /var/spool
files_search_spool(regex_milter_t)
-mta_read_config(regex_milter_t)
+# Look up username for dropping privs
+auth_use_nsswitch(regex_milter_t)
########################################
#
-# spamass local policy
+# spamass-milter local policy
+# pipe emails through SpamAssassin
+# http://savannah.nongnu.org/projects/spamass-milt/
#
+# The milter runs from /var/lib/spamass-milter
allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+files_search_var_lib(spamass_milter_t)
kernel_read_system_state(spamass_milter_t)
+# When used with -b or -B options, the milter invokes sendmail to send mail
+# to a spamtrap address, using popen()
corecmd_exec_shell(spamass_milter_t)
+corecmd_read_bin_symlinks(spamass_milter_t)
+corecmd_search_bin(spamass_milter_t)
-files_search_var_lib(spamass_milter_t)
+auth_use_nsswitch(spamass_milter_t)
mta_send_mail(spamass_milter_t)
+# The main job of the milter is to pipe spam through spamc and act on the result
optional_policy(`
spamassassin_domtrans_client(spamass_milter_t)
')
diff --git a/minissdpd.if b/minissdpd.if
index b3301610f..54509375e 100644
--- a/minissdpd.if
+++ b/minissdpd.if
@@ -39,10 +39,10 @@ interface(`minissdpd_read_config',`
interface(`minissdpd_admin',`
gen_require(`
type minissdpd_t, minissdpd_initrc_exec_t, minissdpd_conf_t;
- type minissdpd_var_run_t
+ type minissdpd_var_run_t;
')
- allow $1 minissdpd_t:process { ptrace signal_perms };
+ allow $1 minissdpd_t:process { signal_perms };
ps_process_pattern($1, minissdpd_t)
init_labeled_script_domtrans($1, minissdpd_initrc_exec_t)
diff --git a/mip6d.fc b/mip6d.fc
new file mode 100644
index 000000000..767bbad7b
--- /dev/null
+++ b/mip6d.fc
@@ -0,0 +1,3 @@
+/usr/lib/systemd/system/mip6d.* -- gen_context(system_u:object_r:mip6d_unit_file_t,s0)
+
+/usr/sbin/mip6d -- gen_context(system_u:object_r:mip6d_exec_t,s0)
diff --git a/mip6d.if b/mip6d.if
new file mode 100644
index 000000000..861b486dc
--- /dev/null
+++ b/mip6d.if
@@ -0,0 +1,80 @@
+
+## Mobile IPv6 and NEMO Basic Support implementation
+
+########################################
+##
+## Execute TEMPLATE in the mip6d domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mip6d_domtrans',`
+ gen_require(`
+ type mip6d_t, mip6d_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mip6d_exec_t, mip6d_t)
+')
+########################################
+##
+## Execute mip6d server in the mip6d domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mip6d_systemctl',`
+ gen_require(`
+ type mip6d_t;
+ type mip6d_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 mip6d_unit_file_t:file read_file_perms;
+ allow $1 mip6d_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, mip6d_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an mip6d environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mip6d_admin',`
+ gen_require(`
+ type mip6d_t;
+ type mip6d_unit_file_t;
+ ')
+
+ allow $1 mip6d_t:process { signal_perms };
+ ps_process_pattern($1, mip6d_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mip6d_t:process ptrace;
+ ')
+
+ mip6d_systemctl($1)
+ admin_pattern($1, mip6d_unit_file_t)
+ allow $1 mip6d_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/mip6d.te b/mip6d.te
new file mode 100644
index 000000000..0f290e9d4
--- /dev/null
+++ b/mip6d.te
@@ -0,0 +1,33 @@
+policy_module(mip6d, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mip6d_t;
+type mip6d_exec_t;
+init_daemon_domain(mip6d_t, mip6d_exec_t)
+
+type mip6d_unit_file_t;
+systemd_unit_file(mip6d_unit_file_t)
+
+########################################
+#
+# mip6d local policy
+#
+allow mip6d_t self:capability { net_admin net_raw };
+allow mip6d_t self:process { setpgid fork signal };
+allow mip6d_t self:netlink_route_socket create_netlink_socket_perms;
+allow mip6d_t self:netlink_xfrm_socket create_netlink_socket_perms;
+allow mip6d_t self:rawip_socket create_socket_perms;
+allow mip6d_t self:udp_socket create_socket_perms;
+allow mip6d_t self:fifo_file rw_fifo_file_perms;
+allow mip6d_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_rw_net_sysctls(mip6d_t)
+kernel_read_network_state(mip6d_t)
+kernel_request_load_module(mip6d_t)
+
+logging_send_syslog_msg(mip6d_t)
+
diff --git a/mirrormanager.fc b/mirrormanager.fc
new file mode 100644
index 000000000..abd53a4c7
--- /dev/null
+++ b/mirrormanager.fc
@@ -0,0 +1,7 @@
+/usr/share/mirrormanager/server/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_exec_t,s0)
+
+/var/lib/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_lib_t,s0)
+
+/var/log/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_log_t,s0)
+
+/var/run/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_run_t,s0)
diff --git a/mirrormanager.if b/mirrormanager.if
new file mode 100644
index 000000000..86467cffb
--- /dev/null
+++ b/mirrormanager.if
@@ -0,0 +1,256 @@
+
+## policy for mirrormanager
+
+########################################
+##
+## Execute mirrormanager in the mirrormanager domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mirrormanager_domtrans',`
+ gen_require(`
+ type mirrormanager_t, mirrormanager_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mirrormanager_exec_t, mirrormanager_t)
+')
+
+########################################
+##
+## Read mirrormanager's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mirrormanager_read_log',`
+ gen_require(`
+ type mirrormanager_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
+')
+
+########################################
+##
+## Append to mirrormanager log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mirrormanager_append_log',`
+ gen_require(`
+ type mirrormanager_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
+')
+
+########################################
+##
+## Manage mirrormanager log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mirrormanager_manage_log',`
+ gen_require(`
+ type mirrormanager_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
+ manage_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
+ manage_lnk_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
+')
+
+########################################
+##
+## Search mirrormanager lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mirrormanager_search_lib',`
+ gen_require(`
+ type mirrormanager_var_lib_t;
+ ')
+
+ allow $1 mirrormanager_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read mirrormanager lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mirrormanager_read_lib_files',`
+ gen_require(`
+ type mirrormanager_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ list_dirs_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+ read_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+')
+
+########################################
+##
+## Manage mirrormanager lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mirrormanager_manage_lib_files',`
+ gen_require(`
+ type mirrormanager_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+')
+
+########################################
+##
+## Manage mirrormanager lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mirrormanager_manage_lib_dirs',`
+ gen_require(`
+ type mirrormanager_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+')
+
+########################################
+##
+## Read mirrormanager PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mirrormanager_read_pid_files',`
+ gen_require(`
+ type mirrormanager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
+')
+
+########################################
+##
+## Manage mirrormanager PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mirrormanager_manage_pid_files',`
+ gen_require(`
+ type mirrormanager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
+')
+
+########################################
+##
+## Manage mirrormanager PID sock files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mirrormanager_manage_pid_sock_files',`
+ gen_require(`
+ type mirrormanager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_sock_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an mirrormanager environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mirrormanager_admin',`
+ gen_require(`
+ type mirrormanager_t;
+ type mirrormanager_log_t;
+ type mirrormanager_var_lib_t;
+ type mirrormanager_var_run_t;
+ ')
+
+ allow $1 mirrormanager_t:process { signal_perms };
+ ps_process_pattern($1, mirrormanager_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mirrormanager_t:process ptrace;
+ ')
+
+ logging_search_logs($1)
+ admin_pattern($1, mirrormanager_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, mirrormanager_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, mirrormanager_var_run_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/mirrormanager.te b/mirrormanager.te
new file mode 100644
index 000000000..2e3289ed3
--- /dev/null
+++ b/mirrormanager.te
@@ -0,0 +1,46 @@
+policy_module(mirrormanager, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mirrormanager_t;
+type mirrormanager_exec_t;
+application_domain(mirrormanager_t, mirrormanager_exec_t)
+
+type mirrormanager_log_t;
+logging_log_file(mirrormanager_log_t)
+
+type mirrormanager_var_lib_t;
+files_type(mirrormanager_var_lib_t)
+
+type mirrormanager_var_run_t;
+files_pid_file(mirrormanager_var_run_t)
+
+########################################
+#
+# mirrormanager local policy
+#
+
+allow mirrormanager_t self:fifo_file rw_fifo_file_perms;
+allow mirrormanager_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t)
+manage_files_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t)
+manage_lnk_files_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t)
+logging_log_filetrans(mirrormanager_t, mirrormanager_log_t, { dir })
+
+manage_dirs_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+manage_files_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+files_var_lib_filetrans(mirrormanager_t, mirrormanager_var_lib_t, { dir })
+
+manage_dirs_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
+manage_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
+manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
+files_pid_filetrans(mirrormanager_t, mirrormanager_var_run_t, { dir })
+
+optional_policy(`
+ cron_system_entry(mirrormanager_t, mirrormanager_exec_t)
+')
diff --git a/mock.fc b/mock.fc
new file mode 100644
index 000000000..394bc4658
--- /dev/null
+++ b/mock.fc
@@ -0,0 +1,7 @@
+
+/usr/sbin/mock -- gen_context(system_u:object_r:mock_exec_t,s0)
+
+/usr/libexec/mock/mock -- gen_context(system_u:object_r:mock_exec_t,s0)
+
+/var/lib/mock(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0)
+/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
diff --git a/mock.if b/mock.if
new file mode 100644
index 000000000..f5b98e6de
--- /dev/null
+++ b/mock.if
@@ -0,0 +1,311 @@
+## policy for mock
+
+########################################
+##
+## Execute a domain transition to run mock.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mock_domtrans',`
+ gen_require(`
+ type mock_t, mock_exec_t;
+ ')
+
+ domtrans_pattern($1, mock_exec_t, mock_t)
+')
+
+########################################
+##
+## Search mock lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mock_search_lib',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ allow $1 mock_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read mock lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mock_read_lib_files',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ list_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
+ read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+##
+## Getattr on mock lib file,dir,sock_file ...
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mock_getattr_lib',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ allow $1 mock_var_lib_t:dir_file_class_set getattr;
+')
+
+########################################
+##
+## Create, read, write, and delete
+## mock lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mock_manage_lib_files',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+##
+## Manage mock lib dirs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mock_manage_lib_dirs',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+#########################################
+##
+## Manage mock lib symlinks.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mock_manage_lib_symlinks',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+##
+## Manage mock lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mock_manage_lib_chr_files',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+##
+## Manage mock lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mock_dontaudit_write_lib_chr_files',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ dontaudit $1 mock_var_lib_t:chr_file write;
+')
+
+#######################################
+##
+## Dontaudit read and write an leaked file descriptors
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`mock_dontaudit_leaks',`
+ gen_require(`
+ type mock_tmp_t;
+ ')
+
+ dontaudit $1 mock_tmp_t:file rw_inherited_file_perms;
+')
+
+########################################
+##
+## Execute mock in the mock domain, and
+## allow the specified role the mock domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the mock domain.
+##
+##
+##
+#
+interface(`mock_run',`
+ gen_require(`
+ type mock_t;
+ type mock_build_t;
+ ')
+
+ mock_domtrans($1)
+ role $2 types mock_t;
+ role $2 types mock_build_t;
+
+ mount_run(mock_t, $2)
+')
+
+########################################
+##
+## Role access for mock
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+##
+#
+interface(`mock_role',`
+ gen_require(`
+ type mock_t;
+ ')
+
+ role $1 types mock_t;
+
+ mock_run($2, $1)
+
+ ps_process_pattern($2, mock_t)
+ allow $2 mock_t:process signal_perms;
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 mock_t:process ptrace;
+ ')
+
+ optional_policy(`
+ mock_read_lib_files($2)
+ ')
+')
+
+#######################################
+##
+## Send a generic signal to mock.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mock_signal',`
+ gen_require(`
+ type mock_t;
+ ')
+
+ allow $1 mock_t:process signal;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an mock environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mock_admin',`
+ gen_require(`
+ type mock_t, mock_var_lib_t;
+ type mock_build_t, mock_etc_t, mock_tmp_t;
+ ')
+
+ allow $1 mock_t:process signal_perms;
+ ps_process_pattern($1, mock_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mock_t:process ptrace;
+ allow $1 mock_build_t:process ptrace;
+ ')
+
+ allow $1 mock_build_t:process signal_perms;
+ ps_process_pattern($1, mock_build_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, mock_var_lib_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, mock_tmp_t)
+
+ files_search_etc($1)
+ admin_pattern($1, mock_etc_t)
+')
diff --git a/mock.te b/mock.te
new file mode 100644
index 000000000..f647022cb
--- /dev/null
+++ b/mock.te
@@ -0,0 +1,288 @@
+policy_module(mock,1.0.0)
+
+##
+##
+## Allow mock to read files in home directories.
+##
+##
+gen_tunable(mock_enable_homedirs, false)
+
+########################################
+#
+# Declarations
+#
+
+type mock_t;
+type mock_exec_t;
+application_domain(mock_t, mock_exec_t)
+domain_role_change_exemption(mock_t)
+domain_system_change_exemption(mock_t)
+role system_r types mock_t;
+
+type mock_build_t;
+type mock_build_exec_t;
+application_domain(mock_build_t, mock_build_exec_t)
+role system_r types mock_build_t;
+
+type mock_cache_t;
+files_type(mock_cache_t)
+
+type mock_tmp_t;
+files_tmp_file(mock_tmp_t)
+
+type mock_var_lib_t;
+files_type(mock_var_lib_t)
+
+type mock_var_run_t;
+files_pid_file(mock_var_run_t)
+
+type mock_etc_t;
+files_config_file(mock_etc_t)
+
+########################################
+#
+# mock local policy
+#
+
+allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_read_search dac_override sys_nice mknod fsetid setgid fowner };
+allow mock_t self:capability2 block_suspend;
+allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid };
+# Needed because mock can run java and mono withing build environment
+allow mock_t self:process { execmem execstack };
+dontaudit mock_t self:process { siginh noatsecure rlimitinh };
+allow mock_t self:fifo_file manage_fifo_file_perms;
+allow mock_t self:unix_stream_socket create_stream_socket_perms;
+allow mock_t self:unix_dgram_socket create_socket_perms;
+
+allow mock_t mock_build_t:process { siginh noatsecure rlimitinh };
+
+manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t)
+manage_files_pattern(mock_t, mock_cache_t, mock_cache_t)
+manage_lnk_files_pattern(mock_t, mock_cache_t, mock_cache_t)
+files_var_filetrans(mock_t, mock_cache_t, { dir file } )
+
+read_files_pattern(mock_t, mock_etc_t, mock_etc_t)
+read_lnk_files_pattern(mock_t, mock_etc_t, mock_etc_t)
+
+manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t)
+manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
+manage_lnk_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
+files_tmp_filetrans(mock_t, mock_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_blk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file })
+allow mock_t mock_var_lib_t:dir mounton;
+allow mock_t mock_var_lib_t:dir relabel_dir_perms;
+allow mock_t mock_var_lib_t:file relabel_file_perms;
+
+manage_files_pattern(mock_t, mock_var_run_t, mock_var_run_t)
+manage_dirs_pattern(mock_t, mock_var_run_t, mock_var_run_t)
+manage_sock_files_pattern(mock_t, mock_var_run_t, mock_var_run_t)
+manage_lnk_files_pattern(mock_t, mock_var_run_t, mock_var_run_t)
+files_pid_filetrans(mock_t, mock_var_run_t, { file dir sock_file })
+
+kernel_read_irq_sysctls(mock_t)
+kernel_read_system_state(mock_t)
+kernel_read_network_state(mock_t)
+kernel_read_kernel_sysctls(mock_t)
+kernel_request_load_module(mock_t)
+kernel_dontaudit_setattr_proc_dirs(mock_t)
+kernel_read_fs_sysctls(mock_t)
+# we run mount in mock_t
+kernel_mount_proc(mock_t)
+kernel_unmount_proc(mock_t)
+
+fs_mount_tmpfs(mock_t)
+fs_unmount_tmpfs(mock_t)
+fs_unmount_xattr_fs(mock_t)
+
+corecmd_exec_bin(mock_t)
+corecmd_exec_shell(mock_t)
+corecmd_dontaudit_exec_all_executables(mock_t)
+
+corenet_tcp_connect_git_port(mock_t)
+corenet_tcp_connect_http_port(mock_t)
+corenet_tcp_connect_ftp_port(mock_t)
+corenet_tcp_connect_all_ephemeral_ports(mock_t)
+
+dev_read_urand(mock_t)
+dev_rw_sysfs(mock_t)
+dev_setattr_sysfs_dirs(mock_t)
+dev_mount_sysfs_fs(mock_t)
+dev_unmount_sysfs_fs(mock_t)
+
+domain_read_all_domains_state(mock_t)
+domain_use_interactive_fds(mock_t)
+
+files_read_etc_runtime_files(mock_t)
+files_dontaudit_list_boot(mock_t)
+files_list_isid_type_dirs(mock_t)
+
+fs_getattr_all_fs(mock_t)
+fs_manage_cgroup_dirs(mock_t)
+fs_search_all(mock_t)
+fs_setattr_tmpfs_dirs(mock_t)
+
+selinux_get_enforce_mode(mock_t)
+
+term_search_ptys(mock_t)
+term_use_generic_ptys(mock_t)
+term_mount_pty_fs(mock_t)
+term_unmount_pty_fs(mock_t)
+term_use_ptmx(mock_t)
+
+auth_use_nsswitch(mock_t)
+
+init_exec(mock_t)
+init_dontaudit_stream_connect(mock_t)
+
+libs_exec_ldconfig(mock_t)
+
+logging_send_audit_msgs(mock_t)
+logging_send_syslog_msg(mock_t)
+
+lvm_manage_lock(mock_t)
+lvm_read_config(mock_t)
+lvm_read_metadata(mock_t)
+lvm_getattr_exec_files(mock_t)
+
+miscfiles_dontaudit_write_generic_cert_files(mock_t)
+
+userdom_use_user_ptys(mock_t)
+userdom_use_user_ttys(mock_t)
+
+files_search_home(mock_t)
+
+tunable_policy(`mock_enable_homedirs',`
+ userdom_manage_user_home_content_dirs(mock_t)
+ userdom_manage_user_home_content_files(mock_t)
+')
+
+tunable_policy(`mock_enable_homedirs && use_nfs_home_dirs',`
+ rpc_search_nfs_state_data(mock_t)
+ fs_list_auto_mountpoints(mock_t)
+ fs_manage_nfs_files(mock_t)
+')
+
+tunable_policy(`mock_enable_homedirs && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(mock_t)
+ fs_read_cifs_files(mock_t)
+ fs_manage_cifs_files(mock_t)
+')
+
+optional_policy(`
+ abrt_read_spool_retrace(mock_t)
+ abrt_read_cache_retrace(mock_t)
+ abrt_stream_connect(mock_t)
+')
+
+optional_policy(`
+ apache_read_sys_content_rw_files(mock_t)
+')
+
+optional_policy(`
+ rpm_exec(mock_t)
+ rpm_manage_cache(mock_t)
+ rpm_manage_db(mock_t)
+ rpm_manage_tmp_files(mock_t)
+ rpm_read_log(mock_t)
+')
+
+optional_policy(`
+ mount_exec(mock_t)
+ mount_rw_pid_files(mock_t)
+')
+
+
+########################################
+#
+# mock_build local policy
+#
+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_read_search dac_override sys_nice mknod fsetid setgid fowner sys_ptrace };
+dontaudit mock_build_t self:capability audit_write;
+allow mock_build_t self:process { fork setsched setpgid signal_perms };
+allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
+# Needed because mock can run java and mono withing build environment
+allow mock_build_t self:process { execmem execstack };
+dontaudit mock_build_t self:process { siginh noatsecure rlimitinh };
+allow mock_build_t self:fifo_file manage_fifo_file_perms;
+allow mock_build_t self:unix_stream_socket create_stream_socket_perms;
+allow mock_build_t self:unix_dgram_socket create_socket_perms;
+allow mock_build_t self:dir list_dir_perms;
+allow mock_build_t self:dir read_file_perms;
+
+ps_process_pattern(mock_t, mock_build_t)
+allow mock_t mock_build_t:process signal_perms;
+domtrans_pattern(mock_t, mock_build_exec_t, mock_build_t)
+domtrans_pattern(mock_t, mock_tmp_t, mock_build_t)
+domain_entry_file(mock_build_t, mock_tmp_t)
+domtrans_pattern(mock_t, mock_var_lib_t, mock_build_t)
+domain_entry_file(mock_build_t, mock_var_lib_t)
+
+manage_dirs_pattern(mock_build_t, mock_cache_t, mock_cache_t)
+manage_files_pattern(mock_build_t, mock_cache_t, mock_cache_t)
+manage_lnk_files_pattern(mock_build_t, mock_cache_t, mock_cache_t)
+files_var_filetrans(mock_build_t, mock_cache_t, { dir file } )
+
+manage_dirs_pattern(mock_build_t, mock_tmp_t, mock_tmp_t)
+manage_files_pattern(mock_build_t, mock_tmp_t, mock_tmp_t)
+files_tmp_filetrans(mock_build_t, mock_tmp_t, { dir file })
+can_exec(mock_build_t, mock_tmp_t)
+
+manage_dirs_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+manage_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+manage_lnk_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+manage_blk_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+manage_chr_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+files_var_lib_filetrans(mock_build_t, mock_var_lib_t, { dir file })
+can_exec(mock_build_t, mock_var_lib_t)
+allow mock_build_t mock_var_lib_t:dir mounton;
+allow mock_build_t mock_var_lib_t:dir relabel_dir_perms;
+allow mock_build_t mock_var_lib_t:file relabel_file_perms;
+
+kernel_list_proc(mock_build_t)
+kernel_read_irq_sysctls(mock_build_t)
+kernel_read_system_state(mock_build_t)
+kernel_read_network_state(mock_build_t)
+kernel_read_kernel_sysctls(mock_build_t)
+kernel_request_load_module(mock_build_t)
+kernel_dontaudit_setattr_proc_dirs(mock_build_t)
+
+corecmd_exec_bin(mock_build_t)
+corecmd_exec_shell(mock_build_t)
+corecmd_dontaudit_exec_all_executables(mock_build_t)
+
+dev_getattr_all_chr_files(mock_build_t)
+dev_dontaudit_list_all_dev_nodes(mock_build_t)
+dev_dontaudit_getattr_all(mock_build_t)
+fs_getattr_all_dirs(mock_build_t)
+dev_read_sysfs(mock_build_t)
+
+domain_dontaudit_read_all_domains_state(mock_build_t)
+domain_use_interactive_fds(mock_build_t)
+
+files_dontaudit_list_boot(mock_build_t)
+
+fs_getattr_all_fs(mock_build_t)
+fs_manage_cgroup_dirs(mock_build_t)
+
+selinux_get_enforce_mode(mock_build_t)
+
+auth_use_nsswitch(mock_build_t)
+
+init_exec(mock_build_t)
+init_dontaudit_stream_connect(mock_build_t)
+
+libs_exec_ldconfig(mock_build_t)
+
+term_use_all_inherited_terms(mock_build_t)
+userdom_use_inherited_user_ptys(mock_build_t)
+term_dontaudit_manage_pty_dirs(mock_build_t)
+
+tunable_policy(`mock_enable_homedirs',`
+ userdom_read_user_home_content_files(mock_build_t)
+')
diff --git a/modemmanager.fc b/modemmanager.fc
index a83894c6e..481dca3ff 100644
--- a/modemmanager.fc
+++ b/modemmanager.fc
@@ -1 +1,4 @@
/usr/sbin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
+/usr/sbin/ModemManager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
+
+/usr/lib/systemd/system/ModemManager.service -- gen_context(system_u:object_r:modemmanager_unit_file_t,s0)
diff --git a/modemmanager.if b/modemmanager.if
index b1ac8b5d8..24782b35f 100644
--- a/modemmanager.if
+++ b/modemmanager.if
@@ -19,6 +19,31 @@ interface(`modemmanager_domtrans',`
domtrans_pattern($1, modemmanager_exec_t, modemmanager_t)
')
+########################################
+##
+## Execute modemmanager server in the modemmanager domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`modemmanager_systemctl',`
+ gen_require(`
+ type modemmanager_t;
+ type modemmanager_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 modemmanager_unit_file_t:file read_file_perms;
+ allow $1 modemmanager_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, modemmanager_t)
+')
+
########################################
##
## Send and receive messages from
@@ -39,3 +64,33 @@ interface(`modemmanager_dbus_chat',`
allow $1 modemmanager_t:dbus send_msg;
allow modemmanager_t $1:dbus send_msg;
')
+
+########################################
+##
+## All of the rules required to administrate
+## an modemmanager environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`modemmanager_admin',`
+ gen_require(`
+ type modemmanager_t;
+ type modemmanager_unit_file_t;
+ ')
+
+ allow $1 modemmanager_t:process { ptrace signal_perms };
+ ps_process_pattern($1, modemmanager_t)
+
+ modemmanager_systemctl($1)
+ admin_pattern($1, modemmanager_unit_file_t)
+ allow $1 modemmanager_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/modemmanager.te b/modemmanager.te
index d15eb5b64..5a177cd5a 100644
--- a/modemmanager.te
+++ b/modemmanager.te
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
typealias modemmanager_t alias ModemManager_t;
typealias modemmanager_exec_t alias ModemManager_exec_t;
+type modemmanager_unit_file_t;
+systemd_unit_file(modemmanager_unit_file_t)
+
########################################
#
# Local policy
@@ -19,20 +22,22 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
allow modemmanager_t self:process { getsched signal };
allow modemmanager_t self:fifo_file rw_fifo_file_perms;
-allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
+allow modemmanager_t self:unix_stream_socket {connectto create_stream_socket_perms};
allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
kernel_read_system_state(modemmanager_t)
+corecmd_exec_bin(modemmanager_t)
+
dev_read_sysfs(modemmanager_t)
+dev_read_urand(modemmanager_t)
dev_rw_modem(modemmanager_t)
-files_read_etc_files(modemmanager_t)
-
term_use_generic_ptys(modemmanager_t)
term_use_unallocated_ttys(modemmanager_t)
+term_use_usb_ttys(modemmanager_t)
-miscfiles_read_localization(modemmanager_t)
+xserver_read_state_xdm(modemmanager_t)
logging_send_syslog_msg(modemmanager_t)
@@ -50,6 +55,11 @@ optional_policy(`
optional_policy(`
policykit_dbus_chat(modemmanager_t)
')
+
+ optional_policy(`
+ systemd_dbus_chat_logind(modemmanager_t)
+ systemd_write_inhibit_pipes(modemmanager_t)
+ ')
')
optional_policy(`
diff --git a/mojomojo.fc b/mojomojo.fc
index 7b827ca7f..5ee8a0f2b 100644
--- a/mojomojo.fc
+++ b/mojomojo.fc
@@ -1,5 +1,5 @@
-/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0)
+/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:mojomojo_script_exec_t,s0)
-/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:httpd_mojomojo_content_t,s0)
+/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:mojomojo_content_t,s0)
-/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0)
+/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:mojomojo_rw_content_t,s0)
diff --git a/mojomojo.if b/mojomojo.if
index 73952f4c9..b19a6ee2d 100644
--- a/mojomojo.if
+++ b/mojomojo.if
@@ -15,7 +15,6 @@
## Role allowed access.
##
##
-##
#
interface(`mojomojo_admin',`
refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.')
diff --git a/mojomojo.te b/mojomojo.te
index b94102efd..25d1d33a1 100644
--- a/mojomojo.te
+++ b/mojomojo.te
@@ -5,21 +5,40 @@ policy_module(mojomojo, 1.1.0)
# Declarations
#
-apache_content_template(mojomojo)
+type mojomojo_tmp_t alias httpd_mojomojo_tmp_t;
+files_tmp_file(mojomojo_tmp_t)
########################################
#
# Local policy
#
-allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+optional_policy(`
+ apache_content_template(mojomojo)
+ apache_content_alias_template(mojomojo, mojomojo)
-corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
-corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
-corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
+ manage_dirs_pattern(mojomojo_script_t, mojomojo_tmp_t, mojomojo_tmp_t)
+ manage_files_pattern(mojomojo_script_t, mojomojo_tmp_t, mojomojo_tmp_t)
+ files_tmp_filetrans(mojomojo_script_t, mojomojo_tmp_t, { file dir })
-files_search_var_lib(httpd_mojomojo_script_t)
+ corenet_tcp_connect_postgresql_port(mojomojo_script_t)
+ corenet_tcp_connect_mysqld_port(mojomojo_script_t)
+ corenet_tcp_connect_smtp_port(mojomojo_script_t)
+ corenet_sendrecv_postgresql_client_packets(mojomojo_script_t)
+ corenet_sendrecv_mysqld_client_packets(mojomojo_script_t)
+ corenet_sendrecv_smtp_client_packets(mojomojo_script_t)
-sysnet_dns_name_resolve(httpd_mojomojo_script_t)
+ files_search_var_lib(mojomojo_script_t)
-mta_send_mail(httpd_mojomojo_script_t)
+ sysnet_dns_name_resolve(mojomojo_script_t)
+
+ mta_send_mail(mojomojo_script_t)
+
+ optional_policy(`
+ mysql_stream_connect(mojomojo_script_t)
+ ')
+
+ optional_policy(`
+ postgresql_stream_connect(mojomojo_script_t)
+ ')
+')
diff --git a/mon_statd.fc b/mon_statd.fc
new file mode 100644
index 000000000..60c11c060
--- /dev/null
+++ b/mon_statd.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/mon_statd -- gen_context(system_u:object_r:mon_statd_initrc_exec_t,s0)
+
+/usr/sbin/mon_fsstatd -- gen_context(system_u:object_r:mon_statd_exec_t,s0)
+/usr/sbin/mon_procd -- gen_context(system_u:object_r:mon_procd_exec_t,s0)
+
+/var/run/procd.* -- gen_context(system_u:object_r:mon_statd_var_run_t,s0)
+/var/run/fstatd.* -- gen_context(system_u:object_r:mon_statd_var_run_t,s0)
diff --git a/mon_statd.if b/mon_statd.if
new file mode 100644
index 000000000..1ce3e4428
--- /dev/null
+++ b/mon_statd.if
@@ -0,0 +1,39 @@
+## policy for mon_statd
+
+########################################
+##
+## Execute mon_statd in the mon_statd domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mon_statd_domtrans',`
+ gen_require(`
+ type mon_statd_t, mon_statd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mon_statd_exec_t, mon_statd_t)
+')
+
+########################################
+##
+## Execute mon_procd in the mon_procd domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mon_procd_domtrans',`
+ gen_require(`
+ type mon_procd_t, mon_procd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mon_procd_exec_t, mon_procd_t)
+')
diff --git a/mon_statd.te b/mon_statd.te
new file mode 100644
index 000000000..e7220a5a8
--- /dev/null
+++ b/mon_statd.te
@@ -0,0 +1,76 @@
+policy_module(mon_statd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute mon_statd_domain;
+
+type mon_statd_t, mon_statd_domain;
+type mon_statd_exec_t;
+init_daemon_domain(mon_statd_t, mon_statd_exec_t)
+
+type mon_procd_t, mon_statd_domain;
+type mon_procd_exec_t;
+init_daemon_domain(mon_procd_t, mon_procd_exec_t)
+
+type mon_statd_initrc_exec_t;
+init_script_file(mon_statd_initrc_exec_t)
+
+type mon_statd_var_run_t;
+files_pid_file(mon_statd_var_run_t)
+
+########################################
+#
+# mon_statd domain policy
+#
+
+manage_files_pattern(mon_statd_domain, mon_statd_var_run_t, mon_statd_var_run_t)
+files_pid_filetrans(mon_statd_domain, mon_statd_var_run_t, file)
+
+domain_read_all_domains_state(mon_statd_domain)
+
+dev_rw_monitor_dev(mon_statd_domain)
+
+########################################
+#
+# mon_fstatd local policy
+#
+allow mon_statd_t self:process { fork signal };
+allow mon_statd_t self:fifo_file rw_fifo_file_perms;
+
+allow mon_statd_t self:unix_stream_socket create_stream_socket_perms;
+allow mon_statd_t self:unix_dgram_socket create_socket_perms;
+
+kernel_dgram_send(mon_statd_t)
+kernel_read_fs_sysctls(mon_statd_t)
+
+fs_getattr_all_fs(mon_statd_t)
+fs_getattr_all_dirs(mon_statd_t)
+
+fs_search_cgroup_dirs(mon_statd_t)
+
+logging_send_syslog_msg(mon_statd_t)
+
+optional_policy(`
+ rpc_read_nfs_state_data(mon_statd_t)
+')
+
+########################################
+#
+# mon_procd local policy
+#
+allow mon_procd_t self:capability sys_ptrace;
+
+allow mon_procd_t self:unix_dgram_socket { create connect };
+
+auth_read_passwd(mon_procd_t)
+
+kernel_dgram_send(mon_procd_t)
+kernel_read_system_state(mon_procd_t)
+
+init_read_utmp(mon_procd_t)
+
+logging_send_syslog_msg(mon_procd_t)
+
diff --git a/mongodb.fc b/mongodb.fc
index 6fcfc31b4..e9e6bc51c 100644
--- a/mongodb.fc
+++ b/mongodb.fc
@@ -1,9 +1,19 @@
/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mongos -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
-/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/lib/systemd/system/mongod.* -- gen_context(system_u:object_r:mongod_unit_file_t,s0)
+/usr/lib/systemd/system/mongos.* -- gen_context(system_u:object_r:mongod_unit_file_t,s0)
+
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/bin/mongos -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
+
+/usr/libexec/mongodb-scl-helper -- gen_context(system_u:object_r:mongod_exec_t,s0)
/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
-/var/log/mongo.* gen_context(system_u:object_r:mongod_log_t,s0)
+/var/log/mongo.* gen_context(system_u:object_r:mongod_log_t,s0)
+/var/log/aeolus-conductor/dbomatic\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0)
-/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
diff --git a/mongodb.te b/mongodb.te
index 169f236e8..bc47602c8 100644
--- a/mongodb.te
+++ b/mongodb.te
@@ -12,6 +12,9 @@ init_daemon_domain(mongod_t, mongod_exec_t)
type mongod_initrc_exec_t;
init_script_file(mongod_initrc_exec_t)
+type mongod_unit_file_t;
+systemd_unit_file(mongod_unit_file_t)
+
type mongod_log_t;
logging_log_file(mongod_log_t)
@@ -21,41 +24,73 @@ files_type(mongod_var_lib_t)
type mongod_var_run_t;
files_pid_file(mongod_var_run_t)
+type mongod_tmp_t;
+files_tmp_file(mongod_tmp_t)
+
########################################
#
# Local policy
#
-allow mongod_t self:process signal;
+
+allow mongod_t self:process { setsched signal execmem };
allow mongod_t self:fifo_file rw_fifo_file_perms;
-manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
-append_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
-create_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
-setattr_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
-logging_log_filetrans(mongod_t, mongod_log_t, dir)
+allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
+allow mongod_t self:unix_stream_socket create_stream_socket_perms;
+allow mongod_t self:udp_socket create_socket_perms;
+allow mongod_t self:tcp_socket { accept listen };
+
+manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
+logging_log_filetrans(mongod_t, mongod_log_t, { dir file })
manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
+allow mongod_t mongod_var_lib_t:file map;
manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
-files_pid_filetrans(mongod_t, mongod_var_run_t, dir)
+manage_sock_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
+files_pid_filetrans(mongod_t, mongod_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
+manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
+manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
+files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })
kernel_read_system_state(mongod_t)
+kernel_read_vm_sysctls(mongod_t)
+
+corecmd_exec_bin(mongod_t)
+corecmd_exec_shell(mongod_t)
corenet_all_recvfrom_unlabeled(mongod_t)
corenet_all_recvfrom_netlabel(mongod_t)
corenet_tcp_sendrecv_generic_if(mongod_t)
corenet_tcp_sendrecv_generic_node(mongod_t)
+corenet_tcp_connect_mongod_port(mongod_t)
+corenet_tcp_bind_mongod_port(mongod_t)
corenet_tcp_bind_generic_node(mongod_t)
dev_read_sysfs(mongod_t)
dev_read_urand(mongod_t)
-files_read_etc_files(mongod_t)
-
fs_getattr_all_fs(mongod_t)
-miscfiles_read_localization(mongod_t)
+auth_use_nsswitch(mongod_t)
+
+logging_send_syslog_msg(mongod_t)
+
+optional_policy(`
+ mysql_stream_connect(mongod_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(mongod_t)
+')
+
+optional_policy(`
+ sysnet_dns_name_resolve(mongod_t)
+')
+
diff --git a/mono.te b/mono.te
index a6a86439f..c0f6cf503 100644
--- a/mono.te
+++ b/mono.te
@@ -28,7 +28,7 @@ allow mono_domain self:process { signal getsched execheap execmem execstack };
# local policy
#
-userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file })
+userdom_filetrans_home_content(mono_t)
init_dbus_chat_script(mono_t)
diff --git a/monop.if b/monop.if
index 8fdaecea2..544075765 100644
--- a/monop.if
+++ b/monop.if
@@ -31,7 +31,7 @@ interface(`monop_admin',`
role_transition $2 monopd_initrc_exec_t system_r;
allow $2 system_r;
- logging_search_etc($1)
+ logging_search_logs($1)
admin_pattern($1, monopd_etc_t)
files_search_pids($1)
diff --git a/monop.te b/monop.te
index 5f9376384..8596763e7 100644
--- a/monop.te
+++ b/monop.te
@@ -43,7 +43,6 @@ kernel_read_kernel_sysctls(monopd_t)
kernel_list_proc(monopd_t)
kernel_read_proc_symlinks(monopd_t)
-corenet_all_recvfrom_unlabeled(monopd_t)
corenet_all_recvfrom_netlabel(monopd_t)
corenet_tcp_sendrecv_generic_if(monopd_t)
corenet_tcp_sendrecv_generic_node(monopd_t)
@@ -57,15 +56,11 @@ dev_read_sysfs(monopd_t)
domain_use_interactive_fds(monopd_t)
-files_read_etc_files(monopd_t)
-
fs_getattr_all_fs(monopd_t)
fs_search_auto_mountpoints(monopd_t)
logging_send_syslog_msg(monopd_t)
-miscfiles_read_localization(monopd_t)
-
sysnet_dns_name_resolve(monopd_t)
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
diff --git a/motion.fc b/motion.fc
new file mode 100644
index 000000000..74151069b
--- /dev/null
+++ b/motion.fc
@@ -0,0 +1,9 @@
+/usr/bin/motion -- gen_context(system_u:object_r:motion_exec_t,s0)
+
+/usr/lib/systemd/system/motion.* -- gen_context(system_u:object_r:motion_unit_file_t,s0)
+
+/var/log/motion\.log.* -- gen_context(system_u:object_r:motion_log_t,s0)
+
+/var/run/motion\.pid -- gen_context(system_u:object_r:motion_var_run_t,s0)
+
+/var/motion(/.*)? gen_context(system_u:object_r:motion_data_t,s0)
diff --git a/motion.if b/motion.if
new file mode 100644
index 000000000..edfd26777
--- /dev/null
+++ b/motion.if
@@ -0,0 +1,198 @@
+
+## Detect motion using a video4linux device
+
+########################################
+##
+## Execute motion in the motion domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`motion_domtrans',`
+ gen_require(`
+ type motion_t, motion_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, motion_exec_t, motion_t)
+')
+########################################
+##
+## Read motion's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`motion_read_log',`
+ gen_require(`
+ type motion_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, motion_log_t, motion_log_t)
+')
+
+########################################
+##
+## Append to motion log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`motion_append_log',`
+ gen_require(`
+ type motion_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, motion_log_t, motion_log_t)
+')
+
+########################################
+##
+## Manage motion log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`motion_manage_log',`
+ gen_require(`
+ type motion_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, motion_log_t, motion_log_t)
+ manage_files_pattern($1, motion_log_t, motion_log_t)
+ manage_lnk_files_pattern($1, motion_log_t, motion_log_t)
+')
+
+########################################
+##
+## Manage motion pid files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`motion_manage_pid',`
+ gen_require(`
+ type motion_var_run_t;
+ ')
+
+ manage_dirs_pattern($1, motion_var_run_t, motion_var_run_t)
+ manage_files_pattern($1, motion_var_run_t, motion_var_run_t)
+')
+
+########################################
+##
+## Manage motion data files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`motion_manage_data',`
+ gen_require(`
+ type motion_data_t;
+ ')
+
+ manage_dirs_pattern($1, motion_data_t, motion_data_t)
+ manage_files_pattern($1, motion_data_t, motion_data_t)
+')
+
+########################################
+##
+## Execute motion server in the motion domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`motion_systemctl',`
+ gen_require(`
+ type motion_t;
+ type motion_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 motion_unit_file_t:file read_file_perms;
+ allow $1 motion_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, motion_t)
+')
+
+########################################
+##
+## Manage all motion files.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`motion_manage_all_files',`
+
+ motion_manage_log($1)
+ motion_manage_pid($1)
+ motion_manage_data($1)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an motion environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`motion_admin',`
+ gen_require(`
+ type motion_t;
+ type motion_log_t;
+ type motion_unit_file_t;
+ ')
+
+ allow $1 motion_t:process { signal_perms };
+ ps_process_pattern($1, motion_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 motion_t:process ptrace;
+ ')
+
+ logging_search_logs($1)
+ admin_pattern($1, motion_log_t)
+
+ motion_systemctl($1)
+ admin_pattern($1, motion_unit_file_t)
+ allow $1 motion_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/motion.te b/motion.te
new file mode 100644
index 000000000..c7f4eb583
--- /dev/null
+++ b/motion.te
@@ -0,0 +1,65 @@
+policy_module(motion, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type motion_t;
+type motion_exec_t;
+init_daemon_domain(motion_t, motion_exec_t)
+
+type motion_log_t;
+logging_log_file(motion_log_t)
+
+type motion_unit_file_t;
+systemd_unit_file(motion_unit_file_t)
+
+type motion_var_run_t;
+files_pid_file(motion_var_run_t)
+
+type motion_data_t;
+files_type(motion_data_t)
+
+########################################
+#
+# motion local policy
+#
+allow motion_t self:udp_socket { create connect getattr };
+allow motion_t self:tcp_socket create_stream_socket_perms;
+allow motion_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_dirs_pattern(motion_t, motion_log_t, motion_log_t)
+manage_files_pattern(motion_t, motion_log_t, motion_log_t)
+logging_log_filetrans(motion_t, motion_log_t, { dir file })
+
+manage_dirs_pattern(motion_t, motion_var_run_t, motion_var_run_t)
+manage_files_pattern(motion_t, motion_var_run_t, motion_var_run_t)
+files_pid_filetrans(motion_t, motion_var_run_t, { dir file })
+
+manage_dirs_pattern(motion_t, motion_data_t, motion_data_t)
+manage_files_pattern(motion_t, motion_data_t, motion_data_t)
+files_var_filetrans(motion_t, motion_data_t, { dir file })
+
+corenet_tcp_bind_http_cache_port(motion_t)
+corenet_tcp_bind_transproxy_port(motion_t)
+corenet_tcp_bind_us_cli_port(motion_t)
+corenet_tcp_connect_http_port(motion_t)
+corenet_tcp_bind_generic_node(motion_t)
+
+dev_read_video_dev(motion_t)
+dev_write_video_dev(motion_t)
+
+domain_use_interactive_fds(motion_t)
+
+logging_send_syslog_msg(motion_t)
+
+sysnet_read_config(motion_t)
+
+userdom_home_manager(motion_t)
+
+optional_policy(`
+ zoneminder_domtrans(motion_t)
+ zoneminder_manage_lib_files(motion_t)
+')
+
diff --git a/mozilla.fc b/mozilla.fc
index 6ffaba2e4..e863bad61 100644
--- a/mozilla.fc
+++ b/mozilla.fc
@@ -1,38 +1,73 @@
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-
-HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-
-/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.cache/icedtea-web(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/POkemon.*(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.webex(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.gnashpluginrc gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/abc -- gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/mozilla\.pdf -- gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.grl-podcasts(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.icedtea(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.juniper_networks(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.lyx(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.IBMERS(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+#
+# /bin
+#
+/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-
-/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
-/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
-/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+')
+
+ifdef(`distro_debian',`
+/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+')
+
+#
+# /lib
+#
+
+/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+
+/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+
+/usr/lib/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+
+/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
+
+/usr/libexec/WebKitPluginProcess -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
index 6194b806b..ded39ae5c 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
-## Policy for Mozilla and related web browsers.
+## Policy for Mozilla and related web browsers
########################################
##
-## Role access for mozilla.
+## Role access for mozilla
##
##
##
-## Role allowed access.
+## Role allowed access
##
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
#
interface(`mozilla_role',`
gen_require(`
type mozilla_t, mozilla_exec_t, mozilla_home_t;
- type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t;
- type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t;
attribute_role mozilla_roles;
')
- ########################################
- #
- # Declarations
- #
-
roleattribute $1 mozilla_roles;
- ########################################
- #
- # Policy
- #
-
- domtrans_pattern($2, mozilla_exec_t, mozilla_t)
+ domain_auto_trans($2, mozilla_exec_t, mozilla_t)
+ # Unrestricted inheritance from the caller.
+ allow $2 mozilla_t:process { noatsecure siginh rlimitinh };
+ allow mozilla_t $2:fd use;
+ allow mozilla_t $2:process { sigchld signull };
+ allow mozilla_t $2:unix_stream_socket connectto;
- allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms };
+ # Allow the user domain to signal/ps.
ps_process_pattern($2, mozilla_t)
-
- allow mozilla_t $2:process signull;
- allow mozilla_t $2:unix_stream_socket connectto;
+ allow $2 mozilla_t:process signal_perms;
allow $2 mozilla_t:fd use;
- allow $2 mozilla_t:shm rw_shm_perms;
-
- stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t)
-
- allow $2 { mozilla_home_t mozilla_plugin_home_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms relabel_file_perms };
- allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix")
+ allow $2 mozilla_t:shm { associate getattr };
+ allow $2 mozilla_t:shm { unix_read unix_write };
+ allow $2 mozilla_t:unix_stream_socket connectto;
- filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+ # X access, Home files
+ manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+ manage_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
- allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:file { manage_file_perms relabel_file_perms };
- allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ #should be remove then with adding of roleattribute
+ mozilla_run_plugin(mozilla_t, $1)
+ mozilla_dbus_chat($2)
- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:file { manage_file_perms relabel_file_perms };
- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ userdom_manage_tmp_role($1, mozilla_t)
optional_policy(`
- mozilla_dbus_chat($2)
+ nsplugin_role($1, mozilla_t)
')
-')
-########################################
-##
-## Role access for mozilla plugin.
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-##
-## User domain for the role.
-##
-##
-#
-interface(`mozilla_role_plugin',`
- gen_require(`
- type mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_plugin_rw_t;
- type mozilla_home_t;
+ optional_policy(`
+ pulseaudio_role($1, mozilla_t)
+ pulseaudio_filetrans_admin_home_content(mozilla_t)
+ pulseaudio_filetrans_home_content(mozilla_t)
')
- mozilla_run_plugin($2, $1)
- mozilla_run_plugin_config($2, $1)
-
- allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms };
- ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t })
+ mozilla_filetrans_home_content($2)
- allow $2 mozilla_plugin_t:unix_stream_socket rw_socket_perms;
- allow $2 mozilla_plugin_t:fd use;
-
- stream_connect_pattern($2, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
-
- allow mozilla_plugin_t $2:process signull;
- allow mozilla_plugin_t $2:unix_stream_socket { connectto rw_socket_perms };
- allow mozilla_plugin_t $2:unix_dgram_socket { sendto rw_socket_perms };
- allow mozilla_plugin_t $2:shm { rw_shm_perms destroy };
- allow mozilla_plugin_t $2:sem create_sem_perms;
-
- allow $2 mozilla_home_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 mozilla_home_t:file { manage_file_perms relabel_file_perms };
- allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix")
-
- allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms };
- allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-
- allow $2 mozilla_plugin_tmpfs_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 mozilla_plugin_tmpfs_t:file { manage_file_perms relabel_file_perms };
- allow $2 mozilla_plugin_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
- allow $2 mozilla_plugin_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-
- allow $2 mozilla_plugin_rw_t:dir list_dir_perms;
- allow $2 mozilla_plugin_rw_t:file read_file_perms;
- allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
-
- can_exec($2, mozilla_plugin_rw_t)
-
- optional_policy(`
- mozilla_dbus_chat_plugin($2)
- ')
')
########################################
##
-## Read mozilla home directory content.
+## Read mozilla home directory content
##
##
##
@@ -153,15 +82,15 @@ interface(`mozilla_read_user_home_files',`
type mozilla_home_t;
')
- userdom_search_user_home_dirs($1)
allow $1 mozilla_home_t:dir list_dir_perms;
allow $1 mozilla_home_t:file read_file_perms;
allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
+ userdom_search_user_home_dirs($1)
')
########################################
##
-## Write mozilla home directory files.
+## Write mozilla home directory content
##
##
##
@@ -174,14 +103,13 @@ interface(`mozilla_write_user_home_files',`
type mozilla_home_t;
')
- userdom_search_user_home_dirs($1)
write_files_pattern($1, mozilla_home_t, mozilla_home_t)
+ userdom_search_user_home_dirs($1)
')
########################################
##
-## Do not audit attempts to read and
-## write mozilla home directory files.
+## Dontaudit attempts to read/write mozilla home directory content
##
##
##
@@ -194,14 +122,12 @@ interface(`mozilla_dontaudit_rw_user_home_files',`
type mozilla_home_t;
')
- dontaudit $1 mozilla_home_t:file rw_file_perms;
+ dontaudit $1 mozilla_home_t:file rw_inherited_file_perms;
')
########################################
##
-## Do not audit attempt to Create,
-## read, write, and delete mozilla
-## home directory content.
+## Dontaudit attempts to write mozilla home directory content
##
##
##
@@ -216,12 +142,11 @@ interface(`mozilla_dontaudit_manage_user_home_files',`
dontaudit $1 mozilla_home_t:dir manage_dir_perms;
dontaudit $1 mozilla_home_t:file manage_file_perms;
- dontaudit $1 mozilla_home_t:lnk_file manage_lnk_file_perms;
')
########################################
##
-## Execute mozilla home directory files. (Deprecated)
+## Execute mozilla home directory content.
##
##
##
@@ -230,33 +155,16 @@ interface(`mozilla_dontaudit_manage_user_home_files',`
##
#
interface(`mozilla_exec_user_home_files',`
- refpolicywarn(`$0($*) has been deprecated, use mozilla_exec_user_plugin_home_files() instead.')
- mozilla_exec_user_plugin_home_files($1)
-')
-
-########################################
-##
-## Execute mozilla plugin home directory files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`mozilla_exec_user_plugin_home_files',`
gen_require(`
- type mozilla_home_t, mozilla_plugin_home_t;
+ type mozilla_home_t;
')
- userdom_search_user_home_dirs($1)
- exec_files_pattern($1, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
+ can_exec($1, mozilla_home_t)
')
########################################
##
-## Mozilla home directory file
-## text relocation. (Deprecated)
+## Execmod mozilla home directory content.
##
##
##
@@ -265,140 +173,157 @@ interface(`mozilla_exec_user_plugin_home_files',`
##
#
interface(`mozilla_execmod_user_home_files',`
- refpolicywarn(`$0($*) has been deprecated, use mozilla_execmod_user_plugin_home_files() instead.')
- mozilla_execmod_user_plugin_home_files($1)
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ allow $1 mozilla_home_t:file execmod;
')
########################################
##
-## Mozilla plugin home directory file
-## text relocation.
+## Run mozilla in the mozilla domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
#
-interface(`mozilla_execmod_user_plugin_home_files',`
+interface(`mozilla_domtrans',`
gen_require(`
- type mozilla_plugin_home_t;
+ type mozilla_t, mozilla_exec_t;
')
- allow $1 mozilla_plugin_home_t:file execmod;
+ domtrans_pattern($1, mozilla_exec_t, mozilla_t)
')
########################################
##
-## Run mozilla in the mozilla domain.
+## Execute a mozilla_exec_t in the specified domain.
##
##
##
## Domain allowed to transition.
##
##
+##
+##
+## The type of the new process.
+##
+##
#
-interface(`mozilla_domtrans',`
+interface(`mozilla_domtrans_spec',`
gen_require(`
- type mozilla_t, mozilla_exec_t;
+ type mozilla_exec_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, mozilla_exec_t, mozilla_t)
+ domain_entry_file($2, mozilla_exec_t)
+ domtrans_pattern($1, mozilla_exec_t, $2)
')
########################################
##
-## Execute a domain transition to
-## run mozilla plugin.
+## Execute a domain transition to run mozilla_plugin.
##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
##
##
#
interface(`mozilla_domtrans_plugin',`
gen_require(`
type mozilla_plugin_t, mozilla_plugin_exec_t;
+ type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
+ type mozilla_plugin_rw_t;
+ class dbus send_msg;
')
- corecmd_search_bin($1)
domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
+ domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
+ allow mozilla_plugin_t $1:process signull;
+ dontaudit mozilla_plugin_config_t $1:file read_inherited_file_perms;
+ dontaudit mozilla_plugin_t $1:process signal;
+ allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
+ allow $1 mozilla_plugin_t:fd use;
+
+ allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;
+ allow mozilla_plugin_t $1:unix_dgram_socket { sendto rw_socket_perms };
+ allow mozilla_plugin_t $1:shm { rw_shm_perms destroy };
+ allow mozilla_plugin_t $1:sem create_sem_perms;
+ allow $1 mozilla_plugin_t:sem rw_sem_perms;
+ allow $1 mozilla_plugin_t:shm rw_shm_perms;
+ allow $1 mozilla_plugin_t:fifo_file rw_fifo_file_perms;
+
+ ps_process_pattern($1, mozilla_plugin_t)
+ ps_process_pattern(mozilla_plugin_t, $1)
+ allow $1 mozilla_plugin_t:process { signal_perms noatsecure };
+
+ list_dirs_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+ read_lnk_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+ can_exec($1, mozilla_plugin_rw_t)
+
+ allow $1 mozilla_plugin_t:dbus send_msg;
+ allow mozilla_plugin_t $1:dbus send_msg;
+
+ allow mozilla_plugin_t $1:process signull;
')
########################################
##
-## Execute mozilla plugin in the
-## mozilla plugin domain, and allow
-## the specified role the mozilla
-## plugin domain.
+## Execute mozilla_plugin in the mozilla_plugin domain, and
+## allow the specified role the mozilla_plugin domain.
##
##
##
-## Domain allowed to transition.
+## Domain allowed access
##
##
##
##
-## Role allowed access.
+## The role to be allowed the mozilla_plugin domain.
##
##
#
interface(`mozilla_run_plugin',`
gen_require(`
- attribute_role mozilla_plugin_roles;
+ type mozilla_plugin_t;
+ attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles;
')
mozilla_domtrans_plugin($1)
roleattribute $2 mozilla_plugin_roles;
-')
+ roleattribute $2 mozilla_plugin_config_roles;
-########################################
-##
-## Execute a domain transition to
-## run mozilla plugin config.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`mozilla_domtrans_plugin_config',`
- gen_require(`
- type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mozilla_plugin_t:process ptrace;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
+ optional_policy(`
+ lpd_run_lpr(mozilla_plugin_t, $2)
+ ')
')
-########################################
+#######################################
##
-## Execute mozilla plugin config in
-## the mozilla plugin config domain,
-## and allow the specified role the
-## mozilla plugin config domain.
+## Execute qemu unconfined programs in the role.
##
-##
-##
-## Domain allowed to transition.
-##
-##
##
-##
-## Role allowed access.
-##
+##
+## The role to allow the mozilla_plugin domain.
+##
##
+##
#
-interface(`mozilla_run_plugin_config',`
- gen_require(`
- attribute_role mozilla_plugin_config_roles;
- ')
+interface(`mozilla_role_plugin',`
+ gen_require(`
+ attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles;
+ ')
- mozilla_domtrans_plugin_config($1)
- roleattribute $2 mozilla_plugin_config_roles;
+ roleattribute $1 mozilla_plugin_roles;
+ roleattribute $1 mozilla_plugin_config_roles;
')
########################################
@@ -424,8 +349,7 @@ interface(`mozilla_dbus_chat',`
########################################
##
-## Send and receive messages from
-## mozilla plugin over dbus.
+## read/write mozilla per user tcp_socket
##
##
##
@@ -433,57 +357,162 @@ interface(`mozilla_dbus_chat',`
##
##
#
-interface(`mozilla_dbus_chat_plugin',`
+interface(`mozilla_rw_tcp_sockets',`
gen_require(`
- type mozilla_plugin_t;
- class dbus send_msg;
+ type mozilla_t;
')
- allow $1 mozilla_plugin_t:dbus send_msg;
- allow mozilla_plugin_t $1:dbus send_msg;
+ allow $1 mozilla_t:tcp_socket rw_socket_perms;
+')
+
+#######################################
+##
+## Read mozilla_plugin tmpfs files
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`mozilla_plugin_read_tmpfs_files',`
+ gen_require(`
+ type mozilla_plugin_tmpfs_t;
+ ')
+
+ allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
+')
+
+#######################################
+##
+## Read/Write mozilla_plugin tmpfs files
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`mozilla_plugin_rw_tmpfs_files',`
+ gen_require(`
+ type mozilla_plugin_tmpfs_t;
+ ')
+
+ rw_files_pattern($1, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
')
########################################
##
-## Read and write mozilla TCP sockets.
+## Delete mozilla_plugin tmpfs files
##
##
##
-## Domain allowed access.
+## Domain allowed access
##
##
#
-interface(`mozilla_rw_tcp_sockets',`
+interface(`mozilla_plugin_delete_tmpfs_files',`
gen_require(`
- type mozilla_t;
+ type mozilla_plugin_tmpfs_t;
')
- allow $1 mozilla_t:tcp_socket rw_socket_perms;
+ allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
+')
+
+#######################################
+##
+## Dontaudit generict ipc read/write to a mozilla_plugin
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`mozilla_plugin_dontaudit_rw_sem',`
+ gen_require(`
+ type mozilla_plugin_t;
+ ')
+
+ dontaudit $1 mozilla_plugin_t:sem { associate unix_read unix_write };
+')
+
+#######################################
+##
+## Allow generict ipc read/write to a mozilla_plugin
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`mozilla_plugin_rw_sem',`
+ gen_require(`
+ type mozilla_plugin_t;
+ ')
+
+ allow $1 mozilla_plugin_t:sem { associate unix_read unix_write };
')
########################################
##
-## Create, read, write, and delete
-## mozilla plugin rw files.
+## Dontaudit read/write to a mozilla_plugin leaks
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`mozilla_manage_plugin_rw_files',`
+interface(`mozilla_plugin_dontaudit_leaks',`
gen_require(`
- type mozilla_plugin_rw_t;
+ type mozilla_plugin_t;
')
- libs_search_lib($1)
- manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
+')
+
+#######################################
+##
+## Dontaudit read/write to a mozilla_plugin tmp files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`mozilla_plugin_dontaudit_rw_tmp_files',`
+ gen_require(`
+ type mozilla_plugin_tmp_t;
+ ')
+
+ dontaudit $1 mozilla_plugin_tmp_t:file { read write };
+')
+
+#######################################
+##
+## Allow read/write to a mozilla_plugin tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mozilla_plugin_rw_tmp_files',`
+ gen_require(`
+ type mozilla_plugin_tmp_t;
+ ')
+
+ dontaudit $1 mozilla_plugin_tmp_t:file { read write };
')
########################################
##
-## Read mozilla_plugin tmpfs files.
+## Create, read, write, and delete
+## mozilla_plugin rw files.
##
##
##
@@ -491,18 +520,18 @@ interface(`mozilla_manage_plugin_rw_files',`
##
##
#
-interface(`mozilla_plugin_read_tmpfs_files',`
+interface(`mozilla_plugin_manage_rw_files',`
gen_require(`
- type mozilla_plugin_tmpfs_t;
+ type mozilla_plugin_rw_t;
')
- fs_search_tmpfs($1)
- allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
+ allow $1 mozilla_plugin_rw_t:file manage_file_perms;
+ allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;
')
########################################
##
-## Delete mozilla_plugin tmpfs files.
+## read mozilla_plugin rw files.
##
##
##
@@ -510,19 +539,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
##
##
#
-interface(`mozilla_plugin_delete_tmpfs_files',`
+interface(`mozilla_plugin_read_rw_files',`
gen_require(`
- type mozilla_plugin_tmpfs_t;
+ type mozilla_plugin_rw_t;
')
- fs_search_tmpfs($1)
- allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
+ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
')
########################################
##
-## Create, read, write, and delete
-## generic mozilla plugin home content.
+## Create mozilla content in the user home directory
+## with an correct label.
##
##
##
@@ -530,45 +558,59 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
##
##
#
-interface(`mozilla_manage_generic_plugin_home_content',`
+interface(`mozilla_filetrans_home_content',`
+
gen_require(`
- type mozilla_plugin_home_t;
+ type mozilla_home_t, mozilla_plugin_rw_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 mozilla_plugin_home_t:dir manage_dir_perms;
- allow $1 mozilla_plugin_home_t:file manage_file_perms;
- allow $1 mozilla_plugin_home_t:fifo_file manage_fifo_file_perms;
- allow $1 mozilla_plugin_home_t:lnk_file manage_lnk_file_perms;
- allow $1 mozilla_plugin_home_t:sock_file manage_sock_file_perms;
+ files_filetrans_lib($1, mozilla_plugin_rw_t, file, "nswrapper_32_64.nppdf.so")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".thunderbird")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".netscape")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".phoenix")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".adobe")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".macromedia")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".grl-podcasts")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedtea")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".juniper_networks")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".IBMERS")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, ".gnashpluginrc")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "mozilla.pdf")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".webex")
+ optional_policy(`
+ gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
+ gnome_cache_filetrans($1, mozilla_home_t, dir, "icedtea-web")
+ ')
')
########################################
##
-## Create objects in user home
-## directories with the generic mozilla
-## plugin home type.
+## Allow the domain to read mozilla_plugin state files in /proc.
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
#
-interface(`mozilla_home_filetrans_plugin_home',`
+interface(`mozilla_plugin_read_state',`
gen_require(`
- type mozilla_plugin_home_t;
+ type mozilla_plugin_t;
')
- userdom_user_home_dir_filetrans($1, mozilla_plugin_home_t, $2, $3)
+ kernel_search_proc($1)
+ ps_process_pattern($1, mozilla_plugin_t)
')
+
diff --git a/mozilla.te b/mozilla.te
index 11ac8e4fc..e2a8b27f6 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
#
##
-##
-## Determine whether mozilla can
-## make its stack executable.
-##
+##
+## Allow mozilla plugin domain to connect to the network using TCP.
+##
##
-gen_tunable(mozilla_execstack, false)
+gen_tunable(mozilla_plugin_can_network_connect, false)
+
+##
+##
+## Allow mozilla plugin domain to bind unreserved tcp/udp ports.
+##
+##
+
+gen_tunable(mozilla_plugin_bind_unreserved_ports, false)
+
+##
+##
+## Allow mozilla plugin to support spice protocols.
+##
+##
+gen_tunable(mozilla_plugin_use_spice, false)
+
+##
+##
+## Allow mozilla plugin to support GPS.
+##
+##
+gen_tunable(mozilla_plugin_use_gps, false)
+
+##
+##
+## Allow mozilla plugin to use Bluejeans.
+##
+##
+gen_tunable(mozilla_plugin_use_bluejeans, false)
+
+##
+##
+## Allow confined web browsers to read home directory content
+##
+##
+gen_tunable(mozilla_read_content, false)
attribute_role mozilla_roles;
attribute_role mozilla_plugin_roles;
attribute_role mozilla_plugin_config_roles;
+roleattribute system_r mozilla_roles;
+roleattribute system_r mozilla_plugin_roles;
+roleattribute system_r mozilla_plugin_config_roles;
+
type mozilla_t;
type mozilla_exec_t;
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
@@ -24,6 +63,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
role mozilla_roles types mozilla_t;
+type mozilla_conf_t;
+files_config_file(mozilla_conf_t)
+
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
@@ -31,28 +73,24 @@ userdom_user_home_content(mozilla_home_t)
type mozilla_plugin_t;
type mozilla_plugin_exec_t;
-userdom_user_application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
+application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
role mozilla_plugin_roles types mozilla_plugin_t;
-type mozilla_plugin_home_t;
-userdom_user_home_content(mozilla_plugin_home_t)
-
type mozilla_plugin_tmp_t;
+userdom_user_tmp_content(mozilla_plugin_tmp_t)
userdom_user_tmp_file(mozilla_plugin_tmp_t)
type mozilla_plugin_tmpfs_t;
+userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t)
userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t)
-optional_policy(`
- pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t)
-')
-
type mozilla_plugin_rw_t;
files_type(mozilla_plugin_rw_t)
type mozilla_plugin_config_t;
type mozilla_plugin_config_exec_t;
-userdom_user_application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
+application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
+role mozilla_roles types mozilla_plugin_config_t;
role mozilla_plugin_config_roles types mozilla_plugin_config_t;
type mozilla_tmp_t;
@@ -63,10 +101,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
userdom_user_tmpfs_file(mozilla_tmpfs_t)
-optional_policy(`
- pulseaudio_tmpfs_content(mozilla_tmpfs_t)
-')
-
########################################
#
# Local policy
@@ -75,104 +109,101 @@ optional_policy(`
allow mozilla_t self:capability { sys_nice setgid setuid };
allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow mozilla_t self:fifo_file rw_fifo_file_perms;
-allow mozilla_t self:shm create_shm_perms;
+allow mozilla_t self:shm { unix_read unix_write read write destroy create };
allow mozilla_t self:sem create_sem_perms;
allow mozilla_t self:socket create_socket_perms;
-allow mozilla_t self:unix_stream_socket { accept listen };
+allow mozilla_t self:unix_stream_socket { listen accept };
+# Browse the web, connect to printer
+allow mozilla_t self:tcp_socket create_socket_perms;
+allow mozilla_t self:netlink_route_socket r_netlink_socket_perms;
-allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms;
-allow mozilla_t mozilla_plugin_t:fd use;
+# for bash - old mozilla binary
+can_exec(mozilla_t, mozilla_exec_t)
-allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
-allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file manage_file_perms;
-allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms;
-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon")
-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla")
-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".netscape")
-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".phoenix")
+# X access, Home files
+manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+userdom_search_user_home_dirs(mozilla_t)
-filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+# Mozpluggerrc
+allow mozilla_t mozilla_conf_t:file read_file_perms;
manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
-files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
+# mozilla will manage user_tmp_t, so it will transition to it.
+#files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
-
-allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms;
-allow mozilla_t mozilla_plugin_rw_t:file read_file_perms;
-allow mozilla_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
-
-stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
-
-can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })
+allow mozilla_plugin_t mozilla_tmpfs_t:file map;
kernel_read_kernel_sysctls(mozilla_t)
kernel_read_network_state(mozilla_t)
+# Access /proc, sysctl
kernel_read_system_state(mozilla_t)
kernel_read_net_sysctls(mozilla_t)
+# Look for plugins
corecmd_list_bin(mozilla_t)
+# for bash - old mozilla binary
corecmd_exec_shell(mozilla_t)
corecmd_exec_bin(mozilla_t)
-corenet_all_recvfrom_unlabeled(mozilla_t)
+# Browse the web, connect to printer
corenet_all_recvfrom_netlabel(mozilla_t)
corenet_tcp_sendrecv_generic_if(mozilla_t)
+corenet_raw_sendrecv_generic_if(mozilla_t)
corenet_tcp_sendrecv_generic_node(mozilla_t)
-
-corenet_sendrecv_http_client_packets(mozilla_t)
-corenet_tcp_connect_http_port(mozilla_t)
+corenet_raw_sendrecv_generic_node(mozilla_t)
corenet_tcp_sendrecv_http_port(mozilla_t)
-
-corenet_sendrecv_http_cache_client_packets(mozilla_t)
-corenet_tcp_connect_http_cache_port(mozilla_t)
corenet_tcp_sendrecv_http_cache_port(mozilla_t)
-
-corenet_sendrecv_squid_client_packets(mozilla_t)
-corenet_tcp_connect_squid_port(mozilla_t)
corenet_tcp_sendrecv_squid_port(mozilla_t)
-
-corenet_sendrecv_ftp_client_packets(mozilla_t)
-corenet_tcp_connect_ftp_port(mozilla_t)
corenet_tcp_sendrecv_ftp_port(mozilla_t)
-
-corenet_sendrecv_ipp_client_packets(mozilla_t)
-corenet_tcp_connect_ipp_port(mozilla_t)
+corenet_tcp_connect_all_ephemeral_ports(mozilla_t)
corenet_tcp_sendrecv_ipp_port(mozilla_t)
-
-corenet_sendrecv_soundd_client_packets(mozilla_t)
+corenet_tcp_connect_http_port(mozilla_t)
+corenet_tcp_connect_http_cache_port(mozilla_t)
+corenet_tcp_connect_squid_port(mozilla_t)
+corenet_tcp_connect_ftp_port(mozilla_t)
+corenet_tcp_connect_ipp_port(mozilla_t)
+corenet_tcp_connect_generic_port(mozilla_t)
corenet_tcp_connect_soundd_port(mozilla_t)
-corenet_tcp_sendrecv_soundd_port(mozilla_t)
-
-corenet_sendrecv_speech_client_packets(mozilla_t)
+corenet_sendrecv_http_client_packets(mozilla_t)
+corenet_sendrecv_http_cache_client_packets(mozilla_t)
+corenet_sendrecv_squid_client_packets(mozilla_t)
+corenet_sendrecv_ftp_client_packets(mozilla_t)
+corenet_sendrecv_ipp_client_packets(mozilla_t)
+corenet_sendrecv_generic_client_packets(mozilla_t)
+# Should not need other ports
+corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
+corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
corenet_tcp_connect_speech_port(mozilla_t)
-corenet_tcp_sendrecv_speech_port(mozilla_t)
-dev_getattr_sysfs_dirs(mozilla_t)
-dev_read_sound(mozilla_t)
-dev_read_rand(mozilla_t)
dev_read_urand(mozilla_t)
-dev_rw_dri(mozilla_t)
+dev_read_rand(mozilla_t)
dev_write_sound(mozilla_t)
+dev_read_sound(mozilla_t)
+dev_dontaudit_rw_dri(mozilla_t)
+dev_getattr_sysfs_dirs(mozilla_t)
domain_dontaudit_read_all_domains_state(mozilla_t)
files_read_etc_runtime_files(mozilla_t)
-files_read_usr_files(mozilla_t)
-files_read_var_files(mozilla_t)
+# /var/lib
files_read_var_lib_files(mozilla_t)
+# interacting with gstreamer
+files_read_var_files(mozilla_t)
files_read_var_symlinks(mozilla_t)
files_dontaudit_getattr_boot_dirs(mozilla_t)
-fs_getattr_all_fs(mozilla_t)
+fs_dontaudit_getattr_all_fs(mozilla_t)
fs_search_auto_mountpoints(mozilla_t)
fs_list_inotifyfs(mozilla_t)
-fs_rw_tmpfs_files(mozilla_t)
+fs_rw_inherited_tmpfs_files(mozilla_t)
term_dontaudit_getattr_pty_dirs(mozilla_t)
@@ -181,56 +212,73 @@ auth_use_nsswitch(mozilla_t)
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
-miscfiles_read_localization(mozilla_t)
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
-userdom_use_user_ptys(mozilla_t)
-
-userdom_manage_user_tmp_dirs(mozilla_t)
-userdom_manage_user_tmp_files(mozilla_t)
+userdom_use_inherited_user_ptys(mozilla_t)
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
-
-userdom_write_user_tmp_sockets(mozilla_t)
-
-mozilla_run_plugin(mozilla_t, mozilla_roles)
-mozilla_run_plugin_config(mozilla_t, mozilla_roles)
+#mozilla_run_plugin(mozilla_t, mozilla_roles)
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
-ifndef(`enable_mls',`
- fs_list_dos(mozilla_t)
- fs_read_dos_files(mozilla_t)
-
- fs_search_removable(mozilla_t)
- fs_read_removable_files(mozilla_t)
- fs_read_removable_symlinks(mozilla_t)
-
- fs_read_iso9660_files(mozilla_t)
+tunable_policy(`selinuxuser_execstack',`
+ allow mozilla_t self:process execstack;
')
-tunable_policy(`allow_execmem',`
+tunable_policy(`deny_execmem',`',`
allow mozilla_t self:process execmem;
')
-tunable_policy(`mozilla_execstack',`
- allow mozilla_t self:process { execmem execstack };
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_t)
- fs_manage_nfs_files(mozilla_t)
- fs_manage_nfs_symlinks(mozilla_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mozilla_t)
- fs_manage_cifs_files(mozilla_t)
- fs_manage_cifs_symlinks(mozilla_t)
+userdom_home_manager(mozilla_t)
+
+# Uploads, local html
+tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(mozilla_t)
+ files_list_home(mozilla_t)
+ fs_read_nfs_files(mozilla_t)
+ fs_read_nfs_symlinks(mozilla_t)
+
+',`
+ files_dontaudit_list_home(mozilla_t)
+ fs_dontaudit_list_auto_mountpoints(mozilla_t)
+ fs_dontaudit_read_nfs_files(mozilla_t)
+ fs_dontaudit_list_nfs(mozilla_t)
+')
+
+tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(mozilla_t)
+ files_list_home(mozilla_t)
+ fs_read_cifs_files(mozilla_t)
+ fs_read_cifs_symlinks(mozilla_t)
+',`
+ files_dontaudit_list_home(mozilla_t)
+ fs_dontaudit_list_auto_mountpoints(mozilla_t)
+ fs_dontaudit_read_cifs_files(mozilla_t)
+ fs_dontaudit_list_cifs(mozilla_t)
+')
+
+tunable_policy(`mozilla_read_content',`
+ userdom_list_user_tmp(mozilla_t)
+ userdom_read_user_tmp_files(mozilla_t)
+ userdom_read_user_tmp_symlinks(mozilla_t)
+ userdom_read_user_home_content_files(mozilla_t)
+ userdom_read_user_home_content_symlinks(mozilla_t)
+
+ ifndef(`enable_mls',`
+ fs_search_removable(mozilla_t)
+ fs_read_removable_files(mozilla_t)
+ fs_read_removable_symlinks(mozilla_t)
+ ')
+',`
+ files_dontaudit_list_tmp(mozilla_t)
+ files_dontaudit_list_home(mozilla_t)
+ fs_dontaudit_list_removable(mozilla_t)
+ fs_dontaudit_read_removable_files(mozilla_t)
+ userdom_dontaudit_list_user_tmp(mozilla_t)
+ userdom_dontaudit_read_user_tmp_files(mozilla_t)
+ userdom_dontaudit_list_user_home_dirs(mozilla_t)
+ userdom_dontaudit_read_user_home_content_files(mozilla_t)
')
optional_policy(`
@@ -244,19 +292,12 @@ optional_policy(`
optional_policy(`
cups_read_rw_config(mozilla_t)
+ cups_dbus_chat(mozilla_t)
')
optional_policy(`
- dbus_all_session_bus_client(mozilla_t)
dbus_system_bus_client(mozilla_t)
-
- optional_policy(`
- cups_dbus_chat(mozilla_t)
- ')
-
- optional_policy(`
- mozilla_dbus_chat_plugin(mozilla_t)
- ')
+ dbus_session_bus_client(mozilla_t)
optional_policy(`
networkmanager_dbus_chat(mozilla_t)
@@ -265,33 +306,32 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
- gnome_manage_generic_gconf_home_content(mozilla_t)
- gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconf")
- gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconfd")
- gnome_manage_generic_home_content(mozilla_t)
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome")
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2")
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
+ gnome_manage_config(mozilla_t)
+ gnome_manage_gconf_home_files(mozilla_t)
+')
+
+optional_policy(`
+ java_domtrans(mozilla_t)
')
optional_policy(`
- java_exec(mozilla_t)
- java_manage_generic_home_content(mozilla_t)
- java_home_filetrans_java_home(mozilla_t, dir, ".java")
+ lpd_domtrans_lpr(mozilla_t)
')
optional_policy(`
- lpd_run_lpr(mozilla_t, mozilla_roles)
+ mplayer_domtrans(mozilla_t)
+ mplayer_read_user_home_files(mozilla_t)
')
optional_policy(`
- mplayer_exec(mozilla_t)
- mplayer_manage_generic_home_content(mozilla_t)
- mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
+ nscd_socket_use(mozilla_t)
')
optional_policy(`
- pulseaudio_run(mozilla_t, mozilla_roles)
+ #pulseaudio_role(mozilla_roles, mozilla_t)
+ pulseaudio_exec(mozilla_t)
+ pulseaudio_stream_connect(mozilla_t)
+ pulseaudio_manage_home_files(mozilla_t)
')
optional_policy(`
@@ -300,259 +340,261 @@ optional_policy(`
########################################
#
-# Plugin local policy
+# mozilla_plugin local policy
#
-dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_ptrace sys_tty_config };
-allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms setrlimit };
-allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
+dontaudit mozilla_plugin_t self:capability { sys_ptrace sys_admin ipc_lock sys_nice sys_tty_config };
+dontaudit mozilla_plugin_t self:capability2 block_suspend;
+
+allow mozilla_plugin_t self:process { getsession setcap setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow mozilla_plugin_t self:netlink_socket create_socket_perms;
+allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
+allow mozilla_plugin_t self:udp_socket create_socket_perms;
allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
+
allow mozilla_plugin_t self:sem create_sem_perms;
allow mozilla_plugin_t self:shm create_shm_perms;
-allow mozilla_plugin_t self:tcp_socket { accept listen };
-allow mozilla_plugin_t self:unix_stream_socket { accept connectto listen };
-
-allow mozilla_plugin_t mozilla_t:unix_stream_socket rw_socket_perms;
-allow mozilla_plugin_t mozilla_t:unix_dgram_socket rw_socket_perms;
-allow mozilla_plugin_t mozilla_t:shm { rw_shm_perms destroy };
-allow mozilla_plugin_t mozilla_t:sem create_sem_perms;
-
-manage_dirs_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
-manage_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-manage_lnk_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".galeon")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".mozilla")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".netscape")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".phoenix")
-
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".adobe")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".macromedia")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gnash")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gcjwebplugin")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".icedteaplugin")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".spicec")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".ICAClient")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
-
-filetrans_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+allow mozilla_plugin_t self:msgq create_msgq_perms;
+allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
+allow mozilla_plugin_t self:unix_dgram_socket sendto;
+allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
+can_exec(mozilla_plugin_t, mozilla_home_t)
+manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
-files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
-userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+userdom_manage_home_texlive(mozilla_plugin_t)
+allow mozilla_plugin_t mozilla_plugin_tmpfs_t:file map;
-allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
+can_exec(mozilla_plugin_t, mozilla_exec_t)
kernel_read_all_sysctls(mozilla_plugin_t)
kernel_read_system_state(mozilla_plugin_t)
kernel_read_network_state(mozilla_plugin_t)
kernel_request_load_module(mozilla_plugin_t)
kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
+files_dontaudit_read_root_files(mozilla_plugin_t)
+kernel_dontaudit_list_all_proc(mozilla_plugin_t)
+kernel_dontaudit_list_all_sysctls(mozilla_plugin_t)
corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)
+corecmd_dontaudit_access_all_executables(mozilla_plugin_t)
+corecmd_getattr_all_executables(mozilla_plugin_t)
-corenet_all_recvfrom_netlabel(mozilla_plugin_t)
-corenet_all_recvfrom_unlabeled(mozilla_plugin_t)
-corenet_tcp_sendrecv_generic_if(mozilla_plugin_t)
-corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
-
-corenet_sendrecv_asterisk_client_packets(mozilla_plugin_t)
+corenet_tcp_bind_generic_node(mozilla_plugin_t)
+corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
+corenet_tcp_connect_aol_port(mozilla_plugin_t)
corenet_tcp_connect_asterisk_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_asterisk_port(mozilla_plugin_t)
-
-corenet_sendrecv_ftp_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_commplex_link_port(mozilla_plugin_t)
+corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
+corenet_tcp_connect_flash_port(mozilla_plugin_t)
corenet_tcp_connect_ftp_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_ftp_port(mozilla_plugin_t)
-
-corenet_sendrecv_gatekeeper_client_packets(mozilla_plugin_t)
corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_gatekeeper_port(mozilla_plugin_t)
-
-corenet_sendrecv_http_client_packets(mozilla_plugin_t)
-corenet_tcp_connect_http_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_http_port(mozilla_plugin_t)
-
-corenet_sendrecv_http_cache_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_generic_port(mozilla_plugin_t)
corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_http_cache_port(mozilla_plugin_t)
-
-corenet_sendrecv_ipp_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_http_port(mozilla_plugin_t)
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_ipp_port(mozilla_plugin_t)
-
-corenet_sendrecv_ircd_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t)
corenet_tcp_connect_ircd_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_ircd_port(mozilla_plugin_t)
-
-corenet_sendrecv_jabber_client_client_packets(mozilla_plugin_t)
corenet_tcp_connect_jabber_client_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_jabber_client_port(mozilla_plugin_t)
-
-corenet_sendrecv_mmcc_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_jboss_management_port(mozilla_plugin_t)
corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_mmcc_port(mozilla_plugin_t)
-
-corenet_sendrecv_monopd_client_packets(mozilla_plugin_t)
corenet_tcp_connect_monopd_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_monopd_port(mozilla_plugin_t)
-
-corenet_sendrecv_soundd_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_msnp_port(mozilla_plugin_t)
+corenet_tcp_connect_ms_streaming_port(mozilla_plugin_t)
+corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
+corenet_tcp_connect_rtsp_port(mozilla_plugin_t)
corenet_tcp_connect_soundd_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_soundd_port(mozilla_plugin_t)
-
-corenet_sendrecv_speech_client_packets(mozilla_plugin_t)
corenet_tcp_connect_speech_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_speech_port(mozilla_plugin_t)
-
-corenet_sendrecv_squid_client_packets(mozilla_plugin_t)
corenet_tcp_connect_squid_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_squid_port(mozilla_plugin_t)
-
-corenet_sendrecv_vnc_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_tor_port(mozilla_plugin_t)
+corenet_tcp_connect_transproxy_port(mozilla_plugin_t)
corenet_tcp_connect_vnc_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t)
+corenet_tcp_connect_whois_port(mozilla_plugin_t)
+corenet_tcp_bind_generic_node(mozilla_plugin_t)
+corenet_udp_bind_generic_node(mozilla_plugin_t)
+corenet_tcp_bind_jboss_debug_port(mozilla_plugin_t)
+corenet_dontaudit_udp_bind_ssdp_port(mozilla_plugin_t)
-dev_read_generic_usb_dev(mozilla_plugin_t)
+dev_dontaudit_append_rand(mozilla_plugin_t)
dev_read_rand(mozilla_plugin_t)
-dev_read_realtime_clock(mozilla_plugin_t)
-dev_read_sound(mozilla_plugin_t)
-dev_read_sysfs(mozilla_plugin_t)
dev_read_urand(mozilla_plugin_t)
+dev_read_generic_usb_dev(mozilla_plugin_t)
dev_read_video_dev(mozilla_plugin_t)
-dev_write_sound(mozilla_plugin_t)
dev_write_video_dev(mozilla_plugin_t)
-dev_rw_dri(mozilla_plugin_t)
+dev_read_realtime_clock(mozilla_plugin_t)
+dev_read_sysfs(mozilla_plugin_t)
+dev_read_sound(mozilla_plugin_t)
+dev_write_sound(mozilla_plugin_t)
+# for nvidia driver
dev_rw_xserver_misc(mozilla_plugin_t)
+dev_rwx_zero(mozilla_plugin_t)
+dev_dontaudit_read_mtrr(mozilla_plugin_t)
+dev_map_video_dev(mozilla_plugin_t)
+xserver_dri_domain(mozilla_plugin_t)
-dev_dontaudit_getattr_generic_files(mozilla_plugin_t)
-dev_dontaudit_getattr_generic_pipes(mozilla_plugin_t)
-dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t)
-dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t)
+dev_dontaudit_getattr_all(mozilla_plugin_t)
+dev_dontaudit_leaked_xserver_misc(mozilla_plugin_t)
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-files_exec_usr_files(mozilla_plugin_t)
-files_list_mnt(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
-files_read_usr_files(mozilla_plugin_t)
+files_list_mnt(mozilla_plugin_t)
+files_exec_usr_files(mozilla_plugin_t)
+fs_rw_inherited_tmpfs_files(mozilla_plugin_t)
+files_dontaudit_all_access_check(mozilla_plugin_t)
fs_getattr_all_fs(mozilla_plugin_t)
-# fs_read_hugetlbfs_files(mozilla_plugin_t)
-fs_search_auto_mountpoints(mozilla_plugin_t)
+fs_list_dos(mozilla_plugin_t)
+fs_read_noxattr_fs_files(mozilla_plugin_t)
+fs_read_hugetlbfs_files(mozilla_plugin_t)
+fs_exec_hugetlbfs_files(mozilla_plugin_t)
-term_getattr_all_ttys(mozilla_plugin_t)
-term_getattr_all_ptys(mozilla_plugin_t)
+storage_raw_read_removable_device(mozilla_plugin_t)
+fs_read_removable_files(mozilla_plugin_t)
+fs_read_removable_symlinks(mozilla_plugin_t)
application_exec(mozilla_plugin_t)
+application_dontaudit_signull(mozilla_plugin_t)
auth_use_nsswitch(mozilla_plugin_t)
+init_dontaudit_getattr_initctl(mozilla_plugin_t)
+init_read_all_script_files(mozilla_plugin_t)
+
libs_exec_ld_so(mozilla_plugin_t)
libs_exec_lib_files(mozilla_plugin_t)
+libs_legacy_use_shared_libs(mozilla_plugin_t)
logging_send_syslog_msg(mozilla_plugin_t)
-miscfiles_read_localization(mozilla_plugin_t)
miscfiles_read_fonts(mozilla_plugin_t)
miscfiles_read_generic_certs(mozilla_plugin_t)
+miscfiles_dontaudit_write_generic_cert_files(mozilla_plugin_t)
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
-userdom_manage_user_tmp_dirs(mozilla_plugin_t)
-userdom_manage_user_tmp_files(mozilla_plugin_t)
+systemd_read_logind_sessions_files(mozilla_plugin_t)
-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
-userdom_manage_user_home_content_files(mozilla_plugin_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
-
-userdom_write_user_tmp_sockets(mozilla_plugin_t)
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
+term_getattr_ptmx(mozilla_plugin_t)
+term_dontaudit_use_ptmx(mozilla_plugin_t)
+userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t)
userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
+userdom_manage_user_tmp_sockets(mozilla_plugin_t)
+userdom_manage_user_tmp_dirs(mozilla_plugin_t)
+userdom_rw_inherited_user_tmp_files(mozilla_plugin_t)
+userdom_delete_user_tmp_files(mozilla_plugin_t)
+userdom_rw_inherited_user_home_sock_files(mozilla_plugin_t)
+userdom_manage_home_certs(mozilla_plugin_t)
+userdom_read_user_tmp_symlinks(mozilla_plugin_t)
+userdom_stream_connect(mozilla_plugin_t)
+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t)
+userdom_map_user_home_files(mozilla_plugin_t)
-ifndef(`enable_mls',`
- fs_list_dos(mozilla_plugin_t)
- fs_read_dos_files(mozilla_plugin_t)
+userdom_read_user_home_content_files(mozilla_plugin_t)
+userdom_read_user_home_content_symlinks(mozilla_plugin_t)
+userdom_read_home_certs(mozilla_plugin_t)
+userdom_read_home_audio_files(mozilla_plugin_t)
+userdom_exec_user_tmp_files(mozilla_plugin_t)
- fs_search_removable(mozilla_plugin_t)
- fs_read_removable_files(mozilla_plugin_t)
- fs_read_removable_symlinks(mozilla_plugin_t)
+userdom_home_manager(mozilla_plugin_t)
- fs_read_iso9660_files(mozilla_plugin_t)
+tunable_policy(`mozilla_plugin_can_network_connect',`
+ corenet_tcp_connect_all_ports(mozilla_plugin_t)
')
-tunable_policy(`allow_execmem',`
- allow mozilla_plugin_t self:process execmem;
+optional_policy(`
+ abrt_stream_connect(mozilla_plugin_t)
')
-tunable_policy(`mozilla_execstack',`
- allow mozilla_plugin_t self:process { execmem execstack };
+optional_policy(`
+ alsa_read_rw_config(mozilla_plugin_t)
+ alsa_read_rw_config(mozilla_plugin_config_t)
+ alsa_read_home_files(mozilla_plugin_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_plugin_t)
- fs_manage_nfs_files(mozilla_plugin_t)
- fs_manage_nfs_symlinks(mozilla_plugin_t)
+optional_policy(`
+ apache_list_modules(mozilla_plugin_t)
')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mozilla_plugin_t)
- fs_manage_cifs_files(mozilla_plugin_t)
- fs_manage_cifs_symlinks(mozilla_plugin_t)
+optional_policy(`
+ bluetooth_stream_connect(mozilla_plugin_t)
')
optional_policy(`
- alsa_read_rw_config(mozilla_plugin_t)
- alsa_read_home_files(mozilla_plugin_t)
+ bumblebee_stream_connect(mozilla_plugin_t)
')
optional_policy(`
- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t)
+ cups_stream_connect(mozilla_plugin_t)
')
optional_policy(`
- dbus_all_session_bus_client(mozilla_plugin_t)
- dbus_connect_all_session_bus(mozilla_plugin_t)
dbus_system_bus_client(mozilla_plugin_t)
+ dbus_session_bus_client(mozilla_plugin_t)
+ dbus_connect_session_bus(mozilla_plugin_t)
+ dbus_read_lib_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ devicekit_dbus_chat_disk(mozilla_plugin_t)
+')
+
+optional_policy(`
+ gnome_manage_config(mozilla_plugin_t)
+ gnome_read_usr_config(mozilla_plugin_t)
+ gnome_filetrans_home_content(mozilla_plugin_t)
+ gnome_exec_gstreamer_home_files(mozilla_plugin_t)
')
optional_policy(`
- gnome_manage_generic_home_content(mozilla_plugin_t)
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome")
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2")
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private")
+ gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t)
')
optional_policy(`
java_exec(mozilla_plugin_t)
- java_manage_generic_home_content(mozilla_plugin_t)
- java_home_filetrans_java_home(mozilla_plugin_t, dir, ".java")
')
optional_policy(`
- lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles)
+ mplayer_exec(mozilla_plugin_t)
+ mplayer_manage_generic_home_content(mozilla_plugin_t)
+ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
')
optional_policy(`
- mplayer_exec(mozilla_plugin_t)
- mplayer_manage_generic_home_content(mozilla_plugin_t)
- mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
+ pulseaudio_exec(mozilla_plugin_t)
+ pulseaudio_stream_connect(mozilla_plugin_t)
+ pulseaudio_setattr_home_dir(mozilla_plugin_t)
+ pulseaudio_manage_home_dirs(mozilla_plugin_t)
+ pulseaudio_manage_home_files(mozilla_plugin_t)
+ pulseaudio_manage_home_symlinks(mozilla_plugin_t)
')
optional_policy(`
@@ -560,7 +602,11 @@ optional_policy(`
')
optional_policy(`
- pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles)
+ policykit_dbus_chat(mozilla_plugin_t)
+')
+
+optional_policy(`
+ rtkit_scheduled(mozilla_plugin_t)
')
optional_policy(`
@@ -568,108 +614,144 @@ optional_policy(`
')
optional_policy(`
- xserver_read_user_xauth(mozilla_plugin_t)
+ xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+ xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
xserver_read_xdm_pid(mozilla_plugin_t)
xserver_stream_connect(mozilla_plugin_t)
xserver_use_user_fonts(mozilla_plugin_t)
- xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
+ xserver_read_user_iceauth(mozilla_plugin_t)
+ xserver_read_user_xauth(mozilla_plugin_t)
+ xserver_append_xdm_home_files(mozilla_plugin_t)
+ xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t)
+ xserver_dontaudit_xdm_rw_stream_sockets(mozilla_plugin_t)
+ xserver_filetrans_fonts_cache_home_content(mozilla_plugin_t)
')
########################################
#
-# Plugin config local policy
+# mozilla_plugin_config local policy
#
allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
-allow mozilla_plugin_config_t self:process { setsched signal_perms getsched };
-allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
-allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
-
-manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
-manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix")
-
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gnash")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gcjwebplugin")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".icedteaplugin")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
+dev_read_sysfs(mozilla_plugin_config_t)
+dev_read_urand(mozilla_plugin_config_t)
+dev_dontaudit_read_rand(mozilla_plugin_config_t)
+dev_dontaudit_rw_dri(mozilla_plugin_config_t)
-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
+fs_search_auto_mountpoints(mozilla_plugin_config_t)
+fs_list_inotifyfs(mozilla_plugin_config_t)
-kernel_read_system_state(mozilla_plugin_config_t)
-kernel_request_load_module(mozilla_plugin_config_t)
+can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+mozilla_filetrans_home_content(mozilla_plugin_t)
+
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+userdom_user_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file })
+mozilla_filetrans_home_content(mozilla_plugin_config_t)
+dontaudit mozilla_plugin_t mozilla_plugin_tmp_t:file relabelfrom;
corecmd_exec_bin(mozilla_plugin_config_t)
corecmd_exec_shell(mozilla_plugin_config_t)
-dev_read_urand(mozilla_plugin_config_t)
-dev_rw_dri(mozilla_plugin_config_t)
-dev_search_sysfs(mozilla_plugin_config_t)
-dev_dontaudit_read_rand(mozilla_plugin_config_t)
+kernel_read_system_state(mozilla_plugin_config_t)
+kernel_request_load_module(mozilla_plugin_config_t)
domain_use_interactive_fds(mozilla_plugin_config_t)
-files_list_tmp(mozilla_plugin_config_t)
-files_read_usr_files(mozilla_plugin_config_t)
files_dontaudit_search_home(mozilla_plugin_config_t)
+files_list_tmp(mozilla_plugin_config_t)
fs_getattr_all_fs(mozilla_plugin_config_t)
-fs_search_auto_mountpoints(mozilla_plugin_config_t)
-fs_list_inotifyfs(mozilla_plugin_config_t)
+
+term_dontaudit_use_ptmx(mozilla_plugin_config_t)
auth_use_nsswitch(mozilla_plugin_config_t)
-miscfiles_read_localization(mozilla_plugin_config_t)
miscfiles_read_fonts(mozilla_plugin_config_t)
+userdom_search_user_home_content(mozilla_plugin_config_t)
userdom_read_user_home_content_symlinks(mozilla_plugin_config_t)
userdom_read_user_home_content_files(mozilla_plugin_config_t)
+userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t)
+userdom_use_inherited_user_ptys(mozilla_plugin_config_t)
+userdom_dontaudit_use_user_terminals(mozilla_plugin_config_t)
+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_config_t)
+userdom_dontaudit_write_all_user_home_content_files(mozilla_plugin_config_t)
+userdom_dontaudit_write_all_user_tmp_content_files(mozilla_plugin_config_t)
+
+domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
+
+tunable_policy(`use_ecryptfs_home_dirs',`
+ fs_read_ecryptfs_files(mozilla_plugin_config_t)
+')
-userdom_use_user_ptys(mozilla_plugin_config_t)
+optional_policy(`
+ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
+')
-mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles)
+optional_policy(`
+ xserver_use_user_fonts(mozilla_plugin_config_t)
+')
-tunable_policy(`allow_execmem',`
- allow mozilla_plugin_config_t self:process execmem;
+ifdef(`distro_redhat',`
+ typealias mozilla_plugin_t alias nsplugin_t;
+ typealias mozilla_plugin_exec_t alias nsplugin_exec_t;
+ typealias mozilla_plugin_rw_t alias nsplugin_rw_t;
+ typealias mozilla_plugin_tmp_t alias nsplugin_tmp_t;
+ typealias mozilla_home_t alias nsplugin_home_t;
+ typealias mozilla_plugin_config_t alias nsplugin_config_t;
+ typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t;
')
-tunable_policy(`mozilla_execstack',`
- allow mozilla_plugin_config_t self:process { execmem execstack };
+#tunable_policy(`mozilla_plugin_enable_homedirs',`
+# userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
+#', `
+
+ #userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, file)
+ #userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, dir)
+#')
+
+tunable_policy(`selinuxuser_execmod',`
+ userdom_execmod_user_home_files(mozilla_plugin_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_plugin_config_t)
- fs_manage_nfs_files(mozilla_plugin_config_t)
- fs_manage_nfs_symlinks(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_spice',`
+ dev_rw_generic_usb_dev(mozilla_plugin_t)
+ dev_setattr_generic_usb_dev(mozilla_plugin_t)
+ corenet_tcp_bind_vnc_port(mozilla_plugin_t)
')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mozilla_plugin_config_t)
- fs_manage_cifs_files(mozilla_plugin_config_t)
- fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_gps',`
+ fs_manage_dos_dirs(mozilla_plugin_t)
+ fs_manage_dos_files(mozilla_plugin_t)
')
-optional_policy(`
- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_bluejeans',`
+ corenet_tcp_bind_unreserved_ports(mozilla_plugin_t)
+ corenet_dontaudit_tcp_bind_all_defined_ports(mozilla_plugin_t)
+ corenet_tcp_connect_commplex_main_port(mozilla_plugin_t)
+ corenet_dontaudit_udp_bind_all_ports(mozilla_plugin_t)
+ corenet_udp_bind_all_unreserved_ports(mozilla_plugin_t)
')
-optional_policy(`
- xserver_use_user_fonts(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_bind_unreserved_ports',`
+ corenet_tcp_bind_unreserved_ports(mozilla_plugin_t)
+ corenet_udp_bind_all_unreserved_ports(mozilla_plugin_t)
')
diff --git a/mpd.fc b/mpd.fc
index 313ce521c..ae93e07eb 100644
--- a/mpd.fc
+++ b/mpd.fc
@@ -1,3 +1,5 @@
+HOME_DIR/\.mpd(/.*)? gen_context(system_u:object_r:mpd_home_t,s0)
+
/etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0)
/etc/rc\.d/init\.d/mpd -- gen_context(system_u:object_r:mpd_initrc_exec_t,s0)
@@ -9,3 +11,5 @@
/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
/var/log/mpd(/.*)? gen_context(system_u:object_r:mpd_log_t,s0)
+
+/var/run/mpd(/.*)? gen_context(system_u:object_r:mpd_var_run_t,s0)
diff --git a/mpd.if b/mpd.if
index 5fa77c7e6..2e01c7d0a 100644
--- a/mpd.if
+++ b/mpd.if
@@ -320,6 +320,25 @@ interface(`mpd_manage_lib_dirs',`
manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
')
+########################################
+##
+## Connect to mpd over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mpd_stream_connect',`
+ gen_require(`
+ type mpd_t, mpd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, mpd_var_run_t, mpd_var_run_t, mpd_t)
+')
+
########################################
##
## All of the rules required to
@@ -344,9 +363,13 @@ interface(`mpd_admin',`
type mpd_tmpfs_t, mpd_tmp_t, mpd_user_data_t;
')
- allow $1 mpd_t:process { ptrace signal_perms };
+ allow $1 mpd_t:process signal_perms;
ps_process_pattern($1, mpd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mpd_t:process ptrace;
+ ')
+
mpd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 mpd_initrc_exec_t system_r;
diff --git a/mpd.te b/mpd.te
index fe7252355..062ad640a 100644
--- a/mpd.te
+++ b/mpd.te
@@ -62,18 +62,25 @@ files_type(mpd_var_lib_t)
type mpd_user_data_t;
userdom_user_home_content(mpd_user_data_t) # customizable
+type mpd_home_t;
+userdom_user_home_content(mpd_home_t)
+
+type mpd_var_run_t;
+files_pid_file(mpd_var_run_t)
+
########################################
#
# Local policy
#
-allow mpd_t self:capability { dac_override kill setgid setuid };
+allow mpd_t self:capability { dac_read_search dac_override kill setgid setuid };
allow mpd_t self:process { getsched setsched setrlimit signal signull setcap };
allow mpd_t self:fifo_file rw_fifo_file_perms;
allow mpd_t self:unix_stream_socket { accept connectto listen };
allow mpd_t self:unix_dgram_socket sendto;
allow mpd_t self:tcp_socket { accept listen };
allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow mpd_t mpd_data_t:dir manage_dir_perms;
allow mpd_t mpd_data_t:file manage_file_perms;
@@ -104,13 +111,22 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
files_var_lib_filetrans(mpd_t, mpd_var_lib_t, dir)
+manage_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
+manage_dirs_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
+manage_sock_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
+manage_lnk_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
+files_pid_filetrans(mpd_t, mpd_var_run_t, { file dir sock_file })
+
+manage_files_pattern(mpd_t, mpd_home_t, mpd_home_t)
+manage_dirs_pattern(mpd_t, mpd_home_t, mpd_home_t)
+manage_lnk_files_pattern(mpd_t, mpd_home_t, mpd_home_t)
+
kernel_getattr_proc(mpd_t)
kernel_read_system_state(mpd_t)
kernel_read_kernel_sysctls(mpd_t)
corecmd_exec_bin(mpd_t)
-corenet_all_recvfrom_unlabeled(mpd_t)
corenet_all_recvfrom_netlabel(mpd_t)
corenet_tcp_sendrecv_generic_if(mpd_t)
corenet_tcp_sendrecv_generic_node(mpd_t)
@@ -139,9 +155,9 @@ dev_read_sound(mpd_t)
dev_write_sound(mpd_t)
dev_read_sysfs(mpd_t)
-files_read_usr_files(mpd_t)
fs_getattr_all_fs(mpd_t)
+fs_getattr_all_dirs(mpd_t)
fs_list_inotifyfs(mpd_t)
fs_rw_anon_inodefs_files(mpd_t)
fs_search_auto_mountpoints(mpd_t)
@@ -150,15 +166,26 @@ auth_use_nsswitch(mpd_t)
logging_send_syslog_msg(mpd_t)
-miscfiles_read_localization(mpd_t)
+userdom_home_reader(mpd_t)
tunable_policy(`mpd_enable_homedirs',`
- userdom_search_user_home_dirs(mpd_t)
+ userdom_stream_connect(mpd_t)
+ userdom_read_home_audio_files(mpd_t)
+ userdom_list_user_tmp(mpd_t)
+ userdom_read_user_tmp_files(mpd_t)
+ userdom_dontaudit_setattr_user_tmp(mpd_t)
+')
+
+optional_policy(`
+ tunable_policy(`mpd_enable_homedirs',`
+ pulseaudio_read_home_files(mpd_t)
+ ')
')
tunable_policy(`mpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_files(mpd_t)
fs_read_nfs_symlinks(mpd_t)
+
')
tunable_policy(`mpd_enable_homedirs && use_samba_home_dirs',`
@@ -191,13 +218,23 @@ optional_policy(`
')
optional_policy(`
- pulseaudio_domtrans(mpd_t)
+ pulseaudio_exec(mpd_t)
')
optional_policy(`
rpc_search_nfs_state_data(mpd_t)
')
+optional_policy(`
+ #needed by pulseaudio
+ systemd_read_logind_sessions_files(mpd_t)
+ systemd_login_read_pid_files(mpd_t)
+')
+
+optional_policy(`
+ rtkit_daemon_dontaudit_dbus_chat(mpd_t)
+')
+
optional_policy(`
udev_read_db(mpd_t)
')
diff --git a/mplayer.if b/mplayer.if
index 861d5e974..1c3d5a538 100644
--- a/mplayer.if
+++ b/mplayer.if
@@ -161,3 +161,23 @@ interface(`mplayer_home_filetrans_mplayer_home',`
userdom_user_home_dir_filetrans($1, mplayer_home_t, $2, $3)
')
+
+########################################
+##
+## Create specified objects in user home
+## directories with the generic mplayer
+## home type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mplayer_filetrans_home_content',`
+ gen_require(`
+ type mplayer_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, mplayer_home_t, dir, ".mplayer")
+')
diff --git a/mplayer.te b/mplayer.te
index 0f03cd937..e3ed3933d 100644
--- a/mplayer.te
+++ b/mplayer.te
@@ -11,7 +11,7 @@ policy_module(mplayer, 2.5.0)
## its stack executable.
##
##
-gen_tunable(allow_mplayer_execstack, false)
+gen_tunable(mplayer_execstack, false)
attribute_role mencoder_roles;
attribute_role mplayer_roles;
@@ -67,7 +67,6 @@ kernel_read_kernel_sysctls(mencoder_t)
dev_rwx_zero(mencoder_t)
dev_read_video_dev(mencoder_t)
-files_read_usr_files(mencoder_t)
fs_search_auto_mountpoints(mencoder_t)
@@ -82,7 +81,7 @@ userdom_manage_user_tmp_files(mencoder_t)
userdom_manage_user_home_content_dirs(mencoder_t)
userdom_manage_user_home_content_files(mencoder_t)
-userdom_user_home_dir_filetrans_user_home_content(mencoder_t, { dir file })
+userdom_filetrans_home_content(mencoder_t)
ifndef(`enable_mls',`
fs_list_dos(mencoder_t)
@@ -95,15 +94,15 @@ ifndef(`enable_mls',`
fs_read_iso9660_files(mencoder_t)
')
-tunable_policy(`allow_execmem',`
- allow mencoder_t self:process execmem;
+tunable_policy(`deny_execmem',`',`
+ allow mencoder_t self:process execmem;
')
-tunable_policy(`allow_execmod',`
+tunable_policy(`selinuxuser_execmod',`
dev_execmod_zero(mencoder_t)
')
-tunable_policy(`allow_mplayer_execstack',`
+tunable_policy(`mplayer_execstack',`
allow mencoder_t self:process { execmem execstack };
')
@@ -183,7 +182,6 @@ files_dontaudit_getattr_non_security_files(mplayer_t)
files_read_non_security_files(mplayer_t)
files_list_home(mplayer_t)
files_read_etc_runtime_files(mplayer_t)
-files_read_usr_files(mplayer_t)
fs_getattr_all_fs(mplayer_t)
fs_search_auto_mountpoints(mplayer_t)
@@ -204,7 +202,7 @@ userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
userdom_manage_user_home_content_dirs(mplayer_t)
userdom_manage_user_home_content_files(mplayer_t)
-userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file })
+userdom_filetrans_home_content(mplayer_t)
userdom_write_user_tmp_sockets(mplayer_t)
@@ -221,15 +219,15 @@ ifndef(`enable_mls',`
fs_read_iso9660_files(mplayer_t)
')
-tunable_policy(`allow_execmem',`
- allow mplayer_t self:process execmem;
+tunable_policy(`deny_execmem',`',`
+ allow mplayer_t self:process execmem;
')
-tunable_policy(`allow_execmod',`
+tunable_policy(`selinuxuser_execmod',`
dev_execmod_zero(mplayer_t)
')
-tunable_policy(`allow_mplayer_execstack',`
+tunable_policy(`mplayer_execstack',`
allow mplayer_t self:process { execmem execstack };
')
@@ -245,7 +243,7 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_symlinks(mplayer_t)
')
-tunable_policy(`allow_mplayer_execstack',`
+tunable_policy(`mplayer_execstack',`
allow mplayer_t mplayer_tmpfs_t:file execute;
')
diff --git a/mrtg.if b/mrtg.if
index c595094a6..23464583b 100644
--- a/mrtg.if
+++ b/mrtg.if
@@ -1,5 +1,24 @@
## Network traffic graphing.
+########################################
+##
+## Read mrtg lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mrtg_read_lib_files',`
+ gen_require(`
+ type mrtg_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, mrtg_var_lib_t, mrtg_var_lib_t)
+')
+
########################################
##
## Create and append mrtg log files.
diff --git a/mrtg.te b/mrtg.te
index 65a246a52..fa8632064 100644
--- a/mrtg.te
+++ b/mrtg.te
@@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t)
corecmd_exec_bin(mrtg_t)
corecmd_exec_shell(mrtg_t)
-corenet_all_recvfrom_unlabeled(mrtg_t)
corenet_all_recvfrom_netlabel(mrtg_t)
corenet_tcp_sendrecv_generic_if(mrtg_t)
corenet_tcp_sendrecv_generic_node(mrtg_t)
@@ -82,7 +81,6 @@ domain_dontaudit_search_all_domains_state(mrtg_t)
files_getattr_tmp_dirs(mrtg_t)
files_read_etc_runtime_files(mrtg_t)
-files_read_usr_files(mrtg_t)
files_search_var(mrtg_t)
files_search_locks(mrtg_t)
files_search_var_lib(mrtg_t)
@@ -105,13 +103,12 @@ libs_read_lib_files(mrtg_t)
logging_send_syslog_msg(mrtg_t)
-miscfiles_read_localization(mrtg_t)
-
selinux_dontaudit_getattr_dir(mrtg_t)
-userdom_use_user_terminals(mrtg_t)
+userdom_use_inherited_user_terminals(mrtg_t)
userdom_dontaudit_read_user_home_content_files(mrtg_t)
userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
+userdom_dontaudit_list_admin_dir(mrtg_t)
netutils_domtrans_ping(mrtg_t)
diff --git a/mta.fc b/mta.fc
index f42896cbf..fce39c1ce 100644
--- a/mta.fc
+++ b/mta.fc
@@ -1,34 +1,39 @@
-HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
-HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
-HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
-/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
-/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
-/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
+/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
/etc/mail/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)
-/etc/postfix/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)
-
-/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
+/etc/mail/.*\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
+ifdef(`distro_redhat',`
+/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
+')
+
+/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+
+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
-/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
index ed81cac5a..806055cba 100644
--- a/mta.if
+++ b/mta.if
@@ -1,4 +1,4 @@
-## Common e-mail transfer agent policy.
+## Policy common to all email tranfer agents.
########################################
##
@@ -18,23 +18,37 @@ interface(`mta_stub',`
#######################################
##
-## The template to define a mail domain.
+## Basic mail transfer agent domain template.
##
+##
+##
+## This template creates a derived domain which is
+## a email transfer agent, which sends mail on
+## behalf of the user.
+##
+##
+## This is the basic types and rules, common
+## to the system agent and user agents.
+##
+##
##
##
-## Domain prefix to be used.
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
##
##
+##
#
template(`mta_base_mail_template',`
+
gen_require(`
attribute user_mail_domain;
type sendmail_exec_t;
')
- ########################################
+ ##############################
#
- # Declarations
+ # $1_mail_t declarations
#
type $1_mail_t, user_mail_domain;
@@ -43,17 +57,18 @@ template(`mta_base_mail_template',`
type $1_mail_tmp_t;
files_tmp_file($1_mail_tmp_t)
- ########################################
- #
- # Declarations
- #
-
manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
+ kernel_read_system_state($1_mail_t)
+
+ corenet_all_recvfrom_netlabel($1_mail_t)
+
auth_use_nsswitch($1_mail_t)
+ logging_send_syslog_msg($1_mail_t)
+
optional_policy(`
postfix_domtrans_user_mail_handler($1_mail_t)
')
@@ -61,61 +76,41 @@ template(`mta_base_mail_template',`
########################################
##
-## Role access for mta.
+## Role access for mta
##
##
##
-## Role allowed access.
+## Role allowed access
##
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
#
interface(`mta_role',`
gen_require(`
attribute mta_user_agent;
- attribute_role user_mail_roles;
- type user_mail_t, sendmail_exec_t, mail_home_t;
- type user_mail_tmp_t, mail_home_rw_t;
+ type user_mail_t, sendmail_exec_t;
')
- roleattribute $1 user_mail_roles;
-
- # this is something i need to fix
- # i dont know if and why it is needed
- # will role attribute work?
- role $1 types mta_user_agent;
+ role $1 types { user_mail_t mta_user_agent };
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, sendmail_exec_t, user_mail_t)
allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
- allow $2 { user_mail_t mta_user_agent }:process { ptrace signal_perms };
- ps_process_pattern($2, { user_mail_t mta_user_agent })
-
- allow $2 mail_home_t:file { manage_file_perms relabel_file_perms };
- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".esmtp_queue")
- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".forward")
- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".mailrc")
- userdom_user_home_dir_filetrans($2, mail_home_t, file, "dead.letter")
-
- allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms };
- allow $2 mail_home_rw_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir")
- userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir")
-
- allow $2 user_mail_tmp_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 user_mail_tmp_t:file { manage_file_perms relabel_file_perms };
+ allow mta_user_agent $2:fd use;
+ allow mta_user_agent $2:process sigchld;
+ allow mta_user_agent $2:fifo_file rw_inherited_fifo_file_perms;
optional_policy(`
exim_run($2, $1)
')
optional_policy(`
- mailman_run($2, $1)
+ mailman_run(mta_user_agent, $1)
')
')
@@ -163,125 +158,23 @@ interface(`mta_agent_executable',`
application_executable_file($1)
')
-#######################################
-##
-## Read mta mail home files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`mta_read_mail_home_files',`
- gen_require(`
- type mail_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 mail_home_t:file read_file_perms;
-')
-
-#######################################
-##
-## Create, read, write, and delete
-## mta mail home files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`mta_manage_mail_home_files',`
- gen_require(`
- type mail_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 mail_home_t:file manage_file_perms;
-')
-
-########################################
+######################################
##
-## Create specified objects in user home
-## directories with the generic mail
-## home type.
+## Dontaudit read and write an leaked file descriptors
##
##
##
-## Domain allowed access.
-##
-##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
-#
-interface(`mta_home_filetrans_mail_home',`
- gen_require(`
- type mail_home_t;
- ')
-
- userdom_user_home_dir_filetrans($1, mail_home_t, $2, $3)
-')
-
-#######################################
-##
-## Create, read, write, and delete
-## mta mail home rw content.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`mta_manage_mail_home_rw_content',`
- gen_require(`
- type mail_home_rw_t;
- ')
-
- userdom_search_user_home_dirs($1)
- manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
- manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
- manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
-')
-
-########################################
-##
-## Create specified objects in user home
-## directories with the generic mail
-## home rw type.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
+## Domain to not audit.
##
##
#
-interface(`mta_home_filetrans_mail_home_rw',`
+interface(`mta_dontaudit_leaks_system_mail',`
gen_require(`
- type mail_home_rw_t;
+ type system_mail_t;
')
- userdom_user_home_dir_filetrans($1, mail_home_rw_t, $2, $3)
+ dontaudit $1 system_mail_t:fifo_file write;
+ dontaudit $1 system_mail_t:tcp_socket { read write };
')
########################################
@@ -334,7 +227,6 @@ interface(`mta_sendmail_mailserver',`
')
init_system_domain($1, sendmail_exec_t)
-
typeattribute $1 mailserver_domain;
')
@@ -374,6 +266,15 @@ interface(`mta_mailserver_delivery',`
')
typeattribute $1 mailserver_delivery;
+
+ userdom_home_manager($1)
+
+ optional_policy(`
+ mta_rw_delivery_tcp_sockets($1)
+ ')
+
+ userdom_filetrans_home_content($1)
+
')
#######################################
@@ -394,6 +295,12 @@ interface(`mta_mailserver_user_agent',`
')
typeattribute $1 mta_user_agent;
+
+ optional_policy(`
+ # apache should set close-on-exec
+ apache_dontaudit_rw_stream_sockets($1)
+ apache_dontaudit_rw_sys_script_stream_sockets($1)
+ ')
')
########################################
@@ -408,14 +315,19 @@ interface(`mta_mailserver_user_agent',`
#
interface(`mta_send_mail',`
gen_require(`
+ attribute mta_user_agent;
type system_mail_t;
attribute mta_exec_type;
')
- corecmd_search_bin($1)
+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+ corecmd_read_bin_symlinks($1)
domtrans_pattern($1, mta_exec_type, system_mail_t)
- allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+ allow mta_user_agent $1:fd use;
+ allow mta_user_agent $1:process sigchld;
+ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;
')
########################################
@@ -445,18 +357,24 @@ interface(`mta_send_mail',`
#
interface(`mta_sendmail_domtrans',`
gen_require(`
- type sendmail_exec_t;
+ attribute mta_exec_type;
+ attribute mta_user_agent;
')
- corecmd_search_bin($1)
- domain_auto_trans($1, sendmail_exec_t, $2)
+ files_search_usr($1)
+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+ corecmd_read_bin_symlinks($1)
- allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
+ allow $2 mta_exec_type:file entrypoint;
+ domtrans_pattern($1, mta_exec_type, $2)
+ allow mta_user_agent $1:fd use;
+ allow mta_user_agent $1:process sigchld;
+ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms;
')
########################################
##
-## Send signals to system mail.
+## Send system mail client a signal
##
##
##
@@ -464,7 +382,6 @@ interface(`mta_sendmail_domtrans',`
##
##
#
-#
interface(`mta_signal_system_mail',`
gen_require(`
type system_mail_t;
@@ -475,7 +392,61 @@ interface(`mta_signal_system_mail',`
########################################
##
-## Send kill signals to system mail.
+## Allow role to access system_mail_t.
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`mta_role_access_system_mail',`
+ gen_require(`
+ type system_mail_t;
+ ')
+
+ role $1 types system_mail_t;
+')
+
+########################################
+##
+## Send all user mail client a signal
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_signal_user_agent',`
+ gen_require(`
+ attribute mta_user_agent;
+ ')
+
+ allow $1 mta_user_agent:process signal;
+')
+
+########################################
+##
+## Send all user mail client a kill signal
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_kill_user_agent',`
+ gen_require(`
+ attribute mta_user_agent;
+ ')
+
+ allow $1 mta_user_agent:process sigkill;
+')
+
+########################################
+##
+## Send system mail client a kill signal
##
##
##
@@ -506,13 +477,32 @@ interface(`mta_sendmail_exec',`
type sendmail_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, sendmail_exec_t)
')
########################################
##
-## Read mail server configuration content.
+## Check whether sendmail executable
+## files are executable.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_sendmail_access_check',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ allow $1 sendmail_exec_t:file { getattr_file_perms execute };
+')
+
+########################################
+##
+## Read mail server configuration.
##
##
##
@@ -528,13 +518,13 @@ interface(`mta_read_config',`
files_search_etc($1)
allow $1 etc_mail_t:dir list_dir_perms;
- allow $1 etc_mail_t:file read_file_perms;
- allow $1 etc_mail_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, etc_mail_t, etc_mail_t)
+ read_lnk_files_pattern($1, etc_mail_t, etc_mail_t)
')
########################################
##
-## Write mail server configuration files.
+## write mail server configuration.
##
##
##
@@ -548,33 +538,31 @@ interface(`mta_write_config',`
type etc_mail_t;
')
- files_search_etc($1)
write_files_pattern($1, etc_mail_t, etc_mail_t)
')
########################################
##
-## Read mail address alias files.
+## Manage mail server configuration.
##
##
##
## Domain allowed access.
##
##
+##
#
-interface(`mta_read_aliases',`
+interface(`mta_manage_config',`
gen_require(`
- type etc_aliases_t;
+ type etc_mail_t;
')
- files_search_etc($1)
- allow $1 etc_aliases_t:file read_file_perms;
+ manage_files_pattern($1, etc_mail_t, etc_mail_t)
')
########################################
##
-## Create, read, write, and delete
-## mail address alias content.
+## Read mail address aliases.
##
##
##
@@ -582,84 +570,64 @@ interface(`mta_read_aliases',`
##
##
#
-interface(`mta_manage_aliases',`
+interface(`mta_read_aliases',`
gen_require(`
type etc_aliases_t;
')
files_search_etc($1)
- manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
- manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
+ allow $1 etc_aliases_t:file read_file_perms;
+ allow $1 etc_aliases_t:lnk_file read_lnk_file_perms;
')
########################################
##
-## Create specified object in generic
-## etc directories with the mail address
-## alias type.
+## Create, read, write, and delete mail address aliases.
##
##
##
## Domain allowed access.
##
##
-##
-##
-## The object class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
#
-interface(`mta_etc_filetrans_aliases',`
+interface(`mta_manage_aliases',`
gen_require(`
type etc_aliases_t;
')
- files_etc_filetrans($1, etc_aliases_t, $2, $3)
+ files_search_etc($1)
+ manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
+ manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
+ mta_filetrans_named_content($1)
')
########################################
##
-## Create specified objects in specified
-## directories with a type transition to
-## the mail address alias type.
+## Type transition files created in /etc
+## to the mail address aliases type.
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Directory to transition on.
-##
-##
-##
-##
-## The object class of the object being created.
-##
-##
##
##
## The name of the object being created.
##
##
#
-interface(`mta_spec_filetrans_aliases',`
+interface(`mta_etc_filetrans_aliases',`
gen_require(`
type etc_aliases_t;
')
- filetrans_pattern($1, $2, etc_aliases_t, $3, $4)
+ files_etc_filetrans($1, etc_aliases_t, file, $2)
')
########################################
##
-## Read and write mail alias files.
+## Read and write mail aliases.
##
##
##
@@ -674,14 +642,13 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
- allow $1 etc_aliases_t:file rw_file_perms;
+ allow $1 etc_aliases_t:file { rw_file_perms setattr_file_perms };
')
#######################################
##
-## Do not audit attempts to read
-## and write TCP sockets of mail
-## delivery domains.
+## Do not audit attempts to read and write TCP
+## sockets of mail delivery domains.
##
##
##
@@ -697,6 +664,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
dontaudit $1 mailserver_delivery:tcp_socket { read write };
')
+######################################
+##
+## Allow attempts to read and write TCP
+## sockets of mail delivery domains.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`mta_rw_delivery_tcp_sockets',`
+ gen_require(`
+ attribute mailserver_delivery;
+ ')
+
+ allow $1 mailserver_delivery:tcp_socket { read write };
+')
+
#######################################
##
## Connect to all mail servers over TCP. (Deprecated)
@@ -713,8 +699,8 @@ interface(`mta_tcp_connect_all_mailservers',`
#######################################
##
-## Do not audit attempts to read
-## mail spool symlinks.
+## Do not audit attempts to read a symlink
+## in the mail spool.
##
##
##
@@ -732,7 +718,7 @@ interface(`mta_dontaudit_read_spool_symlinks',`
########################################
##
-## Get attributes of mail spool content.
+## Get the attributes of mail spool files.
##
##
##
@@ -753,8 +739,8 @@ interface(`mta_getattr_spool',`
########################################
##
-## Do not audit attempts to get
-## attributes of mail spool files.
+## Do not audit attempts to get the attributes
+## of mail spool files.
##
##
##
@@ -775,9 +761,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
#######################################
##
-## Create specified objects in the
-## mail spool directory with a
-## private type.
+## Create private objects in the
+## mail spool directory.
##
##
##
@@ -811,7 +796,7 @@ interface(`mta_spool_filetrans',`
#######################################
##
-## Read mail spool files.
+## Read the mail spool.
##
##
##
@@ -819,10 +804,10 @@ interface(`mta_spool_filetrans',`
##
##
#
-interface(`mta_read_spool_files',`
- gen_require(`
- type mail_spool_t;
- ')
+interface(`mta_read_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
files_search_spool($1)
read_files_pattern($1, mail_spool_t, mail_spool_t)
@@ -830,7 +815,7 @@ interface(`mta_read_spool_files',`
########################################
##
-## Read and write mail spool files.
+## Read and write the mail spool.
##
##
##
@@ -845,13 +830,14 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
- allow $1 mail_spool_t:file rw_file_perms;
- allow $1 mail_spool_t:lnk_file read_lnk_file_perms;
+ allow $1 mail_spool_t:file setattr_file_perms;
+ manage_files_pattern($1, mail_spool_t, mail_spool_t)
+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
#######################################
##
-## Create, read, and write mail spool files.
+## Create, read, and write the mail spool.
##
##
##
@@ -866,13 +852,14 @@ interface(`mta_append_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
- manage_files_pattern($1, mail_spool_t, mail_spool_t)
- allow $1 mail_spool_t:lnk_file read_lnk_file_perms;
+ create_files_pattern($1, mail_spool_t, mail_spool_t)
+ write_files_pattern($1, mail_spool_t, mail_spool_t)
+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
#######################################
##
-## Delete mail spool files.
+## Delete from the mail spool.
##
##
##
@@ -891,8 +878,7 @@ interface(`mta_delete_spool',`
########################################
##
-## Create, read, write, and delete
-## mail spool content.
+## Create, read, write, and delete mail spool files.
##
##
##
@@ -909,47 +895,12 @@ interface(`mta_manage_spool',`
manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
manage_files_pattern($1, mail_spool_t, mail_spool_t)
manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
-')
-
-#######################################
-##
-## Create specified objects in the
-## mail queue spool directory with a
-## private type.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## The type of the object to be created.
-##
-##
-##
-##
-## The object class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
-#
-interface(`mta_queue_filetrans',`
- gen_require(`
- type mqueue_spool_t;
- ')
-
- files_search_spool($1)
- filetrans_pattern($1, mqueue_spool_t, $2, $3, $4)
+ allow $1 mail_spool_t:file map;
')
########################################
##
-## Search mail queue directories.
+## Search mail queue dirs.
##
##
##
@@ -968,7 +919,7 @@ interface(`mta_search_queue',`
#######################################
##
-## List mail queue directories.
+## List the mail queue.
##
##
##
@@ -981,13 +932,13 @@ interface(`mta_list_queue',`
type mqueue_spool_t;
')
- files_search_spool($1)
allow $1 mqueue_spool_t:dir list_dir_perms;
+ files_search_spool($1)
')
#######################################
##
-## Read mail queue files.
+## Read the mail queue.
##
##
##
@@ -1000,14 +951,14 @@ interface(`mta_read_queue',`
type mqueue_spool_t;
')
- files_search_spool($1)
read_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
+ files_search_spool($1)
')
#######################################
##
## Do not audit attempts to read and
-## write mail queue content.
+## write the mail queue.
##
##
##
@@ -1027,7 +978,7 @@ interface(`mta_dontaudit_rw_queue',`
########################################
##
## Create, read, write, and delete
-## mail queue content.
+## mail queue files.
##
##
##
@@ -1045,6 +996,41 @@ interface(`mta_manage_queue',`
manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
')
+#######################################
+##
+## Create private objects in the
+## mqueue spool directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to be created.
+##
+##
+##
+##
+## The object class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`mta_spool_filetrans_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ files_search_spool($1)
+ filetrans_pattern($1, mqueue_spool_t, $2, $3, $4)
+')
+
#######################################
##
## Read sendmail binary.
@@ -1055,6 +1041,7 @@ interface(`mta_manage_queue',`
##
##
#
+# cjp: added for postfix
interface(`mta_read_sendmail_bin',`
gen_require(`
type sendmail_exec_t;
@@ -1065,8 +1052,8 @@ interface(`mta_read_sendmail_bin',`
#######################################
##
-## Read and write unix domain stream
-## sockets of all base mail domains.
+## Read and write unix domain stream sockets
+## of user mail domains.
##
##
##
@@ -1081,3 +1068,227 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
+
+########################################
+##
+## Type transition files created in calling dir
+## to the mail address aliases type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Directory to transition on.
+##
+##
+#
+interface(`mta_filetrans_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ filetrans_pattern($1, $2, etc_aliases_t, file)
+')
+
+######################################
+##
+## ALlow domain to append mail content in the homedir
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_append_home',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ append_files_pattern($1, mail_home_t, mail_home_t)
+
+ ifdef(`distro_redhat',`
+ userdom_search_admin_dir($1)
+ ')
+')
+
+######################################
+##
+## ALlow domain to read mail content in the homedir
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_read_home',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, mail_home_t, mail_home_t)
+
+ ifdef(`distro_redhat',`
+ userdom_search_admin_dir($1)
+ ')
+')
+
+####################################
+##
+## ALlow domain to mmap mail content in the homedir
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_mmap_home_rw',`
+ gen_require(`
+ type mail_home_rw_t;
+ ')
+
+ allow $1 mail_home_rw_t:file map;
+')
+
+####################################
+##
+## ALlow domain to read mail content in the homedir
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_read_home_rw',`
+ gen_require(`
+ type mail_home_rw_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ read_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+
+ ifdef(`distro_redhat',`
+ userdom_search_admin_dir($1)
+ ')
+')
+
+####################################
+##
+## Allow domain to manage mail content in the homedir
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_manage_home_rw',`
+ gen_require(`
+ type mail_home_rw_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ userdom_search_admin_dir($1)
+ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+
+ ifdef(`distro_redhat',`
+ userdom_search_admin_dir($1)
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ ')
+')
+
+########################################
+##
+## create mail content in the in the /root directory
+## with an correct label.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_filetrans_admin_home_content',`
+ gen_require(`
+ type mail_home_t;
+ type mail_home_rw_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
+')
+
+########################################
+##
+## Transition to mta named home content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_filetrans_home_content',`
+ gen_require(`
+ type mail_home_t;
+ type mail_home_rw_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
+')
+
+########################################
+##
+## Transition to mta named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_filetrans_named_content',`
+ gen_require(`
+ type etc_aliases_t;
+ type etc_mail_t;
+ ')
+
+ #filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })
+ mta_etc_filetrans_aliases($1, "aliases")
+ mta_etc_filetrans_aliases($1, "aliases.db")
+ mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
+ mta_etc_filetrans_aliases($1, "__db.aliases.db")
+ mta_etc_filetrans_aliases($1, "virtusertable.db")
+ mta_etc_filetrans_aliases($1, "access.db")
+ mta_etc_filetrans_aliases($1, "domaintable.db")
+ filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "virtusertable.db")
+ filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "access.db")
+ filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "domaintable.db")
+ filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "mailertable.db")
+ filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "aliasesdb-stamp")
+ mta_filetrans_home_content($1)
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
index ff1d68c6a..630956deb 100644
--- a/mta.te
+++ b/mta.te
@@ -14,8 +14,6 @@ attribute mailserver_sender;
attribute user_mail_domain;
-attribute_role user_mail_roles;
-
type etc_aliases_t;
files_type(etc_aliases_t)
@@ -30,9 +28,11 @@ userdom_user_home_content(mail_home_rw_t)
type mqueue_spool_t;
files_mountpoint(mqueue_spool_t)
+files_spool_file(mqueue_spool_t)
type mail_spool_t;
files_mountpoint(mail_spool_t)
+files_spool_file(mail_spool_t)
type sendmail_exec_t;
mta_agent_executable(sendmail_exec_t)
@@ -43,11 +43,9 @@ role system_r types system_mail_t;
mta_base_mail_template(user)
typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
-userdom_user_application_type(user_mail_t)
-role user_mail_roles types user_mail_t;
-
typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
+userdom_user_application_type(user_mail_t)
userdom_user_tmp_file(user_mail_tmp_t)
########################################
@@ -61,13 +59,11 @@ allow user_mail_domain self:fifo_file rw_fifo_file_perms;
allow user_mail_domain mta_exec_type:file entrypoint;
-allow user_mail_domain mail_home_t:file { append_file_perms read_file_perms };
+manage_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
manage_lnk_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
-userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, "Maildir")
-userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, ".maildir")
read_files_pattern(user_mail_domain, { etc_mail_t etc_aliases_t }, { etc_mail_t etc_aliases_t })
@@ -79,12 +75,10 @@ allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t })
kernel_read_crypto_sysctls(user_mail_domain)
-kernel_read_system_state(user_mail_domain)
kernel_read_kernel_sysctls(user_mail_domain)
kernel_read_network_state(user_mail_domain)
kernel_request_load_module(user_mail_domain)
-corenet_all_recvfrom_netlabel(user_mail_domain)
corenet_tcp_sendrecv_generic_if(user_mail_domain)
corenet_tcp_sendrecv_generic_node(user_mail_domain)
@@ -107,10 +101,6 @@ fs_getattr_all_fs(user_mail_domain)
init_dontaudit_rw_utmp(user_mail_domain)
-logging_send_syslog_msg(user_mail_domain)
-
-miscfiles_read_localization(user_mail_domain)
-
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(user_mail_domain)
fs_manage_cifs_files(user_mail_domain)
@@ -123,6 +113,11 @@ tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_symlinks(user_mail_domain)
')
+optional_policy(`
+ antivirus_stream_connect(user_mail_domain)
+ antivirus_stream_connect(mta_user_agent)
+')
+
optional_policy(`
courier_manage_spool_dirs(user_mail_domain)
courier_manage_spool_files(user_mail_domain)
@@ -149,6 +144,11 @@ optional_policy(`
')
')
+optional_policy(`
+ openshift_rw_inherited_content(mta_user_agent)
+ openshift_dontaudit_rw_inherited_fifo_files(mta_user_agent)
+')
+
optional_policy(`
procmail_exec(user_mail_domain)
')
@@ -166,57 +166,79 @@ optional_policy(`
uucp_manage_spool(user_mail_domain)
')
+mta_filetrans_admin_home_content(user_mail_domain)
+mta_filetrans_home_content(user_mail_domain)
+
########################################
#
# System local policy
#
-allow system_mail_t self:capability { dac_override fowner };
+# newalias required this, not sure if it is needed in 'if' file
+allow system_mail_t self:capability { dac_read_search dac_override fowner };
+dontaudit system_mail_t self:capability net_admin;
-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
+allow system_mail_t mail_home_t:file manage_file_perms;
read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
-allow system_mail_t mail_home_t:file manage_file_perms;
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".mailrc")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, "dead.letter")
-
-allow system_mail_t user_mail_domain:dir list_dir_perms;
-allow system_mail_t user_mail_domain:file read_file_perms;
-allow system_mail_t user_mail_domain:lnk_file read_lnk_file_perms;
+kernel_search_network_sysctl(system_mail_t)
corecmd_exec_shell(system_mail_t)
-dev_read_rand(system_mail_t)
dev_read_sysfs(system_mail_t)
+dev_read_rand(system_mail_t)
+dev_read_urand(system_mail_t)
fs_rw_anon_inodefs_files(system_mail_t)
-selinux_getattr_fs(system_mail_t)
-
term_dontaudit_use_unallocated_ttys(system_mail_t)
init_use_script_ptys(system_mail_t)
+init_dontaudit_rw_stream_socket(system_mail_t)
+
+userdom_use_inherited_user_terminals(system_mail_t)
+userdom_dontaudit_list_user_home_dirs(system_mail_t)
+userdom_dontaudit_list_admin_dir(system_mail_t)
+userdom_dontaudit_list_user_tmp(system_mail_t)
+userdom_dontaudit_read_inherited_admin_home_files(system_mail_t)
-userdom_use_user_terminals(system_mail_t)
+manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
+manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
+
+allow system_mail_t mail_home_t:file manage_file_perms;
+userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
+
+logging_append_all_logs(system_mail_t)
+
+logging_send_syslog_msg(system_mail_t)
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
apache_append_squirrelmail_data(system_mail_t)
+
+ # apache should set close-on-exec
apache_dontaudit_append_log(system_mail_t)
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
+ apache_dontaudit_rw_tmp_files(system_mail_t)
+
+ apache_dontaudit_rw_fifo_file(user_mail_domain)
+ apache_dontaudit_rw_fifo_file(mta_user_agent)
+ # apache should set close-on-exec
+ apache_dontaudit_rw_stream_sockets(mta_user_agent)
+ apache_dontaudit_rw_sys_script_stream_sockets(mta_user_agent)
+ apache_append_log(mta_user_agent)
')
optional_policy(`
arpwatch_manage_tmp_files(system_mail_t)
- ifdef(`hide_broken_symptoms',`
- arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
- ')
+ ifdef(`hide_broken_symptoms', `
+ arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
+ ')
+
')
optional_policy(`
@@ -225,17 +247,21 @@ optional_policy(`
')
optional_policy(`
- clamav_stream_connect(system_mail_t)
- clamav_append_log(system_mail_t)
+ courier_stream_connect_authdaemon(system_mail_t)
')
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
cron_rw_system_job_stream_sockets(system_mail_t)
+ cron_rw_inherited_spool_files(system_mail_t)
+ cron_rw_inherited_user_spool_files(system_mail_t)
')
optional_policy(`
+ courier_manage_spool_dirs(system_mail_t)
+ courier_manage_spool_files(system_mail_t)
+ courier_rw_spool_pipes(system_mail_t)
courier_stream_connect_authdaemon(system_mail_t)
')
@@ -244,9 +270,10 @@ optional_policy(`
')
optional_policy(`
- fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
- fail2ban_append_log(system_mail_t)
- fail2ban_rw_inherited_tmp_files(system_mail_t)
+ fail2ban_append_log(user_mail_domain)
+ fail2ban_dontaudit_leaks(user_mail_domain)
+ fail2ban_rw_inherited_tmp_files(mta_user_agent)
+ fail2ban_rw_inherited_tmp_files(user_mail_domain)
')
optional_policy(`
@@ -258,10 +285,17 @@ optional_policy(`
')
optional_policy(`
+ # newaliases runs as system_mail_t when the sendmail initscript does a restart
milter_getattr_all_sockets(system_mail_t)
')
optional_policy(`
+ munin_dontaudit_leaks(system_mail_t)
+ munin_manage_var_lib_files(system_mail_t)
+')
+
+optional_policy(`
+ nagios_append_spool(system_mail_t)
nagios_read_tmp_files(system_mail_t)
')
@@ -272,12 +306,29 @@ optional_policy(`
manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
+
+ domain_use_interactive_fds(system_mail_t)
+')
+
+optional_policy(`
+ postfix_domtrans_postdrop(system_mail_t)
+')
+
+optional_policy(`
+ qmail_domtrans_inject(system_mail_t)
+ qmail_manage_spool_dirs(system_mail_t)
+ qmail_manage_spool_files(system_mail_t)
+ qmail_rw_spool_pipes(system_mail_t)
')
optional_policy(`
sxid_read_log(system_mail_t)
')
+optional_policy(`
+ systemd_write_inhibit_pipes(system_mail_t)
+')
+
optional_policy(`
userdom_dontaudit_use_user_ptys(system_mail_t)
@@ -287,42 +338,36 @@ optional_policy(`
')
optional_policy(`
- spamassassin_stream_connect_spamd(system_mail_t)
+ spamd_stream_connect(system_mail_t)
')
optional_policy(`
smartmon_read_tmp_files(system_mail_t)
')
-########################################
-#
-# MTA user agent local policy
-#
-
-userdom_use_user_terminals(mta_user_agent)
-
-optional_policy(`
- apache_append_log(mta_user_agent)
-')
+# should break this up among sections:
optional_policy(`
+ # why is mail delivered to a directory of type arpwatch_data_t?
+ arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
- ifdef(`hide_broken_symptoms',`
- arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
- ')
-
optional_policy(`
cron_read_system_job_tmp_files(mta_user_agent)
')
')
+ifdef(`hide_broken_symptoms',`
+ domain_dontaudit_leaks(user_mail_domain)
+ domain_dontaudit_leaks(mta_user_agent)
+')
+
########################################
#
# Mailserver delivery local policy
#
-allow mailserver_delivery self:fifo_file rw_fifo_file_perms;
+allow mailserver_delivery self:fifo_file rw_inherited_fifo_file_perms;
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -331,44 +376,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+userdom_search_admin_dir(mailserver_delivery)
+read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t)
+
manage_dirs_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
-manage_files_pattern(mailserver_delivery, { mail_home_t mail_home_rw_t }, { mail_home_t mail_home_rw_t })
+manage_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
manage_lnk_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".esmtp_queue")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".forward")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".mailrc")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, "dead.letter")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, "Maildir")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, ".maildir")
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mailserver_delivery)
- fs_manage_cifs_files(mailserver_delivery)
- fs_read_cifs_symlinks(mailserver_delivery)
+optional_policy(`
+ dovecot_manage_spool(mailserver_delivery)
+ dovecot_domtrans_deliver(mailserver_delivery)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mailserver_delivery)
- fs_manage_nfs_files(mailserver_delivery)
- fs_read_nfs_symlinks(mailserver_delivery)
+optional_policy(`
+ logwatch_search_cache_dir(mailserver_delivery)
')
optional_policy(`
- arpwatch_search_data(mailserver_delivery)
+ # so MTA can access /var/lib/mailman/mail/wrapper
+ files_search_var_lib(mailserver_delivery)
+
+ mailman_domtrans(mailserver_delivery)
+ mailman_read_data_symlinks(mailserver_delivery)
')
optional_policy(`
- dovecot_manage_spool(mailserver_delivery)
- dovecot_domtrans_deliver(mailserver_delivery)
+ mailman_manage_data_files(mailserver_domain)
+ mailman_domtrans(mailserver_domain)
+ mailman_append_log(mailserver_domain)
+ mailman_read_log(mailserver_domain)
')
optional_policy(`
- files_search_var_lib(mailserver_delivery)
+ mta_filetrans_home_content(mailserver_domain)
+ mta_filetrans_admin_home_content(mailserver_domain)
+ mta_read_home(mailserver_domain)
+ mta_append_home(mailserver_domain)
+')
- mailman_domtrans(mailserver_delivery)
- mailman_read_data_symlinks(mailserver_delivery)
+optional_policy(`
+ pcp_read_lib_files(mailserver_delivery)
')
optional_policy(`
@@ -381,24 +430,49 @@ optional_policy(`
########################################
#
-# User local policy
+# User send mail local policy
#
-manage_files_pattern(user_mail_t, mail_home_t, mail_home_t)
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".esmtp_queue")
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".forward")
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".mailrc")
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, "dead.letter")
+domain_use_interactive_fds(user_mail_t)
+
+userdom_use_inherited_user_terminals(user_mail_t)
+# Write to the user domain tty. cjp: why?
+userdom_use_inherited_user_terminals(mta_user_agent)
+# Create dead.letter in user home directories.
+userdom_manage_user_home_content_files(user_mail_t)
+userdom_filetrans_home_content(user_mail_t)
+# for reading .forward - maybe we need a new type for it?
+# also for delivering mail to maildir
+userdom_manage_user_home_content_dirs(mailserver_delivery)
+userdom_manage_user_home_content_files(mailserver_delivery)
+userdom_manage_user_home_content_symlinks(mailserver_delivery)
+userdom_manage_user_home_content_pipes(mailserver_delivery)
+userdom_manage_user_home_content_sockets(mailserver_delivery)
+allow mailserver_delivery mailserver_delivery:fifo_file rw_inherited_fifo_file_perms;
+
+# Read user temporary files.
+userdom_read_user_tmp_files(user_mail_t)
+userdom_dontaudit_append_user_tmp_files(user_mail_t)
+# cjp: this should probably be read all user tmp
+# files in an appropriate place for mta_user_agent
+userdom_read_user_tmp_files(mta_user_agent)
dev_read_sysfs(user_mail_t)
-userdom_use_user_terminals(user_mail_t)
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(user_mail_t)
+ fs_manage_cifs_symlinks(user_mail_t)
+')
optional_policy(`
- allow user_mail_t self:capability dac_override;
+ allow user_mail_t self:capability {dac_read_search dac_override };
+ # Read user temporary files.
+ # postfix seems to need write access if the file handle is opened read/write
userdom_rw_user_tmp_files(user_mail_t)
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
+
+
diff --git a/munin.fc b/munin.fc
index eb4b72a92..4ea6ce7e2 100644
--- a/munin.fc
+++ b/munin.fc
@@ -1,77 +1,78 @@
-/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0)
-
+/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0)
/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0)
-/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
-
-/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
-
+/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
/usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+# label all plugins as unconfined_munin_plugin_exec_t
/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:unconfined_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+# disk plugins
+/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/df.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+# mail plugins
+/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+# services plugins
+/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/lpstat -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/named -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/ntp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/nut.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/samba -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+# selinux plugins
/usr/share/munin/plugins/selinux_avcstat -- gen_context(system_u:object_r:selinux_munin_plugin_exec_t,s0)
+# system plugins
/usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/forks -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/if_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/unbound -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
+/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
/var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0)
-
-/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
-
-/var/run/munin.* gen_context(system_u:object_r:munin_var_run_t,s0)
-
-/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
-/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
+/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:munin_content_t,s0)
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:munin_script_exec_t,s0)
+/var/www/html/cgi/munin.* gen_context(system_u:object_r:munin_script_exec_t,s0)
+/var/www/cgi-bin/munin.* gen_context(system_u:object_r:munin_script_exec_t,s0)
diff --git a/munin.if b/munin.if
index b744fe35e..cb0e2af61 100644
--- a/munin.if
+++ b/munin.if
@@ -1,12 +1,13 @@
-## Munin network-wide load graphing.
+## Munin network-wide load graphing (formerly LRRD)
-#######################################
+########################################
##
-## The template to define a munin plugin domain.
+## Create a set of derived types for various
+## munin plugins,
##
-##
+##
##
-## Domain prefix to be used.
+## The name to be used for deriving type names.
##
##
#
@@ -14,12 +15,8 @@ template(`munin_plugin_template',`
gen_require(`
attribute munin_plugin_domain, munin_plugin_tmp_content;
type munin_t;
- ')
- ########################################
- #
- # Declarations
- #
+ ')
type $1_munin_plugin_t, munin_plugin_domain;
type $1_munin_plugin_exec_t;
@@ -33,15 +30,22 @@ template(`munin_plugin_template',`
files_tmp_file($1_munin_plugin_tmp_t)
########################################
- #
- # Policy
- #
+ #
+ # Policy
+ #
+ # automatic transition rules from munin domain
+ # to specific munin plugin domain
domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file })
+
+ kernel_read_system_state($1_munin_plugin_t)
+
+ corenet_all_recvfrom_unlabeled($1_munin_plugin_t)
+ corenet_all_recvfrom_netlabel($1_munin_plugin_t)
')
########################################
@@ -66,7 +70,7 @@ interface(`munin_stream_connect',`
#######################################
##
-## Read munin configuration content.
+## Read munin configuration files.
##
##
##
@@ -80,15 +84,92 @@ interface(`munin_read_config',`
type munin_etc_t;
')
- files_search_etc($1)
allow $1 munin_etc_t:dir list_dir_perms;
allow $1 munin_etc_t:file read_file_perms;
allow $1 munin_etc_t:lnk_file read_lnk_file_perms;
+ files_search_etc($1)
+')
+
+#######################################
+##
+## Read munin library files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`munin_read_var_lib_files',`
+ gen_require(`
+ type munin_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
+
+')
+
+#######################################
+##
+## Manage munin library files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`munin_manage_var_lib_files',`
+ gen_require(`
+ type munin_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
+')
+
+#######################################
+##
+## Append munin library files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`munin_append_var_lib_files',`
+ gen_require(`
+ type munin_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ append_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
+
+')
+
+######################################
+##
+## dontaudit read and write an leaked file descriptors
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`munin_dontaudit_leaks',`
+ gen_require(`
+ type munin_t;
+ ')
+
+ dontaudit $1 munin_t:tcp_socket { read write };
')
#######################################
##
-## Append munin log files.
+## Append to the munin log.
##
##
##
@@ -147,8 +228,8 @@ interface(`munin_dontaudit_search_lib',`
########################################
##
-## All of the rules required to
-## administrate an munin environment.
+## All of the rules required to administrate
+## an munin environment
##
##
##
@@ -157,7 +238,7 @@ interface(`munin_dontaudit_search_lib',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the munin domain.
##
##
##
@@ -167,11 +248,15 @@ interface(`munin_admin',`
attribute munin_plugin_domain, munin_plugin_tmp_content;
type munin_t, munin_etc_t, munin_tmp_t;
type munin_log_t, munin_var_lib_t, munin_var_run_t;
- type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
+ type munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
')
- allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { munin_plugin_domain munin_t })
+ allow $1 munin_t:process signal_perms;
+ ps_process_pattern($1, munin_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 munin_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
@@ -193,5 +278,5 @@ interface(`munin_admin',`
files_list_pids($1)
admin_pattern($1, munin_var_run_t)
- admin_pattern($1, httpd_munin_content_t)
+ admin_pattern($1, munin_content_t)
')
diff --git a/munin.te b/munin.te
index b70870816..7d87f0a80 100644
--- a/munin.te
+++ b/munin.te
@@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
munin_plugin_template(system)
munin_plugin_template(unconfined)
+type munin_script_tmp_t alias httpd_munin_script_tmp_t;
+files_tmp_file(munin_script_tmp_t)
+
################################
#
# Common munin plugin local policy
#
-allow munin_plugin_domain self:process signal;
+allow munin_plugin_domain self:process signal_perms;
allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
+allow munin_plugin_domain munin_unconfined_plugin_exec_t:file read_file_perms;
+
allow munin_plugin_domain munin_exec_t:file read_file_perms;
allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
-kernel_read_system_state(munin_plugin_domain)
-
-corenet_all_recvfrom_unlabeled(munin_plugin_domain)
-corenet_all_recvfrom_netlabel(munin_plugin_domain)
corenet_tcp_sendrecv_generic_if(munin_plugin_domain)
corenet_tcp_sendrecv_generic_node(munin_plugin_domain)
corecmd_exec_bin(munin_plugin_domain)
corecmd_exec_shell(munin_plugin_domain)
-files_read_etc_files(munin_plugin_domain)
-files_read_usr_files(munin_plugin_domain)
files_search_var_lib(munin_plugin_domain)
fs_getattr_all_fs(munin_plugin_domain)
-miscfiles_read_localization(munin_plugin_domain)
+auth_read_passwd(munin_plugin_domain)
optional_policy(`
nscd_use(munin_plugin_domain)
@@ -89,7 +88,7 @@ optional_policy(`
# Local policy
#
-allow munin_t self:capability { chown dac_override kill setgid setuid sys_rawio };
+allow munin_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_rawio };
dontaudit munin_t self:capability sys_tty_config;
allow munin_t self:process { getsched setsched signal_perms };
allow munin_t self:unix_stream_socket { accept connectto listen };
@@ -118,7 +117,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
-read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
+rw_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
@@ -134,7 +133,6 @@ kernel_read_all_sysctls(munin_t)
corecmd_exec_bin(munin_t)
corecmd_exec_shell(munin_t)
-corenet_all_recvfrom_unlabeled(munin_t)
corenet_all_recvfrom_netlabel(munin_t)
corenet_tcp_sendrecv_generic_if(munin_t)
corenet_tcp_sendrecv_generic_node(munin_t)
@@ -157,7 +155,6 @@ domain_use_interactive_fds(munin_t)
domain_read_all_domains_state(munin_t)
files_read_etc_runtime_files(munin_t)
-files_read_usr_files(munin_t)
files_list_spool(munin_t)
fs_getattr_all_fs(munin_t)
@@ -169,7 +166,6 @@ logging_send_syslog_msg(munin_t)
logging_read_all_logs(munin_t)
miscfiles_read_fonts(munin_t)
-miscfiles_read_localization(munin_t)
miscfiles_setattr_fonts_cache_dirs(munin_t)
sysnet_exec_ifconfig(munin_t)
@@ -177,13 +173,6 @@ sysnet_exec_ifconfig(munin_t)
userdom_dontaudit_use_unpriv_user_fds(munin_t)
userdom_dontaudit_search_user_home_dirs(munin_t)
-optional_policy(`
- apache_content_template(munin)
-
- manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
- manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
- apache_search_sys_content(munin_t)
-')
optional_policy(`
cron_system_entry(munin_t, munin_exec_t)
@@ -217,7 +206,6 @@ optional_policy(`
optional_policy(`
postfix_list_spool(munin_t)
- postfix_getattr_all_spool_files(munin_t)
')
optional_policy(`
@@ -246,21 +234,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+kernel_read_fs_sysctls(disk_munin_plugin_t)
+
corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t)
corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t)
-dev_getattr_all_blk_files(disk_munin_plugin_t)
+files_read_etc_runtime_files(disk_munin_plugin_t)
+
dev_getattr_lvm_control(disk_munin_plugin_t)
dev_read_sysfs(disk_munin_plugin_t)
dev_read_urand(disk_munin_plugin_t)
-
-files_read_etc_runtime_files(disk_munin_plugin_t)
+dev_read_all_blk_files(disk_munin_plugin_t)
fs_getattr_all_fs(disk_munin_plugin_t)
fs_getattr_all_dirs(disk_munin_plugin_t)
-storage_getattr_fixed_disk_dev(disk_munin_plugin_t)
+storage_raw_read_fixed_disk(disk_munin_plugin_t)
sysnet_read_config(disk_munin_plugin_t)
@@ -272,34 +262,50 @@ optional_policy(`
fstools_exec(disk_munin_plugin_t)
')
+optional_policy(`
+ rpc_search_nfs_state_data(disk_munin_plugin_t)
+')
+
####################################
#
# Mail local policy
#
-allow mail_munin_plugin_t self:capability dac_override;
+allow mail_munin_plugin_t self:capability { dac_read_search dac_override };
+
+allow mail_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+allow mail_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow mail_munin_plugin_t self:udp_socket create_socket_perms;
rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+kernel_read_net_sysctls(mail_munin_plugin_t)
+
dev_read_urand(mail_munin_plugin_t)
logging_read_generic_logs(mail_munin_plugin_t)
+sysnet_read_config(mail_munin_plugin_t)
+
+optional_policy(`
+ exim_read_log(mail_munin_plugin_t)
+')
+
optional_policy(`
- mta_list_queue(mail_munin_plugin_t)
mta_read_config(mail_munin_plugin_t)
- mta_read_queue(mail_munin_plugin_t)
mta_send_mail(mail_munin_plugin_t)
+ mta_list_queue(mail_munin_plugin_t)
+ mta_read_queue(mail_munin_plugin_t)
')
optional_policy(`
- nscd_use(mail_munin_plugin_t)
+ nscd_socket_use(mail_munin_plugin_t)
')
optional_policy(`
- postfix_getattr_all_spool_files(mail_munin_plugin_t)
postfix_read_config(mail_munin_plugin_t)
postfix_list_spool(mail_munin_plugin_t)
+ postfix_getattr_spool_files(mail_munin_plugin_t)
')
optional_policy(`
@@ -339,7 +345,7 @@ dev_read_rand(services_munin_plugin_t)
sysnet_read_config(services_munin_plugin_t)
optional_policy(`
- bind_read_config(munin_services_plugin_t)
+ bind_read_config(services_munin_plugin_t)
')
optional_policy(`
@@ -347,6 +353,10 @@ optional_policy(`
cups_stream_connect(services_munin_plugin_t)
')
+optional_policy(`
+ fail2ban_domtrans_client(services_munin_plugin_t)
+')
+
optional_policy(`
lpd_exec_lpr(services_munin_plugin_t)
')
@@ -361,7 +371,11 @@ optional_policy(`
')
optional_policy(`
- nscd_use(services_munin_plugin_t)
+ nscd_socket_use(services_munin_plugin_t)
+')
+
+optional_policy(`
+ ntp_exec(services_munin_plugin_t)
')
optional_policy(`
@@ -393,6 +407,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
kernel_read_network_state(system_munin_plugin_t)
kernel_read_all_sysctls(system_munin_plugin_t)
+kernel_read_fs_sysctls(system_munin_plugin_t)
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
@@ -421,3 +436,33 @@ optional_policy(`
optional_policy(`
unconfined_domain(unconfined_munin_plugin_t)
')
+
+
+#######################################
+#
+# Munin CGI script local policy
+#
+
+apache_content_template(munin)
+apache_content_alias_template(munin, munin)
+
+manage_dirs_pattern(munin_t, munin_content_t, munin_content_t)
+manage_files_pattern(munin_t, munin_content_t, munin_content_t)
+
+manage_dirs_pattern(munin_script_t, munin_script_tmp_t, munin_script_tmp_t)
+manage_files_pattern(munin_script_t, munin_script_tmp_t,munin_script_tmp_t)
+files_tmp_filetrans(munin_script_t, munin_script_tmp_t, { dir file })
+
+read_files_pattern(munin_script_t, munin_var_lib_t, munin_var_lib_t)
+list_dirs_pattern(munin_script_t, munin_etc_t, munin_etc_t)
+read_files_pattern(munin_script_t, munin_etc_t, munin_etc_t)
+
+manage_files_pattern(munin_script_t, munin_log_t, munin_log_t)
+
+files_search_var_lib(munin_script_t)
+
+auth_read_passwd(munin_script_t)
+
+optional_policy(`
+ apache_search_sys_content(munin_t)
+')
diff --git a/mysql.fc b/mysql.fc
index 06f8666df..3932ae105 100644
--- a/mysql.fc
+++ b/mysql.fc
@@ -1,27 +1,46 @@
-HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
-
-/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
-/etc/my\.cnf\.d(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
-/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
-
-/etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
-
+# mysql database server
+
+#
+# /HOME
+#
+HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
+/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
+
+/usr/lib/systemd/system/mysqld.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0)
+/usr/lib/systemd/system/mariadb.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0)
+
+#
+# /etc
+#
+/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/my\.cnf\.d(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
+
+#
+# /usr
+#
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/libexec/mysqld_safe-scl-helper -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
+
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
-/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
-/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
-/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
+#
+# /var
+#
+/var/lib/mysql(-files|-keyring)?(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
+/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
-/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0)
-/var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
-/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
+/var/run/mariadb(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
+/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
+/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
diff --git a/mysql.if b/mysql.if
index 687af38bb..5381f1b39 100644
--- a/mysql.if
+++ b/mysql.if
@@ -1,23 +1,4 @@
-## Open source database.
-
-########################################
-##
-## Role access for mysql.
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-##
-## User domain for the role.
-##
-##
-#
-interface(`mysql_role',`
- refpolicywarn(`$0($*) has been deprecated')
-')
+## Policy for MySQL
######################################
##
@@ -34,38 +15,30 @@ interface(`mysql_domtrans',`
type mysqld_t, mysqld_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, mysqld_exec_t, mysqld_t)
')
-########################################
+######################################
##
-## Execute mysqld in the mysqld domain, and
-## allow the specified role the mysqld domain.
+## Execute MySQL in the caller domain.
##
##
##
-## Domain allowed to transition.
-##
-##
-##
-##
-## Role allowed access.
+## Domain allowed access.
##
##
#
-interface(`mysql_run_mysqld',`
+interface(`mysql_exec',`
gen_require(`
- attribute_role mysqld_roles;
+ type mysqld_exec_t;
')
- mysql_domtrans($1)
- roleattribute $2 mysqld_roles;
+ can_exec($1, mysqld_exec_t)
')
########################################
##
-## Send generic signals to mysqld.
+## Send a generic signal to MySQL.
##
##
##
@@ -81,9 +54,27 @@ interface(`mysql_signal',`
allow $1 mysqld_t:process signal;
')
+#######################################
+##
+## Send a null signal to mysql.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mysql_signull',`
+ gen_require(`
+ type mysqld_t;
+ ')
+
+ allow $1 mysqld_t:process signull;
+')
+
########################################
##
-## Connect to mysqld with a tcp socket.
+## Allow the specified domain to connect to postgresql with a tcp socket.
##
##
##
@@ -104,8 +95,7 @@ interface(`mysql_tcp_connect',`
########################################
##
-## Connect to mysqld with a unix
-# domain stream socket.
+## Connect to MySQL using a unix domain stream socket.
##
##
##
@@ -120,12 +110,13 @@ interface(`mysql_stream_connect',`
')
files_search_pids($1)
- stream_connect_pattern($1, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t)
+ stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
+ stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
')
########################################
##
-## Read mysqld configuration content.
+## Read MySQL configuration files.
##
##
##
@@ -139,7 +130,6 @@ interface(`mysql_read_config',`
type mysqld_etc_t;
')
- files_search_etc($1)
allow $1 mysqld_etc_t:dir list_dir_perms;
allow $1 mysqld_etc_t:file read_file_perms;
allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms;
@@ -147,7 +137,8 @@ interface(`mysql_read_config',`
########################################
##
-## Search mysqld db directories.
+## Search the directories that contain MySQL
+## database storage.
##
##
##
@@ -155,6 +146,8 @@ interface(`mysql_read_config',`
##
##
#
+# cjp: "_dir" in the name is added to clarify that this
+# is not searching the database itself.
interface(`mysql_search_db',`
gen_require(`
type mysqld_db_t;
@@ -166,7 +159,27 @@ interface(`mysql_search_db',`
########################################
##
-## Read and write mysqld database directories.
+## List the directories that contain MySQL
+## database storage.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mysql_list_db',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Read and write to the MySQL database directory.
##
##
##
@@ -185,8 +198,7 @@ interface(`mysql_rw_db_dirs',`
########################################
##
-## Create, read, write, and delete
-## mysqld database directories.
+## Create, read, write, and delete MySQL database directories.
##
##
##
@@ -205,7 +217,7 @@ interface(`mysql_manage_db_dirs',`
#######################################
##
-## Append mysqld database files.
+## Append to the MySQL database directory.
##
##
##
@@ -221,10 +233,28 @@ interface(`mysql_append_db_files',`
files_search_var_lib($1)
append_files_pattern($1, mysqld_db_t, mysqld_db_t)
')
+#######################################
+##
+## Read and write to the MySQL database directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mysql_read_db_lnk_files',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ read_lnk_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
#######################################
##
-## Read and write mysqld database files.
+## Read and write to the MySQL database directory.
##
##
##
@@ -243,8 +273,7 @@ interface(`mysql_rw_db_files',`
#######################################
##
-## Create, read, write, and delete
-## mysqld database files.
+## Create, read, write, and delete MySQL database files.
##
##
##
@@ -263,7 +292,7 @@ interface(`mysql_manage_db_files',`
########################################
##
-## Read and write mysqld database sockets.
+## Read and write to the MySQL database
## named socket.
##
##
@@ -273,13 +302,18 @@ interface(`mysql_manage_db_files',`
##
#
interface(`mysql_rw_db_sockets',`
- refpolicywarn(`$0($*) has been deprecated.')
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir search_dir_perms;
+ allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
')
########################################
##
-## Create, read, write, and delete
-## mysqld home files.
+## Write to the MySQL log.
##
##
##
@@ -287,86 +321,92 @@ interface(`mysql_rw_db_sockets',`
##
##
#
-interface(`mysql_manage_mysqld_home_files',`
+interface(`mysql_write_log',`
gen_require(`
- type mysqld_home_t;
+ type mysqld_log_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 mysqld_home_t:file manage_file_perms;
+ logging_search_logs($1)
+ allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms };
')
-########################################
+######################################
##
-## Relabel mysqld home files.
+## Execute MySQL safe script in the mysql safe domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
#
-interface(`mysql_relabel_mysqld_home_files',`
+interface(`mysql_domtrans_mysql_safe',`
gen_require(`
- type mysqld_home_t;
+ type mysqld_safe_t, mysqld_safe_exec_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 mysqld_home_t:file relabel_file_perms;
+ domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
')
-########################################
+######################################
##
-## Create objects in user home
-## directories with the mysqld home type.
+## Execute MySQL_safe in the caller domain.
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Class of the object being created.
-##
-##
-##
+#
+interface(`mysql_safe_exec',`
+ gen_require(`
+ type mysqld_safe_exec_t;
+ ')
+
+ can_exec($1, mysqld_safe_exec_t)
+')
+
+#####################################
+##
+## Read MySQL PID files.
+##
+##
##
-## The name of the object being created.
+## Domain allowed access.
##
##
#
-interface(`mysql_home_filetrans_mysqld_home',`
+interface(`mysql_read_pid_files',`
gen_require(`
- type mysqld_home_t;
+ type mysqld_var_run_t;
')
- userdom_user_home_dir_filetrans($1, mysqld_home_t, $2, $3)
+ mysql_search_pid_files($1)
+ read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
')
-########################################
+#####################################
##
-## Write mysqld log files.
+## Search MySQL PID files.
##
##
##
## Domain allowed access.
##
##
+##
#
-interface(`mysql_write_log',`
+interface(`mysql_search_pid_files',`
gen_require(`
- type mysqld_log_t;
+ type mysqld_var_run_t;
')
- logging_search_logs($1)
- allow $1 mysqld_log_t:file write_file_perms;
+ search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
')
-######################################
+########################################
##
-## Execute mysqld safe in the
-## mysqld safe domain.
+## Execute mysqld server in the mysqld domain.
##
##
##
@@ -374,18 +414,23 @@ interface(`mysql_write_log',`
##
##
#
-interface(`mysql_domtrans_mysql_safe',`
+interface(`mysql_systemctl',`
gen_require(`
- type mysqld_safe_t, mysqld_safe_exec_t;
+ type mysqld_unit_file_t;
+ type mysqld_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 mysqld_unit_file_t:file read_file_perms;
+ allow $1 mysqld_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, mysqld_t)
')
-#####################################
+########################################
##
-## Read mysqld pid files.
+## read mysqld homedir content (.k5login)
##
##
##
@@ -393,39 +438,37 @@ interface(`mysql_domtrans_mysql_safe',`
##
##
#
-interface(`mysql_read_pid_files',`
+interface(`mysql_read_home_content',`
gen_require(`
- type mysqld_var_run_t;
+ type mysqld_home_t;
')
- files_search_pids($1)
- read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, mysqld_home_t, mysqld_home_t)
')
-#####################################
+########################################
##
-## Search mysqld pid files.
+## Transition to mysqld named content
##
##
##
-## Domain allowed access.
+## Domain allowed access.
##
##
-##
#
-interface(`mysql_search_pid_files',`
+interface(`mysql_filetrans_named_content',`
gen_require(`
- type mysqld_var_run_t;
+ type mysqld_home_t;
')
- files_search_pids($1)
- search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+ userdom_admin_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
+ userdom_user_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
')
########################################
##
-## All of the rules required to
-## administrate an mysqld environment.
+## All of the rules required to administrate an mysql environment
##
##
##
@@ -434,41 +477,52 @@ interface(`mysql_search_pid_files',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the mysql domain.
##
##
##
#
interface(`mysql_admin',`
gen_require(`
- type mysqld_t, mysqld_var_run_t, mysqld_etc_t;
+ type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t;
type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
- type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t;
- type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t, mysqld_home_t;
+ type mysqld_etc_t;
+ type mysqld_home_t;
+ type mysqld_unit_file_t;
')
- allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t })
+ allow $1 mysqld_t:process signal_perms;
+ ps_process_pattern($1, mysqld_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mysqld_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t })
+ init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
domain_system_change_exemption($1)
- role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r;
+ role_transition $2 mysqld_initrc_exec_t system_r;
allow $2 system_r;
- files_search_pids($1)
- admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t })
+ files_list_pids($1)
+ admin_pattern($1, mysqld_var_run_t)
- files_search_var_lib($1)
admin_pattern($1, mysqld_db_t)
- files_search_etc($1)
- admin_pattern($1, { mysqld_etc_t mysqld_home_t })
+ files_list_etc($1)
+ admin_pattern($1, mysqld_etc_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, mysqld_log_t)
- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, mysqld_tmp_t)
- mysql_run_mysqld($1, $2)
+ userdom_search_user_home_dirs($1)
+ files_list_root($1)
+ admin_pattern($1, mysqld_home_t)
+
+ mysql_systemctl($1)
+ admin_pattern($1, mysqld_unit_file_t)
+ allow $1 mysqld_unit_file_t:service all_service_perms;
+
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
index 7584bbe7c..b02e50d45 100644
--- a/mysql.te
+++ b/mysql.te
@@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1)
#
##
-##
-## Determine whether mysqld can
-## connect to all TCP ports.
-##
+##
+## Allow mysqld to connect to all ports
+##
##
gen_tunable(mysql_connect_any, false)
-attribute_role mysqld_roles;
-
type mysqld_t;
type mysqld_exec_t;
init_daemon_domain(mysqld_t, mysqld_exec_t)
-application_domain(mysqld_t, mysqld_exec_t)
-role mysqld_roles types mysqld_t;
type mysqld_safe_t;
type mysqld_safe_exec_t;
@@ -27,7 +22,6 @@ init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t)
type mysqld_var_run_t;
files_pid_file(mysqld_var_run_t)
-init_daemon_run_dir(mysqld_var_run_t, "mysqld")
type mysqld_db_t;
files_type(mysqld_db_t)
@@ -38,6 +32,9 @@ files_config_file(mysqld_etc_t)
type mysqld_home_t;
userdom_user_home_content(mysqld_home_t)
+type mysqld_unit_file_t;
+systemd_unit_file(mysqld_unit_file_t)
+
type mysqld_initrc_exec_t;
init_script_file(mysqld_initrc_exec_t)
@@ -62,89 +59,108 @@ files_pid_file(mysqlmanagerd_var_run_t)
# Local policy
#
-allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource };
+allow mysqld_t self:capability { dac_read_search dac_override ipc_lock setgid setuid sys_nice sys_resource net_bind_service };
dontaudit mysqld_t self:capability sys_tty_config;
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
allow mysqld_t self:fifo_file rw_fifo_file_perms;
allow mysqld_t self:shm create_shm_perms;
-allow mysqld_t self:unix_stream_socket { accept listen };
-allow mysqld_t self:tcp_socket { accept listen };
+allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
+allow mysqld_t self:tcp_socket create_stream_socket_perms;
+allow mysqld_t self:udp_socket create_socket_perms;
manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
+allow mysqld_t mysqld_db_t:file map;
-filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
-
-allow mysqld_t mysqld_etc_t:dir list_dir_perms;
-allow mysqld_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
+allow mysqld_t mysqld_etc_t:file read_file_perms;
allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+allow mysqld_t mysqld_etc_t:dir list_dir_perms;
manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
manage_lnk_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
+manage_fifo_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
+allow mysqld_t mysqld_tmp_t:file map;
manage_dirs_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
-kernel_read_kernel_sysctls(mysqld_t)
+userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+
kernel_read_network_state(mysqld_t)
kernel_read_system_state(mysqld_t)
+kernel_read_kernel_sysctls(mysqld_t)
+
+corecmd_exec_bin(mysqld_t)
+corecmd_exec_shell(mysqld_t)
-corenet_all_recvfrom_unlabeled(mysqld_t)
corenet_all_recvfrom_netlabel(mysqld_t)
corenet_tcp_sendrecv_generic_if(mysqld_t)
+corenet_udp_sendrecv_generic_if(mysqld_t)
corenet_tcp_sendrecv_generic_node(mysqld_t)
+corenet_udp_sendrecv_generic_node(mysqld_t)
+corenet_tcp_sendrecv_all_ports(mysqld_t)
+corenet_udp_sendrecv_all_ports(mysqld_t)
corenet_tcp_bind_generic_node(mysqld_t)
-
-corenet_sendrecv_mysqld_server_packets(mysqld_t)
corenet_tcp_bind_mysqld_port(mysqld_t)
-corenet_sendrecv_mysqld_client_packets(mysqld_t)
+corenet_tcp_bind_tram_port(mysqld_t)
corenet_tcp_connect_mysqld_port(mysqld_t)
-corenet_tcp_sendrecv_mysqld_port(mysqld_t)
+corenet_tcp_connect_tram_port(mysqld_t)
+corenet_sendrecv_mysqld_client_packets(mysqld_t)
+corenet_sendrecv_mysqld_server_packets(mysqld_t)
-corecmd_exec_bin(mysqld_t)
-corecmd_exec_shell(mysqld_t)
+can_exec(mysqld_t, mysqld_exec_t)
dev_read_sysfs(mysqld_t)
dev_read_urand(mysqld_t)
-domain_use_interactive_fds(mysqld_t)
-
fs_getattr_all_fs(mysqld_t)
fs_search_auto_mountpoints(mysqld_t)
fs_rw_hugetlbfs_files(mysqld_t)
+domain_use_interactive_fds(mysqld_t)
+domain_read_all_domains_state(mysqld_t)
+
+files_getattr_var_lib_dirs(mysqld_t)
files_read_etc_runtime_files(mysqld_t)
-files_read_usr_files(mysqld_t)
+files_search_var_lib(mysqld_t)
+files_search_pids(mysqld_t)
+files_getattr_all_sockets(mysqld_t)
-auth_use_nsswitch(mysqld_t)
+auth_use_pam(mysqld_t)
logging_send_syslog_msg(mysqld_t)
-miscfiles_read_localization(mysqld_t)
+sysnet_read_config(mysqld_t)
+sysnet_exec_ifconfig(mysqld_t)
-userdom_search_user_home_dirs(mysqld_t)
-userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+ifdef(`distro_redhat',`
+ filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
+')
tunable_policy(`mysql_connect_any',`
- corenet_sendrecv_all_client_packets(mysqld_t)
corenet_tcp_connect_all_ports(mysqld_t)
- corenet_tcp_sendrecv_all_ports(mysqld_t)
+ corenet_sendrecv_all_client_packets(mysqld_t)
')
optional_policy(`
daemontools_service_domain(mysqld_t, mysqld_exec_t)
')
+optional_policy(`
+ openshift_search_lib(mysqld_t)
+')
+
optional_policy(`
seutil_sigchld_newrole(mysqld_t)
')
@@ -155,21 +171,20 @@ optional_policy(`
#######################################
#
-# Safe local policy
+# Local mysqld_safe policy
#
-allow mysqld_safe_t self:capability { chown dac_override fowner kill };
+allow mysqld_safe_t self:capability { chown dac_read_search dac_override setgid setuid fowner kill sys_nice sys_resource };
+dontaudit mysqld_safe_t self:capability sys_ptrace;
allow mysqld_safe_t self:process { setsched getsched setrlimit };
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
-allow mysqld_safe_t mysqld_t:process signull;
+allow mysqld_safe_t mysqld_t:process { rlimitinh noatsecure };
read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
+delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-allow mysqld_safe_t mysqld_etc_t:dir list_dir_perms;
-allow mysqld_safe_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
-allow mysqld_safe_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
@@ -177,31 +192,39 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
-delete_sock_files_pattern(mysqld_safe_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t)
-
-domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
+delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
+can_exec(mysqld_safe_t, mysqld_safe_exec_t)
+
corecmd_exec_bin(mysqld_safe_t)
corecmd_exec_shell(mysqld_safe_t)
+dev_read_urand(mysqld_safe_t)
dev_list_sysfs(mysqld_safe_t)
domain_read_all_domains_state(mysqld_safe_t)
-files_read_etc_files(mysqld_safe_t)
-files_read_usr_files(mysqld_safe_t)
-files_search_pids(mysqld_safe_t)
-files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+files_dontaudit_access_check_root(mysqld_safe_t)
files_dontaudit_search_all_mountpoints(mysqld_safe_t)
+files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+files_write_root_dirs(mysqld_safe_t)
+
+logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
logging_send_syslog_msg(mysqld_safe_t)
-miscfiles_read_localization(mysqld_safe_t)
+auth_use_nsswitch(mysqld_safe_t)
+
+domain_dontaudit_signull_all_domains(mysqld_safe_t)
-userdom_search_user_home_dirs(mysqld_safe_t)
+mysql_manage_db_files(mysqld_safe_t)
+mysql_read_config(mysqld_safe_t)
+mysql_search_pid_files(mysqld_safe_t)
+mysql_signull(mysqld_safe_t)
+mysql_write_log(mysqld_safe_t)
optional_policy(`
hostname_exec(mysqld_safe_t)
@@ -209,20 +232,21 @@ optional_policy(`
########################################
#
-# Manager local policy
+# MySQL Manager Policy
#
-allow mysqlmanagerd_t self:capability { dac_override kill };
+allow mysqlmanagerd_t self:capability { dac_read_search dac_override kill };
allow mysqlmanagerd_t self:process signal;
allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
-allow mysqlmanagerd_t mysqld_t:process signal;
-
-allow mysqlmanagerd_t mysqld_etc_t:dir list_dir_perms;
-allow mysqlmanagerd_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
-allow mysqlmanagerd_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+mysql_read_config(initrc_t)
+mysql_read_config(mysqlmanagerd_t)
+mysql_read_pid_files(mysqlmanagerd_t)
+mysql_search_db(mysqlmanagerd_t)
+mysql_signal(mysqlmanagerd_t)
+mysql_stream_connect(mysqlmanagerd_t)
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
@@ -230,31 +254,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
-stream_connect_pattern(mysqlmanagerd_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t)
-
kernel_read_system_state(mysqlmanagerd_t)
corecmd_exec_shell(mysqlmanagerd_t)
-corenet_all_recvfrom_unlabeled(mysqlmanagerd_t)
corenet_all_recvfrom_netlabel(mysqlmanagerd_t)
corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t)
corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t)
+corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t)
corenet_tcp_bind_generic_node(mysqlmanagerd_t)
-
-corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t)
corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t)
-corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)
corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t)
-corenet_tcp_sendrecv_mysqlmanagerd_port(mysqlmanagerd_t)
+corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t)
+corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)
dev_read_urand(mysqlmanagerd_t)
-files_read_etc_files(mysqlmanagerd_t)
-files_read_usr_files(mysqlmanagerd_t)
-files_search_pids(mysqlmanagerd_t)
-files_search_var_lib(mysqlmanagerd_t)
-
-miscfiles_read_localization(mysqlmanagerd_t)
-
-userdom_search_user_home_dirs(mysqlmanagerd_t)
+userdom_getattr_user_home_dirs(mysqlmanagerd_t)
diff --git a/mythtv.fc b/mythtv.fc
new file mode 100644
index 000000000..d62cf886e
--- /dev/null
+++ b/mythtv.fc
@@ -0,0 +1,9 @@
+/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:mythtv_script_exec_t,s0)
+
+/var/lib/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_lib_t,s0)
+
+/var/log/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_log_t,s0)
+
+/usr/share/mythtv(/.*)? gen_context(system_u:object_r:mythtv_content_t,s0)
+/usr/share/mythweb(/.*)? gen_context(system_u:object_r:mythtv_content_t,s0)
+/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:mythtv_script_exec_t,s0)
diff --git a/mythtv.if b/mythtv.if
new file mode 100644
index 000000000..e2403dd50
--- /dev/null
+++ b/mythtv.if
@@ -0,0 +1,152 @@
+
+## policy for mythtv_script
+
+########################################
+##
+## Execute TEMPLATE in the mythtv_script domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mythtv_script_domtrans',`
+ gen_require(`
+ type mythtv_script_t, mythtv_script_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mythtv_script_exec_t, mythtv_script_t)
+')
+
+#######################################
+##
+## read mythtv libs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mythtv_read_lib',`
+ gen_require(`
+ type mythtv_var_lib_t;
+ ')
+
+ read_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
+ files_list_var_lib($1)
+')
+
+#######################################
+##
+## Create, read, write, and delete
+## mythtv lib content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mythtv_manage_lib',`
+ gen_require(`
+ type mythtv_var_lib_t;
+ ')
+
+ manage_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
+ manage_lnk_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
+ files_list_var_lib($1)
+')
+
+#######################################
+##
+## read mythtv logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mythtv_read_log',`
+ gen_require(`
+ type mythtv_var_log_t;
+ ')
+
+ read_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+ logging_search_logs($1)
+')
+
+#######################################
+##
+## Append mythtv log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mythtv_append_log',`
+ gen_require(`
+ type mythtv_var_log_t;
+ ')
+
+ append_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+ logging_search_logs($1)
+')
+
+#######################################
+##
+## Create, read, write, and delete
+## mythtv log content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mythtv_manage_log',`
+ gen_require(`
+ type mythtv_var_log_t;
+ ')
+
+ manage_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+ manage_lnk_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+##
+## All of the rules required to
+## administrate an mythtv environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mythtv_admin',`
+ gen_require(`
+ type mythtv_script_t, mythtv_var_lib_t;
+ type mythtv_var_log_t;
+ ')
+
+ allow $1 mythtv_script_t:process signal_perms;
+ ps_process_pattern($1, mythtv_script_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mythtv_script_t:process ptrace;
+ ')
+
+ logging_list_logs($1)
+ admin_pattern($1, mythtv_var_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, mythtv_var_lib_t)
+')
diff --git a/mythtv.te b/mythtv.te
new file mode 100644
index 000000000..0e585e3c5
--- /dev/null
+++ b/mythtv.te
@@ -0,0 +1,47 @@
+policy_module(mythtv, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(mythtv)
+apache_content_alias_template(mythtv, mythtv)
+
+type mythtv_var_lib_t;
+files_type(mythtv_var_lib_t)
+
+type mythtv_var_log_t;
+logging_log_file(mythtv_var_log_t)
+
+########################################
+#
+# mythtv_script local policy
+#
+#============= httpd_mythtv_script_t ==============
+allow httpd_mythtv_script_t self:process setpgid;
+dev_list_sysfs(httpd_mythtv_script_t)
+
+manage_files_pattern(mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
+manage_dirs_pattern(mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
+files_var_lib_filetrans(mythtv_script_t, mythtv_var_lib_t, { dir file })
+
+manage_files_pattern(mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
+manage_dirs_pattern(mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
+logging_log_filetrans(mythtv_script_t, mythtv_var_log_t, file )
+
+domain_use_interactive_fds(mythtv_script_t)
+
+files_read_etc_files(mythtv_script_t)
+
+fs_read_nfs_files(mythtv_script_t)
+
+auth_read_passwd(httpd_mythtv_script_t)
+
+miscfiles_read_localization(httpd_mythtv_script_t)
+
+optional_policy(`
+ mysql_read_config(mythtv_script_t)
+ mysql_stream_connect(mythtv_script_t)
+ mysql_tcp_connect(mythtv_script_t)
+')
diff --git a/naemon.fc b/naemon.fc
new file mode 100644
index 000000000..85407d337
--- /dev/null
+++ b/naemon.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/naemon -- gen_context(system_u:object_r:naemon_initrc_exec_t,s0)
+
+/usr/bin/naemon -- gen_context(system_u:object_r:naemon_exec_t,s0)
+
+/var/cache/naemon(/.*)? gen_context(system_u:object_r:naemon_cache_t,s0)
+
+/var/lib/naemon(/.*)? gen_context(system_u:object_r:naemon_var_lib_t,s0)
+
+/var/log/naemon(/.*)? gen_context(system_u:object_r:naemon_log_t,s0)
+
+/var/run/naemon(/.*)? gen_context(system_u:object_r:naemon_var_run_t,s0)
diff --git a/naemon.if b/naemon.if
new file mode 100644
index 000000000..e904df027
--- /dev/null
+++ b/naemon.if
@@ -0,0 +1,305 @@
+
+## New monitoring suite that aims to be faster and more stable, while giving you a clearer view of the state of your network.
+
+########################################
+##
+## Execute naemon in the naemon domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`naemon_domtrans',`
+ gen_require(`
+ type naemon_t, naemon_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, naemon_exec_t, naemon_t)
+')
+
+########################################
+##
+## Execute naemon server in the naemon domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`naemon_initrc_domtrans',`
+ gen_require(`
+ type naemon_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, naemon_initrc_exec_t)
+')
+
+########################################
+##
+## Search naemon cache directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`naemon_search_cache',`
+ gen_require(`
+ type naemon_cache_t;
+ ')
+
+ allow $1 naemon_cache_t:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+##
+## Read naemon cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`naemon_read_cache_files',`
+ gen_require(`
+ type naemon_cache_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, naemon_cache_t, naemon_cache_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## naemon cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`naemon_manage_cache_files',`
+ gen_require(`
+ type naemon_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, naemon_cache_t, naemon_cache_t)
+')
+
+########################################
+##
+## Manage naemon cache dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`naemon_manage_cache_dirs',`
+ gen_require(`
+ type naemon_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, naemon_cache_t, naemon_cache_t)
+')
+
+########################################
+##
+## Read naemon's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`naemon_read_log',`
+ gen_require(`
+ type naemon_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, naemon_log_t, naemon_log_t)
+')
+
+########################################
+##
+## Append to naemon log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`naemon_append_log',`
+ gen_require(`
+ type naemon_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, naemon_log_t, naemon_log_t)
+')
+
+########################################
+##
+## Manage naemon log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`naemon_manage_log',`
+ gen_require(`
+ type naemon_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, naemon_log_t, naemon_log_t)
+ manage_files_pattern($1, naemon_log_t, naemon_log_t)
+ manage_lnk_files_pattern($1, naemon_log_t, naemon_log_t)
+')
+
+########################################
+##
+## Search naemon lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`naemon_search_lib',`
+ gen_require(`
+ type naemon_var_lib_t;
+ ')
+
+ allow $1 naemon_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read naemon lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`naemon_read_lib_files',`
+ gen_require(`
+ type naemon_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, naemon_var_lib_t, naemon_var_lib_t)
+')
+
+########################################
+##
+## Manage naemon lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`naemon_manage_lib_files',`
+ gen_require(`
+ type naemon_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, naemon_var_lib_t, naemon_var_lib_t)
+')
+
+########################################
+##
+## Manage naemon lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`naemon_manage_lib_dirs',`
+ gen_require(`
+ type naemon_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, naemon_var_lib_t, naemon_var_lib_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an naemon environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`naemon_admin',`
+ gen_require(`
+ type naemon_t;
+ type naemon_initrc_exec_t;
+ type naemon_cache_t;
+ type naemon_log_t;
+ type naemon_var_lib_t;
+ ')
+
+ allow $1 naemon_t:process { signal_perms };
+ ps_process_pattern($1, naemon_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 naemon_t:process ptrace;
+ ')
+
+ naemon_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 naemon_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var($1)
+ admin_pattern($1, naemon_cache_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, naemon_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, naemon_var_lib_t)
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/naemon.te b/naemon.te
new file mode 100644
index 000000000..79f1250eb
--- /dev/null
+++ b/naemon.te
@@ -0,0 +1,59 @@
+policy_module(naemon, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type naemon_t;
+type naemon_exec_t;
+init_daemon_domain(naemon_t, naemon_exec_t)
+
+type naemon_initrc_exec_t;
+init_script_file(naemon_initrc_exec_t)
+
+type naemon_cache_t;
+files_type(naemon_cache_t)
+
+type naemon_log_t;
+logging_log_file(naemon_log_t)
+
+type naemon_var_lib_t;
+files_type(naemon_var_lib_t)
+
+type naemon_var_run_t;
+files_pid_file(naemon_var_run_t)
+
+########################################
+#
+# naemon local policy
+#
+allow naemon_t self:process { fork setpgid setrlimit signal_perms };
+allow naemon_t self:fifo_file rw_fifo_file_perms;
+allow naemon_t self:unix_stream_socket create_stream_socket_perms;
+allow naemon_t self:unix_stream_socket connectto;
+
+manage_dirs_pattern(naemon_t, naemon_cache_t, naemon_cache_t)
+manage_files_pattern(naemon_t, naemon_cache_t, naemon_cache_t)
+manage_sock_files_pattern(naemon_t, naemon_cache_t, naemon_cache_t)
+files_var_filetrans(naemon_t, naemon_cache_t, { dir })
+
+manage_dirs_pattern(naemon_t, naemon_log_t, naemon_log_t)
+manage_files_pattern(naemon_t, naemon_log_t, naemon_log_t)
+logging_log_filetrans(naemon_t, naemon_log_t, { dir })
+
+manage_dirs_pattern(naemon_t, naemon_var_lib_t, naemon_var_lib_t)
+manage_files_pattern(naemon_t, naemon_var_lib_t, naemon_var_lib_t)
+manage_sock_files_pattern(naemon_t, naemon_var_lib_t, naemon_var_lib_t)
+manage_fifo_files_pattern(naemon_t, naemon_var_lib_t, naemon_var_lib_t)
+files_var_lib_filetrans(naemon_t, naemon_var_lib_t, { dir })
+
+manage_dirs_pattern(naemon_t, naemon_var_run_t, naemon_var_run_t)
+manage_files_pattern(naemon_t, naemon_var_run_t, naemon_var_run_t)
+files_pid_filetrans(naemon_t, naemon_var_run_t, { dir })
+
+kernel_read_system_state(naemon_t)
+
+auth_read_passwd(naemon_t)
+
+fs_getattr_xattr_fs(naemon_t)
diff --git a/nagios.fc b/nagios.fc
index d78dfc38d..c781b72bb 100644
--- a/nagios.fc
+++ b/nagios.fc
@@ -1,88 +1,113 @@
-/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
-/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
+/etc/icinga(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
+/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
+/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
-/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
+/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/bin/icinga -- gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
-/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
+/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/sbin/icinga -- gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
-/usr/lib/cgi-bin/nagios(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
+/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
+/usr/lib/icinga/cgi(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
-/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+/var/log/icinga(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+/var/log/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
-/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
+/var/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
+
+/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)
+
+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
+/var/spool/icinga(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
+ifdef(`distro_debian',`
+/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+')
+/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
+/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
+
+# admin plugins
/usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+# check disk plugins
+/usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
-
-/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-
-/usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-
-/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
-
-/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
-
-/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
-/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
-
-/var/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0)
-/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0)
-
-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
+# mail plugins
+/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
+
+/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
+
+# system plugins
+/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+
+# services plugins
+/usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+
+# openshift plugins
+/usr/lib64/nagios/plugins/check_node_accept_status -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0)
+/usr/lib64/nagios/plugins/check_number_openshift_apps -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0)
+
+# label all nagios plugin as unconfined by default
+/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
+
+# eventhandlers
+/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
+/usr/lib/icinga/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
+
diff --git a/nagios.if b/nagios.if
index 0641e970f..d012e9b04 100644
--- a/nagios.if
+++ b/nagios.if
@@ -1,12 +1,13 @@
-## Network monitoring server.
+## Net Saint / NAGIOS - network monitoring server
-#######################################
+########################################
##
-## The template to define a nagios plugin domain.
+## Create a set of derived types for various
+## nagios plugins,
##
-##
+##
##
-## Domain prefix to be used.
+## The name to be used for deriving type names.
##
##
#
@@ -16,38 +17,51 @@ template(`nagios_plugin_template',`
type nagios_t, nrpe_t;
')
- ########################################
- #
- # Declarations
- #
-
type nagios_$1_plugin_t, nagios_plugin_domain;
type nagios_$1_plugin_exec_t;
application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t)
role system_r types nagios_$1_plugin_t;
- ########################################
- #
- # Policy
- #
-
domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
allow nagios_t nagios_$1_plugin_exec_t:file ioctl;
+ # needed by command.cfg
domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
+
+ kernel_read_system_state(nagios_$1_plugin_t)
+
+')
+
+########################################
+##
+## Execute the nagios unconfined plugins with
+## a domain transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nagios_domtrans_unconfined_plugins',`
+ gen_require(`
+ type nagios_unconfined_plugin_t;
+ type nagios_unconfined_plugin_exec_t;
+ ')
+
+ domtrans_pattern($1, nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
')
########################################
##
-## Do not audit attempts to read or
-## write nagios unnamed pipes.
+## Do not audit attempts to read or write nagios
+## unnamed pipes.
##
##
##
## Domain to not audit.
##
##
-##
#
interface(`nagios_dontaudit_rw_pipes',`
gen_require(`
@@ -59,7 +73,8 @@ interface(`nagios_dontaudit_rw_pipes',`
########################################
##
-## Read nagios configuration content.
+## Allow the specified domain to read
+## nagios configuration files.
##
##
##
@@ -73,15 +88,33 @@ interface(`nagios_read_config',`
type nagios_etc_t;
')
- files_search_etc($1)
allow $1 nagios_etc_t:dir list_dir_perms;
allow $1 nagios_etc_t:file read_file_perms;
- allow $1 nagios_etc_t:lnk_file read_lnk_file_perms;
+ files_search_etc($1)
+')
+######################################
+##
+## Read nagios lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nagios_read_lib',`
+ gen_require(`
+ type nagios_var_lib_t;
+ ')
+
+ files_search_var($1)
+ list_dirs_pattern($1, nagios_var_lib_t, nagios_var_lib_t)
+ read_files_pattern($1, nagios_var_lib_t, nagios_var_lib_t)
')
######################################
##
-## Read nagios log files.
+## Read nagios logs.
##
##
##
@@ -100,8 +133,7 @@ interface(`nagios_read_log',`
########################################
##
-## Do not audit attempts to read or
-## write nagios log files.
+## Do not audit attempts to read or write nagios logs.
##
##
##
@@ -132,13 +164,33 @@ interface(`nagios_search_spool',`
type nagios_spool_t;
')
- files_search_spool($1)
allow $1 nagios_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+##
+## Append nagios spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nagios_append_spool',`
+ gen_require(`
+ type nagios_spool_t;
+ ')
+
+ allow $1 nagios_spool_t:file append_file_perms;
+ files_search_spool($1)
')
########################################
##
-## Read nagios temporary files.
+## Allow the specified domain to read
+## nagios temporary files.
##
##
##
@@ -151,13 +203,34 @@ interface(`nagios_read_tmp_files',`
type nagios_tmp_t;
')
- files_search_tmp($1)
allow $1 nagios_tmp_t:file read_file_perms;
+ files_search_tmp($1)
+')
+
+########################################
+##
+## Allow the specified domain to read
+## nagios temporary files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nagios_rw_inerited_tmp_files',`
+ gen_require(`
+ type nagios_tmp_t;
+ ')
+
+ allow $1 nagios_tmp_t:file rw_inherited_file_perms;
+ files_search_tmp($1)
')
########################################
##
-## Execute nrpe with a domain transition.
+## Execute the nagios NRPE with
+## a domain transition.
##
##
##
@@ -170,14 +243,31 @@ interface(`nagios_domtrans_nrpe',`
type nrpe_t, nrpe_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, nrpe_exec_t, nrpe_t)
')
+######################################
+##
+## Do not audit attempts to write nrpe daemon unnamed pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nagios_dontaudit_write_pipes_nrpe',`
+ gen_require(`
+ type nrpe_t;
+ ')
+
+ dontaudit $1 nrpe_t:fifo_file write;
+')
+
########################################
##
-## All of the rules required to
-## administrate an nagios environment.
+## All of the rules required to administrate
+## an nagios environment
##
##
##
@@ -186,44 +276,61 @@ interface(`nagios_domtrans_nrpe',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the nagios domain.
##
##
##
#
interface(`nagios_admin',`
gen_require(`
- attribute nagios_plugin_domain;
type nagios_t, nrpe_t, nagios_initrc_exec_t;
- type nagios_tmp_t, nagios_log_t, nagios_var_lib_t;
- type nagios_etc_t, nrpe_etc_t, nrpe_var_run_t;
- type nagios_spool_t, nagios_var_run_t, nagios_system_plugin_tmp_t;
- type nagios_eventhandler_plugin_tmp_t;
+ type nagios_tmp_t, nagios_log_t, nagios_var_run_t;
+ type nagios_etc_t, nrpe_etc_t, nagios_spool_t;
')
- allow $1 { nagios_t nrpe_t nagios_plugin_domain }:process { ptrace signal_perms };
- ps_process_pattern($1, { nagios_t nrpe_t nagios_plugin_domain })
+ allow $1 nagios_t:process signal_perms;
+ ps_process_pattern($1, nagios_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 nagios_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, nagios_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 nagios_initrc_exec_t system_r;
allow $2 system_r;
- files_search_tmp($1)
- admin_pattern($1, { nagios_eventhandler_plugin_tmp_t nagios_tmp_t nagios_system_plugin_tmp_t })
+ files_list_tmp($1)
+ admin_pattern($1, nagios_tmp_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, nagios_log_t)
- files_search_etc($1)
- admin_pattern($1, { nrpe_etc_t nagios_etc_t })
+ files_list_etc($1)
+ admin_pattern($1, nagios_etc_t)
- files_search_spool($1)
+ files_list_spool($1)
admin_pattern($1, nagios_spool_t)
- files_search_pids($1)
- admin_pattern($1, { nrpe_var_run_t nagios_var_run_t })
+ files_list_pids($1)
+ admin_pattern($1, nagios_var_run_t)
+
+ admin_pattern($1, nrpe_etc_t)
+')
+
+########################################
+##
+## Send a null signal to nagios_unconfined_plugin.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nagios_unconfined_signull',`
+ gen_require(`
+ type nagios_unconfined_plugin_t;
+ ')
- files_search_var_lib($1)
- admin_pattern($1, nagios_var_lib_t)
+ allow $1 nagios_unconfined_plugin_t:process signull;
')
diff --git a/nagios.te b/nagios.te
index 7b3e682e6..a5e1cfda8 100644
--- a/nagios.te
+++ b/nagios.te
@@ -5,6 +5,33 @@ policy_module(nagios, 1.13.0)
# Declarations
#
+##
+##
+## Allow nagios/nrpe to call sudo from NRPE utils scripts.
+##
+##
+gen_tunable(nagios_run_sudo, false)
+
+##
+##
+## Allow nagios run in conjunction with PNP4Nagios.
+##
+##
+gen_tunable(nagios_run_pnp4nagios, false)
+
+##
+##
+## Determine whether Nagios, NRPE can
+## access nfs file systems.
+##
+##
+gen_tunable(nagios_use_nfs, false)
+
+gen_require(`
+ class passwd rootok;
+ class passwd passwd;
+')
+
attribute nagios_plugin_domain;
type nagios_t;
@@ -27,7 +54,7 @@ type nagios_var_run_t;
files_pid_file(nagios_var_run_t)
type nagios_spool_t;
-files_type(nagios_spool_t)
+files_spool_file(nagios_spool_t)
type nagios_var_lib_t;
files_type(nagios_var_lib_t)
@@ -39,6 +66,7 @@ nagios_plugin_template(services)
nagios_plugin_template(system)
nagios_plugin_template(unconfined)
nagios_plugin_template(eventhandler)
+nagios_plugin_template(openshift)
type nagios_eventhandler_plugin_tmp_t;
files_tmp_file(nagios_eventhandler_plugin_tmp_t)
@@ -46,6 +74,9 @@ files_tmp_file(nagios_eventhandler_plugin_tmp_t)
type nagios_system_plugin_tmp_t;
files_tmp_file(nagios_system_plugin_tmp_t)
+type nagios_openshift_plugin_tmp_t;
+files_tmp_file(nagios_openshift_plugin_tmp_t)
+
type nrpe_t;
type nrpe_exec_t;
init_daemon_domain(nrpe_t, nrpe_exec_t)
@@ -63,44 +94,50 @@ files_pid_file(nrpe_var_run_t)
allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms;
+allow nrpe_t nagios_plugin_domain:process { signal sigkill };
+
+allow nagios_t nagios_plugin_domain:process signal_perms;
+allow nagios_plugin_domain nagios_t:process signal_perms;
+
+# cjp: leaked file descriptor
dontaudit nagios_plugin_domain nrpe_t:tcp_socket { read write };
dontaudit nagios_plugin_domain nagios_log_t:file { read write };
-kernel_read_system_state(nagios_plugin_domain)
-
dev_read_urand(nagios_plugin_domain)
dev_read_rand(nagios_plugin_domain)
+dev_read_sysfs(nagios_plugin_domain)
-files_read_usr_files(nagios_plugin_domain)
-
-miscfiles_read_localization(nagios_plugin_domain)
-
-userdom_use_user_terminals(nagios_plugin_domain)
+userdom_use_inherited_user_ptys(nagios_plugin_domain)
+userdom_use_inherited_user_ttys(nagios_plugin_domain)
########################################
#
# Nagios local policy
#
-allow nagios_t self:capability { dac_override setgid setuid };
+allow nagios_t self:capability { dac_read_search dac_override setgid setuid };
dontaudit nagios_t self:capability sys_tty_config;
allow nagios_t self:process { setpgid signal_perms };
allow nagios_t self:fifo_file rw_fifo_file_perms;
allow nagios_t self:tcp_socket { accept listen };
+allow nagios_t self:unix_stream_socket { connectto };
allow nagios_t nagios_plugin_domain:process signal_perms;
allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms;
allow nagios_t nagios_etc_t:dir list_dir_perms;
-allow nagios_t nagios_etc_t:file read_file_perms;
+allow nagios_t nagios_etc_t:file { read_file_perms map };
allow nagios_t nagios_etc_t:lnk_file read_lnk_file_perms;
-allow nagios_t nagios_log_t:dir setattr_dir_perms;
-append_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
-create_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
-setattr_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
-logging_log_filetrans(nagios_t, nagios_log_t, file)
+#allow nagios_t nagios_log_t:dir setattr_dir_perms;
+#append_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+#create_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+#setattr_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+manage_dirs_pattern(nagios_t, nagios_log_t, nagios_log_t)
+logging_log_filetrans(nagios_t, nagios_log_t, { dir file })
+allow nagios_t nagios_log_t:file map;
manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
@@ -110,11 +147,15 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
-files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
+manage_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+manage_sock_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file })
+allow nagios_t nagios_spool_t:file map;
manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
-files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { file fifo_file })
+manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
+files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { dir file fifo_file })
kernel_read_system_state(nagios_t)
kernel_read_kernel_sysctls(nagios_t)
@@ -123,7 +164,6 @@ kernel_read_software_raid_state(nagios_t)
corecmd_exec_bin(nagios_t)
corecmd_exec_shell(nagios_t)
-corenet_all_recvfrom_unlabeled(nagios_t)
corenet_all_recvfrom_netlabel(nagios_t)
corenet_tcp_sendrecv_generic_if(nagios_t)
corenet_tcp_sendrecv_generic_node(nagios_t)
@@ -143,18 +183,16 @@ domain_read_all_domains_state(nagios_t)
files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t)
-files_read_usr_files(nagios_t)
files_search_spool(nagios_t)
fs_getattr_all_fs(nagios_t)
fs_search_auto_mountpoints(nagios_t)
+fs_search_cgroup_dirs(nagios_t)
auth_use_nsswitch(nagios_t)
logging_send_syslog_msg(nagios_t)
-miscfiles_read_localization(nagios_t)
-
userdom_dontaudit_use_unpriv_user_fds(nagios_t)
userdom_dontaudit_search_user_home_dirs(nagios_t)
@@ -162,6 +200,47 @@ mta_send_mail(nagios_t)
mta_signal_system_mail(nagios_t)
mta_kill_system_mail(nagios_t)
+systemd_exec_systemctl(nagios_t)
+
+tunable_policy(`nagios_run_sudo',`
+ allow nagios_t self:capability { setuid setgid sys_resource sys_ptrace };
+ allow nagios_t self:process { setrlimit setsched };
+
+ allow nagios_t self:key write;
+
+ allow nagios_t self:passwd { passwd rootok };
+
+ auth_rw_lastlog(nagios_t)
+ auth_rw_faillog(nagios_t)
+
+ auth_domtrans_chkpwd(nagios_t)
+
+ selinux_compute_access_vector(nagios_t)
+
+ logging_send_audit_msgs(nagios_t)
+')
+
+optional_policy(`
+ apache_systemctl(nagios_t)
+')
+
+optional_policy(`
+ tunable_policy(`nagios_run_sudo',`
+ sudo_exec(nagios_t)
+ sudo_manage_db(nagios_t)
+ ')
+')
+
+tunable_policy(`nagios_run_pnp4nagios',`
+ allow nagios_t nagios_log_t:file execute;
+')
+
+tunable_policy(`nagios_use_nfs',`
+ fs_manage_nfs_files(nagios_t)
+ fs_manage_nfs_dirs(nagios_t)
+ fs_manage_nfs_symlinks(nagios_t)
+')
+
optional_policy(`
netutils_kill_ping(nagios_t)
')
@@ -178,35 +257,40 @@ optional_policy(`
#
# CGI local policy
#
+
optional_policy(`
apache_content_template(nagios)
- typealias httpd_nagios_script_t alias nagios_cgi_t;
- typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t;
+ apache_content_alias_template(nagios, nagios)
+ typealias nagios_script_t alias nagios_cgi_t;
+ typealias nagios_script_exec_t alias nagios_cgi_exec_t;
- allow httpd_nagios_script_t self:process signal_perms;
+ allow nagios_script_t self:process signal_perms;
- read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
- read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
+ read_files_pattern(nagios_script_t, nagios_t, nagios_t)
+ read_lnk_files_pattern(nagios_script_t, nagios_t, nagios_t)
- allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
- allow httpd_nagios_script_t nagios_etc_t:file read_file_perms;
- allow httpd_nagios_script_t nagios_etc_t:lnk_file read_lnk_file_perms;
+ allow nagios_script_t nagios_etc_t:dir list_dir_perms;
+ allow nagios_script_t nagios_etc_t:file { map read_file_perms };
+ allow nagios_script_t nagios_etc_t:lnk_file read_lnk_file_perms;
- files_search_spool(httpd_nagios_script_t)
- rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
+ files_search_spool(nagios_script_t)
+ rw_fifo_files_pattern(nagios_script_t, nagios_spool_t, nagios_spool_t)
+ read_files_pattern(nagios_script_t, nagios_spool_t, nagios_spool_t)
+ allow nagios_script_t nagios_spool_t:file map;
- allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
- read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
- read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
+ allow nagios_script_t nagios_log_t:dir list_dir_perms;
+ read_files_pattern(nagios_script_t, nagios_etc_t, nagios_log_t)
+ read_lnk_files_pattern(nagios_script_t, nagios_etc_t, nagios_log_t)
+ allow nagios_script_t nagios_log_t:file map;
- kernel_read_system_state(httpd_nagios_script_t)
+ kernel_read_system_state(nagios_script_t)
- domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
+ domain_dontaudit_read_all_domains_state(nagios_script_t)
- files_read_etc_runtime_files(httpd_nagios_script_t)
- files_read_kernel_symbol_table(httpd_nagios_script_t)
+ files_read_etc_runtime_files(nagios_script_t)
+ files_read_kernel_symbol_table(nagios_script_t)
- logging_send_syslog_msg(httpd_nagios_script_t)
+ logging_send_syslog_msg(nagios_script_t)
')
########################################
@@ -214,7 +298,7 @@ optional_policy(`
# Nrpe local policy
#
-allow nrpe_t self:capability { setuid setgid };
+allow nrpe_t self:capability { setuid setgid kill };
dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
allow nrpe_t self:fifo_file rw_fifo_file_perms;
@@ -229,9 +313,11 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
+kernel_read_system_state(nrpe_t)
kernel_read_kernel_sysctls(nrpe_t)
kernel_read_software_raid_state(nrpe_t)
-kernel_read_system_state(nrpe_t)
+
+can_exec(nagios_t, nagios_exec_t)
corecmd_exec_bin(nrpe_t)
corecmd_exec_shell(nrpe_t)
@@ -252,8 +338,8 @@ dev_read_urand(nrpe_t)
domain_use_interactive_fds(nrpe_t)
domain_read_all_domains_state(nrpe_t)
+files_list_var(nrpe_t)
files_read_etc_runtime_files(nrpe_t)
-files_read_usr_files(nrpe_t)
fs_getattr_all_fs(nrpe_t)
fs_search_auto_mountpoints(nrpe_t)
@@ -262,10 +348,40 @@ auth_use_nsswitch(nrpe_t)
logging_send_syslog_msg(nrpe_t)
-miscfiles_read_localization(nrpe_t)
-
userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
+tunable_policy(`nagios_run_sudo',`
+ allow nrpe_t self:capability { setuid setgid sys_resource sys_ptrace };
+ allow nrpe_t self:process { setrlimit setsched };
+
+ allow nrpe_t self:key write;
+
+ allow nrpe_t self:passwd { passwd rootok };
+
+ auth_rw_lastlog(nrpe_t)
+ auth_rw_faillog(nrpe_t)
+
+ auth_domtrans_chkpwd(nrpe_t)
+
+ selinux_compute_access_vector(nrpe_t)
+
+ logging_send_audit_msgs(nrpe_t)
+')
+
+optional_policy(`
+ tunable_policy(`nagios_run_sudo',`
+ sudo_exec(nrpe_t)
+ sudo_manage_db(nrpe_t)
+ ')
+')
+
+
+tunable_policy(`nagios_use_nfs',`
+ fs_manage_nfs_files(nrpe_t)
+ fs_manage_nfs_dirs(nrpe_t)
+ fs_manage_nfs_symlinks(nrpe_t)
+')
+
optional_policy(`
inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
')
@@ -309,16 +425,16 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
# Mail local policy
#
-allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
-allow nagios_mail_plugin_t self:tcp_socket { accept listen };
+allow nagios_mail_plugin_t self:capability { setuid setgid dac_read_search dac_override };
+allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
+allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
kernel_read_kernel_sysctls(nagios_mail_plugin_t)
corecmd_read_bin_files(nagios_mail_plugin_t)
corecmd_read_bin_symlinks(nagios_mail_plugin_t)
-files_read_etc_files(nagios_mail_plugin_t)
-
logging_send_syslog_msg(nagios_mail_plugin_t)
sysnet_dns_name_resolve(nagios_mail_plugin_t)
@@ -345,9 +461,14 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
+corecmd_exec_bin(nagios_checkdisk_plugin_t)
+
+files_getattr_all_dirs(nagios_checkdisk_plugin_t)
files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
+fs_read_configfs_files(nagios_checkdisk_plugin_t)
+fs_read_configfs_dirs(nagios_checkdisk_plugin_t)
fs_getattr_all_fs(nagios_checkdisk_plugin_t)
storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
@@ -357,9 +478,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
# Services local policy
#
-allow nagios_services_plugin_t self:capability net_raw;
+allow nagios_services_plugin_t self:capability { setuid net_bind_service net_raw };
allow nagios_services_plugin_t self:process { signal sigkill };
-allow nagios_services_plugin_t self:tcp_socket { accept listen };
+allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
+allow nagios_services_plugin_t self:udp_socket create_socket_perms;
+allow nagios_services_plugin_t self:rawip_socket create_socket_perms;
corecmd_exec_bin(nagios_services_plugin_t)
@@ -391,6 +514,11 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(nagios_services_plugin_t)
+ mysql_read_config(nagios_services_plugin_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(nagios_services_plugin_t)
')
optional_policy(`
@@ -402,32 +530,40 @@ optional_policy(`
# System local policy
#
-allow nagios_system_plugin_t self:capability dac_override;
+allow nagios_system_plugin_t self:capability { dac_read_search dac_override };
dontaudit nagios_system_plugin_t self:capability { setuid setgid };
read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
+allow nagios_system_plugin_t nrpe_exec_t:file read_file_perms;
+allow nagios_system_plugin_t nagios_exec_t:file read_file_perms;
manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
+kernel_read_system_state(nagios_system_plugin_t)
kernel_read_kernel_sysctls(nagios_system_plugin_t)
corecmd_exec_bin(nagios_system_plugin_t)
corecmd_exec_shell(nagios_system_plugin_t)
+corecmd_getattr_all_executables(nagios_system_plugin_t)
dev_read_sysfs(nagios_system_plugin_t)
domain_read_all_domains_state(nagios_system_plugin_t)
-files_read_etc_files(nagios_system_plugin_t)
-
fs_getattr_all_fs(nagios_system_plugin_t)
+auth_read_passwd(nagios_system_plugin_t)
+
optional_policy(`
init_read_utmp(nagios_system_plugin_t)
')
+optional_policy(`
+ mrtg_read_lib_files(nagios_system_plugin_t)
+')
+
#######################################
#
# Event local policy
@@ -442,9 +578,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
init_domtrans_script(nagios_eventhandler_plugin_t)
+systemd_exec_systemctl(nagios_eventhandler_plugin_t)
+
+allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms;
+
+optional_policy(`
+ unconfined_domain(nagios_eventhandler_plugin_t)
+')
+
########################################
#
-# Unconfined plugin policy
+# nagios openshift plugin policy
+#
+
+allow nagios_openshift_plugin_t self:capability sys_ptrace;
+
+manage_dirs_pattern(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, nagios_openshift_plugin_tmp_t)
+manage_files_pattern(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, nagios_openshift_plugin_tmp_t)
+files_tmp_filetrans(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, { file dir })
+
+corecmd_exec_bin(nagios_openshift_plugin_t)
+corecmd_exec_shell(nagios_openshift_plugin_t)
+
+domain_read_all_domains_state(nagios_openshift_plugin_t)
+
+fs_getattr_all_fs(nagios_openshift_plugin_t)
+
+optional_policy(`
+ apache_read_config(nagios_openshift_plugin_t)
+')
+
+######################################
+#
+# nagios plugin domain policy
#
optional_policy(`
diff --git a/namespace.fc b/namespace.fc
new file mode 100644
index 000000000..ce51c8d4f
--- /dev/null
+++ b/namespace.fc
@@ -0,0 +1,3 @@
+
+/etc/security/namespace.init -- gen_context(system_u:object_r:namespace_init_exec_t,s0)
+
diff --git a/namespace.if b/namespace.if
new file mode 100644
index 000000000..8d7c75157
--- /dev/null
+++ b/namespace.if
@@ -0,0 +1,48 @@
+
+## policy for namespace
+
+########################################
+##
+## Execute a domain transition to run namespace_init.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`namespace_init_domtrans',`
+ gen_require(`
+ type namespace_init_t, namespace_init_exec_t;
+ ')
+
+ domtrans_pattern($1, namespace_init_exec_t, namespace_init_t)
+')
+
+
+########################################
+##
+## Execute namespace_init in the namespace_init domain, and
+## allow the specified role the namespace_init domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the namespace_init domain.
+##
+##
+#
+interface(`namespace_init_run',`
+ gen_require(`
+ type namespace_init_t;
+ ')
+
+ namespace_init_domtrans($1)
+ role $2 types namespace_init_t;
+
+ seutil_run_setfiles(namespace_init_t, $2)
+')
diff --git a/namespace.te b/namespace.te
new file mode 100644
index 000000000..814e62e4f
--- /dev/null
+++ b/namespace.te
@@ -0,0 +1,41 @@
+policy_module(namespace,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type namespace_init_t;
+type namespace_init_exec_t;
+init_system_domain(namespace_init_t, namespace_init_exec_t)
+role system_r types namespace_init_t;
+
+########################################
+#
+# namespace_init local policy
+#
+
+allow namespace_init_t self:capability { dac_read_search dac_override};
+
+allow namespace_init_t self:fifo_file manage_fifo_file_perms;
+allow namespace_init_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(namespace_init_t)
+
+corecmd_exec_shell(namespace_init_t)
+
+domain_use_interactive_fds(namespace_init_t)
+domain_obj_id_change_exemption(namespace_init_t)
+
+files_polyinstantiate_all(namespace_init_t)
+
+fs_getattr_xattr_fs(namespace_init_t)
+
+auth_use_nsswitch(namespace_init_t)
+
+term_use_console(namespace_init_t)
+
+userdom_manage_user_home_content(namespace_init_t)
+userdom_relabelto_user_home_dirs(namespace_init_t)
+userdom_relabelto_user_home_files(namespace_init_t)
+userdom_filetrans_home_content(namespace_init_t)
diff --git a/ncftool.if b/ncftool.if
index db9578f4e..4309e3da5 100644
--- a/ncftool.if
+++ b/ncftool.if
@@ -38,9 +38,11 @@ interface(`ncftool_domtrans',`
#
interface(`ncftool_run',`
gen_require(`
+ type ncftool_t;
attribute_role ncftool_roles;
')
ncftool_domtrans($1)
roleattribute $2 ncftool_roles;
')
+
diff --git a/ncftool.te b/ncftool.te
index 71f30ba60..d61686078 100644
--- a/ncftool.te
+++ b/ncftool.te
@@ -22,13 +22,14 @@ role ncftool_roles types ncftool_t;
allow ncftool_t self:capability net_admin;
allow ncftool_t self:process signal;
+
allow ncftool_t self:fifo_file manage_fifo_file_perms;
allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
allow ncftool_t self:tcp_socket create_stream_socket_perms;
kernel_read_kernel_sysctls(ncftool_t)
-kernel_read_modprobe_sysctls(ncftool_t)
+kernel_read_usermodehelper_state(ncftool_t)
kernel_read_network_state(ncftool_t)
kernel_read_system_state(ncftool_t)
kernel_request_load_module(ncftool_t)
@@ -41,11 +42,11 @@ domain_read_all_domains_state(ncftool_t)
dev_read_sysfs(ncftool_t)
-files_read_etc_files(ncftool_t)
+files_manage_system_conf_files(ncftool_t)
+files_relabelto_system_conf_files(ncftool_t)
files_read_etc_runtime_files(ncftool_t)
-files_read_usr_files(ncftool_t)
-miscfiles_read_localization(ncftool_t)
+term_use_all_inherited_terms(ncftool_t)
sysnet_delete_dhcpc_pid(ncftool_t)
sysnet_run_dhcpc(ncftool_t, ncftool_roles)
@@ -53,6 +54,8 @@ sysnet_run_ifconfig(ncftool_t, ncftool_roles)
sysnet_etc_filetrans_config(ncftool_t)
sysnet_manage_config(ncftool_t)
sysnet_read_dhcpc_state(ncftool_t)
+sysnet_relabelfrom_net_conf(ncftool_t)
+sysnet_relabelto_net_conf(ncftool_t)
sysnet_read_dhcpc_pid(ncftool_t)
sysnet_signal_dhcpc(ncftool_t)
@@ -73,11 +76,14 @@ optional_policy(`
optional_policy(`
iptables_initrc_domtrans(ncftool_t)
+ iptables_systemctl(ncftool_t)
')
optional_policy(`
+ modutils_list_module_config(ncftool_t)
modutils_read_module_config(ncftool_t)
modutils_run_insmod(ncftool_t, ncftool_roles)
+
')
optional_policy(`
diff --git a/nessus.te b/nessus.te
index fe1068ba5..98166ee0b 100644
--- a/nessus.te
+++ b/nessus.te
@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(nessusd_t)
corecmd_exec_bin(nessusd_t)
-corenet_all_recvfrom_unlabeled(nessusd_t)
corenet_all_recvfrom_netlabel(nessusd_t)
corenet_tcp_sendrecv_generic_if(nessusd_t)
corenet_udp_sendrecv_generic_if(nessusd_t)
@@ -82,7 +81,6 @@ dev_read_urand(nessusd_t)
domain_use_interactive_fds(nessusd_t)
files_list_var_lib(nessusd_t)
-files_read_etc_files(nessusd_t)
files_read_etc_runtime_files(nessusd_t)
fs_getattr_all_fs(nessusd_t)
@@ -90,8 +88,6 @@ fs_search_auto_mountpoints(nessusd_t)
logging_send_syslog_msg(nessusd_t)
-miscfiles_read_localization(nessusd_t)
-
sysnet_read_config(nessusd_t)
userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
diff --git a/networkmanager.fc b/networkmanager.fc
index 94b973407..448a7e836 100644
--- a/networkmanager.fc
+++ b/networkmanager.fc
@@ -1,44 +1,46 @@
-/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)
/etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/etc/dhcp/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
-/etc/dhcp/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
-/etc/dhcp/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
+/etc/dhcp/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/dhcp/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/dhcp/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
-/etc/wicd/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
-/etc/wicd/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
-/etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
+/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
-/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/lib/systemd/system/NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
-/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/teamd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
+/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
-/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
-/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+/var/log/wicd.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
-/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-xl2tpd.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/teamd(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wicd\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
index 86dc29dfa..690cb88a8 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -2,7 +2,7 @@
########################################
##
-## Read and write networkmanager udp sockets.
+## Read and write NetworkManager UDP sockets.
##
##
##
@@ -10,6 +10,7 @@
##
##
#
+# cjp: added for named.
interface(`networkmanager_rw_udp_sockets',`
gen_require(`
type NetworkManager_t;
@@ -20,7 +21,7 @@ interface(`networkmanager_rw_udp_sockets',`
########################################
##
-## Read and write networkmanager packet sockets.
+## Read and write NetworkManager packet sockets.
##
##
##
@@ -28,6 +29,7 @@ interface(`networkmanager_rw_udp_sockets',`
##
##
#
+# cjp: added for named.
interface(`networkmanager_rw_packet_sockets',`
gen_require(`
type NetworkManager_t;
@@ -38,12 +40,12 @@ interface(`networkmanager_rw_packet_sockets',`
#######################################
##
-## Relabel networkmanager tun socket.
+## Allow caller to relabel tun_socket
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
interface(`networkmanager_attach_tun_iface',`
@@ -57,7 +59,7 @@ interface(`networkmanager_attach_tun_iface',`
########################################
##
-## Read and write networkmanager netlink
+## Read and write NetworkManager netlink
## routing sockets.
##
##
@@ -66,6 +68,7 @@ interface(`networkmanager_attach_tun_iface',`
##
##
#
+# cjp: added for named.
interface(`networkmanager_rw_routing_sockets',`
gen_require(`
type NetworkManager_t;
@@ -76,7 +79,7 @@ interface(`networkmanager_rw_routing_sockets',`
########################################
##
-## Execute networkmanager with a domain transition.
+## Execute NetworkManager with a domain transition.
##
##
##
@@ -93,10 +96,27 @@ interface(`networkmanager_domtrans',`
domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t)
')
+#######################################
+##
+## Execute NetworkManager scripts with an automatic domain transition to initrc.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`networkmanager_initrc_domtrans',`
+ gen_require(`
+ type NetworkManager_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+')
+
########################################
##
-## Execute networkmanager scripts with
-## an automatic domain transition to initrc.
+## Execute NetworkManager server in the NetworkManager domain.
##
##
##
@@ -104,18 +124,24 @@ interface(`networkmanager_domtrans',`
##
##
#
-interface(`networkmanager_initrc_domtrans',`
+interface(`networkmanager_systemctl',`
gen_require(`
- type NetworkManager_initrc_exec_t;
+ type NetworkManager_unit_file_t;
+ type NetworkManager_t;
')
- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 NetworkManager_unit_file_t:file read_file_perms;
+ allow $1 NetworkManager_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, NetworkManager_t)
')
########################################
##
## Send and receive messages from
-## networkmanager over dbus.
+## NetworkManager over dbus.
##
##
##
@@ -155,7 +181,29 @@ interface(`networkmanager_read_state',`
########################################
##
-## Send generic signals to networkmanager.
+## Do not audit attempts to send and
+## receive messages from NetworkManager
+## over dbus.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`networkmanager_dontaudit_dbus_chat',`
+ gen_require(`
+ type NetworkManager_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 NetworkManager_t:dbus send_msg;
+ dontaudit NetworkManager_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Send a generic signal to NetworkManager
##
##
##
@@ -189,6 +237,7 @@ interface(`networkmanager_manage_lib_files',`
files_search_var_lib($1)
manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ allow $1 NetworkManager_var_lib_t:file map;
')
########################################
@@ -209,11 +258,31 @@ interface(`networkmanager_read_lib_files',`
files_search_var_lib($1)
list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ allow $1 NetworkManager_var_lib_t:file map;
+')
+
+#######################################
+##
+## Read NetworkManager conf files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`networkmanager_read_conf',`
+ gen_require(`
+ type NetworkManager_etc_t;
+ ')
+
+ allow $1 NetworkManager_etc_t:dir list_dir_perms;
+ read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)
')
########################################
##
-## Append networkmanager log files.
+## Read NetworkManager PID files.
##
##
##
@@ -221,19 +290,18 @@ interface(`networkmanager_read_lib_files',`
##
##
#
-interface(`networkmanager_append_log_files',`
+interface(`networkmanager_read_pid_files',`
gen_require(`
- type NetworkManager_log_t;
+ type NetworkManager_var_run_t;
')
- logging_search_logs($1)
- allow $1 NetworkManager_log_t:dir list_dir_perms;
- append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+ files_search_pids($1)
+ read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
')
########################################
##
-## Read networkmanager pid files.
+## Manage NetworkManager PID files.
##
##
##
@@ -241,13 +309,66 @@ interface(`networkmanager_append_log_files',`
##
##
#
-interface(`networkmanager_read_pid_files',`
+interface(`networkmanager_manage_pid_files',`
+ gen_require(`
+ type NetworkManager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
+')
+
+########################################
+##
+## Manage NetworkManager PID sock files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`networkmanager_manage_pid_sock_files',`
gen_require(`
type NetworkManager_var_run_t;
')
files_search_pids($1)
- allow $1 NetworkManager_var_run_t:file read_file_perms;
+ manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
+')
+
+########################################
+##
+## Create objects in /etc with a private
+## type using a type_transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Private file type.
+##
+##
+##
+##
+## Object classes to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`networkmanager_pid_filetrans',`
+ gen_require(`
+ type NetworkManager_var_run_t;
+ ')
+
+ filetrans_pattern($1, NetworkManager_var_run_t, $2, $3, $4)
')
####################################
@@ -272,14 +393,33 @@ interface(`networkmanager_stream_connect',`
########################################
##
-## All of the rules required to
-## administrate an networkmanager environment.
+## Delete NetworkManager PID files.
##
##
##
## Domain allowed access.
##
##
+#
+interface(`networkmanager_delete_pid_files',`
+ gen_require(`
+ type NetworkManager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ delete_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
+')
+
+########################################
+##
+## Execute NetworkManager in the NetworkManager domain, and
+## allow the specified role the NetworkManager domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
##
##
## Role allowed access.
@@ -287,33 +427,194 @@ interface(`networkmanager_stream_connect',`
##
##
#
-interface(`networkmanager_admin',`
+interface(`networkmanager_run',`
gen_require(`
- type NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_etc_t;
- type NetworkManager_etc_rw_t, NetworkManager_log_t, NetworkManager_tmp_t;
- type NetworkManager_var_lib_t, NetworkManager_var_run_t, wpa_cli_t;
+ type NetworkManager_t, NetworkManager_exec_t;
')
- allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { wpa_cli_t NetworkManager_t })
-
- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 NetworkManager_initrc_exec_t system_r;
- allow $2 system_r;
+ networkmanager_domtrans($1)
+ role $2 types NetworkManager_t;
+')
- logging_search_etc($1)
- admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t })
+########################################
+##
+## Allow the specified domain to append
+## to Network Manager log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`networkmanager_append_log',`
+ gen_require(`
+ type NetworkManager_log_t;
+ ')
logging_search_logs($1)
- admin_pattern($1, NetworkManager_log_t)
+ allow $1 NetworkManager_log_t:dir list_dir_perms;
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+ allow $1 NetworkManager_var_lib_t:file map;
- files_search_var_lib($1)
- admin_pattern($1, NetworkManager_var_lib_t)
+')
+
+#######################################
+##
+## Allow the specified domain to manage
+## to Network Manager lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`networkmanager_manage_lib',`
+ gen_require(`
+ type NetworkManager_var_lib_t;
+ ')
+
+ manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ allow $1 NetworkManager_var_lib_t:file map;
+
+')
+
+#######################################
+##
+## Read the process state (/proc/pid) of NetworkManager.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`NetworkManager_read_state',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:dir search_dir_perms;
+ allow $1 NetworkManager_t:file read_file_perms;
+ allow $1 NetworkManager_t:lnk_file read_lnk_file_perms;
+')
+
+#######################################
+##
+## Send to NetworkManager with a unix dgram socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`networkmanager_dgram_send',`
+ gen_require(`
+ type NetworkManager_t, NetworkManager_var_run_t;
+ ')
files_search_pids($1)
- admin_pattern($1, NetworkManager_var_run_t)
+ dgram_send_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
+')
+
+########################################
+##
+## Send sigchld to networkmanager.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`networkmanager_sigchld',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:process sigchld;
+')
+
+########################################
+##
+## Send signull to networkmanager.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`networkmanager_signull',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:process signull;
+')
+
+########################################
+##
+## Send sigkill to networkmanager.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`networkmanager_sigkill',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:process sigkill;
+')
+
+########################################
+##
+## Transition to networkmanager named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`networkmanager_filetrans_named_content',`
+ gen_require(`
+ type NetworkManager_var_run_t;
+ type NetworkManager_var_lib_t;
+ ')
- files_search_tmp($1)
- admin_pattern($1, NetworkManager_tmp_t)
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth0.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth1.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth2.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth3.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth4.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth5.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth6.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth7.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth8.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth9.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em0.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em1.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em2.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em3.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em4.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em5.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em6.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em7.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, dir, "teamd")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "wicd.pid")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wired-settings.conf")
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
index 55f20095e..b717dd886 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -9,15 +9,18 @@ type NetworkManager_t;
type NetworkManager_exec_t;
init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
+type NetworkManager_initrc_exec_t;
+init_script_file(NetworkManager_initrc_exec_t)
+
+type NetworkManager_unit_file_t;
+systemd_unit_file(NetworkManager_unit_file_t)
+
type NetworkManager_etc_t;
files_config_file(NetworkManager_etc_t)
type NetworkManager_etc_rw_t;
files_config_file(NetworkManager_etc_rw_t)
-type NetworkManager_initrc_exec_t;
-init_script_file(NetworkManager_initrc_exec_t)
-
type NetworkManager_log_t;
logging_log_file(NetworkManager_log_t)
@@ -39,25 +42,56 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
# Local policy
#
-allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
-dontaudit NetworkManager_t self:capability { sys_tty_config sys_module sys_ptrace };
-allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
+# networkmanager will ptrace itself if gdb is installed
+# and it receives a unexpected signal (rh bug #204161)
+allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_read_search dac_override net_admin net_raw net_bind_service ipc_lock sys_chroot };
+dontaudit NetworkManager_t self:capability sys_tty_config;
+
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
+ dontaudit NetworkManager_t self:capability sys_module;
+')
+
+allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms };
+
+allow NetworkManager_t self:process setfscreate;
+selinux_validate_context(NetworkManager_t)
+
+tunable_policy(`deny_ptrace',`',`
+ allow NetworkManager_t self:capability sys_ptrace;
+ allow NetworkManager_t self:process ptrace;
+')
+
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
-allow NetworkManager_t self:unix_dgram_socket sendto;
-allow NetworkManager_t self:unix_stream_socket { accept listen };
+allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
+allow NetworkManager_t self:unix_stream_socket{ create_stream_socket_perms connectto };
+allow NetworkManager_t self:netlink_generic_socket create_socket_perms;
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
+allow NetworkManager_t self:netlink_xfrm_socket create_netlink_socket_perms;
allow NetworkManager_t self:netlink_socket create_socket_perms;
allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow NetworkManager_t self:tcp_socket { accept listen };
+allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;
+allow NetworkManager_t self:rawip_socket create_socket_perms;
+allow NetworkManager_t self:socket create_socket_perms;
allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
-allow NetworkManager_t NetworkManager_etc_t:dir list_dir_perms;
-allow NetworkManager_t NetworkManager_etc_t:file read_file_perms;
-allow NetworkManager_t NetworkManager_etc_t:lnk_file read_lnk_file_perms;
+can_exec(NetworkManager_t, NetworkManager_exec_t)
+#wicd
+can_exec(NetworkManager_t, wpa_cli_exec_t)
+
+list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
@@ -68,6 +102,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
+can_exec(NetworkManager_t, NetworkManager_tmp_t)
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
@@ -81,17 +116,17 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
-can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
-
-kernel_read_crypto_sysctls(NetworkManager_t)
kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
kernel_request_load_module(NetworkManager_t)
kernel_read_debugfs(NetworkManager_t)
kernel_rw_net_sysctls(NetworkManager_t)
+kernel_dontaudit_setsched(NetworkManager_t)
+kernel_signull(NetworkManager_t)
-corenet_all_recvfrom_unlabeled(NetworkManager_t)
+corenet_ib_manage_subnet_unlabeled_endports(NetworkManager_t)
+corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
corenet_all_recvfrom_netlabel(NetworkManager_t)
corenet_tcp_sendrecv_generic_if(NetworkManager_t)
corenet_udp_sendrecv_generic_if(NetworkManager_t)
@@ -102,36 +137,24 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
corenet_tcp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_bind_generic_node(NetworkManager_t)
-
-corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
corenet_udp_bind_isakmp_port(NetworkManager_t)
-
-corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
corenet_udp_bind_dhcpc_port(NetworkManager_t)
-
-corenet_sendrecv_all_client_packets(NetworkManager_t)
corenet_tcp_connect_all_ports(NetworkManager_t)
-
+corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
+corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
+corenet_sendrecv_all_client_packets(NetworkManager_t)
corenet_rw_tun_tap_dev(NetworkManager_t)
corenet_getattr_ppp_dev(NetworkManager_t)
-corecmd_exec_shell(NetworkManager_t)
-corecmd_exec_bin(NetworkManager_t)
-
+dev_access_check_sysfs(NetworkManager_t)
dev_rw_sysfs(NetworkManager_t)
dev_read_rand(NetworkManager_t)
dev_read_urand(NetworkManager_t)
+dev_write_sysfs_dirs(NetworkManager_t)
dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
dev_getattr_all_chr_files(NetworkManager_t)
dev_rw_wireless(NetworkManager_t)
-domain_use_interactive_fds(NetworkManager_t)
-domain_read_all_domains_state(NetworkManager_t)
-
-files_read_etc_runtime_files(NetworkManager_t)
-files_read_usr_files(NetworkManager_t)
-files_read_usr_src_files(NetworkManager_t)
-
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
fs_list_inotifyfs(NetworkManager_t)
@@ -140,18 +163,35 @@ mls_file_read_all_levels(NetworkManager_t)
selinux_dontaudit_search_fs(NetworkManager_t)
+corecmd_exec_shell(NetworkManager_t)
+corecmd_exec_bin(NetworkManager_t)
+
+domain_use_interactive_fds(NetworkManager_t)
+domain_read_all_domains_state(NetworkManager_t)
+
+files_read_etc_runtime_files(NetworkManager_t)
+files_read_system_conf_files(NetworkManager_t)
+files_read_usr_src_files(NetworkManager_t)
+files_read_isid_type_files(NetworkManager_t)
+
storage_getattr_fixed_disk_dev(NetworkManager_t)
+term_open_unallocated_ttys(NetworkManager_t)
+
init_read_utmp(NetworkManager_t)
init_dontaudit_write_utmp(NetworkManager_t)
init_domtrans_script(NetworkManager_t)
+init_signull_script(NetworkManager_t)
+init_signal_script(NetworkManager_t)
+init_sigkill_script(NetworkManager_t)
auth_use_nsswitch(NetworkManager_t)
+libs_exec_ldconfig(NetworkManager_t)
+
logging_send_syslog_msg(NetworkManager_t)
miscfiles_read_generic_certs(NetworkManager_t)
-miscfiles_read_localization(NetworkManager_t)
seutil_read_config(NetworkManager_t)
@@ -166,21 +206,37 @@ sysnet_kill_dhcpc(NetworkManager_t)
sysnet_read_dhcpc_state(NetworkManager_t)
sysnet_delete_dhcpc_state(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
+# in /etc created by NetworkManager will be labelled net_conf_t.
sysnet_manage_config(NetworkManager_t)
-sysnet_etc_filetrans_config(NetworkManager_t)
+sysnet_filetrans_named_content(NetworkManager_t)
+sysnet_filetrans_net_conf(NetworkManager_t)
-# certificates in user home directories (cert_home_t in ~/\.pki)
-userdom_read_user_home_content_files(NetworkManager_t)
+systemd_machined_read_pid_files(NetworkManager_t)
+
+term_use_unallocated_ttys(NetworkManager_t)
-userdom_write_user_tmp_sockets(NetworkManager_t)
+userdom_stream_connect(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
userdom_dontaudit_use_user_ttys(NetworkManager_t)
+# Read gnome-keyring
+userdom_read_home_certs(NetworkManager_t)
+userdom_read_user_home_content_files(NetworkManager_t)
+userdom_dgram_send(NetworkManager_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(NetworkManager_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(NetworkManager_t)
+')
optional_policy(`
avahi_domtrans(NetworkManager_t)
avahi_kill(NetworkManager_t)
avahi_signal(NetworkManager_t)
avahi_signull(NetworkManager_t)
+ avahi_dbus_chat(NetworkManager_t)
')
optional_policy(`
@@ -195,10 +251,6 @@ optional_policy(`
bluetooth_dontaudit_read_helper_state(NetworkManager_t)
')
-optional_policy(`
- consolekit_read_pid_files(NetworkManager_t)
-')
-
optional_policy(`
consoletype_exec(NetworkManager_t)
')
@@ -210,31 +262,36 @@ optional_policy(`
optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
- optional_policy(`
- avahi_dbus_chat(NetworkManager_t)
- ')
+ init_dbus_chat(NetworkManager_t)
optional_policy(`
consolekit_dbus_chat(NetworkManager_t)
+ consolekit_read_pid_files(NetworkManager_t)
')
+')
- optional_policy(`
- policykit_dbus_chat(NetworkManager_t)
- ')
+optional_policy(`
+ dnssec_trigger_domtrans(NetworkManager_t)
')
optional_policy(`
dnsmasq_read_pid_files(NetworkManager_t)
+ dnsmasq_dbus_chat(NetworkManager_t)
dnsmasq_delete_pid_files(NetworkManager_t)
dnsmasq_domtrans(NetworkManager_t)
dnsmasq_initrc_domtrans(NetworkManager_t)
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
+ dnsmasq_systemctl(NetworkManager_t)
')
optional_policy(`
- gnome_stream_connect_all_gkeyringd(NetworkManager_t)
+ dnssec_trigger_signull(NetworkManager_t)
+')
+
+optional_policy(`
+ fcoe_dgram_send_fcoemon(NetworkManager_t)
')
optional_policy(`
@@ -245,11 +302,27 @@ optional_policy(`
howl_signal(NetworkManager_t)
')
+optional_policy(`
+ gnome_dontaudit_search_config(NetworkManager_t)
+')
+
+optional_policy(`
+ iscsid_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
+ iodined_domtrans(NetworkManager_t)
+')
+
optional_policy(`
ipsec_domtrans_mgmt(NetworkManager_t)
ipsec_kill_mgmt(NetworkManager_t)
ipsec_signal_mgmt(NetworkManager_t)
ipsec_signull_mgmt(NetworkManager_t)
+ ipsec_domtrans(NetworkManager_t)
+ ipsec_kill(NetworkManager_t)
+ ipsec_signal(NetworkManager_t)
+ ipsec_signull(NetworkManager_t)
')
optional_policy(`
@@ -257,15 +330,19 @@ optional_policy(`
')
optional_policy(`
- libs_exec_ldconfig(NetworkManager_t)
+ l2tpd_domtrans(NetworkManager_t)
+ l2tpd_sigkill(NetworkManager_t)
+ l2tpd_signal(NetworkManager_t)
+ l2tpd_signull(NetworkManager_t)
')
optional_policy(`
- modutils_domtrans_insmod(NetworkManager_t)
+ lldpad_dgram_send(NetworkManager_t)
')
optional_policy(`
netutils_exec_ping(NetworkManager_t)
+ netutils_exec(NetworkManager_t)
')
optional_policy(`
@@ -274,10 +351,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
+ nscd_systemctl(NetworkManager_t)
')
optional_policy(`
+ # Dispatcher starting and stoping ntp
ntp_initrc_domtrans(NetworkManager_t)
+ ntp_systemctl(NetworkManager_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(NetworkManager_t)
')
optional_policy(`
@@ -286,9 +370,12 @@ optional_policy(`
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
openvpn_signull(NetworkManager_t)
+ openvpn_stream_connect(NetworkManager_t)
+ openvpn_noatsecure(NetworkManager_t)
')
optional_policy(`
+ policykit_dbus_chat(NetworkManager_t)
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
@@ -296,7 +383,7 @@ optional_policy(`
')
optional_policy(`
- polipo_initrc_domtrans(NetworkManager_t)
+ polipo_systemctl(NetworkManager_t)
')
optional_policy(`
@@ -307,6 +394,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
+ ppp_systemctl(NetworkManager_t)
')
optional_policy(`
@@ -320,14 +408,21 @@ optional_policy(`
')
optional_policy(`
- udev_exec(NetworkManager_t)
- udev_read_db(NetworkManager_t)
- udev_read_pid_files(NetworkManager_t)
+ systemd_write_inhibit_pipes(NetworkManager_t)
+ systemd_read_logind_sessions_files(NetworkManager_t)
+ systemd_dbus_chat_logind(NetworkManager_t)
+ systemd_dbus_chat_hostnamed(NetworkManager_t)
+ systemd_hostnamed_manage_config(NetworkManager_t)
')
optional_policy(`
- # unconfined_dgram_send(NetworkManager_t)
- unconfined_stream_connect(NetworkManager_t)
+ ssh_exec(NetworkManager_t)
+')
+
+optional_policy(`
+ udev_exec(NetworkManager_t)
+ udev_read_db(NetworkManager_t)
+ udev_read_pid_files(NetworkManager_t)
')
optional_policy(`
@@ -338,12 +433,16 @@ optional_policy(`
vpn_relabelfrom_tun_socket(NetworkManager_t)
')
+optional_policy(`
+ openvswitch_stream_connect(NetworkManager_t)
+')
+
########################################
#
# wpa_cli local policy
#
-allow wpa_cli_t self:capability dac_override;
+allow wpa_cli_t self:capability { dac_read_search dac_override };
allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
@@ -357,6 +456,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
-miscfiles_read_localization(wpa_cli_t)
-
term_dontaudit_use_console(wpa_cli_t)
diff --git a/ninfod.fc b/ninfod.fc
new file mode 100644
index 000000000..cc31b9f27
--- /dev/null
+++ b/ninfod.fc
@@ -0,0 +1,6 @@
+/usr/lib/systemd/system/ninfod.* -- gen_context(system_u:object_r:ninfod_unit_file_t,s0)
+
+/usr/sbin/ninfod -- gen_context(system_u:object_r:ninfod_exec_t,s0)
+
+/var/run/ninfod.* -- gen_context(system_u:object_r:ninfod_run_t,s0)
+
diff --git a/ninfod.if b/ninfod.if
new file mode 100644
index 000000000..409de8c3e
--- /dev/null
+++ b/ninfod.if
@@ -0,0 +1,80 @@
+
+## Respond to IPv6 Node Information Queries
+
+########################################
+##
+## Execute ninfod in the ninfod domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ninfod_domtrans',`
+ gen_require(`
+ type ninfod_t, ninfod_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ninfod_exec_t, ninfod_t)
+')
+########################################
+##
+## Execute ninfod server in the ninfod domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ninfod_systemctl',`
+ gen_require(`
+ type ninfod_t;
+ type ninfod_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 ninfod_unit_file_t:file read_file_perms;
+ allow $1 ninfod_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ninfod_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an ninfod environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`ninfod_admin',`
+ gen_require(`
+ type ninfod_t;
+ type ninfod_unit_file_t;
+ ')
+
+ allow $1 ninfod_t:process { signal_perms };
+ ps_process_pattern($1, ninfod_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ninfod_t:process ptrace;
+ ')
+
+ ninfod_systemctl($1)
+ admin_pattern($1, ninfod_unit_file_t)
+ allow $1 ninfod_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/ninfod.te b/ninfod.te
new file mode 100644
index 000000000..b3aa3ce13
--- /dev/null
+++ b/ninfod.te
@@ -0,0 +1,36 @@
+policy_module(ninfod, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ninfod_t;
+type ninfod_exec_t;
+init_daemon_domain(ninfod_t, ninfod_exec_t)
+
+type ninfod_run_t;
+files_pid_file(ninfod_run_t)
+
+type ninfod_unit_file_t;
+systemd_unit_file(ninfod_unit_file_t)
+
+########################################
+#
+# ninfod local policy
+#
+allow ninfod_t self:capability { net_raw setuid };
+allow ninfod_t self:process setcap;
+allow ninfod_t self:fifo_file rw_fifo_file_perms;
+allow ninfod_t self:rawip_socket { create setopt };
+allow ninfod_t self:unix_stream_socket create_stream_socket_perms;
+allow ninfod_t self:rawip_socket read;
+
+manage_files_pattern(ninfod_t, ninfod_run_t, ninfod_run_t)
+files_pid_filetrans(ninfod_t,ninfod_run_t, { file })
+
+auth_use_nsswitch(ninfod_t)
+
+logging_send_syslog_msg(ninfod_t)
+
+sysnet_dns_name_resolve(ninfod_t)
diff --git a/nis.fc b/nis.fc
index 8aa1bfa28..cd0e015f8 100644
--- a/nis.fc
+++ b/nis.fc
@@ -2,21 +2,26 @@
/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
-
/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0)
-/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
+/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
-/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+/usr/sbin/rpc\.yppasswdd\.env -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
/usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
/usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
-/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
+/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
/var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)
/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
+
+/usr/lib/systemd/system/ypbind.* -- gen_context(system_u:object_r:ypbind_unit_file_t,s0)
+/usr/lib/systemd/system/ypserv.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
+/usr/lib/systemd/system/yppasswdd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
+/usr/lib/systemd/system/ypxfrd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
diff --git a/nis.if b/nis.if
index 46e55c3ff..afe399a0e 100644
--- a/nis.if
+++ b/nis.if
@@ -1,4 +1,4 @@
-## Policy for NIS (YP) servers and clients.
+## Policy for NIS (YP) servers and clients
########################################
##
@@ -27,18 +27,15 @@ interface(`nis_use_ypbind_uncond',`
gen_require(`
type var_yp_t;
')
-
- allow $1 self:capability net_bind_service;
+ dontaudit $1 self:capability net_bind_service;
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 self:udp_socket create_socket_perms;
allow $1 var_yp_t:dir list_dir_perms;
- allow $1 var_yp_t:file read_file_perms;
allow $1 var_yp_t:lnk_file read_lnk_file_perms;
+ allow $1 var_yp_t:file read_file_perms;
- corenet_all_recvfrom_unlabeled($1)
- corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
@@ -49,14 +46,11 @@ interface(`nis_use_ypbind_uncond',`
corenet_udp_bind_generic_node($1)
corenet_tcp_bind_generic_port($1)
corenet_udp_bind_generic_port($1)
- corenet_dontaudit_tcp_bind_all_reserved_ports($1)
- corenet_dontaudit_udp_bind_all_reserved_ports($1)
corenet_dontaudit_tcp_bind_all_ports($1)
corenet_dontaudit_udp_bind_all_ports($1)
corenet_tcp_connect_portmap_port($1)
- corenet_tcp_connect_reserved_port($1)
+ corenet_tcp_connect_all_reserved_ports($1)
corenet_tcp_connect_generic_port($1)
- corenet_dontaudit_tcp_connect_all_ports($1)
corenet_sendrecv_portmap_client_packets($1)
corenet_sendrecv_generic_client_packets($1)
corenet_sendrecv_generic_server_packets($1)
@@ -88,14 +82,14 @@ interface(`nis_use_ypbind_uncond',`
##
#
interface(`nis_use_ypbind',`
- tunable_policy(`allow_ypbind',`
+ tunable_policy(`nis_enabled',`
nis_use_ypbind_uncond($1)
')
')
########################################
##
-## Use nis to authenticate passwords.
+## Use the nis to authenticate passwords
##
##
##
@@ -105,7 +99,7 @@ interface(`nis_use_ypbind',`
##
#
interface(`nis_authenticate',`
- tunable_policy(`allow_ypbind',`
+ tunable_policy(`nis_enabled',`
nis_use_ypbind_uncond($1)
corenet_tcp_bind_all_rpc_ports($1)
corenet_udp_bind_all_rpc_ports($1)
@@ -133,20 +127,19 @@ interface(`nis_domtrans_ypbind',`
#######################################
##
-## Execute ypbind in the caller domain.
+## Execute ypbind in the caller domain.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed to transition.
+##
##
#
interface(`nis_exec_ypbind',`
- gen_require(`
- type ypbind_exec_t;
- ')
+ gen_require(`
+ type ypbind_t, ypbind_exec_t;
+ ')
- corecmd_search_bin($1)
can_exec($1, ypbind_exec_t)
')
@@ -169,11 +162,11 @@ interface(`nis_exec_ypbind',`
#
interface(`nis_run_ypbind',`
gen_require(`
- attribute_role ypbind_roles;
+ type ypbind_t;
')
nis_domtrans_ypbind($1)
- roleattribute $2 ypbind_roles;
+ role $2 types ypbind_t;
')
########################################
@@ -196,7 +189,7 @@ interface(`nis_signal_ypbind',`
########################################
##
-## List nis data directories.
+## List the contents of the NIS data directory.
##
##
##
@@ -272,10 +265,11 @@ interface(`nis_read_ypbind_pid',`
#
interface(`nis_delete_ypbind_pid',`
gen_require(`
- type ypbind_var_run_t;
+ type ypbind_t;
')
- allow $1 ypbind_var_run_t:file delete_file_perms;
+ # TODO: add delete pid from dir call to files
+ allow $1 ypbind_t:file unlink;
')
########################################
@@ -355,8 +349,59 @@ interface(`nis_initrc_domtrans_ypbind',`
########################################
##
-## All of the rules required to
-## administrate an nis environment.
+## Execute ypbind server in the ypbind domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`nis_systemctl_ypbind',`
+ gen_require(`
+ type ypbind_unit_file_t;
+ type ypbind_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 ypbind_unit_file_t:file read_file_perms;
+ allow $1 ypbind_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ypbind_t)
+')
+
+########################################
+##
+## Execute ypbind server in the ypbind domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`nis_systemctl',`
+ gen_require(`
+ type nis_unit_file_t, ypbind_unit_file_t;
+ type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 nis_unit_file_t:file read_file_perms;
+ allow $1 nis_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ypbind_t)
+ ps_process_pattern($1, yppasswdd_t)
+ ps_process_pattern($1, ypserv_t)
+ ps_process_pattern($1, ypxfr_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an nis environment
##
##
##
@@ -372,32 +417,56 @@ interface(`nis_initrc_domtrans_ypbind',`
#
interface(`nis_admin',`
gen_require(`
- type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
- type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t;
+ type ypbind_t, yppasswdd_t, ypserv_t;
+ type ypserv_conf_t;
type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
- type ypbind_initrc_exec_t, nis_initrc_exec_t, var_yp_t;
+ type ypserv_tmp_t;
+ type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t;
+ type nis_unit_file_t;
+ type ypbind_unit_file_t;
+ ')
+
+ allow $1 ypbind_t:process signal_perms;
+ ps_process_pattern($1, ypbind_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ypbind_t:process ptrace;
+ allow $1 yppasswdd_t:process ptrace;
+ allow $1 ypserv_t:process ptrace;
+ allow $1 ypxfr_t:process ptrace;
')
- allow $1 { ypbind_t yppasswdd_t ypserv_t ypxfr_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { ypbind_t yppasswdd_t ypserv_t ypxfr_t })
+ allow $1 yppasswdd_t:process signal_perms;
+ ps_process_pattern($1, yppasswdd_t)
+
+ allow $1 ypserv_t:process signal_perms;
+ ps_process_pattern($1, ypserv_t)
+
+ allow $1 ypxfr_t:process signal_perms;
+ ps_process_pattern($1, ypxfr_t)
nis_initrc_domtrans($1)
nis_initrc_domtrans_ypbind($1)
domain_system_change_exemption($1)
- role_transition $2 { nis_initrc_exec_t ypbind_initrc_exec_t } system_r;
+ role_transition $2 nis_initrc_exec_t system_r;
+ role_transition $2 ypbind_initrc_exec_t system_r;
allow $2 system_r;
- files_list_tmp($1)
- admin_pattern($1, { ypserv_tmp_t ypbind_tmp_t })
-
files_list_pids($1)
- admin_pattern($1, { ypserv_var_run_t ypbind_var_run_t yppasswdd_var_run_t })
+ admin_pattern($1, ypbind_var_run_t)
+ nis_systemctl_ypbind($1)
+ admin_pattern($1, ypbind_unit_file_t)
+ allow $1 ypbind_unit_file_t:service all_service_perms;
+
+ admin_pattern($1, yppasswdd_var_run_t)
files_list_etc($1)
admin_pattern($1, ypserv_conf_t)
- files_search_var($1)
- admin_pattern($1, var_yp_t)
+ admin_pattern($1, ypserv_var_run_t)
+
+ admin_pattern($1, ypserv_tmp_t)
- nis_run_ypbind($1, $2)
+ nis_systemctl($1)
+ admin_pattern($1, nis_unit_file_t)
+ allow $1 nis_unit_file_t:service all_service_perms;
')
diff --git a/nis.te b/nis.te
index 3a6b0352e..31577d567 100644
--- a/nis.te
+++ b/nis.te
@@ -5,8 +5,6 @@ policy_module(nis, 1.12.0)
# Declarations
#
-attribute_role ypbind_roles;
-
type nis_initrc_exec_t;
init_script_file(nis_initrc_exec_t)
@@ -16,16 +14,18 @@ files_type(var_yp_t)
type ypbind_t;
type ypbind_exec_t;
init_daemon_domain(ypbind_t, ypbind_exec_t)
-role ypbind_roles types ypbind_t;
type ypbind_initrc_exec_t;
init_script_file(ypbind_initrc_exec_t)
+type ypbind_var_run_t;
+files_pid_file(ypbind_var_run_t)
+
type ypbind_tmp_t;
files_tmp_file(ypbind_tmp_t)
-type ypbind_var_run_t;
-files_pid_file(ypbind_var_run_t)
+type ypbind_unit_file_t;
+systemd_unit_file(ypbind_unit_file_t)
type yppasswdd_t;
type yppasswdd_exec_t;
@@ -40,7 +40,7 @@ type ypserv_exec_t;
init_daemon_domain(ypserv_t, ypserv_exec_t)
type ypserv_conf_t;
-files_type(ypserv_conf_t)
+files_config_file(ypserv_conf_t)
type ypserv_tmp_t;
files_tmp_file(ypserv_tmp_t)
@@ -55,6 +55,9 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t)
type ypxfr_var_run_t;
files_pid_file(ypxfr_var_run_t)
+type nis_unit_file_t;
+systemd_unit_file(nis_unit_file_t)
+
########################################
#
# ypbind local policy
@@ -62,6 +65,7 @@ files_pid_file(ypxfr_var_run_t)
dontaudit ypbind_t self:capability { net_admin sys_tty_config };
allow ypbind_t self:fifo_file rw_fifo_file_perms;
allow ypbind_t self:process signal_perms;
+allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
allow ypbind_t self:tcp_socket create_stream_socket_perms;
allow ypbind_t self:udp_socket create_socket_perms;
@@ -78,7 +82,6 @@ manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
kernel_read_system_state(ypbind_t)
kernel_read_kernel_sysctls(ypbind_t)
-corenet_all_recvfrom_unlabeled(ypbind_t)
corenet_all_recvfrom_netlabel(ypbind_t)
corenet_tcp_sendrecv_generic_if(ypbind_t)
corenet_udp_sendrecv_generic_if(ypbind_t)
@@ -88,7 +91,6 @@ corenet_tcp_sendrecv_all_ports(ypbind_t)
corenet_udp_sendrecv_all_ports(ypbind_t)
corenet_tcp_bind_generic_node(ypbind_t)
corenet_udp_bind_generic_node(ypbind_t)
-
corenet_tcp_bind_generic_port(ypbind_t)
corenet_udp_bind_generic_port(ypbind_t)
corenet_tcp_bind_reserved_port(ypbind_t)
@@ -96,11 +98,10 @@ corenet_udp_bind_reserved_port(ypbind_t)
corenet_tcp_bind_all_rpc_ports(ypbind_t)
corenet_udp_bind_all_rpc_ports(ypbind_t)
corenet_tcp_connect_all_ports(ypbind_t)
-corenet_sendrecv_all_client_packets(ypbind_t)
-corenet_sendrecv_generic_server_packets(ypbind_t)
-
corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
+corenet_sendrecv_all_client_packets(ypbind_t)
+corenet_sendrecv_generic_server_packets(ypbind_t)
dev_read_sysfs(ypbind_t)
@@ -109,12 +110,11 @@ fs_search_auto_mountpoints(ypbind_t)
domain_use_interactive_fds(ypbind_t)
-files_read_etc_files(ypbind_t)
files_list_var(ypbind_t)
-logging_send_syslog_msg(ypbind_t)
+init_search_pid_dirs(ypbind_t)
-miscfiles_read_localization(ypbind_t)
+logging_send_syslog_msg(ypbind_t)
sysnet_read_config(ypbind_t)
@@ -124,7 +124,6 @@ userdom_dontaudit_search_user_home_dirs(ypbind_t)
optional_policy(`
dbus_system_bus_client(ypbind_t)
dbus_connect_system_bus(ypbind_t)
-
init_dbus_chat_script(ypbind_t)
optional_policy(`
@@ -145,11 +144,12 @@ optional_policy(`
# yppasswdd local policy
#
-allow yppasswdd_t self:capability dac_override;
+allow yppasswdd_t self:capability { dac_read_search dac_override };
dontaudit yppasswdd_t self:capability sys_tty_config;
allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
allow yppasswdd_t self:process { getsched setfscreate signal_perms };
-allow yppasswdd_t self:unix_stream_socket { accept listen };
+allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
+allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
allow yppasswdd_t self:tcp_socket create_stream_socket_perms;
allow yppasswdd_t self:udp_socket create_socket_perms;
@@ -160,14 +160,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
-can_exec(yppasswdd_t, yppasswdd_exec_t)
+can_exec(yppasswdd_t,yppasswdd_exec_t)
kernel_list_proc(yppasswdd_t)
kernel_read_proc_symlinks(yppasswdd_t)
kernel_getattr_proc_files(yppasswdd_t)
kernel_read_kernel_sysctls(yppasswdd_t)
-corenet_all_recvfrom_unlabeled(yppasswdd_t)
corenet_all_recvfrom_netlabel(yppasswdd_t)
corenet_tcp_sendrecv_generic_if(yppasswdd_t)
corenet_udp_sendrecv_generic_if(yppasswdd_t)
@@ -177,23 +176,13 @@ corenet_tcp_sendrecv_all_ports(yppasswdd_t)
corenet_udp_sendrecv_all_ports(yppasswdd_t)
corenet_tcp_bind_generic_node(yppasswdd_t)
corenet_udp_bind_generic_node(yppasswdd_t)
-
corenet_tcp_bind_all_rpc_ports(yppasswdd_t)
corenet_udp_bind_all_rpc_ports(yppasswdd_t)
-corenet_sendrecv_generic_server_packets(yppasswdd_t)
-
corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
+corenet_sendrecv_generic_server_packets(yppasswdd_t)
-corecmd_exec_bin(yppasswdd_t)
-corecmd_exec_shell(yppasswdd_t)
-
-domain_use_interactive_fds(yppasswdd_t)
-
-files_read_etc_files(yppasswdd_t)
-files_read_etc_runtime_files(yppasswdd_t)
-files_relabel_etc_files(yppasswdd_t)
-
+dev_read_urand(yppasswdd_t)
dev_read_sysfs(yppasswdd_t)
fs_getattr_all_fs(yppasswdd_t)
@@ -202,12 +191,20 @@ fs_search_auto_mountpoints(yppasswdd_t)
selinux_get_fs_mount(yppasswdd_t)
auth_manage_shadow(yppasswdd_t)
+auth_manage_passwd(yppasswdd_t)
auth_relabel_shadow(yppasswdd_t)
auth_etc_filetrans_shadow(yppasswdd_t)
+corecmd_exec_bin(yppasswdd_t)
+corecmd_exec_shell(yppasswdd_t)
+
+domain_use_interactive_fds(yppasswdd_t)
+
+files_read_etc_runtime_files(yppasswdd_t)
+files_relabel_etc_files(yppasswdd_t)
+
logging_send_syslog_msg(yppasswdd_t)
-miscfiles_read_localization(yppasswdd_t)
sysnet_read_config(yppasswdd_t)
@@ -218,6 +215,14 @@ optional_policy(`
hostname_exec(yppasswdd_t)
')
+optional_policy(`
+ mta_send_mail(yppasswdd_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(yppasswdd_t)
+')
+
optional_policy(`
seutil_sigchld_newrole(yppasswdd_t)
')
@@ -234,12 +239,14 @@ optional_policy(`
dontaudit ypserv_t self:capability sys_tty_config;
allow ypserv_t self:fifo_file rw_fifo_file_perms;
allow ypserv_t self:process signal_perms;
-allow ypserv_t self:unix_stream_socket { accept listen };
+allow ypserv_t self:unix_dgram_socket create_socket_perms;
+allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
allow ypserv_t self:tcp_socket connected_stream_socket_perms;
allow ypserv_t self:udp_socket create_socket_perms;
manage_files_pattern(ypserv_t, var_yp_t, var_yp_t)
+allow ypserv_t var_yp_t:file map;
allow ypserv_t ypserv_conf_t:file read_file_perms;
@@ -254,7 +261,6 @@ kernel_read_kernel_sysctls(ypserv_t)
kernel_list_proc(ypserv_t)
kernel_read_proc_symlinks(ypserv_t)
-corenet_all_recvfrom_unlabeled(ypserv_t)
corenet_all_recvfrom_netlabel(ypserv_t)
corenet_tcp_sendrecv_generic_if(ypserv_t)
corenet_udp_sendrecv_generic_if(ypserv_t)
@@ -264,31 +270,28 @@ corenet_tcp_sendrecv_all_ports(ypserv_t)
corenet_udp_sendrecv_all_ports(ypserv_t)
corenet_tcp_bind_generic_node(ypserv_t)
corenet_udp_bind_generic_node(ypserv_t)
-
corenet_tcp_bind_reserved_port(ypserv_t)
corenet_udp_bind_reserved_port(ypserv_t)
corenet_tcp_bind_all_rpc_ports(ypserv_t)
corenet_udp_bind_all_rpc_ports(ypserv_t)
-corenet_sendrecv_generic_server_packets(ypserv_t)
-
corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
+corenet_sendrecv_generic_server_packets(ypserv_t)
+corenet_tcp_connect_portmap_port(ypserv_t)
-corecmd_exec_bin(ypserv_t)
+dev_read_sysfs(ypserv_t)
-files_read_etc_files(ypserv_t)
-files_read_var_files(ypserv_t)
+fs_getattr_all_fs(ypserv_t)
+fs_search_auto_mountpoints(ypserv_t)
-dev_read_sysfs(ypserv_t)
+corecmd_exec_bin(ypserv_t)
domain_use_interactive_fds(ypserv_t)
-fs_getattr_all_fs(ypserv_t)
-fs_search_auto_mountpoints(ypserv_t)
+files_read_var_files(ypserv_t)
logging_send_syslog_msg(ypserv_t)
-miscfiles_read_localization(ypserv_t)
nis_domtrans_ypxfr(ypserv_t)
@@ -305,13 +308,17 @@ optional_policy(`
udev_read_db(ypserv_t)
')
+optional_policy(`
+ rpcbind_stream_connect(ypserv_t)
+')
+
########################################
#
# ypxfr local policy
#
-allow ypxfr_t self:unix_stream_socket { accept listen };
-allow ypxfr_t self:unix_dgram_socket { accept listen };
+allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
+allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms;
allow ypxfr_t self:tcp_socket create_stream_socket_perms;
allow ypxfr_t self:udp_socket create_socket_perms;
allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;
@@ -326,7 +333,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
-corenet_all_recvfrom_unlabeled(ypxfr_t)
corenet_all_recvfrom_netlabel(ypxfr_t)
corenet_tcp_sendrecv_generic_if(ypxfr_t)
corenet_udp_sendrecv_generic_if(ypxfr_t)
@@ -336,23 +342,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t)
corenet_udp_sendrecv_all_ports(ypxfr_t)
corenet_tcp_bind_generic_node(ypxfr_t)
corenet_udp_bind_generic_node(ypxfr_t)
-
corenet_tcp_bind_reserved_port(ypxfr_t)
corenet_udp_bind_reserved_port(ypxfr_t)
corenet_tcp_bind_all_rpc_ports(ypxfr_t)
corenet_udp_bind_all_rpc_ports(ypxfr_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
corenet_tcp_connect_all_ports(ypxfr_t)
corenet_sendrecv_generic_server_packets(ypxfr_t)
corenet_sendrecv_all_client_packets(ypxfr_t)
-corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
-corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
-
-files_read_etc_files(ypxfr_t)
files_search_usr(ypxfr_t)
logging_send_syslog_msg(ypxfr_t)
-miscfiles_read_localization(ypxfr_t)
sysnet_read_config(ypxfr_t)
diff --git a/nova.fc b/nova.fc
new file mode 100644
index 000000000..b5fab0e6a
--- /dev/null
+++ b/nova.fc
@@ -0,0 +1,25 @@
+/usr/bin/nova-ajax-console-proxy -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-console.* -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-direct-api -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-api -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-cert -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-conductor -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr//bin/nova-api-metadata -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-network -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-objectstore -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-scheduler -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-vncproxy -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-volume -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-xvpvncproxy -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-cells -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-novncproxy -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-serialproxy -- gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-api-metadata -- gen_context(system_u:object_r:nova_exec_t,s0)
+
+/usr/lib/systemd/system/openstack-nova-* -- gen_context(system_u:object_r:nova_unit_file_t,s0)
+
+/var/lib/nova(/.*)? gen_context(system_u:object_r:nova_var_lib_t,s0)
+
+/var/log/nova(/.*)? gen_context(system_u:object_r:nova_log_t,s0)
+
+/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0)
diff --git a/nova.if b/nova.if
new file mode 100644
index 000000000..e32832705
--- /dev/null
+++ b/nova.if
@@ -0,0 +1,47 @@
+## openstack-nova
+
+######################################
+##
+## Manage nova lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nova_manage_lib_files',`
+ gen_require(`
+ type nova_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, nova_var_lib_t, nova_var_lib_t)
+')
+
+#######################################
+##
+## Creates types and rules for a basic
+## openstack-nova systemd daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`nova_domain_template',`
+ gen_require(`
+ type nova_t;
+ type nova_exec_t;
+ type nova_unit_file_t;
+ type nova_tmp_t;
+
+ ')
+
+ typealias nova_t alias nova_$1_t;
+ typealias nova_exec_t alias nova_$1_exec_t;
+ typealias nova_unit_file_t alias nova_$1_unit_file_t;
+ typealias nova_tmp_t alias nova_$1_tmp_t;
+
+')
diff --git a/nova.te b/nova.te
new file mode 100644
index 000000000..2259a5192
--- /dev/null
+++ b/nova.te
@@ -0,0 +1,203 @@
+policy_module(nova, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+#
+# nova-stack daemons contain security issue with using sudo in the code
+# we make this policy as unconfined until this issue is fixed
+#
+
+attribute nova_domain;
+attribute nova_sudo_domain;
+
+nova_domain_template(ajax)
+nova_domain_template(api)
+nova_domain_template(cert)
+nova_domain_template(conductor)
+nova_domain_template(compute)
+nova_domain_template(console)
+nova_domain_template(direct)
+nova_domain_template(network)
+nova_domain_template(objectstore)
+nova_domain_template(scheduler)
+nova_domain_template(vncproxy)
+nova_domain_template(volume)
+
+typeattribute nova_api_t nova_sudo_domain;
+typeattribute nova_cert_t nova_sudo_domain;
+typeattribute nova_console_t nova_sudo_domain;
+typeattribute nova_network_t nova_sudo_domain;
+typeattribute nova_volume_t nova_sudo_domain;
+
+type nova_t;
+type nova_exec_t;
+init_daemon_domain(nova_t, nova_exec_t)
+typeattribute nova_t nova_domain;
+
+type nova_unit_file_t;
+systemd_unit_file(nova_unit_file_t)
+
+type nova_tmp_t;
+files_tmp_file(nova_tmp_t)
+
+manage_dirs_pattern(nova_t, nova_tmp_t, nova_tmp_t)
+manage_files_pattern(nova_t, nova_tmp_t, nova_tmp_t)
+manage_lnk_files_pattern(nova_t, nova_tmp_t, nova_tmp_t)
+files_tmp_filetrans(nova_t, nova_tmp_t, { lnk_file file dir })
+fs_tmpfs_filetrans(nova_t, nova_tmp_t, { lnk_file file dir })
+can_exec(nova_t, nova_tmp_t)
+
+type nova_log_t;
+logging_log_file(nova_log_t)
+
+type nova_var_lib_t;
+files_type(nova_var_lib_t)
+
+type nova_var_run_t;
+files_pid_file(nova_var_run_t)
+
+
+######################################
+#
+# nova general domain local policy
+#
+
+allow nova_domain self:capability { dac_read_search dac_override net_admin net_bind_service };
+allow nova_domain self:process { getcap setcap signal_perms setfscreate };
+allow nova_domain self:fifo_file rw_fifo_file_perms;
+allow nova_domain self:tcp_socket create_stream_socket_perms;
+allow nova_domain self:unix_stream_socket create_stream_socket_perms;
+allow nova_domain self:udp_socket create_socket_perms;
+allow nova_domain self:key write;
+allow nova_domain self:netlink_route_socket r_netlink_socket_perms;
+
+manage_dirs_pattern(nova_domain, nova_log_t, nova_log_t)
+manage_files_pattern(nova_domain, nova_log_t, nova_log_t)
+
+manage_dirs_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t)
+manage_files_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t)
+
+manage_dirs_pattern(nova_domain, nova_var_run_t, nova_var_run_t)
+manage_files_pattern(nova_domain, nova_var_run_t, nova_var_run_t)
+
+kernel_read_network_state(nova_domain)
+kernel_read_kernel_sysctls(nova_domain)
+
+kernel_read_system_state(nova_t)
+
+logging_send_syslog_msg(nova_t)
+
+miscfiles_read_generic_certs(nova_t)
+
+corecmd_exec_bin(nova_domain)
+corecmd_exec_shell(nova_domain)
+
+corenet_tcp_bind_generic_node(nova_domain)
+corenet_udp_bind_generic_node(nova_domain)
+# should be add to booleans
+corenet_tcp_connect_all_ports(nova_domain)
+corenet_tcp_bind_all_unreserved_ports(nova_domain)
+corenet_tcp_connect_mysqld_port(nova_domain)
+corenet_tcp_connect_amqp_port(nova_domain)
+corenet_tcp_connect_mysqld_port(nova_domain)
+corenet_tcp_connect_memcache_port(nova_domain)
+corenet_tcp_bind_varnishd_port(nova_domain)
+# should be added to boolean or fixed in the code
+# dnsmasq domtrans does not work since then dnsmasq_t wants
+# to do some stuff with nova_lib, nova_tmp
+# nova-dhcpbridge runs in dnsmasq domain
+corenet_all_recvfrom_netlabel(nova_t)
+corenet_tcp_sendrecv_generic_if(nova_domain)
+corenet_udp_sendrecv_generic_if(nova_domain)
+corenet_raw_sendrecv_generic_if(nova_domain)
+corenet_tcp_sendrecv_generic_node(nova_domain)
+corenet_udp_sendrecv_generic_node(nova_domain)
+corenet_raw_sendrecv_generic_node(nova_domain)
+corenet_tcp_sendrecv_all_ports(nova_domain)
+corenet_udp_sendrecv_all_ports(nova_domain)
+corenet_tcp_bind_dns_port(nova_domain)
+corenet_udp_bind_all_ports(nova_domain)
+corenet_sendrecv_dns_server_packets(nova_domain)
+corenet_sendrecv_dhcpd_server_packets(nova_domain)
+
+auth_use_nsswitch(nova_t)
+auth_read_passwd(nova_domain)
+
+dev_read_sysfs(nova_domain)
+dev_read_urand(nova_domain)
+dev_read_rand(nova_domain)
+
+fs_getattr_all_fs(nova_domain)
+
+init_read_utmp(nova_domain)
+
+libs_exec_ldconfig(nova_domain)
+
+optional_policy(`
+ apache_search_config(nova_domain)
+')
+
+optional_policy(`
+ mysql_stream_connect(nova_domain)
+ mysql_read_db_lnk_files(nova_domain)
+')
+
+optional_policy(`
+ postgresql_stream_connect(nova_domain)
+')
+
+optional_policy(`
+ sysnet_read_config(nova_domain)
+ sysnet_domtrans_ifconfig(nova_domain)
+')
+
+optional_policy(`
+ iptables_domtrans(nova_domain)
+')
+
+optional_policy(`
+ ssh_exec_keygen(nova_domain)
+')
+
+optional_policy(`
+ gnome_dontaudit_search_config(nova_domain)
+')
+
+optional_policy(`
+ virt_getattr_exec(nova_domain)
+ virt_stream_connect(nova_domain)
+')
+
+optional_policy(`
+ brctl_domtrans(nova_domain)
+')
+
+optional_policy(`
+ dnsmasq_exec(nova_domain)
+')
+
+optional_policy(`
+ lvm_domtrans(nova_domain)
+')
+
+optional_policy(`
+ lvm_domtrans(nova_domain)
+')
+
+#######################################
+#
+# nova sudo domain local policy
+#
+
+ifdef(`hide_broken_symptoms',`
+ optional_policy(`
+ sudo_exec(nova_sudo_domain)
+ allow nova_sudo_domain self:capability { setuid sys_resource setgid audit_write };
+ allow nova_sudo_domain self:process { setsched setrlimit };
+ logging_send_audit_msgs(nova_sudo_domain)
+ ')
+')
+
diff --git a/nscd.fc b/nscd.fc
index ba6448507..429bd799c 100644
--- a/nscd.fc
+++ b/nscd.fc
@@ -1,13 +1,15 @@
/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
-/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
+/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
-/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
-
-/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
/var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0)
-/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
/var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0)
/var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
diff --git a/nscd.if b/nscd.if
index 8f2ab09f5..e05a0c73e 100644
--- a/nscd.if
+++ b/nscd.if
@@ -1,8 +1,8 @@
-## Name service cache daemon.
+## Name service cache daemon
########################################
##
-## Send generic signals to nscd.
+## Send generic signals to NSCD.
##
##
##
@@ -20,7 +20,7 @@ interface(`nscd_signal',`
########################################
##
-## Send kill signals to nscd.
+## Send NSCD the kill signal.
##
##
##
@@ -38,7 +38,7 @@ interface(`nscd_kill',`
########################################
##
-## Send null signals to nscd.
+## Send signulls to NSCD.
##
##
##
@@ -56,7 +56,7 @@ interface(`nscd_signull',`
########################################
##
-## Execute nscd in the nscd domain.
+## Execute NSCD in the nscd domain.
##
##
##
@@ -71,11 +71,13 @@ interface(`nscd_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, nscd_exec_t, nscd_t)
+ allow $1 nscd_exec_t:file map;
')
########################################
##
-## Execute nscd in the caller domain.
+## Allow the specified domain to execute nscd
+## in the caller domain.
##
##
##
@@ -88,14 +90,14 @@ interface(`nscd_exec',`
type nscd_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, nscd_exec_t)
+ allow $1 nscd_exec_t:file map;
')
########################################
##
-## Use nscd services by connecting using
-## a unix domain stream socket.
+## Use NSCD services by connecting using
+## a unix stream socket.
##
##
##
@@ -112,22 +114,19 @@ interface(`nscd_socket_use',`
allow $1 self:unix_stream_socket create_socket_perms;
allow $1 nscd_t:nscd { getpwd getgrp gethost };
-
dontaudit $1 nscd_t:fd use;
dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
-
files_search_pids($1)
stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
+ allow $1 nscd_t:unix_stream_socket { connectto create_socket_perms };
dontaudit $1 nscd_var_run_t:file read_file_perms;
-
+ allow $1 nscd_var_run_t:file map;
ps_process_pattern(nscd_t, $1)
')
########################################
##
-## Use nscd services by mapping the
-## database from an inherited nscd
-## file descriptor.
+## Use nscd services
##
##
##
@@ -135,28 +134,39 @@ interface(`nscd_socket_use',`
##
##
#
-interface(`nscd_shm_use',`
+interface(`nscd_use',`
+ tunable_policy(`nscd_use_shm',`
+ nscd_shm_use($1)
+ ',`
+ nscd_socket_use($1)
+ ')
+')
+
+########################################
+##
+## Do not audit attempts to write nscd sock files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`nscd_dontaudit_write_sock_file',`
gen_require(`
type nscd_t, nscd_var_run_t;
- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
')
- allow $1 self:unix_stream_socket create_stream_socket_perms;
-
- allow $1 nscd_t:nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
- allow $1 nscd_t:fd use;
-
- files_search_pids($1)
- stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
- dontaudit $1 nscd_var_run_t:file read_file_perms;
+ dontaudit $1 nscd_t:sock_file write;
+ dontaudit $1 nscd_var_run_t:sock_file write;
+ dontaudit $1 nscd_t:unix_stream_socket connectto;
- allow $1 nscd_var_run_t:dir list_dir_perms;
- allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
')
########################################
##
-## Use nscd services.
+## Use NSCD services by mapping the database from
+## an inherited NSCD file descriptor.
##
##
##
@@ -164,18 +174,34 @@ interface(`nscd_shm_use',`
##
##
#
-interface(`nscd_use',`
- tunable_policy(`nscd_use_shm',`
- nscd_shm_use($1)
- ',`
- nscd_socket_use($1)
+interface(`nscd_shm_use',`
+ gen_require(`
+ type nscd_t, nscd_var_run_t;
+ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv shmemnetgrp getnetgrp };
')
+
+ allow $1 nscd_var_run_t:dir list_dir_perms;
+ allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost shmemserv shmemnetgrp};
+ # Receive fd from nscd and map the backing file with read access.
+ allow $1 nscd_t:fd use;
+
+ # cjp: these were originally inherited from the
+ # nscd_socket_domain macro. need to investigate
+ # if they are all actually required
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+
+ # dg: This may not be required.
+ allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
+
+ stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
+ files_search_pids($1)
+ allow $1 nscd_t:nscd { getpwd getgrp gethost getserv getnetgrp };
+ dontaudit $1 nscd_var_run_t:file read_file_perms;
')
########################################
##
-## Do not audit attempts to search
-## nscd pid directories.
+## Do not audit attempts to search the NSCD pid directory.
##
##
##
@@ -193,7 +219,25 @@ interface(`nscd_dontaudit_search_pid',`
########################################
##
-## Read nscd pid files.
+## Do not audit attempts to read the NSCD pid directory.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`nscd_dontaudit_read_pid',`
+ gen_require(`
+ type nscd_var_run_t;
+ ')
+
+ dontaudit $1 nscd_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Read NSCD pid file.
##
##
##
@@ -212,7 +256,7 @@ interface(`nscd_read_pid',`
########################################
##
-## Unconfined access to nscd services.
+## Unconfined access to NSCD services.
##
##
##
@@ -244,20 +288,20 @@ interface(`nscd_unconfined',`
## Role allowed access.
##
##
+##
#
interface(`nscd_run',`
gen_require(`
- attribute_role nscd_roles;
+ type nscd_t;
')
nscd_domtrans($1)
- roleattribute $2 nscd_roles;
+ role $2 types nscd_t;
')
########################################
##
-## Execute the nscd server init
-## script in the initrc domain.
+## Execute the nscd server init script.
##
##
##
@@ -275,8 +319,32 @@ interface(`nscd_initrc_domtrans',`
########################################
##
-## All of the rules required to
-## administrate an nscd environment.
+## Execute nscd server in the nscd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`nscd_systemctl',`
+ gen_require(`
+ type nscd_unit_file_t;
+ type nscd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 nscd_unit_file_t:file read_file_perms;
+ allow $1 nscd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, nscd_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an nscd environment
##
##
##
@@ -285,7 +353,7 @@ interface(`nscd_initrc_domtrans',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the nscd domain.
##
##
##
@@ -294,10 +362,14 @@ interface(`nscd_admin',`
gen_require(`
type nscd_t, nscd_log_t, nscd_var_run_t;
type nscd_initrc_exec_t;
+ type nscd_unit_file_t;
')
- allow $1 nscd_t:process { ptrace signal_perms };
+ allow $1 nscd_t:process signal_perms;
ps_process_pattern($1, nscd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 nscd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, nscd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -310,5 +382,7 @@ interface(`nscd_admin',`
files_list_pids($1)
admin_pattern($1, nscd_var_run_t)
- nscd_run($1, $2)
+ nscd_systemctl($1)
+ admin_pattern($1, nscd_unit_file_t)
+ allow $1 nscd_unit_file_t:service all_service_perms;
')
diff --git a/nscd.te b/nscd.te
index bcd7d0a7d..1cd3a8b62 100644
--- a/nscd.te
+++ b/nscd.te
@@ -4,33 +4,34 @@ gen_require(`
class nscd all_nscd_perms;
')
-########################################
-#
-# Declarations
-#
-
##
##
-## Determine whether confined applications
-## can use nscd shared memory.
+## Allow confined applications to use nscd shared memory.
##
##
gen_tunable(nscd_use_shm, false)
-attribute_role nscd_roles;
+########################################
+#
+# Declarations
+#
+# cjp: this is out of order because of an
+# ordering problem with loadable modules
type nscd_var_run_t;
files_pid_file(nscd_var_run_t)
-init_daemon_run_dir(nscd_var_run_t, "nscd")
+# nscd is both the client program and the daemon.
type nscd_t;
type nscd_exec_t;
init_daemon_domain(nscd_t, nscd_exec_t)
-role nscd_roles types nscd_t;
type nscd_initrc_exec_t;
init_script_file(nscd_initrc_exec_t)
+type nscd_unit_file_t;
+systemd_unit_file(nscd_unit_file_t)
+
type nscd_log_t;
logging_log_file(nscd_log_t)
@@ -40,56 +41,61 @@ logging_log_file(nscd_log_t)
#
allow nscd_t self:capability { kill setgid setuid };
+allow nscd_t self:capability2 block_suspend;
dontaudit nscd_t self:capability sys_tty_config;
allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
allow nscd_t self:fifo_file read_fifo_file_perms;
-allow nscd_t self:unix_stream_socket { accept listen };
+allow nscd_t self:unix_stream_socket create_stream_socket_perms;
+allow nscd_t self:unix_dgram_socket create_socket_perms;
allow nscd_t self:netlink_selinux_socket create_socket_perms;
+allow nscd_t self:tcp_socket create_socket_perms;
+allow nscd_t self:udp_socket create_socket_perms;
+# For client program operation, invoked from sysadm_t.
+# Transition occurs to nscd_t due to direct_sysadm_daemon.
allow nscd_t self:nscd { admin getstat };
-allow nscd_t nscd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow nscd_t nscd_log_t:file manage_file_perms;
logging_log_filetrans(nscd_t, nscd_log_t, file)
+manage_dirs_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
-files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
+allow nscd_t nscd_var_run_t:file map;
+files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file dir })
+corecmd_search_bin(nscd_t)
can_exec(nscd_t, nscd_exec_t)
-kernel_list_proc(nscd_t)
-kernel_read_kernel_sysctls(nscd_t)
kernel_read_network_state(nscd_t)
+kernel_read_kernel_sysctls(nscd_t)
+kernel_search_network_sysctl(nscd_t)
+kernel_list_proc(nscd_t)
kernel_read_proc_symlinks(nscd_t)
-
-corecmd_search_bin(nscd_t)
+kernel_read_net_sysctls(nscd_t)
dev_read_sysfs(nscd_t)
dev_read_rand(nscd_t)
dev_read_urand(nscd_t)
-domain_search_all_domains_state(nscd_t)
-domain_use_interactive_fds(nscd_t)
-
-files_read_generic_tmp_symlinks(nscd_t)
-files_read_etc_runtime_files(nscd_t)
-
fs_getattr_all_fs(nscd_t)
fs_search_auto_mountpoints(nscd_t)
fs_list_inotifyfs(nscd_t)
+# for when /etc/passwd has just been updated and has the wrong type
auth_getattr_shadow(nscd_t)
auth_use_nsswitch(nscd_t)
-corenet_all_recvfrom_unlabeled(nscd_t)
corenet_all_recvfrom_netlabel(nscd_t)
corenet_tcp_sendrecv_generic_if(nscd_t)
+corenet_udp_sendrecv_generic_if(nscd_t)
corenet_tcp_sendrecv_generic_node(nscd_t)
-
-corenet_sendrecv_all_client_packets(nscd_t)
-corenet_tcp_connect_all_ports(nscd_t)
+corenet_udp_sendrecv_generic_node(nscd_t)
corenet_tcp_sendrecv_all_ports(nscd_t)
-
+corenet_udp_sendrecv_all_ports(nscd_t)
+corenet_udp_bind_generic_node(nscd_t)
+corenet_tcp_connect_all_ports(nscd_t)
+corenet_sendrecv_all_client_packets(nscd_t)
corenet_rw_tun_tap_dev(nscd_t)
selinux_get_fs_mount(nscd_t)
@@ -98,16 +104,24 @@ selinux_compute_access_vector(nscd_t)
selinux_compute_create_context(nscd_t)
selinux_compute_relabel_context(nscd_t)
selinux_compute_user_contexts(nscd_t)
+domain_use_interactive_fds(nscd_t)
+domain_search_all_domains_state(nscd_t)
+
+files_read_generic_tmp_symlinks(nscd_t)
+# Needed to read files created by firstboot "/etc/hesiod.conf"
+files_read_etc_runtime_files(nscd_t)
+
+files_map_system_db_files(nscd_t)
logging_send_audit_msgs(nscd_t)
logging_send_syslog_msg(nscd_t)
-miscfiles_read_localization(nscd_t)
-
seutil_read_config(nscd_t)
seutil_read_default_contexts(nscd_t)
seutil_sigchld_newrole(nscd_t)
+sysnet_read_config(nscd_t)
+
userdom_dontaudit_use_user_terminals(nscd_t)
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
userdom_dontaudit_search_user_home_dirs(nscd_t)
@@ -121,13 +135,11 @@ optional_policy(`
')
optional_policy(`
- tunable_policy(`samba_domain_controller',`
- samba_append_log(nscd_t)
- samba_dontaudit_use_fds(nscd_t)
- ')
+ kerberos_use(nscd_t)
+')
- samba_read_config(nscd_t)
- samba_read_var_files(nscd_t)
+optional_policy(`
+ nis_authenticate(nscd_t)
')
optional_policy(`
@@ -138,3 +150,20 @@ optional_policy(`
xen_dontaudit_rw_unix_stream_sockets(nscd_t)
xen_append_log(nscd_t)
')
+
+optional_policy(`
+ tunable_policy(`samba_domain_controller',`
+ samba_append_log(nscd_t)
+ samba_dontaudit_use_fds(nscd_t)
+ ')
+')
+
+optional_policy(`
+ samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t)
+ samba_stream_connect_nmbd(nscd_t)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_packet_sockets(nscd_t)
+')
diff --git a/nsd.fc b/nsd.fc
index 4f2b1b663..0e24b49a9 100644
--- a/nsd.fc
+++ b/nsd.fc
@@ -1,16 +1,19 @@
-/etc/rc\.d/init\.d/nsd -- gen_context(system_u:object_r:nsd_initrc_exec_t,s0)
-/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0)
-/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
-/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
+/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0)
+/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_zone_t,s0)
+/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
/etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
-/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
-/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
/usr/sbin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0)
-/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
-
-/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
-/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
+/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsd-checkconf -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsd-checkzone -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsd-control -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsd-control-setup -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
/var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0)
+
+/var/log/nsd\.log.* -- gen_context(system_u:object_r:nsd_log_t,s0)
diff --git a/nsd.if b/nsd.if
index a9c60ff87..ad4f14ad6 100644
--- a/nsd.if
+++ b/nsd.if
@@ -1,8 +1,8 @@
-## Authoritative only name server.
+## Authoritative only name server
########################################
##
-## Send and receive datagrams from NSD. (Deprecated)
+## Read NSD pid file.
##
##
##
@@ -10,13 +10,18 @@
##
##
#
-interface(`nsd_udp_chat',`
- refpolicywarn(`$0($*) has been deprecated.')
+interface(`nsd_read_pid',`
+ gen_require(`
+ type nsd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, nsd_var_run_t, nsd_var_run_t)
')
########################################
##
-## Connect to NSD over a TCP socket (Deprecated)
+## Send and receive datagrams from NSD. (Deprecated)
##
##
##
@@ -24,47 +29,20 @@ interface(`nsd_udp_chat',`
##
##
#
-interface(`nsd_tcp_connect',`
+interface(`nsd_udp_chat',`
refpolicywarn(`$0($*) has been deprecated.')
')
########################################
##
-## All of the rules required to
-## administrate an nsd environment.
+## Connect to NSD over a TCP socket (Deprecated)
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Role allowed access.
-##
-##
-##
#
-interface(`nsd_admin',`
- gen_require(`
- type nsd_t, nsd_conf_t, nsd_var_run_t;
- type nsd_initrc_exec_t, nsd_db_t, nsd_zone_t;
- ')
-
- allow $1 nsd_t:process { ptrace signal_perms };
- ps_process_pattern($1, nsd_t)
-
- init_labeled_script_domtrans($1, nsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nsd_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_etc($1)
- admin_pattern($1, { nsd_conf_t nsd_db_t })
-
- files_search_var_lib($1)
- admin_pattern($1, nsd_zone_t)
-
- files_list_pids($1)
- admin_pattern($1, nsd_var_run_t)
+interface(`nsd_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
')
diff --git a/nsd.te b/nsd.te
index 47bb1d204..94070d223 100644
--- a/nsd.te
+++ b/nsd.te
@@ -9,9 +9,7 @@ type nsd_t;
type nsd_exec_t;
init_daemon_domain(nsd_t, nsd_exec_t)
-type nsd_initrc_exec_t;
-init_script_file(nsd_initrc_exec_t)
-
+# A type for configuration files of nsd
type nsd_conf_t;
files_type(nsd_conf_t)
@@ -20,40 +18,51 @@ domain_type(nsd_crond_t)
domain_entry_file(nsd_crond_t, nsd_exec_t)
role system_r types nsd_crond_t;
-type nsd_db_t;
-files_type(nsd_db_t)
+type nsd_log_t;
+logging_log_file(nsd_log_t)
type nsd_var_run_t;
files_pid_file(nsd_var_run_t)
-type nsd_zone_t;
+# A type for zone files
+type nsd_zone_t alias nsd_db_t;
files_type(nsd_zone_t)
+type nsd_tmp_t;
+files_tmp_file(nsd_tmp_t)
+
########################################
#
-# Local policy
+# NSD Local policy
#
-allow nsd_t self:capability { chown dac_override kill setgid setuid };
+allow nsd_t self:capability { chown dac_read_search dac_override kill setgid setuid net_admin };
dontaudit nsd_t self:capability sys_tty_config;
allow nsd_t self:process signal_perms;
+allow nsd_t self:tcp_socket create_stream_socket_perms;
+allow nsd_t self:udp_socket create_socket_perms;
allow nsd_t self:fifo_file rw_fifo_file_perms;
-allow nsd_t self:tcp_socket { accept listen };
-allow nsd_t nsd_conf_t:dir list_dir_perms;
-allow nsd_t nsd_conf_t:file read_file_perms;
-allow nsd_t nsd_conf_t:lnk_file read_lnk_file_perms;
-
-allow nsd_t nsd_db_t:file manage_file_perms;
-filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)
+manage_dirs_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
+manage_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
+read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
files_pid_filetrans(nsd_t, nsd_var_run_t, file)
+manage_files_pattern(nsd_t, nsd_log_t, nsd_log_t)
+logging_log_filetrans(nsd_t, nsd_log_t, file)
+
manage_dirs_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
manage_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
files_var_lib_filetrans(nsd_t, nsd_zone_t, dir)
+allow nsd_t nsd_zone_t:file { map } ;
+
+manage_dirs_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t)
+manage_files_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t)
+files_tmp_filetrans(nsd_t, nsd_tmp_t, { file dir })
+allow nsd_t nsd_tmp_t:file { map } ;
can_exec(nsd_t, nsd_exec_t)
@@ -62,7 +71,6 @@ kernel_read_kernel_sysctls(nsd_t)
corecmd_exec_bin(nsd_t)
-corenet_all_recvfrom_unlabeled(nsd_t)
corenet_all_recvfrom_netlabel(nsd_t)
corenet_tcp_sendrecv_generic_if(nsd_t)
corenet_udp_sendrecv_generic_if(nsd_t)
@@ -72,16 +80,20 @@ corenet_tcp_sendrecv_all_ports(nsd_t)
corenet_udp_sendrecv_all_ports(nsd_t)
corenet_tcp_bind_generic_node(nsd_t)
corenet_udp_bind_generic_node(nsd_t)
-
-corenet_sendrecv_dns_server_packets(nsd_t)
corenet_tcp_bind_dns_port(nsd_t)
corenet_udp_bind_dns_port(nsd_t)
+corenet_sendrecv_dns_server_packets(nsd_t)
+corenet_tcp_bind_nsd_control_port(nsd_t)
+corenet_sendrecv_nsd_control_server_packets(nsd_t)
+corenet_tcp_connect_nsd_control_port(nsd_t)
dev_read_sysfs(nsd_t)
+dev_read_urand(nsd_t)
domain_use_interactive_fds(nsd_t)
files_read_etc_runtime_files(nsd_t)
+files_search_var_lib(nsd_t)
fs_getattr_all_fs(nsd_t)
fs_search_auto_mountpoints(nsd_t)
@@ -90,8 +102,6 @@ auth_use_nsswitch(nsd_t)
logging_send_syslog_msg(nsd_t)
-miscfiles_read_localization(nsd_t)
-
userdom_dontaudit_use_unpriv_user_fds(nsd_t)
userdom_dontaudit_search_user_home_dirs(nsd_t)
@@ -105,23 +115,24 @@ optional_policy(`
########################################
#
-# Cron local policy
+# Zone update cron job local policy
#
-allow nsd_crond_t self:capability { dac_override kill };
+# kill capability for root cron job and non-root daemon
+allow nsd_crond_t self:capability { dac_read_search dac_override kill };
dontaudit nsd_crond_t self:capability sys_nice;
allow nsd_crond_t self:process { setsched signal_perms };
allow nsd_crond_t self:fifo_file rw_fifo_file_perms;
+allow nsd_crond_t self:tcp_socket create_socket_perms;
+allow nsd_crond_t self:udp_socket create_socket_perms;
-allow nsd_crond_t nsd_t:process signal;
-ps_process_pattern(nsd_crond_t, nsd_t)
-
-allow nsd_crond_t nsd_conf_t:dir list_dir_perms;
allow nsd_crond_t nsd_conf_t:file read_file_perms;
-allow nsd_crond_t nsd_conf_t:lnk_file read_lnk_file_perms;
-allow nsd_crond_t nsd_db_t:file manage_file_perms;
-filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file)
+files_search_var_lib(nsd_crond_t)
+
+allow nsd_crond_t nsd_t:process signal;
+
+ps_process_pattern(nsd_crond_t, nsd_t)
manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t)
filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
@@ -133,29 +144,33 @@ kernel_read_system_state(nsd_crond_t)
corecmd_exec_bin(nsd_crond_t)
corecmd_exec_shell(nsd_crond_t)
-corenet_all_recvfrom_unlabeled(nsd_crond_t)
corenet_all_recvfrom_netlabel(nsd_crond_t)
corenet_tcp_sendrecv_generic_if(nsd_crond_t)
+corenet_udp_sendrecv_generic_if(nsd_crond_t)
corenet_tcp_sendrecv_generic_node(nsd_crond_t)
-
-corenet_sendrecv_all_client_packets(nsd_crond_t)
-corenet_tcp_connect_all_ports(nsd_crond_t)
+corenet_udp_sendrecv_generic_node(nsd_crond_t)
corenet_tcp_sendrecv_all_ports(nsd_crond_t)
+corenet_udp_sendrecv_all_ports(nsd_crond_t)
+corenet_tcp_connect_all_ports(nsd_crond_t)
+corenet_sendrecv_all_client_packets(nsd_crond_t)
dev_read_urand(nsd_crond_t)
domain_dontaudit_read_all_domains_state(nsd_crond_t)
files_read_etc_runtime_files(nsd_crond_t)
+files_search_var_lib(nsd_t)
auth_use_nsswitch(nsd_crond_t)
logging_send_syslog_msg(nsd_crond_t)
-miscfiles_read_localization(nsd_crond_t)
-
userdom_dontaudit_search_user_home_dirs(nsd_crond_t)
+optional_policy(`
+ nsd_read_pid(nsd_crond_t)
+')
+
optional_policy(`
cron_system_entry(nsd_crond_t, nsd_exec_t)
')
diff --git a/nslcd.fc b/nslcd.fc
index 402100e40..ce913b244 100644
--- a/nslcd.fc
+++ b/nslcd.fc
@@ -1,7 +1,4 @@
-/etc/nss-ldapd\.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
-
-/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
-
-/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
-
-/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
+/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
+/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
+/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
+/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
diff --git a/nslcd.if b/nslcd.if
index 97df768d9..852d1c6c7 100644
--- a/nslcd.if
+++ b/nslcd.if
@@ -1,4 +1,4 @@
-## Local LDAP name service daemon.
+## nslcd - local LDAP name service daemon.
########################################
##
@@ -15,7 +15,6 @@ interface(`nslcd_domtrans',`
type nslcd_t, nslcd_exec_t;
')
- corecmd_searh_bin($1)
domtrans_pattern($1, nslcd_exec_t, nslcd_t)
')
@@ -39,7 +38,7 @@ interface(`nslcd_initrc_domtrans',`
########################################
##
-## Read nslcd pid files.
+## Read nslcd PID files.
##
##
##
@@ -58,8 +57,25 @@ interface(`nslcd_read_pid_files',`
########################################
##
-## Connect to nslcd over an unix
-## domain stream socket.
+## Dontaudit write to nslcd over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nslcd_dontaudit_write_ock_file',`
+ gen_require(`
+ type nslcd_var_run_t;
+ ')
+
+ dontaudit $1 nslcd_var_run_t:sock_file write;
+')
+
+########################################
+##
+## Connect to nslcd over an unix stream socket.
##
##
##
@@ -72,14 +88,33 @@ interface(`nslcd_stream_connect',`
type nslcd_t, nslcd_var_run_t;
')
- files_search_pids($1)
stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t)
+ files_search_pids($1)
+')
+
+#######################################
+##
+## Do not audit attempts to write nslcd sock files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`nslcd_dontaudit_write_sock_file',`
+ gen_require(`
+ type nslcd_t, nslcd_var_run_t;
+ ')
+
+ dontaudit $1 nslcd_t:sock_file write;
+ dontaudit $1 nslcd_var_run_t:sock_file write;
')
########################################
##
-## All of the rules required to
-## administrate an nslcd environment.
+## All of the rules required to administrate
+## an nslcd environment
##
##
##
@@ -99,17 +134,21 @@ interface(`nslcd_admin',`
type nslcd_conf_t;
')
- allow $1 nslcd_t:process { ptrace signal_perms };
ps_process_pattern($1, nslcd_t)
+ allow $1 nslcd_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 nslcd_t:process ptrace;
+ ')
+ # Allow nslcd_t to restart the apache service
nslcd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 nslcd_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, nslcd_conf_t)
- files_search_pids($1)
- admin_pattern($1, nslcd_var_run_t)
+ files_list_pids($1)
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
')
diff --git a/nslcd.te b/nslcd.te
index 421bf1a56..1be3b6b30 100644
--- a/nslcd.te
+++ b/nslcd.te
@@ -20,12 +20,12 @@ files_config_file(nslcd_conf_t)
########################################
#
-# Local policy
+# nslcd local policy
#
-allow nslcd_t self:capability { setgid setuid dac_override };
-allow nslcd_t self:process signal;
-allow nslcd_t self:unix_stream_socket { accept listen };
+allow nslcd_t self:capability { chown dac_read_search dac_override setgid setuid sys_nice };
+allow nslcd_t self:process { setsched signal signull };
+allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
allow nslcd_t nslcd_conf_t:file read_file_perms;
@@ -36,16 +36,17 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
kernel_read_system_state(nslcd_t)
+dev_read_sysfs(nslcd_t)
+
corenet_all_recvfrom_unlabeled(nslcd_t)
corenet_all_recvfrom_netlabel(nslcd_t)
-corenet_tcp_sendrecv_generic_if(nslcd_t)
-corenet_tcp_sendrecv_generic_node(nslcd_t)
-
-corenet_sendrecv_ldap_client_packets(nslcd_t)
corenet_tcp_connect_ldap_port(nslcd_t)
-corenet_tcp_sendrecv_ldap_port(nslcd_t)
+corenet_sendrecv_ldap_client_packets(nslcd_t)
dev_read_sysfs(nslcd_t)
+dev_read_urand(nslcd_t)
+
+corecmd_exec_bin(nslcd_t)
files_read_usr_symlinks(nslcd_t)
files_list_tmp(nslcd_t)
@@ -54,10 +55,13 @@ auth_use_nsswitch(nslcd_t)
logging_send_syslog_msg(nslcd_t)
-miscfiles_read_localization(nslcd_t)
-
userdom_read_user_tmp_files(nslcd_t)
+optional_policy(`
+ dirsrv_stream_connect(nslcd_t)
+')
+
optional_policy(`
ldap_stream_connect(nslcd_t)
')
+
diff --git a/nsplugin.fc b/nsplugin.fc
new file mode 100644
index 000000000..22e6c963c
--- /dev/null
+++ b/nsplugin.fc
@@ -0,0 +1,11 @@
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+
+/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/bin/nspluginviewer -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
+/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff --git a/nsplugin.if b/nsplugin.if
new file mode 100644
index 000000000..bceb5271e
--- /dev/null
+++ b/nsplugin.if
@@ -0,0 +1,474 @@
+
+## policy for nsplugin
+
+########################################
+##
+## Create, read, write, and delete
+## nsplugin rw files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_manage_rw_files',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ allow $1 nsplugin_rw_t:file manage_file_perms;
+ allow $1 nsplugin_rw_t:dir rw_dir_perms;
+')
+
+########################################
+##
+## Manage nsplugin rw files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_manage_rw',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+ manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+ manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+')
+
+#######################################
+##
+## The per role template for the nsplugin module.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+interface(`nsplugin_role_notrans',`
+ gen_require(`
+ type nsplugin_rw_t;
+ type nsplugin_home_t;
+ type nsplugin_exec_t;
+ type nsplugin_config_exec_t;
+ type nsplugin_t;
+ type nsplugin_config_t;
+ class x_drawable all_x_drawable_perms;
+ class x_resource all_x_resource_perms;
+ class dbus send_msg;
+ ')
+
+ role $1 types nsplugin_t;
+ role $1 types nsplugin_config_t;
+
+ allow nsplugin_t $2:process signull;
+ allow nsplugin_t $2:dbus send_msg;
+ allow $2 nsplugin_t:dbus send_msg;
+
+ list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ can_exec($2, nsplugin_rw_t)
+
+ #Leaked File Descriptors
+ifdef(`hide_broken_symptoms', `
+ dontaudit nsplugin_t $2:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit nsplugin_config_t $2:fifo_file rw_inherited_fifo_file_perms;
+')
+ allow nsplugin_t $2:unix_stream_socket connectto;
+ dontaudit nsplugin_t $2:process ptrace;
+ allow nsplugin_t $2:sem rw_sem_perms;
+ allow nsplugin_t $2:shm rw_shm_perms;
+ dontaudit nsplugin_t $2:shm destroy;
+ allow $2 nsplugin_t:sem rw_sem_perms;
+
+ allow $2 nsplugin_t:process { getattr signal_perms };
+ allow $2 nsplugin_t:unix_stream_socket connectto;
+
+ # Connect to pulseaudit server
+ stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
+ optional_policy(`
+ gnome_stream_connect(nsplugin_t, $2)
+ ')
+
+ userdom_use_inherited_user_terminals(nsplugin_t)
+ userdom_use_inherited_user_terminals(nsplugin_config_t)
+ userdom_dontaudit_setattr_user_home_content_files(nsplugin_t)
+ userdom_manage_tmp_role($1, nsplugin_t)
+
+ optional_policy(`
+ pulseaudio_role($1, nsplugin_t)
+ ')
+')
+
+#######################################
+##
+## Role access for nsplugin
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+interface(`nsplugin_role',`
+ gen_require(`
+ type nsplugin_exec_t;
+ type nsplugin_config_exec_t;
+ type nsplugin_t;
+ type nsplugin_config_t;
+ ')
+
+ nsplugin_role_notrans($1, $2)
+
+ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
+ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
+
+')
+
+#######################################
+##
+## The per role template for the nsplugin module.
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+interface(`nsplugin_domtrans',`
+ gen_require(`
+ type nsplugin_exec_t;
+ type nsplugin_t;
+ ')
+
+ domtrans_pattern($1, nsplugin_exec_t, nsplugin_t)
+ allow $1 nsplugin_t:unix_stream_socket connectto;
+ allow nsplugin_t $1:process signal;
+')
+
+#######################################
+##
+## The per role template for the nsplugin module.
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+interface(`nsplugin_domtrans_config',`
+ gen_require(`
+ type nsplugin_config_exec_t;
+ type nsplugin_config_t;
+ ')
+
+ domtrans_pattern($1, nsplugin_config_exec_t, nsplugin_config_t)
+')
+
+########################################
+##
+## Search nsplugin rw directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_search_rw_dir',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ allow $1 nsplugin_rw_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Read nsplugin rw files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_read_rw_files',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ list_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+ read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+ read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+')
+
+########################################
+##
+## Read nsplugin home files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_read_home',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ list_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
+ read_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
+ read_lnk_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+##
+## Exec nsplugin rw files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_rw_exec',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ can_exec($1, nsplugin_rw_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## nsplugin home files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_manage_home_files',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ manage_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+##
+## manage nnsplugin home dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_manage_home_dirs',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ manage_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+##
+## Allow attempts to read and write to
+## nsplugin named pipes.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`nsplugin_rw_pipes',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+##
+## Read and write to nsplugin shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_rw_shm',`
+ gen_require(`
+ type nsplugin_t;
+ ')
+
+ allow $1 nsplugin_t:shm rw_shm_perms;
+')
+
+#####################################
+##
+## Allow read and write access to nsplugin semaphores.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_rw_semaphores',`
+ gen_require(`
+ type nsplugin_t;
+ ')
+
+ allow $1 nsplugin_t:sem rw_sem_perms;
+')
+
+########################################
+##
+## Execute nsplugin_exec_t
+## in the specified domain.
+##
+##
+##
+## Execute a nsplugin_exec_t
+## in the specified domain.
+##
+##
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the new process.
+##
+##
+#
+interface(`nsplugin_exec_domtrans',`
+ gen_require(`
+ type nsplugin_exec_t;
+ ')
+
+ allow $2 nsplugin_exec_t:file entrypoint;
+ domtrans_pattern($1, nsplugin_exec_t, $2)
+')
+
+########################################
+##
+## Send generic signals to user nsplugin processes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_signal',`
+ gen_require(`
+ type nsplugin_t;
+ ')
+
+ allow $1 nsplugin_t:process signal;
+')
+
+########################################
+##
+## Create objects in a user home directory
+## with an automatic type transition to
+## the nsplugin home file type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+#
+interface(`nsplugin_user_home_dir_filetrans',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, nsplugin_home_t, $2)
+')
+
+#######################################
+##
+## Create objects in a user home directory
+## with an automatic type transition to
+## the nsplugin home file type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+#
+interface(`nsplugin_user_home_filetrans',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ userdom_user_home_content_filetrans($1, nsplugin_home_t, $2)
+')
+
+########################################
+##
+## Send signull signal to nsplugin
+## processes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_signull',`
+ gen_require(`
+ type nsplugin_t;
+ ')
+
+ allow $1 nsplugin_t:process signull;
+')
diff --git a/nsplugin.te b/nsplugin.te
new file mode 100644
index 000000000..7d839fe6e
--- /dev/null
+++ b/nsplugin.te
@@ -0,0 +1,318 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
+## Allow nsplugin code to execmem/execstack
+##
+##
+gen_tunable(nsplugin_execmem, false)
+
+##
+##
+## Allow nsplugin code to connect to unreserved ports
+##
+##
+gen_tunable(nsplugin_can_network, true)
+
+type nsplugin_exec_t;
+application_executable_file(nsplugin_exec_t)
+
+type nsplugin_config_exec_t;
+application_executable_file(nsplugin_config_exec_t)
+
+type nsplugin_rw_t;
+files_poly_member(nsplugin_rw_t)
+files_type(nsplugin_rw_t)
+
+type nsplugin_tmp_t;
+files_tmp_file(nsplugin_tmp_t)
+
+type nsplugin_home_t;
+files_poly_member(nsplugin_home_t)
+userdom_user_home_content(nsplugin_home_t)
+typealias nsplugin_home_t alias user_nsplugin_home_t;
+
+type nsplugin_t;
+application_domain(nsplugin_t, nsplugin_exec_t)
+
+type nsplugin_config_t;
+domain_type(nsplugin_config_t)
+domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t)
+
+########################################
+#
+# nsplugin local policy
+#
+dontaudit nsplugin_t self:capability { sys_nice sys_tty_config };
+allow nsplugin_t self:fifo_file rw_file_perms;
+allow nsplugin_t self:process { setpgid getsched setsched signal_perms };
+
+allow nsplugin_t self:sem create_sem_perms;
+allow nsplugin_t self:shm create_shm_perms;
+allow nsplugin_t self:msgq create_msgq_perms;
+allow nsplugin_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow nsplugin_t self:unix_dgram_socket { sendto create_socket_perms };
+allow nsplugin_t self:tcp_socket create_stream_socket_perms;
+allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
+read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
+read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
+
+tunable_policy(`nsplugin_execmem',`
+ allow nsplugin_t self:process { execstack execmem };
+ allow nsplugin_config_t self:process { execstack execmem };
+')
+
+tunable_policy(`nsplugin_can_network',`
+ corenet_tcp_connect_all_unreserved_ports(nsplugin_t)
+ corenet_tcp_connect_all_ephemeral_ports(nsplugin_t)
+')
+
+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+userdom_user_home_dir_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
+userdom_user_home_content_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
+userdom_dontaudit_getattr_user_home_content(nsplugin_t)
+userdom_dontaudit_search_user_bin_dirs(nsplugin_t)
+userdom_dontaudit_write_user_home_content_files(nsplugin_t)
+userdom_dontaudit_search_admin_dir(nsplugin_t)
+
+corecmd_exec_bin(nsplugin_t)
+corecmd_exec_shell(nsplugin_t)
+
+corenet_all_recvfrom_netlabel(nsplugin_t)
+corenet_tcp_connect_flash_port(nsplugin_t)
+corenet_tcp_connect_ms_streaming_port(nsplugin_t)
+corenet_tcp_connect_rtsp_port(nsplugin_t)
+corenet_tcp_connect_pulseaudio_port(nsplugin_t)
+corenet_tcp_connect_http_port(nsplugin_t)
+corenet_tcp_connect_http_cache_port(nsplugin_t)
+corenet_tcp_connect_squid_port(nsplugin_t)
+corenet_tcp_sendrecv_generic_if(nsplugin_t)
+corenet_tcp_sendrecv_generic_node(nsplugin_t)
+corenet_tcp_connect_ipp_port(nsplugin_t)
+corenet_tcp_connect_speech_port(nsplugin_t)
+
+domain_dontaudit_read_all_domains_state(nsplugin_t)
+
+dev_read_urand(nsplugin_t)
+dev_read_rand(nsplugin_t)
+dev_read_sound(nsplugin_t)
+dev_write_sound(nsplugin_t)
+dev_read_video_dev(nsplugin_t)
+dev_write_video_dev(nsplugin_t)
+dev_getattr_dri_dev(nsplugin_t)
+dev_getattr_mouse_dev(nsplugin_t)
+dev_rwx_zero(nsplugin_t)
+dev_read_sysfs(nsplugin_t)
+dev_dontaudit_getattr_all(nsplugin_t)
+
+kernel_read_kernel_sysctls(nsplugin_t)
+kernel_read_system_state(nsplugin_t)
+kernel_read_network_state(nsplugin_t)
+
+files_dontaudit_getattr_lost_found_dirs(nsplugin_t)
+files_dontaudit_list_home(nsplugin_t)
+files_read_config_files(nsplugin_t)
+
+fs_getattr_tmpfs(nsplugin_t)
+fs_getattr_xattr_fs(nsplugin_t)
+fs_search_auto_mountpoints(nsplugin_t)
+fs_rw_anon_inodefs_files(nsplugin_t)
+fs_list_inotifyfs(nsplugin_t)
+fs_dontaudit_list_fusefs(nsplugin_t)
+
+storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
+storage_dontaudit_getattr_removable_dev(nsplugin_t)
+
+term_dontaudit_getattr_all_ptys(nsplugin_t)
+term_dontaudit_getattr_all_ttys(nsplugin_t)
+
+auth_use_nsswitch(nsplugin_t)
+
+libs_exec_ld_so(nsplugin_t)
+
+miscfiles_read_fonts(nsplugin_t)
+miscfiles_dontaudit_write_fonts(nsplugin_t)
+miscfiles_setattr_fonts_cache_dirs(nsplugin_t)
+
+userdom_manage_user_tmp_dirs(nsplugin_t)
+userdom_manage_user_tmp_files(nsplugin_t)
+userdom_manage_user_tmp_sockets(nsplugin_t)
+userdom_tmp_filetrans_user_tmp(nsplugin_t, { file dir sock_file })
+userdom_rw_semaphores(nsplugin_t)
+userdom_dontaudit_rw_user_tmp_pipes(nsplugin_t)
+
+userdom_read_user_home_content_symlinks(nsplugin_t)
+userdom_read_user_home_content_files(nsplugin_t)
+userdom_read_user_tmp_files(nsplugin_t)
+userdom_write_user_tmp_sockets(nsplugin_t)
+userdom_dontaudit_append_user_home_content_files(nsplugin_t)
+userdom_read_home_audio_files(nsplugin_t)
+
+optional_policy(`
+ alsa_read_rw_config(nsplugin_t)
+ alsa_read_home_files(nsplugin_t)
+')
+
+optional_policy(`
+ chrome_dontaudit_sandbox_leaks(nsplugin_t)
+')
+
+optional_policy(`
+ cups_stream_connect(nsplugin_t)
+')
+
+optional_policy(`
+ dbus_session_bus_client(nsplugin_t)
+ dbus_connect_session_bus(nsplugin_t)
+ dbus_system_bus_client(nsplugin_t)
+')
+
+optional_policy(`
+ gnome_exec_gconf(nsplugin_t)
+ gnome_manage_config(nsplugin_t)
+ gnome_read_gconf_home_files(nsplugin_t)
+ gnome_read_usr_config(nsplugin_t)
+')
+
+optional_policy(`
+ gpm_getattr_gpmctl(nsplugin_t)
+')
+
+optional_policy(`
+ mozilla_exec_user_home_files(nsplugin_t)
+ mozilla_read_user_home_files(nsplugin_t)
+ mozilla_write_user_home_files(nsplugin_t)
+ mozilla_plugin_delete_tmpfs_files(nsplugin_t)
+')
+
+optional_policy(`
+ mplayer_exec(nsplugin_t)
+ mplayer_read_user_home_files(nsplugin_t)
+')
+
+optional_policy(`
+ sandbox_read_tmpfs_files(nsplugin_t)
+')
+
+optional_policy(`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+ xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t)
+ xserver_rw_shm(nsplugin_t)
+ xserver_read_xdm_pid(nsplugin_t)
+ xserver_read_xdm_tmp_files(nsplugin_t)
+ xserver_read_user_xauth(nsplugin_t)
+ xserver_read_user_iceauth(nsplugin_t)
+ xserver_use_user_fonts(nsplugin_t)
+ xserver_rw_inherited_user_fonts(nsplugin_t)
+')
+
+########################################
+#
+# nsplugin_config local policy
+#
+
+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
+allow nsplugin_config_t self:process { setsched signal_perms getsched execmem };
+#execing pulseaudio
+dontaudit nsplugin_t self:process { getcap setcap };
+
+allow nsplugin_config_t self:fifo_file rw_file_perms;
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
+dev_search_sysfs(nsplugin_config_t)
+dev_read_urand(nsplugin_config_t)
+dev_dontaudit_read_rand(nsplugin_config_t)
+dev_dontaudit_rw_dri(nsplugin_config_t)
+
+fs_search_auto_mountpoints(nsplugin_config_t)
+fs_list_inotifyfs(nsplugin_config_t)
+
+can_exec(nsplugin_config_t, nsplugin_rw_t)
+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+
+manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+
+corecmd_exec_bin(nsplugin_config_t)
+corecmd_exec_shell(nsplugin_config_t)
+
+kernel_read_system_state(nsplugin_config_t)
+kernel_request_load_module(nsplugin_config_t)
+
+domain_use_interactive_fds(nsplugin_config_t)
+
+files_dontaudit_search_home(nsplugin_config_t)
+files_list_tmp(nsplugin_config_t)
+
+auth_use_nsswitch(nsplugin_config_t)
+
+miscfiles_read_fonts(nsplugin_config_t)
+
+userdom_search_user_home_content(nsplugin_config_t)
+userdom_read_user_home_content_symlinks(nsplugin_config_t)
+userdom_read_user_home_content_files(nsplugin_config_t)
+userdom_dontaudit_search_admin_dir(nsplugin_config_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_getattr_nfs(nsplugin_t)
+ fs_manage_nfs_dirs(nsplugin_t)
+ fs_manage_nfs_files(nsplugin_t)
+ fs_manage_nfs_symlinks(nsplugin_t)
+ fs_manage_nfs_named_pipes(nsplugin_t)
+ fs_manage_nfs_dirs(nsplugin_config_t)
+ fs_manage_nfs_files(nsplugin_config_t)
+ fs_manage_nfs_named_pipes(nsplugin_config_t)
+ fs_manage_nfs_symlinks(nsplugin_config_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_getattr_cifs(nsplugin_t)
+ fs_manage_cifs_dirs(nsplugin_t)
+ fs_manage_cifs_files(nsplugin_t)
+ fs_manage_cifs_symlinks(nsplugin_t)
+ fs_manage_cifs_named_pipes(nsplugin_t)
+ fs_manage_cifs_dirs(nsplugin_config_t)
+ fs_manage_cifs_files(nsplugin_config_t)
+ fs_manage_cifs_named_pipes(nsplugin_config_t)
+ fs_manage_cifs_symlinks(nsplugin_config_t)
+')
+
+domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
+
+optional_policy(`
+ xserver_use_user_fonts(nsplugin_config_t)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(nsplugin_config_t)
+ mozilla_write_user_home_files(nsplugin_config_t)
+')
+
+application_signull(nsplugin_t)
+
+optional_policy(`
+ devicekit_dbus_chat_power(nsplugin_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(nsplugin_t)
+ pulseaudio_stream_connect(nsplugin_t)
+ pulseaudio_manage_home_files(nsplugin_t)
+ pulseaudio_setattr_home_dir(nsplugin_t)
+')
diff --git a/ntop.te b/ntop.te
index 8ec78595b..c696f6765 100644
--- a/ntop.te
+++ b/ntop.te
@@ -29,10 +29,11 @@ files_pid_file(ntop_var_run_t)
# Local Policy
#
-allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
+allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin dac_read_search dac_override };
dontaudit ntop_t self:capability sys_tty_config;
allow ntop_t self:process signal_perms;
allow ntop_t self:fifo_file rw_fifo_file_perms;
+allow ntop_t self:netlink_socket create_socket_perms;
allow ntop_t self:tcp_socket { accept listen };
allow ntop_t self:unix_stream_socket { accept listen };
allow ntop_t self:packet_socket create_socket_perms;
@@ -58,7 +59,6 @@ kernel_read_system_state(ntop_t)
kernel_read_network_state(ntop_t)
kernel_read_kernel_sysctls(ntop_t)
-corenet_all_recvfrom_unlabeled(ntop_t)
corenet_all_recvfrom_netlabel(ntop_t)
corenet_tcp_sendrecv_generic_if(ntop_t)
corenet_raw_sendrecv_generic_if(ntop_t)
@@ -78,10 +78,11 @@ corenet_tcp_sendrecv_http_port(ntop_t)
dev_read_sysfs(ntop_t)
dev_rw_generic_usb_dev(ntop_t)
+dev_read_usbmon_dev(ntop_t)
+dev_write_usbmon_dev(ntop_t)
domain_use_interactive_fds(ntop_t)
-files_read_usr_files(ntop_t)
fs_getattr_all_fs(ntop_t)
fs_search_auto_mountpoints(ntop_t)
@@ -100,6 +101,10 @@ optional_policy(`
apache_read_sys_content(ntop_t)
')
+optional_policy(`
+ snmp_read_snmp_var_lib_files(ntop_t)
+')
+
optional_policy(`
seutil_sigchld_newrole(ntop_t)
')
diff --git a/ntp.fc b/ntp.fc
index af3c91e70..3e5f9cfa6 100644
--- a/ntp.fc
+++ b/ntp.fc
@@ -11,9 +11,13 @@
/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/libexec/ntpdate-wrapper -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
+
/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/sntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
diff --git a/ntp.if b/ntp.if
index e96a309a5..42453089c 100644
--- a/ntp.if
+++ b/ntp.if
@@ -1,4 +1,4 @@
-## Network time protocol daemon.
+## Network time protocol daemon
########################################
##
@@ -35,6 +35,25 @@ interface(`ntp_domtrans',`
domtrans_pattern($1, ntpd_exec_t, ntpd_t)
')
+########################################
+##
+## Execute ntp server in the caller domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ntp_exec',`
+ gen_require(`
+ type ntpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, ntpd_exec_t)
+')
+
########################################
##
## Execute ntp in the ntp domain, and
@@ -54,11 +73,11 @@ interface(`ntp_domtrans',`
#
interface(`ntp_run',`
gen_require(`
- attribute_role ntpd_roles;
+ type ntpd_t;
')
ntp_domtrans($1)
- roleattribute $2 ntpd_roles;
+ role $2 types ntpd_t;
')
########################################
@@ -98,6 +117,67 @@ interface(`ntp_initrc_domtrans',`
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
')
+#####################################
+##
+## Allow domain to read ntpd systemd unit files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ntp_read_unit_file',`
+ gen_require(`
+ type ntpd_unit_file_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 ntpd_unit_file_t:file read_file_perms;
+')
+
+########################################
+##
+## Execute ntpd server in the ntpd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ntp_systemctl',`
+ gen_require(`
+ type ntpd_unit_file_t;
+ type ntpd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 ntpd_unit_file_t:file read_file_perms;
+ allow $1 ntpd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ntpd_t)
+')
+
+########################################
+##
+## Send a generic signal to ntpd
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ntp_signal',`
+ gen_require(`
+ type ntpd_t;
+ ')
+
+ allow $1 ntpd_t:process signal;
+')
+
########################################
##
## Read ntp drift files.
@@ -141,8 +221,27 @@ interface(`ntp_rw_shm',`
########################################
##
-## All of the rules required to
-## administrate an ntp environment.
+## Allow the domain to read ntpd state files in /proc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ntp_read_state',`
+ gen_require(`
+ type ntpd_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, ntpd_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an ntp environment
##
##
##
@@ -151,28 +250,32 @@ interface(`ntp_rw_shm',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the ntp domain.
##
##
##
#
interface(`ntp_admin',`
gen_require(`
- type ntpd_t, ntpd_tmp_t, ntpd_log_t;
- type ntpd_key_t, ntpd_var_run_t, ntp_conf_t;
- type ntpd_initrc_exec_t, ntp_drift_t;
+ type ntpd_t, ntpd_tmp_t, ntpd_log_t, ntp_drift_t;
+ type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
+ type ntpd_unit_file_t;
')
- allow $1 ntpd_t:process { ptrace signal_perms };
+ allow $1 ntpd_t:process signal_perms;
ps_process_pattern($1, ntpd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ntpd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ntpd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
- admin_pattern($1, { ntpd_key_t ntp_conf_t })
+ admin_pattern($1, ntpd_key_t)
logging_list_logs($1)
admin_pattern($1, ntpd_log_t)
@@ -186,5 +289,53 @@ interface(`ntp_admin',`
files_list_pids($1)
admin_pattern($1, ntpd_var_run_t)
- ntp_run($1, $2)
+ ntp_systemctl($1)
+ admin_pattern($1, ntpd_unit_file_t)
+ allow $1 ntpd_unit_file_t:service all_service_perms;
+
+ ntp_filetrans_named_content($1)
')
+
+########################################
+##
+## Transition content labels to ntp named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ntp_filetrans_named_content',`
+ gen_require(`
+ type ntp_conf_t;
+ type ntp_drift_t;
+ ')
+
+ files_etc_filetrans($1, ntp_conf_t, file, "ntpd.conf")
+ files_etc_filetrans($1, ntp_conf_t, dir, "ntp")
+ files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod")
+')
+
+########################################
+##
+## Create, read, write, and delete
+## ntp log content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ntp_manage_log',`
+ gen_require(`
+ type ntpd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, ntpd_log_t, ntpd_log_t)
+ manage_files_pattern($1, ntpd_log_t, ntpd_log_t)
+ manage_lnk_files_pattern($1, ntpd_log_t, ntpd_log_t)
+')
+
diff --git a/ntp.te b/ntp.te
index f81b113c7..bc1e8ce99 100644
--- a/ntp.te
+++ b/ntp.te
@@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t;
type ntpd_initrc_exec_t;
init_script_file(ntpd_initrc_exec_t)
+type ntpd_unit_file_t;
+systemd_unit_file(ntpd_unit_file_t)
+
type ntp_conf_t;
files_config_file(ntp_conf_t)
@@ -44,7 +47,7 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
# Local policy
#
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
+allow ntpd_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
allow ntpd_t self:fifo_file rw_fifo_file_perms;
@@ -53,6 +56,8 @@ allow ntpd_t self:tcp_socket { accept listen };
manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp")
+files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp-kod")
allow ntpd_t ntp_conf_t:file read_file_perms;
@@ -60,9 +65,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
-append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
-create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
-setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
+manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
@@ -77,27 +80,23 @@ manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
can_exec(ntpd_t, ntpd_exec_t)
+can_exec(ntpd_t, ntpdate_exec_t)
kernel_read_kernel_sysctls(ntpd_t)
kernel_read_system_state(ntpd_t)
kernel_read_network_state(ntpd_t)
kernel_request_load_module(ntpd_t)
-corenet_all_recvfrom_unlabeled(ntpd_t)
corenet_all_recvfrom_netlabel(ntpd_t)
corenet_tcp_sendrecv_generic_if(ntpd_t)
corenet_udp_sendrecv_generic_if(ntpd_t)
corenet_tcp_sendrecv_generic_node(ntpd_t)
corenet_udp_sendrecv_generic_node(ntpd_t)
corenet_udp_bind_generic_node(ntpd_t)
-
-corenet_sendrecv_ntp_server_packets(ntpd_t)
corenet_udp_bind_ntp_port(ntpd_t)
-corenet_udp_sendrecv_ntp_port(ntpd_t)
-
-corenet_sendrecv_ntp_client_packets(ntpd_t)
corenet_tcp_connect_ntp_port(ntpd_t)
-corenet_tcp_sendrecv_ntp_port(ntpd_t)
+corenet_sendrecv_ntp_server_packets(ntpd_t)
+corenet_sendrecv_ntp_client_packets(ntpd_t)
corecmd_exec_bin(ntpd_t)
corecmd_exec_shell(ntpd_t)
@@ -110,13 +109,15 @@ domain_use_interactive_fds(ntpd_t)
domain_dontaudit_list_all_domains_state(ntpd_t)
files_read_etc_runtime_files(ntpd_t)
-files_read_usr_files(ntpd_t)
files_list_var_lib(ntpd_t)
fs_getattr_all_fs(ntpd_t)
fs_search_auto_mountpoints(ntpd_t)
+# Necessary to communicate with gpsd devices
+fs_rw_tmpfs_files(ntpd_t)
term_use_ptmx(ntpd_t)
+term_use_unallocated_ttys(ntpd_t)
auth_use_nsswitch(ntpd_t)
@@ -124,11 +125,13 @@ init_exec_script_files(ntpd_t)
logging_send_syslog_msg(ntpd_t)
-miscfiles_read_localization(ntpd_t)
-
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_user_home_dirs(ntpd_t)
+optional_policy(`
+ clock_domtrans(ntpd_t)
+')
+
optional_policy(`
cron_system_entry(ntpd_t, ntpdate_exec_t)
')
@@ -151,10 +154,19 @@ optional_policy(`
logrotate_exec(ntpd_t)
')
+optional_policy(`
+ ptp4l_rw_shm(ntpd_t)
+')
+
optional_policy(`
seutil_sigchld_newrole(ntpd_t)
')
+optional_policy(`
+ timemaster_read_pid_files(ntpd_t)
+ timemaster_rw_shm(ntpd_t)
+')
+
optional_policy(`
udev_read_db(ntpd_t)
')
diff --git a/numad.fc b/numad.fc
index 3488bb0d3..1f9762420 100644
--- a/numad.fc
+++ b/numad.fc
@@ -1,7 +1,7 @@
-/etc/rc\.d/init\.d/numad -- gen_context(system_u:object_r:numad_initrc_exec_t,s0)
+/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0)
-/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0)
+/usr/lib/systemd/system/numad.* -- gen_context(system_u:object_r:numad_unit_file_t,s0)
-/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_log_t,s0)
+/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_var_log_t,s0)
-/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0)
+/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0)
diff --git a/numad.if b/numad.if
index 0d3c270b9..f307835ce 100644
--- a/numad.if
+++ b/numad.if
@@ -1,39 +1,93 @@
-## Non-Uniform Memory Alignment Daemon.
+
+## policy for numad
+
+########################################
+##
+## Transition to numad.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`numad_domtrans',`
+ gen_require(`
+ type numad_t, numad_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, numad_exec_t, numad_t)
+')
+########################################
+##
+## Execute numad server in the numad domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`numad_systemctl',`
+ gen_require(`
+ type numad_t;
+ type numad_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 numad_unit_file_t:file read_file_perms;
+ allow $1 numad_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, numad_t)
+')
########################################
##
-## All of the rules required to
-## administrate an numad environment.
+## Send and receive messages from
+## numad over dbus.
##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`numad_dbus_chat',`
+ gen_require(`
+ type numad_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 numad_t:dbus send_msg;
+ allow numad_t $1:dbus send_msg;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an numad environment
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
-##
#
interface(`numad_admin',`
gen_require(`
- type numad_t, numad_initrc_exec_t, numad_log_t;
- type numad_var_run_t;
+ type numad_t;
+ type numad_unit_file_t;
')
allow $1 numad_t:process { ptrace signal_perms };
ps_process_pattern($1, numad_t)
- init_labeled_script_domtrans($1, numad_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 numad_initrc_exec_t system_r;
- allow $2 system_r;
-
- logging_search_logs($1)
- admin_pattern($1, numad_log_t)
-
- files_search_pids($1)
- admin_pattern($1, numad_var_run_t)
+ numad_systemctl($1)
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/numad.te b/numad.te
index b0a1be482..303a9279f 100644
--- a/numad.te
+++ b/numad.te
@@ -8,37 +8,44 @@ policy_module(numad, 1.1.0)
type numad_t;
type numad_exec_t;
init_daemon_domain(numad_t, numad_exec_t)
-application_executable_file(numad_exec_t)
-type numad_initrc_exec_t;
-init_script_file(numad_initrc_exec_t)
+type numad_unit_file_t;
+systemd_unit_file(numad_unit_file_t)
-type numad_log_t;
-logging_log_file(numad_log_t)
+type numad_var_log_t;
+logging_log_file(numad_var_log_t)
type numad_var_run_t;
files_pid_file(numad_var_run_t)
########################################
#
-# Local policy
+# numad local policy
#
+allow numad_t self:capability sys_ptrace;
allow numad_t self:fifo_file rw_fifo_file_perms;
-allow numad_t self:msg { send receive };
allow numad_t self:msgq create_msgq_perms;
+allow numad_t self:msg { send receive };
allow numad_t self:unix_stream_socket create_stream_socket_perms;
-allow numad_t numad_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(numad_t, numad_log_t, file)
+manage_files_pattern(numad_t, numad_var_log_t, numad_var_log_t)
+logging_log_filetrans(numad_t, numad_var_log_t, file)
manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t)
files_pid_filetrans(numad_t, numad_var_run_t, file)
kernel_read_system_state(numad_t)
-dev_read_sysfs(numad_t)
+dev_rw_sysfs(numad_t)
+
+domain_use_interactive_fds(numad_t)
+domain_read_all_domains_state(numad_t)
+domain_setpriority_all_domains(numad_t)
-files_read_etc_files(numad_t)
+fs_manage_cgroup_dirs(numad_t)
+fs_rw_cgroup_files(numad_t)
-miscfiles_read_localization(numad_t)
+tunable_policy(`deny_ptrace',`',`
+ virt_ptrace(numad_t)
+')
diff --git a/nut.fc b/nut.fc
index 379af962c..fac7d7bc9 100644
--- a/nut.fc
+++ b/nut.fc
@@ -1,23 +1,16 @@
-/etc/nut(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
-/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
+/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
-/etc/rc\.d/init\.d/nut-driver -- gen_context(system_u:object_r:nut_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/nut-server -- gen_context(system_u:object_r:nut_initrc_exec_t,s0)
-
-/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
-/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
-/usr/lib/cgi-bin/nut/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-/usr/lib/cgi-bin/nut/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-/usr/lib/cgi-bin/nut/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/usr/lib/systemd/system/nut.* -- gen_context(system_u:object_r:nut_unit_file_t,s0)
/usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/usr/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
-/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
+/usr/sbin/blazer_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
-/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
diff --git a/nut.if b/nut.if
index 57c0161ed..c554eb6e1 100644
--- a/nut.if
+++ b/nut.if
@@ -1,39 +1,60 @@
-## Network UPS Tools
+## nut - Network UPS Tools
-########################################
+#######################################
##
-## All of the rules required to
-## administrate an nut environment.
+## Creates types and rules for a basic
+## Network UPS Tools systemd daemon domain.
##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Role allowed access.
-##
+##
+##
+## Prefix for the domain.
+##
##
-##
#
-interface(`nut_admin',`
+template(`nut_domain_template',`
gen_require(`
attribute nut_domain;
- type nut_initrc_exec_t, nut_var_run_t, nut_conf_t;
')
- allow $1 nut_domain:process { ptrace signal_perms };
- ps_process_pattern($1, nut_domain_t)
+ type nut_$1_t, nut_domain;
+ type nut_$1_exec_t;
+ init_daemon_domain(nut_$1_t, nut_$1_exec_t)
+
+ type nut_$1_tmp_t;
+ files_tmp_file(nut_$1_tmp_t)
+
+ manage_dirs_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t)
+ manage_files_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t)
+ manage_lnk_files_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t)
+ files_tmp_filetrans(nut_$1_t, nut_$1_tmp_t, { lnk_file file dir })
+ fs_tmpfs_filetrans(nut_$1_t, nut_$1_tmp_t, { lnk_file file dir })
- init_labeled_script_domtrans($1, nut_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nut_initrc_exec_t system_r;
- allow $2 system_r;
+ auth_use_nsswitch(nut_$1_t)
+
+ logging_send_syslog_msg(nut_$1_t)
+
+')
+
+#######################################
+##
+## Execute swift server in the swift domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`nut_systemctl',`
+ gen_require(`
+ type nut_t;
+ type nut_unit_file_t;
+ ')
- files_search_etc($1)
- admin_pattern($1, nut_conf_t)
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 nut_unit_file_t:file read_file_perms;
+ allow $1 nut_unit_file_t:service manage_service_perms;
- files_search_pids($1)
- admin_pattern($1, nut_var_run_t)
+ ps_process_pattern($1, nut_t)
')
diff --git a/nut.te b/nut.te
index 5b2cb0d59..35b45d22e 100644
--- a/nut.te
+++ b/nut.te
@@ -7,154 +7,143 @@ policy_module(nut, 1.3.0)
attribute nut_domain;
+nut_domain_template(upsd)
+nut_domain_template(upsmon)
+nut_domain_template(upsdrvctl)
+
type nut_conf_t;
files_config_file(nut_conf_t)
-type nut_upsd_t, nut_domain;
-type nut_upsd_exec_t;
-init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)
-
-type nut_upsmon_t, nut_domain;
-type nut_upsmon_exec_t;
-init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)
-
-type nut_upsdrvctl_t, nut_domain;
-type nut_upsdrvctl_exec_t;
-init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
-
-type nut_initrc_exec_t;
-init_script_file(nut_initrc_exec_t)
-
type nut_var_run_t;
files_pid_file(nut_var_run_t)
-init_daemon_run_dir(nut_var_run_t, "nut")
-########################################
+type nut_unit_file_t;
+systemd_unit_file(nut_unit_file_t)
+
+#######################################
#
-# Common nut domain local policy
+# Local policy for upsd
#
-allow nut_domain self:capability { setgid setuid dac_override kill };
+allow nut_domain self:capability { setgid setuid dac_read_search dac_override };
+
allow nut_domain self:process signal_perms;
-allow nut_domain self:fifo_file rw_fifo_file_perms;
-allow nut_domain self:unix_dgram_socket sendto;
-allow nut_domain nut_conf_t:dir list_dir_perms;
-allow nut_domain nut_conf_t:file read_file_perms;
-allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms;
+allow nut_domain self:fifo_file rw_fifo_file_perms;
+allow nut_domain self:netlink_kobject_uevent_socket create_socket_perms;
+# pid file
manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_domain, nut_var_run_t, { dir file })
-
-kernel_read_kernel_sysctls(nut_domain)
-
-logging_send_syslog_msg(nut_domain)
-
-miscfiles_read_localization(nut_domain)
+manage_sock_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
+files_pid_filetrans(nut_domain, nut_var_run_t, dir)
########################################
#
-# Upsd local policy
+# Local policy for upsd
#
-allow nut_upsd_t self:tcp_socket { accept listen };
+allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
-manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file)
+allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
-stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t)
+read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
-corenet_all_recvfrom_unlabeled(nut_upsd_t)
-corenet_all_recvfrom_netlabel(nut_upsd_t)
-corenet_tcp_sendrecv_generic_if(nut_upsd_t)
-corenet_tcp_sendrecv_generic_node(nut_upsd_t)
-corenet_tcp_sendrecv_all_ports(nut_upsd_t)
-corenet_tcp_bind_generic_node(nut_upsd_t)
+kernel_read_kernel_sysctls(nut_upsd_t)
-corenet_sendrecv_ups_server_packets(nut_upsd_t)
corenet_tcp_bind_ups_port(nut_upsd_t)
-
-corenet_sendrecv_generic_server_packets(nut_upsd_t)
corenet_tcp_bind_generic_port(nut_upsd_t)
-
-files_read_usr_files(nut_upsd_t)
-
-auth_use_nsswitch(nut_upsd_t)
+corenet_tcp_bind_all_nodes(nut_upsd_t)
########################################
#
-# Upsmon local policy
+# Local policy for upsmon
#
-allow nut_upsmon_t self:capability dac_read_search;
-allow nut_upsmon_t self:unix_stream_socket connectto;
+allow nut_upsmon_t self:tcp_socket create_socket_perms;
+allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+
+kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)
corecmd_exec_bin(nut_upsmon_t)
corecmd_exec_shell(nut_upsmon_t)
-corenet_all_recvfrom_unlabeled(nut_upsmon_t)
-corenet_all_recvfrom_netlabel(nut_upsmon_t)
-corenet_tcp_sendrecv_generic_if(nut_upsmon_t)
-corenet_tcp_sendrecv_generic_node(nut_upsmon_t)
-corenet_tcp_sendrecv_all_ports(nut_upsmon_t)
-corenet_tcp_bind_generic_node(nut_upsmon_t)
-
-corenet_sendrecv_ups_client_packets(nut_upsmon_t)
corenet_tcp_connect_ups_port(nut_upsmon_t)
-
-corenet_sendrecv_generic_client_packets(nut_upsmon_t)
corenet_tcp_connect_generic_port(nut_upsmon_t)
+# Creates /etc/killpower
files_manage_etc_runtime_files(nut_upsmon_t)
files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
files_search_usr(nut_upsmon_t)
+# /usr/bin/wall
term_write_all_terms(nut_upsmon_t)
-auth_use_nsswitch(nut_upsmon_t)
+# upsmon runs shutdown, probably need a shutdown domain
+init_rw_utmp(nut_upsmon_t)
+init_telinit(nut_upsmon_t)
+
mta_send_mail(nut_upsmon_t)
+systemd_start_power_services(nut_upsmon_t)
+
optional_policy(`
shutdown_domtrans(nut_upsmon_t)
')
########################################
#
-# Upsdrvctl local policy
+# Local policy for upsdrvctl
#
+allow nut_upsdrvctl_t self:capability { kill };
allow nut_upsdrvctl_t self:fd use;
+allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
+
+can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
-manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, sock_file)
+read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
+kernel_read_kernel_sysctls(nut_upsdrvctl_t)
+
+# /sbin/upsdrvctl executes other drivers
corecmd_exec_bin(nut_upsdrvctl_t)
dev_read_sysfs(nut_upsdrvctl_t)
-dev_read_urand(nut_upsdrvctl_t)
dev_rw_generic_usb_dev(nut_upsdrvctl_t)
term_use_unallocated_ttys(nut_upsdrvctl_t)
-
-auth_use_nsswitch(nut_upsdrvctl_t)
+term_use_usb_ttys(nut_upsdrvctl_t)
init_sigchld(nut_upsdrvctl_t)
#######################################
#
-# Cgi local policy
+# Local policy for upscgi scripts
+# requires httpd_enable_cgi and httpd_can_network_connect
#
optional_policy(`
apache_content_template(nutups_cgi)
+ apache_content_alias_template(nutups_cgi,nutups_cgi)
+
+ read_files_pattern(nutups_cgi_script_t, nut_conf_t, nut_conf_t)
- allow httpd_nutups_cgi_script_t nut_conf_t:dir list_dir_perms;
- allow httpd_nutups_cgi_script_t nut_conf_t:file read_file_perms;
- allow httpd_nutups_cgi_script_t nut_conf_t:lnk_file read_lnk_file_perms;
+ corenet_all_recvfrom_netlabel(nutups_cgi_script_t)
+ corenet_tcp_sendrecv_generic_if(nutups_cgi_script_t)
+ corenet_tcp_sendrecv_generic_node(nutups_cgi_script_t)
+ corenet_tcp_sendrecv_all_ports(nutups_cgi_script_t)
+ corenet_tcp_connect_ups_port(nutups_cgi_script_t)
+ corenet_udp_sendrecv_generic_if(nutups_cgi_script_t)
+ corenet_udp_sendrecv_generic_node(nutups_cgi_script_t)
+ corenet_udp_sendrecv_all_ports(nutups_cgi_script_t)
- sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
+ sysnet_dns_name_resolve(nutups_cgi_script_t)
')
diff --git a/nx.if b/nx.if
index 251d6816a..50ae2a94b 100644
--- a/nx.if
+++ b/nx.if
@@ -35,7 +35,9 @@ interface(`nx_read_home_files',`
')
files_search_var_lib($1)
- read_files_pattern($1, { nx_server_var_lib_t nx_server_home_ssh_t }, nx_server_home_ssh_t)
+ allow $1 nx_server_var_lib_t:dir search_dir_perms;
+ read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+ read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
')
########################################
@@ -90,3 +92,21 @@ interface(`nx_var_lib_filetrans',`
filetrans_pattern($1, nx_server_var_lib_t, $2, $3, $4)
')
+
+########################################
+##
+## Transition to nx named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nx_filetrans_named_content',`
+ gen_require(`
+ type nx_server_home_ssh_t, nx_server_var_lib_t;
+ ')
+
+ filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh")
+')
diff --git a/nx.te b/nx.te
index 091f87272..62a0b1229 100644
--- a/nx.te
+++ b/nx.te
@@ -27,6 +27,9 @@ files_type(nx_server_var_lib_t)
type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)
+type nx_server_home_ssh_t;
+files_type(nx_server_home_ssh_t)
+
########################################
#
# Local policy
@@ -50,13 +53,15 @@ files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })
manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
+manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
+manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
+
kernel_read_system_state(nx_server_t)
kernel_read_kernel_sysctls(nx_server_t)
corecmd_exec_shell(nx_server_t)
corecmd_exec_bin(nx_server_t)
-corenet_all_recvfrom_unlabeled(nx_server_t)
corenet_all_recvfrom_netlabel(nx_server_t)
corenet_tcp_sendrecv_generic_if(nx_server_t)
corenet_tcp_sendrecv_generic_node(nx_server_t)
@@ -67,13 +72,7 @@ corenet_sendrecv_all_client_packets(nx_server_t)
dev_read_urand(nx_server_t)
-files_read_etc_files(nx_server_t)
files_read_etc_runtime_files(nx_server_t)
-files_read_usr_files(nx_server_t)
-
-miscfiles_read_localization(nx_server_t)
-
-seutil_dontaudit_search_config(nx_server_t)
sysnet_read_config(nx_server_t)
diff --git a/oav.te b/oav.te
index b09c4c412..995c3f6a6 100644
--- a/oav.te
+++ b/oav.te
@@ -95,7 +95,6 @@ dev_read_sysfs(scannerdaemon_t)
domain_use_interactive_fds(scannerdaemon_t)
files_exec_etc_files(scannerdaemon_t)
-files_read_etc_files(scannerdaemon_t)
files_read_etc_runtime_files(scannerdaemon_t)
files_search_var_lib(scannerdaemon_t)
diff --git a/obex.fc b/obex.fc
index 03fa56040..b254dd104 100644
--- a/obex.fc
+++ b/obex.fc
@@ -1 +1,2 @@
-/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0)
+/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0)
+/usr/libexec/bluetooth/obexd -- gen_context(system_u:object_r:obex_exec_t,s0)
diff --git a/obex.if b/obex.if
index 8635ea205..eec20b413 100644
--- a/obex.if
+++ b/obex.if
@@ -1,15 +1,50 @@
## D-Bus service providing high-level OBEX client and server side functionality.
-#######################################
+########################################
##
-## The role template for obex.
+## Transition to obex.
##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`obex_domtrans',`
+ gen_require(`
+ type obex_t, obex_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, obex_exec_t, obex_t)
+')
+
+########################################
+##
+## Send and receive messages from
+## obex over dbus.
+##
+##
+##
+## Domain allowed access.
+##
##
+#
+interface(`obex_dbus_chat',`
+ gen_require(`
+ type obex_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 obex_t:dbus send_msg;
+ allow obex_t $1:dbus send_msg;
+')
+
+#######################################
+##
+## Role access for obex domains
+## that executes via dbus-session
+##
##
##
## The role associated with the user domain.
@@ -20,69 +55,34 @@
## The type of the user domain.
##
##
+##
+##
+## User domain prefix to be used.
+##
+##
#
-template(`obex_role_template',`
+template(`obex_role',`
gen_require(`
attribute_role obex_roles;
- type obex_t, obex_exec_exec_t;
+ type obex_t, obex_exec_t;
')
########################################
- #
+ #
# Declarations
#
- roleattribute $2 obex_roles;
+ roleattribute $1 obex_roles;
########################################
- #
+ #
# Policy
- #
-
- allow $3 obex_t:process { ptrace signal_perms };
- ps_process_pattern($3, obex_t)
+ #
- dbus_spec_session_domain($1, obex_exec_t, obex_t)
-
- obex_dbus_chat($3)
-')
+ allow $2 obex_t:process signal_perms;
+ ps_process_pattern($2, obex_t)
-########################################
-##
-## Execute obex in the obex domain.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`obex_domtrans',`
- gen_require(`
- type obex_t, obex_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, obex_exec_t, obex_t)
-')
-
-########################################
-##
-## Send and receive messages from
-## obex over dbus.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`obex_dbus_chat',`
- gen_require(`
- type obex_t;
- class dbus send_msg;
- ')
+ dbus_session_domain($3, obex_exec_t, obex_t)
- allow $1 obex_t:dbus send_msg;
- allow obex_t $1:dbus send_msg;
+ obex_dbus_chat($2)
')
diff --git a/obex.te b/obex.te
index cd29ea899..d01d2c8e6 100644
--- a/obex.te
+++ b/obex.te
@@ -1,4 +1,4 @@
-policy_module(obex, 1.0.0)
+policy_module(obex,1.0.0)
########################################
#
@@ -14,30 +14,26 @@ role obex_roles types obex_t;
########################################
#
-# Local policy
+# obex local policy
#
allow obex_t self:fifo_file rw_fifo_file_perms;
allow obex_t self:socket create_stream_socket_perms;
+allow obex_t self:netlink_kobject_uevent_socket create_socket_perms;
-dev_read_urand(obex_t)
+kernel_request_load_module(obex_t)
-files_read_etc_files(obex_t)
+dev_read_urand(obex_t)
logging_send_syslog_msg(obex_t)
-miscfiles_read_localization(obex_t)
-
userdom_search_user_home_content(obex_t)
-optional_policy(`
- bluetooth_stream_connect(obex_t)
-')
-
optional_policy(`
dbus_system_bus_client(obex_t)
optional_policy(`
+ bluetooth_stream_connect(obex_t)
bluetooth_dbus_chat(obex_t)
')
')
diff --git a/oddjob.fc b/oddjob.fc
index dd1d9ef5a..c48733aa4 100644
--- a/oddjob.fc
+++ b/oddjob.fc
@@ -1,10 +1,12 @@
-/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
-/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/lib/systemd/system/oddjobd.* -- gen_context(system_u:object_r:oddjob_unit_file_t,s0)
+/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
-/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
-/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/bin/oddjob_request -- gen_context(system_u:object_r:oddjob_exec_t,s0)
+
+/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
-/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
+/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
diff --git a/oddjob.if b/oddjob.if
index c87bd2a30..c7bfd1fde 100644
--- a/oddjob.if
+++ b/oddjob.if
@@ -1,4 +1,8 @@
-## D-BUS service which runs odd jobs on behalf of client applications.
+##
+## Oddjob provides a mechanism by which unprivileged applications can
+## request that specified privileged operations be performed on their
+## behalf.
+##
########################################
##
@@ -15,14 +19,32 @@ interface(`oddjob_domtrans',`
type oddjob_t, oddjob_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, oddjob_exec_t, oddjob_t)
')
+#####################################
+##
+## Do not audit attempts to read and write
+## oddjob fifo file.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`oddjob_dontaudit_rw_fifo_file',`
+ gen_require(`
+ type oddjob_t;
+ ')
+
+ dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
########################################
##
-## Make the specified program domain
-## accessable from the oddjob.
+## Make the specified program domain accessable
+## from the oddjob.
##
##
##
@@ -41,6 +63,7 @@ interface(`oddjob_system_entry',`
')
domtrans_pattern(oddjob_t, $2, $1)
+ domain_user_exemption_target($1)
')
########################################
@@ -64,32 +87,46 @@ interface(`oddjob_dbus_chat',`
allow oddjob_t $1:dbus send_msg;
')
-########################################
+######################################
##
-## Execute a domain transition to
-## run oddjob mkhomedir.
+## Send a SIGCHLD signal to oddjob.
##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
##
##
#
+interface(`oddjob_sigchld',`
+ gen_require(`
+ type oddjob_t;
+ ')
+
+ allow $1 oddjob_t:process sigchld;
+')
+
+########################################
+##
+## Execute a domain transition to run oddjob_mkhomedir.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
interface(`oddjob_domtrans_mkhomedir',`
gen_require(`
type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
+ allow $1 oddjob_mkhomedir_exec_t:file map;
')
########################################
##
-## Execute oddjob mkhomedir in the
-## oddjob mkhomedir domain and allow
-## the specified role the oddjob
-## mkhomedir domain.
+## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
##
##
##
@@ -105,46 +142,114 @@ interface(`oddjob_domtrans_mkhomedir',`
#
interface(`oddjob_run_mkhomedir',`
gen_require(`
- attribute_role oddjob_mkhomedir_roles;
+ type oddjob_mkhomedir_t;
')
oddjob_domtrans_mkhomedir($1)
- roleattribute $2 oddjob_mkhomedir_roles;
+ role $2 types oddjob_mkhomedir_t;
')
-#####################################
+########################################
##
-## Do not audit attempts to read and write
-## oddjob fifo files.
+## Execute the oddjob program in the oddjob domain.
##
##
##
-## Domain to not audit.
+## Domain allowed to transition.
##
##
+##
+##
+## Role allowed access.
+##
+##
+##
#
-interface(`oddjob_dontaudit_rw_fifo_files',`
+interface(`oddjob_run',`
gen_require(`
type oddjob_t;
')
- dontaudit $1 oddjob_t:fifo_file rw_fifo_file_perms;
+ oddjob_domtrans($1)
+ role $2 types oddjob_t;
')
-######################################
+#######################################
+##
+## Execute oddjob in the oddjob domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`oddjob_systemctl',`
+ gen_require(`
+ type oddjob_unit_file_t;
+ type oddjob_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 oddjob_unit_file_t:file read_file_perms;
+ allow $1 oddjob_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, oddjob_t)
+')
+
+########################################
##
-## Send child terminated signals to oddjob.
+## Create a domain which can be started by init,
+## with a range transition.
##
##
##
-## Domain allowed access.
+## Type to be used as a domain.
+##
+##
+##
+##
+## Type of the program to be used as an entry point to this domain.
+##
+##
+##
+##
+## Range for the domain.
##
##
#
-interface(`oddjob_sigchld',`
+interface(`oddjob_ranged_domain',`
gen_require(`
type oddjob_t;
')
- allow $1 oddjob_t:process sigchld;
+ oddjob_system_entry($1, $2)
+
+ ifdef(`enable_mcs',`
+ range_transition oddjob_t $2:process $3;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition oddjob_t $2:process $3;
+ mls_rangetrans_target($1)
+ ')
+')
+
+########################################
+##
+## Allow any oddjob_mkhomedir_exec_t to be an entrypoint of this domain
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`oddjob_mkhomedir_entrypoint',`
+ gen_require(`
+ type oddjob_mkhomedir_exec_t;
+ ')
+ allow $1 oddjob_mkhomedir_exec_t:file entrypoint;
')
diff --git a/oddjob.te b/oddjob.te
index e403097c6..4737529c6 100644
--- a/oddjob.te
+++ b/oddjob.te
@@ -5,8 +5,6 @@ policy_module(oddjob, 1.10.0)
# Declarations
#
-attribute_role oddjob_mkhomedir_roles;
-
type oddjob_t;
type oddjob_exec_t;
domain_type(oddjob_t)
@@ -20,18 +18,22 @@ type oddjob_mkhomedir_exec_t;
domain_type(oddjob_mkhomedir_t)
domain_obj_id_change_exemption(oddjob_mkhomedir_t)
init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
-role oddjob_mkhomedir_roles types oddjob_mkhomedir_t;
+oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+# pid files
type oddjob_var_run_t;
files_pid_file(oddjob_var_run_t)
+type oddjob_unit_file_t;
+systemd_unit_file(oddjob_unit_file_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh)
')
########################################
#
-# Local policy
+# oddjob local policy
#
allow oddjob_t self:capability setgid;
@@ -43,8 +45,6 @@ manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file })
-domtrans_pattern(oddjob_t, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
-
kernel_read_system_state(oddjob_t)
corecmd_exec_bin(oddjob_t)
@@ -54,9 +54,9 @@ mcs_process_set_categories(oddjob_t)
selinux_compute_create_context(oddjob_t)
+
auth_use_nsswitch(oddjob_t)
-miscfiles_read_localization(oddjob_t)
locallogin_dontaudit_use_fds(oddjob_t)
@@ -66,27 +66,31 @@ optional_policy(`
')
optional_policy(`
- unconfined_domtrans(oddjob_t)
+ apache_dbus_chat(oddjob_t)
')
########################################
#
-# Mkhomedir local policy
+# oddjob_mkhomedir local policy
#
-allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
+allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_read_search dac_override };
allow oddjob_mkhomedir_t self:process setfscreate;
allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
-allow oddjob_mkhomedir_t self:unix_stream_socket { accept listen };
+allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
+
+allow oddjob_t oddjob_mkhomedir_exec_t:file map;
kernel_read_system_state(oddjob_mkhomedir_t)
+fs_manage_auto_mountpoints(oddjob_mkhomedir_t)
+
+mls_file_upgrade(oddjob_mkhomedir_t)
+
auth_use_nsswitch(oddjob_mkhomedir_t)
logging_send_syslog_msg(oddjob_mkhomedir_t)
-miscfiles_read_localization(oddjob_mkhomedir_t)
-
selinux_get_fs_mount(oddjob_mkhomedir_t)
selinux_validate_context(oddjob_mkhomedir_t)
selinux_compute_access_vector(oddjob_mkhomedir_t)
@@ -98,8 +102,11 @@ seutil_read_config(oddjob_mkhomedir_t)
seutil_read_file_contexts(oddjob_mkhomedir_t)
seutil_read_default_contexts(oddjob_mkhomedir_t)
+# Add/remove user home directories
userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
-userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
-userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
-userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_user_home_content(oddjob_mkhomedir_t)
+userdom_home_manager(oddjob_mkhomedir_t)
+userdom_stream_connect(oddjob_mkhomedir_t)
+
diff --git a/openct.te b/openct.te
index 3b6920e31..3e9b17fde 100644
--- a/openct.te
+++ b/openct.te
@@ -29,12 +29,12 @@ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
-can_exec(openct_t, openct_exec_t)
-
kernel_read_kernel_sysctls(openct_t)
kernel_list_proc(openct_t)
kernel_read_proc_symlinks(openct_t)
+can_exec(openct_t, openct_exec_t)
+
dev_read_sysfs(openct_t)
dev_rw_usbfs(openct_t)
dev_rw_smartcard(openct_t)
@@ -42,15 +42,12 @@ dev_rw_generic_usb_dev(openct_t)
domain_use_interactive_fds(openct_t)
-files_read_etc_files(openct_t)
fs_getattr_all_fs(openct_t)
fs_search_auto_mountpoints(openct_t)
logging_send_syslog_msg(openct_t)
-miscfiles_read_localization(openct_t)
-
userdom_dontaudit_use_unpriv_user_fds(openct_t)
userdom_dontaudit_search_user_home_dirs(openct_t)
diff --git a/opendnssec.fc b/opendnssec.fc
new file mode 100644
index 000000000..08d0e793d
--- /dev/null
+++ b/opendnssec.fc
@@ -0,0 +1,14 @@
+/usr/lib/systemd/system/ods-enforcerd.service -- gen_context(system_u:object_r:opendnssec_unit_file_t,s0)
+
+/usr/lib/systemd/system/ods-signerd.service -- gen_context(system_u:object_r:opendnssec_unit_file_t,s0)
+
+/usr/sbin/ods-control -- gen_context(system_u:object_r:opendnssec_exec_t,s0)
+/usr/sbin/ods-enforcerd -- gen_context(system_u:object_r:opendnssec_exec_t,s0)
+/usr/sbin/ods-signer -- gen_context(system_u:object_r:opendnssec_exec_t,s0)
+/usr/sbin/ods-signerd -- gen_context(system_u:object_r:opendnssec_exec_t,s0)
+
+/etc/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_conf_t,s0)
+
+/var/run/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_var_run_t,s0)
+
+/var/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_var_t,s0)
diff --git a/opendnssec.if b/opendnssec.if
new file mode 100644
index 000000000..31d6b7069
--- /dev/null
+++ b/opendnssec.if
@@ -0,0 +1,207 @@
+
+## policy for opendnssec
+
+########################################
+##
+## Execute opendnssec_exec_t in the opendnssec domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`opendnssec_domtrans',`
+ gen_require(`
+ type opendnssec_t, opendnssec_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, opendnssec_exec_t, opendnssec_t)
+')
+
+######################################
+##
+## Execute opendnssec in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`opendnssec_exec',`
+ gen_require(`
+ type opendnssec_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, opendnssec_exec_t)
+')
+
+########################################
+##
+## Read the opendnssec configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`opendnssec_read_config',`
+ gen_require(`
+ type opendnssec_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 opendnssec_conf_t:file read_file_perms;
+')
+
+########################################
+##
+## Read the opendnssec configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`opendnssec_manage_config',`
+ gen_require(`
+ type opendnssec_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 opendnssec_conf_t:dir manage_dir_perms;
+ allow $1 opendnssec_conf_t:file manage_file_perms;
+')
+
+########################################
+##
+## Allow the specified domain to
+## read and write opendnssec /var files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`opendnssec_manage_var_files',`
+ gen_require(`
+ type opendnssec_var_t;
+ ')
+
+ files_search_var($1)
+ files_search_var_lib($1)
+ manage_files_pattern($1, opendnssec_var_t, opendnssec_var_t)
+')
+
+########################################
+##
+## Read opendnssec PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`opendnssec_read_pid_files',`
+ gen_require(`
+ type opendnssec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, opendnssec_var_run_t, opendnssec_var_run_t)
+')
+
+########################################
+##
+## Execute opendnssec server in the opendnssec domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`opendnssec_systemctl',`
+ gen_require(`
+ type opendnssec_t;
+ type opendnssec_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 opendnssec_unit_file_t:file read_file_perms;
+ allow $1 opendnssec_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, opendnssec_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an opendnssec environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`opendnssec_admin',`
+ gen_require(`
+ type opendnssec_t;
+ type opendnssec_var_run_t;
+ type opendnssec_unit_file_t;
+ ')
+
+ allow $1 opendnssec_t:process { signal_perms };
+ ps_process_pattern($1, opendnssec_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 opendnssec_t:process ptrace;
+ ')
+
+ files_search_pids($1)
+ admin_pattern($1, opendnssec_var_run_t)
+
+ opendnssec_systemctl($1)
+ admin_pattern($1, opendnssec_unit_file_t)
+ allow $1 opendnssec_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
+
+########################################
+##
+## Transition to quota named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`opendnssec_filetrans_etc_content',`
+ gen_require(`
+ type opendnssec_conf_t;
+ ')
+
+ files_etc_filetrans($1, opendnssec_conf_t, file)
+')
diff --git a/opendnssec.te b/opendnssec.te
new file mode 100644
index 000000000..e246d45a5
--- /dev/null
+++ b/opendnssec.te
@@ -0,0 +1,68 @@
+policy_module(opendnssec, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type opendnssec_t;
+type opendnssec_exec_t;
+init_daemon_domain(opendnssec_t, opendnssec_exec_t)
+
+type opendnssec_conf_t;
+files_config_file(opendnssec_conf_t)
+
+type opendnssec_var_t;
+files_type(opendnssec_var_t)
+
+type opendnssec_var_run_t;
+files_pid_file(opendnssec_var_run_t)
+
+type opendnssec_tmp_t;
+files_tmp_file(opendnssec_tmp_t)
+
+type opendnssec_unit_file_t;
+systemd_unit_file(opendnssec_unit_file_t)
+
+########################################
+#
+# opendnssec local policy
+#
+allow opendnssec_t self:capability { chown setgid setuid sys_chroot };
+allow opendnssec_t self:process { fork signal_perms };
+allow opendnssec_t self:fifo_file rw_fifo_file_perms;
+allow opendnssec_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+manage_files_pattern(opendnssec_t, opendnssec_conf_t,opendnssec_conf_t)
+manage_dirs_pattern(opendnssec_t, opendnssec_conf_t,opendnssec_conf_t)
+
+manage_dirs_pattern(opendnssec_t, opendnssec_var_t, opendnssec_var_t)
+manage_files_pattern(opendnssec_t, opendnssec_var_t, opendnssec_var_t)
+files_var_filetrans(opendnssec_t, opendnssec_var_t, dir)
+
+manage_dirs_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t)
+manage_files_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t)
+manage_lnk_files_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t)
+manage_sock_files_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t)
+files_pid_filetrans(opendnssec_t, opendnssec_var_run_t, { dir file lnk_file })
+
+manage_dirs_pattern(opendnssec_t, opendnssec_tmp_t, opendnssec_tmp_t)
+manage_files_pattern(opendnssec_t, opendnssec_tmp_t, opendnssec_tmp_t)
+files_tmp_filetrans(opendnssec_t, opendnssec_tmp_t, { file dir })
+
+kernel_read_system_state(opendnssec_t)
+
+auth_use_nsswitch(opendnssec_t)
+
+corecmd_exec_bin(opendnssec_t)
+
+logging_send_syslog_msg(opendnssec_t)
+
+optional_policy(`
+ bind_manage_cache(opendnssec_t)
+')
+
+optional_policy(`
+ ipa_manage_lib(opendnssec_t)
+')
+
diff --git a/openhpi.te b/openhpi.te
index 8de619112..1a01e99f2 100644
--- a/openhpi.te
+++ b/openhpi.te
@@ -38,6 +38,8 @@ files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, dir)
manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t)
files_pid_filetrans(openhpid_t, openhpid_var_run_t, file)
+kernel_read_system_state(openhpid_t)
+
corenet_all_recvfrom_unlabeled(openhpid_t)
corenet_all_recvfrom_netlabel(openhpid_t)
corenet_tcp_sendrecv_generic_if(openhpid_t)
@@ -50,8 +52,10 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t)
dev_read_urand(openhpid_t)
-files_read_etc_files(openhpid_t)
-
logging_send_syslog_msg(openhpid_t)
miscfiles_read_localization(openhpid_t)
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(openhpid_t)
+')
diff --git a/openhpid.fc b/openhpid.fc
new file mode 100644
index 000000000..df219e6ef
--- /dev/null
+++ b/openhpid.fc
@@ -0,0 +1,10 @@
+
+/etc/rc\.d/init\.d/openhpid -- gen_context(system_u:object_r:openhpid_initrc_exec_t,s0)
+
+/usr/sbin/openhpid -- gen_context(system_u:object_r:openhpid_exec_t,s0)
+
+/var/lib/openhpi(/.*)? gen_context(system_u:object_r:openhpid_var_lib_t,s0)
+
+/var/log/dynsim[0-9]*\.log -- gen_context(system_u:object_r:openhpid_log_t,s0)
+
+/var/run/openhpid\.pid -- gen_context(system_u:object_r:openhpid_var_run_t,s0)
diff --git a/openhpid.if b/openhpid.if
new file mode 100644
index 000000000..598789a3b
--- /dev/null
+++ b/openhpid.if
@@ -0,0 +1,159 @@
+
+## policy for openhpid
+
+
+########################################
+##
+## Transition to openhpid.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`openhpid_domtrans',`
+ gen_require(`
+ type openhpid_t, openhpid_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, openhpid_exec_t, openhpid_t)
+')
+
+
+########################################
+##
+## Execute openhpid server in the openhpid domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openhpid_initrc_domtrans',`
+ gen_require(`
+ type openhpid_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
+')
+
+
+########################################
+##
+## Search openhpid lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openhpid_search_lib',`
+ gen_require(`
+ type openhpid_var_lib_t;
+ ')
+
+ allow $1 openhpid_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read openhpid lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openhpid_read_lib_files',`
+ gen_require(`
+ type openhpid_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
+')
+
+########################################
+##
+## Manage openhpid lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openhpid_manage_lib_files',`
+ gen_require(`
+ type openhpid_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
+')
+
+########################################
+##
+## Manage openhpid lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openhpid_manage_lib_dirs',`
+ gen_require(`
+ type openhpid_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an openhpid environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`openhpid_admin',`
+ gen_require(`
+ type openhpid_t;
+ type openhpid_initrc_exec_t;
+ type openhpid_var_lib_t;
+ ')
+
+ allow $1 openhpid_t:process { ptrace signal_perms };
+ ps_process_pattern($1, openhpid_t)
+
+ openhpid_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 openhpid_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, openhpid_var_lib_t)
+
+
+
+')
+
diff --git a/openhpid.te b/openhpid.te
new file mode 100644
index 000000000..a0e0eafce
--- /dev/null
+++ b/openhpid.te
@@ -0,0 +1,67 @@
+policy_module(openhpid, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openhpid_t;
+type openhpid_exec_t;
+init_daemon_domain(openhpid_t, openhpid_exec_t)
+
+type openhpid_initrc_exec_t;
+init_script_file(openhpid_initrc_exec_t)
+
+type openhpid_log_t;
+logging_log_file(openhpid_log_t)
+
+type openhpid_var_lib_t;
+files_type(openhpid_var_lib_t)
+
+type openhpid_var_run_t;
+files_pid_file(openhpid_var_run_t)
+
+########################################
+#
+# openhpid local policy
+#
+
+allow openhpid_t self:capability { kill };
+allow openhpid_t self:process signal_perms;
+
+allow openhpid_t self:fifo_file rw_fifo_file_perms;
+allow openhpid_t self:netlink_route_socket r_netlink_socket_perms;
+allow openhpid_t self:unix_stream_socket create_stream_socket_perms;
+allow openhpid_t self:tcp_socket create_stream_socket_perms;
+allow openhpid_t self:udp_socket create_socket_perms;
+
+
+manage_files_pattern(openhpid_t, openhpid_log_t, openhpid_log_t)
+logging_log_filetrans(openhpid_t, openhpid_log_t, file)
+
+manage_dirs_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
+manage_files_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
+files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, { dir file })
+
+manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t)
+files_pid_filetrans(openhpid_t, openhpid_var_run_t, { file })
+
+kernel_read_system_state(openhpid_t)
+
+corenet_tcp_bind_generic_node(openhpid_t)
+corenet_tcp_bind_openhpid_port(openhpid_t)
+corenet_tcp_connect_http_port(openhpid_t)
+
+dev_read_urand(openhpid_t)
+dev_rw_watchdog(openhpid_t)
+
+logging_send_syslog_msg(openhpid_t)
+
+miscfiles_read_generic_certs(openhpid_t)
+
+sysnet_read_config(openhpid_t)
+
+optional_policy(`
+ snmp_manage_var_lib_files(openhpid_t)
+ snmp_manage_var_lib_dirs(openhpid_t)
+')
diff --git a/openshift-origin.fc b/openshift-origin.fc
new file mode 100644
index 000000000..30ca148ee
--- /dev/null
+++ b/openshift-origin.fc
@@ -0,0 +1 @@
+# Left Blank
diff --git a/openshift-origin.if b/openshift-origin.if
new file mode 100644
index 000000000..3eb6a3057
--- /dev/null
+++ b/openshift-origin.if
@@ -0,0 +1 @@
+##
diff --git a/openshift-origin.te b/openshift-origin.te
new file mode 100644
index 000000000..a437f80ca
--- /dev/null
+++ b/openshift-origin.te
@@ -0,0 +1,13 @@
+policy_module(openshift-origin,1.0.0)
+gen_require(`
+ attribute openshift_domain;
+')
+
+########################################
+#
+# openshift origin standard local policy
+#
+allow openshift_domain self:socket_class_set create_socket_perms;
+corenet_tcp_connect_all_ports(openshift_domain)
+corenet_tcp_bind_all_ports(openshift_domain)
+files_read_config_files(openshift_domain)
diff --git a/openshift.fc b/openshift.fc
new file mode 100644
index 000000000..5a2f97ef6
--- /dev/null
+++ b/openshift.fc
@@ -0,0 +1,30 @@
+/etc/rc\.d/init\.d/libra gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mcollective gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
+/etc/cron.minutely/openshift-facts -- gen_context(system_u:object_r:openshift_cron_exec_t,s0)
+
+/var/lib/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
+/var/lib/stickshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
+/var/lib/containers/home(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
+/var/lib/openshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
+/var/lib/openshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
+
+/var/lib/stickshift/.*/\.tmp(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
+/var/lib/stickshift/.*/\.sandbox(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
+/var/lib/openshift/.*/\.tmp(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
+/var/lib/openshift/.*/\.sandbox(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
+
+/var/log/mcollective\.log.* -- gen_context(system_u:object_r:openshift_log_t,s0)
+/var/log/openshift(/.*)? gen_context(system_u:object_r:openshift_log_t,s0)
+
+/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
+
+/usr/s?bin/oo-lists-ports -- gen_context(system_u:object_r:openshift_net_read_exec_t,s0)
+
+/usr/s?bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/usr/s?bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/usr/s?bin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
+/var/run/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
diff --git a/openshift.if b/openshift.if
new file mode 100644
index 000000000..c20cac397
--- /dev/null
+++ b/openshift.if
@@ -0,0 +1,697 @@
+
+## policy for openshift
+
+########################################
+##
+## Execute openshift server in the openshift domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`openshift_initrc_domtrans',`
+ gen_require(`
+ type openshift_initrc_t;
+ type openshift_initrc_exec_t;
+ ')
+
+ domtrans_pattern($1, openshift_initrc_exec_t, openshift_initrc_t)
+')
+
+#######################################
+##
+## Execute openshift server in the openshift domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+##
+## Role access to this domain.
+##
+##
+#
+interface(`openshift_initrc_run',`
+ gen_require(`
+ type openshift_initrc_t;
+ type openshift_initrc_exec_t;
+ ')
+
+ openshift_initrc_domtrans($1)
+ role $2 types openshift_initrc_t;
+')
+
+########################################
+##
+## Send a null signal to openshift init scripts.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_initrc_signull',`
+ gen_require(`
+ type openshift_initrc_t;
+ ')
+
+ allow $1 openshift_initrc_t:process signull;
+')
+
+#######################################
+##
+## Send a signal to openshift init scripts.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_initrc_signal',`
+ gen_require(`
+ type openshift_initrc_t;
+ ')
+
+ allow $1 openshift_initrc_t:process signal;
+')
+
+########################################
+##
+## Search openshift cache directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_search_cache',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## Read openshift cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_read_cache_files',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## Create, read, write, and delete
+## openshift cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_manage_cache_files',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## Create, read, write, and delete
+## openshift cache dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_manage_cache_dirs',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+
+########################################
+##
+## Allow the specified domain to read openshift's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`openshift_read_log',`
+ gen_require(`
+ type openshift_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, openshift_log_t, openshift_log_t)
+')
+
+########################################
+##
+## Allow the specified domain to append
+## openshift log files.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`openshift_append_log',`
+ gen_require(`
+ type openshift_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, openshift_log_t, openshift_log_t)
+')
+
+########################################
+##
+## Allow domain to manage openshift log files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`openshift_manage_log',`
+ gen_require(`
+ type openshift_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, openshift_log_t, openshift_log_t)
+ manage_files_pattern($1, openshift_log_t, openshift_log_t)
+ manage_lnk_files_pattern($1, openshift_log_t, openshift_log_t)
+')
+
+########################################
+##
+## Search openshift lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_search_lib',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ search_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Getattr openshift lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_getattr_lib',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read openshift lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_read_lib_files',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ read_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+########################################
+##
+## Read openshift lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_append_lib_files',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ append_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## openshift lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_manage_lib_files',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ manage_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## openshift lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_manage_lib_dirs',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+########################################
+##
+## Manage openshift lib content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_manage_content',`
+ gen_require(`
+ attribute openshift_file_type;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, openshift_file_type, openshift_file_type)
+ manage_files_pattern($1, openshift_file_type, openshift_file_type)
+ manage_lnk_files_pattern($1, openshift_file_type, openshift_file_type)
+ manage_sock_files_pattern($1, openshift_file_type, openshift_file_type)
+')
+
+########################################
+##
+## Relabel openshift library files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_relabelfrom_lib',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ relabel_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ relabel_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+#######################################
+##
+## Create private objects in the
+## mail lib directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to be created.
+##
+##
+##
+##
+## The object class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`openshift_lib_filetrans',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ filetrans_pattern($1, openshift_var_lib_t, $2, $3, $4)
+')
+
+########################################
+##
+## Read openshift PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_read_pid_files',`
+ gen_require(`
+ type openshift_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 openshift_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an openshift environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`openshift_admin',`
+ gen_require(`
+ attribute openshift_domain;
+ type openshift_initrc_exec_t;
+ type openshift_log_t;
+ type openshift_var_lib_t;
+ type openshift_var_run_t;
+ ')
+
+ allow $1 openshift_domain:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 openshift_domain:process ptrace;
+ ')
+ ps_process_pattern($1, openshift_domain)
+
+ openshift_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 openshift_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, openshift_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, openshift_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, openshift_var_run_t)
+
+')
+
+########################################
+##
+## Make the specified type usable as a openshift domain.
+##
+##
+##
+## The prefix of the domain (e.g., openshift
+## is the prefix for openshift_t).
+##
+##
+#
+template(`openshift_service_domain_template',`
+ gen_require(`
+ attribute openshift_domain;
+ attribute openshift_user_domain;
+ ')
+
+ type $1_t;
+ typeattribute $1_t openshift_domain, openshift_user_domain;
+ domain_type($1_t)
+ role system_r types $1_t;
+ mcs_constrained($1_t)
+ domain_user_exemption_target($1_t)
+ auth_use_nsswitch($1_t)
+ domain_subj_id_change_exemption($1_t)
+ domain_obj_id_change_exemption($1_t)
+ domain_dyntrans_type($1_t)
+
+ kernel_read_system_state($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ type $1_app_t;
+ typeattribute $1_app_t openshift_domain;
+ domain_type($1_app_t)
+ role system_r types $1_app_t;
+ mcs_constrained($1_app_t)
+ domain_user_exemption_target($1_app_t)
+ domain_obj_id_change_exemption($1_app_t)
+ domain_dyntrans_type($1_app_t)
+ auth_use_nsswitch($1_app_t)
+
+ kernel_read_system_state($1_app_t)
+
+ logging_send_syslog_msg($1_app_t)
+')
+
+########################################
+##
+## Make the specified type usable as a openshift domain.
+##
+##
+##
+## Type to be used as a openshift domain type.
+##
+##
+#
+interface(`openshift_net_type',`
+ gen_require(`
+ attribute openshift_net_domain;
+ ')
+
+ typeattribute $1 openshift_net_domain;
+')
+
+########################################
+##
+## Read and write inherited openshift files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_rw_inherited_content',`
+ gen_require(`
+ attribute openshift_file_type;
+ ')
+
+ allow $1 openshift_file_type:file rw_inherited_file_perms;
+')
+
+########################################
+##
+## Manage openshift tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_manage_tmp_files',`
+ gen_require(`
+ type openshift_tmp_t;
+ ')
+
+ manage_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
+')
+
+########################################
+##
+## Manage openshift tmp sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_manage_tmp_sockets',`
+ gen_require(`
+ type openshift_tmp_t;
+ ')
+
+ manage_sock_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
+')
+
+########################################
+##
+## Mounton openshift tmp directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_mounton_tmp',`
+ gen_require(`
+ type openshift_tmp_t;
+ ')
+
+ allow $1 openshift_tmp_t:dir mounton;
+')
+
+########################################
+##
+## Dontaudit Read and write inherited script fifo files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_dontaudit_rw_inherited_fifo_files',`
+ gen_require(`
+ type openshift_initrc_t;
+ type openshift_t;
+ ')
+
+ dontaudit $1 openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit $1 openshift_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+##
+## Allow calling app to transition to an openshift domain
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+#
+interface(`openshift_transition',`
+ gen_require(`
+ attribute openshift_user_domain;
+ ')
+
+ allow $1 openshift_user_domain:process transition;
+ dontaudit $1 openshift_user_domain:process { noatsecure siginh rlimitinh };
+ allow openshift_user_domain $1:fd use;
+ allow openshift_user_domain $1:fifo_file rw_inherited_fifo_file_perms;
+ allow openshift_user_domain $1:process sigchld;
+ dontaudit $1 openshift_user_domain:socket_class_set { read write };
+')
+
+########################################
+##
+## Allow calling app to transition to an openshift domain
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+#
+interface(`openshift_dyntransition',`
+ gen_require(`
+ attribute openshift_domain;
+ attribute openshift_user_domain;
+ ')
+
+ allow $1 openshift_user_domain:process dyntransition;
+ dontaudit openshift_user_domain $1:key view;
+ allow openshift_user_domain $1:unix_stream_socket { connectto rw_socket_perms };
+ allow openshift_user_domain $1:unix_dgram_socket rw_socket_perms;
+ allow $1 openshift_user_domain:process { rlimitinh signal };
+ dontaudit openshift_domain $1:tcp_socket { read write getattr setopt getopt shutdown };
+')
+
+########################################
+##
+## Execute openshift in the openshift domain, and
+## allow the specified role the openshift domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`openshift_run',`
+ gen_require(`
+ type openshift_initrc_exec_t;
+ ')
+
+ openshift_initrc_domtrans($1)
+ role_transition $2 openshift_initrc_exec_t system_r;
+ openshift_transition($1)
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
index 000000000..a98990f3a
--- /dev/null
+++ b/openshift.te
@@ -0,0 +1,634 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
+ role system_r;
+')
+
+##
+##
+## Allow openshift to access nfs file systems without labels
+##
+##
+gen_tunable(openshift_use_nfs, false)
+
+
+########################################
+#
+# Declarations
+#
+
+
+# openshift applications that can use the network.
+attribute openshift_net_domain;
+# Attribute representing all openshift user processes (excludes apache processes)
+attribute openshift_user_domain;
+# Attribute representing all openshift processes
+attribute openshift_domain;
+
+# Attribute for all openshift content
+attribute openshift_file_type;
+
+# Type of openshift init script
+type openshift_initrc_t;
+type openshift_initrc_exec_t;
+init_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t)
+init_ranged_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh)
+domain_obj_id_change_exemption(openshift_initrc_t)
+optional_policy(`
+ oddjob_ranged_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh)
+')
+
+type openshift_initrc_tmp_t;
+files_tmp_file(openshift_initrc_tmp_t)
+
+type openshift_tmpfs_t;
+files_tmpfs_file(openshift_tmpfs_t)
+
+type openshift_tmp_t, openshift_file_type;
+files_tmp_file(openshift_tmp_t)
+files_mountpoint(openshift_tmp_t)
+files_poly(openshift_tmp_t)
+files_poly_parent(openshift_tmp_t)
+
+type openshift_var_run_t;
+files_pid_file(openshift_var_run_t)
+
+type openshift_var_lib_t, openshift_file_type;
+userdom_user_home_content(openshift_var_lib_t)
+files_poly(openshift_var_lib_t)
+files_poly_parent(openshift_var_lib_t)
+files_mountpoint(openshift_var_lib_t)
+
+type openshift_rw_file_t, openshift_file_type;
+files_poly(openshift_rw_file_t)
+files_poly_parent(openshift_rw_file_t)
+
+type openshift_log_t;
+logging_log_file(openshift_log_t)
+
+type openshift_port_t;
+corenet_port(openshift_port_t)
+corenet_reserved_port(openshift_port_t)
+
+type openshift_cgroup_read_t;
+type openshift_cgroup_read_exec_t;
+application_domain(openshift_cgroup_read_t, openshift_cgroup_read_exec_t)
+
+type openshift_net_read_t;
+type openshift_net_read_exec_t;
+application_domain(openshift_net_read_t, openshift_net_read_exec_t)
+
+type openshift_cgroup_read_tmp_t, openshift_file_type;
+files_tmp_file(openshift_cgroup_read_tmp_t)
+
+type openshift_cron_t;
+type openshift_cron_exec_t;
+domain_type(openshift_cron_t)
+domain_entry_file(openshift_cron_t, openshift_cron_exec_t)
+role system_r types openshift_cron_t;
+
+optional_policy(`
+ cron_system_entry(openshift_cron_t, openshift_cron_exec_t)
+')
+
+type openshift_cron_tmp_t, openshift_file_type;
+files_tmp_file(openshift_cron_tmp_t)
+
+########################################
+#
+# Template to create openshift_t and openshift_app_t
+#
+
+openshift_service_domain_template(openshift)
+
+########################################
+#
+# openshift initrc local policy
+#
+
+unconfined_domain_noaudit(openshift_initrc_t)
+mcs_process_set_categories(openshift_initrc_t)
+
+virt_sandbox_domain(openshift_initrc_t)
+
+systemd_dbus_chat_logind(openshift_initrc_t)
+
+manage_dirs_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
+manage_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
+manage_lnk_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
+files_tmp_filetrans(openshift_initrc_t, openshift_initrc_tmp_t, { file dir })
+
+manage_dirs_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
+manage_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
+manage_lnk_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
+files_pid_filetrans(openshift_initrc_t, openshift_var_run_t, { file dir })
+
+manage_dirs_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t)
+manage_files_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t)
+logging_log_filetrans(openshift_initrc_t, openshift_log_t, { file dir })
+
+allow openshift_initrc_t openshift_domain:process { getattr getsched setsched transition signal signull sigkill };
+allow openshift_domain openshift_initrc_t:fd use;
+allow openshift_domain openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
+allow openshift_domain openshift_initrc_t:process sigchld;
+dontaudit openshift_domain openshift_initrc_t:key view;
+dontaudit openshift_domain openshift_initrc_t:process signull;
+dontaudit openshift_domain openshift_initrc_t:socket_class_set { read write };
+
+init_domtrans_script(openshift_initrc_t)
+init_initrc_domain(openshift_initrc_t)
+
+optional_policy(`
+ firewalld_dbus_chat(openshift_initrc_t)
+')
+
+#######################################################
+#
+# Policy for all openshift domains
+#
+allow openshift_domain self:process ~ptrace;
+tunable_policy(`deny_ptrace',`',`
+ allow openshift_domain self:process ptrace;
+')
+
+allow openshift_domain self:msg all_msg_perms;
+allow openshift_domain self:msgq create_msgq_perms;
+allow openshift_domain self:shm create_shm_perms;
+allow openshift_domain self:sem create_sem_perms;
+dontaudit openshift_domain self:dir write;
+dontaudit openshift_domain self:rawip_socket create_socket_perms;
+
+dontaudit openshift_t self:unix_stream_socket recvfrom;
+dontaudit openshift_domain self:netlink_tcpdiag_socket create;
+dontaudit openshift_domain self:netlink_route_socket nlmsg_write;
+allow openshift_domain self:tcp_socket create_stream_socket_perms;
+allow openshift_domain self:fifo_file manage_fifo_file_perms;
+allow openshift_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allow openshift_domain self:unix_dgram_socket { create_socket_perms sendto };
+dontaudit openshift_domain self:netlink_audit_socket { create_socket_perms nlmsg_relay };
+
+manage_dirs_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
+manage_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
+manage_fifo_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
+manage_sock_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
+manage_lnk_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
+allow openshift_domain openshift_rw_file_t:dir_file_class_set { relabelfrom relabelto };
+
+list_dirs_pattern(openshift_domain, openshift_file_type, openshift_file_type)
+read_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
+rw_fifo_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
+rw_sock_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
+read_lnk_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
+allow openshift_domain openshift_file_type:file execmod;
+can_exec(openshift_domain, openshift_file_type)
+allow openshift_domain openshift_file_type:file entrypoint;
+# Allow users to execute files in their home dir
+allow openshift_domain openshift_file_type:file { execute execute_no_trans };
+
+# Dontaudit openshift domains trying to search other openshift domains directories,
+# this happens just when users are probing the system
+dontaudit openshift_domain openshift_file_type:dir search_dir_perms
+;
+
+manage_dirs_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+manage_lnk_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+manage_sock_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+manage_fifo_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file sock_file lnk_file fifo_file })
+can_exec(openshift_domain, openshift_tmpfs_t)
+
+manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_fifo_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_lnk_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_sock_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+files_tmp_filetrans(openshift_domain, openshift_tmp_t, { lnk_file file dir sock_file fifo_file })
+allow openshift_domain openshift_tmp_t:dir_file_class_set { relabelfrom relabelto };
+
+allow openshift_domain openshift_log_t:file { getattr append lock ioctl };
+
+#lsof
+allow openshift_domain openshift_initrc_t:tcp_socket getattr;
+
+dontaudit openshift_domain openshift_initrc_tmp_t:file append;
+dontaudit openshift_domain openshift_var_run_t:file append;
+dontaudit openshift_domain openshift_file_type:sock_file execute;
+
+kernel_dontaudit_search_network_state(openshift_domain)
+kernel_dontaudit_list_all_proc(openshift_domain)
+kernel_dontaudit_list_all_sysctls(openshift_domain)
+kernel_dontaudit_request_load_module(openshift_domain)
+kernel_get_sysvipc_info(openshift_domain)
+
+corecmd_shell_entry_type(openshift_domain)
+corecmd_bin_entry_type(openshift_domain)
+corecmd_exec_all_executables(openshift_domain)
+
+dev_read_sysfs(openshift_domain)
+dev_read_rand(openshift_domain)
+dev_read_urand(openshift_domain)
+dev_dontaudit_append_rand(openshift_domain)
+dev_dontaudit_write_urand(openshift_domain)
+dev_dontaudit_getattr_all_blk_files(openshift_domain)
+dev_dontaudit_getattr_all_chr_files(openshift_domain)
+dev_dontaudit_all_access_check(openshift_domain)
+
+domain_use_interactive_fds(openshift_domain)
+domain_dontaudit_read_all_domains_state(openshift_domain)
+
+files_read_var_lib_symlinks(openshift_domain)
+
+fs_rw_hugetlbfs_files(openshift_domain)
+fs_rw_anon_inodefs_files(openshift_domain)
+fs_search_tmpfs(openshift_domain)
+fs_getattr_all_fs(openshift_domain)
+fs_dontaudit_getattr_all_fs(openshift_domain)
+fs_list_inotifyfs(openshift_domain)
+fs_dontaudit_list_auto_mountpoints(openshift_domain)
+fs_dontaudit_list_tmpfs(openshift_domain)
+storage_dontaudit_getattr_fixed_disk_dev(openshift_domain)
+storage_getattr_fixed_disk_dev(openshift_domain)
+fs_get_xattr_fs_quotas(openshift_domain)
+fs_rw_inherited_tmpfs_files(openshift_domain)
+fs_dontaudit_rw_anon_inodefs_files(openshift_domain)
+
+dontaudit openshift_domain file_type:dir read;
+files_dontaudit_list_home(openshift_domain)
+files_dontaudit_search_all_pids(openshift_domain)
+files_dontaudit_getattr_all_dirs(openshift_domain)
+files_dontaudit_getattr_all_files(openshift_domain)
+files_dontaudit_list_mnt(openshift_domain)
+files_dontaudit_list_var(openshift_domain)
+files_dontaudit_getattr_lost_found_dirs(openshift_domain)
+files_dontaudit_search_all_mountpoints(openshift_domain)
+files_dontaudit_search_spool(openshift_domain)
+files_dontaudit_search_all_dirs(openshift_domain)
+files_exec_etc_files(openshift_domain)
+files_exec_usr_files(openshift_domain)
+files_dontaudit_getattr_non_security_sockets(openshift_domain)
+files_dontaudit_setattr_non_security_dirs(openshift_domain)
+files_dontaudit_setattr_non_security_files(openshift_domain)
+files_dontaudit_rw_inherited_locks(openshift_domain)
+
+libs_exec_lib_files(openshift_domain)
+libs_exec_ld_so(openshift_domain)
+
+selinux_validate_context(openshift_domain)
+
+logging_inherit_append_all_logs(openshift_domain)
+
+init_dontaudit_read_utmp(openshift_domain)
+
+miscfiles_read_fonts(openshift_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(openshift_domain)
+
+mta_dontaudit_read_spool_symlinks(openshift_domain)
+
+term_dontaudit_search_ptys(openshift_domain)
+term_use_generic_ptys(openshift_domain)
+term_dontaudit_getattr_generic_ptys(openshift_domain)
+term_use_ptmx(openshift_domain)
+
+userdom_use_inherited_user_ptys(openshift_domain)
+userdom_dontaudit_search_admin_dir(openshift_domain)
+
+application_exec(openshift_domain)
+
+optional_policy(`
+ apache_exec_modules(openshift_domain)
+ apache_list_modules(openshift_domain)
+ apache_read_config(openshift_domain)
+ apache_search_config(openshift_domain)
+ apache_read_sys_content(openshift_domain)
+ apache_exec_sys_script(openshift_domain)
+ apache_entrypoint(openshift_domain)
+ apache_dontaudit_read_log(openshift_domain)
+')
+
+optional_policy(`
+ #############################################
+ #
+ # openshift cgi script policy
+ #
+ apache_content_template(openshift)
+ apache_content_alias_template(openshift, openshift)
+ domtrans_pattern(openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t)
+
+ optional_policy(`
+ dbus_system_bus_client(openshift_script_t)
+
+ optional_policy(`
+ oddjob_dbus_chat(openshift_script_t)
+ oddjob_dontaudit_rw_fifo_file(openshift_domain)
+ ')
+ ')
+')
+
+optional_policy(`
+ cron_role(system_r, openshift_domain)
+')
+
+optional_policy(`
+ gear_search_lib(openshift_domain)
+')
+
+optional_policy(`
+ gpg_entry_type(openshift_domain)
+')
+
+optional_policy(`
+ mysql_search_db(openshift_domain)
+')
+
+optional_policy(`
+ screen_exec(openshift_domain)
+')
+
+optional_policy(`
+ ssh_use_ptys(openshift_domain)
+ ssh_getattr_user_home_dir(openshift_domain)
+ ssh_dontaudit_search_user_home_dir(openshift_domain)
+')
+
+optional_policy(`
+ udev_read_pid_files(openshift_domain)
+')
+
+#######################################################
+#
+# Policy for openshift user domain process
+#
+manage_dirs_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
+manage_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
+manage_fifo_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
+manage_sock_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
+manage_lnk_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
+allow openshift_user_domain openshift_file_type:dir_file_class_set { relabelfrom relabelto };
+
+allow openshift_user_domain openshift_domain:process transition;
+allow openshift_domain openshift_user_domain:fd use;
+allow openshift_domain openshift_user_domain:fifo_file rw_inherited_fifo_file_perms;
+allow openshift_domain openshift_user_domain:process sigchld;
+dontaudit openshift_domain openshift_user_domain:key view;
+dontaudit openshift_domain openshift_user_domain:process signull;
+dontaudit openshift_domain openshift_user_domain:socket_class_set { read write };
+
+tunable_policy(`deny_ptrace',`',`
+ allow openshift_user_domain openshift_domain:process ptrace;
+')
+
+mta_signal_user_agent(openshift_user_domain)
+
+optional_policy(`
+ ssh_rw_tcp_sockets(openshift_user_domain)
+')
+
+############################################################################
+#
+# Rules specific to openshift_net_domains
+#
+allow openshift_net_domain openshift_port_t:tcp_socket { name_connect name_bind };
+allow openshift_net_domain openshift_port_t:udp_socket name_bind;
+
+corenet_tcp_connect_mssql_port(openshift_net_domain)
+corenet_tcp_connect_mysqld_port(openshift_net_domain)
+corenet_tcp_connect_postgresql_port(openshift_net_domain)
+corenet_tcp_connect_git_port(openshift_net_domain)
+corenet_tcp_connect_oracle_port(openshift_net_domain)
+corenet_tcp_connect_flash_port(openshift_net_domain)
+corenet_tcp_connect_http_port(openshift_net_domain)
+corenet_tcp_connect_ftp_port(openshift_net_domain)
+#/* These ports are the ephemeral ports needed for ftp */
+corenet_tcp_connect_virt_migration_port(openshift_net_domain)
+corenet_tcp_connect_ssh_port(openshift_net_domain)
+corenet_tcp_connect_jacorb_port(openshift_net_domain)
+corenet_tcp_connect_jboss_management_port(openshift_net_domain)
+corenet_tcp_connect_jboss_debug_port(openshift_net_domain)
+corenet_tcp_connect_jboss_messaging_port(openshift_net_domain)
+corenet_tcp_connect_memcache_port(openshift_net_domain)
+corenet_tcp_connect_http_cache_port(openshift_net_domain)
+corenet_tcp_connect_amqp_port(openshift_net_domain)
+corenet_tcp_connect_generic_port(openshift_net_domain)
+corenet_tcp_connect_mongod_port(openshift_net_domain)
+corenet_tcp_connect_munin_port(openshift_net_domain)
+corenet_tcp_connect_pop_port(openshift_net_domain)
+corenet_tcp_connect_pulseaudio_port(openshift_net_domain)
+corenet_tcp_connect_smtp_port(openshift_net_domain)
+corenet_tcp_connect_whois_port(openshift_net_domain)
+corenet_udp_bind_generic_port(openshift_net_domain)
+corenet_tcp_bind_http_cache_port(openshift_domain)
+corenet_tcp_bind_jacorb_port(openshift_net_domain)
+corenet_tcp_bind_jboss_management_port(openshift_net_domain)
+corenet_tcp_bind_jboss_messaging_port(openshift_net_domain)
+corenet_tcp_bind_jboss_debug_port(openshift_net_domain)
+corenet_tcp_bind_mongod_port(openshift_net_domain)
+corenet_tcp_bind_mysqld_port(openshift_domain)
+corenet_tcp_bind_pulseaudio_port(openshift_net_domain)
+corenet_tcp_bind_postgresql_port(openshift_net_domain)
+
+############################################################################
+#
+# Rules specific to openshift and openshift_app_t
+#
+kernel_read_vm_sysctls(openshift_t)
+kernel_read_vm_sysctls(openshift_app_t)
+kernel_search_vm_sysctl(openshift_t)
+kernel_search_vm_sysctl(openshift_app_t)
+netutils_domtrans_ping(openshift_t)
+netutils_kill_ping(openshift_t)
+netutils_signal_ping(openshift_t)
+
+openshift_net_type(openshift_app_t)
+openshift_net_type(openshift_t)
+
+optional_policy(`
+ postfix_rw_public_pipes(openshift_t)
+ postfix_manage_spool_maildrop_files(openshift_t)
+')
+
+########################################
+#
+# openshift_cgroup_read local policy
+#
+
+allow openshift_cgroup_read_t self:process { getattr signal_perms };
+allow openshift_cgroup_read_t self:fifo_file rw_fifo_file_perms;
+allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms;
+allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
+
+allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms;
+
+manage_dirs_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t)
+manage_files_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t)
+files_tmp_filetrans(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, { file dir })
+
+kernel_read_system_state(openshift_cgroup_read_t)
+
+term_dontaudit_use_generic_ptys(openshift_cgroup_read_t)
+
+auth_read_passwd(openshift_cgroup_read_t)
+
+miscfiles_read_localization(openshift_cgroup_read_t)
+
+optional_policy(`
+ ssh_use_ptys(openshift_cgroup_read_t)
+')
+
+corecmd_exec_bin(openshift_cgroup_read_t)
+corecmd_exec_shell(openshift_cgroup_read_t)
+
+dev_read_urand(openshift_cgroup_read_t)
+
+domain_use_interactive_fds(openshift_cgroup_read_t)
+
+fs_dontaudit_rw_anon_inodefs_files(openshift_cgroup_read_t)
+
+userdom_use_inherited_user_ptys(openshift_cgroup_read_t)
+
+miscfiles_read_generic_certs(openshift_cgroup_read_t)
+
+domtrans_pattern(openshift_domain, openshift_cgroup_read_exec_t, openshift_cgroup_read_t)
+role system_r types openshift_cgroup_read_t;
+
+allow openshift_domain openshift_cgroup_read_t:process { getattr signal signull sigkill };
+
+fs_list_cgroup_dirs(openshift_cgroup_read_t)
+fs_read_cgroup_files(openshift_cgroup_read_t)
+
+allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms;
+manage_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)
+allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms;
+
+########################################
+#
+# openshift_net_read local policy
+#
+
+allow openshift_net_read_t self:process { getattr signal_perms };
+allow openshift_net_read_t self:fifo_file rw_fifo_file_perms;
+allow openshift_net_read_t self:unix_stream_socket create_stream_socket_perms;
+allow openshift_net_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
+
+allow openshift_net_read_t openshift_file_type:file rw_inherited_file_perms;
+
+kernel_read_network_state(openshift_net_read_t)
+kernel_read_system_state(openshift_net_read_t)
+
+corecmd_exec_bin(openshift_net_read_t)
+corecmd_exec_shell(openshift_net_read_t)
+
+dev_read_urand(openshift_net_read_t)
+
+domain_use_interactive_fds(openshift_net_read_t)
+
+fs_dontaudit_rw_anon_inodefs_files(openshift_net_read_t)
+
+term_dontaudit_use_generic_ptys(openshift_net_read_t)
+
+auth_read_passwd(openshift_net_read_t)
+
+userdom_use_inherited_user_ptys(openshift_net_read_t)
+
+miscfiles_read_generic_certs(openshift_net_read_t)
+miscfiles_read_localization(openshift_net_read_t)
+
+optional_policy(`
+ ssh_use_ptys(openshift_net_read_t)
+')
+
+domtrans_pattern(openshift_domain, openshift_net_read_exec_t, openshift_net_read_t)
+role system_r types openshift_net_read_t;
+
+allow openshift_domain openshift_net_read_t:process { getattr signal signull sigkill };
+
+allow openshift_net_read_t openshift_var_lib_t:dir list_dir_perms;
+manage_files_pattern(openshift_net_read_t, openshift_var_lib_t, openshift_var_lib_t)
+allow openshift_net_read_t openshift_file_type:file rw_inherited_file_perms;
+
+########################################
+#
+# openshift_cron local policy
+#
+allow openshift_cron_t self:capability { dac_read_search dac_override net_admin sys_admin };
+allow openshift_cron_t self:process signal_perms;
+allow openshift_cron_t self:tcp_socket create_stream_socket_perms;
+allow openshift_cron_t self:udp_socket create_socket_perms;
+allow openshift_cron_t self:unix_dgram_socket create_socket_perms;
+allow openshift_cron_t self:netlink_route_socket rw_netlink_socket_perms;
+
+append_files_pattern(openshift_cron_t, openshift_log_t, openshift_log_t)
+manage_dirs_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+manage_fifo_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+manage_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+manage_lnk_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+manage_sock_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+files_tmp_filetrans(openshift_cron_t, openshift_cron_tmp_t, { lnk_file file dir sock_file fifo_file })
+
+openshift_manage_lib_dirs(openshift_cron_t)
+openshift_manage_lib_files(openshift_cron_t)
+
+kernel_search_network_sysctl(openshift_cron_t)
+kernel_read_network_state(openshift_cron_t)
+kernel_read_system_state(openshift_cron_t)
+
+files_dontaudit_search_all_mountpoints(openshift_cron_t)
+
+corecmd_exec_bin(openshift_cron_t)
+corecmd_exec_shell(openshift_cron_t)
+
+dev_read_raw_memory(openshift_cron_t)
+dev_read_urand(openshift_cron_t)
+
+corenet_udp_bind_generic_node(openshift_cron_t)
+corenet_udp_bind_generic_port(openshift_cron_t)
+
+dev_getattr_fs(openshift_cron_t)
+dev_list_sysfs(openshift_cron_t)
+dev_read_sysfs(openshift_cron_t)
+
+files_getattr_home_dir(openshift_cron_t)
+files_manage_etc_files(openshift_cron_t)
+
+fs_getattr_tmpfs_dirs(openshift_cron_t)
+fs_getattr_all_fs(openshift_cron_t)
+fs_list_hugetlbfs(openshift_cron_t)
+fs_search_cgroup_dirs(openshift_cron_t)
+
+seutil_domtrans_setfiles(openshift_cron_t)
+
+term_getattr_pty_fs(openshift_cron_t)
+term_search_ptys(openshift_cron_t)
+
+auth_use_nsswitch(openshift_cron_t)
+
+miscfiles_read_generic_certs(openshift_cron_t)
+miscfiles_read_hwdata(openshift_cron_t)
+
+sysnet_exec_ifconfig(openshift_cron_t)
+sysnet_read_config(openshift_cron_t)
+
+optional_policy(`
+ dmidecode_exec(openshift_cron_t)
+')
+
+optional_policy(`
+ hostname_exec(openshift_cron_t)
+')
+
+optional_policy(`
+ quota_read_db(openshift_cron_t)
+')
+
+optional_policy(`
+ ssh_domtrans_keygen(openshift_cron_t)
+ ssh_dontaudit_read_server_keys(openshift_cron_t)
+')
+
+tunable_policy(`openshift_use_nfs',`
+ fs_list_auto_mountpoints(openshift_domain)
+ fs_manage_nfs_dirs(openshift_domain)
+ fs_manage_nfs_files(openshift_domain)
+ fs_manage_nfs_symlinks(openshift_domain)
+ fs_exec_nfs_files(openshift_domain)
+')
diff --git a/opensm.fc b/opensm.fc
new file mode 100644
index 000000000..65511ed7a
--- /dev/null
+++ b/opensm.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/opensm.* -- gen_context(system_u:object_r:opensm_unit_file_t,s0)
+
+/usr/libexec/opensm-launch -- gen_context(system_u:object_r:opensm_exec_t,s0)
+
+/var/cache/opensm(/.*)? gen_context(system_u:object_r:opensm_cache_t,s0)
+
+/var/log/opensm.* -- gen_context(system_u:object_r:opensm_log_t,s0)
diff --git a/opensm.if b/opensm.if
new file mode 100644
index 000000000..45de66477
--- /dev/null
+++ b/opensm.if
@@ -0,0 +1,224 @@
+
+## Opensm is an InfiniBand compliant Subnet Manager and Administration, and runs on top of OpenIB
+
+########################################
+##
+## Execute opensm in the opensm domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`opensm_domtrans',`
+ gen_require(`
+ type opensm_t, opensm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, opensm_exec_t, opensm_t)
+')
+
+########################################
+##
+## Search opensm cache directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`opensm_search_cache',`
+ gen_require(`
+ type opensm_cache_t;
+ ')
+
+ allow $1 opensm_cache_t:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+##
+## Read opensm cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`opensm_read_cache_files',`
+ gen_require(`
+ type opensm_cache_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, opensm_cache_t, opensm_cache_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## opensm cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`opensm_manage_cache_files',`
+ gen_require(`
+ type opensm_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, opensm_cache_t, opensm_cache_t)
+')
+
+########################################
+##
+## Manage opensm cache dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`opensm_manage_cache_dirs',`
+ gen_require(`
+ type opensm_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, opensm_cache_t, opensm_cache_t)
+')
+
+########################################
+##
+## Read opensm's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`opensm_read_log',`
+ gen_require(`
+ type opensm_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, opensm_log_t, opensm_log_t)
+')
+
+########################################
+##
+## Append to opensm log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`opensm_append_log',`
+ gen_require(`
+ type opensm_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, opensm_log_t, opensm_log_t)
+')
+
+########################################
+##
+## Manage opensm log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`opensm_manage_log',`
+ gen_require(`
+ type opensm_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, opensm_log_t, opensm_log_t)
+ manage_files_pattern($1, opensm_log_t, opensm_log_t)
+ manage_lnk_files_pattern($1, opensm_log_t, opensm_log_t)
+')
+########################################
+##
+## Execute opensm server in the opensm domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`opensm_systemctl',`
+ gen_require(`
+ type opensm_t;
+ type opensm_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 opensm_unit_file_t:file read_file_perms;
+ allow $1 opensm_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, opensm_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an opensm environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`opensm_admin',`
+ gen_require(`
+ type opensm_t;
+ type opensm_cache_t;
+ type opensm_log_t;
+ type opensm_unit_file_t;
+ ')
+
+ allow $1 opensm_t:process { signal_perms };
+ ps_process_pattern($1, opensm_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 opensm_t:process ptrace;
+ ')
+
+ files_search_var($1)
+ admin_pattern($1, opensm_cache_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, opensm_log_t)
+
+ opensm_systemctl($1)
+ admin_pattern($1, opensm_unit_file_t)
+ allow $1 opensm_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/opensm.te b/opensm.te
new file mode 100644
index 000000000..81c7870cf
--- /dev/null
+++ b/opensm.te
@@ -0,0 +1,49 @@
+policy_module(opensm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type opensm_t;
+type opensm_exec_t;
+init_daemon_domain(opensm_t, opensm_exec_t)
+
+type opensm_cache_t;
+files_type(opensm_cache_t)
+
+type opensm_log_t;
+logging_log_file(opensm_log_t)
+
+type opensm_unit_file_t;
+systemd_unit_file(opensm_unit_file_t)
+
+########################################
+#
+# opensm local policy
+#
+allow opensm_t self:process { signal fork };
+allow opensm_t self:fifo_file rw_fifo_file_perms;
+allow opensm_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
+manage_files_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
+files_var_filetrans(opensm_t, opensm_cache_t, { dir file })
+
+manage_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+logging_log_filetrans(opensm_t, opensm_log_t, file )
+
+kernel_read_system_state(opensm_t)
+
+auth_use_nsswitch(opensm_t)
+
+corenet_ib_access_unlabeled_pkeys(opensm_t)
+corenet_ib_manage_subnet_unlabeled_endports(opensm_t)
+
+corecmd_exec_bin(opensm_t)
+
+dev_read_sysfs(opensm_t)
+dev_rw_infiniband_dev(opensm_t)
+dev_rw_infiniband_mgmt_dev(opensm_t)
+
+logging_send_syslog_msg(opensm_t)
diff --git a/openvpn.fc b/openvpn.fc
index 300213f83..4cdfe097c 100644
--- a/openvpn.fc
+++ b/openvpn.fc
@@ -1,10 +1,13 @@
/etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0)
+/etc/openvpn/scripts(/.*)? gen_context(system_u:object_r:openvpn_unconfined_script_exec_t,s0)
/etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
/usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
+/var/lib/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_lib_t,s0)
+
/var/log/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0)
/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
diff --git a/openvpn.if b/openvpn.if
index 6837e9a2b..8d6e33b00 100644
--- a/openvpn.if
+++ b/openvpn.if
@@ -20,6 +20,25 @@ interface(`openvpn_domtrans',`
domtrans_pattern($1, openvpn_exec_t, openvpn_t)
')
+########################################
+##
+## Execute openvpn clients in the
+## caller domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`openvpn_exec',`
+ gen_require(`
+ type openvpn_exec_t;
+ ')
+
+ can_exec($1, openvpn_exec_t)
+')
+
########################################
##
## Execute openvpn clients in the
@@ -123,6 +142,44 @@ interface(`openvpn_read_config',`
allow $1 openvpn_etc_t:lnk_file read_lnk_file_perms;
')
+####################################
+##
+## Connect to openvpn over
+## a unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openvpn_stream_connect',`
+ gen_require(`
+ type openvpn_t, openvpn_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, openvpn_var_run_t, openvpn_var_run_t, openvpn_t)
+')
+
+########################################
+##
+## Read and write to sopenvpn_image devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openvpn_noatsecure',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ allow $1 openvpn_t:process noatsecure;
+')
+
########################################
##
## All of the rules required to
@@ -147,9 +204,13 @@ interface(`openvpn_admin',`
type openvpn_status_t;
')
- allow $1 openvpn_t:process { ptrace signal_perms };
+ allow $1 openvpn_t:process signal_perms;
ps_process_pattern($1, openvpn_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 openvpn_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te
index 63957a362..91dead6e7 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -5,6 +5,13 @@ policy_module(openvpn, 1.12.2)
# Declarations
#
+##
+##
+## Allow openvpn to run unconfined scripts
+##
+##
+gen_tunable(openvpn_run_unconfined, false)
+
##
##
## Determine whether openvpn can
@@ -19,7 +26,7 @@ gen_tunable(openvpn_enable_homedirs, false)
## connect to the TCP network.
##
##
-gen_tunable(openvpn_can_network_connect, false)
+gen_tunable(openvpn_can_network_connect, true)
attribute_role openvpn_roles;
@@ -40,6 +47,9 @@ init_script_file(openvpn_initrc_exec_t)
type openvpn_status_t;
logging_log_file(openvpn_status_t)
+type openvpn_var_lib_t;
+files_type(openvpn_var_lib_t)
+
type openvpn_tmp_t;
files_tmp_file(openvpn_tmp_t)
@@ -54,7 +64,7 @@ files_pid_file(openvpn_var_run_t)
# Local policy
#
-allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
+allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
allow openvpn_t self:process { signal getsched setsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
allow openvpn_t self:unix_dgram_socket sendto;
@@ -63,6 +73,8 @@ allow openvpn_t self:tcp_socket server_stream_socket_perms;
allow openvpn_t self:tun_socket { create_socket_perms relabelfrom relabelto };
allow openvpn_t self:netlink_route_socket nlmsg_write;
+dontaudit openvpn_t self:capability2 block_suspend ;
+
allow openvpn_t openvpn_etc_t:dir list_dir_perms;
allow openvpn_t openvpn_etc_t:file read_file_perms;
allow openvpn_t openvpn_etc_t:lnk_file read_lnk_file_perms;
@@ -73,18 +85,23 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
allow openvpn_t openvpn_status_t:file manage_file_perms;
logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
+manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
+files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
+
+manage_files_pattern(openvpn_t, openvpn_var_lib_t, openvpn_var_lib_t)
+files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file })
+
allow openvpn_t openvpn_tmp_t:file manage_file_perms;
files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-setattr_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
+manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
-files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
+manage_sock_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
+files_pid_filetrans(openvpn_t, openvpn_var_run_t, { sock_file file dir })
can_exec(openvpn_t, openvpn_etc_t)
@@ -97,7 +114,6 @@ kernel_request_load_module(openvpn_t)
corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t)
-corenet_all_recvfrom_unlabeled(openvpn_t)
corenet_all_recvfrom_netlabel(openvpn_t)
corenet_tcp_sendrecv_generic_if(openvpn_t)
corenet_udp_sendrecv_generic_if(openvpn_t)
@@ -117,13 +133,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
corenet_sendrecv_http_server_packets(openvpn_t)
corenet_tcp_bind_http_port(openvpn_t)
corenet_sendrecv_http_client_packets(openvpn_t)
+corenet_tcp_connect_squid_port(openvpn_t)
corenet_tcp_connect_http_port(openvpn_t)
corenet_tcp_sendrecv_http_port(openvpn_t)
-
corenet_sendrecv_http_cache_client_packets(openvpn_t)
corenet_tcp_connect_http_cache_port(openvpn_t)
corenet_tcp_sendrecv_http_cache_port(openvpn_t)
+corenet_tcp_connect_tor_port(openvpn_t)
+
corenet_rw_tun_tap_dev(openvpn_t)
dev_read_rand(openvpn_t)
@@ -132,21 +150,31 @@ files_read_etc_runtime_files(openvpn_t)
fs_getattr_all_fs(openvpn_t)
fs_search_auto_mountpoints(openvpn_t)
+fs_list_cgroup_dirs(openvpn_t)
auth_use_pam(openvpn_t)
-miscfiles_read_localization(openvpn_t)
+logging_send_syslog_msg(openvpn_t)
+
miscfiles_read_all_certs(openvpn_t)
+sysnet_dns_name_resolve(openvpn_t)
sysnet_exec_ifconfig(openvpn_t)
sysnet_manage_config(openvpn_t)
sysnet_etc_filetrans_config(openvpn_t)
sysnet_use_ldap(openvpn_t)
-userdom_use_user_terminals(openvpn_t)
+systemd_passwd_agent_domtrans(openvpn_t)
+systemd_manage_passwd_run(openvpn_t)
+
+userdom_use_inherited_user_terminals(openvpn_t)
+userdom_read_home_certs(openvpn_t)
+userdom_attach_admin_tun_iface(openvpn_t)
+userdom_read_inherited_user_tmp_files(openvpn_t)
+userdom_read_inherited_user_home_content_files(openvpn_t)
tunable_policy(`openvpn_enable_homedirs',`
- userdom_read_user_home_content_files(openvpn_t)
+ userdom_search_user_home_dirs(openvpn_t)
')
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
@@ -163,10 +191,20 @@ tunable_policy(`openvpn_can_network_connect',`
corenet_tcp_sendrecv_all_ports(openvpn_t)
')
+optional_policy(`
+ brctl_domtrans(openvpn_t)
+')
+
optional_policy(`
daemontools_service_domain(openvpn_t, openvpn_exec_t)
')
+optional_policy(`
+ networkmanager_stream_connect(openvpn_t)
+ networkmanager_manage_pid_files(openvpn_t)
+ networkmanager_manage_pid_sock_files(openvpn_t)
+')
+
optional_policy(`
dbus_system_bus_client(openvpn_t)
dbus_connect_system_bus(openvpn_t)
@@ -175,3 +213,27 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
')
+
+optional_policy(`
+ unconfined_attach_tun_iface(openvpn_t)
+')
+
+type openvpn_unconfined_script_t;
+type openvpn_unconfined_script_exec_t;
+domain_type(openvpn_unconfined_script_t)
+domain_entry_file(openvpn_unconfined_script_t, openvpn_unconfined_script_exec_t)
+corecmd_shell_entry_type(openvpn_unconfined_script_t)
+role system_r types openvpn_unconfined_script_t;
+
+allow openvpn_t openvpn_unconfined_script_exec_t:dir search_dir_perms;
+allow openvpn_t openvpn_unconfined_script_exec_t:file ioctl;
+
+optional_policy(`
+ unconfined_domain(openvpn_unconfined_script_t)
+')
+
+tunable_policy(`openvpn_run_unconfined',`
+ domtrans_pattern(openvpn_t, openvpn_unconfined_script_exec_t, openvpn_unconfined_script_t)
+',`
+ can_exec(openvpn_t, openvpn_unconfined_script_exec_t)
+')
diff --git a/openvswitch.fc b/openvswitch.fc
index 45d7cc508..c5b9607c1 100644
--- a/openvswitch.fc
+++ b/openvswitch.fc
@@ -1,12 +1,16 @@
-/etc/rc\.d/init\.d/openvswitch -- gen_context(system_u:object_r:openvswitch_initrc_exec_t,s0)
+/usr/lib/systemd/system/openvswitch.service -- gen_context(system_u:object_r:openvswitch_unit_file_t,s0)
-/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_conf_t,s0)
+/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/bin/ovs-vsctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/sbin/ovsdb-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/sbin/ovsdb-server -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/sbin/ovs-vswitchd -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/bin/ovs-appctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
-/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
-/usr/share/openvswitch/scripts/openvswitch\.init -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0)
-/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0)
+/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0)
-/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0)
+/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0)
-/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0)
+/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_rw_t,s0)
diff --git a/openvswitch.if b/openvswitch.if
index 9b157305b..cb00f200a 100644
--- a/openvswitch.if
+++ b/openvswitch.if
@@ -1,13 +1,14 @@
-## Multilayer virtual switch.
+
+## policy for openvswitch
########################################
##
-## Execute openvswitch in the openvswitch domain.
+## Execute TEMPLATE in the openvswitch domin.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`openvswitch_domtrans',`
@@ -18,10 +19,145 @@ interface(`openvswitch_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, openvswitch_exec_t, openvswitch_t)
')
+########################################
+##
+## Read openvswitch's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`openvswitch_read_log',`
+ gen_require(`
+ type openvswitch_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
+')
+
+########################################
+##
+## Append to openvswitch log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openvswitch_append_log',`
+ gen_require(`
+ type openvswitch_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
+')
########################################
##
-## Read openvswitch pid files.
+## Manage openvswitch log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openvswitch_manage_log',`
+ gen_require(`
+ type openvswitch_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, openvswitch_log_t, openvswitch_log_t)
+ manage_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
+ manage_lnk_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
+')
+
+########################################
+##
+## Search openvswitch lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openvswitch_search_lib',`
+ gen_require(`
+ type openvswitch_var_lib_t;
+ ')
+
+ allow $1 openvswitch_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read openvswitch lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openvswitch_read_lib_files',`
+ gen_require(`
+ type openvswitch_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
+')
+
+########################################
+##
+## Manage openvswitch lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openvswitch_manage_lib_files',`
+ gen_require(`
+ type openvswitch_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
+')
+
+########################################
+##
+## Manage openvswitch lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openvswitch_manage_lib_dirs',`
+ gen_require(`
+ type openvswitch_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
+')
+
+########################################
+##
+## Read openvswitch PID files.
##
##
##
@@ -40,44 +176,87 @@ interface(`openvswitch_read_pid_files',`
########################################
##
-## All of the rules required to
-## administrate an openvswitch environment.
+## Allow stream connect to openvswitch.
##
##
##
## Domain allowed access.
##
##
-##
+#
+
+interface(`openvswitch_stream_connect',`
+ gen_require(`
+ type openvswitch_t, openvswitch_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t, openvswitch_t)
+')
+
+########################################
+##
+## Execute openvswitch server in the openvswitch domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`openvswitch_systemctl',`
+ gen_require(`
+ type openvswitch_t;
+ type openvswitch_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 openvswitch_unit_file_t:file read_file_perms;
+ allow $1 openvswitch_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, openvswitch_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an openvswitch environment
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
##
#
interface(`openvswitch_admin',`
gen_require(`
- type openvswitch_t, openvswitch_initrc_exec_t, openvswitch_conf_t;
- type openvswitch_var_lib_t, openvswitch_log_t, openvswitch_var_run_t;
+ type openvswitch_t, openvswitch_log_t, openvswitch_var_lib_t;
+ type openvswitch_rw_t, openvswitch_var_run_t, openvswitch_unit_file_t;
')
allow $1 openvswitch_t:process { ptrace signal_perms };
ps_process_pattern($1, openvswitch_t)
- init_labeled_script_domtrans($1, openvswitch_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openvswitch_initrc_exec_t system_r;
- allow $2 system_r;
+ logging_search_logs($1)
+ admin_pattern($1, openvswitch_rw_t)
- files_search_etc($1)
- admin_pattern($1, openvswitch_conf_t)
+ logging_search_logs($1)
+ admin_pattern($1, openvswitch_log_t)
files_search_var_lib($1)
admin_pattern($1, openvswitch_var_lib_t)
- logging_search_logs($1)
- admin_pattern($1, openvswitch_log_t)
-
files_search_pids($1)
admin_pattern($1, openvswitch_var_run_t)
+
+ openvswitch_systemctl($1)
+ admin_pattern($1, openvswitch_unit_file_t)
+ allow $1 openvswitch_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/openvswitch.te b/openvswitch.te
index 44dbc99ab..f2c237099 100644
--- a/openvswitch.te
+++ b/openvswitch.te
@@ -9,11 +9,8 @@ type openvswitch_t;
type openvswitch_exec_t;
init_daemon_domain(openvswitch_t, openvswitch_exec_t)
-type openvswitch_initrc_exec_t;
-init_script_file(openvswitch_initrc_exec_t)
-
-type openvswitch_conf_t;
-files_config_file(openvswitch_conf_t)
+type openvswitch_rw_t;
+files_config_file(openvswitch_rw_t)
type openvswitch_var_lib_t;
files_type(openvswitch_var_lib_t)
@@ -27,20 +24,31 @@ files_tmp_file(openvswitch_tmp_t)
type openvswitch_var_run_t;
files_pid_file(openvswitch_var_run_t)
+type openvswitch_unit_file_t;
+systemd_unit_file(openvswitch_unit_file_t)
+
########################################
#
-# Local policy
+# openvswitch local policy
#
-allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock };
-allow openvswitch_t self:process { setrlimit setsched signal };
+allow openvswitch_t self:capability { dac_override dac_read_search net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill };
+allow openvswitch_t self:capability2 block_suspend;
+allow openvswitch_t self:process { fork setsched setrlimit signal setcap };
allow openvswitch_t self:fifo_file rw_fifo_file_perms;
-allow openvswitch_t self:rawip_socket create_socket_perms;
-allow openvswitch_t self:unix_stream_socket { accept connectto listen };
+allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow openvswitch_t self:tcp_socket create_stream_socket_perms;
+allow openvswitch_t self:netlink_socket create_socket_perms;
+allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
+allow openvswitch_t self:netlink_generic_socket create_socket_perms;
+allow openvswitch_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+allow openvswitch_t self:system { module_load };
+
+can_exec(openvswitch_t, openvswitch_exec_t)
-manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
-manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
-manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
+manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
+manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
+manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
@@ -48,50 +56,103 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
-append_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
-create_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
-setattr_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
+manage_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
manage_dirs_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
manage_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
manage_lnk_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
-files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir })
+manage_sock_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
+files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir sock_file })
manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
-files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
-
-can_exec(openvswitch_t, openvswitch_exec_t)
+files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file sock_file })
+kernel_load_module(openvswitch_t)
kernel_read_network_state(openvswitch_t)
kernel_read_system_state(openvswitch_t)
+kernel_request_load_module(openvswitch_t)
+files_map_kernel_modules(openvswitch_t)
+kernel_read_net_sysctls(openvswitch_t)
-corenet_all_recvfrom_unlabeled(openvswitch_t)
-corenet_all_recvfrom_netlabel(openvswitch_t)
-corenet_raw_sendrecv_generic_if(openvswitch_t)
-corenet_raw_sendrecv_generic_node(openvswitch_t)
+corenet_tcp_connect_xodbc_connect_port(openvswitch_t)
+corenet_tcp_connect_ovsdb_port(openvswitch_t)
+corenet_tcp_connect_openflow_port(openvswitch_t)
+corenet_tcp_connect_openvswitch_port(openvswitch_t)
+corenet_tcp_bind_generic_node(openvswitch_t)
+corenet_tcp_bind_openvswitch_port(openvswitch_t)
corecmd_exec_bin(openvswitch_t)
+corecmd_exec_shell(openvswitch_t)
+dev_read_rand(openvswitch_t)
dev_read_urand(openvswitch_t)
+dev_rw_sysfs(openvswitch_t)
+dev_rw_vfio_dev(openvswitch_t)
+corenet_rw_tun_tap_dev(openvswitch_t)
+dev_rw_infiniband_dev(openvswitch_t)
+dev_read_cpuid(openvswitch_t)
domain_use_interactive_fds(openvswitch_t)
-files_read_etc_files(openvswitch_t)
+files_read_kernel_modules(openvswitch_t)
+files_load_kernel_modules(openvswitch_t)
fs_getattr_all_fs(openvswitch_t)
fs_search_cgroup_dirs(openvswitch_t)
+fs_manage_hugetlbfs_files(openvswitch_t)
+fs_manage_hugetlbfs_dirs(openvswitch_t)
+
+auth_use_nsswitch(openvswitch_t)
logging_send_syslog_msg(openvswitch_t)
-miscfiles_read_localization(openvswitch_t)
+init_read_script_state(openvswitch_t)
+
+modutils_exec_insmod(openvswitch_t)
+modutils_list_module_config(openvswitch_t)
+modutils_read_module_config(openvswitch_t)
+modutils_read_module_deps(openvswitch_t)
sysnet_dns_name_resolve(openvswitch_t)
+logging_send_audit_msgs(openvswitch_t)
+
+write_sock_files_pattern(init_t, openvswitch_var_run_t, openvswitch_var_run_t)
+
+storage_rw_inherited_fixed_disk_dev(openvswitch_t)
+
+optional_policy(`
+ hostname_exec(openvswitch_t)
+')
+
optional_policy(`
iptables_domtrans(openvswitch_t)
')
+
+optional_policy(`
+ plymouthd_exec_plymouth(openvswitch_t)
+')
+
+optional_policy(`
+ neutron_read_state(openvswitch_t)
+')
+
+optional_policy(`
+ networkmanager_read_state(openvswitch_t)
+')
+
+optional_policy(`
+ virt_svirt_manage_tmp(openvswitch_t)
+ virt_rw_svirt_image(openvswitch_t)
+ virt_stream_connect_svirt(openvswitch_t)
+ virt_rw_stream_sockets_svirt(openvswitch_t)
+')
+
+optional_policy(`
+ seutil_domtrans_setfiles(openvswitch_t)
+')
diff --git a/openwsman.fc b/openwsman.fc
new file mode 100644
index 000000000..00d0643d9
--- /dev/null
+++ b/openwsman.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/openwsmand.* -- gen_context(system_u:object_r:openwsman_unit_file_t,s0)
+
+/usr/sbin/openwsmand -- gen_context(system_u:object_r:openwsman_exec_t,s0)
+
+/var/log/wsmand.* -- gen_context(system_u:object_r:openwsman_log_t,s0)
+
+/var/run/wsmand.* -- gen_context(system_u:object_r:openwsman_run_t,s0)
diff --git a/openwsman.if b/openwsman.if
new file mode 100644
index 000000000..747853a1a
--- /dev/null
+++ b/openwsman.if
@@ -0,0 +1,79 @@
+## WS-Management Server
+
+########################################
+##
+## Execute openwsman in the openwsman domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`openwsman_domtrans',`
+ gen_require(`
+ type openwsman_t, openwsman_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, openwsman_exec_t, openwsman_t)
+')
+########################################
+##
+## Execute openwsman server in the openwsman domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`openwsman_systemctl',`
+ gen_require(`
+ type openwsman_t;
+ type openwsman_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 openwsman_unit_file_t:file read_file_perms;
+ allow $1 openwsman_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, openwsman_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an openwsman environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`openwsman_admin',`
+ gen_require(`
+ type openwsman_t;
+ type openwsman_unit_file_t;
+ ')
+
+ allow $1 openwsman_t:process { signal_perms };
+ ps_process_pattern($1, openwsman_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 openwsman_t:process ptrace;
+ ')
+
+ openwsman_systemctl($1)
+ admin_pattern($1, openwsman_unit_file_t)
+ allow $1 openwsman_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/openwsman.te b/openwsman.te
new file mode 100644
index 000000000..3bcd32cdf
--- /dev/null
+++ b/openwsman.te
@@ -0,0 +1,74 @@
+policy_module(openwsman, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openwsman_t;
+type openwsman_exec_t;
+init_daemon_domain(openwsman_t, openwsman_exec_t)
+
+type openwsman_tmp_t;
+files_tmp_file(openwsman_tmp_t)
+
+type openwsman_tmpfs_t;
+files_tmpfs_file(openwsman_tmpfs_t)
+
+type openwsman_log_t;
+logging_log_file(openwsman_log_t)
+
+type openwsman_run_t;
+files_pid_file(openwsman_run_t)
+
+type openwsman_unit_file_t;
+systemd_unit_file(openwsman_unit_file_t)
+
+########################################
+#
+# openwsman local policy
+#
+
+allow openwsman_t self:capability setuid;
+
+allow openwsman_t self:process { fork };
+allow openwsman_t self:fifo_file rw_fifo_file_perms;
+allow openwsman_t self:unix_stream_socket create_stream_socket_perms;
+allow openwsman_t self:tcp_socket { create_socket_perms accept listen };
+
+manage_files_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
+manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
+files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file })
+
+manage_files_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
+manage_dirs_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
+fs_tmpfs_filetrans(openwsman_t, openwsman_tmpfs_t, { dir file })
+
+manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
+logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
+
+manage_files_pattern(openwsman_t, openwsman_run_t, openwsman_run_t)
+files_pid_filetrans(openwsman_t, openwsman_run_t, { file })
+
+auth_use_nsswitch(openwsman_t)
+auth_domtrans_chkpwd(openwsman_t)
+
+corenet_tcp_connect_pegasus_https_port(openwsman_t)
+corenet_tcp_bind_vnc_port(openwsman_t)
+corenet_tcp_bind_http_port(openwsman_t)
+
+dev_read_urand(openwsman_t)
+
+logging_send_syslog_msg(openwsman_t)
+logging_send_audit_msgs(openwsman_t)
+
+optional_policy(`
+ sblim_stream_connect_sfcbd(openwsman_t)
+ sblim_rw_semaphores_sfcbd(openwsman_t)
+ sblim_getattr_exec_sfcbd(openwsman_t)
+')
+
+optional_policy(`
+ unconfined_domain(openwsman_t)
+')
+
diff --git a/oracleasm.fc b/oracleasm.fc
new file mode 100644
index 000000000..5655facf0
--- /dev/null
+++ b/oracleasm.fc
@@ -0,0 +1,8 @@
+
+/etc/rc\.d/init\.d/oracleasm -- gen_context(system_u:object_r:oracleasm_initrc_exec_t,s0)
+
+/etc/sysconfig/oracleasm(/.*)? gen_context(system_u:object_r:oracleasm_conf_t,s0)
+
+/etc/sysconfig/oracleasm-_dev_oracleasm -- gen_context(system_u:object_r:oracleasm_conf_t,s0)
+
+/usr/sbin/oracleasm -- gen_context(system_u:object_r:oracleasm_exec_t,s0)
diff --git a/oracleasm.if b/oracleasm.if
new file mode 100644
index 000000000..6ae382cb9
--- /dev/null
+++ b/oracleasm.if
@@ -0,0 +1,75 @@
+
+## policy for oracleasm
+
+########################################
+##
+## Transition to oracleasm.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`oracleasm_domtrans',`
+ gen_require(`
+ type oracleasm_t, oracleasm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, oracleasm_exec_t, oracleasm_t)
+')
+
+
+########################################
+##
+## Execute oracleasm server in the oracleasm domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`oracleasm_initrc_domtrans',`
+ gen_require(`
+ type oracleasm_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, oracleasm_initrc_exec_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an oracleasm environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`oracleasm_admin',`
+ gen_require(`
+ type oracleasm_t;
+ type oracleasm_initrc_exec_t;
+ ')
+
+ allow $1 oracleasm_t:process { ptrace signal_perms };
+ ps_process_pattern($1, oracleasm_t)
+
+ oracleasm_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 oracleasm_initrc_exec_t system_r;
+ allow $2 system_r;
+
+')
+
diff --git a/oracleasm.te b/oracleasm.te
new file mode 100644
index 000000000..76250e0c6
--- /dev/null
+++ b/oracleasm.te
@@ -0,0 +1,67 @@
+policy_module(oracleasm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type oracleasm_t;
+type oracleasm_exec_t;
+init_daemon_domain(oracleasm_t, oracleasm_exec_t)
+
+type oracleasm_initrc_exec_t;
+init_script_file(oracleasm_initrc_exec_t)
+
+type oracleasm_tmp_t;
+files_tmp_file(oracleasm_tmp_t)
+
+type oracleasm_conf_t;
+files_config_file(oracleasm_conf_t)
+
+########################################
+#
+# oracleasm local policy
+#
+
+allow oracleasm_t self:capability { dac_read_search dac_override fsetid fowner chown };
+allow oracleasm_t self:fifo_file rw_fifo_file_perms;
+allow oracleasm_t self:unix_stream_socket create_stream_socket_perms;
+dontaudit oracleasm_t self:capability { sys_admin };
+
+allow oracleasm_t oracleasm_conf_t:file manage_file_perms;
+allow oracleasm_t oracleasm_conf_t:dir manage_dir_perms;
+
+manage_dirs_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t)
+manage_files_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t)
+files_tmp_filetrans(oracleasm_t, oracleasm_tmp_t, { file dir })
+
+kernel_read_system_state(oracleasm_t)
+
+auth_read_passwd(oracleasm_t)
+
+dev_rw_sysfs(oracleasm_t)
+
+domain_use_interactive_fds(oracleasm_t)
+
+corecmd_exec_shell(oracleasm_t)
+corecmd_exec_bin(oracleasm_t)
+
+fs_getattr_xattr_fs(oracleasm_t)
+fs_list_oracleasmfs(oracleasm_t)
+fs_getattr_oracleasmfs(oracleasm_t)
+fs_getattr_oracleasmfs_fs(oracleasm_t)
+fs_setattr_oracleasmfs(oracleasm_t)
+fs_setattr_oracleasmfs_dirs(oracleasm_t)
+fs_manage_oracleasm(oracleasm_t)
+
+storage_raw_read_fixed_disk(oracleasm_t)
+storage_raw_read_removable_device(oracleasm_t)
+storage_rw_inherited_fixed_disk_dev(oracleasm_t)
+
+optional_policy(`
+ mount_domtrans(oracleasm_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(oracleasm_t)
+')
diff --git a/osad.fc b/osad.fc
new file mode 100644
index 000000000..cf911d54e
--- /dev/null
+++ b/osad.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/osad -- gen_context(system_u:object_r:osad_initrc_exec_t,s0)
+
+/usr/sbin/osad -- gen_context(system_u:object_r:osad_exec_t,s0)
+
+/var/log/osad.* -- gen_context(system_u:object_r:osad_log_t,s0)
+
+/var/run/osad.* -- gen_context(system_u:object_r:osad_var_run_t,s0)
diff --git a/osad.if b/osad.if
new file mode 100644
index 000000000..05648bd2a
--- /dev/null
+++ b/osad.if
@@ -0,0 +1,165 @@
+
+## Client-side service written in Python that responds to pings and runs rhn_check when told to by osa-dispatcher.
+
+########################################
+##
+## Execute osad in the osad domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`osad_domtrans',`
+ gen_require(`
+ type osad_t, osad_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, osad_exec_t, osad_t)
+')
+
+########################################
+##
+## Execute osad server in the osad domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`osad_initrc_domtrans',`
+ gen_require(`
+ type osad_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, osad_initrc_exec_t)
+')
+########################################
+##
+## Read osad's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`osad_read_log',`
+ gen_require(`
+ type osad_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, osad_log_t, osad_log_t)
+')
+
+########################################
+##
+## Append to osad log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`osad_append_log',`
+ gen_require(`
+ type osad_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, osad_log_t, osad_log_t)
+')
+
+########################################
+##
+## Manage osad log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`osad_manage_log',`
+ gen_require(`
+ type osad_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, osad_log_t, osad_log_t)
+ manage_files_pattern($1, osad_log_t, osad_log_t)
+ manage_lnk_files_pattern($1, osad_log_t, osad_log_t)
+')
+########################################
+##
+## Read osad PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`osad_read_pid_files',`
+ gen_require(`
+ type osad_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, osad_var_run_t, osad_var_run_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an osad environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`osad_admin',`
+ gen_require(`
+ type osad_t;
+ type osad_initrc_exec_t;
+ type osad_log_t;
+ type osad_var_run_t;
+ ')
+
+ allow $1 osad_t:process { signal_perms };
+ ps_process_pattern($1, osad_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 osad_t:process ptrace;
+ ')
+
+ osad_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 osad_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, osad_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, osad_var_run_t)
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/osad.te b/osad.te
new file mode 100644
index 000000000..6c2f26442
--- /dev/null
+++ b/osad.te
@@ -0,0 +1,56 @@
+policy_module(osad, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type osad_t;
+type osad_exec_t;
+init_daemon_domain(osad_t, osad_exec_t)
+
+type osad_initrc_exec_t;
+init_script_file(osad_initrc_exec_t)
+
+type osad_log_t;
+logging_log_file(osad_log_t)
+
+type osad_var_run_t;
+files_pid_file(osad_var_run_t)
+
+########################################
+#
+# osad local policy
+#
+
+allow osad_t self:process setpgid;
+
+manage_files_pattern(osad_t, osad_log_t, osad_log_t)
+logging_log_filetrans(osad_t, osad_log_t, file)
+
+manage_files_pattern(osad_t, osad_var_run_t, osad_var_run_t)
+files_pid_filetrans(osad_t, osad_var_run_t, file)
+
+kernel_read_system_state(osad_t)
+
+corecmd_exec_bin(osad_t)
+
+corenet_tcp_connect_http_port(osad_t)
+corenet_tcp_connect_jabber_client_port(osad_t)
+
+dev_read_urand(osad_t)
+
+auth_use_nsswitch(osad_t)
+
+optional_policy(`
+ gnome_dontaudit_search_config(osad_t)
+')
+
+optional_policy(`
+ rhnsd_manage_config(osad_t)
+')
+
+# execute rhn_check
+optional_policy(`
+ rpm_domtrans(osad_t)
+')
diff --git a/pacemaker.fc b/pacemaker.fc
index 2f0ad56d6..d4da0b8d0 100644
--- a/pacemaker.fc
+++ b/pacemaker.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0)
+/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:pacemaker_unit_file_t,s0)
+
/usr/sbin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0)
/var/lib/heartbeat/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
diff --git a/pacemaker.if b/pacemaker.if
index 9682d9af8..f1f421f9e 100644
--- a/pacemaker.if
+++ b/pacemaker.if
@@ -1,9 +1,167 @@
-## A scalable high-availability cluster resource manager.
+## >A scalable high-availability cluster resource manager.
########################################
##
-## All of the rules required to
-## administrate an pacemaker environment.
+## Transition to pacemaker.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`pacemaker_domtrans',`
+ gen_require(`
+ type pacemaker_t, pacemaker_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pacemaker_exec_t, pacemaker_t)
+')
+
+########################################
+##
+## Execute pacemaker server in the pacemaker domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pacemaker_initrc_domtrans',`
+ gen_require(`
+ type pacemaker_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
+')
+
+########################################
+##
+## Search pacemaker lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pacemaker_search_lib',`
+ gen_require(`
+ type pacemaker_var_lib_t;
+ ')
+
+ allow $1 pacemaker_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read pacemaker lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pacemaker_read_lib_files',`
+ gen_require(`
+ type pacemaker_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
+')
+
+########################################
+##
+## Manage pacemaker lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pacemaker_manage_lib_files',`
+ gen_require(`
+ type pacemaker_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
+')
+
+########################################
+##
+## Manage pacemaker lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pacemaker_manage_lib_dirs',`
+ gen_require(`
+ type pacemaker_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
+')
+
+########################################
+##
+## Read pacemaker PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pacemaker_read_pid_files',`
+ gen_require(`
+ type pacemaker_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 pacemaker_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Execute pacemaker server in the pacemaker domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`pacemaker_systemctl',`
+ gen_require(`
+ type pacemaker_t;
+ type pacemaker_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 pacemaker_unit_file_t:file read_file_perms;
+ allow $1 pacemaker_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, pacemaker_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an pacemaker environment
##
##
##
@@ -19,14 +177,17 @@
#
interface(`pacemaker_admin',`
gen_require(`
- type pacemaker_t, pacemaker_initrc_exec_t, pacemaker_var_lib_t;
+ type pacemaker_t;
+ type pacemaker_initrc_exec_t;
+ type pacemaker_var_lib_t;
type pacemaker_var_run_t;
+ type pacemaker_unit_file_t;
')
allow $1 pacemaker_t:process { ptrace signal_perms };
ps_process_pattern($1, pacemaker_t)
- init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
+ pacemaker_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 pacemaker_initrc_exec_t system_r;
allow $2 system_r;
@@ -36,4 +197,13 @@ interface(`pacemaker_admin',`
files_search_pids($1)
admin_pattern($1, pacemaker_var_run_t)
+
+ pacemaker_systemctl($1)
+ admin_pattern($1, pacemaker_unit_file_t)
+ allow $1 pacemaker_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/pacemaker.te b/pacemaker.te
index 6e6efb642..d56c04963 100644
--- a/pacemaker.te
+++ b/pacemaker.te
@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.1.0)
# Declarations
#
+##
+##
+## Allow pacemaker memcheck-amd64- to use executable memory
+##
+##
+gen_tunable(pacemaker_use_execmem, false)
+
type pacemaker_t;
type pacemaker_exec_t;
init_daemon_domain(pacemaker_t, pacemaker_exec_t)
@@ -12,31 +19,36 @@ init_daemon_domain(pacemaker_t, pacemaker_exec_t)
type pacemaker_initrc_exec_t;
init_script_file(pacemaker_initrc_exec_t)
+type pacemaker_var_lib_t;
+files_type(pacemaker_var_lib_t)
+
+type pacemaker_var_run_t;
+files_pid_file(pacemaker_var_run_t)
+
type pacemaker_tmp_t;
files_tmp_file(pacemaker_tmp_t)
type pacemaker_tmpfs_t;
files_tmpfs_file(pacemaker_tmpfs_t)
-type pacemaker_var_lib_t;
-files_type(pacemaker_var_lib_t)
-
-type pacemaker_var_run_t;
-files_pid_file(pacemaker_var_run_t)
+type pacemaker_unit_file_t;
+systemd_unit_file(pacemaker_unit_file_t)
########################################
#
# Local policy
#
-allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid };
+allow pacemaker_t self:capability { fowner fsetid kill chown dac_read_search dac_override setuid };
+allow pacemaker_t self:capability2 block_suspend;
allow pacemaker_t self:process { setrlimit signal setpgid };
allow pacemaker_t self:fifo_file rw_fifo_file_perms;
allow pacemaker_t self:unix_stream_socket { connectto accept listen };
manage_dirs_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
manage_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
-files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { file dir })
+manage_fifo_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
+files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { fifo_file file dir })
manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
@@ -60,13 +72,13 @@ kernel_read_system_state(pacemaker_t)
corecmd_exec_bin(pacemaker_t)
corecmd_exec_shell(pacemaker_t)
+domain_use_interactive_fds(pacemaker_t)
+domain_read_all_domains_state(pacemaker_t)
+
dev_getattr_mtrr_dev(pacemaker_t)
dev_read_rand(pacemaker_t)
dev_read_urand(pacemaker_t)
-domain_read_all_domains_state(pacemaker_t)
-domain_use_interactive_fds(pacemaker_t)
-
files_read_kernel_symbol_table(pacemaker_t)
fs_getattr_all_fs(pacemaker_t)
@@ -75,9 +87,20 @@ auth_use_nsswitch(pacemaker_t)
logging_send_syslog_msg(pacemaker_t)
-miscfiles_read_localization(pacemaker_t)
+sysnet_domtrans_ifconfig(pacemaker_t)
+
+tunable_policy(`pacemaker_use_execmem',`
+ allow pacemaker_t self:process { execmem };
+')
optional_policy(`
corosync_read_log(pacemaker_t)
+ corosync_setattr_log(pacemaker_t)
corosync_stream_connect(pacemaker_t)
+ corosync_rw_tmpfs(pacemaker_t)
+')
+
+optional_policy(`
+ #executes heartbeat lib files
+ rgmanager_execute_lib(pacemaker_t)
')
diff --git a/pads.if b/pads.if
index 6e097c919..503c97a2d 100644
--- a/pads.if
+++ b/pads.if
@@ -17,15 +17,19 @@
##
##
#
-interface(`pads_admin', `
+interface(`pads_admin',`
gen_require(`
type pads_t, pads_config_t, pads_var_run_t;
type pads_initrc_exec_t;
')
- allow $1 pads_t:process { ptrace signal_perms };
+ allow $1 pads_t:process signal_perms;
ps_process_pattern($1, pads_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 pads_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, pads_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 pads_initrc_exec_t system_r;
diff --git a/pads.te b/pads.te
index 078adc478..f0c65e5de 100644
--- a/pads.te
+++ b/pads.te
@@ -24,9 +24,12 @@ files_pid_file(pads_var_run_t)
# Declarations
#
-allow pads_t self:capability { dac_override net_raw };
+allow pads_t self:capability { dac_read_search dac_override net_raw };
+allow pads_t self:netlink_route_socket create_netlink_socket_perms;
allow pads_t self:packet_socket create_socket_perms;
allow pads_t self:socket create_socket_perms;
+allow pads_t self:udp_socket create_socket_perms;
+allow pads_t self:unix_dgram_socket create_socket_perms;
allow pads_t pads_config_t:file manage_file_perms;
files_etc_filetrans(pads_t, pads_config_t, file)
@@ -39,7 +42,6 @@ kernel_read_network_state(pads_t)
corecmd_search_bin(pads_t)
-corenet_all_recvfrom_unlabeled(pads_t)
corenet_all_recvfrom_netlabel(pads_t)
corenet_tcp_sendrecv_generic_if(pads_t)
corenet_tcp_sendrecv_generic_node(pads_t)
@@ -52,11 +54,8 @@ dev_read_rand(pads_t)
dev_read_urand(pads_t)
dev_read_sysfs(pads_t)
-files_read_etc_files(pads_t)
files_search_spool(pads_t)
-miscfiles_read_localization(pads_t)
-
logging_send_syslog_msg(pads_t)
sysnet_dns_name_resolve(pads_t)
diff --git a/passenger.fc b/passenger.fc
index 2c389ea7c..9155bd0dd 100644
--- a/passenger.fc
+++ b/passenger.fc
@@ -1,10 +1,12 @@
-/usr/.*/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
-/usr/.*/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
-/usr/.*/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
-/usr/.*/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/share/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/share/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/lib/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/lib/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
-/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
+/usr/share/.*/gems/.*/helper-scripts/prespawn -- gen_context(system_u:object_r:passenger_exec_t,s0)
-/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0)
+/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
-/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
+/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0)
+
+/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
diff --git a/passenger.if b/passenger.if
index bf59ef731..0e333279c 100644
--- a/passenger.if
+++ b/passenger.if
@@ -15,17 +15,17 @@ interface(`passenger_domtrans',`
type passenger_t, passenger_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, passenger_exec_t, passenger_t)
+ allow passenger_t $1:unix_stream_socket { accept getattr read write };
')
######################################
##
-## Execute passenger in the caller domain.
+## Execute passenger in the current domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
#
@@ -34,13 +34,30 @@ interface(`passenger_exec',`
type passenger_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, passenger_exec_t)
')
+#######################################
+##
+## Getattr passenger log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`passenger_getattr_log_files',`
+ gen_require(`
+ type passenger_log_t;
+ ')
+
+ getattr_files_pattern($1, passenger_log_t, passenger_log_t)
+')
+
########################################
##
-## Read passenger lib files.
+## Read passenger lib files
##
##
##
@@ -53,6 +70,112 @@ interface(`passenger_read_lib_files',`
type passenger_var_lib_t;
')
- files_search_var_lib($1)
read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Manage passenger lib files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`passenger_manage_lib_files',`
+ gen_require(`
+ type passenger_var_lib_t;
+ ')
+
+ manage_dirs_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ manage_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ manage_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ files_search_var_lib($1)
')
+
+#####################################
+##
+## Manage passenger var_run content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`passenger_manage_pid_content',`
+ gen_require(`
+ type passenger_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t)
+ manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+ manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+ manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+')
+
+########################################
+##
+## Connect to passenger unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`passenger_stream_connect',`
+ gen_require(`
+ type passenger_t;
+ type passenger_tmp_t;
+ type passenger_var_run_t;
+ ')
+
+
+
+ stream_connect_pattern($1, passenger_var_run_t, passenger_var_run_t, passenger_t)
+ stream_connect_pattern($1, passenger_tmp_t, passenger_tmp_t, passenger_t)
+')
+
+#######################################
+##
+## Allow to manage passenger tmp files/dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`passenger_manage_tmp_files',`
+ gen_require(`
+ type passenger_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t)
+ manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
+')
+
+########################################
+##
+## Send kill signals to passenger.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`passenger_kill',`
+ gen_require(`
+ type passenger_t;
+ ')
+
+ allow $1 passenger_t:process sigkill;
+')
+
diff --git a/passenger.te b/passenger.te
index 08ec33bf2..175a4ed46 100644
--- a/passenger.te
+++ b/passenger.te
@@ -1,4 +1,4 @@
-policy_module(passanger, 1.1.1)
+policy_module(passenger, 1.1.1)
########################################
#
@@ -14,6 +14,9 @@ role system_r types passenger_t;
type passenger_log_t;
logging_log_file(passenger_log_t)
+type passenger_tmp_t;
+files_tmp_file(passenger_tmp_t)
+
type passenger_var_lib_t;
files_type(passenger_var_lib_t)
@@ -22,22 +25,25 @@ files_pid_file(passenger_var_run_t)
########################################
#
-# Local policy
+# passanger local policy
#
-allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
-allow passenger_t self:process { setpgid setsched sigkill signal };
+allow passenger_t self:capability { chown dac_read_search dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
+allow passenger_t self:capability2 block_suspend;
+allow passenger_t self:process { setpgid setsched getsession signal_perms };
allow passenger_t self:fifo_file rw_fifo_file_perms;
-allow passenger_t self:unix_stream_socket { accept connectto listen };
+allow passenger_t self:tcp_socket { accept listen };
+allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+can_exec(passenger_t, passenger_exec_t)
manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t)
-append_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
-create_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
-setattr_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
-logging_log_filetrans(passenger_t, passenger_log_t, file)
+manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
+logging_log_filetrans(passenger_t, passenger_log_t, { dir file })
manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+files_search_var_lib(passenger_t)
manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
@@ -45,7 +51,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
-can_exec(passenger_t, passenger_exec_t)
+#needed by puppet
+manage_dirs_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
+manage_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
+manage_sock_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
+files_tmp_filetrans(passenger_t, passenger_tmp_t, { file dir sock_file })
kernel_read_system_state(passenger_t)
kernel_read_kernel_sysctls(passenger_t)
@@ -53,13 +63,11 @@ kernel_read_network_state(passenger_t)
kernel_read_net_sysctls(passenger_t)
corenet_all_recvfrom_netlabel(passenger_t)
-corenet_all_recvfrom_unlabeled(passenger_t)
corenet_tcp_sendrecv_generic_if(passenger_t)
corenet_tcp_sendrecv_generic_node(passenger_t)
-
-corenet_sendrecv_http_client_packets(passenger_t)
corenet_tcp_connect_http_port(passenger_t)
-corenet_tcp_sendrecv_http_port(passenger_t)
+corenet_tcp_connect_postgresql_port(passenger_t)
+corenet_tcp_connect_mysqld_port(passenger_t)
corecmd_exec_bin(passenger_t)
corecmd_exec_shell(passenger_t)
@@ -68,10 +76,10 @@ dev_read_urand(passenger_t)
domain_read_all_domains_state(passenger_t)
-files_read_etc_files(passenger_t)
-
auth_use_nsswitch(passenger_t)
+fs_getattr_xattr_fs(passenger_t)
+
logging_send_syslog_msg(passenger_t)
miscfiles_read_localization(passenger_t)
@@ -83,6 +91,7 @@ userdom_dontaudit_use_user_terminals(passenger_t)
optional_policy(`
apache_append_log(passenger_t)
apache_read_sys_content(passenger_t)
+ apache_rw_stream_sockets(passenger_t)
')
optional_policy(`
@@ -94,14 +103,21 @@ optional_policy(`
')
optional_policy(`
- puppet_manage_lib_files(passenger_t)
+ mysql_stream_connect(passenger_t)
+ mysql_list_db(passenger_t)
+')
+
+optional_policy(`
+ puppet_domtrans_master(passenger_t)
+ puppet_manage_lib(passenger_t)
puppet_read_config(passenger_t)
- puppet_append_log_files(passenger_t)
- puppet_create_log_files(passenger_t)
- puppet_read_log_files(passenger_t)
+ puppet_append_log(passenger_t)
+ puppet_create_log(passenger_t)
+ puppet_read_log(passenger_t)
+ puppet_search_pid(passenger_t)
')
optional_policy(`
- rpm_exec(passenger_t)
- rpm_read_db(passenger_t)
+ rpm_exec(passenger_t)
+ rpm_read_db(passenger_t)
')
diff --git a/pcmcia.te b/pcmcia.te
index 8176e4aa4..2df178919 100644
--- a/pcmcia.te
+++ b/pcmcia.te
@@ -88,20 +88,17 @@ libs_exec_lib_files(cardmgr_t)
logging_send_syslog_msg(cardmgr_t)
-miscfiles_read_localization(cardmgr_t)
-
modutils_domtrans_insmod(cardmgr_t)
sysnet_domtrans_ifconfig(cardmgr_t)
sysnet_etc_filetrans_config(cardmgr_t)
sysnet_manage_config(cardmgr_t)
-userdom_use_user_terminals(cardmgr_t)
+userdom_use_inherited_user_terminals(cardmgr_t)
userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
userdom_dontaudit_search_user_home_dirs(cardmgr_t)
optional_policy(`
- seutil_dontaudit_read_config(cardmgr_t)
seutil_sigchld_newrole(cardmgr_t)
')
diff --git a/pcp.fc b/pcp.fc
new file mode 100644
index 000000000..de7c78ca0
--- /dev/null
+++ b/pcp.fc
@@ -0,0 +1,33 @@
+/etc/rc\.d/init\.d/pmcd -- gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pmwebd -- gen_context(system_u:object_r:pcp_pmwebd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pmie -- gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_initrc_exec_t,s0)
+
+/usr/bin/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
+/usr/bin/pmcd -- gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
+/usr/bin/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
+/usr/bin/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0)
+/usr/bin/pmwebd -- gen_context(system_u:object_r:pcp_pmwebd_exec_t,s0)
+/usr/bin/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_exec_t,s0)
+
+
+/usr/libexec/pcp/bin/pmcd -- gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
+/usr/libexec/pcp/bin/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
+/usr/libexec/pcp/bin/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0)
+/usr/libexec/pcp/bin/pmwebd -- gen_context(system_u:object_r:pcp_pmwebd_exec_t,s0)
+/usr/libexec/pcp/bin/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
+/usr/libexec/pcp/bin/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_exec_t,s0)
+
+/usr/share/pcp/lib/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
+
+/usr/share/pcp/lib/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
+
+/var/lib/pcp(/.*)? gen_context(system_u:object_r:pcp_var_lib_t,s0)
+
+/var/log/pcp(/.*)? gen_context(system_u:object_r:pcp_log_t,s0)
+
+/var/run/pcp(/.*)? gen_context(system_u:object_r:pcp_var_run_t,s0)
+/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0)
+/var/run/pmlogger\.primary\.socket -l gen_context(system_u:object_r:pcp_var_run_t,s0)
diff --git a/pcp.if b/pcp.if
new file mode 100644
index 000000000..abb250dba
--- /dev/null
+++ b/pcp.if
@@ -0,0 +1,160 @@
+## The pcp command summarizes the status of a Performance Co-Pilot (PCP) installation
+
+######################################
+##
+## Creates types and rules for a basic
+## pcp daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`pcp_domain_template',`
+ gen_require(`
+ attribute pcp_domain;
+ ')
+
+ type pcp_$1_t, pcp_domain;
+ type pcp_$1_exec_t;
+ init_daemon_domain(pcp_$1_t, pcp_$1_exec_t)
+
+ type pcp_$1_initrc_exec_t;
+ init_script_file(pcp_$1_initrc_exec_t)
+
+ auth_use_nsswitch(pcp_$1_t)
+
+ optional_policy(`
+ cron_system_entry(pcp_$1_t, pcp_$1_exec_t)
+ ')
+')
+
+######################################
+##
+## Allow domain to read pcp lib files
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+interface(`pcp_read_lib_files',`
+ gen_require(`
+ type pcp_var_lib_t;
+ ')
+ files_search_var_lib($1)
+ read_files_pattern($1,pcp_var_lib_t,pcp_var_lib_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an pcp environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`pcp_admin',`
+ gen_require(`
+ type pcp_pmcd_t;
+ type pcp_pmlogger_t;
+ type pcp_pmproxy_t;
+ type pcp_pmwebd_t;
+ type pcp_pmie_t;
+ type pcp_pmmgr_t;
+ type pcp_var_run_t;
+ ')
+
+ allow $1 pcp_pmcd_t:process signal_perms;
+ ps_process_pattern($1, pcp_pmcd_t)
+
+ allow $1 pcp_pmlogger_t:process signal_perms;
+ ps_process_pattern($1, pcp_pmlogger_t)
+
+ allow $1 pcp_pmproxy_t:process signal_perms;
+ ps_process_pattern($1, pcp_pmproxy_t)
+
+ allow $1 pcp_pmwebd_t:process signal_perms;
+ ps_process_pattern($1, pcp_pmwebd_t)
+
+ allow $1 pcp_pmie_t:process signal_perms;
+ ps_process_pattern($1, pcp_pmie_t)
+
+ allow $1 pcp_pmmgr_t:process signal_perms;
+ ps_process_pattern($1, pcp_pmmgr_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 pcp_pmcd_t:process ptrace;
+ allow $1 pcp_pmlogger_t:process ptrace;
+ allow $1 pcp_pmproxy_t:process ptrace;
+ allow $1 pcp_pmwebd_t:process ptrace;
+ allow $1 pcp_pmie_t:process ptrace;
+ allow $1 pcp_pmmgr_t:process ptrace;
+ ')
+
+ files_search_pids($1)
+ admin_pattern($1, pcp_var_run_t)
+')
+
+########################################
+##
+## Allow the specified domain to execute pcp_pmie
+## in the caller domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`pcp_pmie_exec',`
+ gen_require(`
+ type pcp_pmie_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, pcp_pmie_exec_t)
+')
+
+########################################
+##
+## Allow the specified domain to execute pcp_pmlogger
+## in the caller domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`pcp_pmlogger_exec',`
+ gen_require(`
+ type pcp_pmlogger_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, pcp_pmlogger_exec_t)
+')
+
+#######################################
+##
+## Transition to pcp named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pcp_filetrans_named_content',`
+ gen_require(`
+ type pcp_var_run_t;
+ ')
+ files_pid_filetrans($1, pcp_var_run_t, dir, "pcp")
+')
diff --git a/pcp.pp b/pcp.pp
new file mode 100644
index 000000000..fa4cfaa88
Binary files /dev/null and b/pcp.pp differ
diff --git a/pcp.te b/pcp.te
new file mode 100644
index 000000000..89c3f11d8
--- /dev/null
+++ b/pcp.te
@@ -0,0 +1,316 @@
+policy_module(pcp, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+
+##
+##
+## Allow pcp to bind to all unreserved_ports
+##
+##
+gen_tunable(pcp_bind_all_unreserved_ports, false)
+
+##
+##
+## Allow pcp to read generic logs
+##
+##
+gen_tunable(pcp_read_generic_logs, false)
+
+attribute pcp_domain;
+
+pcp_domain_template(pmcd)
+pcp_domain_template(pmlogger)
+pcp_domain_template(pmproxy)
+pcp_domain_template(pmwebd)
+pcp_domain_template(pmie)
+pcp_domain_template(pmmgr)
+
+type pcp_log_t;
+logging_log_file(pcp_log_t)
+
+type pcp_var_lib_t;
+files_type(pcp_var_lib_t)
+
+type pcp_var_run_t;
+files_pid_file(pcp_var_run_t)
+
+type pcp_tmp_t;
+files_tmp_file(pcp_tmp_t)
+
+type pcp_tmpfs_t;
+files_tmpfs_file(pcp_tmpfs_t)
+
+########################################
+#
+# pcp domain local policy
+#
+
+allow pcp_domain self:capability { setuid setgid dac_read_search dac_override };
+allow pcp_domain self:process signal_perms;
+allow pcp_domain self:tcp_socket create_stream_socket_perms;
+allow pcp_domain self:udp_socket create_socket_perms;
+allow pcp_domain self:netlink_route_socket create_socket_perms;
+allow pcp_domain self:unix_stream_socket connectto;
+
+corenet_tcp_connect_all_ephemeral_ports(pcp_domain)
+
+manage_dirs_pattern(pcp_domain, pcp_log_t, pcp_log_t)
+manage_files_pattern(pcp_domain, pcp_log_t, pcp_log_t)
+logging_log_filetrans(pcp_domain, pcp_log_t, { dir })
+
+manage_dirs_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
+manage_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
+manage_sock_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
+manage_lnk_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
+exec_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
+files_var_lib_filetrans(pcp_domain, pcp_var_lib_t, { dir})
+
+manage_dirs_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
+manage_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
+manage_sock_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
+manage_lnk_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
+files_pid_filetrans(pcp_domain, pcp_var_run_t, { dir file sock_file lnk_file })
+
+manage_dirs_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
+manage_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
+manage_sock_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
+files_tmp_filetrans(pcp_domain, pcp_tmp_t, { dir file sock_file })
+
+manage_dirs_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t)
+manage_files_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t)
+fs_tmpfs_filetrans(pcp_domain, pcp_tmpfs_t, { dir file })
+
+dev_read_urand(pcp_domain)
+
+files_read_etc_files(pcp_domain)
+
+fs_getattr_all_fs(pcp_domain)
+
+miscfiles_read_generic_certs(pcp_domain)
+
+sysnet_read_config(pcp_domain)
+
+tunable_policy(`pcp_bind_all_unreserved_ports',`
+ corenet_sendrecv_all_server_packets(pcp_pmcd_t)
+ corenet_sendrecv_all_server_packets(pcp_pmlogger_t)
+ corenet_tcp_bind_all_unreserved_ports(pcp_pmcd_t)
+ corenet_tcp_bind_all_unreserved_ports(pcp_pmlogger_t)
+
+')
+
+
+########################################
+#
+# pcp_pmcd local policy
+#
+
+allow pcp_pmcd_t self:capability { net_admin sys_admin sys_ptrace };
+allow pcp_pmcd_t self:process { setsched };
+allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;
+
+kernel_get_sysvipc_info(pcp_pmcd_t)
+kernel_read_network_state(pcp_pmcd_t)
+kernel_read_system_state(pcp_pmcd_t)
+kernel_read_state(pcp_pmcd_t)
+kernel_read_fs_sysctls(pcp_pmcd_t)
+kernel_read_rpc_sysctls(pcp_pmcd_t)
+kernel_search_network_sysctl(pcp_pmcd_t)
+kernel_read_net_sysctls(pcp_pmcd_t)
+
+corecmd_exec_bin(pcp_pmcd_t)
+
+corenet_tcp_bind_amqp_port(pcp_pmcd_t)
+corenet_tcp_connect_amqp_port(pcp_pmcd_t)
+corenet_tcp_connect_http_port(pcp_pmcd_t)
+
+dev_read_sysfs(pcp_pmcd_t)
+dev_rw_lvm_control(pcp_pmcd_t)
+
+domain_read_all_domains_state(pcp_pmcd_t)
+domain_getattr_all_domains(pcp_pmcd_t)
+
+dev_getattr_all_blk_files(pcp_pmcd_t)
+dev_getattr_all_chr_files(pcp_pmcd_t)
+dev_read_sysfs(pcp_pmcd_t)
+dev_read_urand(pcp_pmcd_t)
+
+fs_getattr_all_fs(pcp_pmcd_t)
+fs_getattr_all_dirs(pcp_pmcd_t)
+fs_list_cgroup_dirs(pcp_pmcd_t)
+fs_read_cgroup_files(pcp_pmcd_t)
+
+init_read_utmp(pcp_pmcd_t)
+
+logging_send_syslog_msg(pcp_pmcd_t)
+
+lvm_domtrans(pcp_pmcd_t)
+
+storage_getattr_fixed_disk_dev(pcp_pmcd_t)
+
+userdom_read_user_tmp_files(pcp_pmcd_t)
+
+optional_policy(`
+ cron_read_pid_files(pcp_pmcd_t)
+')
+
+optional_policy(`
+ container_manage_lib_files(pcp_pmcd_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(pcp_pmcd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(pcp_pmcd_t)
+
+ optional_policy(`
+ avahi_dbus_chat(pcp_pmcd_t)
+ ')
+')
+
+optional_policy(`
+ postfix_read_config(pcp_pmcd_t)
+ postfix_search_spool(pcp_pmcd_t)
+')
+
+tunable_policy(`pcp_read_generic_logs',`
+ logging_read_generic_logs(pcp_pmcd_t)
+
+')
+
+########################################
+#
+# pcp_pmproxy local policy
+#
+
+allow pcp_pmproxy_t self:process setsched;
+allow pcp_pmproxy_t self:unix_dgram_socket create_socket_perms;
+
+kernel_search_network_sysctl(pcp_pmproxy_t)
+
+logging_send_syslog_msg(pcp_pmproxy_t)
+
+optional_policy(`
+ dbus_system_bus_client(pcp_pmproxy_t)
+
+ optional_policy(`
+ avahi_dbus_chat(pcp_pmproxy_t)
+ ')
+')
+
+########################################
+#
+# pcp_pmwebd local policy
+#
+
+corenet_tcp_bind_generic_node(pcp_pmwebd_t)
+
+optional_policy(`
+ dbus_system_bus_client(pcp_pmwebd_t)
+
+ optional_policy(`
+ avahi_dbus_chat(pcp_pmwebd_t)
+ ')
+')
+
+########################################
+#
+# pcp_pmmgr local policy
+#
+
+allow pcp_pmmgr_t self:process { setpgid };
+allow pcp_pmmgr_t self:unix_dgram_socket create_socket_perms;
+allow pcp_pmmgr_t pcp_pmcd_t:unix_stream_socket connectto;
+
+kernel_read_system_state(pcp_pmmgr_t)
+
+corenet_udp_bind_dey_sapi_port(pcp_pmmgr_t)
+
+corenet_tcp_bind_commplex_link_port(pcp_pmmgr_t)
+corenet_tcp_bind_dey_sapi_port(pcp_pmmgr_t)
+
+corecmd_exec_bin(pcp_pmmgr_t)
+
+logging_send_syslog_msg(pcp_pmmgr_t)
+
+optional_policy(`
+ pcp_pmie_exec(pcp_pmmgr_t)
+ pcp_pmlogger_exec(pcp_pmmgr_t)
+')
+
+########################################
+#
+# pcp_pmie local policy
+#
+allow pcp_pmie_t self:capability { chown sys_ptrace };
+allow pcp_pmie_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow pcp_pmie_t self:unix_dgram_socket { create_socket_perms sendto };
+
+allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
+
+kernel_read_system_state(pcp_pmie_t)
+
+corecmd_exec_bin(pcp_pmie_t)
+corecmd_getattr_all_executables(pcp_pmie_t)
+
+domain_read_all_domains_state(pcp_pmie_t)
+
+fs_search_cgroup_dirs(pcp_pmie_t)
+
+init_status(pcp_pmie_t)
+
+logging_send_syslog_msg(pcp_pmie_t)
+
+systemd_exec_systemctl(pcp_pmie_t)
+systemd_read_unit_files(pcp_pmie_t)
+systemd_search_unit_dirs(pcp_pmie_t)
+
+userdom_read_user_tmp_files(pcp_pmie_t)
+
+########################################
+#
+# pcp_pmlogger local policy
+#
+
+allow pcp_pmlogger_t self:capability { kill sys_ptrace chown };
+allow pcp_pmlogger_t self:process setpgid;
+allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read };
+
+allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto;
+allow pcp_pmlogger_t self:unix_dgram_socket create_socket_perms;
+
+kernel_read_system_state(pcp_pmlogger_t)
+kernel_read_network_state(pcp_pmlogger_t)
+
+corecmd_exec_bin(pcp_pmlogger_t)
+
+corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t)
+corenet_tcp_bind_commplex_link_port(pcp_pmlogger_t)
+corenet_tcp_bind_generic_node(pcp_pmlogger_t)
+
+domain_read_all_domains_state(pcp_pmlogger_t)
+
+init_read_utmp(pcp_pmlogger_t)
+init_status(pcp_pmlogger_t)
+
+logging_send_syslog_msg(pcp_pmlogger_t)
+
+systemd_exec_systemctl(pcp_pmlogger_t)
+systemd_getattr_unit_files(pcp_pmlogger_t)
+
+optional_policy(`
+ hostname_exec(pcp_pmlogger_t)
+')
+
+optional_policy(`
+ unconfined_signal(pcp_pmlogger_t)
+')
+
+optional_policy(`
+ xserver_dontaudit_search_log(pcp_pmlogger_t)
+')
diff --git a/pcscd.if b/pcscd.if
index 43d50f95b..6b1544f62 100644
--- a/pcscd.if
+++ b/pcscd.if
@@ -17,6 +17,8 @@ interface(`pcscd_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, pcscd_exec_t, pcscd_t)
+
+ ps_process_pattern(pcscd_t, $1)
')
########################################
@@ -50,7 +52,7 @@ interface(`pcscd_read_pid_files',`
')
files_search_pids($1)
- allow $1 pcscd_var_run_t:file read_file_perms;
+ read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
')
########################################
diff --git a/pcscd.te b/pcscd.te
index 1fb196410..5212cd203 100644
--- a/pcscd.te
+++ b/pcscd.te
@@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
#
allow pcscd_t self:capability { dac_override dac_read_search fsetid };
-allow pcscd_t self:process signal;
+allow pcscd_t self:process { signal signull };
allow pcscd_t self:fifo_file rw_fifo_file_perms;
-allow pcscd_t self:unix_stream_socket { accept listen };
-allow pcscd_t self:tcp_socket { accept listen };
+allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
+allow pcscd_t self:unix_dgram_socket create_socket_perms;
+allow pcscd_t self:tcp_socket create_stream_socket_perms;
allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
@@ -36,7 +37,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
kernel_read_system_state(pcscd_t)
-corenet_all_recvfrom_unlabeled(pcscd_t)
corenet_all_recvfrom_netlabel(pcscd_t)
corenet_tcp_sendrecv_generic_if(pcscd_t)
corenet_tcp_sendrecv_generic_node(pcscd_t)
@@ -45,12 +45,13 @@ corenet_sendrecv_http_client_packets(pcscd_t)
corenet_tcp_connect_http_port(pcscd_t)
corenet_tcp_sendrecv_http_port(pcscd_t)
+domain_read_all_domains_state(pcscd_t)
+
dev_rw_generic_usb_dev(pcscd_t)
dev_rw_smartcard(pcscd_t)
dev_rw_usbfs(pcscd_t)
dev_read_sysfs(pcscd_t)
-files_read_etc_files(pcscd_t)
files_read_etc_runtime_files(pcscd_t)
term_use_unallocated_ttys(pcscd_t)
@@ -60,16 +61,26 @@ locallogin_use_fds(pcscd_t)
logging_send_syslog_msg(pcscd_t)
-miscfiles_read_localization(pcscd_t)
-
sysnet_dns_name_resolve(pcscd_t)
+userdom_read_all_users_state(pcscd_t)
+
optional_policy(`
dbus_system_bus_client(pcscd_t)
optional_policy(`
hal_dbus_chat(pcscd_t)
')
+
+ optional_policy(`
+ policykit_dbus_chat(pcscd_t)
+ policykit_dbus_chat_auth(pcscd_t)
+ ')
+
+')
+
+optional_policy(`
+ policykit_dbus_chat(pcscd_t)
')
optional_policy(`
@@ -85,3 +96,8 @@ optional_policy(`
optional_policy(`
udev_read_db(pcscd_t)
')
+
+optional_policy(`
+ virt_rw_svirt_dev(pcscd_t)
+')
+
diff --git a/pegasus.fc b/pegasus.fc
index dfd46e412..feaa8e174 100644
--- a/pegasus.fc
+++ b/pegasus.fc
@@ -1,15 +1,33 @@
-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
+
+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
+/etc/Pegasus/cimserver_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
-/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
-/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0)
+/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
-/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
+/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
-/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
+/var/lib/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0)
-/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
+/var/run/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_var_run_t,s0)
+
+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
+
+/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
+
+/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+
+/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0)
+
+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
+
+/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
diff --git a/pegasus.if b/pegasus.if
index d2fc677c1..86dce34a2 100644
--- a/pegasus.if
+++ b/pegasus.if
@@ -1,52 +1,60 @@
## The Open Group Pegasus CIM/WBEM Server.
+######################################
+##
+## Creates types and rules for a basic
+## openlmi init daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`pegasus_openlmi_domain_template',`
+ gen_require(`
+ attribute pegasus_openlmi_domain;
+ type pegasus_t;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ type pegasus_openlmi_$1_t, pegasus_openlmi_domain;
+ type pegasus_openlmi_$1_exec_t;
+ init_daemon_domain(pegasus_openlmi_$1_t, pegasus_openlmi_$1_exec_t)
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t)
+ allow pegasus_t pegasus_openlmi_$1_exec_t:file ioctl;
+
+ kernel_read_system_state(pegasus_openlmi_$1_t)
+ logging_send_syslog_msg(pegasus_openlmi_$1_t)
+')
+
########################################
##
-## All of the rules required to
-## administrate an pegasus environment.
+## Connect to pegasus over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Role allowed access.
-##
-##
-##
#
-interface(`pegasus_admin',`
+interface(`pegasus_stream_connect',`
gen_require(`
- type pegasus_t, pegasus_initrc_exec_t, pegasus_tmp_t;
- type pegasus_cache_t, pegasus_data_t, pegasus_conf_t;
- type pegasus_mof_t, pegasus_var_run_t;
+ type pegasus_t, pegasus_var_run_t, pegasus_tmp_t;
')
- allow $1 pegasus_t:process { ptrace signal_perms };
- ps_process_pattern($1, pegasus_t)
-
- init_labeled_script_domtrans($1, pegasus_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pegasus_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_etc($1)
- admin_pattern($1, pegasus_conf_t)
-
- files_search_usr($1)
- admin_pattern($1, pegasus_mof_t)
-
- files_search_tmp($1)
- admin_pattern($1, pegasus_tmp_t)
-
- files_search_var($1)
- admin_pattern($1, pegasus_cache_t)
-
- files_search_var_lib($1)
- admin_pattern($1, pegasus_data_t)
-
files_search_pids($1)
- admin_pattern($1, pegasus_var_run_t)
+ stream_connect_pattern($1, pegasus_var_run_t, pegasus_var_run_t, pegasus_t)
+ stream_connect_pattern($1, pegasus_tmp_t, pegasus_tmp_t, pegasus_t)
')
+
diff --git a/pegasus.te b/pegasus.te
index 608f454d8..a78b356aa 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
# Declarations
#
+attribute pegasus_openlmi_domain;
+
type pegasus_t;
type pegasus_exec_t;
init_daemon_domain(pegasus_t, pegasus_exec_t)
-type pegasus_initrc_exec_t;
-init_script_file(pegasus_initrc_exec_t)
-
type pegasus_cache_t;
files_type(pegasus_cache_t)
@@ -30,20 +29,337 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
+# pegasus openlmi providers
+pegasus_openlmi_domain_template(admin)
+typealias pegasus_openlmi_admin_t alias pegasus_openlmi_service_t;
+typealias pegasus_openlmi_admin_exec_t alias pegasus_openlmi_service_exec_t;
+
+pegasus_openlmi_domain_template(account)
+domain_obj_id_change_exemption(pegasus_openlmi_account_t)
+domain_system_change_exemption(pegasus_openlmi_account_t)
+
+pegasus_openlmi_domain_template(logicalfile)
+pegasus_openlmi_domain_template(services)
+
+pegasus_openlmi_domain_template(storage)
+type pegasus_openlmi_storage_tmp_t;
+files_tmp_file(pegasus_openlmi_storage_tmp_t)
+
+type pegasus_openlmi_storage_lib_t;
+files_type(pegasus_openlmi_storage_lib_t)
+
+type pegasus_openlmi_storage_var_run_t;
+files_pid_file(pegasus_openlmi_storage_var_run_t)
+
+pegasus_openlmi_domain_template(system)
+typealias pegasus_openlmi_system_t alias pegasus_openlmi_networking_t;
+pegasus_openlmi_domain_template(unconfined)
+
+#######################################
+#
+# pegasus openlmi providers local policy
+#
+
+allow pegasus_openlmi_domain self:capability { setuid setgid };
+
+allow pegasus_openlmi_domain self:fifo_file rw_fifo_file_perms;
+allow pegasus_openlmi_domain self:udp_socket create_socket_perms;
+
+manage_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
+manage_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
+
+corecmd_exec_bin(pegasus_openlmi_domain)
+corecmd_exec_shell(pegasus_openlmi_domain)
+
+dev_read_sysfs(pegasus_openlmi_domain)
+
+auth_read_passwd(pegasus_openlmi_domain)
+
+sysnet_read_config(pegasus_openlmi_domain)
+
+optional_policy(`
+ pegasus_stream_connect(pegasus_openlmi_domain)
+')
+
+######################################
+#
+# pegasus openlmi account local policy
+#
+
+allow pegasus_openlmi_account_t self:capability { chown dac_read_search dac_override fowner fsetid };
+allow pegasus_openlmi_account_t self:process setfscreate;
+
+auth_manage_passwd(pegasus_openlmi_account_t)
+auth_manage_shadow(pegasus_openlmi_account_t)
+auth_relabel_shadow(pegasus_openlmi_account_t)
+auth_read_login_records(pegasus_openlmi_account_t)
+auth_etc_filetrans_shadow(pegasus_openlmi_account_t)
+
+logging_send_audit_msgs(pegasus_openlmi_account_t)
+logging_send_syslog_msg(pegasus_openlmi_account_t)
+
+init_rw_utmp(pegasus_openlmi_account_t)
+
+seutil_semanage_policy(pegasus_openlmi_account_t)
+
+logging_send_syslog_msg(pegasus_openlmi_account_t)
+
+seutil_read_config(pegasus_openlmi_account_t)
+seutil_read_file_contexts(pegasus_openlmi_account_t)
+seutil_read_default_contexts(pegasus_openlmi_account_t)
+
+# Add/remove user home directories
+userdom_home_filetrans_user_home_dir(pegasus_openlmi_account_t)
+userdom_manage_home_role(system_r, pegasus_openlmi_account_t)
+userdom_delete_all_user_home_content(pegasus_openlmi_account_t)
+
+optional_policy(`
+ # run userdel
+ usermanage_domtrans_useradd(pegasus_openlmi_account_t)
+')
+
+######################################
+#
+# pegasus openlmi logicalfile local policy
+#
+
+allow pegasus_openlmi_logicalfile_t self:capability { dac_read_search dac_override };
+files_manage_non_security_dirs(pegasus_openlmi_logicalfile_t)
+files_manage_non_security_files(pegasus_openlmi_logicalfile_t)
+
+dev_getattr_all_blk_files(pegasus_openlmi_logicalfile_t)
+dev_getattr_all_chr_files(pegasus_openlmi_logicalfile_t)
+
+files_list_all(pegasus_openlmi_logicalfile_t)
+files_read_all_files(pegasus_openlmi_logicalfile_t)
+files_read_all_symlinks(pegasus_openlmi_logicalfile_t)
+files_read_all_blk_files(pegasus_openlmi_logicalfile_t)
+files_read_all_chr_files(pegasus_openlmi_logicalfile_t)
+files_getattr_all_pipes(pegasus_openlmi_logicalfile_t)
+files_getattr_all_sockets(pegasus_openlmi_logicalfile_t)
+
+# Add/remove user home directories
+userdom_home_filetrans_user_home_dir(pegasus_openlmi_logicalfile_t)
+userdom_manage_home_role(system_r, pegasus_openlmi_logicalfile_t)
+userdom_delete_all_user_home_content(pegasus_openlmi_logicalfile_t)
+
+optional_policy(`
+ # it can delete/create empty dirs
+ # so we want to have unconfined_domain attribute for filename rules
+ unconfined_domain(pegasus_openlmi_logicalfile_t)
+')
+
+######################################
+#
+# pegasus openlmi services local policy
+#
+
+allow pegasus_openlmi_services_t self:netlink_route_socket r_netlink_socket_perms;
+
+kernel_read_network_state(pegasus_openlmi_services_t)
+
+miscfiles_read_certs(pegasus_openlmi_services_t)
+
+optional_policy(`
+ dbus_system_bus_client(pegasus_openlmi_services_t)
+')
+
+optional_policy(`
+ realmd_dbus_chat(pegasus_openlmi_services_t)
+')
+
+optional_policy(`
+ sssd_read_public_files(pegasus_openlmi_services_t)
+ sssd_stream_connect(pegasus_openlmi_services_t)
+')
+
+######################################
+#
+# pegasus openlmi system (networking) local policy
+#
+
+allow pegasus_openlmi_system_t self:capability { net_admin sys_boot };
+allow pegasus_openlmi_system_t self:process signal_perms;
+
+allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms;
+
+kernel_read_network_state(pegasus_openlmi_system_t)
+
+auth_use_nsswitch(pegasus_openlmi_system_t)
+
+dev_rw_sysfs(pegasus_openlmi_system_t)
+dev_read_urand(pegasus_openlmi_system_t)
+
+fs_getattr_all_fs(pegasus_openlmi_system_t)
+
+init_read_utmp(pegasus_openlmi_system_t)
+
+systemd_config_power_services(pegasus_openlmi_system_t)
+systemd_dbus_chat_logind(pegasus_openlmi_system_t)
+
+optional_policy(`
+ dbus_system_bus_client(pegasus_openlmi_system_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(pegasus_openlmi_system_t)
+')
+
+######################################
+#
+# pegasus openlmi service local policy
+#
+
+fs_getattr_all_fs(pegasus_openlmi_admin_t)
+
+init_manage_transient_unit(pegasus_openlmi_admin_t)
+init_disable_services(pegasus_openlmi_admin_t)
+init_enable_services(pegasus_openlmi_admin_t)
+init_reload_services(pegasus_openlmi_admin_t)
+init_status(pegasus_openlmi_admin_t)
+init_reboot(pegasus_openlmi_admin_t)
+init_exec(pegasus_openlmi_admin_t)
+
+systemd_config_all_services(pegasus_openlmi_admin_t)
+systemd_manage_all_unit_files(pegasus_openlmi_admin_t)
+systemd_manage_all_unit_lnk_files(pegasus_openlmi_admin_t)
+
+allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;
+
+logging_read_syslog_pid(pegasus_openlmi_admin_t)
+logging_read_generic_logs(pegasus_openlmi_admin_t)
+
+optional_policy(`
+ dbus_system_bus_client(pegasus_openlmi_admin_t)
+
+ optional_policy(`
+ init_dbus_chat(pegasus_openlmi_admin_t)
+ ')
+')
+
+optional_policy(`
+ sssd_stream_connect(pegasus_openlmi_admin_t)
+')
+
+######################################
+#
+# pegasus openlmi storage local policy
+#
+
+allow pegasus_openlmi_storage_t self:capability { sys_admin sys_rawio sys_resource ipc_lock };
+allow pegasus_openlmi_storage_t self:process setrlimit;
+
+allow pegasus_openlmi_storage_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t)
+manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t)
+files_var_lib_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, file)
+
+manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
+manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
+files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir})
+
+manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t)
+manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t)
+files_pid_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, dir, "openlmi-storage")
+
+kernel_read_all_sysctls(pegasus_openlmi_storage_t)
+kernel_read_network_state(pegasus_openlmi_storage_t)
+kernel_get_sysvipc_info(pegasus_openlmi_storage_t)
+kernel_request_load_module(pegasus_openlmi_storage_t)
+
+auth_use_nsswitch(pegasus_openlmi_storage_t)
+
+dev_read_raw_memory(pegasus_openlmi_storage_t)
+dev_read_rand(pegasus_openlmi_storage_t)
+dev_read_urand(pegasus_openlmi_storage_t)
+
+dev_rw_lvm_control(pegasus_openlmi_storage_t)
+dev_rw_sysfs(pegasus_openlmi_storage_t)
+
+selinux_validate_context(pegasus_openlmi_storage_t)
+
+seutil_read_file_contexts(pegasus_openlmi_storage_t)
+
+storage_raw_read_removable_device(pegasus_openlmi_storage_t)
+storage_raw_write_removable_device(pegasus_openlmi_storage_t)
+storage_raw_read_fixed_disk(pegasus_openlmi_storage_t)
+storage_raw_write_fixed_disk(pegasus_openlmi_storage_t)
+
+files_read_kernel_modules(pegasus_openlmi_storage_t)
+
+fs_getattr_all_fs(pegasus_openlmi_storage_t)
+
+modutils_domtrans_insmod(pegasus_openlmi_storage_t)
+
+udev_domtrans(pegasus_openlmi_storage_t)
+udev_read_pid_files(pegasus_openlmi_storage_t)
+
+init_read_state(pegasus_openlmi_storage_t)
+
+miscfiles_read_hwdata(pegasus_openlmi_storage_t)
+
+optional_policy(`
+ dmidecode_domtrans(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+ gnome_dontaudit_search_config(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+ fstools_domtrans(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+ iscsi_manage_lock(pegasus_openlmi_storage_t)
+ iscsi_read_lib_files(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+ libs_exec_ldconfig(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+ lvm_domtrans(pegasus_openlmi_storage_t)
+ lvm_read_metadata(pegasus_openlmi_storage_t)
+ lvm_write_metadata(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+ mount_domtrans(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+ raid_domtrans_mdadm(pegasus_openlmi_storage_t)
+ raid_filetrans_named_content(pegasus_openlmi_storage_t)
+ raid_manage_conf_files(pegasus_openlmi_storage_t)
+')
+
+######################################
+#
+# pegasus openlmi unconfined local policy
+#
+
+optional_policy(`
+ unconfined_domain(pegasus_openlmi_unconfined_t)
+')
+
########################################
#
-# Local policy
+# pegasus local policy
#
-allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service };
-dontaudit pegasus_t self:capability sys_tty_config;
-allow pegasus_t self:process signal;
+allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_read_search dac_override net_admin net_bind_service sys_ptrace };
+dontaudit pegasus_t self:capability { sys_admin sys_tty_config };
+allow pegasus_t self:process { setsched signal };
allow pegasus_t self:fifo_file rw_fifo_file_perms;
-allow pegasus_t self:unix_stream_socket { connectto accept listen };
-allow pegasus_t self:tcp_socket { accept listen };
+allow pegasus_t self:unix_dgram_socket create_socket_perms;
+allow pegasus_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow pegasus_t self:tcp_socket create_stream_socket_perms;
allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
-allow pegasus_t pegasus_conf_t:file { read_file_perms delete_file_perms rename_file_perms };
+allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms rename_file_perms };
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
@@ -54,25 +370,26 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
-filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { dir file })
+filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { file dir })
+
+can_exec(pegasus_t, pegasus_exec_t)
allow pegasus_t pegasus_mof_t:dir list_dir_perms;
-allow pegasus_t pegasus_mof_t:file read_file_perms;
-allow pegasus_t pegasus_mof_t:lnk_file read_lnk_file_perms;
+read_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t)
+read_lnk_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t)
manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
-files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { dir file })
+files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
+manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
-manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
-files_pid_filetrans(pegasus_t, pegasus_var_run_t, { dir file sock_file })
-
-can_exec(pegasus_t, pegasus_exec_t)
+files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir })
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
+kernel_read_sysctl(pegasus_t)
kernel_read_fs_sysctls(pegasus_t)
kernel_read_system_state(pegasus_t)
kernel_search_vm_sysctl(pegasus_t)
@@ -80,43 +397,42 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
-corenet_all_recvfrom_unlabeled(pegasus_t)
corenet_all_recvfrom_netlabel(pegasus_t)
corenet_tcp_sendrecv_generic_if(pegasus_t)
corenet_tcp_sendrecv_generic_node(pegasus_t)
corenet_tcp_sendrecv_all_ports(pegasus_t)
corenet_tcp_bind_generic_node(pegasus_t)
-
-corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
corenet_tcp_bind_pegasus_http_port(pegasus_t)
-
-corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
corenet_tcp_bind_pegasus_https_port(pegasus_t)
-
-corenet_sendrecv_pegasus_http_client_packets(pegasus_t)
corenet_tcp_connect_pegasus_http_port(pegasus_t)
-
-corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
corenet_tcp_connect_pegasus_https_port(pegasus_t)
-
-corenet_sendrecv_generic_client_packets(pegasus_t)
corenet_tcp_connect_generic_port(pegasus_t)
+corenet_sendrecv_generic_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_http_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
+corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
dev_rw_sysfs(pegasus_t)
dev_read_urand(pegasus_t)
+dev_rw_lvm_control(pegasus_t)
fs_getattr_all_fs(pegasus_t)
fs_search_auto_mountpoints(pegasus_t)
+fs_mount_tracefs(pegasus_t)
+fs_unmount_tracefs(pegasus_t)
files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
+auth_read_shadow(pegasus_t)
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
+domain_named_filetrans(pegasus_t)
files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
@@ -128,18 +444,29 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
-miscfiles_read_localization(pegasus_t)
+mount_domtrans(pegasus_t)
+
+sysnet_read_config(pegasus_t)
+sysnet_domtrans_ifconfig(pegasus_t)
userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
userdom_dontaudit_search_user_home_dirs(pegasus_t)
optional_policy(`
- dbus_system_bus_client(pegasus_t)
- dbus_connect_system_bus(pegasus_t)
+ dmidecode_domtrans(pegasus_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(pegasus_t)
+ dbus_connect_system_bus(pegasus_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(pegasus_t)
+ ')
+')
- optional_policy(`
- networkmanager_dbus_chat(pegasus_t)
- ')
+optional_policy(`
+ rhcs_stream_connect_cluster(pegasus_t)
')
optional_policy(`
@@ -151,16 +478,28 @@ optional_policy(`
')
optional_policy(`
- rpm_exec(pegasus_t)
+ lvm_exec(pegasus_t)
')
optional_policy(`
- samba_manage_config(pegasus_t)
+ ricci_stream_connect_modclusterd(pegasus_t)
')
optional_policy(`
- seutil_sigchld_newrole(pegasus_t)
- seutil_dontaudit_read_config(pegasus_t)
+ realmd_dbus_chat(pegasus_t)
+')
+
+optional_policy(`
+ rpc_read_exports(pegasus_t)
+ rpc_read_nfs_state_data(pegasus_t)
+')
+
+optional_policy(`
+ rpm_domtrans(pegasus_t)
+')
+
+optional_policy(`
+ samba_manage_config(pegasus_t)
')
optional_policy(`
@@ -168,7 +507,7 @@ optional_policy(`
')
optional_policy(`
- sysnet_domtrans_ifconfig(pegasus_t)
+ seutil_sigchld_newrole(pegasus_t)
')
optional_policy(`
@@ -180,11 +519,16 @@ optional_policy(`
')
optional_policy(`
+ virt_getattr_images(pegasus_t)
virt_domtrans(pegasus_t)
virt_stream_connect(pegasus_t)
virt_manage_config(pegasus_t)
')
+optional_policy(`
+ qemu_getattr_exec(pegasus_t)
+')
+
optional_policy(`
xen_stream_connect(pegasus_t)
xen_stream_connect_xenstore(pegasus_t)
diff --git a/pesign.fc b/pesign.fc
new file mode 100644
index 000000000..7b54c3926
--- /dev/null
+++ b/pesign.fc
@@ -0,0 +1,6 @@
+/usr/bin/pesign -- gen_context(system_u:object_r:pesign_exec_t,s0)
+
+/usr/lib/systemd/system/pesign.service -- gen_context(system_u:object_r:pesign_unit_file_t,s0)
+
+/var/run/pesign(/.*)? gen_context(system_u:object_r:pesign_var_run_t,s0)
+/var/run/pesign\.pid -- gen_context(system_u:object_r:pesign_var_run_t,s0)
diff --git a/pesign.if b/pesign.if
new file mode 100644
index 000000000..4d531cb9d
--- /dev/null
+++ b/pesign.if
@@ -0,0 +1,99 @@
+
+## pesign utility for signing UEFI binaries as well as other associated tools
+
+########################################
+##
+## Execute TEMPLATE in the pesign domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`pesign_domtrans',`
+ gen_require(`
+ type pesign_t, pesign_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pesign_exec_t, pesign_t)
+')
+########################################
+##
+## Read pesign PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pesign_read_pid_files',`
+ gen_require(`
+ type pesign_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, pesign_var_run_t, pesign_var_run_t)
+')
+
+########################################
+##
+## Execute pesign server in the pesign domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`pesign_systemctl',`
+ gen_require(`
+ type pesign_t;
+ type pesign_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 pesign_unit_file_t:file read_file_perms;
+ allow $1 pesign_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, pesign_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an pesign environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`pesign_admin',`
+ gen_require(`
+ type pesign_t;
+ type pesign_var_run_t;
+ type pesign_unit_file_t;
+ ')
+
+ allow $1 pesign_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pesign_t)
+
+ files_search_pids($1)
+ admin_pattern($1, pesign_var_run_t)
+
+ pesign_systemctl($1)
+ admin_pattern($1, pesign_unit_file_t)
+ allow $1 pesign_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/pesign.te b/pesign.te
new file mode 100644
index 000000000..55d7442b0
--- /dev/null
+++ b/pesign.te
@@ -0,0 +1,54 @@
+policy_module(pesign, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pesign_t;
+type pesign_exec_t;
+init_daemon_domain(pesign_t, pesign_exec_t)
+
+type pesign_var_run_t;
+files_pid_file(pesign_var_run_t)
+
+type pesign_unit_file_t;
+systemd_unit_file(pesign_unit_file_t)
+
+type pesign_tmp_t;
+files_tmp_file(pesign_tmp_t)
+
+########################################
+#
+# pesign local policy
+#
+
+allow pesign_t self:capability { dac_read_search dac_override setgid setuid };
+allow pesign_t self:process setsched;
+allow pesign_t self:fifo_file rw_fifo_file_perms;
+allow pesign_t self:unix_stream_socket create_stream_socket_perms;
+allow pesign_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+manage_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+manage_lnk_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+manage_sock_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+files_pid_filetrans(pesign_t, pesign_var_run_t, { file dir })
+
+manage_dirs_pattern(pesign_t, pesign_tmp_t, pesign_tmp_t)
+manage_files_pattern(pesign_t, pesign_tmp_t, pesign_tmp_t)
+files_tmp_filetrans(pesign_t, pesign_tmp_t, { file dir })
+
+dev_read_urand(pesign_t)
+dev_read_rand(pesign_t)
+
+files_dontaudit_list_tmp(pesign_t)
+
+fs_getattr_all_fs(pesign_t)
+
+auth_use_nsswitch(pesign_t)
+
+logging_send_syslog_msg(pesign_t)
+
+miscfiles_read_certs(pesign_t)
+miscfiles_read_localization(pesign_t)
diff --git a/pingd.if b/pingd.if
index 21a6ecbe7..b99e4cb0b 100644
--- a/pingd.if
+++ b/pingd.if
@@ -55,7 +55,8 @@ interface(`pingd_manage_config',`
')
files_search_etc($1)
- allow $1 pingd_etc_t:file manage_file_perms;
+ manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
+ manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
')
#######################################
@@ -81,9 +82,13 @@ interface(`pingd_admin',`
type pingd_initrc_exec_t;
')
- allow $1 pingd_t:process { ptrace signal_perms };
+ allow $1 pingd_t:process signal_perms;
ps_process_pattern($1, pingd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 pingd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, pingd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 pingd_initrc_exec_t system_r;
diff --git a/pingd.te b/pingd.te
index ab0106027..778c8eb12 100644
--- a/pingd.te
+++ b/pingd.te
@@ -10,7 +10,7 @@ type pingd_exec_t;
init_daemon_domain(pingd_t, pingd_exec_t)
type pingd_etc_t;
-files_type(pingd_etc_t)
+files_config_file(pingd_etc_t)
type pingd_initrc_exec_t;
init_script_file(pingd_initrc_exec_t)
@@ -45,10 +45,10 @@ corenet_tcp_bind_generic_node(pingd_t)
corenet_sendrecv_pingd_server_packets(pingd_t)
corenet_tcp_bind_pingd_port(pingd_t)
+dev_read_urand(pingd_t)
+
auth_use_nsswitch(pingd_t)
files_search_usr(pingd_t)
logging_send_syslog_msg(pingd_t)
-
-miscfiles_read_localization(pingd_t)
diff --git a/piranha.fc b/piranha.fc
new file mode 100644
index 000000000..20ea9f54b
--- /dev/null
+++ b/piranha.fc
@@ -0,0 +1,24 @@
+
+/etc/rc\.d/init\.d/pulse -- gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0)
+
+# RHEL6
+#/etc/sysconfig/ha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)
+
+/etc/piranha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)
+
+/usr/sbin/fos -- gen_context(system_u:object_r:piranha_fos_exec_t,s0)
+/usr/sbin/lvsd -- gen_context(system_u:object_r:piranha_lvs_exec_t,s0)
+/usr/sbin/piranha_gui -- gen_context(system_u:object_r:piranha_web_exec_t,s0)
+/usr/sbin/pulse -- gen_context(system_u:object_r:piranha_pulse_exec_t,s0)
+
+/var/lib/luci(/.*)? gen_context(system_u:object_r:piranha_web_data_t,s0)
+/var/lib/luci/cert(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0)
+/var/lib/luci/etc(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0)
+
+/var/log/piranha(/.*)? gen_context(system_u:object_r:piranha_log_t,s0)
+
+/var/run/fos\.pid -- gen_context(system_u:object_r:piranha_fos_var_run_t,s0)
+/var/run/lvs\.pid -- gen_context(system_u:object_r:piranha_lvs_var_run_t,s0)
+/var/run/piranha-httpd\.pid -- gen_context(system_u:object_r:piranha_web_var_run_t,s0)
+/var/run/pulse\.pid -- gen_context(system_u:object_r:piranha_pulse_var_run_t,s0)
+
diff --git a/piranha.if b/piranha.if
new file mode 100644
index 000000000..cf54103b6
--- /dev/null
+++ b/piranha.if
@@ -0,0 +1,187 @@
+## policy for piranha
+
+#######################################
+##
+## Creates types and rules for a basic
+## cluster init daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`piranha_domain_template',`
+ gen_require(`
+ attribute piranha_domain;
+ ')
+
+ ##############################
+ #
+ # piranha_$1_t declarations
+ #
+
+ type piranha_$1_t, piranha_domain;
+ type piranha_$1_exec_t;
+ init_daemon_domain(piranha_$1_t, piranha_$1_exec_t)
+
+ # tmpfs files
+ type piranha_$1_tmpfs_t, piranha_tmpfs;
+ files_tmpfs_file(piranha_$1_tmpfs_t)
+
+ # pid files
+ type piranha_$1_var_run_t;
+ files_pid_file(piranha_$1_var_run_t)
+
+ ##############################
+ #
+ # piranha_$1_t local policy
+ #
+
+ manage_dirs_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
+ manage_files_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
+ fs_tmpfs_filetrans(piranha_$1_t, piranha_$1_tmpfs_t, { dir file })
+
+ manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
+ manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
+ files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file })
+
+ kernel_read_system_state(piranha_$1_t)
+
+ auth_use_nsswitch(piranha_$1_t)
+
+ logging_send_syslog_msg(piranha_$1_t)
+')
+
+########################################
+##
+## Execute a domain transition to run fos.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`piranha_domtrans_fos',`
+ gen_require(`
+ type piranha_fos_t, piranha_fos_exec_t;
+ ')
+
+ domtrans_pattern($1, piranha_fos_exec_t, piranha_fos_t)
+')
+
+#######################################
+##
+## Execute a domain transition to run lvsd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`piranha_domtrans_lvs',`
+ gen_require(`
+ type piranha_lvs_t, piranha_lvs_exec_t;
+ ')
+
+ domtrans_pattern($1, piranha_lvs_exec_t, piranha_lvs_t)
+')
+
+#######################################
+##
+## Execute a domain transition to run pulse.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`piranha_domtrans_pulse',`
+ gen_require(`
+ type piranha_pulse_t, piranha_pulse_exec_t;
+ ')
+
+ domtrans_pattern($1, piranha_pulse_exec_t, piranha_pulse_t)
+')
+
+#######################################
+##
+## Execute pulse server in the pulse domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`piranha_pulse_initrc_domtrans',`
+ gen_require(`
+ type piranha_pulse_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t)
+')
+
+########################################
+##
+## Allow the specified domain to read piranha's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`piranha_read_log',`
+ gen_require(`
+ type piranha_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, piranha_log_t, piranha_log_t)
+')
+
+########################################
+##
+## Allow the specified domain to append
+## piranha log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`piranha_append_log',`
+ gen_require(`
+ type piranha_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, piranha_log_t, piranha_log_t)
+')
+
+########################################
+##
+## Allow domain to manage piranha log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`piranha_manage_log',`
+ gen_require(`
+ type piranha_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, piranha_log_t, piranha_log_t)
+ manage_files_pattern($1, piranha_log_t, piranha_log_t)
+ manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t)
+')
diff --git a/piranha.te b/piranha.te
new file mode 100644
index 000000000..a989aea2e
--- /dev/null
+++ b/piranha.te
@@ -0,0 +1,292 @@
+policy_module(piranha, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
+## Allow piranha-lvs domain to connect to the network using TCP.
+##
+##
+gen_tunable(piranha_lvs_can_network_connect, false)
+
+attribute piranha_domain;
+attribute piranha_tmpfs;
+
+piranha_domain_template(fos)
+
+piranha_domain_template(lvs)
+
+piranha_domain_template(pulse)
+
+type piranha_pulse_initrc_exec_t;
+init_script_file(piranha_pulse_initrc_exec_t)
+
+piranha_domain_template(web)
+
+type piranha_web_conf_t;
+files_config_file(piranha_web_conf_t)
+
+type piranha_web_data_t;
+files_type(piranha_web_data_t)
+
+type piranha_web_tmp_t;
+files_tmp_file(piranha_web_tmp_t)
+
+type piranha_etc_rw_t;
+files_config_file(piranha_etc_rw_t)
+
+type piranha_log_t;
+logging_log_file(piranha_log_t)
+
+#######################################
+#
+# piranha-fos local policy
+#
+
+kernel_read_kernel_sysctls(piranha_fos_t)
+
+domain_read_all_domains_state(piranha_fos_t)
+
+optional_policy(`
+ consoletype_exec(piranha_fos_t)
+')
+
+# start and stop services
+init_domtrans_script(piranha_fos_t)
+
+########################################
+#
+# piranha-gui local policy
+#
+
+allow piranha_web_t self:capability { setuid sys_nice kill setgid };
+allow piranha_web_t self:process { getsched setsched signal signull };
+
+allow piranha_web_t self:rawip_socket create_socket_perms;
+allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
+allow piranha_web_t self:sem create_sem_perms;
+allow piranha_web_t self:shm create_shm_perms;
+
+manage_files_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
+manage_dirs_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
+files_var_lib_filetrans(piranha_web_t, piranha_web_data_t, file)
+
+read_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t)
+
+rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t)
+
+manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
+manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
+logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file })
+
+can_exec(piranha_web_t, piranha_web_tmp_t)
+manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
+manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
+files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir })
+
+piranha_pulse_initrc_domtrans(piranha_web_t)
+
+kernel_read_kernel_sysctls(piranha_web_t)
+
+corenet_tcp_bind_http_cache_port(piranha_web_t)
+corenet_tcp_bind_luci_port(piranha_web_t)
+corenet_tcp_bind_servistaitsm_port(piranha_web_t)
+corenet_tcp_connect_ricci_port(piranha_web_t)
+
+dev_read_rand(piranha_web_t)
+dev_read_urand(piranha_web_t)
+
+domain_read_all_domains_state(piranha_web_t)
+
+
+optional_policy(`
+ consoletype_exec(piranha_web_t)
+')
+
+optional_policy(`
+ apache_read_config(piranha_web_t)
+ apache_exec_modules(piranha_web_t)
+ apache_exec(piranha_web_t)
+')
+
+optional_policy(`
+ gnome_dontaudit_search_config(piranha_web_t)
+')
+
+optional_policy(`
+ sasl_connect(piranha_web_t)
+')
+
+optional_policy(`
+ snmp_dontaudit_read_snmp_var_lib_files(piranha_web_t)
+ snmp_dontaudit_write_snmp_var_lib_files(piranha_web_t)
+')
+
+######################################
+#
+# piranha-lvs local policy
+#
+
+# neede by nanny
+allow piranha_lvs_t self:capability { net_raw sys_nice };
+allow piranha_lvs_t self:process signal;
+allow piranha_lvs_t self:unix_dgram_socket create_socket_perms;
+allow piranha_lvs_t self:rawip_socket create_socket_perms;
+
+manage_files_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
+manage_dirs_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
+
+kernel_read_kernel_sysctls(piranha_lvs_t)
+
+# needed by nanny
+corenet_tcp_connect_ftp_port(piranha_lvs_t)
+corenet_tcp_connect_http_port(piranha_lvs_t)
+corenet_tcp_connect_smtp_port(piranha_lvs_t)
+
+sysnet_dns_name_resolve(piranha_lvs_t)
+
+# needed by nanny
+tunable_policy(`piranha_lvs_can_network_connect',`
+ corenet_tcp_connect_all_ports(piranha_lvs_t)
+')
+
+# needed by ipvsadm
+optional_policy(`
+ iptables_domtrans(piranha_lvs_t)
+')
+
+#######################################
+#
+# piranha-pulse local policy
+#
+
+allow piranha_pulse_t self:capability net_admin;
+
+allow piranha_pulse_t self:packet_socket create_socket_perms;
+
+# pulse starts fos and lvs daemon
+domtrans_pattern(piranha_pulse_t, piranha_fos_exec_t, piranha_fos_t)
+allow piranha_pulse_t piranha_fos_t:process signal;
+
+domtrans_pattern(piranha_pulse_t, piranha_lvs_exec_t, piranha_lvs_t)
+allow piranha_pulse_t piranha_lvs_t:process signal;
+
+kernel_read_kernel_sysctls(piranha_pulse_t)
+kernel_read_rpc_sysctls(piranha_pulse_t)
+kernel_rw_rpc_sysctls(piranha_pulse_t)
+kernel_search_debugfs(piranha_pulse_t)
+kernel_search_network_state(piranha_pulse_t)
+
+corecmd_exec_bin(piranha_pulse_t)
+corecmd_exec_shell(piranha_pulse_t)
+optional_policy(`
+ consoletype_exec(piranha_pulse_t)
+')
+
+corenet_udp_bind_apertus_ldp_port(piranha_pulse_t)
+corenet_udp_bind_cma_port(piranha_pulse_t)
+
+domain_read_all_domains_state(piranha_pulse_t)
+domain_getattr_all_domains(piranha_pulse_t)
+
+fs_getattr_all_fs(piranha_pulse_t)
+
+init_initrc_domain(piranha_pulse_t)
+
+logging_send_syslog_msg(piranha_pulse_t)
+
+# various services to failover
+
+optional_policy(`
+ apache_domtrans(piranha_pulse_t)
+ apache_signal(piranha_pulse_t)
+')
+
+optional_policy(`
+ ftp_domtrans(piranha_pulse_t)
+ ftp_initrc_domtrans(piranha_pulse_t)
+ ftp_systemctl(piranha_pulse_t)
+')
+
+optional_policy(`
+ hostname_exec(piranha_pulse_t)
+')
+
+optional_policy(`
+ iptables_domtrans(piranha_pulse_t)
+')
+
+optional_policy(`
+ ldap_systemctl(piranha_pulse_t)
+ ldap_initrc_domtrans(piranha_pulse_t)
+ ldap_domtrans(piranha_pulse_t)
+')
+
+optional_policy(`
+ mysql_domtrans_mysql_safe(piranha_pulse_t)
+ mysql_stream_connect(piranha_pulse_t)
+')
+
+optional_policy(`
+ netutils_domtrans(piranha_pulse_t)
+ netutils_domtrans_ping(piranha_pulse_t)
+')
+
+optional_policy(`
+ postgresql_domtrans(piranha_pulse_t)
+ postgresql_signal(piranha_pulse_t)
+')
+
+optional_policy(`
+ samba_initrc_domtrans(piranha_pulse_t)
+ samba_systemctl(piranha_pulse_t)
+ samba_domtrans_smbd(piranha_pulse_t)
+ samba_domtrans_nmbd(piranha_pulse_t)
+ samba_manage_var_files(piranha_pulse_t)
+ samba_rw_config(piranha_pulse_t)
+ samba_signal_smbd(piranha_pulse_t)
+ samba_signal_nmbd(piranha_pulse_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(piranha_pulse_t)
+')
+
+optional_policy(`
+ udev_read_db(piranha_pulse_t)
+')
+
+####################################
+#
+# piranha domains common policy
+#
+
+allow piranha_domain self:process signal_perms;
+allow piranha_domain self:fifo_file rw_fifo_file_perms;
+allow piranha_domain self:tcp_socket create_stream_socket_perms;
+allow piranha_domain self:udp_socket create_socket_perms;
+allow piranha_domain self:unix_stream_socket create_stream_socket_perms;
+
+read_files_pattern(piranha_domain, piranha_etc_rw_t, piranha_etc_rw_t)
+
+manage_files_pattern(piranha_pulse_t, piranha_tmpfs,piranha_tmpfs)
+manage_dirs_pattern(piranha_pulse_t, piranha_tmpfs ,piranha_tmpfs)
+
+kernel_read_network_state(piranha_domain)
+
+corenet_tcp_sendrecv_generic_if(piranha_domain)
+corenet_udp_sendrecv_generic_if(piranha_domain)
+corenet_tcp_sendrecv_generic_node(piranha_domain)
+corenet_udp_sendrecv_generic_node(piranha_domain)
+corenet_tcp_sendrecv_all_ports(piranha_domain)
+corenet_udp_sendrecv_all_ports(piranha_domain)
+corenet_tcp_bind_generic_node(piranha_domain)
+corenet_udp_bind_generic_node(piranha_domain)
+
+corecmd_exec_bin(piranha_domain)
+corecmd_exec_shell(piranha_domain)
+
+sysnet_read_config(piranha_domain)
diff --git a/pkcs.fc b/pkcs.fc
index 9a72226e3..b2968942f 100644
--- a/pkcs.fc
+++ b/pkcs.fc
@@ -4,4 +4,8 @@
/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0)
+/var/log/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_log_t,s0)
+
+/var/lock/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_lock_t,s0)
+
/var/run/pkcsslotd.* gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0)
diff --git a/pkcs.if b/pkcs.if
index 69be2aaf2..2d7b3f656 100644
--- a/pkcs.if
+++ b/pkcs.if
@@ -19,7 +19,7 @@
#
interface(`pkcs_admin_slotd',`
gen_require(`
- type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t;
+ type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t, pkcs_slotd_lock_t;
type pkcs_slotd_var_run_t, pkcs_slotd_tmp_t, pkcs_slotd_tmpfs_t;
')
@@ -34,6 +34,9 @@ interface(`pkcs_admin_slotd',`
files_search_var_lib($1)
admin_pattern($1, pkcs_slotd_var_lib_t)
+ files_search_locks($1)
+ admin_pattern($1, pkcs_slotd_lock_t)
+
files_search_pids($1)
admin_pattern($1, pkcs_slotd_var_run_t)
diff --git a/pkcs.te b/pkcs.te
index 8eb3f7bc1..1b79ed454 100644
--- a/pkcs.te
+++ b/pkcs.te
@@ -7,21 +7,34 @@ policy_module(pkcs, 1.0.1)
type pkcs_slotd_t;
type pkcs_slotd_exec_t;
+typealias pkcs_slotd_t alias pkcsslotd_t;
+typealias pkcs_slotd_exec_t alias pkcsslotd_exec_t;
init_daemon_domain(pkcs_slotd_t, pkcs_slotd_exec_t)
type pkcs_slotd_initrc_exec_t;
init_script_file(pkcs_slotd_initrc_exec_t)
type pkcs_slotd_var_lib_t;
+typealias pkcs_slotd_var_lib_t alias pkcsslotd_var_lib_t;
files_type(pkcs_slotd_var_lib_t)
+type pkcs_slotd_lock_t;
+typealias pkcs_slotd_lock_t alias pkcsslotd_lock_t;
+files_lock_file(pkcs_slotd_lock_t)
+
+type pkcs_slotd_log_t;
+logging_log_file(pkcs_slotd_log_t)
+
type pkcs_slotd_var_run_t;
+typealias pkcs_slotd_var_run_t alias pkcsslotd_var_run_t;
files_pid_file(pkcs_slotd_var_run_t)
type pkcs_slotd_tmp_t;
+typealias pkcs_slotd_tmp_t alias pkcsslotd_tmp_t;
files_tmp_file(pkcs_slotd_tmp_t)
type pkcs_slotd_tmpfs_t;
+typealias pkcs_slotd_tmpfs_t alias pkcsslotd_tmpfs_t;
files_tmpfs_file(pkcs_slotd_tmpfs_t)
########################################
@@ -40,6 +53,14 @@ manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir)
+manage_files_pattern(pkcs_slotd_t, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
+manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
+files_lock_filetrans(pkcs_slotd_t, pkcs_slotd_lock_t, dir)
+
+manage_files_pattern(pkcs_slotd_t, pkcs_slotd_log_t, pkcs_slotd_log_t)
+manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_log_t, pkcs_slotd_log_t)
+logging_log_filetrans(pkcs_slotd_t, pkcs_slotd_log_t, dir)
+
manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
manage_sock_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
@@ -51,10 +72,13 @@ files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir)
manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
-fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, dir)
+fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, { file dir })
+allow pkcs_slotd_t pkcs_slotd_tmpfs_t:file map;
+
+auth_use_nsswitch(pkcs_slotd_t)
-files_read_etc_files(pkcs_slotd_t)
+files_search_locks(pkcs_slotd_t)
logging_send_syslog_msg(pkcs_slotd_t)
-miscfiles_read_localization(pkcs_slotd_t)
+userdom_read_all_users_state(pkcs_slotd_t)
diff --git a/pki.fc b/pki.fc
new file mode 100644
index 000000000..47cd0f8ba
--- /dev/null
+++ b/pki.fc
@@ -0,0 +1,57 @@
+/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/etc/pki/pki-tomcat/ca(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/var/lib/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/log/pki(/.*)? gen_context(system_u:object_r:pki_log_t,s0)
+/usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0)
+/etc/pki/pki-tomcat/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+
+/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
+/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
+/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0)
+/var/run/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_var_run_t,s0)
+/etc/sysconfig/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
+/var/lib/pki-ra/pki-ra gen_context(system_u:object_r:pki_ra_exec_t,s0)
+
+/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
+/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0)
+/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0)
+/var/run/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_var_run_t,s0)
+/etc/sysconfig/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
+/var/lib/pki-tps/pki-tps gen_context(system_u:object_r:pki_tps_exec_t,s0)
+
+# default labeling for nCipher
+/opt/nfast/scripts/init.d/(.*) gen_context(system_u:object_r:initrc_exec_t, s0)
+/opt/nfast/sbin/init.d-ncipher gen_context(system_u:object_r:initrc_exec_t, s0)
+/opt/nfast(/.*)? gen_context(system_u:object_r:pki_common_t, s0)
+/dev/nfast(/.*)? gen_context(system_u:object_r:pki_common_dev_t, s0)
+
+# old paths (for migration)
+/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki-ca.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-ca/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/var/lib/ipa/pki-ca/publish(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki-kra.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-kra/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-ocsp/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-tks/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+
+/var/lock/subsys/pkidaemon -- gen_context(system_u:object_r:pki_tomcat_lock_t,s0)
+
+#/etc/systemd/system/pki-tomcatd\.target\.wants(/.*)? gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
+/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
diff --git a/pki.if b/pki.if
new file mode 100644
index 000000000..0a7951358
--- /dev/null
+++ b/pki.if
@@ -0,0 +1,523 @@
+
+## policy for pki
+
+########################################
+##
+## Allow read and write pki cert files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_rw_tomcat_cert',`
+ gen_require(`
+ type pki_tomcat_cert_t;
+ type pki_tomcat_etc_rw_t;
+ ')
+
+ allow $1 pki_tomcat_etc_rw_t:dir search_dir_perms;
+ rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+ create_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+')
+
+########################################
+##
+## Allow read and write pki cert files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_manage_tomcat_cert',`
+ gen_require(`
+ type pki_tomcat_cert_t;
+ type pki_tomcat_etc_rw_t;
+ ')
+
+ allow $1 pki_tomcat_etc_rw_t:dir manage_dir_perms;
+ manage_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+ manage_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+')
+
+########################################
+##
+## Allow read and write pki cert files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_manage_tomcat_etc_rw',`
+ gen_require(`
+ type pki_tomcat_etc_rw_t;
+ ')
+
+ manage_files_pattern($1, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+ manage_lnk_files_pattern($1, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+')
+
+########################################
+##
+## Allow domain to read pki cert files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_read_tomcat_cert',`
+ gen_require(`
+ type pki_tomcat_cert_t;
+ ')
+
+ read_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+ read_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+')
+
+########################################
+##
+## Create a set of derived types for apache
+## web content.
+##
+##
+##
+## The prefix to be used for deriving type names.
+##
+##
+#
+template(`pki_apache_template',`
+ gen_require(`
+ attribute pki_apache_domain;
+ attribute pki_apache_config, pki_apache_var_lib, pki_apache_var_run;
+ attribute pki_apache_executable, pki_apache_script, pki_apache_var_log;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_t, pki_apache_domain;
+ type $1_exec_t, pki_apache_executable;
+ domain_type($1_t)
+ init_daemon_domain($1_t, $1_exec_t)
+
+ type $1_script_exec_t, pki_apache_script;
+ init_script_file($1_script_exec_t)
+
+ type $1_etc_rw_t, pki_apache_config;
+ files_type($1_etc_rw_t)
+
+ type $1_var_run_t, pki_apache_var_run;
+ files_pid_file($1_var_run_t)
+
+ type $1_var_lib_t, pki_apache_var_lib;
+ files_type($1_var_lib_t)
+
+ type $1_log_t, pki_apache_var_log;
+ logging_log_file($1_log_t)
+
+ type $1_lock_t;
+ files_lock_file($1_lock_t)
+
+ type $1_tmp_t;
+ files_tmpfs_file($1_tmp_t)
+
+ ########################################
+ #
+ # $1 local policy
+ #
+
+ files_read_etc_files($1_t)
+ allow $1_t $1_etc_rw_t:lnk_file read;
+
+ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
+ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
+ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
+
+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t,$1_var_run_t, { file dir })
+
+ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
+
+ manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
+ manage_files_pattern($1_t, $1_log_t, $1_log_t)
+ logging_log_filetrans($1_t, $1_log_t, { file dir } )
+
+ manage_dirs_pattern($1_t, $1_lock_t, $1_lock_t)
+ manage_files_pattern($1_t, $1_lock_t, $1_lock_t)
+ manage_lnk_files_pattern($1_t, $1_lock_t, $1_lock_t)
+ files_lock_filetrans($1_t, $1_lock_t, { dir file lnk_file })
+
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+
+ #talk to lunasa hsm
+ logging_send_syslog_msg($1_t)
+
+ kernel_read_kernel_sysctls($1_t)
+ kernel_read_system_state($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+
+ # need to resolve addresses?
+ auth_use_nsswitch($1_t)
+')
+
+#######################################
+##
+## Send a null signal to pki apache domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_apache_domain_signal',`
+ gen_require(`
+ attribute pki_apache_domain;
+ ')
+
+ allow $1 pki_apache_domain:process signal;
+')
+
+#######################################
+##
+## Send a null signal to pki apache domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_apache_domain_signull',`
+ gen_require(`
+ attribute pki_apache_domain;
+ ')
+
+ allow $1 pki_apache_domain:process signull;
+')
+
+###################################
+##
+## Allow domain to read pki apache subsystem pid files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_manage_apache_run',`
+ gen_require(`
+ attribute pki_apache_var_run;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, pki_apache_var_run, pki_apache_var_run)
+')
+
+####################################
+##
+## Allow domain to manage pki apache subsystem lib files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_manage_apache_lib',`
+ gen_require(`
+ attribute pki_apache_var_lib;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
+ manage_lnk_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
+')
+
+##################################
+##
+## Dontaudit domain to write pki log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_search_log_dirs',`
+ gen_require(`
+ type pki_log_t;
+ ')
+
+ search_dirs_pattern($1, pki_log_t, pki_log_t)
+
+')
+
+##################################
+##
+## Dontaudit domain to write pki log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_dontaudit_write_log',`
+ gen_require(`
+ type pki_log_t;
+ ')
+
+ dontaudit $1 pki_log_t:file write;
+')
+
+###################################
+##
+## Allow domain to manage pki apache subsystem log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_manage_apache_log_files',`
+ gen_require(`
+ attribute pki_apache_var_log;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, pki_apache_var_log, pki_apache_var_log)
+')
+
+##################################
+##
+## Allow domain to manage pki apache subsystem config files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_manage_apache_config_files',`
+ gen_require(`
+ attribute pki_apache_config;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, pki_apache_config, pki_apache_config)
+')
+
+#################################
+##
+## Allow domain to read pki tomcat lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_read_tomcat_lib_files',`
+ gen_require(`
+ type pki_tomcat_var_lib_t;
+ ')
+
+ read_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+ read_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+')
+
+
+#################################
+##
+## Allow domain to manage pki tomcat lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_manage_tomcat_lib',`
+ gen_require(`
+ type pki_tomcat_var_lib_t;
+ ')
+
+ manage_dirs_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+ manage_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+ manage_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+')
+
+#################################
+##
+## Allow domain to manage pki tomcat lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_manage_tomcat_log',`
+ gen_require(`
+ type pki_tomcat_log_t;
+ ')
+
+ manage_dirs_pattern($1, pki_tomcat_log_t, pki_tomcat_log_t)
+ manage_files_pattern($1, pki_tomcat_log_t, pki_tomcat_log_t)
+')
+
+#################################
+##
+## Allow domain to read pki tomcat lib dirs
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_read_tomcat_lib_dirs',`
+ gen_require(`
+ type pki_tomcat_var_lib_t;
+ ')
+
+ list_dirs_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+')
+
+########################################
+##
+## Allow read pki_common_t files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_read_common_files',`
+ gen_require(`
+ type pki_common_t;
+ ')
+
+ read_files_pattern($1, pki_common_t, pki_common_t)
+')
+
+########################################
+##
+## Allow execute pki_common_t files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_exec_common_files',`
+ gen_require(`
+ type pki_common_t;
+ ')
+
+ exec_files_pattern($1, pki_common_t, pki_common_t)
+')
+
+########################################
+##
+## Allow read pki_common_t files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_manage_common_files',`
+ gen_require(`
+ type pki_common_t;
+ ')
+
+ manage_files_pattern($1, pki_common_t, pki_common_t)
+ manage_dirs_pattern($1, pki_common_t, pki_common_t)
+')
+
+########################################
+##
+## Connect to pki over an unix
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_stream_connect',`
+ gen_require(`
+ type pki_tomcat_t, pki_common_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t)
+')
+
+########################################
+##
+## Execute pki in the pkit_tomcat_t domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`pki_tomcat_systemctl',`
+ gen_require(`
+ type pki_tomcat_t;
+ type pki_tomcat_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 pki_tomcat_unit_file_t:file read_file_perms;
+ allow $1 pki_tomcat_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, pki_tomcat_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## pki tomcat pid files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_manage_tomcat_pid',`
+ gen_require(`
+ type pki_tomcat_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, pki_tomcat_var_run_t, pki_tomcat_var_run_t)
+')
diff --git a/pki.te b/pki.te
new file mode 100644
index 000000000..67e7036fb
--- /dev/null
+++ b/pki.te
@@ -0,0 +1,285 @@
+policy_module(pki,10.0.11)
+
+########################################
+#
+# Declarations
+#
+
+attribute pki_apache_domain;
+attribute pki_apache_config;
+attribute pki_apache_executable;
+attribute pki_apache_var_lib;
+attribute pki_apache_var_log;
+attribute pki_apache_var_run;
+attribute pki_apache_pidfiles;
+attribute pki_apache_script;
+
+type pki_log_t;
+logging_log_file(pki_log_t)
+
+type pki_common_t;
+files_type(pki_common_t)
+
+type pki_common_dev_t;
+files_type(pki_common_dev_t)
+
+type pki_tomcat_etc_rw_t;
+files_type(pki_tomcat_etc_rw_t)
+
+type pki_tomcat_cert_t;
+miscfiles_cert_type(pki_tomcat_cert_t)
+
+tomcat_domain_template(pki_tomcat)
+domain_obj_id_change_exemption(pki_tomcat_t)
+
+type pki_tomcat_unit_file_t;
+systemd_unit_file(pki_tomcat_unit_file_t)
+
+type pki_tomcat_lock_t;
+files_lock_file(pki_tomcat_lock_t)
+
+# old type aliases for migration
+typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };
+typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };
+typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
+typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
+typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
+
+
+# pki policy types
+type pki_tps_tomcat_exec_t;
+files_type(pki_tps_tomcat_exec_t)
+
+pki_apache_template(pki_tps)
+
+# ra policy types
+type pki_ra_tomcat_exec_t;
+files_type(pki_ra_tomcat_exec_t)
+
+pki_apache_template(pki_ra)
+
+# needed for dogtag 9 style instances
+type pki_tomcat_script_t;
+domain_type(pki_tomcat_script_t)
+role system_r types pki_tomcat_script_t;
+
+optional_policy(`
+ unconfined_domain(pki_tomcat_script_t)
+')
+
+########################################
+#
+# pki-tomcat local policy
+#
+
+allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_read_search dac_override sys_nice fsetid };
+dontaudit pki_tomcat_t self:capability net_admin;
+allow pki_tomcat_t self:process { signal setsched signull execmem setfscreate };
+
+allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
+allow pki_tomcat_t self:tcp_socket { accept listen };
+
+# allow writing to the kernel keyring
+allow pki_tomcat_t self:key { write read };
+
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+allow pki_tomcat_t pki_tomcat_etc_rw_t:file relabel_file_perms;
+
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
+manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
+files_lock_filetrans(pki_tomcat_t, pki_tomcat_lock_t, { dir file lnk_file })
+
+read_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t,pki_tomcat_unit_file_t)
+read_lnk_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t, pki_tomcat_unit_file_t)
+allow pki_tomcat_t pki_tomcat_unit_file_t:file setattr;
+allow pki_tomcat_t pki_tomcat_unit_file_t:lnk_file setattr;
+systemd_search_unit_dirs(pki_tomcat_t)
+
+# allow java subsystems to talk to the ncipher hsm
+allow pki_tomcat_t pki_common_dev_t:sock_file write;
+allow pki_tomcat_t pki_common_dev_t:dir search;
+allow pki_tomcat_t pki_common_t:dir create_dir_perms;
+manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)
+can_exec(pki_tomcat_t, pki_common_t)
+init_stream_connect_script(pki_tomcat_t)
+
+auth_use_nsswitch(pki_tomcat_t)
+
+search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)
+
+kernel_read_kernel_sysctls(pki_tomcat_t)
+kernel_read_net_sysctls(pki_tomcat_t)
+
+corenet_tcp_connect_http_cache_port(pki_tomcat_t)
+corenet_tcp_connect_ldap_port(pki_tomcat_t)
+corenet_tcp_connect_smtp_port(pki_tomcat_t)
+corenet_tcp_connect_pki_ca_port(pki_tomcat_t)
+
+selinux_get_enforce_mode(pki_tomcat_t)
+
+libs_exec_ldconfig(pki_tomcat_t)
+
+logging_send_audit_msgs(pki_tomcat_t)
+
+miscfiles_read_hwdata(pki_tomcat_t)
+
+# is this really needed?
+userdom_manage_user_tmp_dirs(pki_tomcat_t)
+userdom_manage_user_tmp_files(pki_tomcat_t)
+
+# for crl publishing
+allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };
+
+# for ECC
+auth_getattr_shadow(pki_tomcat_t)
+
+optional_policy(`
+ consoletype_exec(pki_tomcat_t)
+')
+
+optional_policy(`
+ dirsrv_manage_var_lib(pki_tomcat_t)
+')
+
+optional_policy(`
+ hostname_exec(pki_tomcat_t)
+')
+
+optional_policy(`
+ ipa_read_lib(pki_tomcat_t)
+')
+
+#######################################
+#
+# tps local policy
+#
+
+# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
+allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};
+
+corenet_tcp_bind_pki_tps_port(pki_tps_t)
+# customer may run an ldap server on 389
+corenet_tcp_connect_ldap_port(pki_tps_t)
+# connect to other subsystems
+corenet_tcp_connect_pki_ca_port(pki_tps_t)
+corenet_tcp_connect_pki_kra_port(pki_tps_t)
+corenet_tcp_connect_pki_tks_port(pki_tps_t)
+
+files_exec_usr_files(pki_tps_t)
+
+######################################
+#
+# ra local policy
+#
+
+# RA specific? talking to mysql?
+allow pki_ra_t self:udp_socket { write read create connect };
+allow pki_ra_t self:unix_dgram_socket { write create connect };
+
+corenet_tcp_bind_pki_ra_port(pki_ra_t)
+# talk to other subsystems
+corenet_tcp_connect_http_port(pki_ra_t)
+corenet_tcp_connect_pki_ca_port(pki_ra_t)
+corenet_tcp_connect_smtp_port(pki_ra_t)
+
+fs_getattr_xattr_fs(pki_ra_t)
+
+files_search_spool(pki_ra_t)
+files_exec_usr_files(pki_ra_t)
+
+optional_policy(`
+ mta_send_mail(pki_ra_t)
+ mta_manage_spool(pki_ra_t)
+ mta_manage_queue(pki_ra_t)
+ mta_read_config(pki_ra_t)
+')
+
+#####################################
+#
+# pki_apache_domain local policy
+#
+
+
+allow pki_apache_domain self:capability { setuid sys_nice setgid dac_read_search dac_override fowner fsetid kill chown};
+allow pki_apache_domain self:process { setsched signal getsched signull execstack execmem sigkill};
+
+allow pki_apache_domain self:sem all_sem_perms;
+allow pki_apache_domain self:tcp_socket create_stream_socket_perms;
+allow pki_apache_domain self:netlink_route_socket { write getattr read bind create nlmsg_read };
+
+# allow writing to the kernel keyring
+allow pki_apache_domain self:key { write read };
+
+## internal communication is often done using fifo and unix sockets.
+allow pki_apache_domain self:fifo_file rw_file_perms;
+allow pki_apache_domain self:unix_stream_socket create_stream_socket_perms;
+
+# talk to the hsm
+allow pki_apache_domain pki_common_dev_t:sock_file write;
+allow pki_apache_domain pki_common_dev_t:dir search;
+allow pki_apache_domain pki_common_t:dir create_dir_perms;
+manage_files_pattern(pki_apache_domain, pki_common_t, pki_common_t)
+can_exec(pki_apache_domain, pki_common_t)
+init_stream_connect_script(pki_apache_domain)
+
+corenet_sendrecv_unlabeled_packets(pki_apache_domain)
+corenet_tcp_bind_all_nodes(pki_apache_domain)
+corenet_tcp_sendrecv_all_if(pki_apache_domain)
+corenet_tcp_sendrecv_all_nodes(pki_apache_domain)
+corenet_tcp_sendrecv_all_ports(pki_apache_domain)
+#corenet_all_recvfrom_unlabeled(pki_apache_domain)
+corenet_tcp_connect_generic_port(pki_apache_domain)
+
+# Init script handling
+domain_use_interactive_fds(pki_apache_domain)
+
+seutil_exec_setfiles(pki_apache_domain)
+
+init_dontaudit_write_utmp(pki_apache_domain)
+
+libs_use_ld_so(pki_apache_domain)
+libs_use_shared_libs(pki_apache_domain)
+libs_exec_ld_so(pki_apache_domain)
+libs_exec_lib_files(pki_apache_domain)
+
+fs_search_cgroup_dirs(pki_apache_domain)
+
+corecmd_exec_bin(pki_apache_domain)
+corecmd_exec_shell(pki_apache_domain)
+
+dev_read_urand(pki_apache_domain)
+dev_read_rand(pki_apache_domain)
+
+# shutdown script uses ps
+domain_dontaudit_read_all_domains_state(pki_apache_domain)
+ps_process_pattern(pki_apache_domain, pki_apache_domain)
+
+sysnet_read_config(pki_apache_domain)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(pki_apache_domain)
+ term_dontaudit_use_generic_ptys(pki_apache_domain)
+')
+
+optional_policy(`
+ # apache permissions
+ apache_exec_modules(pki_apache_domain)
+ apache_list_modules(pki_apache_domain)
+ apache_read_config(pki_apache_domain)
+ apache_exec(pki_apache_domain)
+ apache_exec_suexec(pki_apache_domain)
+ apache_entrypoint(pki_apache_domain)
+')
+
+# allow rpm -q in init scripts
+optional_policy(`
+ rpm_exec(pki_apache_domain)
+')
+
diff --git a/plymouthd.fc b/plymouthd.fc
index 735500fd1..7f694728c 100644
--- a/plymouthd.fc
+++ b/plymouthd.fc
@@ -1,15 +1,14 @@
-/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
+/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
-/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
+/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
-/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
+/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
-/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
+/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
-/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
+/var/log/boot\.log.* gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
-/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
+/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
-/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
-
-/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
+/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
diff --git a/plymouthd.if b/plymouthd.if
index 30e751f18..61feb3a81 100644
--- a/plymouthd.if
+++ b/plymouthd.if
@@ -1,4 +1,4 @@
-## Plymouth graphical boot.
+## Plymouth graphical boot
########################################
##
@@ -10,18 +10,17 @@
##
##
#
-interface(`plymouthd_domtrans',`
+interface(`plymouthd_domtrans', `
gen_require(`
type plymouthd_t, plymouthd_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
')
########################################
##
-## Execute plymouthd in the caller domain.
+## Execute the plymoth daemon in the current domain
##
##
##
@@ -29,19 +28,18 @@ interface(`plymouthd_domtrans',`
##
##
#
-interface(`plymouthd_exec',`
+interface(`plymouthd_exec', `
gen_require(`
type plymouthd_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, plymouthd_exec_t)
')
########################################
##
-## Connect to plymouthd using a unix
-## domain stream socket.
+## Allow domain to Stream socket connect
+## to Plymouth daemon.
##
##
##
@@ -49,18 +47,17 @@ interface(`plymouthd_exec',`
##
##
#
-interface(`plymouthd_stream_connect',`
+interface(`plymouthd_stream_connect', `
gen_require(`
- type plymouthd_t, plymouthd_spool_t;
+ type plymouthd_t;
')
- files_search_spool($1)
- stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
+ allow $1 plymouthd_t:unix_stream_socket connectto;
')
########################################
##
-## Execute plymouth in the caller domain.
+## Execute the plymoth command in the current domain
##
##
##
@@ -68,18 +65,17 @@ interface(`plymouthd_stream_connect',`
##
##
#
-interface(`plymouthd_exec_plymouth',`
+interface(`plymouthd_exec_plymouth', `
gen_require(`
type plymouth_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, plymouth_exec_t)
')
########################################
##
-## Execute a domain transition to run plymouth.
+## Execute a domain transition to run plymouthd.
##
##
##
@@ -87,12 +83,11 @@ interface(`plymouthd_exec_plymouth',`
##
##
#
-interface(`plymouthd_domtrans_plymouth',`
+interface(`plymouthd_domtrans_plymouth', `
gen_require(`
type plymouth_t, plymouth_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, plymouth_exec_t, plymouth_t)
')
@@ -106,13 +101,13 @@ interface(`plymouthd_domtrans_plymouth',`
##
##
#
-interface(`plymouthd_search_spool',`
+interface(`plymouthd_search_spool', `
gen_require(`
type plymouthd_spool_t;
')
- files_search_spool($1)
allow $1 plymouthd_spool_t:dir search_dir_perms;
+ files_search_spool($1)
')
########################################
@@ -145,7 +140,7 @@ interface(`plymouthd_read_spool_files',`
##
##
#
-interface(`plymouthd_manage_spool_files',`
+interface(`plymouthd_manage_spool_files', `
gen_require(`
type plymouthd_spool_t;
')
@@ -164,13 +159,13 @@ interface(`plymouthd_manage_spool_files',`
##
##
#
-interface(`plymouthd_search_lib',`
+interface(`plymouthd_search_lib', `
gen_require(`
type plymouthd_var_lib_t;
')
- files_search_var_lib($1)
allow $1 plymouthd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
')
########################################
@@ -183,7 +178,7 @@ interface(`plymouthd_search_lib',`
##
##
#
-interface(`plymouthd_read_lib_files',`
+interface(`plymouthd_read_lib_files', `
gen_require(`
type plymouthd_var_lib_t;
')
@@ -203,7 +198,7 @@ interface(`plymouthd_read_lib_files',`
##
##
#
-interface(`plymouthd_manage_lib_files',`
+interface(`plymouthd_manage_lib_files', `
gen_require(`
type plymouthd_var_lib_t;
')
@@ -214,7 +209,7 @@ interface(`plymouthd_manage_lib_files',`
########################################
##
-## Read plymouthd pid files.
+## Read plymouthd PID files.
##
##
##
@@ -222,7 +217,7 @@ interface(`plymouthd_manage_lib_files',`
##
##
#
-interface(`plymouthd_read_pid_files',`
+interface(`plymouthd_read_pid_files', `
gen_require(`
type plymouthd_var_run_t;
')
@@ -233,36 +228,112 @@ interface(`plymouthd_read_pid_files',`
########################################
##
-## All of the rules required to
-## administrate an plymouthd environment.
+## Allow the specified domain to read
+## to plymouthd log files.
##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`plymouthd_read_log',`
+ gen_require(`
+ type plymouthd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+')
+
+#####################################
+##
+## Allow the specified domain to create plymouthd's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_create_log',`
+ gen_require(`
+ type plymouthd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ create_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+')
+
+########################################
+##
+## Allow the specified domain to manage
+## to plymouthd log files.
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
-##
#
-interface(`plymouthd_admin',`
+interface(`plymouthd_manage_log',`
+ gen_require(`
+ type plymouthd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+ manage_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+ read_lnk_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+')
+
+#######################################
+##
+## Allow domain to create boot.log
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_filetrans_named_content',`
+
+ gen_require(`
+ type plymouthd_var_log_t;
+ ')
+
+ logging_log_named_filetrans($1, plymouthd_var_log_t, file, "boot.log")
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an plymouthd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_admin', `
gen_require(`
type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
type plymouthd_var_run_t;
')
- allow $1 plymouthd_t:process { ptrace signal_perms };
- read_files_pattern($1, plymouthd_t, plymouthd_t)
+ allow $1 plymouthd_t:process signal_perms;
+ ps_process_pattern($1, plymouthd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 plymouthd_t:process ptrace;
+ ')
- files_search_spool($1)
+ files_list_var_lib($1)
admin_pattern($1, plymouthd_spool_t)
- files_search_var_lib($1)
admin_pattern($1, plymouthd_var_lib_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/plymouthd.te b/plymouthd.te
index 3078ce905..39e5a88ee 100644
--- a/plymouthd.te
+++ b/plymouthd.te
@@ -15,7 +15,7 @@ type plymouthd_exec_t;
init_daemon_domain(plymouthd_t, plymouthd_exec_t)
type plymouthd_spool_t;
-files_type(plymouthd_spool_t)
+files_spool_file(plymouthd_spool_t)
type plymouthd_var_lib_t;
files_type(plymouthd_var_lib_t)
@@ -28,13 +28,14 @@ files_pid_file(plymouthd_var_run_t)
########################################
#
-# Daemon local policy
+# Plymouthd private policy
#
allow plymouthd_t self:capability { sys_admin sys_tty_config };
-dontaudit plymouthd_t self:capability dac_override;
allow plymouthd_t self:capability2 block_suspend;
+dontaudit plymouthd_t self:capability{ dac_read_search dac_override };
allow plymouthd_t self:process { signal getsched };
+allow plymouthd_t self:netlink_kobject_uevent_socket create_socket_perms;
allow plymouthd_t self:fifo_file rw_fifo_file_perms;
allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
@@ -48,9 +49,7 @@ manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
-append_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
-create_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
-setattr_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
@@ -65,24 +64,33 @@ dev_rw_dri(plymouthd_t)
dev_read_sysfs(plymouthd_t)
dev_read_framebuffer(plymouthd_t)
dev_write_framebuffer(plymouthd_t)
+dev_map_framebuffer(plymouthd_t)
domain_use_interactive_fds(plymouthd_t)
fs_getattr_all_fs(plymouthd_t)
-files_read_etc_files(plymouthd_t)
-files_read_usr_files(plymouthd_t)
-
term_getattr_pty_fs(plymouthd_t)
term_use_all_terms(plymouthd_t)
term_use_ptmx(plymouthd_t)
+term_use_usb_ttys(plymouthd_t)
+
+init_signal(plymouthd_t)
+
+logging_link_generic_logs(plymouthd_t)
+logging_delete_generic_logs(plymouthd_t)
+
+auth_use_nsswitch(plymouthd_t)
-miscfiles_read_localization(plymouthd_t)
miscfiles_read_fonts(plymouthd_t)
miscfiles_manage_fonts_cache(plymouthd_t)
+userdom_read_admin_home_files(plymouthd_t)
+
+term_use_unallocated_ttys(plymouthd_t)
+
optional_policy(`
- gnome_read_generic_home_content(plymouthd_t)
+ gnome_read_config(plymouthd_t)
')
optional_policy(`
@@ -90,35 +98,37 @@ optional_policy(`
')
optional_policy(`
- xserver_manage_xdm_spool_files(plymouthd_t)
- xserver_read_xdm_state(plymouthd_t)
+ udev_read_pid_files(plymouthd_t)
+')
+
+optional_policy(`
+ xserver_xdm_manage_spool(plymouthd_t)
+ xserver_read_state_xdm(plymouthd_t)
')
########################################
#
-# Client local policy
+# Plymouth private policy
#
allow plymouth_t self:process signal;
-allow plymouth_t self:fifo_file rw_fifo_file_perms;
+allow plymouth_t self:fifo_file rw_file_perms;
allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
-stream_connect_pattern(plymouth_t, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
-
kernel_read_system_state(plymouth_t)
kernel_stream_connect(plymouth_t)
domain_use_interactive_fds(plymouth_t)
-files_read_etc_files(plymouth_t)
term_use_ptmx(plymouth_t)
-miscfiles_read_localization(plymouth_t)
sysnet_read_config(plymouth_t)
-ifdef(`hide_broken_symptoms',`
+plymouthd_stream_connect(plymouth_t)
+
+ifdef(`hide_broken_symptoms', `
optional_policy(`
hal_dontaudit_write_log(plymouth_t)
hal_dontaudit_rw_pipes(plymouth_t)
diff --git a/podsleuth.te b/podsleuth.te
index 9123f7152..232e28a75 100644
--- a/podsleuth.te
+++ b/podsleuth.te
@@ -28,8 +28,9 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
# Local policy
#
-allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
-allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
+allow podsleuth_t self:capability { kill dac_read_search dac_override sys_admin sys_rawio };
+allow podsleuth_t self:process { signal signull getsched execheap execmem execstack };
+
allow podsleuth_t self:fifo_file rw_fifo_file_perms;
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
allow podsleuth_t self:sem create_sem_perms;
@@ -65,7 +66,6 @@ corenet_tcp_sendrecv_http_port(podsleuth_t)
dev_read_urand(podsleuth_t)
-files_read_etc_files(podsleuth_t)
fs_mount_dos_fs(podsleuth_t)
fs_unmount_dos_fs(podsleuth_t)
@@ -76,13 +76,11 @@ fs_getattr_tmpfs(podsleuth_t)
fs_list_tmpfs(podsleuth_t)
fs_rw_removable_blk_files(podsleuth_t)
-miscfiles_read_localization(podsleuth_t)
-
sysnet_dns_name_resolve(podsleuth_t)
userdom_signal_unpriv_users(podsleuth_t)
userdom_signull_unpriv_users(podsleuth_t)
-userdom_read_user_tmpfs_files(podsleuth_t)
+userdom_read_user_tmp_files(podsleuth_t)
optional_policy(`
dbus_system_bus_client(podsleuth_t)
diff --git a/policykit.fc b/policykit.fc
index 1d76c7288..93d09d92f 100644
--- a/policykit.fc
+++ b/policykit.fc
@@ -1,23 +1,22 @@
-/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
-/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-
-/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
-/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
-/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
-/usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/bin/pkla-check-authorization -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
-/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
-/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
-/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/libexec/kde4/polkit-kde-authentication-agent-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
-/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
-/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
-/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
-/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
-/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
diff --git a/policykit.if b/policykit.if
index 032a84d1c..be00a65f1 100644
--- a/policykit.if
+++ b/policykit.if
@@ -17,6 +17,8 @@ interface(`policykit_dbus_chat',`
class dbus send_msg;
')
+ ps_process_pattern(policykit_t, $1)
+
allow $1 policykit_t:dbus send_msg;
allow policykit_t $1:dbus send_msg;
')
@@ -24,7 +26,7 @@ interface(`policykit_dbus_chat',`
########################################
##
## Send and receive messages from
-## policykit auth over dbus.
+## policykit over dbus.
##
##
##
@@ -38,6 +40,8 @@ interface(`policykit_dbus_chat_auth',`
class dbus send_msg;
')
+ ps_process_pattern(policykit_auth_t, $1)
+
allow $1 policykit_auth_t:dbus send_msg;
allow policykit_auth_t $1:dbus send_msg;
')
@@ -47,9 +51,9 @@ interface(`policykit_dbus_chat_auth',`
## Execute a domain transition to run polkit_auth.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`policykit_domtrans_auth',`
@@ -57,15 +61,13 @@ interface(`policykit_domtrans_auth',`
type policykit_auth_t, policykit_auth_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t)
')
########################################
##
-## Execute a policy_auth in the policy
-## auth domain, and allow the specified
-## role the policy auth domain.
+## Execute a policy_auth in the policy_auth domain, and
+## allow the specified role the policy_auth domain,
##
##
##
@@ -77,24 +79,28 @@ interface(`policykit_domtrans_auth',`
## Role allowed access.
##
##
+##
#
interface(`policykit_run_auth',`
gen_require(`
- attribute_role policykit_auth_roles;
+ type policykit_auth_t;
')
policykit_domtrans_auth($1)
- roleattribute $2 policykit_auth_roles;
+ role $2 types policykit_auth_t;
+
+ allow $1 policykit_auth_t:process signal;
+ ps_process_pattern(policykit_auth_t, $1)
')
########################################
##
-## Execute a domain transition to run polkit grant.
+## Execute a domain transition to run polkit_grant.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`policykit_domtrans_grant',`
@@ -102,15 +108,13 @@ interface(`policykit_domtrans_grant',`
type policykit_grant_t, policykit_grant_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t)
')
########################################
##
-## Execute a policy_grant in the policy
-## grant domain, and allow the specified
-## role the policy grant domain.
+## Execute a policy_grant in the policy_grant domain, and
+## allow the specified role the policy_grant domain,
##
##
##
@@ -126,16 +130,20 @@ interface(`policykit_domtrans_grant',`
#
interface(`policykit_run_grant',`
gen_require(`
- attribute_role policykit_grant_roles;
+ type policykit_grant_t;
')
policykit_domtrans_grant($1)
- roleattribute $2 policykit_grant_roles;
+ role $2 types policykit_grant_t;
+
+ allow $1 policykit_grant_t:process signal;
+
+ ps_process_pattern(policykit_grant_t, $1)
')
########################################
##
-## Read policykit reload files.
+## read policykit reload files
##
##
##
@@ -154,7 +162,7 @@ interface(`policykit_read_reload',`
########################################
##
-## Read and write policykit reload files.
+## rw policykit reload files
##
##
##
@@ -173,12 +181,12 @@ interface(`policykit_rw_reload',`
########################################
##
-## Execute a domain transition to run polkit resolve.
+## Execute a domain transition to run polkit_resolve.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`policykit_domtrans_resolve',`
@@ -186,8 +194,9 @@ interface(`policykit_domtrans_resolve',`
type policykit_resolve_t, policykit_resolve_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t)
+
+ ps_process_pattern(policykit_resolve_t, $1)
')
########################################
@@ -205,13 +214,13 @@ interface(`policykit_search_lib',`
type policykit_var_lib_t;
')
- files_search_var_lib($1)
allow $1 policykit_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
')
########################################
##
-## Read policykit lib files.
+## read policykit lib files
##
##
##
@@ -226,4 +235,50 @@ interface(`policykit_read_lib',`
files_search_var_lib($1)
read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
+
+ optional_policy(`
+ # Broken placement
+ cron_read_system_job_lib_files($1)
+ ')
+')
+
+#######################################
+##
+## The per role template for the policykit module.
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+template(`policykit_role',`
+ policykit_run_auth($2, $1)
+ policykit_run_grant($2, $1)
+ policykit_read_lib($2)
+ policykit_read_reload($2)
+ policykit_dbus_chat($2)
+')
+
+########################################
+##
+## Send generic signal to policy_auth
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`policykit_signal_auth',`
+ gen_require(`
+ type policykit_auth_t;
+ ')
+
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policykit.te b/policykit.te
index ee91778f7..5e92592f0 100644
--- a/policykit.te
+++ b/policykit.te
@@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0)
attribute policykit_domain;
-attribute_role policykit_auth_roles;
-attribute_role policykit_grant_roles;
-
type policykit_t, policykit_domain;
type policykit_exec_t;
init_daemon_domain(policykit_t, policykit_exec_t)
@@ -17,12 +14,10 @@ init_daemon_domain(policykit_t, policykit_exec_t)
type policykit_auth_t, policykit_domain;
type policykit_auth_exec_t;
init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)
-role policykit_auth_roles types policykit_auth_t;
type policykit_grant_t, policykit_domain;
type policykit_grant_exec_t;
init_system_domain(policykit_grant_t, policykit_grant_exec_t)
-role policykit_grant_roles types policykit_grant_t;
type policykit_resolve_t, policykit_domain;
type policykit_resolve_exec_t;
@@ -42,63 +37,74 @@ files_pid_file(policykit_var_run_t)
#######################################
#
-# Common policykit domain local policy
+# policykit_domain local policy
#
allow policykit_domain self:process { execmem getattr };
allow policykit_domain self:fifo_file rw_fifo_file_perms;
-kernel_search_proc(policykit_domain)
-
-corecmd_exec_bin(policykit_domain)
-
dev_read_sysfs(policykit_domain)
-files_read_usr_files(policykit_domain)
-
-logging_send_syslog_msg(policykit_domain)
-
-miscfiles_read_localization(policykit_domain)
-
########################################
#
-# Local policy
+# policykit local policy
#
allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
allow policykit_t self:process { getsched setsched signal };
-allow policykit_t self:unix_stream_socket { accept connectto listen };
+allow policykit_t self:unix_dgram_socket create_socket_perms;
+allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+policykit_domtrans_auth(policykit_t)
+allow policykit_t policykit_auth_exec_t:file map;
+
+allow policykit_t policykit_auth_t:process signal;
+
+can_exec(policykit_t, policykit_exec_t)
+corecmd_exec_bin(policykit_t)
+
+dev_read_sysfs(policykit_t)
rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
+policykit_domtrans_resolve(policykit_t)
+
manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
-can_exec(policykit_t, policykit_exec_t)
-
-domtrans_pattern(policykit_t, policykit_auth_exec_t, policykit_auth_t)
-domtrans_pattern(policykit_t, policykit_resolve_exec_t, policykit_resolve_t)
-
-kernel_read_kernel_sysctls(policykit_t)
kernel_read_system_state(policykit_t)
+kernel_read_kernel_sysctls(policykit_t)
domain_read_all_domains_state(policykit_t)
files_dontaudit_search_all_mountpoints(policykit_t)
+fs_getattr_all_fs(policykit_t)
fs_list_inotifyfs(policykit_t)
+fs_list_cgroup_dirs(policykit_t)
auth_use_nsswitch(policykit_t)
+init_list_pid_dirs(policykit_t)
+
+logging_send_syslog_msg(policykit_t)
+
+systemd_machined_read_pid_files(policykit_t)
+
userdom_getattr_all_users(policykit_t)
userdom_read_all_users_state(policykit_t)
+userdom_dontaudit_search_admin_dir(policykit_t)
optional_policy(`
dbus_system_domain(policykit_t, policykit_exec_t)
+ init_dbus_chat(policykit_t)
+
+ sysnet_dbus_chat_dhcpc(policykit_t)
+
optional_policy(`
consolekit_dbus_chat(policykit_t)
')
@@ -109,29 +115,43 @@ optional_policy(`
')
optional_policy(`
+ consolekit_list_pid_files(policykit_t)
consolekit_read_pid_files(policykit_t)
')
optional_policy(`
- gnome_read_generic_home_content(policykit_t)
+ kerberos_tmp_filetrans_host_rcache(policykit_t, "host_0")
+ kerberos_manage_host_rcache(policykit_t)
')
optional_policy(`
- kerberos_manage_host_rcache(policykit_t)
- kerberos_tmp_filetrans_host_rcache(policykit_t, file, "host_0")
+ gnome_read_config(policykit_t)
+')
+
+optional_policy(`
+ systemd_read_logind_sessions_files(policykit_t)
+ systemd_login_list_pid_dirs(policykit_t)
+ systemd_login_read_pid_files(policykit_t)
')
########################################
#
-# Auth local policy
+# polkit_auth local policy
#
-allow policykit_auth_t self:capability { ipc_lock setgid setuid sys_nice };
+allow policykit_auth_t self:capability { sys_nice ipc_lock setgid setuid };
dontaudit policykit_auth_t self:capability sys_tty_config;
-allow policykit_auth_t self:process { getsched setsched signal };
-allow policykit_auth_t self:unix_stream_socket { accept listen };
+allow policykit_auth_t self:process { setsched getsched signal };
-ps_process_pattern(policykit_auth_t, policykit_domain)
+allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
+allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_dbus_chat(policykit_auth_t)
+
+kernel_read_system_state(policykit_auth_t)
+
+can_exec(policykit_auth_t, policykit_auth_exec_t)
+corecmd_exec_bin(policykit_auth_t)
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
@@ -145,65 +165,80 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
-can_exec(policykit_auth_t, policykit_auth_exec_t)
-
-kernel_read_system_state(policykit_auth_t)
kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
dev_read_video_dev(policykit_auth_t)
files_read_etc_runtime_files(policykit_auth_t)
files_search_home(policykit_auth_t)
+files_dontaudit_access_check_home_dir(policykit_auth_t)
fs_getattr_all_fs(policykit_auth_t)
fs_search_tmpfs(policykit_auth_t)
+fs_dontaudit_append_ecryptfs_files(policykit_auth_t)
auth_rw_var_auth(policykit_auth_t)
auth_use_nsswitch(policykit_auth_t)
auth_domtrans_chk_passwd(policykit_auth_t)
+logging_send_syslog_msg(policykit_auth_t)
+
miscfiles_read_fonts(policykit_auth_t)
miscfiles_setattr_fonts_cache_dirs(policykit_auth_t)
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
+userdom_dontaudit_write_user_tmp_files(policykit_auth_t)
+userdom_dontaudit_access_check_user_content(policykit_auth_t)
+userdom_read_admin_home_files(policykit_auth_t)
optional_policy(`
- dbus_system_domain(policykit_auth_t, policykit_auth_exec_t)
- dbus_all_session_bus_client(policykit_auth_t)
+ dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)
+ dbus_session_bus_client(policykit_auth_t)
optional_policy(`
consolekit_dbus_chat(policykit_auth_t)
')
+')
- optional_policy(`
- policykit_dbus_chat(policykit_auth_t)
- ')
+optional_policy(`
+ gnome_read_config(policykit_auth_t)
+ gnome_access_check_usr_config(policykit_auth_t)
')
optional_policy(`
+ kernel_search_proc(policykit_auth_t)
hal_read_state(policykit_auth_t)
')
optional_policy(`
- kerberos_manage_host_rcache(policykit_auth_t)
- kerberos_tmp_filetrans_host_rcache(policykit_auth_t, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache(policykit_auth_t, "host_0")
+ kerberos_manage_host_rcache(policykit_auth_t)
')
optional_policy(`
xserver_stream_connect(policykit_auth_t)
+ xserver_xdm_append_log(policykit_auth_t)
xserver_read_xdm_pid(policykit_auth_t)
+ xserver_search_xdm_lib(policykit_auth_t)
+ xserver_create_xdm_tmp_sockets(policykit_auth_t)
')
########################################
#
-# Grant local policy
+# polkit_grant local policy
#
allow policykit_grant_t self:capability setuid;
+
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-ps_process_pattern(policykit_grant_t, policykit_domain)
+policykit_domtrans_auth(policykit_grant_t)
+
+policykit_domtrans_resolve(policykit_grant_t)
+
+can_exec(policykit_grant_t, policykit_grant_exec_t)
+corecmd_search_bin(policykit_grant_t)
rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
@@ -211,23 +246,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
-can_exec(policykit_grant_t, policykit_grant_exec_t)
-
-domtrans_pattern(policykit_grant_t, policykit_auth_exec_t, policykit_auth_t)
-domtrans_pattern(policykit_grant_t, policykit_resolve_exec_t, policykit_resolve_t)
auth_domtrans_chk_passwd(policykit_grant_t)
auth_use_nsswitch(policykit_grant_t)
+logging_send_syslog_msg(policykit_grant_t)
+
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
cron_manage_system_job_lib_files(policykit_grant_t)
')
-optional_policy(`
+ optional_policy(`
dbus_system_bus_client(policykit_grant_t)
-
optional_policy(`
consolekit_dbus_chat(policykit_grant_t)
')
@@ -235,26 +267,28 @@ optional_policy(`
########################################
#
-# Resolve local policy
+# polkit_resolve local policy
#
allow policykit_resolve_t self:capability { setuid sys_nice };
-allow policykit_resolve_t self:unix_stream_socket { accept listen };
-ps_process_pattern(policykit_resolve_t, policykit_domain)
+allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
+allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_domtrans_auth(policykit_resolve_t)
read_files_pattern(policykit_resolve_t, policykit_reload_t, policykit_reload_t)
read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t)
can_exec(policykit_resolve_t, policykit_resolve_exec_t)
+corecmd_search_bin(policykit_resolve_t)
-domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t)
-
-mcs_ptrace_all(policykit_resolve_t)
auth_use_nsswitch(policykit_resolve_t)
+logging_send_syslog_msg(policykit_resolve_t)
+
userdom_read_all_users_state(policykit_resolve_t)
optional_policy(`
@@ -266,6 +300,6 @@ optional_policy(`
')
optional_policy(`
+ kernel_search_proc(policykit_resolve_t)
hal_read_state(policykit_resolve_t)
')
-
diff --git a/polipo.fc b/polipo.fc
index d35614b78..11f77ee32 100644
--- a/polipo.fc
+++ b/polipo.fc
@@ -1,15 +1,16 @@
-HOME_DIR/\.forbidden -- gen_context(system_u:object_r:polipo_config_home_t,s0)
HOME_DIR/\.polipo -- gen_context(system_u:object_r:polipo_config_home_t,s0)
HOME_DIR/\.polipo-cache(/.*)? gen_context(system_u:object_r:polipo_cache_home_t,s0)
-/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_conf_t,s0)
+/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_etc_t,s0)
/etc/rc\.d/init\.d/polipo -- gen_context(system_u:object_r:polipo_initrc_exec_t,s0)
+/usr/lib/systemd/system/polipo.* -- gen_context(system_u:object_r:polipo_unit_file_t,s0)
+
/usr/bin/polipo -- gen_context(system_u:object_r:polipo_exec_t,s0)
/var/cache/polipo(/.*)? gen_context(system_u:object_r:polipo_cache_t,s0)
/var/log/polipo.* -- gen_context(system_u:object_r:polipo_log_t,s0)
-/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_var_run_t,s0)
+/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_pid_t,s0)
diff --git a/polipo.if b/polipo.if
index ae27bb7fe..10a778780 100644
--- a/polipo.if
+++ b/polipo.if
@@ -1,8 +1,8 @@
-## Lightweight forwarding and caching proxy server.
+## Caching web proxy.
########################################
##
-## Role access for Polipo session.
+## Role access for polipo session.
##
##
##
@@ -11,14 +11,13 @@
##
##
##
-## User domain for the role.
+## Domain allowed access.
##
##
#
template(`polipo_role',`
gen_require(`
- type polipo_session_t, polipo_exec_t, polipo_config_home_t;
- type polipo_cache_home_t;
+ type polipo_session_t, polipo_exec_t;
')
########################################
@@ -33,15 +32,11 @@ template(`polipo_role',`
# Policy
#
- allow $2 polipo_cache_home_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { polipo_cache_home_t polipo_config_home_t }:file { manage_file_perms relabel_file_perms };
-
- userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".forbidden")
- userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".polipo")
- userdom_user_home_dir_filetrans($2, polipo_cache_home_t, dir, ".polipo-cache")
-
- allow $2 polipo_session_t:process { ptrace signal_perms };
+ allow $2 polipo_session_t:process signal_perms;
ps_process_pattern($2, polipo_session_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 polipo_session_t:process ptrace;
+ ')
tunable_policy(`polipo_session_users',`
domtrans_pattern($2, polipo_exec_t, polipo_session_t)
@@ -52,57 +47,130 @@ template(`polipo_role',`
########################################
##
-## Execute Polipo in the Polipo
-## system domain.
+## Create configuration files in user
+## home directories with a named file
+## type transition.
##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
##
##
#
-interface(`polipo_initrc_domtrans',`
+interface(`polipo_named_filetrans_config_home_files',`
gen_require(`
- type polipo_initrc_exec_t;
+ type polipo_config_home_t;
')
- init_labeled_script_domtrans($1, polipo_initrc_exec_t)
+ userdom_user_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
+')
+
+########################################
+##
+## Create cache directories in user
+## home directories with a named file
+## type transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`polipo_named_filetrans_cache_home_dirs',`
+ gen_require(`
+ type polipo_cache_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
')
########################################
##
-## Create specified objects in generic
-## log directories with the polipo
-## log file type.
+## Create configuration files in admin
+## home directories with a named file
+## type transition.
##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`polipo_named_filetrans_admin_config_home_files',`
+ gen_require(`
+ type polipo_config_home_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
+')
+
+########################################
+##
+## Create cache directories in admin
+## home directories with a named file
+## type transition.
+##
+##
##
-## Class of the object being created.
+## Domain allowed access.
##
##
-##
+#
+interface(`polipo_named_filetrans_admin_cache_home_dirs',`
+ gen_require(`
+ type polipo_cache_home_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
+')
+
+########################################
+##
+## Create log files with a named file
+## type transition.
+##
+##
##
-## The name of the object being created.
+## Domain allowed access.
##
##
#
-interface(`polipo_log_filetrans_log',`
+interface(`polipo_named_filetrans_log_files',`
gen_require(`
type polipo_log_t;
')
- logging_log_filetrans($1, polipo_log_t, $2, $3)
+ logging_log_named_filetrans($1, polipo_log_t, file, "polipo")
+')
+
+########################################
+##
+## Execute polipo server in the polipo domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`polipo_systemctl',`
+ gen_require(`
+ type polipo_t;
+ type polipo_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 polipo_unit_file_t:file read_file_perms;
+ allow $1 polipo_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, polipo_t)
')
########################################
##
-## All of the rules required to
-## administrate an polipo environment.
+## Administrate an polipo environment.
##
##
##
@@ -118,27 +186,35 @@ interface(`polipo_log_filetrans_log',`
#
interface(`polipo_admin',`
gen_require(`
- type polipo_system_t, polipo_initrc_exec_t, polipo_cache_t;
- type polipo_conf_t, polipo_log_t, polipo_var_run_t;
+ type polipo_t, polipo_pid_t, polipo_cache_t;
+ type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t;
+ type polipo_unit_file_t;
')
- allow $1 polipo_system_t:process { ptrace signal_perms };
- ps_process_pattern($1, polipo_system_t)
+ allow $1 polipo_t:process signal_perms;
+ ps_process_pattern($1, polipo_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 polipo_t:process ptrace;
+ ')
- polipo_initrc_domtrans($1)
+ init_labeled_script_domtrans($1, polipo_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 polipo_initrc_exec_t system_r;
allow $2 system_r;
- files_search_var($1)
- admin_pattern($1, polipo_cache_t)
-
- files_search_etc($1)
- admin_pattern($1, polipo_conf_t)
+ files_list_etc($1)
+ admin_pattern($1, polipo_etc_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, polipo_log_t)
- files_search_pids($1)
- admin_pattern($1, polipo_var_run_t)
+ files_list_var($1)
+ admin_pattern($1, polipo_cache_t)
+
+ files_list_pids($1)
+ admin_pattern($1, polipo_pid_t)
+
+ polipo_systemctl($1)
+ admin_pattern($1, polipo_unit_file_t)
+ allow $1 polipo_unit_file_t:service all_service_perms;
')
diff --git a/polipo.te b/polipo.te
index 9764bfef8..8870de713 100644
--- a/polipo.te
+++ b/polipo.te
@@ -7,19 +7,27 @@ policy_module(polipo, 1.1.1)
##
##
-## Determine whether Polipo system
-## daemon can access CIFS file systems.
+## Determine whether polipo can
+## access cifs file systems.
##
##
-gen_tunable(polipo_system_use_cifs, false)
+gen_tunable(polipo_use_cifs, false)
##
##
-## Determine whether Polipo system
-## daemon can access NFS file systems.
+## Determine whether Polipo can
+## access nfs file systems.
##
##
-gen_tunable(polipo_system_use_nfs, false)
+gen_tunable(polipo_use_nfs, false)
+
+##
+##
+## Determine whether Polipo session daemon
+## can bind tcp sockets to all unreserved ports.
+##
+##
+gen_tunable(polipo_session_bind_all_unreserved_ports, false)
##
##
@@ -31,24 +39,23 @@ gen_tunable(polipo_system_use_nfs, false)
gen_tunable(polipo_session_users, false)
##
-##
-## Determine whether Polipo session daemon
-## can send syslog messages.
-##
+##
+## Allow polipo to connect to all ports > 1023
+##
##
-gen_tunable(polipo_session_send_syslog_msg, false)
+gen_tunable(polipo_connect_all_unreserved, false)
attribute polipo_daemon;
-type polipo_system_t, polipo_daemon;
+type polipo_t, polipo_daemon;
type polipo_exec_t;
-init_daemon_domain(polipo_system_t, polipo_exec_t)
+init_daemon_domain(polipo_t, polipo_exec_t)
type polipo_initrc_exec_t;
init_script_file(polipo_initrc_exec_t)
-type polipo_conf_t;
-files_config_file(polipo_conf_t)
+type polipo_etc_t;
+files_config_file(polipo_etc_t)
type polipo_cache_t;
files_type(polipo_cache_t)
@@ -56,116 +63,104 @@ files_type(polipo_cache_t)
type polipo_log_t;
logging_log_file(polipo_log_t)
-type polipo_var_run_t;
-files_pid_file(polipo_var_run_t)
+type polipo_pid_t;
+files_pid_file(polipo_pid_t)
type polipo_session_t, polipo_daemon;
-userdom_user_application_domain(polipo_session_t, polipo_exec_t)
+application_domain(polipo_session_t, polipo_exec_t)
+ubac_constrained(polipo_session_t)
+
+type polipo_config_home_t;
+userdom_user_home_content(polipo_config_home_t)
type polipo_cache_home_t;
userdom_user_home_content(polipo_cache_home_t)
-type polipo_config_home_t;
-userdom_user_home_content(polipo_config_home_t)
+type polipo_unit_file_t;
+systemd_unit_file(polipo_unit_file_t)
########################################
#
-# Session local policy
+# Global local policy
#
-allow polipo_session_t polipo_config_home_t:file read_file_perms;
-
-manage_dirs_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
-manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
-userdom_user_home_dir_filetrans(polipo_session_t, polipo_cache_home_t, dir, ".polipo-cache")
-
-auth_use_nsswitch(polipo_session_t)
-
-userdom_use_user_terminals(polipo_session_t)
+allow polipo_daemon self:fifo_file rw_fifo_file_perms;
+allow polipo_daemon self:tcp_socket { listen accept };
-tunable_policy(`polipo_session_send_syslog_msg',`
- logging_send_syslog_msg(polipo_session_t)
-')
+corenet_tcp_bind_generic_node(polipo_daemon)
+corenet_tcp_sendrecv_generic_if(polipo_daemon)
+corenet_tcp_sendrecv_generic_node(polipo_daemon)
+corenet_tcp_sendrecv_http_cache_port(polipo_daemon)
+corenet_tcp_bind_http_cache_port(polipo_daemon)
+corenet_sendrecv_http_cache_server_packets(polipo_daemon)
+corenet_tcp_connect_http_port(polipo_daemon)
+corenet_tcp_connect_http_cache_port(polipo_daemon)
+corenet_tcp_connect_tor_port(polipo_daemon)
+corenet_tcp_connect_flash_port(polipo_daemon)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(polipo_session_t)
-',`
- fs_dontaudit_read_nfs_files(polipo_session_t)
-')
+fs_search_auto_mountpoints(polipo_daemon)
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(polipo_session_t)
-',`
- fs_dontaudit_read_cifs_files(polipo_session_t)
-')
########################################
#
-# System local policy
+# Polipo local policy
#
-read_files_pattern(polipo_system_t, polipo_conf_t, polipo_conf_t)
+read_files_pattern(polipo_t, polipo_etc_t, polipo_etc_t)
-manage_files_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t)
-manage_dirs_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t)
-files_var_filetrans(polipo_system_t, polipo_cache_t, dir)
+manage_files_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
+manage_dirs_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
+files_var_filetrans(polipo_t, polipo_cache_t, dir)
-append_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
-create_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
-setattr_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
-logging_log_filetrans(polipo_system_t, polipo_log_t, file)
+manage_files_pattern(polipo_t, polipo_log_t, polipo_log_t)
+logging_log_filetrans(polipo_t, polipo_log_t, file)
-manage_files_pattern(polipo_system_t, polipo_var_run_t, polipo_var_run_t)
-files_pid_filetrans(polipo_system_t, polipo_var_run_t, file)
+manage_files_pattern(polipo_t, polipo_pid_t, polipo_pid_t)
+files_pid_filetrans(polipo_t, polipo_pid_t, file)
-auth_use_nsswitch(polipo_system_t)
+auth_use_nsswitch(polipo_t)
-logging_send_syslog_msg(polipo_system_t)
+logging_send_syslog_msg(polipo_t)
optional_policy(`
- cron_system_entry(polipo_system_t, polipo_exec_t)
+ cron_system_entry(polipo_t, polipo_exec_t)
+')
+
+tunable_policy(`polipo_connect_all_unreserved',`
+ corenet_tcp_connect_all_unreserved_ports(polipo_t)
')
-tunable_policy(`polipo_system_use_cifs',`
- fs_manage_cifs_files(polipo_system_t)
-',`
- fs_dontaudit_read_cifs_files(polipo_system_t)
+tunable_policy(`polipo_use_cifs',`
+ fs_manage_cifs_files(polipo_t)
')
-tunable_policy(`polipo_system_use_nfs',`
- fs_manage_nfs_files(polipo_system_t)
-',`
- fs_dontaudit_read_nfs_files(polipo_system_t)
+tunable_policy(`polipo_use_nfs',`
+ fs_manage_nfs_files(polipo_t)
')
########################################
#
-# Polipo global local policy
+# Polipo session local policy
#
-allow polipo_daemon self:fifo_file rw_fifo_file_perms;
-allow polipo_daemon self:tcp_socket { listen accept };
-
-corenet_all_recvfrom_unlabeled(polipo_daemon)
-corenet_all_recvfrom_netlabel(polipo_daemon)
-corenet_tcp_sendrecv_generic_if(polipo_daemon)
-corenet_tcp_sendrecv_generic_node(polipo_daemon)
-corenet_tcp_bind_generic_node(polipo_daemon)
+read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t)
+manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
-corenet_sendrecv_http_client_packets(polipo_daemon)
-corenet_tcp_sendrecv_http_port(polipo_daemon)
-corenet_tcp_connect_http_port(polipo_daemon)
+auth_use_nsswitch(polipo_session_t)
-corenet_sendrecv_http_cache_server_packets(polipo_daemon)
-corenet_tcp_sendrecv_http_cache_port(polipo_daemon)
-corenet_tcp_bind_http_cache_port(polipo_daemon)
+userdom_use_user_terminals(polipo_session_t)
corenet_sendrecv_tor_client_packets(polipo_daemon)
corenet_tcp_sendrecv_tor_port(polipo_daemon)
corenet_tcp_connect_tor_port(polipo_daemon)
+corenet_tcp_connect_all_ephemeral_ports(polipo_daemon)
-files_read_usr_files(polipo_daemon)
+logging_send_syslog_msg(polipo_session_t)
-fs_search_auto_mountpoints(polipo_daemon)
+userdom_home_manager(polipo_session_t)
+
+tunable_policy(`polipo_session_bind_all_unreserved_ports',`
+ corenet_tcp_sendrecv_all_ports(polipo_session_t)
+ corenet_tcp_bind_all_unreserved_ports(polipo_session_t)
+')
-miscfiles_read_localization(polipo_daemon)
diff --git a/portage.if b/portage.if
index 67e8c12c4..058c99481 100644
--- a/portage.if
+++ b/portage.if
@@ -67,9 +67,10 @@ interface(`portage_compile_domain',`
class dbus send_msg;
type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
type portage_tmpfs_t;
+ type portage_sandbox_t;
')
- allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
+ allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_read_search dac_override net_raw };
dontaudit $1 self:capability sys_chroot;
allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate };
allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
diff --git a/portage.te b/portage.te
index b410c67c1..f1ec41d39 100644
--- a/portage.te
+++ b/portage.te
@@ -108,7 +108,6 @@ domain_use_interactive_fds(gcc_config_t)
files_manage_etc_files(gcc_config_t)
files_rw_etc_runtime_files(gcc_config_t)
-files_read_usr_files(gcc_config_t)
files_search_var_lib(gcc_config_t)
files_search_pids(gcc_config_t)
# complains loudly about not being able to list
@@ -239,7 +238,7 @@ dontaudit portage_t device_type:blk_file read_blk_file_perms;
#
allow portage_fetch_t self:process signal;
-allow portage_fetch_t self:capability { dac_override fowner fsetid chown };
+allow portage_fetch_t self:capability { dac_read_search dac_override fowner fsetid chown };
allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
allow portage_fetch_t self:tcp_socket { accept listen };
allow portage_fetch_t self:unix_stream_socket create_socket_perms;
@@ -291,7 +290,6 @@ dev_dontaudit_read_rand(portage_fetch_t)
domain_use_interactive_fds(portage_fetch_t)
files_read_etc_runtime_files(portage_fetch_t)
-files_read_usr_files(portage_fetch_t)
files_dontaudit_search_pids(portage_fetch_t)
fs_search_auto_mountpoints(portage_fetch_t)
diff --git a/portmap.fc b/portmap.fc
index cd45831ca..69406ee17 100644
--- a/portmap.fc
+++ b/portmap.fc
@@ -4,9 +4,14 @@
/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
+ifdef(`distro_debian',`
+/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+', `
/usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
/usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
/usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
+')
/var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0)
/var/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0)
diff --git a/portmap.te b/portmap.te
index 18b255e7a..e75c4ec24 100644
--- a/portmap.te
+++ b/portmap.te
@@ -45,7 +45,6 @@ files_pid_filetrans(portmap_t, portmap_var_run_t, file)
kernel_read_system_state(portmap_t)
kernel_read_kernel_sysctls(portmap_t)
-corenet_all_recvfrom_unlabeled(portmap_t)
corenet_all_recvfrom_netlabel(portmap_t)
corenet_tcp_sendrecv_generic_if(portmap_t)
corenet_udp_sendrecv_generic_if(portmap_t)
@@ -80,9 +79,11 @@ fs_search_auto_mountpoints(portmap_t)
domain_use_interactive_fds(portmap_t)
+auth_use_nsswitch(portmap_t)
+
logging_send_syslog_msg(portmap_t)
-miscfiles_read_localization(portmap_t)
+sysnet_read_config(portmap_t)
userdom_dontaudit_use_unpriv_user_fds(portmap_t)
userdom_dontaudit_search_user_home_dirs(portmap_t)
@@ -106,7 +107,6 @@ allow portmap_helper_t self:tcp_socket { accept listen };
allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file)
-corenet_all_recvfrom_unlabeled(portmap_helper_t)
corenet_all_recvfrom_netlabel(portmap_helper_t)
corenet_tcp_sendrecv_generic_if(portmap_helper_t)
corenet_udp_sendrecv_generic_if(portmap_helper_t)
@@ -138,5 +138,7 @@ init_rw_utmp(portmap_helper_t)
logging_send_syslog_msg(portmap_helper_t)
-userdom_use_user_terminals(portmap_helper_t)
+sysnet_read_config(portmap_helper_t)
+
+userdom_use_inherited_user_terminals(portmap_helper_t)
userdom_dontaudit_use_all_users_fds(portmap_helper_t)
diff --git a/portreserve.fc b/portreserve.fc
index 1b2b4f908..575b7d69b 100644
--- a/portreserve.fc
+++ b/portreserve.fc
@@ -1,6 +1,6 @@
/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
-/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
diff --git a/portreserve.if b/portreserve.if
index 5ad529154..7f1ae2a78 100644
--- a/portreserve.if
+++ b/portreserve.if
@@ -105,8 +105,11 @@ interface(`portreserve_admin',`
type portreserve_initrc_exec_t;
')
- allow $1 portreserve_t:process { ptrace signal_perms };
+ allow $1 portreserve_t:process signal_perms;
ps_process_pattern($1, portreserve_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 portreserve_t:process ptrace;
+ ')
portreserve_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/portreserve.te b/portreserve.te
index 00b01e2ea..10b45127a 100644
--- a/portreserve.te
+++ b/portreserve.te
@@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }
corecmd_getattr_bin_files(portreserve_t)
-corenet_all_recvfrom_unlabeled(portreserve_t)
corenet_all_recvfrom_netlabel(portreserve_t)
corenet_tcp_sendrecv_generic_if(portreserve_t)
corenet_udp_sendrecv_generic_if(portreserve_t)
@@ -56,6 +55,7 @@ corenet_sendrecv_all_server_packets(portreserve_t)
corenet_tcp_bind_all_ports(portreserve_t)
corenet_udp_bind_all_ports(portreserve_t)
-files_read_etc_files(portreserve_t)
-
userdom_dontaudit_search_user_home_content(portreserve_t)
+
+auth_use_nsswitch(portreserve_t)
+
diff --git a/portslave.te b/portslave.te
index cbe36c1d0..8ebeb87d2 100644
--- a/portslave.te
+++ b/portslave.te
@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(portslave_t)
corecmd_exec_bin(portslave_t)
corecmd_exec_shell(portslave_t)
-corenet_all_recvfrom_unlabeled(portslave_t)
corenet_all_recvfrom_netlabel(portslave_t)
corenet_tcp_sendrecv_generic_if(portslave_t)
corenet_udp_sendrecv_generic_if(portslave_t)
@@ -72,7 +71,7 @@ fs_getattr_xattr_fs(portslave_t)
term_use_unallocated_ttys(portslave_t)
term_setattr_unallocated_ttys(portslave_t)
-term_use_all_ttys(portslave_t)
+term_use_all_inherited_ttys(portslave_t)
term_search_ptys(portslave_t)
auth_domtrans_chk_passwd(portslave_t)
diff --git a/postfix.fc b/postfix.fc
index c0e878537..3070aa066 100644
--- a/postfix.fc
+++ b/postfix.fc
@@ -1,38 +1,38 @@
-/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
-/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
-
-/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
-
+# postfix
+/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
+/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
+ifdef(`distro_redhat', `
+/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+', `
/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
-
-/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
-
+')
+/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
@@ -44,14 +44,14 @@
/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
+/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
-/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
-/var/spool/postfix/deferred(/.*)? -d gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
-/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
-/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
-/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
-/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
-/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
-/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
-/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
+/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
+/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
+/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
+/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
diff --git a/postfix.if b/postfix.if
index ded95ec3a..137ae2d3d 100644
--- a/postfix.if
+++ b/postfix.if
@@ -1,4 +1,4 @@
-## Postfix email server.
+## Postfix email server
########################################
##
@@ -16,13 +16,14 @@ interface(`postfix_stub',`
')
')
-#######################################
+########################################
##
-## The template to define a postfix domain.
+## Creates types and rules for a basic
+## postfix process domain.
##
-##
+##
##
-## Domain prefix to be used.
+## Prefix for the domain.
##
##
#
@@ -31,73 +32,69 @@ template(`postfix_domain_template',`
attribute postfix_domain;
')
- ########################################
- #
- # Declarations
- #
-
type postfix_$1_t, postfix_domain;
type postfix_$1_exec_t;
domain_type(postfix_$1_t)
domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
role system_r types postfix_$1_t;
- ########################################
- #
- # Policy
- #
-
- can_exec(postfix_$1_t, postfix_$1_exec_t)
+ kernel_read_system_state(postfix_$1_t)
auth_use_nsswitch(postfix_$1_t)
+
+ logging_send_syslog_msg(postfix_$1_t)
+
+ can_exec(postfix_$1_t, postfix_$1_exec_t)
')
-#######################################
+########################################
##
-## The template to define a postfix server domain.
+## Creates a postfix server process domain.
##
-##
+##
##
-## Domain prefix to be used.
+## Prefix of the domain.
##
##
#
template(`postfix_server_domain_template',`
- gen_require(`
- attribute postfix_server_domain, postfix_server_tmp_content;
- ')
-
- ########################################
- #
- # Declarations
- #
-
postfix_domain_template($1)
- typeattribute postfix_$1_t postfix_server_domain;
-
- type postfix_$1_tmp_t, postfix_server_tmp_content;
+ type postfix_$1_tmp_t;
files_tmp_file(postfix_$1_tmp_t)
- ########################################
- #
- # Declarations
- #
+ allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_read_search dac_override };
+ allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
+ allow postfix_$1_t self:tcp_socket create_socket_perms;
+ allow postfix_$1_t self:udp_socket create_socket_perms;
manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir })
domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
+
+ corenet_all_recvfrom_netlabel(postfix_$1_t)
+ corenet_tcp_sendrecv_generic_if(postfix_$1_t)
+ corenet_udp_sendrecv_generic_if(postfix_$1_t)
+ corenet_tcp_sendrecv_generic_node(postfix_$1_t)
+ corenet_udp_sendrecv_generic_node(postfix_$1_t)
+ corenet_tcp_sendrecv_all_ports(postfix_$1_t)
+ corenet_udp_sendrecv_all_ports(postfix_$1_t)
+ corenet_tcp_bind_generic_node(postfix_$1_t)
+ corenet_udp_bind_generic_node(postfix_$1_t)
+ corenet_tcp_connect_all_ports(postfix_$1_t)
+ corenet_sendrecv_all_client_packets(postfix_$1_t)
')
-#######################################
+########################################
##
-## The template to define a postfix user domain.
+## Creates a process domain for programs
+## that are ran by users.
##
-##
+##
##
-## Domain prefix to be used.
+## Prefix of the domain.
##
##
#
@@ -106,30 +103,22 @@ template(`postfix_user_domain_template',`
attribute postfix_user_domains, postfix_user_domtrans;
')
- ########################################
- #
- # Declarations
- #
-
postfix_domain_template($1)
typeattribute postfix_$1_t postfix_user_domains;
- ########################################
- #
- # Policy
- #
-
- allow postfix_$1_t self:capability dac_override;
+ allow postfix_$1_t self:capability { dac_read_search dac_override };
domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
domain_use_interactive_fds(postfix_$1_t)
+
+ application_domain(postfix_$1_t, postfix_$1_exec_t)
')
########################################
##
-## Read postfix configuration content.
+## Read postfix configuration files.
##
##
##
@@ -143,16 +132,15 @@ interface(`postfix_read_config',`
type postfix_etc_t;
')
+ read_files_pattern($1, postfix_etc_t, postfix_etc_t)
+ read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
files_search_etc($1)
- allow $1 postfix_etc_t:dir list_dir_perms;
- allow $1 postfix_etc_t:file read_file_perms;
- allow $1 postfix_etc_t:lnk_file read_lnk_file_perms;
')
########################################
##
-## Create specified object in postfix
-## etc directories with a type transition.
+## Create files with the specified type in
+## the postfix configuration directories.
##
##
##
@@ -180,6 +168,7 @@ interface(`postfix_config_filetrans',`
type postfix_etc_t;
')
+ files_search_etc($1)
filetrans_pattern($1, postfix_etc_t, $2, $3, $4)
')
@@ -205,7 +194,8 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',`
########################################
##
-## Read and write postfix local pipes.
+## Allow read/write postfix local pipes
+## TCP sockets.
##
##
##
@@ -221,30 +211,28 @@ interface(`postfix_rw_local_pipes',`
allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
')
-########################################
+#######################################
##
-## Read postfix local process state files.
+## Allow read/write postfix public pipes
+## TCP sockets.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
-interface(`postfix_read_local_state',`
- gen_require(`
- type postfix_local_t;
- ')
+interface(`postfix_rw_public_pipes',`
+ gen_require(`
+ type postfix_public_t;
+ ')
- kernel_search_proc($1)
- allow $1 postfix_local_t:dir list_dir_perms;
- allow $1 postfix_local_t:file read_file_perms;
- allow $1 postfix_local_t:lnk_file read_lnk_file_perms;
+ allow $1 postfix_public_t:fifo_file rw_fifo_file_perms;
')
########################################
##
-## Read and write inherited postfix master pipes.
+## Allow domain to read postfix local process state
##
##
##
@@ -252,18 +240,18 @@ interface(`postfix_read_local_state',`
##
##
#
-interface(`postfix_rw_inherited_master_pipes',`
+interface(`postfix_read_local_state',`
gen_require(`
- type postfix_master_t;
+ type postfix_local_t;
')
- allow $1 postfix_master_t:fd use;
- allow $1 postfix_master_t:fifo_file { getattr write append lock ioctl read };
+ kernel_search_proc($1)
+ ps_process_pattern($1, postfix_local_t)
')
########################################
##
-## Read postfix master process state files.
+## Allow domain to read postfix master process state
##
##
##
@@ -277,14 +265,13 @@ interface(`postfix_read_master_state',`
')
kernel_search_proc($1)
- allow $1 postfix_master_t:dir list_dir_perms;
- allow $1 postfix_master_t:file read_file_perms;
- allow $1 postfix_master_t:lnk_file read_lnk_file_perms;
+ ps_process_pattern($1, postfix_master_t)
')
########################################
##
-## Use postfix master file descriptors.
+## Use postfix master process file
+## file descriptors.
##
##
##
@@ -335,15 +322,13 @@ interface(`postfix_domtrans_map',`
type postfix_map_t, postfix_map_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, postfix_map_exec_t, postfix_map_t)
')
########################################
##
-## Execute postfix map in the postfix
-## map domain, and allow the specified
-## role the postfix_map domain.
+## Execute postfix_map in the postfix_map domain, and
+## allow the specified role the postfix_map domain.
##
##
##
@@ -359,17 +344,17 @@ interface(`postfix_domtrans_map',`
#
interface(`postfix_run_map',`
gen_require(`
- attribute_role postfix_map_roles;
+ type postfix_map_t;
')
postfix_domtrans_map($1)
- roleattribute $2 postfix_map_roles;
+ role $2 types postfix_map_t;
')
########################################
##
-## Execute the master postfix program
-## in the postfix_master domain.
+## Execute the master postfix program in the
+## postfix_master domain.
##
##
##
@@ -380,16 +365,36 @@ interface(`postfix_run_map',`
interface(`postfix_domtrans_master',`
gen_require(`
type postfix_master_t, postfix_master_exec_t;
+ attribute postfix_domain;
')
- corecmd_search_bin($1)
domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
+ allow $1 postfix_master_exec_t:file map;
')
+
########################################
##
-## Execute the master postfix program
-## in the caller domain.
+## Execute the master postfix in the postfix master domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_initrc_domtrans',`
+ gen_require(`
+ type postfix_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, postfix_initrc_exec_t)
+')
+
+########################################
+##
+## Execute the master postfix program in the
+## caller domain.
##
##
##
@@ -402,21 +407,18 @@ interface(`postfix_exec_master',`
type postfix_master_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, postfix_master_exec_t)
')
#######################################
##
-## Connect to postfix master process
-## using a unix domain stream socket.
+## Connect to postfix master process using a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
-##
#
interface(`postfix_stream_connect_master',`
gen_require(`
@@ -428,8 +430,7 @@ interface(`postfix_stream_connect_master',`
########################################
##
-## Read and write postfix master
-## unnamed pipes. (Deprecated)
+## Allow read/write postfix master pipes
##
##
##
@@ -437,15 +438,18 @@ interface(`postfix_stream_connect_master',`
##
##
#
-interface(`postfix_rw_master_pipes',`
- refpolicywarn(`$0($*) has been deprecated, use postfix_rw_inherited_master_pipes() instead.')
- postfix_rw_inherited_master_pipes($1)
+interface(`postfix_rw_inherited_master_pipes',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+
+ allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
##
## Execute the master postdrop in the
-## postfix postdrop domain.
+## postfix_postdrop domain.
##
##
##
@@ -458,14 +462,14 @@ interface(`postfix_domtrans_postdrop',`
type postfix_postdrop_t, postfix_postdrop_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
+ allow $1 postfix_postdrop_exec_t:file map;
')
########################################
##
## Execute the master postqueue in the
-## postfix postqueue domain.
+## postfix_postqueue domain.
##
##
##
@@ -478,30 +482,85 @@ interface(`postfix_domtrans_postqueue',`
type postfix_postqueue_t, postfix_postqueue_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
')
-#######################################
+########################################
##
-## Execute the master postqueue in
-## the caller domain. (Deprecated)
+## Execute the master postqueue in the
+## postfix_postdrop domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
+##
+##
+##
+##
+## The role to be allowed the iptables domain.
+##
+##
+##
+#
+
+interface(`postfix_run_postqueue',`
+ gen_require(`
+ type postfix_postqueue_t;
+ ')
+
+ postfix_domtrans_postqueue($1)
+ role $2 types postfix_postqueue_t;
+ allow postfix_postqueue_t $1:unix_stream_socket { read write getattr };
+')
+
+########################################
+##
+## Execute postfix_postgqueue in the postfix_postgqueue domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`postfix_domtrans_postgqueue',`
+ gen_require(`
+ type postfix_postgqueue_t;
+ type postfix_postgqueue_exec_t;
+ ')
+ domtrans_pattern($1, postfix_postgqueue_exec_t,postfix_postgqueue_t)
+')
+
+########################################
+##
+## Execute postfix_postgqueue in the postfix_postgqueue domain, and
+## allow the specified role the postfix_postgqueue domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
##
##
+##
#
-interface(`posftix_exec_postqueue',`
- refpolicywarn(`$0($*) has been deprecated.')
- postfix_exec_postqueue($1)
+interface(`postfix_run_postgqueue',`
+ gen_require(`
+ type postfix_postgqueue_t;
+ ')
+
+ postfix_domtrans_postgqueue($1)
+ role $2 types postfix_postgqueue_t;
')
+
#######################################
##
-## Execute postfix postqueue in
-## the caller domain.
+## Execute the master postqueue in the caller domain.
##
##
##
@@ -514,13 +573,12 @@ interface(`postfix_exec_postqueue',`
type postfix_postqueue_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, postfix_postqueue_exec_t)
')
########################################
##
-## Create postfix private sock files.
+## Create a named socket in a postfix private directory.
##
##
##
@@ -533,13 +591,13 @@ interface(`postfix_create_private_sockets',`
type postfix_private_t;
')
+ allow $1 postfix_private_t:dir list_dir_perms;
create_sock_files_pattern($1, postfix_private_t, postfix_private_t)
')
########################################
##
-## Create, read, write, and delete
-## postfix private sock files.
+## manage named socket in a postfix private directory.
##
##
##
@@ -552,13 +610,14 @@ interface(`postfix_manage_private_sockets',`
type postfix_private_t;
')
+ allow $1 postfix_private_t:dir list_dir_perms;
manage_sock_files_pattern($1, postfix_private_t, postfix_private_t)
')
########################################
##
-## Execute the smtp postfix program
-## in the postfix smtp domain.
+## Execute the master postfix program in the
+## postfix_master domain.
##
##
##
@@ -571,14 +630,12 @@ interface(`postfix_domtrans_smtp',`
type postfix_smtp_t, postfix_smtp_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t)
')
########################################
##
-## Get attributes of all postfix mail
-## spool files.
+## Getattr postfix mail spool files.
##
##
##
@@ -586,7 +643,7 @@ interface(`postfix_domtrans_smtp',`
##
##
#
-interface(`postfix_getattr_all_spool_files',`
+interface(`postfix_getattr_spool_files',`
gen_require(`
attribute postfix_spool_type;
')
@@ -607,11 +664,11 @@ interface(`postfix_getattr_all_spool_files',`
#
interface(`postfix_search_spool',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
')
+ allow $1 postfix_spool_type:dir search_dir_perms;
files_search_spool($1)
- allow $1 postfix_spool_t:dir search_dir_perms;
')
########################################
@@ -626,11 +683,11 @@ interface(`postfix_search_spool',`
#
interface(`postfix_list_spool',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
')
+ allow $1 postfix_spool_type:dir list_dir_perms;
files_search_spool($1)
- allow $1 postfix_spool_t:dir list_dir_perms;
')
########################################
@@ -645,17 +702,16 @@ interface(`postfix_list_spool',`
#
interface(`postfix_read_spool_files',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
')
files_search_spool($1)
- read_files_pattern($1, postfix_spool_t, postfix_spool_t)
+ read_files_pattern($1, postfix_spool_type, postfix_spool_type)
')
########################################
##
-## Create, read, write, and delete
-## postfix mail spool files.
+## Create, read, write, and delete postfix mail spool files.
##
##
##
@@ -665,11 +721,50 @@ interface(`postfix_read_spool_files',`
#
interface(`postfix_manage_spool_files',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
')
files_search_spool($1)
- manage_files_pattern($1, postfix_spool_t, postfix_spool_t)
+ manage_files_pattern($1, postfix_spool_type, postfix_spool_type)
+')
+
+#######################################
+##
+## Read, write, and delete postfix maildrop spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_rw_spool_maildrop_files',`
+ gen_require(`
+ type postfix_spool_maildrop_t;
+ ')
+
+ files_search_spool($1)
+ rw_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+')
+
+#######################################
+##
+## Create, read, write, and delete postfix maildrop spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_manage_spool_maildrop_files',`
+ gen_require(`
+ type postfix_spool_maildrop_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+ manage_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
')
########################################
@@ -693,8 +788,8 @@ interface(`postfix_domtrans_user_mail_handler',`
########################################
##
-## All of the rules required to
-## administrate an postfix environment.
+## All of the rules required to administrate
+## an postfix environment.
##
##
##
@@ -710,38 +805,137 @@ interface(`postfix_domtrans_user_mail_handler',`
#
interface(`postfix_admin',`
gen_require(`
- attribute postfix_domain, postfix_spool_type, postfix_server_tmp_content;
- type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t;
- type postfix_data_t, postfix_var_run_t, postfix_public_t;
- type postfix_private_t, postfix_map_tmp_t, postfix_exec_t;
- type postfix_keytab_t;
+ attribute postfix_spool_type;
+ type postfix_bounce_t, postfix_cleanup_t, postfix_local_t;
+ type postfix_master_t, postfix_pickup_t, postfix_qmgr_t;
+ type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t;
+ type postfix_map_tmp_t, postfix_prng_t, postfix_public_t;
+ type postfix_smtpd_t, postfix_var_run_t;
+ ')
+
+ allow $1 postfix_bounce_t:process signal_perms;
+ ps_process_pattern($1, postfix_bounce_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 postfix_bounce_t:process ptrace;
')
- allow $1 postfix_domain:process { ptrace signal_perms };
- ps_process_pattern($1, postfix_domain)
+ allow $1 postfix_cleanup_t:process signal_perms;
+ ps_process_pattern($1, postfix_cleanup_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 postfix_cleanup_t:process ptrace;
+ allow $1 postfix_local_t:process ptrace;
+ allow $1 postfix_master_t:process ptrace;
+ allow $1 postfix_pickup_t:process ptrace;
+ allow $1 postfix_qmgr_t:process ptrace;
+ allow $1 postfix_smtpd_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, postfix_initrc_exec_t)
+ allow $1 postfix_local_t:process signal_perms;
+ ps_process_pattern($1, postfix_local_t)
+
+ allow $1 postfix_master_t:process signal_perms;
+ ps_process_pattern($1, postfix_master_t)
+
+ allow $1 postfix_pickup_t:process signal_perms;
+ ps_process_pattern($1, postfix_pickup_t)
+
+ allow $1 postfix_qmgr_t:process signal_perms;
+ ps_process_pattern($1, postfix_qmgr_t)
+
+ allow $1 postfix_smtpd_t:process signal_perms;
+ ps_process_pattern($1, postfix_smtpd_t)
+
+ postfix_run_map($1, $2)
+ postfix_run_postdrop($1, $2)
+ postfix_run_postqueue($1, $2)
+
+ postfix_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 postfix_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
- admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })
+ admin_pattern($1, postfix_data_t)
- files_search_spool($1)
- admin_pattern($1, { postfix_public_t postfix_private_t postfix_spool_type })
+ files_list_etc($1)
+ admin_pattern($1, postfix_etc_t)
- files_search_var_lib($1)
- admin_pattern($1, postfix_data_t)
+ files_list_spool($1)
+ admin_pattern($1, postfix_spool_type)
- files_search_pids($1)
admin_pattern($1, postfix_var_run_t)
- files_search_tmp($1)
- admin_pattern($1, { postfix_server_tmp_content postfix_map_tmp_t })
+ files_list_tmp($1)
+ admin_pattern($1, postfix_map_tmp_t)
+
+ admin_pattern($1, postfix_prng_t)
- postfix_exec_master($1)
- postfix_exec_postqueue($1)
- postfix_stream_connect_master($1)
- postfix_run_map($1, $2)
+ admin_pattern($1, postfix_public_t)
+
+ postfix_filetrans_named_content($1)
+')
+
+########################################
+##
+## Execute the master postdrop in the
+## postfix_postdrop domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## The role to be allowed the iptables domain.
+##
+##
+##
+#
+interface(`postfix_run_postdrop',`
+ gen_require(`
+ type postfix_postdrop_t;
+ ')
+
+ postfix_domtrans_postdrop($1)
+ role $2 types postfix_postdrop_t;
+ allow postfix_postdrop_t $1:unix_stream_socket { read write getattr };
+')
+
+
+########################################
+##
+## Execute postfix exec in the users domain
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_exec',`
+ gen_require(`
+ type postfix_exec_t;
+ ')
+
+ can_exec($1, postfix_exec_t)
+')
+
+########################################
+##
+## Transition to postfix named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_filetrans_named_content',`
+ gen_require(`
+ type postfix_exec_t;
+ type postfix_prng_t;
+ ')
+
+ postfix_config_filetrans($1, postfix_exec_t, file, "postfix-script")
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
index 5cfb83eca..921fcfe70 100644
--- a/postfix.te
+++ b/postfix.te
@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
#
##
-##
-## Determine whether postfix local
-## can manage mail spool content.
-##
+##
+## Allow postfix_local domain full write access to mail_spool directories
+##
##
gen_tunable(postfix_local_write_mail_spool, true)
attribute postfix_domain;
-attribute postfix_server_domain;
-attribute postfix_server_tmp_content;
attribute postfix_spool_type;
attribute postfix_user_domains;
+# domains that transition to the
+# postfix user domains
attribute postfix_user_domtrans;
-attribute_role postfix_map_roles;
-roleattribute system_r postfix_map_roles;
-
postfix_server_domain_template(bounce)
type postfix_spool_bounce_t, postfix_spool_type;
-files_type(postfix_spool_bounce_t)
+files_spool_file(postfix_spool_bounce_t)
postfix_server_domain_template(cleanup)
@@ -42,16 +38,19 @@ files_type(postfix_keytab_t)
postfix_server_domain_template(local)
mta_mailserver_delivery(postfix_local_t)
+# Program for creating database files
type postfix_map_t;
type postfix_map_exec_t;
application_domain(postfix_map_t, postfix_map_exec_t)
-role postfix_map_roles types postfix_map_t;
+role system_r types postfix_map_t;
type postfix_map_tmp_t;
files_tmp_file(postfix_map_tmp_t)
postfix_domain_template(master)
typealias postfix_master_t alias postfix_t;
+# alias is a hack to make the disable trans bool
+# generation macro work
mta_mailserver(postfix_t, postfix_master_exec_t)
type postfix_initrc_exec_t;
@@ -63,6 +62,7 @@ postfix_server_domain_template(pipe)
postfix_user_domain_template(postdrop)
mta_mailserver_user_agent(postfix_postdrop_t)
+mta_agent_executable(postfix_postdrop_t)
postfix_user_domain_template(postqueue)
mta_mailserver_user_agent(postfix_postqueue_t)
@@ -83,13 +83,13 @@ mta_mailserver_sender(postfix_smtp_t)
postfix_server_domain_template(smtpd)
type postfix_spool_t, postfix_spool_type;
-files_type(postfix_spool_t)
+files_spool_file(postfix_spool_t)
-type postfix_spool_maildrop_t, postfix_spool_type;
-files_type(postfix_spool_maildrop_t)
+typealias postfix_spool_t alias postfix_spool_maildrop_t;
+files_spool_file(postfix_spool_maildrop_t)
-type postfix_spool_flush_t, postfix_spool_type;
-files_type(postfix_spool_flush_t)
+typealias postfix_spool_t alias postfix_spool_flush_t;
+files_spool_file(postfix_spool_flush_t)
type postfix_public_t;
files_type(postfix_public_t)
@@ -97,6 +97,7 @@ files_type(postfix_public_t)
type postfix_var_run_t;
files_pid_file(postfix_var_run_t)
+# the data_directory config parameter
type postfix_data_t;
files_type(postfix_data_t)
@@ -105,109 +106,23 @@ mta_mailserver_delivery(postfix_virtual_t)
########################################
#
-# Common postfix domain local policy
-#
-
-allow postfix_domain self:capability { sys_nice sys_chroot };
-dontaudit postfix_domain self:capability sys_tty_config;
-allow postfix_domain self:process { signal_perms setpgid setsched };
-allow postfix_domain self:fifo_file rw_fifo_file_perms;
-allow postfix_domain self:unix_stream_socket { accept connectto listen };
-
-allow postfix_domain postfix_etc_t:dir list_dir_perms;
-allow postfix_domain postfix_etc_t:file read_file_perms;
-allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms;
-
-allow postfix_domain postfix_master_t:file read_file_perms;
-
-allow postfix_domain postfix_exec_t:file { mmap_file_perms lock };
-
-allow postfix_domain postfix_master_t:process sigchld;
-
-allow postfix_domain postfix_spool_t:dir list_dir_perms;
-
-manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)
-files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
-
-kernel_read_system_state(postfix_domain)
-kernel_read_network_state(postfix_domain)
-kernel_read_all_sysctls(postfix_domain)
-
-dev_read_sysfs(postfix_domain)
-dev_read_rand(postfix_domain)
-dev_read_urand(postfix_domain)
-
-fs_search_auto_mountpoints(postfix_domain)
-fs_getattr_all_fs(postfix_domain)
-fs_rw_anon_inodefs_files(postfix_domain)
-
-term_dontaudit_use_console(postfix_domain)
-
-corecmd_exec_shell(postfix_domain)
-
-files_read_etc_runtime_files(postfix_domain)
-files_read_usr_files(postfix_domain)
-files_search_spool(postfix_domain)
-files_getattr_tmp_dirs(postfix_domain)
-files_search_all_mountpoints(postfix_domain)
-
-init_dontaudit_use_fds(postfix_domain)
-init_sigchld(postfix_domain)
-
-logging_send_syslog_msg(postfix_domain)
-
-miscfiles_read_localization(postfix_domain)
-miscfiles_read_generic_certs(postfix_domain)
-
-userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
-
-optional_policy(`
- udev_read_db(postfix_domain)
-')
-
-########################################
-#
-# Common postfix server domain local policy
+# Postfix master process local policy
#
-allow postfix_server_domain self:capability { setuid setgid dac_override };
-
-allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
-
-corenet_all_recvfrom_unlabeled(postfix_server_domain)
-corenet_all_recvfrom_netlabel(postfix_server_domain)
-corenet_tcp_sendrecv_generic_if(postfix_server_domain)
-corenet_tcp_sendrecv_generic_node(postfix_server_domain)
-
-corenet_sendrecv_all_client_packets(postfix_server_domain)
-corenet_tcp_connect_all_ports(postfix_server_domain)
-corenet_tcp_sendrecv_all_ports(postfix_server_domain)
-
-########################################
-#
-# Common postfix user domain local policy
-#
-
-allow postfix_user_domains self:capability dac_override;
-
-domain_use_interactive_fds(postfix_user_domains)
-
-########################################
-#
-# Master local policy
-#
-
-allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
+dontaudit postfix_master_t self:capability { net_admin };
+# chown is to set the correct ownership of queue dirs
+allow postfix_master_t self:capability { chown dac_read_search dac_override kill setgid setuid net_bind_service sys_tty_config };
allow postfix_master_t self:capability2 block_suspend;
+
allow postfix_master_t self:process setrlimit;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;
-allow postfix_master_t postfix_domain:fifo_file rw_fifo_file_perms;
-allow postfix_master_t postfix_domain:process signal;
-
allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
allow postfix_master_t postfix_etc_t:file rw_file_perms;
+mta_filetrans_aliases(postfix_master_t, postfix_etc_t)
+
+can_exec(postfix_master_t, postfix_exec_t)
allow postfix_master_t postfix_data_t:dir manage_dir_perms;
allow postfix_master_t postfix_data_t:file manage_file_perms;
@@ -216,34 +131,36 @@ allow postfix_master_t postfix_keytab_t:file read_file_perms;
allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
-allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
+allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
+
+manage_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+
+domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
allow postfix_master_t postfix_prng_t:file rw_file_perms;
+manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+
+domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
+
+allow postfix_master_t postfix_cleanup_exec_t:file map;
+allow postfix_master_t postfix_showq_exec_t:file map;
+allow postfix_master_t postfix_smtp_exec_t:file map;
+
+# allow access to deferred queue and allow removing bogus incoming entries
manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms;
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_bounce_t, dir, "bounce")
manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")
-
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t)
-manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-setattr_dirs_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_private_t, dir, "private")
-
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_public_t)
-manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public")
create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
@@ -253,16 +170,8 @@ filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, d
filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred")
filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
-setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
-
-can_exec(postfix_master_t, postfix_exec_t)
-
-domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
-domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
+kernel_read_all_sysctls(postfix_master_t)
-corenet_all_recvfrom_unlabeled(postfix_master_t)
corenet_all_recvfrom_netlabel(postfix_master_t)
corenet_tcp_sendrecv_generic_if(postfix_master_t)
corenet_udp_sendrecv_generic_if(postfix_master_t)
@@ -270,50 +179,47 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
+corenet_udp_bind_generic_node(postfix_master_t)
+corenet_udp_bind_all_unreserved_ports(postfix_master_t)
+corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
corenet_tcp_bind_generic_node(postfix_master_t)
-
-corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
-
-corenet_sendrecv_smtp_server_packets(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
-
-corenet_sendrecv_spamd_server_packets(postfix_master_t)
-corenet_tcp_bind_spamd_port(postfix_master_t)
-
-corenet_sendrecv_all_client_packets(postfix_master_t)
corenet_tcp_connect_all_ports(postfix_master_t)
+corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
+corenet_sendrecv_smtp_server_packets(postfix_master_t)
+corenet_sendrecv_all_client_packets(postfix_master_t)
+# for spampd
+corenet_tcp_bind_spamd_port(postfix_master_t)
-# Can this be conditional?
-corenet_sendrecv_all_server_packets(postfix_master_t)
-corenet_udp_bind_all_unreserved_ports(postfix_master_t)
-corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
-
+# for a find command
selinux_dontaudit_search_fs(postfix_master_t)
+corecmd_exec_shell(postfix_master_t)
corecmd_exec_bin(postfix_master_t)
domain_use_interactive_fds(postfix_master_t)
+files_search_var_lib(postfix_master_t)
files_search_tmp(postfix_master_t)
-mcs_file_read_all(postfix_master_t)
-term_dontaudit_search_ptys(postfix_master_t)
+init_stream_connect(postfix_master_t)
-miscfiles_read_man_pages(postfix_master_t)
+term_dontaudit_search_ptys(postfix_master_t)
seutil_sigchld_newrole(postfix_master_t)
-seutil_dontaudit_search_config(postfix_master_t)
-mta_manage_aliases(postfix_master_t)
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliases")
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliases.db")
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliasesdb-stamp")
-mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file)
+mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
mta_getattr_spool(postfix_master_t)
+ifdef(`distro_redhat',`
+ # for newer main.cf that uses /etc/aliases
+ mta_manage_aliases(postfix_master_t)
+ mta_etc_filetrans_aliases(postfix_master_t)
+')
+
optional_policy(`
cyrus_stream_connect(postfix_master_t)
')
@@ -323,14 +229,6 @@ optional_policy(`
kerberos_use(postfix_master_t)
')
-optional_policy(`
- mailman_manage_data_files(postfix_master_t)
-')
-
-optional_policy(`
- mysql_stream_connect(postfix_master_t)
-')
-
optional_policy(`
postgrey_search_spool(postfix_master_t)
')
@@ -341,12 +239,14 @@ optional_policy(`
########################################
#
-# Bounce local policy
+# Postfix bounce local policy
#
allow postfix_bounce_t self:capability dac_read_search;
+allow postfix_bounce_t self:tcp_socket create_socket_perms;
-write_sock_files_pattern(postfix_bounce_t, postfix_public_t, postfix_public_t)
+allow postfix_bounce_t postfix_public_t:sock_file write;
+allow postfix_bounce_t postfix_public_t:dir search_dir_perms;
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
@@ -363,74 +263,89 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
########################################
#
-# Cleanup local policy
+# Postfix cleanup local policy
#
allow postfix_cleanup_t self:process setrlimit;
-
allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
-allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
-
-allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
-allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
-allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+# connect to master process
stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
+allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
+allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
+allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
+allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+
allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
corecmd_exec_bin(postfix_cleanup_t)
-corenet_sendrecv_kismet_client_packets(postfix_cleanup_t)
-corenet_tcp_connect_kismet_port(postfix_cleanup_t)
-corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t)
-
-mta_read_aliases(postfix_cleanup_t)
+# allow postfix to connect to sqlgrey
+corenet_tcp_connect_rtsclient_port(postfix_cleanup_t)
optional_policy(`
mailman_read_data_files(postfix_cleanup_t)
')
+optional_policy(`
+ milter_stream_connect_all(postfix_cleanup_t)
+')
+
########################################
#
-# Local local policy
+# Postfix local local policy
#
-allow postfix_local_t self:capability chown;
-allow postfix_local_t self:process setrlimit;
+allow postfix_local_t self:process { setsched setrlimit };
+# connect to master process
stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
+# for .forward - maybe we need a new type for it?
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
-
-allow postfix_local_t postfix_spool_t:file rw_file_perms;
+rw_files_pattern(postfix_local_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+allow postfix_local_t postfix_spool_t:file rw_file_perms;
+
+corecmd_exec_shell(postfix_local_t)
corecmd_exec_bin(postfix_local_t)
logging_dontaudit_search_logs(postfix_local_t)
mta_delete_spool(postfix_local_t)
-mta_read_aliases(postfix_local_t)
-mta_read_config(postfix_local_t)
+# Handle vacation script
mta_send_mail(postfix_local_t)
+userdom_read_user_home_content_files(postfix_local_t)
+userdom_exec_user_bin_files(postfix_local_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_exec_nfs_files(postfix_local_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_exec_cifs_files(postfix_local_t)
+')
+
tunable_policy(`postfix_local_write_mail_spool',`
mta_manage_spool(postfix_local_t)
')
optional_policy(`
- clamav_search_lib(postfix_local_t)
- clamav_exec_clamscan(postfix_local_t)
+ antivirus_search_db(postfix_local_t)
+ antivirus_exec(postfix_local_t)
+ antivirus_stream_connect(postfix_domain)
')
optional_policy(`
@@ -442,15 +357,24 @@ optional_policy(`
')
optional_policy(`
+# for postalias
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
mailman_read_log(postfix_local_t)
')
+optional_policy(`
+ munin_search_lib(postfix_local_t)
+')
+
optional_policy(`
nagios_search_spool(postfix_local_t)
')
+optional_policy(`
+ openshift_search_lib(postfix_local_t)
+')
+
optional_policy(`
procmail_domtrans(postfix_local_t)
')
@@ -466,15 +390,17 @@ optional_policy(`
########################################
#
-# Map local policy
+# Postfix map local policy
#
+allow postfix_map_t self:capability { dac_read_search dac_override setgid setuid };
+allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
+allow postfix_map_t self:unix_dgram_socket create_socket_perms;
+allow postfix_map_t self:tcp_socket create_stream_socket_perms;
+allow postfix_map_t self:udp_socket create_socket_perms;
-allow postfix_map_t self:capability { dac_override setgid setuid };
-allow postfix_map_t self:tcp_socket { accept listen };
-
-allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
-allow postfix_map_t postfix_etc_t:file manage_file_perms;
-allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms;
+manage_dirs_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
+manage_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
+manage_lnk_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
@@ -484,14 +410,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
-corenet_all_recvfrom_unlabeled(postfix_map_t)
corenet_all_recvfrom_netlabel(postfix_map_t)
corenet_tcp_sendrecv_generic_if(postfix_map_t)
+corenet_udp_sendrecv_generic_if(postfix_map_t)
corenet_tcp_sendrecv_generic_node(postfix_map_t)
-
-corenet_sendrecv_all_client_packets(postfix_map_t)
-corenet_tcp_connect_all_ports(postfix_map_t)
+corenet_udp_sendrecv_generic_node(postfix_map_t)
corenet_tcp_sendrecv_all_ports(postfix_map_t)
+corenet_udp_sendrecv_all_ports(postfix_map_t)
+corenet_tcp_connect_all_ports(postfix_map_t)
+corenet_sendrecv_all_client_packets(postfix_map_t)
corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t)
@@ -500,7 +427,6 @@ corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
files_list_home(postfix_map_t)
-files_read_usr_files(postfix_map_t)
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)
@@ -508,21 +434,24 @@ auth_use_nsswitch(postfix_map_t)
logging_send_syslog_msg(postfix_map_t)
-miscfiles_read_localization(postfix_map_t)
-
optional_policy(`
locallogin_dontaudit_use_fds(postfix_map_t)
')
optional_policy(`
+# for postalias
mailman_manage_data_files(postfix_map_t)
')
########################################
#
-# Pickup local policy
+# Postfix pickup local policy
#
+dontaudit postfix_pickup_t self:capability net_admin;
+
+allow postfix_pickup_t self:tcp_socket create_socket_perms;
+
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
@@ -532,21 +461,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
+postfix_list_spool(postfix_pickup_t)
+
allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-mcs_file_read_all(postfix_pickup_t)
-mcs_file_write_all(postfix_pickup_t)
-
########################################
#
-# Pipe local policy
+# Postfix pipe local policy
#
allow postfix_pipe_t self:process setrlimit;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
+write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
@@ -556,6 +485,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
corecmd_exec_bin(postfix_pipe_t)
+optional_policy(`
+ cyrus_stream_connect(postfix_pipe_t)
+')
+
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
@@ -584,19 +517,28 @@ optional_policy(`
########################################
#
-# Postdrop local policy
+# Postfix postdrop local policy
#
+# usually it does not need a UDP socket
allow postfix_postdrop_t self:capability sys_resource;
+allow postfix_postdrop_t self:tcp_socket create;
+allow postfix_postdrop_t self:udp_socket create_socket_perms;
+
+# Might be a leak, but I need a postfix expert to explain
+allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+allow postfix_postdrop_t postfix_master_t:unix_stream_socket connectto;
rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
+rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
-manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+rw_fifo_files_pattern(postfix_postdrop_t, postfix_master_t, postfix_master_t)
-allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+postfix_list_spool(postfix_postdrop_t)
+manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-mcs_file_read_all(postfix_postdrop_t)
-mcs_file_write_all(postfix_postdrop_t)
+corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
+corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
term_dontaudit_use_all_ptys(postfix_postdrop_t)
term_dontaudit_use_all_ttys(postfix_postdrop_t)
@@ -611,10 +553,7 @@ optional_policy(`
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
-optional_policy(`
- fail2ban_dontaudit_use_fds(postfix_postdrop_t)
-')
-
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951
optional_policy(`
fstools_read_pipes(postfix_postdrop_t)
')
@@ -629,17 +568,24 @@ optional_policy(`
#######################################
#
-# Postqueue local policy
+# Postfix postqueue local policy
#
+allow postfix_postqueue_t self:capability2 block_suspend;
+allow postfix_postqueue_t self:tcp_socket create;
+allow postfix_postqueue_t self:udp_socket { create ioctl };
+
+# wants to write to /var/spool/postfix/public/showq
stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t)
+# write to /var/spool/postfix/public/qmgr
write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t)
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
-term_use_all_ptys(postfix_postqueue_t)
-term_use_all_ttys(postfix_postqueue_t)
+# to write the mailq output, it really should not need read access!
+term_use_all_inherited_ptys(postfix_postqueue_t)
+term_use_all_inherited_ttys(postfix_postqueue_t)
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
@@ -655,69 +601,84 @@ optional_policy(`
########################################
#
-# Qmgr local policy
+# Postfix qmgr local policy
#
-allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
-allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
+dontaudit postfix_qmgr_t self:capability { net_admin };
stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
-
+# for /var/spool/postfix/active
manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
+allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
+allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+
corecmd_exec_bin(postfix_qmgr_t)
########################################
#
-# Showq local policy
+# Postfix showq local policy
#
allow postfix_showq_t self:capability { setuid setgid };
+allow postfix_showq_t self:tcp_socket create_socket_perms;
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
+allow postfix_showq_t postfix_spool_t:file read_file_perms;
+
+postfix_list_spool(postfix_showq_t)
+
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
-allow postfix_showq_t postfix_spool_t:file read_file_perms;
-
-mcs_file_read_all(postfix_showq_t)
-
+# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
term_use_all_ttys(postfix_showq_t)
+optional_policy(`
+ logwatch_dontaudit_leaks(postfix_showq_t)
+')
+
########################################
#
-# Smtp delivery local policy
+# Postfix smtp delivery local policy
#
+# connect to master process
allow postfix_smtp_t self:capability sys_chroot;
-
stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
-allow postfix_smtp_t { postfix_prng_t postfix_spool_t }:file rw_file_perms;
+allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+
+allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
corenet_tcp_bind_generic_node(postfix_smtp_t)
+# for spampd
+corenet_tcp_connect_spamd_port(postfix_master_t)
+
+files_search_all_mountpoints(postfix_smtp_t)
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
')
optional_policy(`
- dovecot_stream_connect(postfix_smtp_t)
+ dovecot_stream_connect(postfix_smtp_t)
')
optional_policy(`
@@ -730,28 +691,32 @@ optional_policy(`
########################################
#
-# Smtpd local policy
+# Postfix smtpd local policy
#
-
allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
+# connect to master process
stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+# Connect to policy server
+corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
+
+# for prng_exch
manage_dirs_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
-corenet_sendrecv_postfix_policyd_client_packets(postfix_smtpd_t)
-corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
-corenet_tcp_sendrecv_postfix_policyd_port(postfix_smtpd_t)
-
corecmd_exec_bin(postfix_smtpd_t)
+# for OpenSSL certificates
+
+# postfix checks the size of all mounted file systems
fs_getattr_all_dirs(postfix_smtpd_t)
-fs_getattr_all_fs(postfix_smtpd_t)
-mta_read_aliases(postfix_smtpd_t)
+optional_policy(`
+ antivirus_stream_connect(postfix_smtpd_t)
+')
optional_policy(`
dovecot_stream_connect_auth(postfix_smtpd_t)
@@ -764,6 +729,7 @@ optional_policy(`
optional_policy(`
milter_stream_connect_all(postfix_smtpd_t)
+ spamassassin_read_pid_files(postfix_smtpd_t)
')
optional_policy(`
@@ -774,31 +740,105 @@ optional_policy(`
sasl_connect(postfix_smtpd_t)
')
-optional_policy(`
- spamassassin_read_spamd_pid_files(postfix_smtpd_t)
- spamassassin_stream_connect_spamd(postfix_smtpd_t)
-')
-
########################################
#
-# Virtual local policy
+# Postfix virtual local policy
#
-allow postfix_virtual_t self:process setrlimit;
+allow postfix_virtual_t self:process { setsched setrlimit };
-allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
+manage_files_pattern(postfix_virtual_t, postfix_spool_t, postfix_spool_t)
+# connect to master process
stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+corecmd_exec_shell(postfix_virtual_t)
corecmd_exec_bin(postfix_virtual_t)
-mta_read_aliases(postfix_virtual_t)
mta_delete_spool(postfix_virtual_t)
-mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
userdom_manage_user_home_dirs(postfix_virtual_t)
-userdom_manage_user_home_content_dirs(postfix_virtual_t)
-userdom_manage_user_home_content_files(postfix_virtual_t)
-userdom_home_filetrans_user_home_dir(postfix_virtual_t)
-userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir })
+userdom_manage_user_home_content(postfix_virtual_t)
+userdom_filetrans_home_content(postfix_virtual_t)
+
+########################################
+#
+# postfix_domain common policy
+#
+allow postfix_domain self:capability { sys_nice sys_chroot };
+dontaudit postfix_domain self:capability sys_tty_config;
+allow postfix_domain self:process { signal_perms setpgid setsched };
+allow postfix_domain self:unix_dgram_socket create_socket_perms;
+allow postfix_domain self:unix_stream_socket create_stream_socket_perms;
+allow postfix_domain self:unix_stream_socket connectto;
+allow postfix_domain self:fifo_file rw_fifo_file_perms;
+
+allow postfix_master_t postfix_domain:fifo_file { read write };
+allow postfix_master_t postfix_domain:process signal;
+#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
+allow postfix_domain postfix_master_t:file read;
+allow postfix_domain postfix_etc_t:dir list_dir_perms;
+read_files_pattern(postfix_domain, postfix_etc_t, postfix_etc_t)
+read_lnk_files_pattern(postfix_domain, postfix_etc_t, postfix_etc_t)
+
+allow postfix_domain postfix_exec_t:file { mmap_file_perms lock };
+
+allow postfix_domain postfix_pickup_exec_t:file map;
+allow postfix_domain postfix_qmgr_exec_t:file map;
+
+allow postfix_domain postfix_master_t:process sigchld;
+
+allow postfix_domain postfix_spool_t:dir list_dir_perms;
+
+manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)
+files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
+
+kernel_read_network_state(postfix_domain)
+kernel_read_all_sysctls(postfix_domain)
+kernel_dontaudit_request_load_module(postfix_domain)
+
+dev_read_sysfs(postfix_domain)
+dev_read_rand(postfix_domain)
+dev_read_urand(postfix_domain)
+
+fs_search_auto_mountpoints(postfix_domain)
+fs_getattr_all_fs(postfix_domain)
+fs_rw_anon_inodefs_files(postfix_domain)
+
+term_dontaudit_use_console(postfix_domain)
+
+corecmd_exec_shell(postfix_domain)
+corecmd_getattr_all_executables(postfix_domain)
+
+files_read_etc_runtime_files(postfix_domain)
+files_read_usr_symlinks(postfix_domain)
+files_search_spool(postfix_domain)
+files_list_tmp(postfix_domain)
+files_search_all_mountpoints(postfix_domain)
+
+init_dontaudit_use_fds(postfix_domain)
+init_sigchld(postfix_domain)
+init_dontaudit_rw_stream_socket(postfix_domain)
+
+# For reading spamassasin
+mta_read_config(postfix_domain)
+mta_read_aliases(postfix_domain)
+
+miscfiles_read_generic_certs(postfix_domain)
+
+userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
+
+optional_policy(`
+ mysql_stream_connect(postfix_domain)
+ mysql_rw_db_sockets(postfix_domain)
+')
+
+optional_policy(`
+ spamd_stream_connect(postfix_domain)
+ spamassassin_domtrans_client(postfix_domain)
+')
+
+optional_policy(`
+ udev_read_db(postfix_domain)
+')
diff --git a/postfixpolicyd.if b/postfixpolicyd.if
index 5de817368..985b877ab 100644
--- a/postfixpolicyd.if
+++ b/postfixpolicyd.if
@@ -23,8 +23,11 @@ interface(`postfixpolicyd_admin',`
type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
')
- allow $1 postfix_policyd_t:process { ptrace signal_perms };
+ allow $1 postfix_policyd_t:process signal_perms;
ps_process_pattern($1, postfix_policyd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 postfix_policyd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/postfixpolicyd.te b/postfixpolicyd.te
index ea1582a3a..0c1a05983 100644
--- a/postfixpolicyd.te
+++ b/postfixpolicyd.te
@@ -34,7 +34,6 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
-corenet_all_recvfrom_unlabeled(postfix_policyd_t)
corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
corenet_tcp_bind_generic_node(postfix_policyd_t)
@@ -47,11 +46,7 @@ corenet_sendrecv_mysqld_server_packets(postfix_policyd_t)
corenet_tcp_bind_mysqld_port(postfix_policyd_t)
corenet_tcp_sendrecv_mysqld_port(postfix_policyd_t)
-files_read_etc_files(postfix_policyd_t)
-files_read_usr_files(postfix_policyd_t)
logging_send_syslog_msg(postfix_policyd_t)
-miscfiles_read_localization(postfix_policyd_t)
-
sysnet_dns_name_resolve(postfix_policyd_t)
diff --git a/postgrey.if b/postgrey.if
index b9e71b537..a7502cd0e 100644
--- a/postgrey.if
+++ b/postgrey.if
@@ -16,9 +16,9 @@ interface(`postgrey_stream_connect',`
type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
')
+ stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
files_search_pids($1)
files_search_spool($1)
- stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
')
########################################
@@ -59,14 +59,17 @@ interface(`postgrey_search_spool',`
#
interface(`postgrey_admin',`
gen_require(`
- type postgrey_t, postgrey_etc_t, postgrey_spool_t;
- type postgrey_var_lib_t, postgrey_var_run_t;
- type postgrey_initrc_exec_t;
+ type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t;
+ type postgrey_spool_t, postgrey_var_lib_t, postgrey_var_run_t;
')
- allow $1 postgrey_t:process { ptrace signal_perms };
+ allow $1 postgrey_t:process signal_perms;
ps_process_pattern($1, postgrey_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 postgrey_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 postgrey_initrc_exec_t system_r;
diff --git a/postgrey.te b/postgrey.te
index fd58805e5..fbb01fc23 100644
--- a/postgrey.te
+++ b/postgrey.te
@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
init_script_file(postgrey_initrc_exec_t)
type postgrey_spool_t;
-files_type(postgrey_spool_t)
+files_spool_file(postgrey_spool_t)
type postgrey_var_lib_t;
files_type(postgrey_var_lib_t)
@@ -29,7 +29,7 @@ files_pid_file(postgrey_var_run_t)
# Local policy
#
-allow postgrey_t self:capability { chown dac_override setgid setuid };
+allow postgrey_t self:capability { chown dac_read_search dac_override setgid setuid };
dontaudit postgrey_t self:capability sys_tty_config;
allow postgrey_t self:process signal_perms;
allow postgrey_t self:fifo_file create_fifo_file_perms;
@@ -43,6 +43,7 @@ manage_dirs_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+allow postgrey_t postgrey_spool_t:file map;
manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
@@ -55,9 +56,10 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file })
kernel_read_system_state(postgrey_t)
kernel_read_kernel_sysctls(postgrey_t)
-corecmd_search_bin(postgrey_t)
+auth_use_nsswitch(postgrey_t)
+
+corecmd_exec_bin(postgrey_t)
-corenet_all_recvfrom_unlabeled(postgrey_t)
corenet_all_recvfrom_netlabel(postgrey_t)
corenet_tcp_sendrecv_generic_if(postgrey_t)
corenet_tcp_sendrecv_generic_node(postgrey_t)
@@ -72,17 +74,15 @@ dev_read_sysfs(postgrey_t)
domain_use_interactive_fds(postgrey_t)
-files_read_etc_files(postgrey_t)
files_read_etc_runtime_files(postgrey_t)
-files_read_usr_files(postgrey_t)
files_getattr_tmp_dirs(postgrey_t)
fs_getattr_all_fs(postgrey_t)
fs_search_auto_mountpoints(postgrey_t)
-logging_send_syslog_msg(postgrey_t)
+auth_read_passwd(postgrey_t)
-miscfiles_read_localization(postgrey_t)
+logging_send_syslog_msg(postgrey_t)
sysnet_read_config(postgrey_t)
diff --git a/ppp.fc b/ppp.fc
index efcb6532d..ff2c96adb 100644
--- a/ppp.fc
+++ b/ppp.fc
@@ -1,30 +1,45 @@
-HOME_DIR/\.ppprc -- gen_context(system_u:object_r:ppp_home_t,s0)
+#
+# /etc
+#
+/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
+/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0)
+/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+# Fix /etc/ppp {up,down} family scripts (see man pppd)
+/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
-/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
-/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
-/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
-/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0)
-/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
-/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+/usr/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
-/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)
-/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
-/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
-/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
-/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
-/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
+#
+# /sbin
+#
+/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
-/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0)
-
-/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
-/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
-/var/log/pptp.* -- gen_context(system_u:object_r:pptp_log_t,s0)
+#
+# /usr
+#
+/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
+#
+# /var
+#
/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)
/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
-/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
-/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
+/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
+# Fix pptp sockets
+/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
+
+/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0)
+
+/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0)
diff --git a/ppp.if b/ppp.if
index cd8b8b9cb..ad8424ba3 100644
--- a/ppp.if
+++ b/ppp.if
@@ -1,110 +1,91 @@
-## Point to Point Protocol daemon creates links in ppp networks.
+## Point to Point Protocol daemon creates links in ppp networks
-########################################
-##
-## Role access for ppp.
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-##
-## User domain for the role.
-##
-##
-#
-interface(`ppp_role',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
+#######################################
##
-## Create, read, write, and delete
-## ppp home files.
+## Create, read, write, and delete
+## ppp home files.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
interface(`ppp_manage_home_files',`
- gen_require(`
- type ppp_home_t;
- ')
+ gen_require(`
+ type ppp_home_t;
+ ')
- userdom_search_user_home_dirs($1)
- allow $1 ppp_home_t:file manage_file_perms;
+ userdom_search_user_home_dirs($1)
+ allow $1 ppp_home_t:file manage_file_perms;
')
-########################################
+#######################################
##
-## Read ppp user home content files.
+## Read ppp user home content files.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
interface(`ppp_read_home_files',`
- gen_require(`
- type ppp_home_t;
+ gen_require(`
+ type ppp_home_t;
- ')
+ ')
- userdom_search_user_home_dirs($1)
- allow $1 ppp_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+ allow $1 ppp_home_t:file read_file_perms;
')
-########################################
+#######################################
##
-## Relabel ppp home files.
+## Relabel ppp home files.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
interface(`ppp_relabel_home_files',`
- gen_require(`
- type ppp_home_t;
- ')
+ gen_require(`
+ type ppp_home_t;
+ ')
- userdom_search_user_home_dirs($1)
- allow $1 ppp_home_t:file relabel_file_perms;
+ userdom_search_user_home_dirs($1)
+ allow $1 ppp_home_t:file relabel_file_perms;
')
-########################################
+#######################################
##
-## Create objects in user home
-## directories with the ppp home type.
+## Create objects in user home
+## directories with the ppp home type.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
##
-##
-## Class of the object being created.
-##
+##
+## Class of the object being created.
+##
##
##
-##
-## The name of the object being created.
-##
+##
+## The name of the object being created.
+##
##
#
interface(`ppp_home_filetrans_ppp_home',`
- gen_require(`
- type ppp_home_t;
- ')
+ gen_require(`
+ type ppp_home_t;
+ ')
- userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3)
+ userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3)
')
########################################
@@ -128,7 +109,7 @@ interface(`ppp_use_fds',`
########################################
##
## Do not audit attempts to inherit
-## and use ppp file discriptors.
+## and use PPP file discriptors.
##
##
##
@@ -146,7 +127,7 @@ interface(`ppp_dontaudit_use_fds',`
########################################
##
-## Send child terminated signals to ppp.
+## Send a SIGCHLD signal to PPP.
##
##
##
@@ -165,7 +146,7 @@ interface(`ppp_sigchld',`
########################################
##
-## Send kill signals to ppp.
+## Send ppp a kill signal
##
##
##
@@ -173,7 +154,6 @@ interface(`ppp_sigchld',`
##
##
#
-#
interface(`ppp_kill',`
gen_require(`
type pppd_t;
@@ -184,7 +164,7 @@ interface(`ppp_kill',`
########################################
##
-## Send generic signals to ppp.
+## Send a generic signal to PPP.
##
##
##
@@ -202,7 +182,7 @@ interface(`ppp_signal',`
########################################
##
-## Send null signals to ppp.
+## Send a generic signull to PPP.
##
##
##
@@ -220,7 +200,7 @@ interface(`ppp_signull',`
########################################
##
-## Execute pppd in the pppd domain.
+## Execute domain in the ppp domain.
##
##
##
@@ -239,8 +219,7 @@ interface(`ppp_domtrans',`
########################################
##
-## Conditionally execute pppd on
-## behalf of a user or staff type.
+## Conditionally execute ppp daemon on behalf of a user or staff type.
##
##
##
@@ -249,7 +228,7 @@ interface(`ppp_domtrans',`
##
##
##
-## Role allowed access.
+## The role to allow the ppp domain.
##
##
##
@@ -268,8 +247,7 @@ interface(`ppp_run_cond',`
########################################
##
-## Unconditionally execute ppp daemon
-## on behalf of a user or staff type.
+## Unconditionally execute ppp daemon on behalf of a user or staff type.
##
##
##
@@ -278,7 +256,7 @@ interface(`ppp_run_cond',`
##
##
##
-## Role allowed access.
+## The role to allow the ppp domain.
##
##
##
@@ -294,7 +272,7 @@ interface(`ppp_run',`
########################################
##
-## Execute domain in the caller domain.
+## Execute domain in the ppp caller.
##
##
##
@@ -326,13 +304,13 @@ interface(`ppp_read_config',`
type pppd_etc_t;
')
- files_search_etc($1)
read_files_pattern($1, pppd_etc_t, pppd_etc_t)
+ files_search_etc($1)
')
########################################
##
-## Read ppp writable configuration content.
+## Read PPP-writable configuration files.
##
##
##
@@ -345,15 +323,14 @@ interface(`ppp_read_rw_config',`
type pppd_etc_t, pppd_etc_rw_t;
')
- files_search_etc($1)
- allow $1 { pppd_etc_t pppd_etc_rw_t }:dir list_dir_perms;
+ allow $1 pppd_etc_t:dir list_dir_perms;
allow $1 pppd_etc_rw_t:file read_file_perms;
- allow $1 { pppd_etc_t pppd_etc_rw_t }:lnk_file read_lnk_file_perms;
+ files_search_etc($1)
')
########################################
##
-## Read ppp secret files.
+## Read PPP secrets.
##
##
##
@@ -366,15 +343,14 @@ interface(`ppp_read_secrets',`
type pppd_etc_t, pppd_secret_t;
')
- files_search_etc($1)
allow $1 pppd_etc_t:dir list_dir_perms;
allow $1 pppd_secret_t:file read_file_perms;
- allow $1 pppd_etc_t:lnk_file read_lnk_file_perms;
+ files_search_etc($1)
')
########################################
##
-## Read ppp pid files.
+## Read PPP pid files.
##
##
##
@@ -388,13 +364,12 @@ interface(`ppp_read_pid_files',`
')
files_search_pids($1)
- allow $1 pppd_var_run_t:file read_file_perms;
+ read_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
')
########################################
##
-## Create, read, write, and delete
-## ppp pid files.
+## Create, read, write, and delete PPP pid files.
##
##
##
@@ -408,42 +383,30 @@ interface(`ppp_manage_pid_files',`
')
files_search_pids($1)
- allow $1 pppd_var_run_t:file manage_file_perms;
+ manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
')
########################################
##
-## Create specified pppd pid objects
-## with a type transition.
+## Create, read, write, and delete PPP pid files.
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
#
interface(`ppp_pid_filetrans',`
gen_require(`
type pppd_var_run_t;
')
- files_pid_filetrans($1, pppd_var_run_t, $2, $3)
+ files_pid_filetrans($1, pppd_var_run_t, file)
')
########################################
##
-## Execute pppd init script in
-## the initrc domain.
+## Execute ppp server in the ntpd domain.
##
##
##
@@ -461,31 +424,82 @@ interface(`ppp_initrc_domtrans',`
########################################
##
-## All of the rules required to
-## administrate an ppp environment.
+## Execute pppd server in the pppd domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
-##
+#
+interface(`ppp_systemctl',`
+ gen_require(`
+ type pppd_unit_file_t;
+ type pppd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 pppd_unit_file_t:file read_file_perms;
+ allow $1 pppd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, pppd_t)
+')
+
+
+########################################
+##
+## Transition to ppp named content
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
+#
+interface(`ppp_filetrans_named_content',`
+ gen_require(`
+ type pppd_lock_t;
+ ')
+
+ files_lock_filetrans($1, pppd_lock_t, dir, "ppp")
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an ppp environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
##
#
interface(`ppp_admin',`
gen_require(`
type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
- type pppd_etc_t, pppd_secret_t, pppd_etc_rw_t;
- type pppd_var_run_t, pppd_initrc_exec_t;
+ type pppd_etc_t, pppd_secret_t, pppd_var_run_t;
type pptp_t, pptp_log_t, pptp_var_run_t;
+ type pppd_initrc_exec_t, pppd_etc_rw_t;
+ type pppd_unit_file_t;
+ ')
+
+ allow $1 pppd_t:process signal_perms;
+ ps_process_pattern($1, pppd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 pppd_t:process ptrace;
+ allow $1 pptp_t:process ptrace;
')
- allow $1 { pptp_t pppd_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { pptp_t pppd_t })
+ allow $1 pptp_t:process signal_perms;
+ ps_process_pattern($1, pptp_t)
ppp_initrc_domtrans($1)
domain_system_change_exemption($1)
@@ -496,14 +510,26 @@ interface(`ppp_admin',`
admin_pattern($1, pppd_tmp_t)
logging_list_logs($1)
- admin_pattern($1, { pptp_log_t pppd_log_t })
+ admin_pattern($1, pppd_log_t)
files_list_locks($1)
admin_pattern($1, pppd_lock_t)
files_list_etc($1)
- admin_pattern($1, { pppd_etc_rw_t pppd_secret_t pppd_etc_t })
+ admin_pattern($1, pppd_etc_t)
+
+ admin_pattern($1, pppd_etc_rw_t)
+
+ admin_pattern($1, pppd_secret_t)
files_list_pids($1)
- admin_pattern($1, { pptp_var_run_t pppd_var_run_t })
+ admin_pattern($1, pppd_var_run_t)
+
+ admin_pattern($1, pptp_log_t)
+
+ admin_pattern($1, pptp_var_run_t)
+
+ ppp_systemctl($1)
+ admin_pattern($1, pppd_unit_file_t)
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
index d616ca3e3..7910fb889 100644
--- a/ppp.te
+++ b/ppp.te
@@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0)
#
##
-##
-## Determine whether pppd can
-## load kernel modules.
-##
+##
+## Allow pppd to load kernel modules for certain modems
+##
##
gen_tunable(pppd_can_insmod, false)
##
-##
-## Determine whether common users can
-## run pppd with a domain transition.
-##
+##
+## Allow pppd to be run for a regular user
+##
##
gen_tunable(pppd_for_user, false)
attribute_role pppd_roles;
-attribute_role pptp_roles;
+# pppd_t is the domain for the pppd program.
+# pppd_exec_t is the type of the pppd executable.
type pppd_t;
type pppd_exec_t;
init_daemon_domain(pppd_t, pppd_exec_t)
role pppd_roles types pppd_t;
+role system_r types pppd_t;
type pppd_devpts_t;
term_pty(pppd_devpts_t)
+# Define a separate type for /etc/ppp
type pppd_etc_t;
files_config_file(pppd_etc_t)
+# Define a separate type for writable files under /etc/ppp
type pppd_etc_rw_t;
files_type(pppd_etc_rw_t)
type pppd_initrc_exec_t alias pppd_script_exec_t;
init_script_file(pppd_initrc_exec_t)
+type pppd_unit_file_t;
+systemd_unit_file(pppd_unit_file_t)
+
+# pppd_secret_t is the type of the pap and chap password files
type pppd_secret_t;
files_type(pppd_secret_t)
@@ -59,7 +65,8 @@ files_pid_file(pppd_var_run_t)
type pptp_t;
type pptp_exec_t;
init_daemon_domain(pptp_t, pptp_exec_t)
-role pptp_roles types pptp_t;
+#role pppd_roles types pptp_t;
+role system_r types pptp_t;
type pptp_log_t;
logging_log_file(pptp_log_t)
@@ -67,54 +74,61 @@ logging_log_file(pptp_log_t)
type pptp_var_run_t;
files_pid_file(pptp_var_run_t)
-type ppp_home_t;
-userdom_user_home_content(ppp_home_t)
-
########################################
#
-# PPPD local policy
+# PPPD Local policy
#
-allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
+allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_read_search dac_override sys_nice sys_chroot };
dontaudit pppd_t self:capability sys_tty_config;
-allow pppd_t self:process { getsched setsched signal };
+dontaudit pppd_t self:capability2 block_suspend;
+allow pppd_t self:process { getsched setsched signal_perms };
allow pppd_t self:fifo_file rw_fifo_file_perms;
allow pppd_t self:socket create_socket_perms;
-allow pppd_t self:netlink_route_socket nlmsg_write;
-allow pppd_t self:tcp_socket { accept listen };
+allow pppd_t self:unix_dgram_socket create_socket_perms;
+allow pppd_t self:unix_stream_socket { connectto create_socket_perms };
+allow pppd_t self:netlink_route_socket rw_netlink_socket_perms;
+allow pppd_t self:tcp_socket create_stream_socket_perms;
+allow pppd_t self:udp_socket { connect connected_socket_perms };
allow pppd_t self:packet_socket create_socket_perms;
+domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
+
allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
allow pppd_t pppd_etc_t:dir rw_dir_perms;
-allow pppd_t { pppd_etc_t ppp_home_t }:file read_file_perms;
+allow pppd_t pppd_etc_t:file read_file_perms;
allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms;
manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
+# Automatically label newly created files under /etc/ppp with this type
filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
-allow pppd_t pppd_lock_t:file manage_file_perms;
-files_lock_filetrans(pppd_t, pppd_lock_t, file)
+manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t)
+files_lock_filetrans(pppd_t, pppd_lock_t, dir)
+files_search_locks(pppd_t)
-allow pppd_t pppd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t)
logging_log_filetrans(pppd_t, pppd_log_t, file)
manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
-files_tmp_filetrans(pppd_t, pppd_tmp_t, { dir file})
+files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
+manage_sock_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file })
-
-can_exec(pppd_t, pppd_exec_t)
-
-domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
+allow pppd_t pppd_var_run_t:file map;
allow pppd_t pptp_t:process signal;
+# for SSP
+# Access secret files
allow pppd_t pppd_secret_t:file read_file_perms;
+ppp_initrc_domtrans(pppd_t)
+
kernel_read_kernel_sysctls(pppd_t)
kernel_read_system_state(pppd_t)
kernel_rw_net_sysctls(pppd_t)
@@ -122,10 +136,10 @@ kernel_read_network_state(pppd_t)
kernel_request_load_module(pppd_t)
dev_read_urand(pppd_t)
+dev_search_sysfs(pppd_t)
dev_read_sysfs(pppd_t)
dev_rw_modem(pppd_t)
-corenet_all_recvfrom_unlabeled(pppd_t)
corenet_all_recvfrom_netlabel(pppd_t)
corenet_tcp_sendrecv_generic_if(pppd_t)
corenet_raw_sendrecv_generic_if(pppd_t)
@@ -135,9 +149,22 @@ corenet_raw_sendrecv_generic_node(pppd_t)
corenet_udp_sendrecv_generic_node(pppd_t)
corenet_tcp_sendrecv_all_ports(pppd_t)
corenet_udp_sendrecv_all_ports(pppd_t)
-
+corenet_tcp_connect_http_port(pppd_t)
+# Access /dev/ppp.
corenet_rw_ppp_dev(pppd_t)
+fs_getattr_all_fs(pppd_t)
+fs_search_auto_mountpoints(pppd_t)
+
+term_use_unallocated_ttys(pppd_t)
+term_use_usb_ttys(pppd_t)
+term_setattr_unallocated_ttys(pppd_t)
+term_ioctl_generic_ptys(pppd_t)
+# for pppoe
+term_create_pty(pppd_t, pppd_devpts_t)
+term_use_generic_ptys(pppd_t)
+
+# allow running ip-up and ip-down scripts and running chat.
corecmd_exec_bin(pppd_t)
corecmd_exec_shell(pppd_t)
@@ -147,36 +174,31 @@ files_exec_etc_files(pppd_t)
files_manage_etc_runtime_files(pppd_t)
files_dontaudit_write_etc_files(pppd_t)
-fs_getattr_all_fs(pppd_t)
-fs_search_auto_mountpoints(pppd_t)
+# for scripts
-term_use_unallocated_ttys(pppd_t)
-term_setattr_unallocated_ttys(pppd_t)
-term_ioctl_generic_ptys(pppd_t)
-term_create_pty(pppd_t, pppd_devpts_t)
-term_use_generic_ptys(pppd_t)
-
-init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t)
init_read_utmp(pppd_t)
-init_signal_script(pppd_t)
init_dontaudit_write_utmp(pppd_t)
+init_signal_script(pppd_t)
-auth_run_chk_passwd(pppd_t, pppd_roles)
auth_use_nsswitch(pppd_t)
+auth_domtrans_chk_passwd(pppd_t)
+#auth_run_chk_passwd(pppd_t,pppd_roles)
auth_write_login_records(pppd_t)
logging_send_syslog_msg(pppd_t)
logging_send_audit_msgs(pppd_t)
-miscfiles_read_localization(pppd_t)
-
sysnet_exec_ifconfig(pppd_t)
sysnet_manage_config(pppd_t)
sysnet_etc_filetrans_config(pppd_t)
+sysnet_filetrans_config_fromdir(pppd_t, pppd_var_run_t, file, "resolv.conf")
-userdom_use_user_terminals(pppd_t)
+userdom_use_inherited_user_terminals(pppd_t)
userdom_dontaudit_use_unpriv_user_fds(pppd_t)
userdom_search_user_home_dirs(pppd_t)
+userdom_search_admin_dir(pppd_t)
+
+ppp_exec(pppd_t)
optional_policy(`
ddclient_run(pppd_t, pppd_roles)
@@ -186,11 +208,13 @@ optional_policy(`
l2tpd_dgram_send(pppd_t)
l2tpd_rw_socket(pppd_t)
l2tpd_stream_connect(pppd_t)
+ l2tpd_read_pid_files(pppd_t)
+ l2tpd_dbus_chat(pppd_t)
')
optional_policy(`
tunable_policy(`pppd_can_insmod',`
- modutils_domtrans_insmod(pppd_t)
+ modutils_domtrans_insmod_uncond(pppd_t)
')
')
@@ -218,16 +242,19 @@ optional_policy(`
########################################
#
-# PPTP local policy
+# PPTP Local policy
#
allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin };
dontaudit pptp_t self:capability sys_tty_config;
allow pptp_t self:process signal;
allow pptp_t self:fifo_file rw_fifo_file_perms;
-allow pptp_t self:unix_stream_socket { accept connectto listen };
+allow pptp_t self:unix_dgram_socket create_socket_perms;
+allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow pptp_t self:rawip_socket create_socket_perms;
-allow pptp_t self:netlink_route_socket nlmsg_write;
+allow pptp_t self:tcp_socket create_socket_perms;
+allow pptp_t self:udp_socket create_socket_perms;
+allow pptp_t self:netlink_route_socket rw_netlink_socket_perms;
allow pptp_t pppd_etc_t:dir list_dir_perms;
allow pptp_t pppd_etc_t:file read_file_perms;
@@ -236,45 +263,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
allow pptp_t pppd_etc_rw_t:file read_file_perms;
allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
+can_exec(pptp_t, pppd_etc_rw_t)
+# Allow pptp to append to pppd log files
allow pptp_t pppd_log_t:file append_file_perms;
-allow pptp_t pptp_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow pptp_t pptp_log_t:file manage_file_perms;
logging_log_filetrans(pptp_t, pptp_log_t, file)
+manage_dirs_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
-files_pid_filetrans(pptp_t, pptp_var_run_t, file)
-
-can_exec(pptp_t, pppd_etc_rw_t)
+files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir })
+kernel_list_proc(pptp_t)
kernel_read_kernel_sysctls(pptp_t)
kernel_read_network_state(pptp_t)
+kernel_read_proc_symlinks(pptp_t)
kernel_read_system_state(pptp_t)
kernel_signal(pptp_t)
+dev_read_sysfs(pptp_t)
+
corecmd_exec_shell(pptp_t)
corecmd_read_bin_symlinks(pptp_t)
-corenet_all_recvfrom_unlabeled(pptp_t)
corenet_all_recvfrom_netlabel(pptp_t)
corenet_tcp_sendrecv_generic_if(pptp_t)
corenet_raw_sendrecv_generic_if(pptp_t)
corenet_tcp_sendrecv_generic_node(pptp_t)
corenet_raw_sendrecv_generic_node(pptp_t)
corenet_tcp_sendrecv_all_ports(pptp_t)
-
-corenet_tcp_connect_all_reserved_ports(pptp_t)
+corenet_tcp_bind_generic_node(pptp_t)
corenet_tcp_connect_generic_port(pptp_t)
+corenet_tcp_connect_all_reserved_ports(pptp_t)
corenet_sendrecv_generic_client_packets(pptp_t)
-
-corenet_sendrecv_pptp_client_packets(pptp_t)
corenet_tcp_connect_pptp_port(pptp_t)
-dev_read_sysfs(pptp_t)
-
-domain_use_interactive_fds(pptp_t)
-
fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)
@@ -282,12 +307,12 @@ term_ioctl_generic_ptys(pptp_t)
term_search_ptys(pptp_t)
term_use_ptmx(pptp_t)
+domain_use_interactive_fds(pptp_t)
+
auth_use_nsswitch(pptp_t)
logging_send_syslog_msg(pptp_t)
-miscfiles_read_localization(pptp_t)
-
sysnet_exec_ifconfig(pptp_t)
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
@@ -298,6 +323,10 @@ optional_policy(`
consoletype_exec(pppd_t)
')
+optional_policy(`
+ gnome_dontaudit_search_config(pppd_t)
+')
+
optional_policy(`
dbus_system_domain(pppd_t, pppd_exec_t)
diff --git a/prelink.fc b/prelink.fc
index a90d6231f..62af9a4a0 100644
--- a/prelink.fc
+++ b/prelink.fc
@@ -1,11 +1,11 @@
/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0)
-/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
+/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
-/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0)
-/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
+/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0)
+/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
-/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
-/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0)
+/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
+/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0)
diff --git a/prelink.if b/prelink.if
index 20d469793..e6605c100 100644
--- a/prelink.if
+++ b/prelink.if
@@ -2,7 +2,7 @@
########################################
##
-## Execute prelink in the prelink domain.
+## Execute the prelink program in the prelink domain.
##
##
##
@@ -18,15 +18,15 @@ interface(`prelink_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, prelink_exec_t, prelink_t)
- ifdef(`hide_broken_symptoms',`
+ ifdef(`hide_broken_symptoms', `
dontaudit prelink_t $1:socket_class_set { read write };
- dontaudit prelink_t $1:fifo_file setattr_fifo_file_perms;
+ dontaudit prelink_t $1:fifo_file setattr;
')
')
########################################
##
-## Execute prelink in the caller domain.
+## Execute the prelink program in the current domain.
##
##
##
@@ -45,9 +45,7 @@ interface(`prelink_exec',`
########################################
##
-## Execute prelink in the prelink
-## domain, and allow the specified role
-## the prelink domain.
+## Execute the prelink program in the prelink domain.
##
##
##
@@ -56,18 +54,18 @@ interface(`prelink_exec',`
##
##
##
-## Role allowed access.
+## The role to allow the prelink domain.
##
##
##
#
interface(`prelink_run',`
gen_require(`
- attribute_role prelink_roles;
+ type prelink_t;
')
prelink_domtrans($1)
- roleattribute $2 prelink_roles;
+ role $2 types prelink_t;
')
########################################
@@ -80,6 +78,7 @@ interface(`prelink_run',`
##
##
#
+# cjp: added for misc non-entrypoint objects
interface(`prelink_object_file',`
gen_require(`
attribute prelink_object;
@@ -90,7 +89,7 @@ interface(`prelink_object_file',`
########################################
##
-## Read prelink cache files.
+## Read the prelink cache.
##
##
##
@@ -109,7 +108,7 @@ interface(`prelink_read_cache',`
########################################
##
-## Delete prelink cache files.
+## Delete the prelink cache.
##
##
##
@@ -122,8 +121,8 @@ interface(`prelink_delete_cache',`
type prelink_cache_t;
')
+ allow $1 prelink_cache_t:file unlink;
files_rw_etc_dirs($1)
- allow $1 prelink_cache_t:file delete_file_perms;
')
########################################
@@ -168,7 +167,7 @@ interface(`prelink_manage_lib',`
########################################
##
-## Relabel from prelink lib files.
+## Relabel from files in the /boot directory.
##
##
##
@@ -187,7 +186,7 @@ interface(`prelink_relabelfrom_lib',`
########################################
##
-## Relabel prelink lib files.
+## Relabel from files in the /boot directory.
##
##
##
@@ -203,3 +202,21 @@ interface(`prelink_relabel_lib',`
files_search_var_lib($1)
relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
')
+
+########################################
+##
+## Transition to prelink named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prelink_filetrans_named_content',`
+ gen_require(`
+ type prelink_cache_t;
+ ')
+
+ files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
+')
diff --git a/prelink.te b/prelink.te
index 8e262163b..6facb3465 100644
--- a/prelink.te
+++ b/prelink.te
@@ -6,13 +6,10 @@ policy_module(prelink, 1.11.0)
attribute prelink_object;
-attribute_role prelink_roles;
-
type prelink_t;
type prelink_exec_t;
init_system_domain(prelink_t, prelink_exec_t)
domain_obj_id_change_exemption(prelink_t)
-role prelink_roles types prelink_t;
type prelink_cache_t;
files_type(prelink_cache_t)
@@ -40,31 +37,34 @@ files_type(prelink_var_lib_t)
# Local policy
#
-allow prelink_t self:capability { chown dac_override fowner fsetid setfcap sys_resource };
+allow prelink_t self:capability { chown dac_read_search dac_override fowner fsetid setfcap sys_resource };
allow prelink_t self:process { execheap execmem execstack signal };
allow prelink_t self:fifo_file rw_fifo_file_perms;
allow prelink_t prelink_cache_t:file manage_file_perms;
files_etc_filetrans(prelink_t, prelink_cache_t, file)
-allow prelink_t prelink_log_t:dir setattr_dir_perms;
+allow prelink_t prelink_log_t:dir setattr;
create_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
append_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
logging_log_filetrans(prelink_t, prelink_log_t, file)
-allow prelink_t prelink_tmp_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod };
+allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
-allow prelink_t prelink_tmpfs_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod };
+allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod };
fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)
manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
+files_search_var_lib(prelink_t)
-allow prelink_t prelink_object:file { manage_file_perms mmap_file_perms relabel_file_perms };
+# prelink misc objects that are not system
+# libraries or entrypoints
+allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms };
kernel_read_system_state(prelink_t)
kernel_read_kernel_sysctls(prelink_t)
@@ -75,25 +75,23 @@ corecmd_mmap_all_executables(prelink_t)
corecmd_read_bin_symlinks(prelink_t)
dev_read_urand(prelink_t)
+dev_getattr_all_chr_files(prelink_t)
-files_getattr_all_files(prelink_t)
files_list_all(prelink_t)
+files_getattr_all_files(prelink_t)
+files_write_non_security_dirs(prelink_t)
+files_read_etc_runtime_files(prelink_t)
+files_dontaudit_read_all_symlinks(prelink_t)
files_manage_usr_files(prelink_t)
files_manage_var_files(prelink_t)
-files_read_etc_files(prelink_t)
-files_read_etc_runtime_files(prelink_t)
files_relabelfrom_usr_files(prelink_t)
-files_search_var_lib(prelink_t)
-files_write_non_security_dirs(prelink_t)
-files_dontaudit_read_all_symlinks(prelink_t)
-fs_getattr_all_fs(prelink_t)
-fs_search_auto_mountpoints(prelink_t)
-
-selinux_get_enforce_mode(prelink_t)
+fs_getattr_xattr_fs(prelink_t)
storage_getattr_fixed_disk_dev(prelink_t)
+selinux_get_enforce_mode(prelink_t)
+
libs_exec_ld_so(prelink_t)
libs_legacy_use_shared_libs(prelink_t)
libs_manage_ld_so(prelink_t)
@@ -102,32 +100,16 @@ libs_manage_shared_libs(prelink_t)
libs_relabel_shared_libs(prelink_t)
libs_delete_lib_symlinks(prelink_t)
-miscfiles_read_localization(prelink_t)
-userdom_use_user_terminals(prelink_t)
-userdom_manage_user_home_content_files(prelink_t)
-# pending
-# userdom_relabel_user_home_content_files(prelink_t)
-# userdom_execmod_user_home_content_files(prelink_t)
+userdom_use_inherited_user_terminals(prelink_t)
+userdom_manage_user_home_content(prelink_t)
+userdom_relabel_user_home_files(prelink_t)
+userdom_execmod_user_home_files(prelink_t)
userdom_exec_user_home_content_files(prelink_t)
-ifdef(`hide_broken_symptoms',`
- miscfiles_read_man_pages(prelink_t)
+systemd_read_unit_files(prelink_t)
- optional_policy(`
- dbus_read_config(prelink_t)
- ')
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files(prelink_t)
- fs_manage_nfs_files(prelink_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_exec_cifs_files(prelink_t)
- fs_manage_cifs_files(prelink_t)
-')
+term_use_all_inherited_terms(prelink_t)
optional_policy(`
amanda_manage_lib(prelink_t)
@@ -138,11 +120,12 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_read_config(prelink_t)
gnome_dontaudit_read_inherited_gconf_config_files(prelink_t)
')
optional_policy(`
- mozilla_manage_plugin_rw_files(prelink_t)
+ mozilla_plugin_manage_rw_files(prelink_t)
')
optional_policy(`
@@ -155,17 +138,18 @@ optional_policy(`
########################################
#
-# Cron system local policy
+# Prelink Cron system Policy
#
optional_policy(`
allow prelink_cron_system_t self:capability setuid;
allow prelink_cron_system_t self:process { setsched setfscreate signal };
allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
- allow prelink_cron_system_t self:unix_dgram_socket create_socket_perms;
+ allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
- allow prelink_cron_system_t prelink_cache_t:file delete_file_perms;
+ allow prelink_cron_system_t prelink_cache_t:file unlink;
+ files_delete_etc_dir_entry(prelink_cron_system_t)
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
allow prelink_cron_system_t prelink_t:process noatsecure;
@@ -174,7 +158,7 @@ optional_policy(`
manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)
files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file)
- allow prelink_cron_system_t prelink_var_lib_t:file relabel_file_perms;
+ allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto };
kernel_read_system_state(prelink_cron_system_t)
@@ -184,23 +168,36 @@ optional_policy(`
dev_list_sysfs(prelink_cron_system_t)
dev_read_sysfs(prelink_cron_system_t)
- files_rw_etc_dirs(prelink_cron_system_t)
files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
+ files_search_var_lib(prelink_cron_system_t)
+ files_dontaudit_list_non_security(prelink_cron_system_t)
+
+ fs_search_cgroup_dirs(prelink_cron_system_t)
auth_use_nsswitch(prelink_cron_system_t)
init_telinit(prelink_cron_system_t)
init_exec(prelink_cron_system_t)
+ init_reload_services(prelink_cron_system_t)
libs_exec_ld_so(prelink_cron_system_t)
logging_search_logs(prelink_cron_system_t)
- miscfiles_read_localization(prelink_cron_system_t)
+ init_stream_connect(prelink_cron_system_t)
+
cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
+ userdom_dontaudit_list_admin_dir(prelink_cron_system_t)
+
optional_policy(`
rpm_read_db(prelink_cron_system_t)
')
')
+
+ifdef(`hide_broken_symptoms', `
+ optional_policy(`
+ dbus_read_config(prelink_t)
+ ')
+')
diff --git a/prelude.fc b/prelude.fc
index 8dbc76372..b580f852b 100644
--- a/prelude.fc
+++ b/prelude.fc
@@ -12,7 +12,7 @@
/usr/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
-/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0)
+/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:prewikka_script_exec_t,s0)
/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0)
diff --git a/prelude.if b/prelude.if
index c83a838d7..f41a4f7dd 100644
--- a/prelude.if
+++ b/prelude.if
@@ -1,13 +1,13 @@
-## Prelude hybrid intrusion detection system.
+## Prelude hybrid intrusion detection system
########################################
##
## Execute a domain transition to run prelude.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`prelude_domtrans',`
@@ -15,19 +15,17 @@ interface(`prelude_domtrans',`
type prelude_t, prelude_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, prelude_exec_t, prelude_t)
')
########################################
##
-## Execute a domain transition to
-## run prelude audisp.
+## Execute a domain transition to run prelude_audisp.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`prelude_domtrans_audisp',`
@@ -35,18 +33,17 @@ interface(`prelude_domtrans_audisp',`
type prelude_audisp_t, prelude_audisp_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t)
')
########################################
##
-## Send generic signals to prelude audisp.
+## Signal the prelude_audisp domain.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed acccess.
+##
##
#
interface(`prelude_signal_audisp',`
@@ -59,7 +56,7 @@ interface(`prelude_signal_audisp',`
########################################
##
-## Read prelude spool files.
+## Read the prelude spool files
##
##
##
@@ -78,13 +75,12 @@ interface(`prelude_read_spool',`
########################################
##
-## Create, read, write, and delete
-## prelude manager spool files.
+## Manage to prelude-manager spool files.
##
##
-##
+##
## Domain allowed access.
-##
+##
##
#
interface(`prelude_manage_spool',`
@@ -99,8 +95,8 @@ interface(`prelude_manage_spool',`
########################################
##
-## All of the rules required to
-## administrate an prelude environment.
+## All of the rules required to administrate
+## an prelude environment
##
##
##
@@ -116,32 +112,42 @@ interface(`prelude_manage_spool',`
#
interface(`prelude_admin',`
gen_require(`
- type prelude_t, prelude_spool_t, prelude_lml_var_run_t;
- type prelude_var_run_t, prelude_var_lib_t, prelude_log_t;
- type prelude_audisp_t, prelude_audisp_var_run_t;
- type prelude_initrc_exec_t, prelude_lml_t, prelude_lml_tmp_t;
+ type prelude_t, prelude_spool_t, prelude_initrc_exec_t;
+ type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t;
+ type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t;
+ type prelude_lml_t;
')
- allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t })
+ allow $1 prelude_t:process signal_perms;
+ ps_process_pattern($1, prelude_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 prelude_t:process ptrace;
+ allow $1 prelude_audisp_t:process ptrace;
+ allow $1 prelude_lml_t:process ptrace;
+ ')
+
+ allow $1 prelude_audisp_t:process signal_perms;
+ ps_process_pattern($1, prelude_audisp_t)
+
+ allow $1 prelude_lml_t:process signal_perms;
+ ps_process_pattern($1, prelude_lml_t)
init_labeled_script_domtrans($1, prelude_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 prelude_initrc_exec_t system_r;
allow $2 system_r;
- files_search_spool($1)
+ files_list_spool($1)
admin_pattern($1, prelude_spool_t)
- logging_search_logs($1)
- admin_pattern($1, prelude_log_t)
-
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, prelude_var_lib_t)
- files_search_pids($1)
- admin_pattern($1, { prelude_audisp_var_run_t prelude_var_run_t prelude_lml_var_run_t })
+ files_list_pids($1)
+ admin_pattern($1, prelude_var_run_t)
+ admin_pattern($1, prelude_audisp_var_run_t)
+ admin_pattern($1, prelude_lml_var_run_t)
- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, prelude_lml_tmp_t)
')
diff --git a/prelude.te b/prelude.te
index 8f4460928..dd7065356 100644
--- a/prelude.te
+++ b/prelude.te
@@ -13,7 +13,7 @@ type prelude_initrc_exec_t;
init_script_file(prelude_initrc_exec_t)
type prelude_spool_t;
-files_type(prelude_spool_t)
+files_spool_file(prelude_spool_t)
type prelude_log_t;
logging_log_file(prelude_log_t)
@@ -54,7 +54,7 @@ files_pid_file(prelude_lml_var_run_t)
# Prelude local policy
#
-allow prelude_t self:capability { dac_override sys_tty_config };
+allow prelude_t self:capability { dac_read_search dac_override sys_tty_config };
allow prelude_t self:fifo_file rw_fifo_file_perms;
allow prelude_t self:unix_stream_socket { accept listen };
allow prelude_t self:tcp_socket { accept listen };
@@ -81,7 +81,6 @@ kernel_read_sysctl(prelude_t)
corecmd_search_bin(prelude_t)
-corenet_all_recvfrom_unlabeled(prelude_t)
corenet_all_recvfrom_netlabel(prelude_t)
corenet_tcp_sendrecv_generic_if(prelude_t)
corenet_tcp_sendrecv_generic_node(prelude_t)
@@ -97,7 +96,6 @@ dev_read_rand(prelude_t)
dev_read_urand(prelude_t)
files_read_etc_runtime_files(prelude_t)
-files_read_usr_files(prelude_t)
files_search_spool(prelude_t)
files_search_tmp(prelude_t)
@@ -108,8 +106,6 @@ auth_use_nsswitch(prelude_t)
logging_send_audit_msgs(prelude_t)
logging_send_syslog_msg(prelude_t)
-miscfiles_read_localization(prelude_t)
-
optional_policy(`
mysql_stream_connect(prelude_t)
mysql_tcp_connect(prelude_t)
@@ -125,7 +121,7 @@ optional_policy(`
# Audisp local policy
#
-allow prelude_audisp_t self:capability { dac_override ipc_lock setpcap };
+allow prelude_audisp_t self:capability { dac_read_search dac_override ipc_lock setpcap };
allow prelude_audisp_t self:process { getcap setcap };
allow prelude_audisp_t self:fifo_file rw_fifo_file_perms;
allow prelude_audisp_t self:unix_stream_socket { accept listen };
@@ -141,7 +137,6 @@ kernel_read_system_state(prelude_audisp_t)
corecmd_search_bin(prelude_audisp_t)
-corenet_all_recvfrom_unlabeled(prelude_audisp_t)
corenet_all_recvfrom_netlabel(prelude_audisp_t)
corenet_tcp_sendrecv_generic_if(prelude_audisp_t)
corenet_tcp_sendrecv_generic_node(prelude_audisp_t)
@@ -155,15 +150,12 @@ dev_read_urand(prelude_audisp_t)
domain_use_interactive_fds(prelude_audisp_t)
-files_read_etc_files(prelude_audisp_t)
files_read_etc_runtime_files(prelude_audisp_t)
files_search_spool(prelude_audisp_t)
files_search_tmp(prelude_audisp_t)
logging_send_syslog_msg(prelude_audisp_t)
-miscfiles_read_localization(prelude_audisp_t)
-
sysnet_dns_name_resolve(prelude_audisp_t)
########################################
@@ -171,7 +163,7 @@ sysnet_dns_name_resolve(prelude_audisp_t)
# Correlator local policy
#
-allow prelude_correlator_t self:capability dac_override;
+allow prelude_correlator_t self:capability { dac_read_search dac_override };
allow prelude_correlator_t self:tcp_socket { accept listen };
manage_dirs_pattern(prelude_correlator_t, prelude_spool_t, prelude_spool_t)
@@ -184,7 +176,6 @@ kernel_read_sysctl(prelude_correlator_t)
corecmd_search_bin(prelude_correlator_t)
-corenet_all_recvfrom_unlabeled(prelude_correlator_t)
corenet_all_recvfrom_netlabel(prelude_correlator_t)
corenet_tcp_sendrecv_generic_if(prelude_correlator_t)
corenet_tcp_sendrecv_generic_node(prelude_correlator_t)
@@ -196,14 +187,10 @@ corenet_tcp_sendrecv_prelude_port(prelude_correlator_t)
dev_read_rand(prelude_correlator_t)
dev_read_urand(prelude_correlator_t)
-files_read_etc_files(prelude_correlator_t)
-files_read_usr_files(prelude_correlator_t)
files_search_spool(prelude_correlator_t)
logging_send_syslog_msg(prelude_correlator_t)
-miscfiles_read_localization(prelude_correlator_t)
-
sysnet_dns_name_resolve(prelude_correlator_t)
########################################
@@ -211,7 +198,9 @@ sysnet_dns_name_resolve(prelude_correlator_t)
# Lml local declarations
#
-allow prelude_lml_t self:capability dac_override;
+allow prelude_lml_t self:capability { dac_read_search dac_override };
+allow prelude_lml_t self:tcp_socket { setopt create_socket_perms };
+allow prelude_lml_t self:unix_dgram_socket create_socket_perms;
allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
allow prelude_lml_t self:unix_stream_socket connectto;
@@ -262,8 +251,6 @@ libs_read_lib_files(prelude_lml_t)
logging_send_syslog_msg(prelude_lml_t)
logging_read_generic_logs(prelude_lml_t)
-miscfiles_read_localization(prelude_lml_t)
-
userdom_read_all_users_state(prelude_lml_t)
optional_policy(`
@@ -278,27 +265,28 @@ optional_policy(`
optional_policy(`
apache_content_template(prewikka)
+ apache_content_alias_template(prewikka, prewikka)
- can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
+ can_exec(prewikka_script_t, prewikka_script_exec_t)
- files_search_tmp(httpd_prewikka_script_t)
+ files_search_tmp(prewikka_script_t)
- kernel_read_sysctl(httpd_prewikka_script_t)
- kernel_search_network_sysctl(httpd_prewikka_script_t)
+ kernel_read_sysctl(prewikka_script_t)
+ kernel_search_network_sysctl(prewikka_script_t)
- auth_use_nsswitch(httpd_prewikka_script_t)
+ auth_use_nsswitch(prewikka_script_t)
- logging_send_syslog_msg(httpd_prewikka_script_t)
+ logging_send_syslog_msg(prewikka_script_t)
- apache_search_sys_content(httpd_prewikka_script_t)
+ apache_search_sys_content(prewikka_script_t)
optional_policy(`
- mysql_stream_connect(httpd_prewikka_script_t)
- mysql_tcp_connect(httpd_prewikka_script_t)
+ mysql_stream_connect(prewikka_script_t)
+ mysql_tcp_connect(prewikka_script_t)
')
optional_policy(`
- postgresql_stream_connect(httpd_prewikka_script_t)
- postgresql_tcp_connect(httpd_prewikka_script_t)
+ postgresql_stream_connect(prewikka_script_t)
+ postgresql_tcp_connect(prewikka_script_t)
')
')
diff --git a/privoxy.if b/privoxy.if
index bdcee30f5..34f314344 100644
--- a/privoxy.if
+++ b/privoxy.if
@@ -23,8 +23,11 @@ interface(`privoxy_admin',`
type privoxy_etc_rw_t, privoxy_var_run_t;
')
- allow $1 privoxy_t:process { ptrace signal_perms };
+ allow $1 privoxy_t:process signal_perms;
ps_process_pattern($1, privoxy_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 privoxy_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/privoxy.te b/privoxy.te
index ec21f80d7..a9f650a1f 100644
--- a/privoxy.te
+++ b/privoxy.te
@@ -85,6 +85,7 @@ corenet_sendrecv_tor_client_packets(privoxy_t)
corenet_tcp_connect_tor_port(privoxy_t)
corenet_tcp_sendrecv_tor_port(privoxy_t)
+
dev_read_sysfs(privoxy_t)
domain_use_interactive_fds(privoxy_t)
@@ -96,8 +97,6 @@ auth_use_nsswitch(privoxy_t)
logging_send_syslog_msg(privoxy_t)
-miscfiles_read_localization(privoxy_t)
-
userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
userdom_dontaudit_search_user_home_dirs(privoxy_t)
diff --git a/procmail.fc b/procmail.fc
index bdff6c931..4b36a13de 100644
--- a/procmail.fc
+++ b/procmail.fc
@@ -1,6 +1,7 @@
-HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0)
+HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
+/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
-/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
-/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
+/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
+/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
diff --git a/procmail.if b/procmail.if
index 00edeab17..cb6c0edbf 100644
--- a/procmail.if
+++ b/procmail.if
@@ -1,4 +1,4 @@
-## Procmail mail delivery agent.
+## Procmail mail delivery agent
########################################
##
@@ -15,8 +15,11 @@ interface(`procmail_domtrans',`
type procmail_exec_t, procmail_t;
')
+ files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, procmail_exec_t, procmail_t)
+
+ allow $1 procmail_exec_t:file map;
')
########################################
@@ -34,101 +37,33 @@ interface(`procmail_exec',`
type procmail_exec_t;
')
+ files_search_usr($1)
corecmd_search_bin($1)
can_exec($1, procmail_exec_t)
')
########################################
##
-## Create, read, write, and delete
-## procmail home files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`procmail_manage_home_files',`
- gen_require(`
- type procmail_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 procmail_home_t:file manage_file_perms;
-')
-
-########################################
-##
-## Read procmail user home content files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`procmail_read_home_files',`
- gen_require(`
- type procmail_home_t;
-
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 procmail_home_t:file read_file_perms;
-')
-
-########################################
-##
-## Relabel procmail home files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`procmail_relabel_home_files',`
- gen_require(`
- type ppp_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 procmail_home_t:file relabel_file_perms;
-')
-
-########################################
-##
-## Create objects in user home
-## directories with the procmail home type.
+## Read procmail tmp files.
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
#
-interface(`procmail_home_filetrans_procmail_home',`
+interface(`procmail_read_tmp_files',`
gen_require(`
- type procmail_home_t;
+ type procmail_tmp_t;
')
- userdom_user_home_dir_filetrans($1, procmail_home_t, $2, $3)
+ files_search_tmp($1)
+ allow $1 procmail_tmp_t:file read_file_perms;
')
########################################
##
-## Read procmail tmp files.
+## Read/write procmail tmp files.
##
##
##
@@ -136,18 +71,18 @@ interface(`procmail_home_filetrans_procmail_home',`
##
##
#
-interface(`procmail_read_tmp_files',`
+interface(`procmail_rw_tmp_files',`
gen_require(`
type procmail_tmp_t;
')
files_search_tmp($1)
- allow $1 procmail_tmp_t:file read_file_perms;
+ rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
')
########################################
##
-## Read and write procmail tmp files.
+## Read procmail home directory content
##
##
##
@@ -155,11 +90,11 @@ interface(`procmail_read_tmp_files',`
##
##
#
-interface(`procmail_rw_tmp_files',`
+interface(`procmail_read_home_files',`
gen_require(`
- type procmail_tmp_t;
+ type procmail_home_t;
')
- files_search_tmp($1)
- rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
')
diff --git a/procmail.te b/procmail.te
index cc426e62a..91a1f537e 100644
--- a/procmail.te
+++ b/procmail.te
@@ -14,7 +14,7 @@ type procmail_home_t;
userdom_user_home_content(procmail_home_t)
type procmail_log_t;
-logging_log_file(procmail_log_t)
+logging_log_file(procmail_log_t)
type procmail_tmp_t;
files_tmp_file(procmail_tmp_t)
@@ -24,13 +24,17 @@ files_tmp_file(procmail_tmp_t)
# Local policy
#
-allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override };
+allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_read_search dac_override };
allow procmail_t self:process { setsched signal signull };
allow procmail_t self:fifo_file rw_fifo_file_perms;
-allow procmail_t self:tcp_socket { accept listen };
+allow procmail_t self:unix_stream_socket create_socket_perms;
+allow procmail_t self:unix_dgram_socket create_socket_perms;
+allow procmail_t self:tcp_socket create_stream_socket_perms;
+allow procmail_t self:udp_socket create_socket_perms;
-allow procmail_t procmail_home_t:file read_file_perms;
+can_exec(procmail_t, procmail_exec_t)
+# Write log to /var/log/procmail.log or /var/log/procmail/.*
allow procmail_t procmail_log_t:dir setattr_dir_perms;
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
@@ -40,83 +44,98 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
allow procmail_t procmail_tmp_t:file manage_file_perms;
files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
-can_exec(procmail_t, procmail_exec_t)
-
+kernel_read_network_state(procmail_t)
kernel_read_system_state(procmail_t)
kernel_read_kernel_sysctls(procmail_t)
-corenet_all_recvfrom_unlabeled(procmail_t)
corenet_all_recvfrom_netlabel(procmail_t)
corenet_tcp_sendrecv_generic_if(procmail_t)
+corenet_udp_sendrecv_generic_if(procmail_t)
corenet_tcp_sendrecv_generic_node(procmail_t)
-
-corenet_sendrecv_spamd_client_packets(procmail_t)
+corenet_udp_sendrecv_generic_node(procmail_t)
+corenet_tcp_sendrecv_all_ports(procmail_t)
+corenet_udp_sendrecv_all_ports(procmail_t)
+corenet_udp_bind_generic_node(procmail_t)
corenet_tcp_connect_spamd_port(procmail_t)
-corenet_tcp_sendrecv_spamd_port(procmail_t)
-
+corenet_sendrecv_spamd_client_packets(procmail_t)
corenet_sendrecv_comsat_client_packets(procmail_t)
-corenet_tcp_connect_comsat_port(procmail_t)
-corenet_tcp_sendrecv_comsat_port(procmail_t)
-
-corecmd_exec_bin(procmail_t)
-corecmd_exec_shell(procmail_t)
+dev_read_rand(procmail_t)
dev_read_urand(procmail_t)
-fs_getattr_all_fs(procmail_t)
+fs_getattr_xattr_fs(procmail_t)
fs_search_auto_mountpoints(procmail_t)
fs_rw_anon_inodefs_files(procmail_t)
auth_use_nsswitch(procmail_t)
+corecmd_exec_bin(procmail_t)
+corecmd_exec_shell(procmail_t)
+
files_read_etc_runtime_files(procmail_t)
-files_read_usr_files(procmail_t)
+files_search_pids(procmail_t)
+# for spamassasin
-logging_send_syslog_msg(procmail_t)
+application_exec_all(procmail_t)
-miscfiles_read_localization(procmail_t)
+init_read_utmp(procmail_t)
+logging_send_syslog_msg(procmail_t)
+logging_append_all_logs(procmail_t)
+
+list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
+read_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
userdom_search_user_home_dirs(procmail_t)
+userdom_search_admin_dir(procmail_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(procmail_t)
- fs_manage_nfs_files(procmail_t)
- fs_manage_nfs_symlinks(procmail_t)
-')
+# only works until we define a different type for maildir
+userdom_manage_user_home_content_dirs(procmail_t)
+userdom_manage_user_home_content_files(procmail_t)
+userdom_manage_user_home_content_symlinks(procmail_t)
+userdom_manage_user_home_content_pipes(procmail_t)
+userdom_manage_user_home_content_sockets(procmail_t)
+userdom_filetrans_home_content(procmail_t)
+
+userdom_manage_user_tmp_dirs(procmail_t)
+userdom_manage_user_tmp_files(procmail_t)
+userdom_manage_user_tmp_symlinks(procmail_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(procmail_t)
- fs_manage_cifs_files(procmail_t)
- fs_manage_cifs_symlinks(procmail_t)
+# Execute user executables
+userdom_exec_user_bin_files(procmail_t)
+
+mta_manage_spool(procmail_t)
+mta_read_queue(procmail_t)
+
+ifdef(`hide_broken_symptoms',`
+ mta_dontaudit_rw_queue(procmail_t)
')
+userdom_home_manager(procmail_t)
+
optional_policy(`
- clamav_domtrans_clamscan(procmail_t)
- clamav_search_lib(procmail_t)
+ antivirus_domtrans(procmail_t)
+ antivirus_search_db(procmail_t)
')
optional_policy(`
- cyrus_stream_connect(procmail_t)
+ dovecot_stream_connect(procmail_t)
+ dovecot_read_config(procmail_t)
')
optional_policy(`
- mta_manage_spool(procmail_t)
- mta_read_config(procmail_t)
- mta_read_queue(procmail_t)
- mta_manage_mail_home_rw_content(procmail_t)
- mta_home_filetrans_mail_home_rw(procmail_t, dir, "Maildir")
- mta_home_filetrans_mail_home_rw(procmail_t, dir, ".maildir")
+ cyrus_stream_connect(procmail_t)
')
optional_policy(`
- munin_dontaudit_search_lib(procmail_t)
+ gnome_manage_data(procmail_t)
')
optional_policy(`
- nagios_search_spool(procmail_t)
+ munin_dontaudit_search_lib(procmail_t)
')
optional_policy(`
+ # for a bug in the postfix local program
postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
postfix_dontaudit_use_fds(procmail_t)
postfix_read_spool_files(procmail_t)
@@ -125,12 +144,19 @@ optional_policy(`
postfix_rw_inherited_master_pipes(procmail_t)
')
+optional_policy(`
+ nagios_search_spool(procmail_t)
+')
+
optional_policy(`
pyzor_domtrans(procmail_t)
pyzor_signal(procmail_t)
')
optional_policy(`
+ mta_read_config(procmail_t)
+ mta_mailserver_delivery(procmail_t)
+ mta_manage_home_rw(procmail_t)
sendmail_domtrans(procmail_t)
sendmail_signal(procmail_t)
sendmail_dontaudit_rw_tcp_sockets(procmail_t)
@@ -145,3 +171,8 @@ optional_policy(`
spamassassin_domtrans_client(procmail_t)
spamassassin_read_lib_files(procmail_t)
')
+
+optional_policy(`
+ zarafa_stream_connect_server(procmail_t)
+ zarafa_domtrans_deliver(procmail_t)
+')
diff --git a/prosody.fc b/prosody.fc
new file mode 100644
index 000000000..c056a2fb3
--- /dev/null
+++ b/prosody.fc
@@ -0,0 +1,10 @@
+/usr/bin/prosody -- gen_context(system_u:object_r:prosody_exec_t,s0)
+/usr/bin/prosodyctl -- gen_context(system_u:object_r:prosody_exec_t,s0)
+
+/usr/lib/systemd/system/prosody.service -- gen_context(system_u:object_r:prosody_unit_file_t,s0)
+
+/var/lib/prosody(/.*)? gen_context(system_u:object_r:prosody_var_lib_t,s0)
+
+/var/run/prosody(/.*)? gen_context(system_u:object_r:prosody_var_run_t,s0)
+
+/var/log/prosody(/.*)? gen_context(system_u:object_r:prosody_log_t,s0)
diff --git a/prosody.if b/prosody.if
new file mode 100644
index 000000000..8231f4ff5
--- /dev/null
+++ b/prosody.if
@@ -0,0 +1,255 @@
+
+## policy for prosody
+
+########################################
+##
+## Execute TEMPLATE in the prosody domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`prosody_domtrans',`
+ gen_require(`
+ type prosody_t, prosody_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, prosody_exec_t, prosody_t)
+')
+
+########################################
+##
+## Search prosody lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prosody_search_lib',`
+ gen_require(`
+ type prosody_var_lib_t;
+ ')
+
+ allow $1 prosody_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read prosody lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prosody_read_lib_files',`
+ gen_require(`
+ type prosody_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
+')
+
+########################################
+##
+## Manage prosody lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prosody_manage_lib_files',`
+ gen_require(`
+ type prosody_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
+')
+
+########################################
+##
+## Manage prosody lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prosody_manage_lib_dirs',`
+ gen_require(`
+ type prosody_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
+')
+
+########################################
+##
+## Read prosody PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prosody_read_pid_files',`
+ gen_require(`
+ type prosody_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, prosody_var_run_t, prosody_var_run_t)
+')
+
+########################################
+##
+## Execute prosody server in the prosody domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`prosody_systemctl',`
+ gen_require(`
+ type prosody_t;
+ type prosody_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 prosody_unit_file_t:file read_file_perms;
+ allow $1 prosody_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, prosody_t)
+')
+
+
+########################################
+##
+## Execute prosody in the prosody domain, and
+## allow the specified role the prosody domain.
+##
+##
+##
+## Domain allowed to transition
+##
+##
+##
+##
+## The role to be allowed the prosody domain.
+##
+##
+#
+interface(`prosody_run',`
+ gen_require(`
+ type prosody_t;
+ attribute_role prosody_roles;
+ ')
+
+ prosody_domtrans($1)
+ roleattribute $2 prosody_roles;
+')
+
+######################################
+##
+## Connect to prosody with a unix
+## domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prosody_stream_connect',`
+ gen_require(`
+ type prosody_t, prosody_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, prosody_var_run_t, prosody_var_run_t, prosody_t)
+')
+
+########################################
+##
+## Role access for prosody
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`prosody_role',`
+ gen_require(`
+ type prosody_t;
+ attribute_role prosody_roles;
+ ')
+
+ roleattribute $1 prosody_roles;
+
+ prosody_domtrans($2)
+
+ ps_process_pattern($2, prosody_t)
+ allow $2 prosody_t:process { signull signal sigkill };
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an prosody environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`prosody_admin',`
+ gen_require(`
+ type prosody_t;
+ type prosody_var_lib_t;
+ type prosody_var_run_t;
+ type prosody_unit_file_t;
+ ')
+
+ allow $1 prosody_t:process { ptrace signal_perms };
+ ps_process_pattern($1, prosody_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, prosody_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, prosody_var_run_t)
+
+ prosody_systemctl($1)
+ admin_pattern($1, prosody_unit_file_t)
+ allow $1 prosody_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/prosody.te b/prosody.te
new file mode 100644
index 000000000..5a9f1d42c
--- /dev/null
+++ b/prosody.te
@@ -0,0 +1,99 @@
+policy_module(prosody, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
+## Permit to prosody to bind apache port.
+## Need to be activated to use BOSH.
+##
+##
+gen_tunable(prosody_bind_http_port, false)
+
+type prosody_t;
+type prosody_exec_t;
+init_daemon_domain(prosody_t, prosody_exec_t)
+
+type prosody_log_t;
+logging_log_file(prosody_log_t)
+
+type prosody_var_lib_t;
+files_type(prosody_var_lib_t)
+
+type prosody_var_run_t;
+files_pid_file(prosody_var_run_t)
+
+type prosody_tmp_t;
+files_tmp_file(prosody_tmp_t)
+
+type prosody_unit_file_t;
+systemd_unit_file(prosody_unit_file_t)
+
+########################################
+#
+# prosody local policy
+#
+allow prosody_t self:capability { setuid setgid dac_read_search dac_override };
+allow prosody_t self:process { signal_perms execmem };
+allow prosody_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
+manage_files_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
+manage_lnk_files_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
+files_var_lib_filetrans(prosody_t, prosody_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
+manage_files_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
+manage_lnk_files_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
+files_pid_filetrans(prosody_t, prosody_var_run_t, { dir file lnk_file })
+
+manage_dirs_pattern(prosody_t, prosody_log_t, prosody_log_t)
+manage_files_pattern(prosody_t, prosody_log_t, prosody_log_t)
+setattr_files_pattern(prosody_t, prosody_log_t, prosody_log_t)
+logging_log_filetrans(prosody_t, prosody_log_t, { file dir })
+
+manage_dirs_pattern(prosody_t, prosody_tmp_t, prosody_tmp_t)
+manage_files_pattern(prosody_t, prosody_tmp_t, prosody_tmp_t)
+files_tmp_filetrans(prosody_t, prosody_tmp_t, { dir file })
+
+can_exec(prosody_t, prosody_exec_t)
+
+kernel_read_system_state(prosody_t)
+
+corecmd_exec_bin(prosody_t)
+corecmd_exec_shell(prosody_t)
+
+corenet_udp_bind_generic_node(prosody_t)
+corenet_tcp_connect_postgresql_port(prosody_t)
+corenet_tcp_connect_jabber_interserver_port(prosody_t)
+corenet_tcp_connect_jabber_client_port(prosody_t)
+corenet_tcp_bind_prosody_port(prosody_t)
+corenet_tcp_bind_jabber_client_port(prosody_t)
+corenet_tcp_bind_jabber_interserver_port(prosody_t)
+corenet_tcp_bind_jabber_router_port(prosody_t)
+corenet_tcp_bind_commplex_main_port(prosody_t)
+corenet_tcp_bind_fac_restore_port(prosody_t)
+
+tunable_policy(`prosody_bind_http_port',`
+ corenet_tcp_bind_http_port(prosody_t)
+')
+
+dev_read_urand(prosody_t)
+
+domain_use_interactive_fds(prosody_t)
+
+files_read_etc_files(prosody_t)
+
+auth_use_nsswitch(prosody_t)
+sysnet_read_config(prosody_t)
+
+logging_send_syslog_msg(prosody_t)
+
+miscfiles_read_localization(prosody_t)
+
+optional_policy(`
+ sasl_connect(prosody_t)
+')
diff --git a/psad.if b/psad.if
index d4dcf782c..3cce82e50 100644
--- a/psad.if
+++ b/psad.if
@@ -93,9 +93,8 @@ interface(`psad_manage_config',`
')
files_search_etc($1)
- allow $1 psad_etc_t:dir manage_dir_perms;
- allow $1 psad_etc_t:file manage_file_perms;
- allow $1 psad_etc_t:lnk_file manage_lnk_file_perms;
+ manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
+ manage_files_pattern($1, psad_etc_t, psad_etc_t)
')
########################################
@@ -119,7 +118,7 @@ interface(`psad_read_pid_files',`
########################################
##
-## Read and write psad pid files.
+## Read and write psad PID files.
##
##
##
@@ -177,6 +176,45 @@ interface(`psad_append_log',`
append_files_pattern($1, psad_var_log_t, psad_var_log_t)
')
+########################################
+##
+## Allow the specified domain to write to psad's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`psad_write_log',`
+ gen_require(`
+ type psad_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ write_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+#######################################
+##
+## Allow the specified domain to setattr to psad's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`psad_setattr_log',`
+ gen_require(`
+ type psad_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ setattr_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
########################################
##
## Read and write psad fifo files.
@@ -196,6 +234,45 @@ interface(`psad_rw_fifo_file',`
rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t)
')
+#######################################
+##
+## Allow setattr to psad fifo files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`psad_setattr_fifo_file',`
+ gen_require(`
+ type psad_t, psad_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 psad_var_lib_t:fifo_file setattr;
+ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
+')
+
+#######################################
+##
+## Allow search to psad lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`psad_search_lib_files',`
+ gen_require(`
+ type psad_t, psad_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
+')
+
#######################################
##
## Read and write psad temporary files.
@@ -235,30 +312,34 @@ interface(`psad_rw_tmp_files',`
interface(`psad_admin',`
gen_require(`
type psad_t, psad_var_run_t, psad_var_log_t;
- type psad_initrc_exec_t, psad_var_lib_t;
+ type psad_initrc_exec_t, psad_var_lib_t, psad_etc_t;
type psad_tmp_t;
')
- allow $1 psad_t:process { ptrace signal_perms };
+ allow $1 psad_t:process signal_perms;
ps_process_pattern($1, psad_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 psad_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, psad_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 psad_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, psad_etc_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, psad_var_run_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, psad_var_log_t)
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, psad_var_lib_t)
- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, psad_tmp_t)
')
diff --git a/psad.te b/psad.te
index b5d717b09..e716d9d2c 100644
--- a/psad.te
+++ b/psad.te
@@ -32,7 +32,7 @@ files_tmp_file(psad_tmp_t)
# Local policy
#
-allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
+allow psad_t self:capability { net_admin net_raw setuid setgid dac_read_search dac_override };
dontaudit psad_t self:capability sys_tty_config;
allow psad_t self:process signal_perms;
allow psad_t self:fifo_file rw_fifo_file_perms;
@@ -66,7 +66,6 @@ kernel_read_net_sysctls(psad_t)
corecmd_exec_bin(psad_t)
corecmd_exec_shell(psad_t)
-corenet_all_recvfrom_unlabeled(psad_t)
corenet_all_recvfrom_netlabel(psad_t)
corenet_tcp_sendrecv_generic_if(psad_t)
corenet_tcp_sendrecv_generic_node(psad_t)
@@ -77,8 +76,9 @@ corenet_tcp_sendrecv_whois_port(psad_t)
dev_read_urand(psad_t)
+domain_read_all_domains_state(psad_t)
+
files_read_etc_runtime_files(psad_t)
-files_read_usr_files(psad_t)
fs_getattr_all_fs(psad_t)
@@ -88,8 +88,6 @@ logging_read_generic_logs(psad_t)
logging_read_syslog_config(psad_t)
logging_send_syslog_msg(psad_t)
-miscfiles_read_localization(psad_t)
-
sysnet_exec_ifconfig(psad_t)
optional_policy(`
diff --git a/ptchown.te b/ptchown.te
index 28d2abc03..c2cfb5eaa 100644
--- a/ptchown.te
+++ b/ptchown.te
@@ -21,7 +21,6 @@ role ptchown_roles types ptchown_t;
allow ptchown_t self:capability { chown fowner fsetid setuid };
allow ptchown_t self:process { getcap setcap };
-files_read_etc_files(ptchown_t)
fs_rw_anon_inodefs_files(ptchown_t)
@@ -31,4 +30,4 @@ term_setattr_all_ptys(ptchown_t)
term_use_generic_ptys(ptchown_t)
term_use_ptmx(ptchown_t)
-miscfiles_read_localization(ptchown_t)
+auth_read_passwd(ptchown_t)
diff --git a/publicfile.te b/publicfile.te
index 3246befff..dd66a21cb 100644
--- a/publicfile.te
+++ b/publicfile.te
@@ -17,7 +17,7 @@ files_type(publicfile_content_t)
# Local policy
#
-allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };
+allow publicfile_t self:capability { dac_read_search dac_override setgid setuid sys_chroot };
allow publicfile_t publicfile_content_t:dir list_dir_perms;
allow publicfile_t publicfile_content_t:file read_file_perms;
diff --git a/pulseaudio.fc b/pulseaudio.fc
index 6864479a7..0e7d87513 100644
--- a/pulseaudio.fc
+++ b/pulseaudio.fc
@@ -1,9 +1,14 @@
HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
-HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
-/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
+/root/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+/root/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+/root/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+/root/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
-/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
-/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
+/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
diff --git a/pulseaudio.if b/pulseaudio.if
index 45843b55c..4d1adace5 100644
--- a/pulseaudio.if
+++ b/pulseaudio.if
@@ -2,43 +2,47 @@
########################################
##
-## Role access for pulseaudio.
+## Role access for pulseaudio
##
##
##
-## Role allowed access.
+## Role allowed access
##
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
#
interface(`pulseaudio_role',`
gen_require(`
- attribute pulseaudio_tmpfsfile;
- type pulseaudio_t, pulseaudio_home_t, pulseaudio_tmpfs_t;
- type pulseaudio_tmp_t;
+ attribute pulseaudio_tmpfsfile;
+ type pulseaudio_t, pulseaudio_exec_t, pulseaudio_tmpfs_t;
+ class dbus { acquire_svc send_msg };
')
- pulseaudio_run($2, $1)
+ role $1 types pulseaudio_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)
- allow $2 pulseaudio_t:process { ptrace signal_perms };
ps_process_pattern($2, pulseaudio_t)
- allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms };
- allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow pulseaudio_t $2:process { signal signull };
+ allow $2 pulseaudio_t:process { signal signull sigkill };
+ ps_process_pattern(pulseaudio_t, $2)
+
+ allow pulseaudio_t $2:unix_stream_socket connectto;
+ allow $2 pulseaudio_t:unix_stream_socket connectto;
allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms };
- allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };
- allow $2 pulseaudio_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ userdom_manage_tmp_role($1, pulseaudio_t)
- allow pulseaudio_t $2:unix_stream_socket connectto;
+ allow $2 pulseaudio_t:dbus send_msg;
+ allow pulseaudio_t $2:dbus { acquire_svc send_msg };
')
########################################
@@ -65,9 +69,8 @@ interface(`pulseaudio_domtrans',`
########################################
##
-## Execute pulseaudio in the pulseaudio
-## domain, and allow the specified role
-## the pulseaudio domain.
+## Execute pulseaudio in the pulseaudio domain, and
+## allow the specified role the pulseaudio domain.
##
##
##
@@ -82,16 +85,16 @@ interface(`pulseaudio_domtrans',`
#
interface(`pulseaudio_run',`
gen_require(`
- attribute_role pulseaudio_roles;
+ type pulseaudio_t;
')
pulseaudio_domtrans($1)
- roleattribute $2 pulseaudio_roles;
+ role $2 types pulseaudio_t;
')
########################################
##
-## Execute pulseaudio in the caller domain.
+## Execute a pulseaudio in the current domain.
##
##
##
@@ -104,13 +107,12 @@ interface(`pulseaudio_exec',`
type pulseaudio_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, pulseaudio_exec_t)
')
########################################
##
-## Do not audit attempts to execute pulseaudio.
+## Do not audit to execute a pulseaudio.
##
##
##
@@ -128,7 +130,7 @@ interface(`pulseaudio_dontaudit_exec',`
########################################
##
-## Send null signals to pulseaudio.
+## Send signull signal to pulseaudio
## processes.
##
##
@@ -147,8 +149,8 @@ interface(`pulseaudio_signull',`
#####################################
##
-## Connect to pulseaudio with a unix
-## domain stream socket.
+## Connect to pulseaudio over a unix domain
+## stream socket.
##
##
##
@@ -158,11 +160,15 @@ interface(`pulseaudio_signull',`
#
interface(`pulseaudio_stream_connect',`
gen_require(`
- type pulseaudio_t, pulseaudio_var_run_t, pulseaudio_tmp_t;
+ type pulseaudio_t, pulseaudio_var_run_t;
+ type pulseaudio_home_t;
')
files_search_pids($1)
- stream_connect_pattern($1, { pulseaudio_tmp_t pulseaudio_var_run_t }, { pulseaudio_tmp_t pulseaudio_var_run_t }, pulseaudio_t)
+ allow $1 pulseaudio_t:process signull;
+ allow pulseaudio_t $1:process signull;
+ stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
+ stream_connect_pattern($1, pulseaudio_home_t, pulseaudio_home_t, pulseaudio_t)
')
########################################
@@ -188,9 +194,9 @@ interface(`pulseaudio_dbus_chat',`
########################################
##
-## Set attributes of pulseaudio home directories.
+## Set the attributes of the pulseaudio homedir.
##
-##
+##
##
## Domain allowed access.
##
@@ -201,148 +207,190 @@ interface(`pulseaudio_setattr_home_dir',`
type pulseaudio_home_t;
')
- allow $1 pulseaudio_home_t:dir setattr_dir_perms;
+ allow $1 pulseaudio_home_t:dir setattr;
')
########################################
##
-## Read pulseaudio home content.
+## Read pulseaudio homedir files.
##
-##
+##
##
## Domain allowed access.
##
##
#
interface(`pulseaudio_read_home_files',`
- refpolicywarn(`$0($*) has been deprecated, use pulseaudio_read_home() instead.')
- pulseaudio_read_home($1)
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')
########################################
##
-## Read pulseaudio home content.
+## Read and write Pulse Audio files.
##
-##
+##
##
## Domain allowed access.
##
##
#
-interface(`pulseaudio_read_home',`
+interface(`pulseaudio_rw_home_files',`
gen_require(`
type pulseaudio_home_t;
')
+ rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
userdom_search_user_home_dirs($1)
- allow $1 pulseaudio_home_t:dir list_dir_perms;
- allow $1 pulseaudio_home_t:file read_file_perms;
- allow $1 pulseaudio_home_t:lnk_file read_lnk_file_perms;
')
########################################
##
-## Read and write Pulse Audio files.
+## Create, read, write, and delete pulseaudio
+## home directories.
##
-##
+##
##
## Domain allowed access.
##
##
#
-interface(`pulseaudio_rw_home_files',`
+interface(`pulseaudio_manage_home_dirs',`
gen_require(`
type pulseaudio_home_t;
')
userdom_search_user_home_dirs($1)
- rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
- read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ manage_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')
########################################
##
-## Create, read, write, and delete
-## pulseaudio home content.
+## Create, read, write, and delete pulseaudio
+## home directory files.
##
-##
+##
##
## Domain allowed access.
##
##
#
interface(`pulseaudio_manage_home_files',`
- refpolicywarn(`$0($*) has been deprecated, use pulseaudio_manage_home() instead.')
- pulseaudio_manage_home($1)
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ pulseaudio_filetrans_home_content($1)
')
########################################
##
-## Create, read, write, and delete
-## pulseaudio home content.
+## Create, read, write, and delete pulseaudio
+## home directory symlinks.
##
-##
+##
##
## Domain allowed access.
##
##
#
-interface(`pulseaudio_manage_home',`
+interface(`pulseaudio_manage_home_symlinks',`
gen_require(`
type pulseaudio_home_t;
')
userdom_search_user_home_dirs($1)
- allow $1 pulseaudio_home_t:dir manage_dir_perms;
- allow $1 pulseaudio_home_t:file manage_file_perms;
- allow $1 pulseaudio_home_t:lnk_file manage_lnk_file_perms;
+ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')
########################################
##
-## Create objects in user home
-## directories with the pulseaudio
-## home type.
+## Create pulseaudio content in the user home directory
+## with an correct label.
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Class of the object being created.
-##
-##
-##
+#
+interface(`pulseaudio_filetrans_home_content',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
+ optional_policy(`
+ gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")
+ ')
+')
+
+########################################
+##
+## Create pulseaudio content in the admin home directory
+## with an correct label.
+##
+##
##
-## The name of the object being created.
+## Domain allowed access.
##
##
#
-interface(`pulseaudio_home_filetrans_pulseaudio_home',`
+interface(`pulseaudio_filetrans_admin_home_content',`
gen_require(`
type pulseaudio_home_t;
')
- userdom_user_home_dir_filetrans($1, pulseaudio_home_t, $2, $3)
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
')
-########################################
+#######################################
##
-## Make the specified tmpfs file type
-## pulseaudio tmpfs content.
+## Make the specified tmpfs file type
+## pulseaudio tmpfs content.
##
##
+##
+## File type to make pulseaudio tmpfs content.
+##
+##
+#
+interface(`pulseaudio_tmpfs_content',`
+ gen_require(`
+ attribute pulseaudio_tmpfsfile;
+ ')
+
+ typeattribute $1 pulseaudio_tmpfsfile;
+')
+
+########################################
+##
+## Allow the domain to read pulseaudio state files in /proc.
+##
+##
##
-## File type to make pulseaudio tmpfs content.
+## Domain allowed access.
##
##
#
-interface(`pulseaudio_tmpfs_content',`
+interface(`pulseaudio_read_state',`
gen_require(`
- attribute pulseaudio_tmpfsfile;
+ type pulseaudio_t;
')
- typeattribute $1 pulseaudio_tmpfsfile;
+ kernel_search_proc($1)
+ ps_process_pattern($1, pulseaudio_t)
')
diff --git a/pulseaudio.te b/pulseaudio.te
index 6643b49c2..6c374240b 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -8,61 +8,51 @@ policy_module(pulseaudio, 1.6.0)
attribute pulseaudio_client;
attribute pulseaudio_tmpfsfile;
-attribute_role pulseaudio_roles;
-
type pulseaudio_t;
type pulseaudio_exec_t;
# init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t)
-role pulseaudio_roles types pulseaudio_t;
+role system_r types pulseaudio_t;
type pulseaudio_home_t;
userdom_user_home_content(pulseaudio_home_t)
-type pulseaudio_tmp_t;
-userdom_user_tmp_file(pulseaudio_tmp_t)
-
type pulseaudio_tmpfs_t;
userdom_user_tmpfs_file(pulseaudio_tmpfs_t)
type pulseaudio_var_lib_t;
files_type(pulseaudio_var_lib_t)
+ubac_constrained(pulseaudio_var_lib_t)
type pulseaudio_var_run_t;
files_pid_file(pulseaudio_var_run_t)
+ubac_constrained(pulseaudio_var_run_t)
########################################
#
-# Local policy
+# pulseaudio local policy
#
allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
-allow pulseaudio_t self:fifo_file rw_fifo_file_perms;
-allow pulseaudio_t self:unix_stream_socket { accept connectto listen };
-allow pulseaudio_t self:unix_dgram_socket sendto;
-allow pulseaudio_t self:tcp_socket { accept listen };
+allow pulseaudio_t self:fifo_file rw_file_perms;
+allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
+allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
+allow pulseaudio_t self:udp_socket create_socket_perms;
allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms;
-allow pulseaudio_t pulseaudio_home_t:file manage_file_perms;
-allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms;
-
-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse")
-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".esd_auth")
-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".pulse-cookie")
-
-manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
-manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
-manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
-files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native")
+manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+manage_lnk_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+userdom_search_user_home_dirs(pulseaudio_t)
+pulseaudio_filetrans_home_content(pulseaudio_t)
+allow pulseaudio_t pulseaudio_home_t:file map;
-manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
-manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
-fs_tmpfs_filetrans(pulseaudio_t, pulseaudio_tmpfs_t, { dir file })
+# ~/.esd_auth - maybe we should label this pulseaudio_home_t?
+userdom_read_user_home_content_files(pulseaudio_t)
+userdom_search_admin_dir(pulseaudio_t)
+userdom_map_tmp_files(pulseaudio_t)
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
@@ -72,10 +62,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
-files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
-
-allow pulseaudio_t pulseaudio_client:process signull;
-ps_process_pattern(pulseaudio_t, pulseaudio_client)
+files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { file dir })
can_exec(pulseaudio_t, pulseaudio_exec_t)
@@ -85,62 +72,58 @@ kernel_read_kernel_sysctls(pulseaudio_t)
corecmd_exec_bin(pulseaudio_t)
-corenet_all_recvfrom_unlabeled(pulseaudio_t)
corenet_all_recvfrom_netlabel(pulseaudio_t)
-corenet_tcp_sendrecv_generic_if(pulseaudio_t)
-corenet_udp_sendrecv_generic_if(pulseaudio_t)
-corenet_tcp_sendrecv_generic_node(pulseaudio_t)
-corenet_udp_sendrecv_generic_node(pulseaudio_t)
-
-corenet_sendrecv_pulseaudio_server_packets(pulseaudio_t)
corenet_tcp_bind_pulseaudio_port(pulseaudio_t)
-corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_t)
-
-corenet_sendrecv_soundd_server_packets(pulseaudio_t)
corenet_tcp_bind_soundd_port(pulseaudio_t)
-corenet_tcp_sendrecv_soundd_port(pulseaudio_t)
-
-corenet_sendrecv_sap_server_packets(pulseaudio_t)
+corenet_tcp_sendrecv_generic_if(pulseaudio_t)
+corenet_tcp_sendrecv_generic_node(pulseaudio_t)
corenet_udp_bind_sap_port(pulseaudio_t)
-corenet_udp_sendrecv_sap_port(pulseaudio_t)
+corenet_udp_sendrecv_generic_if(pulseaudio_t)
+corenet_udp_sendrecv_generic_node(pulseaudio_t)
+corenet_dontaudit_tcp_connect_xserver_port(pulseaudio_t)
dev_read_sound(pulseaudio_t)
dev_write_sound(pulseaudio_t)
dev_read_sysfs(pulseaudio_t)
dev_read_urand(pulseaudio_t)
-files_read_usr_files(pulseaudio_t)
+fs_rw_anon_inodefs_files(pulseaudio_t)
fs_getattr_tmpfs(pulseaudio_t)
-fs_getattr_all_fs(pulseaudio_t)
fs_list_inotifyfs(pulseaudio_t)
-fs_rw_anon_inodefs_files(pulseaudio_t)
-fs_search_auto_mountpoints(pulseaudio_t)
-term_use_all_ttys(pulseaudio_t)
-term_use_all_ptys(pulseaudio_t)
+term_use_all_inherited_ttys(pulseaudio_t)
+term_use_all_inherited_ptys(pulseaudio_t)
auth_use_nsswitch(pulseaudio_t)
logging_send_syslog_msg(pulseaudio_t)
-miscfiles_read_localization(pulseaudio_t)
-
-userdom_read_user_tmpfs_files(pulseaudio_t)
+userdom_read_user_tmp_files(pulseaudio_t)
userdom_search_user_home_dirs(pulseaudio_t)
userdom_write_user_tmp_sockets(pulseaudio_t)
+userdom_manage_user_tmp_files(pulseaudio_t)
+userdom_execute_user_tmp_files(pulseaudio_t)
tunable_policy(`use_nfs_home_dirs',`
+ fs_mount_nfs(pulseaudio_t)
+ fs_mounton_nfs(pulseaudio_t)
fs_manage_nfs_dirs(pulseaudio_t)
fs_manage_nfs_files(pulseaudio_t)
fs_manage_nfs_symlinks(pulseaudio_t)
+ fs_manage_nfs_named_sockets(pulseaudio_t)
+ fs_manage_nfs_named_pipes(pulseaudio_t)
')
tunable_policy(`use_samba_home_dirs',`
+ fs_mount_cifs(pulseaudio_t)
+ fs_mounton_cifs(pulseaudio_t)
fs_manage_cifs_dirs(pulseaudio_t)
fs_manage_cifs_files(pulseaudio_t)
fs_manage_cifs_symlinks(pulseaudio_t)
+ fs_manage_cifs_named_sockets(pulseaudio_t)
+ fs_manage_cifs_named_pipes(pulseaudio_t)
')
optional_policy(`
@@ -153,8 +136,9 @@ optional_policy(`
optional_policy(`
dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
- dbus_all_session_bus_client(pulseaudio_t)
- dbus_connect_all_session_bus(pulseaudio_t)
+ dbus_system_bus_client(pulseaudio_t)
+ dbus_session_bus_client(pulseaudio_t)
+ dbus_connect_session_bus(pulseaudio_t)
optional_policy(`
consolekit_dbus_chat(pulseaudio_t)
@@ -173,16 +157,33 @@ optional_policy(`
')
')
+optional_policy(`
+ gnome_read_gkeyringd_state(pulseaudio_t)
+ gnome_signull_gkeyringd(pulseaudio_t)
+ gnome_manage_gstreamer_home_files(pulseaudio_t)
+ gnome_exec_gstreamer_home_files(pulseaudio_t)
+')
+
optional_policy(`
rtkit_scheduled(pulseaudio_t)
')
+optional_policy(`
+ mozilla_plugin_delete_tmpfs_files(pulseaudio_t)
+ mozilla_plugin_read_tmpfs_files(pulseaudio_t)
+')
+
optional_policy(`
policykit_domtrans_auth(pulseaudio_t)
policykit_read_lib(pulseaudio_t)
policykit_read_reload(pulseaudio_t)
')
+optional_policy(`
+ systemd_read_logind_sessions_files(pulseaudio_t)
+ systemd_login_read_pid_files(pulseaudio_t)
+')
+
optional_policy(`
udev_read_state(pulseaudio_t)
udev_read_db(pulseaudio_t)
@@ -190,13 +191,16 @@ optional_policy(`
optional_policy(`
xserver_stream_connect(pulseaudio_t)
- xserver_manage_xdm_tmp_files(pulseaudio_t)
xserver_read_xdm_lib_files(pulseaudio_t)
xserver_read_xdm_pid(pulseaudio_t)
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
-########################################
+optional_policy(`
+ virt_manage_tmpfs_files(pulseaudio_t)
+')
+
+#######################################
#
# Client local policy
#
@@ -210,8 +214,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
fs_getattr_tmpfs(pulseaudio_client)
-corenet_all_recvfrom_unlabeled(pulseaudio_client)
-corenet_all_recvfrom_netlabel(pulseaudio_client)
corenet_tcp_sendrecv_generic_if(pulseaudio_client)
corenet_tcp_sendrecv_generic_node(pulseaudio_client)
@@ -220,38 +222,33 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client)
pulseaudio_stream_connect(pulseaudio_client)
-pulseaudio_manage_home(pulseaudio_client)
-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, dir, ".pulse")
-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth")
-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie")
+pulseaudio_manage_home_files(pulseaudio_client)
pulseaudio_signull(pulseaudio_client)
-# TODO: ~/.cache
userdom_manage_user_home_content_files(pulseaudio_client)
-userdom_read_user_tmpfs_files(pulseaudio_client)
-# userdom_delete_user_tmpfs_files(pulseaudio_client)
+userdom_read_user_tmp_files(pulseaudio_client)
tunable_policy(`use_nfs_home_dirs',`
- fs_getattr_nfs(pulseaudio_client)
- fs_manage_nfs_dirs(pulseaudio_client)
- fs_manage_nfs_files(pulseaudio_client)
- fs_read_nfs_symlinks(pulseaudio_client)
+ fs_getattr_nfs(pulseaudio_client)
+ fs_manage_nfs_dirs(pulseaudio_client)
+ fs_manage_nfs_files(pulseaudio_client)
+ fs_read_nfs_symlinks(pulseaudio_client)
')
tunable_policy(`use_samba_home_dirs',`
- fs_getattr_cifs(pulseaudio_client)
- fs_manage_cifs_dirs(pulseaudio_client)
- fs_manage_cifs_files(pulseaudio_client)
- fs_read_cifs_symlinks(pulseaudio_client)
+ fs_getattr_cifs(pulseaudio_client)
+ fs_manage_cifs_dirs(pulseaudio_client)
+ fs_manage_cifs_files(pulseaudio_client)
+ fs_read_cifs_symlinks(pulseaudio_client)
')
optional_policy(`
- pulseaudio_dbus_chat(pulseaudio_client)
+ pulseaudio_dbus_chat(pulseaudio_client)
')
optional_policy(`
- rtkit_scheduled(pulseaudio_client)
+ rtkit_scheduled(pulseaudio_client)
')
optional_policy(`
diff --git a/puppet.fc b/puppet.fc
index d68e26d1f..3b08cfd9d 100644
--- a/puppet.fc
+++ b/puppet.fc
@@ -1,18 +1,23 @@
-/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
+/etc/puppetlabs(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
-/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppetagent_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
-/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
-/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+#helper scripts
+/usr/bin/start-puppet-agent -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/bin/start-puppet-master -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+/usr/bin/start-puppet-ca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
-/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/bin/puppet -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/bin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
-/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
+/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/sbin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
-/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
-
-/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
+/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
+/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
+/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
diff --git a/puppet.if b/puppet.if
index 7cb8b1f9c..173bc5b0e 100644
--- a/puppet.if
+++ b/puppet.if
@@ -1,4 +1,52 @@
-## Configuration management system.
+## Puppet client daemon
+##
+##
+## Puppet is a configuration management system written in Ruby.
+## The client daemon is responsible for periodically requesting the
+## desired system state from the server and ensuring the state of
+## the client system matches.
+##
+##
+
+########################################
+##
+## Execute puppet_master in the puppet_master
+## domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`puppet_domtrans_master',`
+ gen_require(`
+ type puppetmaster_t, puppetmaster_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, puppetmaster_exec_t, puppetmaster_t)
+')
+
+########################################
+##
+## Execute puppet in the puppet
+## domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`puppet_domtrans',`
+ gen_require(`
+ type puppet_t, puppet_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, puppet_exec_t, puppet_t)
+')
########################################
##
@@ -22,7 +70,7 @@ interface(`puppet_domtrans_puppetca',`
#####################################
##
-## Execute puppetca in the puppetca
+## Execute puppet in the puppet
## domain and allow the specified
## role the puppetca domain.
##
@@ -38,39 +86,49 @@ interface(`puppet_domtrans_puppetca',`
##
##
#
-interface(`puppet_run_puppetca',`
+interface(`puppet_run',`
gen_require(`
- attribute_role puppetca_roles;
+ type puppet_t, puppet_exec_t;
')
- puppet_domtrans_puppetca($1)
- roleattribute $2 puppetca_roles;
+ puppet_domtrans($1)
+ role $2 types puppet_t;
')
-####################################
+#####################################
##
-## Read puppet configuration content.
+## Execute puppetca in the puppetca
+## domain and allow the specified
+## role the puppetca domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
+##
+##
+## Role allowed access.
+##
+##
+##
#
-interface(`puppet_read_config',`
+interface(`puppet_run_puppetca',`
gen_require(`
- type puppet_etc_t;
+ type puppetca_t, puppetca_exec_t;
')
- files_search_etc($1)
- allow $1 puppet_etc_t:dir list_dir_perms;
- allow $1 puppet_etc_t:file read_file_perms;
- allow $1 puppet_etc_t:lnk_file read_lnk_file_perms;
+ puppet_domtrans_puppetca($1)
+ role $2 types puppetca_t;
')
+
################################################
##
-## Read Puppet lib files.
+## Read / Write to Puppet temp files. Puppet uses
+## some system binaries (groupadd, etc) that run in
+## a non-puppet domain and redirects output into temp
+## files.
##
##
##
@@ -78,19 +136,18 @@ interface(`puppet_read_config',`
##
##
#
-interface(`puppet_read_lib_files',`
+interface(`puppet_rw_tmp', `
gen_require(`
- type puppet_var_lib_t;
+ type puppet_tmp_t;
')
- files_search_var_lib($1)
- read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
+ allow $1 puppet_tmp_t:file rw_inherited_file_perms;
+ files_search_tmp($1)
')
-###############################################
+################################################
##
-## Create, read, write, and delete
-## puppet lib files.
+## Read Puppet lib files.
##
##
##
@@ -98,138 +155,164 @@ interface(`puppet_read_lib_files',`
##
##
#
-interface(`puppet_manage_lib_files',`
+interface(`puppet_read_lib',`
gen_require(`
type puppet_var_lib_t;
')
+ read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
files_search_var_lib($1)
- manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
')
-#####################################
+###############################################
##
-## Append puppet log files.
+## Manage Puppet lib files.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
-interface(`puppet_append_log_files',`
- gen_require(`
- type puppet_log_t;
- ')
+interface(`puppet_manage_lib',`
+ gen_require(`
+ type puppet_var_lib_t;
+ ')
- logging_search_logs($1)
- append_files_pattern($1, puppet_log_t, puppet_log_t)
+ manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
+ files_search_var_lib($1)
')
-#####################################
+######################################
##
-## Create puppet log files.
+## Allow the specified domain to search puppet's log files.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
-interface(`puppet_create_log_files',`
- gen_require(`
- type puppet_log_t;
- ')
+interface(`puppet_search_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
- logging_search_logs($1)
- create_files_pattern($1, puppet_log_t, puppet_log_t)
+ logging_search_logs($1)
+ allow $1 puppet_log_t:dir search_dir_perms;
')
#####################################
##
-## Read puppet log files.
+## Allow the specified domain to read puppet's log files.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
-interface(`puppet_read_log_files',`
- gen_require(`
- type puppet_log_t;
- ')
+interface(`puppet_read_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
- logging_search_logs($1)
+ logging_search_logs($1)
read_files_pattern($1, puppet_log_t, puppet_log_t)
')
-################################################
+#####################################
##
-## Read and write to puppet tempoprary files.
+## Allow the specified domain to create puppet's log files.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
-interface(`puppet_rw_tmp', `
- gen_require(`
- type puppet_tmp_t;
- ')
+interface(`puppet_create_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
- files_search_tmp($1)
- allow $1 puppet_tmp_t:file rw_file_perms;
+ logging_search_logs($1)
+ create_files_pattern($1, puppet_log_t, puppet_log_t)
')
-########################################
+####################################
##
-## All of the rules required to
-## administrate an puppet environment.
+## Allow the specified domain to append puppet's log files.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
-##
-##
-## Role allowed access.
-##
-##
-##
#
-interface(`puppet_admin',`
- gen_require(`
- type puppet_initrc_exec_t, puppetmaster_initrc_exec_t, puppet_log_t;
- type puppet_var_lib_t, puppet_tmp_t, puppet_etc_t;
- type puppet_var_run_t, puppetmaster_tmp_t;
- type puppet_t, puppetca_t, puppetmaster_t;
- ')
+interface(`puppet_append_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
- allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
+ logging_search_logs($1)
+ append_files_pattern($1, puppet_log_t, puppet_log_t)
+')
- init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
- allow $2 system_r;
+####################################
+##
+## Allow the specified domain to manage puppet's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`puppet_manage_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
- files_search_etc($1)
- admin_pattern($1, puppet_etc_t)
+ logging_search_logs($1)
+ manage_files_pattern($1, puppet_log_t, puppet_log_t)
+')
- logging_search_logs($1)
- admin_pattern($1, puppet_log_t)
+####################################
+##
+## Allow the specified domain to read puppet's config files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`puppet_read_config',`
+ gen_require(`
+ type puppet_etc_t;
+ ')
- files_search_var_lib($1)
- admin_pattern($1, puppet_var_lib_t)
+ files_search_etc($1)
+ list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
+ read_files_pattern($1, puppet_etc_t, puppet_etc_t)
+')
+#####################################
+##
+## Allow the specified domain to search puppet's pid files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`puppet_search_pid',`
+ gen_require(`
+ type puppet_var_run_t;
+ ')
+
files_search_pids($1)
- admin_pattern($1, puppet_var_run_t)
-
- files_search_tmp($1)
- admin_pattern($1, { puppet_tmp_t puppetmaster_tmp_t })
-
- puppet_run_puppetca($1, $2)
+ allow $1 puppet_var_run_t:dir search_dir_perms;
')
diff --git a/puppet.te b/puppet.te
index 618dcfeed..6bd7543ae 100644
--- a/puppet.te
+++ b/puppet.te
@@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0)
#
##
-##
-## Determine whether puppet can
-## manage all non-security files.
-##
+##
+## Allow Puppet client to manage all file
+## types.
+##
##
-gen_tunable(puppet_manage_all_files, false)
+gen_tunable(puppetagent_manage_all_files, false)
-attribute_role puppetca_roles;
-roleattribute system_r puppetca_roles;
+##
+##
+## Allow Puppet master to use connect to MySQL and PostgreSQL database
+##
+##
+gen_tunable(puppetmaster_use_db, false)
-type puppet_t;
-type puppet_exec_t;
-init_daemon_domain(puppet_t, puppet_exec_t)
+type puppetagent_t;
+type puppetagent_exec_t;
+typealias puppetagent_exec_t alias puppet_exec_t;
+typealias puppetagent_t alias puppet_t;
+init_daemon_domain(puppetagent_t, puppetagent_exec_t)
type puppet_etc_t;
files_config_file(puppet_etc_t)
-type puppet_initrc_exec_t;
-init_script_file(puppet_initrc_exec_t)
+type puppetagent_initrc_exec_t;
+typealias puppetagent_initrc_exec_t alias puppet_initrc_exec_t;
+init_script_file(puppetagent_initrc_exec_t)
type puppet_log_t;
logging_log_file(puppet_log_t)
@@ -37,12 +44,11 @@ files_type(puppet_var_lib_t)
type puppet_var_run_t;
files_pid_file(puppet_var_run_t)
-init_daemon_run_dir(puppet_var_run_t, "puppet")
type puppetca_t;
type puppetca_exec_t;
application_domain(puppetca_t, puppetca_exec_t)
-role puppetca_roles types puppetca_t;
+role system_r types puppetca_t;
type puppetmaster_t;
type puppetmaster_exec_t;
@@ -56,161 +62,170 @@ files_tmp_file(puppetmaster_tmp_t)
########################################
#
-# Local policy
+# Puppet personal policy
#
-allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config };
-allow puppet_t self:process { signal signull getsched setsched };
-allow puppet_t self:fifo_file rw_fifo_file_perms;
-allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
-allow puppet_t self:tcp_socket { accept listen };
-allow puppet_t self:udp_socket create_socket_perms;
-
-allow puppet_t puppet_etc_t:dir list_dir_perms;
-allow puppet_t puppet_etc_t:file read_file_perms;
-allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms;
-
-manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
-manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
-can_exec(puppet_t, puppet_var_lib_t)
-
-setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
-manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
-files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
-
-allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms };
-append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-read_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
-
-manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
-manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
-files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
-
-kernel_dontaudit_search_sysctl(puppet_t)
-kernel_dontaudit_search_kernel_sysctl(puppet_t)
-kernel_read_crypto_sysctls(puppet_t)
-kernel_read_kernel_sysctls(puppet_t)
-kernel_read_net_sysctls(puppet_t)
-kernel_read_network_state(puppet_t)
-
-corecmd_exec_bin(puppet_t)
-corecmd_exec_shell(puppet_t)
-corecmd_read_all_executables(puppet_t)
-
-corenet_all_recvfrom_netlabel(puppet_t)
-corenet_all_recvfrom_unlabeled(puppet_t)
-corenet_tcp_sendrecv_generic_if(puppet_t)
-corenet_tcp_sendrecv_generic_node(puppet_t)
-
-corenet_sendrecv_puppet_client_packets(puppet_t)
-corenet_tcp_connect_puppet_port(puppet_t)
-corenet_tcp_sendrecv_puppet_port(puppet_t)
-
-dev_read_rand(puppet_t)
-dev_read_sysfs(puppet_t)
-dev_read_urand(puppet_t)
-
-domain_interactive_fd(puppet_t)
-domain_read_all_domains_state(puppet_t)
-
-files_manage_config_files(puppet_t)
-files_manage_config_dirs(puppet_t)
-files_manage_etc_dirs(puppet_t)
-files_manage_etc_files(puppet_t)
-files_read_usr_files(puppet_t)
-files_read_usr_symlinks(puppet_t)
-files_relabel_config_dirs(puppet_t)
-files_relabel_config_files(puppet_t)
-files_search_var_lib(puppet_t)
-
-selinux_get_fs_mount(puppet_t)
-selinux_search_fs(puppet_t)
-selinux_set_all_booleans(puppet_t)
-selinux_set_generic_booleans(puppet_t)
-selinux_validate_context(puppet_t)
-
-term_dontaudit_getattr_unallocated_ttys(puppet_t)
-term_dontaudit_getattr_all_ttys(puppet_t)
-
-init_all_labeled_script_domtrans(puppet_t)
-init_domtrans_script(puppet_t)
-init_read_utmp(puppet_t)
-init_signull_script(puppet_t)
-
-logging_send_syslog_msg(puppet_t)
-
-miscfiles_read_hwdata(puppet_t)
-miscfiles_read_localization(puppet_t)
-
-mount_domtrans(puppet_t)
-
-seutil_domtrans_setfiles(puppet_t)
-seutil_domtrans_semanage(puppet_t)
-
-sysnet_run_ifconfig(puppet_t, system_r)
-sysnet_use_ldap(puppet_t)
-
-tunable_policy(`puppet_manage_all_files',`
- files_manage_non_auth_files(puppet_t)
+allow puppetagent_t self:capability { fowner fsetid setuid setgid dac_read_search dac_override sys_nice sys_tty_config };
+allow puppetagent_t self:process { signal signull getsched setsched };
+allow puppetagent_t self:fifo_file rw_fifo_file_perms;
+allow puppetagent_t self:netlink_route_socket create_netlink_socket_perms;
+allow puppetagent_t self:tcp_socket create_stream_socket_perms;
+allow puppetagent_t self:udp_socket create_socket_perms;
+
+read_files_pattern(puppetagent_t, puppet_etc_t, puppet_etc_t)
+read_lnk_files_pattern(puppetagent_t, puppet_etc_t, puppet_etc_t)
+
+manage_dirs_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
+files_search_var_lib(puppetagent_t)
+
+manage_dirs_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t)
+files_pid_filetrans(puppetagent_t, puppet_var_run_t, { file dir })
+
+create_dirs_pattern(puppetagent_t, var_log_t, puppet_log_t)
+create_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t)
+append_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t)
+logging_log_filetrans(puppetagent_t, puppet_log_t, { file dir })
+
+manage_dirs_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t)
+manage_files_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t)
+files_tmp_filetrans(puppetagent_t, puppet_tmp_t, { file dir })
+
+kernel_dontaudit_search_sysctl(puppetagent_t)
+kernel_dontaudit_search_kernel_sysctl(puppetagent_t)
+kernel_read_system_state(puppetagent_t)
+kernel_read_crypto_sysctls(puppetagent_t)
+kernel_read_kernel_sysctls(puppetagent_t)
+
+corecmd_read_all_executables(puppetagent_t)
+corecmd_dontaudit_access_all_executables(puppetagent_t)
+corecmd_exec_bin(puppetagent_t)
+corecmd_exec_shell(puppetagent_t)
+
+corenet_all_recvfrom_netlabel(puppetagent_t)
+corenet_tcp_sendrecv_generic_if(puppetagent_t)
+corenet_tcp_sendrecv_generic_node(puppetagent_t)
+corenet_tcp_bind_generic_node(puppetagent_t)
+corenet_tcp_connect_puppet_port(puppetagent_t)
+corenet_sendrecv_puppet_client_packets(puppetagent_t)
+
+dev_read_rand(puppetagent_t)
+dev_read_sysfs(puppetagent_t)
+dev_read_urand(puppetagent_t)
+
+domain_read_all_domains_state(puppetagent_t)
+domain_interactive_fd(puppetagent_t)
+domain_named_filetrans(puppetagent_t)
+
+files_manage_config_files(puppetagent_t)
+files_manage_config_dirs(puppetagent_t)
+files_manage_etc_dirs(puppetagent_t)
+files_manage_etc_files(puppetagent_t)
+files_read_usr_symlinks(puppetagent_t)
+files_relabel_config_dirs(puppetagent_t)
+files_relabel_config_files(puppetagent_t)
+
+selinux_set_all_booleans(puppetagent_t)
+selinux_set_generic_booleans(puppetagent_t)
+selinux_validate_context(puppetagent_t)
+
+term_dontaudit_getattr_unallocated_ttys(puppetagent_t)
+term_dontaudit_getattr_all_ttys(puppetagent_t)
+
+auth_use_nsswitch(puppetagent_t)
+
+init_all_labeled_script_domtrans(puppetagent_t)
+init_domtrans_script(puppetagent_t)
+init_read_utmp(puppetagent_t)
+init_signull_script(puppetagent_t)
+
+logging_send_syslog_msg(puppetagent_t)
+
+miscfiles_read_hwdata(puppetagent_t)
+
+seutil_domtrans_setfiles(puppetagent_t)
+seutil_domtrans_semanage(puppetagent_t)
+seutil_read_file_contexts(puppetagent_t)
+
+sysnet_run_ifconfig(puppetagent_t, system_r)
+
+usermanage_access_check_groupadd(puppetagent_t)
+usermanage_access_check_passwd(puppetagent_t)
+usermanage_access_check_useradd(puppetagent_t)
+
+tunable_policy(`puppetagent_manage_all_files',`
+ files_manage_non_security_files(puppetagent_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(puppetagent_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(puppetagent_t)
+')
+
+optional_policy(`
+ cfengine_read_lib_files(puppetagent_t)
+')
+
+optional_policy(`
+ consoletype_exec(puppetagent_t)
')
optional_policy(`
- cfengine_read_lib_files(puppet_t)
+ hostname_exec(puppetagent_t)
')
optional_policy(`
- consoletype_exec(puppet_t)
+ mount_domtrans(puppetagent_t)
')
optional_policy(`
- hostname_exec(puppet_t)
+ mta_send_mail(puppetagent_t)
')
optional_policy(`
- mount_domtrans(puppet_t)
+ networkmanager_dbus_chat(puppetagent_t)
')
optional_policy(`
- mta_send_mail(puppet_t)
+ firewalld_dbus_chat(puppetagent_t)
')
optional_policy(`
- portage_domtrans(puppet_t)
- portage_domtrans_fetch(puppet_t)
- portage_domtrans_gcc_config(puppet_t)
+ portage_domtrans(puppetagent_t)
+ portage_domtrans_fetch(puppetagent_t)
+ portage_domtrans_gcc_config(puppetagent_t)
')
optional_policy(`
- files_rw_var_files(puppet_t)
+ files_rw_var_files(puppetagent_t)
- rpm_domtrans(puppet_t)
- rpm_manage_db(puppet_t)
- rpm_manage_log(puppet_t)
+ rpm_domtrans(puppetagent_t)
+ rpm_manage_db(puppetagent_t)
+ rpm_manage_log(puppetagent_t)
')
optional_policy(`
- unconfined_domain(puppet_t)
+ unconfined_domain_noaudit(puppetagent_t)
')
optional_policy(`
- usermanage_domtrans_groupadd(puppet_t)
- usermanage_domtrans_useradd(puppet_t)
+ rhsmcertd_dbus_chat(puppetagent_t)
')
########################################
#
-# Ca local policy
+# PuppetCA personal policy
#
-allow puppetca_t self:capability { dac_override setgid setuid };
+allow puppetca_t self:capability { dac_read_search dac_override setgid setuid };
allow puppetca_t self:fifo_file rw_fifo_file_perms;
-allow puppetca_t puppet_etc_t:dir list_dir_perms;
-allow puppetca_t puppet_etc_t:file read_file_perms;
-allow puppetca_t puppet_etc_t:lnk_file read_lnk_file_perms;
+read_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t)
+read_lnk_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t)
allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
@@ -221,6 +236,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
allow puppetca_t puppet_var_run_t:dir search_dir_perms;
kernel_read_system_state(puppetca_t)
+# Maybe dontaudit this like we did with other puppet domains?
kernel_read_kernel_sysctls(puppetca_t)
corecmd_exec_bin(puppetca_t)
@@ -229,15 +245,12 @@ corecmd_exec_shell(puppetca_t)
dev_read_urand(puppetca_t)
dev_search_sysfs(puppetca_t)
-files_read_etc_files(puppetca_t)
-files_search_pids(puppetca_t)
files_search_var_lib(puppetca_t)
selinux_validate_context(puppetca_t)
logging_search_logs(puppetca_t)
-miscfiles_read_localization(puppetca_t)
miscfiles_read_generic_certs(puppetca_t)
seutil_read_file_contexts(puppetca_t)
@@ -246,38 +259,50 @@ optional_policy(`
hostname_exec(puppetca_t)
')
+optional_policy(`
+ mta_sendmail_access_check(puppetca_t)
+')
+
+
########################################
#
-# Master local policy
+# Pupper master personal policy
#
allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
allow puppetmaster_t self:process { signal_perms getsched setsched };
allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
-allow puppetmaster_t self:netlink_route_socket nlmsg_write;
+allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
allow puppetmaster_t self:socket create;
-allow puppetmaster_t self:tcp_socket { accept listen };
+allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
+allow puppetmaster_t self:udp_socket create_socket_perms;
-allow puppetmaster_t puppet_etc_t:dir list_dir_perms;
-allow puppetmaster_t puppet_etc_t:file read_file_perms;
-allow puppetmaster_t puppet_etc_t:lnk_file read_lnk_file_perms;
+domtrans_pattern(puppetmaster_t, puppetagent_exec_t, puppetagent_t)
-allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
-append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+read_lnk_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+
+allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
+allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
+allow puppetmaster_t puppet_log_t:file relabel_file_perms;
-allow puppetmaster_t puppet_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
-allow puppetmaster_t puppet_var_lib_t:file { manage_file_perms relabel_file_perms };
+manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
+allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms;
-allow puppetmaster_t puppet_var_run_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms };
-allow puppetmaster_t puppet_var_run_t:file manage_file_perms;
+setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
+allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
-allow puppetmaster_t puppetmaster_tmp_t:dir { manage_dir_perms relabel_dir_perms };
-allow puppetmaster_t puppetmaster_tmp_t:file manage_file_perms;
+manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
+allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
kernel_read_network_state(puppetmaster_t)
@@ -289,23 +314,24 @@ corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
corenet_all_recvfrom_netlabel(puppetmaster_t)
-corenet_all_recvfrom_unlabeled(puppetmaster_t)
corenet_tcp_sendrecv_generic_if(puppetmaster_t)
corenet_tcp_sendrecv_generic_node(puppetmaster_t)
corenet_tcp_bind_generic_node(puppetmaster_t)
-
-corenet_sendrecv_puppet_server_packets(puppetmaster_t)
corenet_tcp_bind_puppet_port(puppetmaster_t)
-corenet_tcp_sendrecv_puppet_port(puppetmaster_t)
+corenet_sendrecv_puppet_server_packets(puppetmaster_t)
+corenet_tcp_connect_ntop_port(puppetmaster_t)
+
+# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports.
+corenet_udp_bind_generic_node(puppetmaster_t)
+corenet_udp_bind_generic_port(puppetmaster_t)
dev_read_rand(puppetmaster_t)
dev_read_urand(puppetmaster_t)
dev_search_sysfs(puppetmaster_t)
-domain_obj_id_change_exemption(puppetmaster_t)
domain_read_all_domains_state(puppetmaster_t)
+domain_obj_id_change_exemption(puppetmaster_t)
-files_read_usr_files(puppetmaster_t)
selinux_validate_context(puppetmaster_t)
@@ -314,26 +340,32 @@ auth_use_nsswitch(puppetmaster_t)
logging_send_syslog_msg(puppetmaster_t)
miscfiles_read_generic_certs(puppetmaster_t)
-miscfiles_read_localization(puppetmaster_t)
seutil_read_file_contexts(puppetmaster_t)
sysnet_run_ifconfig(puppetmaster_t, system_r)
+mta_send_mail(puppetmaster_t)
+
optional_policy(`
- hostname_exec(puppetmaster_t)
+ tunable_policy(`puppetmaster_use_db',`
+ mysql_stream_connect(puppetmaster_t)
+ ')
')
optional_policy(`
- mta_send_mail(puppetmaster_t)
+ tunable_policy(`puppetmaster_use_db',`
+ postgresql_stream_connect(puppetmaster_t)
+ ')
')
optional_policy(`
- mysql_stream_connect(puppetmaster_t)
+ systemd_dbus_chat_timedated(puppetagent_t)
+ systemd_dbus_chat_timedated(puppetmaster_t)
')
optional_policy(`
- postgresql_stream_connect(puppetmaster_t)
+ hostname_exec(puppetmaster_t)
')
optional_policy(`
@@ -342,3 +374,9 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
+
+optional_policy(`
+ usermanage_access_check_groupadd(puppetmaster_t)
+ usermanage_access_check_passwd(puppetmaster_t)
+ usermanage_access_check_useradd(puppetmaster_t)
+')
diff --git a/pwauth.fc b/pwauth.fc
index 7e7b44434..e2f8687db 100644
--- a/pwauth.fc
+++ b/pwauth.fc
@@ -1,3 +1,3 @@
-/usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0)
+/usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0)
-/var/run/pwauth\.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0)
+/var/run/pwauth.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0)
diff --git a/pwauth.if b/pwauth.if
index 1148dce1a..86d25ea26 100644
--- a/pwauth.if
+++ b/pwauth.if
@@ -1,72 +1,74 @@
-## External plugin for mod_authnz_external authenticator.
+
+## policy for pwauth
########################################
##
-## Role access for pwauth.
+## Transition to pwauth.
##
-##
-##
-## Role allowed access.
-##
-##
##
-##
-## User domain for the role.
-##
+##
+## Domain allowed to transition.
+##
##
#
-interface(`pwauth_role',`
+interface(`pwauth_domtrans',`
gen_require(`
- type pwauth_t;
+ type pwauth_t, pwauth_exec_t;
')
- pwauth_run($2, $1)
-
- ps_process_pattern($2, pwauth_t)
- allow $2 pwauth_t:process { ptrace signal_perms };
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pwauth_exec_t, pwauth_t)
')
########################################
##
-## Execute pwauth in the pwauth domain.
+## Execute pwauth in the pwauth domain, and
+## allow the specified role the pwauth domain.
##
##
##
-## Domain allowed to transition.
+## Domain allowed to transition
+##
+##
+##
+##
+## The role to be allowed the pwauth domain.
##
##
#
-interface(`pwauth_domtrans',`
+interface(`pwauth_run',`
gen_require(`
- type pwauth_t, pwauth_exec_t;
+ type pwauth_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, pwauth_exec_t, pwauth_t)
+ pwauth_domtrans($1)
+ role $2 types pwauth_t;
')
########################################
##
-## Execute pwauth in the pwauth
-## domain, and allow the specified
-## role the pwauth domain.
+## Role access for pwauth
##
-##
+##
##
-## Domain allowed to transition.
+## Role allowed access
##
##
-##
+##
##
-## Role allowed access.
+## User domain for the role
##
##
#
-interface(`pwauth_run',`
+interface(`pwauth_role',`
gen_require(`
- attribute_role pwauth_roles;
+ type pwauth_t;
')
- pwauth_domtrans($1)
- roleattribute $2 pwauth_roles;
+ role $1 types pwauth_t;
+
+ pwauth_domtrans($2)
+
+ ps_process_pattern($2, pwauth_t)
+ allow $2 pwauth_t:process signal;
')
diff --git a/pwauth.te b/pwauth.te
index 3078e349e..215df880c 100644
--- a/pwauth.te
+++ b/pwauth.te
@@ -5,26 +5,23 @@ policy_module(pwauth, 1.0.0)
# Declarations
#
-attribute_role pwauth_roles;
-roleattribute system_r pwauth_roles;
-
type pwauth_t;
type pwauth_exec_t;
application_domain(pwauth_t, pwauth_exec_t)
-role pwauth_roles types pwauth_t;
+role system_r types pwauth_t;
type pwauth_var_run_t;
files_pid_file(pwauth_var_run_t)
########################################
#
-# Local policy
+# pwauth local policy
#
-
allow pwauth_t self:capability setuid;
allow pwauth_t self:process setrlimit;
+
allow pwauth_t self:fifo_file manage_fifo_file_perms;
-allow pwauth_t self:unix_stream_socket { accept listen };
+allow pwauth_t self:unix_stream_socket create_stream_socket_perms;
manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t)
files_pid_filetrans(pwauth_t, pwauth_var_run_t, file)
@@ -33,10 +30,10 @@ domain_use_interactive_fds(pwauth_t)
auth_domtrans_chkpwd(pwauth_t)
auth_use_nsswitch(pwauth_t)
+auth_read_shadow(pwauth_t)
+auth_rw_lastlog(pwauth_t)
init_read_utmp(pwauth_t)
logging_send_syslog_msg(pwauth_t)
logging_send_audit_msgs(pwauth_t)
-
-miscfiles_read_localization(pwauth_t)
diff --git a/pxe.te b/pxe.te
index 06bec9ba9..1b32632dc 100644
--- a/pxe.te
+++ b/pxe.te
@@ -50,15 +50,12 @@ dev_read_sysfs(pxe_t)
domain_use_interactive_fds(pxe_t)
-files_read_etc_files(pxe_t)
fs_getattr_all_fs(pxe_t)
fs_search_auto_mountpoints(pxe_t)
logging_send_syslog_msg(pxe_t)
-miscfiles_read_localization(pxe_t)
-
userdom_dontaudit_use_unpriv_user_fds(pxe_t)
userdom_dontaudit_search_user_home_dirs(pxe_t)
diff --git a/pyicqt.fc b/pyicqt.fc
deleted file mode 100644
index 0c143e3e8..000000000
--- a/pyicqt.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-/etc/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_conf_t,s0)
-
-/etc/rc\.d/init\.d/pyicq-t -- gen_context(system_u:object_r:pyicqt_initrc_exec_t,s0)
-
-/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0)
-
-/var/log/pyicq-t\.log.* -- gen_context(system_u:object_r:pyicqt_log_t,s0)
-
-/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)
-
-/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0)
diff --git a/pyicqt.if b/pyicqt.if
deleted file mode 100644
index 0ccea828a..000000000
--- a/pyicqt.if
+++ /dev/null
@@ -1,45 +0,0 @@
-## ICQ transport for XMPP server.
-
-########################################
-##
-## All of the rules required to
-## administrate an pyicqt environment.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-#
-interface(`pyicqt_admin',`
- gen_require(`
- type pyicqt_t, pyicqt_log_t, pyicqt_spool_t;
- type pyicqt_var_run_t, pyicqt_initrc_exec_t, pyicqt_conf_t;
- ')
-
- allow $1 pyicqt_t:process { ptrace signal_perms };
- ps_process_pattern($1, pyicqt_t)
-
- init_labeled_script_domtrans($1, pyicqt_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pyicqt_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_etc($1)
- admin_pattern($1, pyicqt_conf_t)
-
- logging_search_logs($1)
- admin_pattern($1, pyicqt_log_t)
-
- files_search_spool($1)
- admin_pattern($1, pyicqt_spool_t)
-
- files_search_pids($1)
- admin_pattern($1, pyicqt_var_run_t)
-')
diff --git a/pyicqt.te b/pyicqt.te
deleted file mode 100644
index f2863ded4..000000000
--- a/pyicqt.te
+++ /dev/null
@@ -1,92 +0,0 @@
-policy_module(pyicqt, 1.1.0)
-
-########################################
-#
-# Declarations
-#
-
-type pyicqt_t;
-type pyicqt_exec_t;
-init_daemon_domain(pyicqt_t, pyicqt_exec_t)
-
-type pyicqt_initrc_exec_t;
-init_script_file(pyicqt_initrc_exec_t)
-
-type pyicqt_conf_t;
-files_config_file(pyicqt_conf_t)
-
-type pyicqt_log_t;
-logging_log_file(pyicqt_log_t)
-
-type pyicqt_spool_t;
-files_type(pyicqt_spool_t)
-
-type pyicqt_var_run_t;
-files_pid_file(pyicqt_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow pyicqt_t self:process signal_perms;
-allow pyicqt_t self:fifo_file rw_fifo_file_perms;
-allow pyicqt_t self:tcp_socket { accept listen };
-
-read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t)
-
-allow pyicqt_t pyicqt_log_t:file append_file_perms;
-allow pyicqt_t pyicqt_log_t:file create_file_perms;
-allow pyicqt_t pyicqt_log_t:file setattr_file_perms;
-logging_log_filetrans(pyicqt_t, pyicqt_log_t, file)
-
-manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
-manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
-files_spool_filetrans(pyicqt_t, pyicqt_spool_t, dir)
-
-manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
-files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
-
-kernel_read_system_state(pyicqt_t)
-
-corecmd_exec_bin(pyicqt_t)
-
-corenet_all_recvfrom_unlabeled(pyicqt_t)
-corenet_all_recvfrom_netlabel(pyicqt_t)
-corenet_tcp_sendrecv_generic_if(pyicqt_t)
-corenet_tcp_sendrecv_generic_node(pyicqt_t)
-corenet_tcp_bind_generic_node(pyicqt_t)
-
-# corenet_sendrecv_jabber_router_server_packets(pyicqt_t)
-# corenet_tcp_bind_jabber_router_port(pyicqt_t)
-# corenet_sendrecv_jabber_router_client_packets(pyicqt_t)
-# corenet_tcp_connect_jabber_router_port(pyicqt_t)
-# corenet_tcp_sendrecv_jabber_router_port(pyicqt_t)
-
-dev_read_sysfs(pyicqt_t)
-dev_read_urand(pyicqt_t)
-
-files_read_usr_files(pyicqt_t)
-
-fs_getattr_all_fs(pyicqt_t)
-
-auth_use_nsswitch(pyicqt_t)
-
-libs_read_lib_files(pyicqt_t)
-
-logging_send_syslog_msg(pyicqt_t)
-
-miscfiles_read_localization(pyicqt_t)
-
-optional_policy(`
- jabber_manage_lib_files(pyicqt_t)
-')
-
-optional_policy(`
- mysql_stream_connect(pyicqt_t)
- mysql_tcp_connect(pyicqt_t)
-')
-
-optional_policy(`
- seutil_sigchld_newrole(pyicqt_t)
-')
diff --git a/pyzor.fc b/pyzor.fc
index af13139a1..a927c5a15 100644
--- a/pyzor.fc
+++ b/pyzor.fc
@@ -1,12 +1,13 @@
-HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
-
-/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
-
+/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
-/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
-/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
-/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0)
+/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
+/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
+/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0)
/var/log/pyzord\.log.* -- gen_context(system_u:object_r:pyzord_log_t,s0)
diff --git a/pyzor.if b/pyzor.if
index 593c03d09..2c411af3e 100644
--- a/pyzor.if
+++ b/pyzor.if
@@ -2,7 +2,7 @@
########################################
##
-## Role access for pyzor.
+## Role access for pyzor
##
##
##
@@ -14,31 +14,30 @@
## User domain for the role
##
##
+##
#
interface(`pyzor_role',`
gen_require(`
- attribute_role pyzor_roles;
- type pyzor_t, pyzor_exec_t, pyzor_home_t;
- type pyzor_tmp_t;
+ type pyzor_t, pyzor_exec_t;
+ type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t;
')
- roleattribute $1 pyzor_roles;
+ role $1 types pyzor_t;
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, pyzor_exec_t, pyzor_t)
- allow $2 pyzor_t:process { ptrace signal_perms };
+ # allow ps to show pyzor and allow the user to kill it
ps_process_pattern($2, pyzor_t)
-
- allow $2 { pyzor_home_t pyzor_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { pyzor_home_t pyzor_tmp_t }:file { manage_file_perms relabel_file_perms };
- allow $2 pyzor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
- userdom_user_home_dir_filetrans($2, pyzor_home_t, dir, ".pyzor")
+ allow $2 pyzor_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 pyzor_t:process ptrace;
+ ')
')
########################################
##
-## Send generic signals to pyzor.
+## Send generic signals to pyzor
##
##
##
@@ -69,6 +68,7 @@ interface(`pyzor_domtrans',`
type pyzor_exec_t, pyzor_t;
')
+ files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, pyzor_exec_t, pyzor_t)
')
@@ -88,14 +88,15 @@ interface(`pyzor_exec',`
type pyzor_exec_t;
')
+ files_search_usr($1)
corecmd_search_bin($1)
can_exec($1, pyzor_exec_t)
')
########################################
##
-## All of the rules required to
-## administrate an pyzor environment.
+## All of the rules required to administrate
+## an pyzor environment
##
##
##
@@ -104,33 +105,37 @@ interface(`pyzor_exec',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the pyzor domain.
##
##
##
#
interface(`pyzor_admin',`
gen_require(`
- type pyzord_t, pyzord_initrc_exec_t, pyzord_log_t;
- type pyzor_var_lib_t, pyzor_etc_t;
+ type pyzord_t, pyzor_tmp_t, pyzord_log_t;
+ type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t;
')
- allow $1 pyzord_t:process { ptrace signal_perms };
+ allow $1 pyzord_t:process signal_perms;
ps_process_pattern($1, pyzord_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 pyzord_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 pyzord_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
- admin_pattern($1, pyzor_etc_t)
+ files_list_tmp($1)
+ admin_pattern($1, pyzor_tmp_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, pyzord_log_t)
- files_search_var_lib($1)
- admin_pattern($1, pyzor_var_lib_t)
+ files_list_etc($1)
+ admin_pattern($1, pyzor_etc_t)
- pyzor_role($2, $1)
+ files_list_var_lib($1)
+ admin_pattern($1, pyzor_var_lib_t)
')
diff --git a/pyzor.te b/pyzor.te
index 2439d1304..d7bd6e9a1 100644
--- a/pyzor.te
+++ b/pyzor.te
@@ -5,57 +5,78 @@ policy_module(pyzor, 2.3.0)
# Declarations
#
-attribute_role pyzor_roles;
-roleattribute system_r pyzor_roles;
-
-type pyzor_t;
-type pyzor_exec_t;
-typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
-typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
-userdom_user_application_domain(pyzor_t, pyzor_exec_t)
-role pyzor_roles types pyzor_t;
-
-type pyzor_etc_t;
-files_type(pyzor_etc_t)
-
-type pyzor_home_t;
-typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
-typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
-userdom_user_home_content(pyzor_home_t)
-
-type pyzor_tmp_t;
-typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
-typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
-userdom_user_tmp_file(pyzor_tmp_t)
-
-type pyzor_var_lib_t;
-typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
-typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
-files_type(pyzor_var_lib_t)
-ubac_constrained(pyzor_var_lib_t)
-
-type pyzord_t;
-type pyzord_exec_t;
-init_daemon_domain(pyzord_t, pyzord_exec_t)
-
-type pyzord_initrc_exec_t;
-init_script_file(pyzord_initrc_exec_t)
-
-type pyzord_log_t;
-logging_log_file(pyzord_log_t)
+ifdef(`distro_redhat',`
+ gen_require(`
+ type spamc_t, spamc_exec_t, spamd_t;
+ type spamd_initrc_exec_t, spamd_exec_t, spamc_tmp_t;
+ type spamd_log_t, spamd_var_lib_t, spamd_etc_t;
+ type spamc_tmp_t, spamc_home_t;
+ ')
+
+ typealias spamc_t alias pyzor_t;
+ typealias spamc_exec_t alias pyzor_exec_t;
+ typealias spamd_t alias pyzord_t;
+ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
+ typealias spamd_exec_t alias pyzord_exec_t;
+ typealias spamc_tmp_t alias pyzor_tmp_t;
+ typealias spamd_log_t alias pyzor_log_t;
+ typealias spamd_log_t alias pyzord_log_t;
+ typealias spamd_var_lib_t alias pyzor_var_lib_t;
+ typealias spamd_etc_t alias pyzor_etc_t;
+ typealias spamc_home_t alias pyzor_home_t;
+ typealias spamc_home_t alias user_pyzor_home_t;
+',`
+ type pyzor_t;
+ type pyzor_exec_t;
+ typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
+ typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
+ application_domain(pyzor_t, pyzor_exec_t)
+ ubac_constrained(pyzor_t)
+ role system_r types pyzor_t;
+
+ type pyzor_etc_t;
+ files_config_file(pyzor_etc_t)
+
+ type pyzor_home_t;
+ typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
+ typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
+ userdom_user_home_content(pyzor_home_t)
+
+ type pyzor_tmp_t;
+ typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
+ typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
+ files_tmp_file(pyzor_tmp_t)
+ ubac_constrained(pyzor_tmp_t)
+
+ type pyzor_var_lib_t;
+ typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
+ typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
+ files_type(pyzor_var_lib_t)
+ ubac_constrained(pyzor_var_lib_t)
+
+ type pyzord_t;
+ type pyzord_exec_t;
+ init_daemon_domain(pyzord_t, pyzord_exec_t)
+
+ type pyzord_log_t;
+ logging_log_file(pyzord_log_t)
+')
########################################
#
-# Local policy
+# Pyzor client local policy
#
+allow pyzor_t self:udp_socket create_socket_perms;
+
manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
-userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, dir, ".pyzor")
+userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file })
allow pyzor_t pyzor_var_lib_t:dir list_dir_perms;
read_files_pattern(pyzor_t, pyzor_var_lib_t, pyzor_var_lib_t)
+files_search_var_lib(pyzor_t)
manage_files_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t)
manage_dirs_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t)
@@ -67,41 +88,28 @@ kernel_read_system_state(pyzor_t)
corecmd_list_bin(pyzor_t)
corecmd_getattr_bin_files(pyzor_t)
-corenet_all_recvfrom_unlabeled(pyzor_t)
-corenet_all_recvfrom_netlabel(pyzor_t)
corenet_tcp_sendrecv_generic_if(pyzor_t)
+corenet_udp_sendrecv_generic_if(pyzor_t)
corenet_tcp_sendrecv_generic_node(pyzor_t)
-
-corenet_sendrecv_http_client_packets(pyzor_t)
+corenet_udp_sendrecv_generic_node(pyzor_t)
+corenet_tcp_sendrecv_all_ports(pyzor_t)
+corenet_udp_sendrecv_all_ports(pyzor_t)
corenet_tcp_connect_http_port(pyzor_t)
-corenet_tcp_sendrecv_http_port(pyzor_t)
dev_read_urand(pyzor_t)
-fs_getattr_all_fs(pyzor_t)
-fs_search_auto_mountpoints(pyzor_t)
+fs_getattr_xattr_fs(pyzor_t)
+
auth_use_nsswitch(pyzor_t)
-miscfiles_read_localization(pyzor_t)
mta_read_queue(pyzor_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(pyzor_t)
- fs_manage_nfs_files(pyzor_t)
- fs_manage_nfs_symlinks(pyzor_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(pyzor_t)
- fs_manage_cifs_files(pyzor_t)
- fs_manage_cifs_symlinks(pyzor_t)
-')
+userdom_dontaudit_search_user_home_dirs(pyzor_t)
optional_policy(`
- amavis_manage_lib_files(pyzor_t)
- amavis_manage_spool_files(pyzor_t)
+ antivirus_manage_db(pyzor_t)
')
optional_policy(`
@@ -111,25 +119,24 @@ optional_policy(`
########################################
#
-# Daemon local policy
+# Pyzor server local policy
#
-allow pyzord_t pyzor_var_lib_t:dir setattr_dir_perms;
+allow pyzord_t self:udp_socket create_socket_perms;
+
manage_files_pattern(pyzord_t, pyzor_var_lib_t, pyzor_var_lib_t)
+allow pyzord_t pyzor_var_lib_t:dir setattr;
files_var_lib_filetrans(pyzord_t, pyzor_var_lib_t, { file dir })
+read_files_pattern(pyzord_t, pyzor_etc_t, pyzor_etc_t)
allow pyzord_t pyzor_etc_t:dir list_dir_perms;
-allow pyzord_t pyzor_etc_t:file read_file_perms;
-allow pyzord_t pyzor_etc_t:lnk_file read_lnk_file_perms;
+can_exec(pyzord_t, pyzor_exec_t)
+
+manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
allow pyzord_t pyzord_log_t:dir setattr_dir_perms;
-append_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
-create_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
-setattr_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir })
-can_exec(pyzord_t, pyzor_exec_t)
-
kernel_read_kernel_sysctls(pyzord_t)
kernel_read_system_state(pyzord_t)
@@ -137,24 +144,25 @@ dev_read_urand(pyzord_t)
corecmd_exec_bin(pyzord_t)
-corenet_all_recvfrom_unlabeled(pyzord_t)
corenet_all_recvfrom_netlabel(pyzord_t)
corenet_udp_sendrecv_generic_if(pyzord_t)
corenet_udp_sendrecv_generic_node(pyzord_t)
+corenet_udp_sendrecv_all_ports(pyzord_t)
corenet_udp_bind_generic_node(pyzord_t)
-
-corenet_sendrecv_pyzor_server_packets(pyzord_t)
corenet_udp_bind_pyzor_port(pyzord_t)
-corenet_udp_sendrecv_pyzor_port(pyzord_t)
+corenet_sendrecv_pyzor_server_packets(pyzord_t)
-auth_use_nsswitch(pyzord_t)
-logging_send_syslog_msg(pyzord_t)
+auth_use_nsswitch(pyzord_t)
locallogin_dontaudit_use_fds(pyzord_t)
-miscfiles_read_localization(pyzord_t)
+# Do not audit attempts to access /root.
userdom_dontaudit_search_user_home_dirs(pyzord_t)
mta_manage_spool(pyzord_t)
+
+optional_policy(`
+ logging_send_syslog_msg(pyzord_t)
+')
diff --git a/qemu.fc b/qemu.fc
index 86ea53ce1..a2dcf7bb2 100644
--- a/qemu.fc
+++ b/qemu.fc
@@ -1,4 +1,4 @@
-/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --git a/qemu.if b/qemu.if
index eaf56b8b0..889472688 100644
--- a/qemu.if
+++ b/qemu.if
@@ -1,19 +1,21 @@
-## QEMU machine emulator and virtualizer.
+## QEMU machine emulator and virtualizer
-#######################################
+########################################
##
-## The template to define a qemu domain.
+## Creates types and rules for a basic
+## qemu process domain.
##
-##
+##
##
-## Domain prefix to be used.
+## Prefix for the domain.
##
##
#
template(`qemu_domain_template',`
+
##############################
#
- # Declarations
+ # Local Policy
#
type $1_t;
@@ -22,9 +24,12 @@ template(`qemu_domain_template',`
type $1_tmp_t;
files_tmp_file($1_tmp_t)
+ type $1_tmpfs_t;
+ files_tmpfs_file($1_tmpfs_t)
+
##############################
#
- # Policy
+ # Local Policy
#
allow $1_t self:capability { dac_read_search dac_override };
@@ -39,9 +44,12 @@ template(`qemu_domain_template',`
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { file dir })
+
kernel_read_system_state($1_t)
- corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
corenet_tcp_sendrecv_generic_if($1_t)
corenet_tcp_sendrecv_generic_node($1_t)
@@ -61,7 +69,6 @@ template(`qemu_domain_template',`
fs_list_inotifyfs($1_t)
fs_rw_anon_inodefs_files($1_t)
- fs_rw_tmpfs_files($1_t)
storage_raw_write_removable_device($1_t)
storage_raw_read_removable_device($1_t)
@@ -70,11 +77,10 @@ template(`qemu_domain_template',`
term_getattr_pty_fs($1_t)
term_use_generic_ptys($1_t)
- miscfiles_read_localization($1_t)
sysnet_read_config($1_t)
- userdom_use_user_terminals($1_t)
+ userdom_use_inherited_user_terminals($1_t)
userdom_attach_admin_tun_iface($1_t)
optional_policy(`
@@ -96,40 +102,14 @@ template(`qemu_domain_template',`
')
')
-########################################
-##
-## Role access for qemu.
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-##
-## User domain for the role.
-##
-##
-#
-template(`qemu_role',`
- gen_require(`
- type qemu_t;
- ')
-
- qemu_run($2, $1)
-
- allow $2 qemu_t:process { ptrace signal_perms };
- ps_process_pattern($2, qemu_t)
-')
-
########################################
##
## Execute a domain transition to run qemu.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`qemu_domtrans',`
@@ -137,18 +117,17 @@ interface(`qemu_domtrans',`
type qemu_t, qemu_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, qemu_exec_t, qemu_t)
')
########################################
##
-## Execute a qemu in the caller domain.
+## Execute a qemu in the callers domain
##
##
-##
+##
## Domain allowed access.
-##
+##
##
#
interface(`qemu_exec',`
@@ -156,15 +135,12 @@ interface(`qemu_exec',`
type qemu_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, qemu_exec_t)
')
########################################
##
-## Execute qemu in the qemu domain,
-## and allow the specified role the
-## qemu domain.
+## Execute qemu in the qemu domain.
##
##
##
@@ -173,23 +149,25 @@ interface(`qemu_exec',`
##
##
##
-## Role allowed access.
+## The role to allow the qemu domain.
##
##
##
#
interface(`qemu_run',`
gen_require(`
- attribute_role qemu_roles;
+ type qemu_t;
')
qemu_domtrans($1)
- roleattribute $2 qemu_roles;
+ role $2 types qemu_t;
+ allow qemu_t $1:process signull;
+ allow $1 qemu_t:process signull;
')
########################################
##
-## Read qemu process state files.
+## Allow the domain to read state files in /proc.
##
##
##
@@ -202,15 +180,12 @@ interface(`qemu_read_state',`
type qemu_t;
')
- kernel_search_proc($1)
- allow $1 qemu_t:dir list_dir_perms;
- allow $1 qemu_t:file read_file_perms;
- allow $1 qemu_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, qemu_t, qemu_t)
')
########################################
##
-## Set qemu scheduler.
+## Set the schedule on qemu.
##
##
##
@@ -228,7 +203,7 @@ interface(`qemu_setsched',`
########################################
##
-## Send generic signals to qemu.
+## Send a signal to qemu.
##
##
##
@@ -246,7 +221,7 @@ interface(`qemu_signal',`
########################################
##
-## Send kill signals to qemu.
+## Send a sigill to qemu
##
##
##
@@ -264,28 +239,68 @@ interface(`qemu_kill',`
########################################
##
-## Execute a domain transition to
-## run qemu unconfined.
+## Execute qemu_exec_t
+## in the specified domain but do not
+## do it automatically. This is an explicit
+## transition, requiring the caller to use setexeccon().
##
+##
+##
+## Execute qemu_exec_t
+## in the specified domain. This allows
+## the specified domain to qemu programs
+## on these filesystems in the specified
+## domain.
+##
+##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the new process.
##
##
#
-interface(`qemu_domtrans_unconfined',`
+interface(`qemu_spec_domtrans',`
gen_require(`
- type unconfined_qemu_t, qemu_exec_t;
+ type qemu_exec_t;
')
+
+ read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t)
+ domain_transition_pattern($1, qemu_exec_t, $2)
+ domain_entry_file($2,qemu_exec_t)
+ can_exec($1,qemu_exec_t)
+
+ allow $2 $1:fd use;
+ allow $2 $1:fifo_file rw_fifo_file_perms;
+ allow $2 $1:process sigchld;
+')
- corecmd_search_bin($1)
- domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t)
+########################################
+##
+## Execute qemu unconfined programs in the role.
+##
+##
+##
+## The role to allow the qemu unconfined domain.
+##
+##
+#
+interface(`qemu_unconfined_role',`
+ gen_require(`
+ type unconfined_qemu_t;
+ type qemu_t;
+ ')
+ role $1 types unconfined_qemu_t;
+ role $1 types qemu_t;
')
########################################
##
-## Create, read, write, and delete
-## qemu temporary directories.
+## Manage qemu temporary dirs.
##
##
##
@@ -298,14 +313,12 @@ interface(`qemu_manage_tmp_dirs',`
type qemu_tmp_t;
')
- files_search_tmp($1)
manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
########################################
##
-## Create, read, write, and delete
-## qemu temporary files.
+## Manage qemu temporary files.
##
##
##
@@ -318,59 +331,42 @@ interface(`qemu_manage_tmp_files',`
type qemu_tmp_t;
')
- files_search_tmp($1)
manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
########################################
##
-## Execute qemu in a specified domain.
+## Make qemu_exec_t an entrypoint for
+## the specified domain.
##
-##
-##
-## Execute qemu in a specified domain.
-##
-##
-## No interprocess communication (signals, pipes,
-## etc.) is provided by this interface since
-## the domains are not owned by this module.
-##
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-##
-##
-## Domain to transition to.
-##
+##
+##
+## The domain for which qemu_exec_t is an entrypoint.
+##
##
#
-interface(`qemu_spec_domtrans',`
+interface(`qemu_entry_type',`
gen_require(`
type qemu_exec_t;
')
- corecmd_search_bin($1)
- domain_auto_trans($1, qemu_exec_t, $2)
+ domain_entry_file($1, qemu_exec_t)
')
-######################################
+#######################################
##
-## Make qemu executable files an
-## entrypoint for the specified domain.
+## Getattr on qemu executable.
##
##
-##
-## The domain for which qemu_exec_t is an entrypoint.
-##
+##
+## Domain allowed to transition.
+##
##
#
-interface(`qemu_entry_type',`
- gen_require(`
- type qemu_exec_t;
- ')
+interface(`qemu_getattr_exec',`
+ gen_require(`
+ type qemu_exec_t;
+ ')
- domain_entry_file($1, qemu_exec_t)
+ allow $1 qemu_exec_t:file getattr;
')
diff --git a/qemu.te b/qemu.te
index 4f9074343..958c0ef1e 100644
--- a/qemu.te
+++ b/qemu.te
@@ -6,28 +6,58 @@ policy_module(qemu, 1.8.0)
#
##
-##
-## Determine whether qemu has full
-## access to the network.
-##
+##
+## Allow qemu to connect fully to the network
+##
##
gen_tunable(qemu_full_network, false)
-attribute_role qemu_roles;
-roleattribute system_r qemu_roles;
+##
+##
+## Allow qemu to use cifs/Samba file systems
+##
+##
+gen_tunable(qemu_use_cifs, true)
+
+##
+##
+## Allow qemu to use serial/parallel communication ports
+##
+##
+gen_tunable(qemu_use_comm, false)
-type qemu_exec_t;
-application_executable_file(qemu_exec_t)
+##
+##
+## Allow qemu to use nfs file systems
+##
+##
+gen_tunable(qemu_use_nfs, true)
+
+##
+##
+## Allow qemu to use usb devices
+##
+##
+gen_tunable(qemu_use_usb, true)
virt_domain_template(qemu)
-role qemu_roles types qemu_t;
+role system_r types qemu_t;
########################################
#
-# Local policy
+# qemu local policy
#
+storage_raw_write_removable_device(qemu_t)
+storage_raw_read_removable_device(qemu_t)
+
+userdom_search_user_home_content(qemu_t)
+userdom_read_user_tmp_files(qemu_t)
+userdom_stream_connect(qemu_t)
+
tunable_policy(`qemu_full_network',`
+ allow qemu_t self:udp_socket create_socket_perms;
+
corenet_udp_sendrecv_generic_if(qemu_t)
corenet_udp_sendrecv_generic_node(qemu_t)
corenet_udp_sendrecv_all_ports(qemu_t)
@@ -37,21 +67,57 @@ tunable_policy(`qemu_full_network',`
corenet_tcp_connect_all_ports(qemu_t)
')
+tunable_policy(`qemu_use_cifs',`
+ fs_manage_cifs_dirs(qemu_t)
+ fs_manage_cifs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_comm',`
+ term_use_unallocated_ttys(qemu_t)
+ dev_rw_printer(qemu_t)
+')
+
+tunable_policy(`qemu_use_nfs',`
+ fs_manage_nfs_dirs(qemu_t)
+ fs_manage_nfs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_usb',`
+ dev_rw_usbfs(qemu_t)
+ fs_manage_dos_dirs(qemu_t)
+ fs_manage_dos_files(qemu_t)
+')
+
optional_policy(`
- xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
+ dbus_read_lib_files(qemu_t)
')
-########################################
-#
-# Unconfined local policy
-#
+optional_policy(`
+ pulseaudio_manage_home_files(qemu_t)
+ pulseaudio_stream_connect(qemu_t)
+')
+
+optional_policy(`
+ tunable_policy(`qemu_use_cifs',`
+ samba_domtrans_smbd(qemu_t)
+ ')
+')
optional_policy(`
- type unconfined_qemu_t;
- typealias unconfined_qemu_t alias qemu_unconfined_t;
- application_type(unconfined_qemu_t)
- unconfined_domain(unconfined_qemu_t)
+ virt_domtrans_bridgehelper(qemu_t)
+')
+
+optional_policy(`
+ virt_manage_home_files(qemu_t)
+ virt_manage_images(qemu_t)
+ virt_append_log(qemu_t)
+')
- allow unconfined_qemu_t self:process { execstack execmem };
- allow unconfined_qemu_t qemu_exec_t:file execmod;
+optional_policy(`
+ xen_rw_image_files(qemu_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(qemu_t)
+ xserver_stream_connect(qemu_t)
')
diff --git a/qmail.fc b/qmail.fc
index e53fe5a97..edee505d7 100644
--- a/qmail.fc
+++ b/qmail.fc
@@ -1,22 +1,6 @@
-/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
-
-/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
-
-/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
-/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
-/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
-/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
-/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
-/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
-/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
-/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
-/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
-/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
-/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
-/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
-
-/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0)
-/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0)
+
+/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0)
+/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0)
/var/qmail/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
/var/qmail/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
@@ -29,9 +13,36 @@
/var/qmail/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
/var/qmail/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
/var/qmail/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
-/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
-/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+/var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+/var/qmail/owners(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
+
+ifdef(`distro_debian', `
+/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+#/usr/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)
+
+/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
+/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
+/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
+/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
+/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
+/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
+/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
+/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
+/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
+/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+
+/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
-/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
+')
-/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
diff --git a/qmail.if b/qmail.if
index e4f0000e5..05e219e13 100644
--- a/qmail.if
+++ b/qmail.if
@@ -1,12 +1,12 @@
-## Qmail Mail Server.
+## Qmail Mail Server
########################################
##
-## Template for qmail parent/sub-domain pairs.
+## Template for qmail parent/sub-domain pairs
##
##
##
-## The prefix of the child domain.
+## The prefix of the child domain
##
##
##
@@ -16,35 +16,39 @@
##
#
template(`qmail_child_domain_template',`
- gen_require(`
- attribute qmail_child_domain;
- ')
-
- ########################################
- #
- # Declarations
- #
-
- type $1_t, qmail_child_domain;
- type $1_exec_t;
+ type $1_t;
domain_type($1_t)
+ type $1_exec_t;
domain_entry_file($1_t, $1_exec_t)
-
+ domain_auto_trans($2, $1_exec_t, $1_t)
role system_r types $1_t;
- ########################################
- #
- # Policy
- #
+ allow $1_t self:process signal_perms;
+
+ allow $1_t $2:fd use;
+ allow $1_t $2:fifo_file rw_file_perms;
+ allow $1_t $2:process sigchld;
+
+ allow $1_t qmail_etc_t:dir list_dir_perms;
+ allow $1_t qmail_etc_t:file read_file_perms;
+ allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms;
+
+ allow $1_t qmail_start_t:fd use;
+
+ kernel_list_proc($2)
+ kernel_read_proc_symlinks($2)
- domtrans_pattern($2, $1_exec_t, $1_t)
+ corecmd_search_bin($1_t)
+
+ files_search_var($1_t)
+
+ fs_getattr_xattr_fs($1_t)
- kernel_read_system_state($2)
')
########################################
##
-## Transition to qmail_inject_t.
+## Transition to qmail_inject_t
##
##
##
@@ -57,11 +61,11 @@ interface(`qmail_domtrans_inject',`
type qmail_inject_t, qmail_inject_exec_t;
')
+ corecmd_search_bin($1)
domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t)
ifdef(`distro_debian',`
files_search_usr($1)
- corecmd_search_bin($1)
',`
files_search_var($1)
')
@@ -69,7 +73,7 @@ interface(`qmail_domtrans_inject',`
########################################
##
-## Transition to qmail_queue_t.
+## Transition to qmail_queue_t
##
##
##
@@ -82,11 +86,11 @@ interface(`qmail_domtrans_queue',`
type qmail_queue_t, qmail_queue_exec_t;
')
+ corecmd_search_bin($1)
domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t)
ifdef(`distro_debian',`
files_search_usr($1)
- corecmd_search_bin($1)
',`
files_search_var($1)
')
@@ -108,20 +112,21 @@ interface(`qmail_read_config',`
type qmail_etc_t;
')
- files_search_var($1)
allow $1 qmail_etc_t:dir list_dir_perms;
allow $1 qmail_etc_t:file read_file_perms;
allow $1 qmail_etc_t:lnk_file read_lnk_file_perms;
+ files_search_var($1)
ifdef(`distro_debian',`
+ # handle /etc/qmail
files_search_etc($1)
')
')
########################################
##
-## Define the specified domain as a
-## qmail-smtp service.
+## Define the specified domain as a qmail-smtp service.
+## Needed by antivirus/antispam filters.
##
##
##
@@ -141,3 +146,59 @@ interface(`qmail_smtpd_service_domain',`
domtrans_pattern(qmail_smtpd_t, $2, $1)
')
+
+########################################
+##
+## Create, read, write, and delete qmail
+## spool directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`qmail_manage_spool_dirs',`
+ gen_require(`
+ type qmail_spool_t;
+ ')
+
+ manage_dirs_pattern($1, qmail_spool_t, qmail_spool_t)
+')
+
+########################################
+##
+## Create, read, write, and delete qmail
+## spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`qmail_manage_spool_files',`
+ gen_require(`
+ type qmail_spool_t;
+ ')
+
+ manage_files_pattern($1, qmail_spool_t, qmail_spool_t)
+')
+
+########################################
+##
+## Read and write to qmail spool pipes.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`qmail_rw_spool_pipes',`
+ gen_require(`
+ type qmail_spool_t;
+ ')
+
+ allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms;
+')
diff --git a/qmail.te b/qmail.te
index 87429441c..53a2fe597 100644
--- a/qmail.te
+++ b/qmail.te
@@ -5,7 +5,7 @@ policy_module(qmail, 1.6.1)
# Declarations
#
-attribute qmail_child_domain;
+attribute qmail_user_domains;
type qmail_alias_home_t;
files_type(qmail_alias_home_t)
@@ -18,7 +18,7 @@ files_config_file(qmail_etc_t)
type qmail_exec_t;
files_type(qmail_exec_t)
-type qmail_inject_t;
+type qmail_inject_t, qmail_user_domains;
type qmail_inject_exec_t;
domain_type(qmail_inject_t)
domain_entry_file(qmail_inject_t, qmail_inject_exec_t)
@@ -32,21 +32,25 @@ qmail_child_domain_template(qmail_lspawn, qmail_start_t)
mta_mailserver_delivery(qmail_lspawn_t)
qmail_child_domain_template(qmail_queue, qmail_inject_t)
+typeattribute qmail_queue_t qmail_user_domains;
mta_mailserver_user_agent(qmail_queue_t)
qmail_child_domain_template(qmail_remote, qmail_rspawn_t)
mta_mailserver_sender(qmail_remote_t)
qmail_child_domain_template(qmail_rspawn, qmail_start_t)
+
qmail_child_domain_template(qmail_send, qmail_start_t)
+
qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
+
qmail_child_domain_template(qmail_splogger, qmail_start_t)
type qmail_keytab_t;
files_type(qmail_keytab_t)
type qmail_spool_t;
-files_type(qmail_spool_t)
+files_spool_file(qmail_spool_t)
type qmail_start_t;
type qmail_start_exec_t;
@@ -58,28 +62,8 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
########################################
#
-# Common qmail child domain local policy
-#
-
-allow qmail_child_domain self:process signal_perms;
-
-allow qmail_child_domain qmail_etc_t:dir list_dir_perms;
-allow qmail_child_domain qmail_etc_t:file read_file_perms;
-allow qmail_child_domain qmail_etc_t:lnk_file read_lnk_file_perms;
-
-allow qmail_child_domain qmail_start_t:fd use;
-
-corecmd_search_bin(qmail_child_domain)
-
-files_search_var(qmail_child_domain)
-
-fs_getattr_xattr_fs(qmail_child_domain)
-
-miscfiles_read_localization(qmail_child_domain)
-
-########################################
-#
-# Clean local policy
+# qmail-clean local policy
+# this component cleans up the queue directory
#
read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
@@ -87,11 +71,12 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
########################################
#
-# Inject local policy
+# qmail-inject local policy
+# this component preprocesses mail from stdin and invokes qmail-queue
#
-allow qmail_inject_t self:fifo_file write_fifo_file_perms;
allow qmail_inject_t self:process signal_perms;
+allow qmail_inject_t self:fifo_file write_fifo_file_perms;
allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
@@ -99,18 +84,18 @@ corecmd_search_bin(qmail_inject_t)
files_search_var(qmail_inject_t)
-miscfiles_read_localization(qmail_inject_t)
qmail_read_config(qmail_inject_t)
########################################
#
-# Local local policy
+# qmail-local local policy
+# this component delivers a mail message
#
-allow qmail_local_t self:fifo_file write_fifo_file_perms;
allow qmail_local_t self:process signal_perms;
-allow qmail_local_t self:unix_stream_socket { accept listen };
+allow qmail_local_t self:fifo_file write_file_perms;
+allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
@@ -136,13 +121,18 @@ mta_append_spool(qmail_local_t)
qmail_domtrans_queue(qmail_local_t)
+optional_policy(`
+ uucp_domtrans(qmail_local_t)
+')
+
optional_policy(`
spamassassin_domtrans_client(qmail_local_t)
')
########################################
#
-# Lspawn local policy
+# qmail-lspawn local policy
+# this component schedules local deliveries
#
allow qmail_lspawn_t self:capability { setuid setgid };
@@ -156,21 +146,23 @@ allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms;
read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)
-files_read_etc_files(qmail_lspawn_t)
+corecmd_search_bin(qmail_lspawn_t)
+
files_search_pids(qmail_lspawn_t)
files_search_tmp(qmail_lspawn_t)
########################################
#
-# Queue local policy
+# qmail-queue local policy
+# this component places a mail in a delivery queue, later to be processed by qmail-send
#
allow qmail_queue_t qmail_lspawn_t:fd use;
allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;
+allow qmail_queue_t qmail_smtpd_t:process sigchld;
allow qmail_queue_t qmail_smtpd_t:fd use;
allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;
-allow qmail_queue_t qmail_smtpd_t:process sigchld;
manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
@@ -186,28 +178,34 @@ optional_policy(`
########################################
#
-# Remote local policy
+# qmail-remote local policy
+# this component sends mail via SMTP
#
+allow qmail_remote_t self:tcp_socket create_socket_perms;
+allow qmail_remote_t self:udp_socket create_socket_perms;
+
rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t)
-corenet_all_recvfrom_unlabeled(qmail_remote_t)
corenet_all_recvfrom_netlabel(qmail_remote_t)
corenet_tcp_sendrecv_generic_if(qmail_remote_t)
+corenet_udp_sendrecv_generic_if(qmail_remote_t)
corenet_tcp_sendrecv_generic_node(qmail_remote_t)
-
-corenet_sendrecv_smtp_client_packets(qmail_remote_t)
-corenet_tcp_connect_smtp_port(qmail_remote_t)
+corenet_udp_sendrecv_generic_node(qmail_remote_t)
corenet_tcp_sendrecv_smtp_port(qmail_remote_t)
+corenet_udp_sendrecv_dns_port(qmail_remote_t)
+corenet_tcp_connect_smtp_port(qmail_remote_t)
+corenet_sendrecv_smtp_client_packets(qmail_remote_t)
dev_read_rand(qmail_remote_t)
dev_read_urand(qmail_remote_t)
-sysnet_dns_name_resolve(qmail_remote_t)
+sysnet_read_config(qmail_remote_t)
########################################
#
-# Rspawn local policy
+# qmail-rspawn local policy
+# this component scedules remote deliveries
#
allow qmail_rspawn_t self:process signal_perms;
@@ -217,9 +215,12 @@ allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms;
rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t)
+corecmd_search_bin(qmail_rspawn_t)
+
########################################
#
-# Send local policy
+# qmail-send local policy
+# this component delivers mail messages from the queue
#
allow qmail_send_t self:process signal_perms;
@@ -237,7 +238,8 @@ optional_policy(`
########################################
#
-# Smtpd local policy
+# qmail-smtpd local policy
+# this component receives mails via SMTP
#
allow qmail_smtpd_t self:process signal_perms;
@@ -268,26 +270,26 @@ optional_policy(`
########################################
#
-# Splogger local policy
+# splogger local policy
+# this component creates entries in syslog
#
allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
-files_read_etc_files(qmail_splogger_t)
init_dontaudit_use_script_fds(qmail_splogger_t)
-miscfiles_read_localization(qmail_splogger_t)
########################################
#
-# Start local policy
+# qmail-start local policy
+# this component starts up the mail delivery component
#
allow qmail_start_t self:capability { setgid setuid };
dontaudit qmail_start_t self:capability sys_tty_config;
-allow qmail_start_t self:fifo_file rw_fifo_file_perms;
allow qmail_start_t self:process signal_perms;
+allow qmail_start_t self:fifo_file rw_fifo_file_perms;
can_exec(qmail_start_t, qmail_start_exec_t)
@@ -304,7 +306,8 @@ optional_policy(`
########################################
#
-# Tcp-env local policy
+# tcp-env local policy
+# this component sets up TCP-related environment variables
#
allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
diff --git a/qpid.if b/qpid.if
index fe2adf8ae..f7e9c70b0 100644
--- a/qpid.if
+++ b/qpid.if
@@ -1,4 +1,4 @@
-## Apache QPID AMQP messaging server.
+## policy for qpidd
########################################
##
@@ -15,13 +15,12 @@ interface(`qpidd_domtrans',`
type qpidd_t, qpidd_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, qpidd_exec_t, qpidd_t)
')
-#####################################
+########################################
##
-## Read and write access qpidd semaphores.
+## Execute qpidd server in the qpidd domain.
##
##
##
@@ -29,17 +28,17 @@ interface(`qpidd_domtrans',`
##
##
#
-interface(`qpidd_rw_semaphores',`
+interface(`qpidd_initrc_domtrans',`
gen_require(`
- type qpidd_t;
+ type qpidd_initrc_exec_t;
')
- allow $1 qpidd_t:sem rw_sem_perms;
+ init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
')
########################################
##
-## Read and write qpidd shared memory.
+## Read qpidd PID files.
##
##
##
@@ -47,36 +46,39 @@ interface(`qpidd_rw_semaphores',`
##
##
#
-interface(`qpidd_rw_shm',`
+interface(`qpidd_read_pid_files',`
gen_require(`
- type qpidd_t;
+ type qpidd_var_run_t;
')
- allow $1 qpidd_t:shm rw_shm_perms;
+ files_search_pids($1)
+ allow $1 qpidd_var_run_t:file read_file_perms;
')
########################################
##
-## Execute qpidd init script in
-## the initrc domain.
+## Manage qpidd var_run files.
##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
##
##
#
-interface(`qpidd_initrc_domtrans',`
+interface(`qpidd_manage_var_run',`
gen_require(`
- type qpidd_initrc_exec_t;
+ type qpidd_var_run_t;
')
- init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
+ files_search_pids($1)
+ manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
+ manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
+ manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
')
########################################
##
-## Read qpidd pid files.
+## Search qpidd lib directories.
##
##
##
@@ -84,18 +86,18 @@ interface(`qpidd_initrc_domtrans',`
##
##
#
-interface(`qpidd_read_pid_files',`
+interface(`qpidd_search_lib',`
gen_require(`
- type qpidd_var_run_t;
+ type qpidd_var_lib_t;
')
- files_search_pids($1)
- allow $1 qpidd_var_run_t:file read_file_perms;
+ allow $1 qpidd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
')
########################################
##
-## Search qpidd lib directories.
+## Read qpidd lib files.
##
##
##
@@ -103,18 +105,19 @@ interface(`qpidd_read_pid_files',`
##
##
#
-interface(`qpidd_search_lib',`
+interface(`qpidd_read_lib_files',`
gen_require(`
type qpidd_var_lib_t;
')
files_search_var_lib($1)
- allow $1 qpidd_var_lib_t:dir search_dir_perms;
+ read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
')
########################################
##
-## Read qpidd lib files.
+## Create, read, write, and delete
+## qpidd lib files.
##
##
##
@@ -122,19 +125,18 @@ interface(`qpidd_search_lib',`
##
##
#
-interface(`qpidd_read_lib_files',`
+interface(`qpidd_manage_lib_files',`
gen_require(`
type qpidd_var_lib_t;
')
files_search_var_lib($1)
- read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
')
########################################
##
-## Create, read, write, and delete
-## qpidd lib files.
+## Manage qpidd var_lib files.
##
##
##
@@ -142,49 +144,94 @@ interface(`qpidd_read_lib_files',`
##
##
#
-interface(`qpidd_manage_lib_files',`
+interface(`qpidd_manage_var_lib',`
gen_require(`
type qpidd_var_lib_t;
')
files_search_var_lib($1)
+ manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+ manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
')
-########################################
+#####################################
##
-## All of the rules required to
-## administrate an qpidd environment.
+## Allow read and write access to qpidd semaphores.
##
##
##
## Domain allowed access.
##
##
+#
+interface(`qpidd_rw_semaphores',`
+ gen_require(`
+ type qpidd_t;
+ ')
+
+ allow $1 qpidd_t:sem rw_sem_perms;
+')
+
+#######################################
+##
+## Read and write to qpidd shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`qpidd_rw_shm',`
+ gen_require(`
+ type qpidd_t;
+ type qpidd_tmpfs_t;
+ ')
+
+ allow $1 qpidd_t:shm rw_shm_perms;
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t)
+')
+
+#######################################
+##
+## All of the rules required to
+## administrate an qpidd environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
##
-##
-## Role allowed access.
-##
+##
+## Role allowed access.
+##
##
##
#
interface(`qpidd_admin',`
- gen_require(`
- type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t;
- type qpidd_var_run_t;
- ')
+ gen_require(`
+ type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t;
+ type qpidd_var_run_t;
+ ')
- allow $1 qpidd_t:process { ptrace signal_perms };
- ps_process_pattern($1, qpidd_t)
+ allow $1 qpidd_t:process { signal_perms };
+ ps_process_pattern($1, qpidd_t)
- qpidd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 qpidd_initrc_exec_t system_r;
- allow $2 system_r;
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 qpidd_t:process ptrace;
+ ')
- files_search_var_lib($1)
- admin_pattern($1, qpidd_var_lib_t)
+ qpidd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 qpidd_initrc_exec_t system_r;
+ allow $2 system_r;
- files_search_pids($1)
- admin_pattern($1, qpidd_var_run_t)
+ files_search_var_lib($1)
+ admin_pattern($1, qpidd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, qpidd_var_run_t)
')
diff --git a/qpid.te b/qpid.te
index 83eb09ef6..a5e7068f6 100644
--- a/qpid.te
+++ b/qpid.te
@@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
type qpidd_initrc_exec_t;
init_script_file(qpidd_initrc_exec_t)
+type qpidd_tmp_t;
+files_tmp_file(qpidd_tmp_t)
+
type qpidd_tmpfs_t;
files_tmpfs_file(qpidd_tmpfs_t)
@@ -33,41 +36,58 @@ allow qpidd_t self:shm create_shm_perms;
allow qpidd_t self:tcp_socket { accept listen };
allow qpidd_t self:unix_stream_socket { accept listen };
+manage_dirs_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t)
+manage_files_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t)
+files_tmp_filetrans(qpidd_t, qpidd_tmp_t, { dir file })
+
manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file })
-manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
-manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
-files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir })
+manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+manage_lnk_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir lnk_file })
+allow qpidd_t qpidd_var_lib_t:file map;
-manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
-manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
+manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
+manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir })
kernel_read_system_state(qpidd_t)
+kernel_read_network_state(qpidd_t)
+
+auth_read_passwd(qpidd_t)
-corenet_all_recvfrom_unlabeled(qpidd_t)
corenet_all_recvfrom_netlabel(qpidd_t)
+corenet_tcp_bind_generic_node(qpidd_t)
corenet_tcp_sendrecv_generic_if(qpidd_t)
corenet_tcp_sendrecv_generic_node(qpidd_t)
-corenet_tcp_bind_generic_node(qpidd_t)
corenet_sendrecv_amqp_server_packets(qpidd_t)
corenet_tcp_bind_amqp_port(qpidd_t)
corenet_tcp_sendrecv_amqp_port(qpidd_t)
+corenet_tcp_connect_amqp_port(qpidd_t)
+
+corenet_tcp_bind_matahari_port(qpidd_t)
+corenet_tcp_connect_matahari_port(qpidd_t)
dev_read_sysfs(qpidd_t)
dev_read_urand(qpidd_t)
+dev_read_rand(qpidd_t)
-files_read_etc_files(qpidd_t)
+# needed by ssl
+files_list_tmp(qpidd_t)
logging_send_syslog_msg(qpidd_t)
-miscfiles_read_localization(qpidd_t)
-
sysnet_dns_name_resolve(qpidd_t)
optional_policy(`
- corosync_stream_connect(qpidd_t)
+ kerberos_use(qpidd_t)
')
+
+optional_policy(`
+ rhcs_stream_connect_cluster(qpidd_t)
+')
+
diff --git a/quantum.fc b/quantum.fc
index 70ab68b02..b985b6570 100644
--- a/quantum.fc
+++ b/quantum.fc
@@ -1,10 +1,34 @@
-/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/neutron.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
-/usr/bin/quantum-server -- gen_context(system_u:object_r:quantum_exec_t,s0)
-/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
-/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
-/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
+/usr/bin/neutron-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-l3-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-lbaas-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-metadata-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-netns-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-ns-metadata-proxy -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-rootwrap -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-linuxbridge-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-openvswitch-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-ovs-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-ryu-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-server -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-l3-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-ovs-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-server -- gen_context(system_u:object_r:neutron_exec_t,s0)
-/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0)
+/usr/lib/systemd/system/neutron.* -- gen_context(system_u:object_r:neutron_unit_file_t,s0)
+/usr/lib/systemd/system/quantum.* -- gen_context(system_u:object_r:neutron_unit_file_t,s0)
-/var/log/quantum(/.*)? gen_context(system_u:object_r:quantum_log_t,s0)
+/var/lib/neutron(/.*)? gen_context(system_u:object_r:neutron_var_lib_t,s0)
+/var/lib/quantum(/.*)? gen_context(system_u:object_r:neutron_var_lib_t,s0)
+
+/var/log/neutron(/.*)? gen_context(system_u:object_r:neutron_log_t,s0)
+/var/log/quantum(/.*)? gen_context(system_u:object_r:neutron_log_t,s0)
+
+/var/run/neutron(/.*)? gen_context(system_u:object_r:neutron_var_run_t,s0)
+/var/run/quantum(/.*)? gen_context(system_u:object_r:neutron_var_run_t,s0)
diff --git a/quantum.if b/quantum.if
index afc00688d..e974fad4b 100644
--- a/quantum.if
+++ b/quantum.if
@@ -2,41 +2,314 @@
########################################
##
-## All of the rules required to
-## administrate an quantum environment.
+## Transition to neutron.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`neutron_domtrans',`
+ gen_require(`
+ type neutron_t, neutron_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, neutron_exec_t, neutron_t)
+')
+
+########################################
+##
+## Allow read/write neutron pipes
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`neutron_rw_inherited_pipes',`
+ gen_require(`
+ type neutron_t;
+ ')
+
+ allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+##
+## Send sigchld to neutron.
##
##
##
## Domain allowed access.
##
##
-##
+#
+#
+interface(`neutron_sigchld',`
+ gen_require(`
+ type neutron_t;
+ ')
+
+ allow $1 neutron_t:process sigchld;
+')
+
+########################################
+##
+## Read neutron's log files.
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
##
#
-interface(`quantum_admin',`
+interface(`neutron_read_log',`
+ gen_require(`
+ type neutron_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, neutron_log_t, neutron_log_t)
+')
+
+########################################
+##
+## Append to neutron log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`neutron_append_log',`
+ gen_require(`
+ type neutron_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, neutron_log_t, neutron_log_t)
+')
+
+########################################
+##
+## Manage neutron log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`neutron_manage_log',`
+ gen_require(`
+ type neutron_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, neutron_log_t, neutron_log_t)
+ manage_files_pattern($1, neutron_log_t, neutron_log_t)
+ manage_lnk_files_pattern($1, neutron_log_t, neutron_log_t)
+')
+
+########################################
+##
+## Search neutron lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`neutron_search_lib',`
+ gen_require(`
+ type neutron_var_lib_t;
+ ')
+
+ allow $1 neutron_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read neutron lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`neutron_read_lib_files',`
gen_require(`
- type quantum_t, quantum_initrc_exec_t, quantum_log_t;
- type quantum_var_lib_t, quantum_tmp_t;
+ type neutron_var_lib_t;
')
- allow $1 quantum_t:process { ptrace signal_perms };
- ps_process_pattern($1, quantum_t)
+ files_search_var_lib($1)
+ read_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+')
+
+########################################
+##
+## Manage neutron lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`neutron_manage_lib_files',`
+ gen_require(`
+ type neutron_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+ manage_sock_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+')
+
+########################################
+##
+## Manage neutron lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`neutron_manage_lib_dirs',`
+ gen_require(`
+ type neutron_var_lib_t;
+ ')
- init_labeled_script_domtrans($1, quantum_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 quantum_initrc_exec_t system_r;
- allow $2 system_r;
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+')
+
+########################################
+##
+## Read and write neutron fifo files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`neutron_rw_fifo_file',`
+ gen_require(`
+ type neutron_t;
+ ')
+
+ allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+#####################################
+##
+## Connect to neutron over a unix domain
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`neutron_stream_connect',`
+ gen_require(`
+ type neutron_t;
+ type neutron_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, neutron_var_lib_t, neutron_var_lib_t, neutron_t )
+')
+
+########################################
+##
+## Execute neutron server in the neutron domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`neutron_systemctl',`
+ gen_require(`
+ type neutron_t;
+ type neutron_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 neutron_unit_file_t:file read_file_perms;
+ allow $1 neutron_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, neutron_t)
+')
+
+#######################################
+##
+## Read neutron process state files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`neutron_read_state',`
+ gen_require(`
+ type neutron_t;
+ ')
+
+ allow $1 neutron_t:dir search_dir_perms;
+ allow $1 neutron_t:file read_file_perms;
+ allow $1 neutron_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an neutron environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`neutron_admin',`
+ gen_require(`
+ type neutron_t;
+ type neutron_log_t;
+ type neutron_var_lib_t;
+ type neutron_unit_file_t;
+ ')
+
+ allow $1 neutron_t:process { ptrace signal_perms };
+ ps_process_pattern($1, neutron_t)
logging_search_logs($1)
- admin_pattern($1, quantum_log_t)
+ admin_pattern($1, neutron_log_t)
files_search_var_lib($1)
- admin_pattern($1, quantum_var_lib_t)
+ admin_pattern($1, neutron_var_lib_t)
- files_search_tmp($1)
- admin_pattern($1, quantum_tmp_t)
+ neutron_systemctl($1)
+ admin_pattern($1, neutron_unit_file_t)
+ allow $1 neutron_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/quantum.te b/quantum.te
index 8644d8b3f..6c415e8b9 100644
--- a/quantum.te
+++ b/quantum.te
@@ -5,92 +5,185 @@ policy_module(quantum, 1.1.0)
# Declarations
#
-type quantum_t;
-type quantum_exec_t;
-init_daemon_domain(quantum_t, quantum_exec_t)
+##
+##
+## Determine whether neutron can
+## connect to all TCP ports
+##
+##
+gen_tunable(neutron_can_network, false)
-type quantum_initrc_exec_t;
-init_script_file(quantum_initrc_exec_t)
+type neutron_t alias quantum_t;
+type neutron_exec_t alias quantum_exec_t;
+init_daemon_domain(neutron_t, neutron_exec_t)
-type quantum_log_t;
-logging_log_file(quantum_log_t)
+type neutron_initrc_exec_t alias quantum_initrc_exec_t;
+init_script_file(neutron_initrc_exec_t)
-type quantum_tmp_t;
-files_tmp_file(quantum_tmp_t)
+type neutron_log_t alias quantum_log_t;
+logging_log_file(neutron_log_t)
-type quantum_var_lib_t;
-files_type(quantum_var_lib_t)
+type neutron_tmp_t alias quantum_tmp_t;
+files_tmp_file(neutron_tmp_t)
+
+type neutron_var_lib_t alias quantum_var_lib_t;
+files_type(neutron_var_lib_t)
+
+type neutron_var_run_t alias quantum_var_run_t;
+files_pid_file(neutron_var_run_t)
+
+type neutron_unit_file_t alias quantum_unit_file_t;
+systemd_unit_file(neutron_unit_file_t)
########################################
#
# Local policy
#
-allow quantum_t self:capability { setgid setuid sys_resource };
-allow quantum_t self:process { setsched setrlimit };
-allow quantum_t self:fifo_file rw_fifo_file_perms;
-allow quantum_t self:key manage_key_perms;
-allow quantum_t self:tcp_socket { accept listen };
-allow quantum_t self:unix_stream_socket { accept listen };
-
-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-logging_log_filetrans(quantum_t, quantum_log_t, dir)
-
-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
-
-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
-
-can_exec(quantum_t, quantum_tmp_t)
-
-kernel_read_kernel_sysctls(quantum_t)
-kernel_read_system_state(quantum_t)
-
-corecmd_exec_shell(quantum_t)
-corecmd_exec_bin(quantum_t)
-
-corenet_all_recvfrom_unlabeled(quantum_t)
-corenet_all_recvfrom_netlabel(quantum_t)
-corenet_tcp_sendrecv_generic_if(quantum_t)
-corenet_tcp_sendrecv_generic_node(quantum_t)
-corenet_tcp_sendrecv_all_ports(quantum_t)
-corenet_tcp_bind_generic_node(quantum_t)
-
-dev_list_sysfs(quantum_t)
-dev_read_urand(quantum_t)
+allow neutron_t self:capability { chown dac_read_search dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
+allow neutron_t self:capability2 block_suspend;
+allow neutron_t self:process { setsched setrlimit setcap signal_perms };
+
+allow neutron_t self:fifo_file rw_fifo_file_perms;
+allow neutron_t self:key manage_key_perms;
+allow neutron_t self:tcp_socket { accept listen };
+allow neutron_t self:unix_stream_socket { accept listen connectto };
+allow neutron_t self:netlink_route_socket rw_netlink_socket_perms;
+allow neutron_t self:rawip_socket create_socket_perms;
+allow neutron_t self:packet_socket create_socket_perms;
+
+manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
+append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+logging_log_filetrans(neutron_t, neutron_log_t, dir)
+
+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
+manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
+files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir })
+
+manage_files_pattern(neutron_t, neutron_var_run_t, neutron_var_run_t)
+manage_dirs_pattern(neutron_t, neutron_var_run_t, neutron_var_run_t)
+files_pid_filetrans(neutron_t, neutron_var_run_t, { file dir })
+
+manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
+
+can_exec(neutron_t, neutron_tmp_t)
+
+kernel_rw_kernel_sysctl(neutron_t)
+kernel_rw_net_sysctls(neutron_t)
+kernel_read_system_state(neutron_t)
+kernel_read_network_state(neutron_t)
+kernel_request_load_module(neutron_t)
+
+corecmd_exec_shell(neutron_t)
+corecmd_exec_bin(neutron_t)
+
+corenet_all_recvfrom_unlabeled(neutron_t)
+corenet_all_recvfrom_netlabel(neutron_t)
+corenet_tcp_sendrecv_generic_if(neutron_t)
+corenet_tcp_sendrecv_generic_node(neutron_t)
+corenet_tcp_sendrecv_all_ports(neutron_t)
+corenet_tcp_bind_generic_node(neutron_t)
+
+corenet_tcp_bind_neutron_port(neutron_t)
+corenet_tcp_connect_neutron_port(neutron_t)
+corenet_tcp_connect_keystone_port(neutron_t)
+corenet_tcp_connect_amqp_port(neutron_t)
+corenet_tcp_connect_mysqld_port(neutron_t)
+corenet_tcp_connect_osapi_compute_port(neutron_t)
+
+domain_read_all_domains_state(neutron_t)
+domain_named_filetrans(neutron_t)
+
+dev_read_sysfs(neutron_t)
+dev_read_urand(neutron_t)
+dev_mounton_sysfs(neutron_t)
+dev_mount_sysfs_fs(neutron_t)
+dev_unmount_sysfs_fs(neutron_t)
+
+files_mounton_non_security(neutron_t)
+
+auth_use_pam(neutron_t)
+
+init_rw_utmp(neutron_t)
+
+libs_exec_ldconfig(neutron_t)
+
+logging_send_audit_msgs(neutron_t)
+logging_send_syslog_msg(neutron_t)
+
+netutils_exec(neutron_t)
+
+# need to stay in neutron
+sysnet_exec_ifconfig(neutron_t)
+sysnet_manage_ifconfig_run(neutron_t)
+sysnet_filetrans_named_content_ifconfig(neutron_t)
+
+tunable_policy(`neutron_can_network',`
+ corenet_sendrecv_all_client_packets(neutron_t)
+ corenet_tcp_connect_all_ports(neutron_t)
+ corenet_tcp_sendrecv_all_ports(neutron_t)
+')
-files_read_usr_files(quantum_t)
+optional_policy(`
+ dbus_system_bus_client(neutron_t)
+')
-auth_use_nsswitch(quantum_t)
+optional_policy(`
+ brctl_domtrans(neutron_t)
+')
-libs_exec_ldconfig(quantum_t)
+optional_policy(`
+ dnsmasq_domtrans(neutron_t)
+ dnsmasq_signal(neutron_t)
+ dnsmasq_kill(neutron_t)
+ dnsmasq_read_state(neutron_t)
+')
-logging_send_audit_msgs(quantum_t)
-logging_send_syslog_msg(quantum_t)
+optional_policy(`
+ rhcs_domtrans_haproxy(neutron_t)
+ rhcs_stream_connect_haproxy(neutron_t)
+')
-miscfiles_read_localization(quantum_t)
+optional_policy(`
+ iptables_domtrans(neutron_t)
+')
-sysnet_domtrans_ifconfig(quantum_t)
+optional_policy(`
+ modutils_domtrans_insmod(neutron_t)
+')
optional_policy(`
- brctl_domtrans(quantum_t)
+ mysql_stream_connect(neutron_t)
+ mysql_read_db_lnk_files(neutron_t)
+ mysql_read_config(neutron_t)
+ mysql_tcp_connect(neutron_t)
')
optional_policy(`
- mysql_stream_connect(quantum_t)
- mysql_read_config(quantum_t)
+ postgresql_stream_connect(neutron_t)
+ postgresql_unpriv_client(neutron_t)
+ postgresql_tcp_connect(neutron_t)
+')
- mysql_tcp_connect(quantum_t)
+optional_policy(`
+ openvswitch_domtrans(neutron_t)
+ openvswitch_stream_connect(neutron_t)
')
optional_policy(`
- postgresql_stream_connect(quantum_t)
- postgresql_unpriv_client(quantum_t)
+ rpm_exec(neutron_t)
+ rpm_read_db(neutron_t)
+')
- postgresql_tcp_connect(quantum_t)
+optional_policy(`
+ sudo_exec(neutron_t)
')
+
+optional_policy(`
+ udev_domtrans(neutron_t)
+')
diff --git a/quota.fc b/quota.fc
index cadabe360..54ba01d0d 100644
--- a/quota.fc
+++ b/quota.fc
@@ -1,6 +1,5 @@
HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-
-HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
@@ -8,24 +7,24 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-/etc/rc\.d/init\.d/quota_nld -- gen_context(system_u:object_r:quota_nld_initrc_exec_t,s0)
-
-/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
-/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
+/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
-/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
/usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
-/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
+/var/spool/cron/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/spool/(.*/)?a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
+ifdef(`distro_redhat',`
+/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+',`
+/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+')
-/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0)
+/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
-/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/lib/stickshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/lib/openshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-/var/spool/imap/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-/var/spool/(client)?mqueue/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-/var/spool/mqueue\.in/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-/var/spool/mail/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0)
diff --git a/quota.if b/quota.if
index da6421861..3fb8575ca 100644
--- a/quota.if
+++ b/quota.if
@@ -1,4 +1,4 @@
-## File system quota management.
+## File system quota management
########################################
##
@@ -21,9 +21,8 @@ interface(`quota_domtrans',`
########################################
##
-## Execute quota management tools in
-## the quota domain, and allow the
-## specified role the quota domain.
+## Execute quota management tools in the quota domain, and
+## allow the specified role the quota domain.
##
##
##
@@ -39,90 +38,54 @@ interface(`quota_domtrans',`
#
interface(`quota_run',`
gen_require(`
- attribute_role quota_roles;
+ type quota_t;
')
quota_domtrans($1)
- roleattribute $2 quota_roles;
+ role $2 types quota_t;
')
#######################################
##
-## Execute quota nld in the quota nld domain.
+## Alow to read of filesystem quota data files.
##
##
-##
-## Domain allowed to transition.
-##
+##
+## Domain to not audit.
+##
##
#
-interface(`quota_domtrans_nld',`
- gen_require(`
- type quota_nld_t, quota_nld_exec_t;
- ')
+interface(`quota_read_db',`
+ gen_require(`
+ type quota_db_t;
+ ')
- corecmd_search_bin($1)
- domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
+ allow $1 quota_db_t:file read_file_perms;
')
########################################
##
-## Create, read, write, and delete
-## quota db files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`quota_manage_db_files',`
- gen_require(`
- type quota_db_t;
- ')
-
- allow $1 quota_db_t:file manage_file_perms;
-')
-
-########################################
-##
-## Create specified objects in specified
-## directories with a type transition to
-## the quota db file type.
+## Do not audit attempts to get the attributes
+## of filesystem quota data files.
##
##
##
-## Domain allowed access.
-##
-##
-##
-##
-## Directory to transition on.
-##
-##
-##
-##
-## The object class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
+## Domain to not audit.
##
##
#
-interface(`quota_spec_filetrans_db',`
+interface(`quota_dontaudit_getattr_db',`
gen_require(`
type quota_db_t;
')
- filetrans_pattern($1, $2, quota_db_t, $3, $4)
+ dontaudit $1 quota_db_t:file getattr_file_perms;
')
########################################
##
-## Do not audit attempts to get attributes
-## of filesystem quota data files.
+## Create, read, write, and delete quota
+## db files.
##
##
##
@@ -130,18 +93,18 @@ interface(`quota_spec_filetrans_db',`
##
##
#
-interface(`quota_dontaudit_getattr_db',`
+interface(`quota_manage_db',`
gen_require(`
type quota_db_t;
')
- dontaudit $1 quota_db_t:file getattr_file_perms;
+ allow $1 quota_db_t:file manage_file_perms;
')
########################################
##
-## Create, read, write, and delete
-## quota flag files.
+## Create, read, write, and delete quota
+## flag files.
##
##
##
@@ -160,37 +123,56 @@ interface(`quota_manage_flags',`
########################################
##
-## All of the rules required to
-## administrate an quota environment.
+## Transition to quota named content
##
##
##
-## Domain allowed access.
-##
-##
-##
-##
-## Role allowed access.
+## Domain allowed access.
##
##
-##
#
-interface(`quota_admin',`
+interface(`quota_filetrans_named_content',`
gen_require(`
- type quota_nld_t, quota_t, quota_db_t;
- type quota_nld_initrc_exec_t, quota_flag_t, quota_nld_var_run_t;
+ type quota_db_t;
')
- allow $1 { quota_nld_t quota_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { quota_nld_t quota_t })
-
- init_labeled_script_domtrans($1, quota_nld_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 quota_nld_initrc_exec_t system_r;
- allow $2 system_r;
+ files_root_filetrans($1, quota_db_t, file, "aquota.user")
+ files_root_filetrans($1, quota_db_t, file, "aquota.group")
+ files_boot_filetrans($1, quota_db_t, file, "aquota.user")
+ files_boot_filetrans($1, quota_db_t, file, "aquota.group")
+ files_etc_filetrans($1, quota_db_t, file, "aquota.user")
+ files_etc_filetrans($1, quota_db_t, file, "aquota.group")
+ files_tmp_filetrans($1, quota_db_t, file, "aquota.user")
+ files_tmp_filetrans($1, quota_db_t, file, "aquota.group")
+ files_home_filetrans($1, quota_db_t, file, "aquota.user")
+ files_home_filetrans($1, quota_db_t, file, "aquota.group")
+ files_usr_filetrans($1, quota_db_t, file, "aquota.user")
+ files_usr_filetrans($1, quota_db_t, file, "aquota.group")
+ files_var_filetrans($1, quota_db_t, file, "aquota.user")
+ files_var_filetrans($1, quota_db_t, file, "aquota.group")
+ files_spool_filetrans($1, quota_db_t, file, "aquota.user")
+ files_spool_filetrans($1, quota_db_t, file, "aquota.group")
+ mta_spool_filetrans($1, quota_db_t, file, "aquota.user")
+ mta_spool_filetrans($1, quota_db_t, file, "aquota.group")
+ mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.user")
+ mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.group")
+')
- files_list_all($1)
- admin_pattern($1, { quota_db_t quota_flag quota_nld_var_run_t })
+#######################################
+##
+## Transition to quota_nld.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`quota_domtrans_nld',`
+ gen_require(`
+ type quota_nld_t, quota_nld_exec_t;
+ ')
- quota_run($1, $2)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
')
diff --git a/quota.te b/quota.te
index f47c8e81f..0f0b0b43f 100644
--- a/quota.te
+++ b/quota.te
@@ -5,12 +5,10 @@ policy_module(quota, 1.6.0)
# Declarations
#
-attribute_role quota_roles;
-
type quota_t;
type quota_exec_t;
-init_system_domain(quota_t, quota_exec_t)
-role quota_roles types quota_t;
+application_domain(quota_t, quota_exec_t)
+#init_system_domain(quota_t, quota_exec_t)
type quota_db_t;
files_type(quota_db_t)
@@ -22,9 +20,6 @@ type quota_nld_t;
type quota_nld_exec_t;
init_daemon_domain(quota_nld_t, quota_nld_exec_t)
-type quota_nld_initrc_exec_t;
-init_script_file(quota_nld_initrc_exec_t)
-
type quota_nld_var_run_t;
files_pid_file(quota_nld_var_run_t)
@@ -33,10 +28,11 @@ files_pid_file(quota_nld_var_run_t)
# Local policy
#
-allow quota_t self:capability { sys_admin dac_override };
+allow quota_t self:capability { sys_admin dac_read_search dac_override };
dontaudit quota_t self:capability sys_tty_config;
allow quota_t self:process signal_perms;
+# for /quota.*
allow quota_t quota_db_t:file { manage_file_perms quotaon };
files_root_filetrans(quota_t, quota_db_t, file)
files_boot_filetrans(quota_t, quota_db_t, file)
@@ -48,24 +44,15 @@ files_var_filetrans(quota_t, quota_db_t, file)
files_spool_filetrans(quota_t, quota_db_t, file)
userdom_user_home_dir_filetrans(quota_t, quota_db_t, file)
-kernel_request_load_module(quota_t)
kernel_list_proc(quota_t)
kernel_read_proc_symlinks(quota_t)
kernel_read_kernel_sysctls(quota_t)
-kernel_setsched(quota_t)
+kernel_dontaudit_setsched(quota_t)
dev_read_sysfs(quota_t)
dev_getattr_all_blk_files(quota_t)
dev_getattr_all_chr_files(quota_t)
-files_list_all(quota_t)
-files_read_all_files(quota_t)
-files_read_all_symlinks(quota_t)
-files_getattr_all_pipes(quota_t)
-files_getattr_all_sockets(quota_t)
-files_getattr_all_file_type_fs(quota_t)
-files_read_etc_runtime_files(quota_t)
-
fs_get_xattr_fs_quotas(quota_t)
fs_set_xattr_fs_quotas(quota_t)
fs_getattr_xattr_fs(quota_t)
@@ -80,17 +67,28 @@ term_dontaudit_use_console(quota_t)
domain_use_interactive_fds(quota_t)
+files_list_all(quota_t)
+files_read_all_files(quota_t)
+files_read_all_symlinks(quota_t)
+files_getattr_all_pipes(quota_t)
+files_getattr_all_sockets(quota_t)
+files_getattr_all_file_type_fs(quota_t)
+# Read /etc/mtab.
+files_read_etc_runtime_files(quota_t)
+
init_use_fds(quota_t)
init_use_script_ptys(quota_t)
logging_send_syslog_msg(quota_t)
-userdom_use_user_terminals(quota_t)
+mta_spool_filetrans(quota_t, quota_db_t, file)
+mta_spool_filetrans_queue(quota_t, quota_db_t, file)
+
+userdom_use_inherited_user_terminals(quota_t)
userdom_dontaudit_use_unpriv_user_fds(quota_t)
optional_policy(`
- mta_queue_filetrans(quota_t, quota_db_t, file)
- mta_spool_filetrans(quota_t, quota_db_t, file)
+ openshift_lib_filetrans(quota_t, quota_db_t, file)
')
optional_policy(`
@@ -103,12 +101,13 @@ optional_policy(`
#######################################
#
-# Nld local policy
+# Local policy
#
allow quota_nld_t self:fifo_file rw_fifo_file_perms;
allow quota_nld_t self:netlink_socket create_socket_perms;
-allow quota_nld_t self:unix_stream_socket { accept listen };
+allow quota_nld_t self:netlink_generic_socket create_socket_perms;
+allow quota_nld_t self:unix_stream_socket create_stream_socket_perms;
manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t)
files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file })
@@ -121,11 +120,9 @@ init_read_utmp(quota_nld_t)
logging_send_syslog_msg(quota_nld_t)
-miscfiles_read_localization(quota_nld_t)
-
userdom_use_user_terminals(quota_nld_t)
optional_policy(`
- dbus_system_bus_client(quota_nld_t)
- dbus_connect_system_bus(quota_nld_t)
+ dbus_system_bus_client(quota_nld_t)
+ dbus_connect_system_bus(quota_nld_t)
')
diff --git a/rabbitmq.fc b/rabbitmq.fc
index c5ad6de76..af2d46f13 100644
--- a/rabbitmq.fc
+++ b/rabbitmq.fc
@@ -1,10 +1,18 @@
/etc/rc\.d/init\.d/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_initrc_exec_t,s0)
-/usr/lib/erlang/erts.*/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)
-/usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
+/usr/lib/systemd/system/rabbitmq-server.* -- gen_context(system_u:object_r:rabbitmq_unit_file_t,s0)
+/usr/lib/systemd/system/ejabberd.* -- gen_context(system_u:object_r:rabbitmq_unit_file_t,s0)
+
+/usr/lib/rabbitmq/lib/rabbitmq_server-.*/sbin/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_exec_t,s0)
+
+/usr/bin/ejabberdctl -- gen_context(system_u:object_r:rabbitmq_exec_t,s0)
/var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
+/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
+
+/var/lock/ejabberdctl(/.*)? gen_context(system_u:object_r:rabbitmq_var_lock_t,s0)
/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
+/var/log/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
/var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0)
diff --git a/rabbitmq.if b/rabbitmq.if
index 2c3d33896..7d49554eb 100644
--- a/rabbitmq.if
+++ b/rabbitmq.if
@@ -38,12 +38,12 @@ interface(`rabbitmq_domtrans',`
#
interface(`rabbitmq_admin',`
gen_require(`
- type rabbitmq_epmd_t, rabbitmq_beam_t, rabbitmq_initrc_exec_t;
+ type rabbitmq_t, rabbitmq_initrc_exec_t;
type rabbitmq_var_lib_t, rabbitmq_var_log_t, rabbitmq_var_run_t;
')
- allow $1 { rabbitmq_epmd_t rabbitmq_beam_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { rabbitmq_epmd_t rabbitmq_beam_t })
+ allow $1 { rabbitmq_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, rabbitmq_t)
init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/rabbitmq.te b/rabbitmq.te
index dc3b0ed87..f14522964 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
@@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.2)
# Declarations
#
-type rabbitmq_epmd_t;
-type rabbitmq_epmd_exec_t;
-init_daemon_domain(rabbitmq_epmd_t, rabbitmq_epmd_exec_t)
+type rabbitmq_t;
+type rabbitmq_exec_t;
+init_daemon_domain(rabbitmq_t, rabbitmq_exec_t)
-type rabbitmq_beam_t;
-type rabbitmq_beam_exec_t;
-init_daemon_domain(rabbitmq_beam_t, rabbitmq_beam_exec_t)
+typealias rabbitmq_t alias {rabbitmq_beam_t rabbitmq_epmd_t};
+
+type rabbitmq_unit_file_t;
+systemd_unit_file(rabbitmq_unit_file_t)
type rabbitmq_initrc_exec_t;
init_script_file(rabbitmq_initrc_exec_t)
@@ -19,106 +20,111 @@ init_script_file(rabbitmq_initrc_exec_t)
type rabbitmq_var_lib_t;
files_type(rabbitmq_var_lib_t)
+type rabbitmq_var_lock_t;
+files_lock_file(rabbitmq_var_lock_t)
+
type rabbitmq_var_log_t;
logging_log_file(rabbitmq_var_log_t)
type rabbitmq_var_run_t;
files_pid_file(rabbitmq_var_run_t)
-######################################
-#
-# Beam local policy
-#
-
-allow rabbitmq_beam_t self:process { setsched signal signull };
-allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
-allow rabbitmq_beam_t self:tcp_socket { accept listen };
-
-manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
-manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
-
-manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-
-manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
-manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
-
-can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
-
-domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
-
-kernel_read_system_state(rabbitmq_beam_t)
-kernel_read_fs_sysctls(rabbitmq_beam_t)
-
-corecmd_exec_bin(rabbitmq_beam_t)
-corecmd_exec_shell(rabbitmq_beam_t)
-
-corenet_all_recvfrom_unlabeled(rabbitmq_beam_t)
-corenet_all_recvfrom_netlabel(rabbitmq_beam_t)
-corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t)
-corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t)
-corenet_tcp_bind_generic_node(rabbitmq_beam_t)
-
-corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
-corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
-
-corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
-corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
-corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
+type rabbitmq_tmp_t;
+files_tmp_file(rabbitmq_tmp_t)
-corenet_sendrecv_couchdb_server_packets(rabbitmq_beam_t)
-corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
-corenet_tcp_sendrecv_couchdb_port(rabbitmq_beam_t)
-
-dev_read_sysfs(rabbitmq_beam_t)
-dev_read_urand(rabbitmq_beam_t)
-
-fs_getattr_all_fs(rabbitmq_beam_t)
-fs_search_cgroup_dirs(rabbitmq_beam_t)
-
-files_read_etc_files(rabbitmq_beam_t)
-
-storage_getattr_fixed_disk_dev(rabbitmq_beam_t)
-
-miscfiles_read_localization(rabbitmq_beam_t)
-
-sysnet_dns_name_resolve(rabbitmq_beam_t)
-
- optional_policy(`
- couchdb_manage_lib_files(rabbitmq_beam_t)
- couchdb_read_conf_files(rabbitmq_beam_t)
- couchdb_read_log_files(rabbitmq_beam_t)
- couchdb_read_pid_files(rabbitmq_beam_t)
- ')
-
-########################################
+######################################
#
-# Epmd local policy
+# Rabbitmq local policy
#
+allow rabbitmq_t self:capability setuid;
+
+allow rabbitmq_t self:process { setsched signal signull };
+allow rabbitmq_t self:fifo_file rw_fifo_file_perms;
+allow rabbitmq_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+files_var_lib_filetrans(rabbitmq_t, rabbitmq_var_lib_t, { dir file })
+
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+logging_log_filetrans(rabbitmq_t, rabbitmq_var_log_t, { dir file })
+
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
+files_lock_filetrans(rabbitmq_t, rabbitmq_var_lock_t, file)
+
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+files_pid_filetrans(rabbitmq_t, rabbitmq_var_run_t, { dir file })
+
+manage_dirs_pattern(rabbitmq_t, rabbitmq_tmp_t, rabbitmq_tmp_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_tmp_t, rabbitmq_tmp_t)
+files_tmp_filetrans(rabbitmq_t, rabbitmq_tmp_t, { file dir })
+
+kernel_read_system_state(rabbitmq_t)
+kernel_read_fs_sysctls(rabbitmq_t)
+
+corecmd_exec_bin(rabbitmq_t)
+corecmd_exec_shell(rabbitmq_t)
+
+corenet_tcp_bind_generic_node(rabbitmq_t)
+corenet_udp_bind_generic_node(rabbitmq_t)
+corenet_all_recvfrom_unlabeled(rabbitmq_t)
+corenet_all_recvfrom_netlabel(rabbitmq_t)
+corenet_tcp_sendrecv_generic_if(rabbitmq_t)
+corenet_tcp_sendrecv_generic_node(rabbitmq_t)
+corenet_tcp_bind_generic_node(rabbitmq_t)
+corenet_tcp_connect_all_ephemeral_ports(rabbitmq_t)
+corenet_tcp_bind_all_ephemeral_ports(rabbitmq_t)
+corenet_sendrecv_amqp_server_packets(rabbitmq_t)
+corenet_sendrecv_epmd_client_packets(rabbitmq_t)
+corenet_tcp_sendrecv_amqp_port(rabbitmq_t)
+corenet_tcp_bind_amqp_port(rabbitmq_t)
+corenet_tcp_bind_epmd_port(rabbitmq_t)
+corenet_tcp_bind_jabber_client_port(rabbitmq_t)
+corenet_tcp_bind_jabber_interserver_port(rabbitmq_t)
+corenet_tcp_bind_rabbitmq_port(rabbitmq_t)
+corenet_tcp_connect_amqp_port(rabbitmq_t)
+corenet_tcp_connect_epmd_port(rabbitmq_t)
+corenet_tcp_connect_jabber_interserver_port(rabbitmq_t)
+corenet_tcp_sendrecv_epmd_port(rabbitmq_t)
+corenet_tcp_connect_http_port(rabbitmq_t)
+corenet_tcp_connect_rabbitmq_port(rabbitmq_t)
+
+domain_read_all_domains_state(rabbitmq_t)
+
+auth_read_passwd(rabbitmq_t)
+auth_use_pam(rabbitmq_t)
+files_getattr_all_mountpoints(rabbitmq_t)
+
+fs_getattr_all_fs(rabbitmq_t)
+fs_getattr_all_dirs(rabbitmq_t)
+fs_getattr_cgroup(rabbitmq_t)
+fs_search_cgroup_dirs(rabbitmq_t)
+
+dev_read_sysfs(rabbitmq_t)
+dev_read_urand(rabbitmq_t)
+
+storage_getattr_fixed_disk_dev(rabbitmq_t)
+
+sysnet_dns_name_resolve(rabbitmq_t)
+
+logging_send_syslog_msg(rabbitmq_t)
+
+optional_policy(`
+ dbus_system_bus_client(rabbitmq_t)
+')
+
+optional_policy(`
+ hostname_exec(rabbitmq_t)
+')
+
+optional_policy(`
+ rpc_read_nfs_state_data(rabbitmq_t)
+')
-allow rabbitmq_epmd_t self:process signal;
-allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
-allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
-
-allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
-
-corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
-corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
-corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t)
-corenet_tcp_sendrecv_generic_node(rabbitmq_epmd_t)
-corenet_tcp_bind_generic_node(rabbitmq_epmd_t)
-
-corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
-corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
-corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
-
-files_read_etc_files(rabbitmq_epmd_t)
-
-logging_send_syslog_msg(rabbitmq_epmd_t)
-
-miscfiles_read_localization(rabbitmq_epmd_t)
diff --git a/radius.fc b/radius.fc
index d447e8548..76ed794ce 100644
--- a/radius.fc
+++ b/radius.fc
@@ -9,7 +9,9 @@
/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
-/var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)
+/usr/lib/systemd/system/radiusd.* -- gen_context(system_u:object_r:radiusd_unit_file_t,s0)
+
+/var/lib/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)
/var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
/var/log/radacct(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
diff --git a/radius.if b/radius.if
index 44605825c..4c66c2502 100644
--- a/radius.if
+++ b/radius.if
@@ -14,6 +14,30 @@ interface(`radius_use',`
refpolicywarn(`$0($*) has been deprecated.')
')
+#######################################
+##
+## Execute radiusd server in the radiusd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`radiusd_systemctl',`
+ gen_require(`
+ type radiusd_unit_file_t;
+ type radiusd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 radiusd_unit_file_t:file read_file_perms;
+ allow $1 radiusd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, radiusd_t)
+')
+
########################################
##
## All of the rules required to
@@ -35,11 +59,14 @@ interface(`radius_admin',`
gen_require(`
type radiusd_t, radiusd_etc_t, radiusd_log_t;
type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
- type radiusd_initrc_exec_t;
+ type radiusd_initrc_exec_t, radiusd_unit_file_t;
')
- allow $1 radiusd_t:process { ptrace signal_perms };
+ allow $1 radiusd_t:process signal_perms;
ps_process_pattern($1, radiusd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 radiusd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -57,4 +84,9 @@ interface(`radius_admin',`
files_list_pids($1)
admin_pattern($1, radiusd_var_run_t)
+
+ admin_pattern($1, radiusd_unit_file_t)
+ bind_systemctl($1)
+ allow $1 radiusd_unit_file_t:service all_service_perms;
+
')
diff --git a/radius.te b/radius.te
index 403a4fed1..9de0a3d77 100644
--- a/radius.te
+++ b/radius.te
@@ -5,6 +5,13 @@ policy_module(radius, 1.13.0)
# Declarations
#
+##
+##
+## Determine whether radius can use JIT compiler.
+##
+##
+gen_tunable(radius_use_jit, false)
+
type radiusd_t;
type radiusd_exec_t;
init_daemon_domain(radiusd_t, radiusd_exec_t)
@@ -27,14 +34,17 @@ files_type(radiusd_var_lib_t)
type radiusd_var_run_t;
files_pid_file(radiusd_var_run_t)
+type radiusd_unit_file_t;
+systemd_unit_file(radiusd_unit_file_t)
+
########################################
#
# Local policy
#
-allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
+allow radiusd_t self:capability { chown dac_read_search dac_override fsetid kill setgid setuid sys_resource sys_tty_config sys_ptrace };
dontaudit radiusd_t self:capability sys_tty_config;
-allow radiusd_t self:process { getsched setrlimit setsched sigkill signal };
+allow radiusd_t self:process { getsched setrlimit setsched sigkill signal};
allow radiusd_t self:fifo_file rw_fifo_file_perms;
allow radiusd_t self:unix_stream_socket { accept listen };
allow radiusd_t self:tcp_socket { accept listen };
@@ -43,15 +53,18 @@ allow radiusd_t radiusd_etc_t:dir list_dir_perms;
allow radiusd_t radiusd_etc_t:file read_file_perms;
allow radiusd_t radiusd_etc_t:lnk_file read_lnk_file_perms;
+tunable_policy(`deny_ptrace',`',`
+ allow radiusd_t self:process ptrace;
+')
+
manage_dirs_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
manage_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file })
+allow radiusd_t radiusd_etc_rw_t:file map;
manage_dirs_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
-append_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
-create_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
-setattr_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
+manage_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
logging_log_filetrans(radiusd_t, radiusd_log_t, { file dir })
manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t)
@@ -60,11 +73,13 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir })
+files_dontaudit_list_tmp(radiusd_t)
kernel_read_kernel_sysctls(radiusd_t)
kernel_read_system_state(radiusd_t)
+kernel_read_net_sysctls(radiusd_t)
+kernel_search_network_sysctl(radiusd_t)
-corenet_all_recvfrom_unlabeled(radiusd_t)
corenet_all_recvfrom_netlabel(radiusd_t)
corenet_tcp_sendrecv_generic_if(radiusd_t)
corenet_udp_sendrecv_generic_if(radiusd_t)
@@ -74,12 +89,22 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
corenet_udp_sendrecv_all_ports(radiusd_t)
corenet_udp_bind_generic_node(radiusd_t)
+corenet_tcp_connect_postgresql_port(radiusd_t)
+corenet_tcp_connect_http_port(radiusd_t)
+
corenet_sendrecv_radacct_server_packets(radiusd_t)
+corenet_tcp_bind_radacct_port(radiusd_t)
corenet_udp_bind_radacct_port(radiusd_t)
corenet_sendrecv_radius_server_packets(radiusd_t)
+corenet_tcp_bind_radius_port(radiusd_t)
corenet_udp_bind_radius_port(radiusd_t)
+corenet_sendrecv_radsec_server_packets(radiusd_t)
+corenet_tcp_bind_radsec_port(radiusd_t)
+corenet_udp_bind_radsec_port(radiusd_t)
+corenet_tcp_connect_radsec_port(radiusd_t)
+
corenet_sendrecv_snmp_client_packets(radiusd_t)
corenet_tcp_connect_snmp_port(radiusd_t)
@@ -97,7 +122,6 @@ domain_use_interactive_fds(radiusd_t)
fs_getattr_all_fs(radiusd_t)
fs_search_auto_mountpoints(radiusd_t)
-files_read_usr_files(radiusd_t)
files_read_etc_runtime_files(radiusd_t)
files_dontaudit_list_tmp(radiusd_t)
@@ -109,7 +133,6 @@ libs_exec_lib_files(radiusd_t)
logging_send_syslog_msg(radiusd_t)
-miscfiles_read_localization(radiusd_t)
miscfiles_read_generic_certs(radiusd_t)
sysnet_use_ldap(radiusd_t)
@@ -117,10 +140,21 @@ sysnet_use_ldap(radiusd_t)
userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
userdom_dontaudit_search_user_home_dirs(radiusd_t)
+tunable_policy(`radius_use_jit',`
+ allow radiusd_t self:process execmem;
+',`
+ dontaudit radiusd_t self:process execmem;
+')
+
optional_policy(`
cron_system_entry(radiusd_t, radiusd_exec_t)
')
+optional_policy(`
+ kerberos_tmp_filetrans_host_rcache(radiusd_t, "host_0")
+ kerberos_manage_host_rcache(radiusd_t)
+')
+
optional_policy(`
logrotate_exec(radiusd_t)
')
@@ -131,6 +165,11 @@ optional_policy(`
mysql_tcp_connect(radiusd_t)
')
+optional_policy(`
+ postgresql_stream_connect(radiusd_t)
+ postgresql_tcp_connect(radiusd_t)
+')
+
optional_policy(`
samba_domtrans_winbind_helper(radiusd_t)
')
@@ -139,6 +178,11 @@ optional_policy(`
seutil_sigchld_newrole(radiusd_t)
')
+optional_policy(`
+ snmp_read_snmp_var_lib_files(radiusd_t)
+ snmp_read_snmp_var_lib_files(radiusd_t)
+')
+
optional_policy(`
udev_read_db(radiusd_t)
')
diff --git a/radvd.if b/radvd.if
index ac7058d1e..48739ac1b 100644
--- a/radvd.if
+++ b/radvd.if
@@ -1,5 +1,24 @@
## IPv6 router advertisement daemon.
+######################################
+##
+## Read radvd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`radvd_read_pid_files',`
+ gen_require(`
+ type radvd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, radvd_var_run_t, radvd_var_run_t)
+')
+
########################################
##
## All of the rules required to
@@ -23,8 +42,11 @@ interface(`radvd_admin',`
type radvd_var_run_t;
')
- allow $1 radvd_t:process { ptrace signal_perms };
+ allow $1 radvd_t:process signal_perms;
ps_process_pattern($1, radvd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 radvd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, radvd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/radvd.te b/radvd.te
index 6d162e4e6..889c0ed5f 100644
--- a/radvd.te
+++ b/radvd.te
@@ -65,8 +65,6 @@ auth_use_nsswitch(radvd_t)
logging_send_syslog_msg(radvd_t)
-miscfiles_read_localization(radvd_t)
-
userdom_dontaudit_use_unpriv_user_fds(radvd_t)
userdom_dontaudit_search_user_home_dirs(radvd_t)
diff --git a/raid.fc b/raid.fc
index 5806046b1..2a4769ff4 100644
--- a/raid.fc
+++ b/raid.fc
@@ -3,6 +3,12 @@
/etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0)
+/etc/mdadm\.conf -- gen_context(system_u:object_r:mdadm_conf_t,s0)
+/etc/mdadm\.conf\.anacbak -- gen_context(system_u:object_r:mdadm_conf_t,s0)
+
+/usr/lib/systemd/system/mdmon@.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0)
+/usr/lib/systemd/system/mdmonitor.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0)
+
/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
@@ -16,6 +22,10 @@
/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/sbin/mdmon -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/var/log/iprdbg -- gen_context(system_u:object_r:mdadm_log_t,s0)
+/var/log/iprdump.* -- gen_context(system_u:object_r:mdadm_log_t,s0)
+
/var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
diff --git a/raid.if b/raid.if
index 951db7f1b..00e699da4 100644
--- a/raid.if
+++ b/raid.if
@@ -1,9 +1,8 @@
-## RAID array management tools.
+## RAID array management tools
########################################
##
-## Execute software raid tools in
-## the mdadm domain.
+## Execute software raid tools in the mdadm domain.
##
##
##
@@ -22,34 +21,57 @@ interface(`raid_domtrans_mdadm',`
######################################
##
-## Execute mdadm in the mdadm
-## domain, and allow the specified
-## role the mdadm domain.
+## Execute a domain transition to mdadm_t for the
+## specified role, allowing it to use the mdadm_t
+## domain
##
##
##
-## Role allowed access.
+## Role allowed to access mdadm_t domain
##
##
##
##
-## Domain allowed to transition.
+## Domain allowed to transition to mdadm_t
##
##
#
interface(`raid_run_mdadm',`
gen_require(`
- attribute_role mdadm_roles;
+ type mdadm_t;
')
+ role $1 types mdadm_t;
raid_domtrans_mdadm($2)
- roleattribute $1 mdadm_roles;
+')
+
+######################################
+##
+## Execute mdadm server in the mdadm domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mdadm_systemctl',`
+ gen_require(`
+ type mdadm_t;
+ type mdadm_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 mdadm_unit_file_t:file read_file_perms;
+ allow $1 mdadm_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, mdadm_t)
')
########################################
##
-## Create, read, write, and delete
-## mdadm pid files.
+## read the mdadm pid files.
##
##
##
@@ -57,47 +79,113 @@ interface(`raid_run_mdadm',`
##
##
#
-interface(`raid_manage_mdadm_pid',`
+interface(`raid_read_mdadm_pid',`
gen_require(`
type mdadm_var_run_t;
')
- files_search_pids($1)
- allow $1 mdadm_var_run_t:file manage_file_perms;
+ read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)
')
########################################
##
-## All of the rules required to
-## administrate an mdadm environment.
+## Create, read, write, and delete the mdadm pid files.
##
+##
+##
+## Create, read, write, and delete the mdadm pid files.
+##
+##
+## Added for use in the init module.
+##
+##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`raid_manage_mdadm_pid',`
+ gen_require(`
+ type mdadm_var_run_t;
+ ')
+
+ # FIXME: maybe should have a type_transition. not
+ # clear what this is doing, from the original
+ # mdadm policy
+ allow $1 mdadm_var_run_t:file manage_file_perms;
+')
+
+#######################################
+##
+## Check access to the mdadm executable.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`raid_access_check_mdadm',`
+ gen_require(`
+ type mdadm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ allow $1 mdadm_exec_t:file { getattr_file_perms execute };
+')
+
+########################################
+##
+## Read mdadm config files.
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
-##
#
-interface(`raid_admin_mdadm',`
+interface(`raid_read_conf_files',`
gen_require(`
- type mdadm_t, mdadm_initrc_exec_t, mdadm_var_run_t;
+ type mdadm_conf_t;
')
- allow $1 mdadm_t:process { ptrace signal_perms };
- ps_process_pattern($1, mdadm_t)
+ read_files_pattern($1, mdadm_conf_t, mdadm_conf_t)
+')
+
+########################################
+##
+## Manage mdadm config files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`raid_manage_conf_files',`
+ gen_require(`
+ type mdadm_conf_t;
+ ')
- init_labeled_script_domtrans($1, mdadm_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mdadm_initrc_exec_t system_r;
- allow $2 system_r;
+ manage_files_pattern($1, mdadm_conf_t, mdadm_conf_t)
+')
- files_search_pids($1)
- admin_pattern($1, mdadm_var_run_t)
+########################################
+##
+## Transition to mdadm named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`raid_filetrans_named_content',`
+ gen_require(`
+ type mdadm_conf_t;
+ ')
- raid_run_mdadm($2, $1)
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak")
')
diff --git a/raid.te b/raid.te
index c99753f2c..55294acec 100644
--- a/raid.te
+++ b/raid.te
@@ -15,54 +15,104 @@ role mdadm_roles types mdadm_t;
type mdadm_initrc_exec_t;
init_script_file(mdadm_initrc_exec_t)
+type mdadm_conf_t;
+files_config_file(mdadm_conf_t)
+
+type mdadm_unit_file_t;
+systemd_unit_file(mdadm_unit_file_t)
+
+type mdadm_tmp_t;
+files_tmp_file(mdadm_tmp_t)
+
+type mdadm_tmpfs_t;
+files_tmpfs_file(mdadm_tmpfs_t)
+
type mdadm_var_run_t alias mdadm_map_t;
files_pid_file(mdadm_var_run_t)
dev_associate(mdadm_var_run_t)
+type mdadm_log_t;
+logging_log_file(mdadm_log_t)
+
########################################
#
# Local policy
#
-allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
-dontaudit mdadm_t self:capability sys_tty_config;
-allow mdadm_t self:process { getsched setsched signal_perms };
+allow mdadm_t self:capability { dac_read_search dac_override sys_admin ipc_lock };
+dontaudit mdadm_t self:capability { sys_tty_config sys_ptrace };
+allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal };
allow mdadm_t self:fifo_file rw_fifo_file_perms;
allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow mdadm_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+manage_files_pattern(mdadm_t, mdadm_conf_t, mdadm_conf_t)
+files_etc_filetrans(mdadm_t, mdadm_conf_t, file, "mdadm.conf")
+files_etc_filetrans(mdadm_t, mdadm_conf_t, file, "mdadm.conf.anacbak")
+
+manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
+manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
+files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file)
+
+manage_files_pattern(mdadm_t, mdadm_tmpfs_t, mdadm_tmpfs_t)
+manage_dirs_pattern(mdadm_t, mdadm_tmpfs_t, mdadm_tmpfs_t)
+fs_tmpfs_filetrans(mdadm_t, mdadm_tmpfs_t, { dir file })
manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
-dev_filetrans(mdadm_t, mdadm_var_run_t, file)
-files_pid_filetrans(mdadm_t, mdadm_var_run_t, { dir file })
+files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir })
+dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })
+
+manage_files_pattern(mdadm_t, mdadm_log_t, mdadm_log_t)
+logging_log_filetrans(mdadm_t, mdadm_log_t, file)
+
+can_exec(mdadm_t, mdadm_exec_t)
kernel_getattr_core_if(mdadm_t)
kernel_read_system_state(mdadm_t)
kernel_read_kernel_sysctls(mdadm_t)
kernel_request_load_module(mdadm_t)
kernel_rw_software_raid_state(mdadm_t)
+kernel_dontaudit_setsched(mdadm_t)
+kernel_signal(mdadm_t)
+kernel_signull(mdadm_t)
+kernel_stream_connect(mdadm_t)
corecmd_exec_bin(mdadm_t)
corecmd_exec_shell(mdadm_t)
dev_rw_sysfs(mdadm_t)
-dev_dontaudit_getattr_all_blk_files(mdadm_t)
-dev_dontaudit_getattr_all_chr_files(mdadm_t)
+dev_dontaudit_read_all_blk_files(mdadm_t)
+dev_dontaudit_read_all_chr_files(mdadm_t)
+dev_getattr_all(mdadm_t)
+dev_read_crash(mdadm_t)
+dev_read_framebuffer(mdadm_t)
dev_read_realtime_clock(mdadm_t)
dev_read_raw_memory(mdadm_t)
-
+dev_read_kvm(mdadm_t)
+dev_read_mei(mdadm_t)
+dev_read_nvram(mdadm_t)
+dev_read_generic_files(mdadm_t)
+dev_read_generic_usb_dev(mdadm_t)
+dev_read_urand(mdadm_t)
+dev_read_rand(mdadm_t)
+dev_rw_nvme(mdadm_t)
+
+domain_read_all_domains_state(mdadm_t)
domain_use_interactive_fds(mdadm_t)
-files_read_etc_files(mdadm_t)
files_read_etc_runtime_files(mdadm_t)
-files_dontaudit_getattr_all_files(mdadm_t)
+files_dontaudit_getattr_tmpfs_files(mdadm_t)
fs_getattr_all_fs(mdadm_t)
fs_list_auto_mountpoints(mdadm_t)
fs_list_hugetlbfs(mdadm_t)
fs_rw_cgroup_files(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
+fs_manage_cgroup_files(mdadm_t)
+fs_read_efivarfs_files(mdadm_t)
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
@@ -71,15 +121,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
+storage_raw_read_removable_device(mdadm_t)
+storage_tmp_filetrans_fixed_disk(mdadm_t)
term_dontaudit_list_ptys(mdadm_t)
term_dontaudit_use_unallocated_ttys(mdadm_t)
+auth_use_nsswitch(mdadm_t)
+
init_dontaudit_getattr_initctl(mdadm_t)
+init_getattr_script_status_files(mdadm_t)
+logging_dontaudit_getattr_all_logs(mdadm_t)
logging_send_syslog_msg(mdadm_t)
-miscfiles_read_localization(mdadm_t)
+systemd_exec_systemctl(mdadm_t)
+systemd_start_systemd_services(mdadm_t)
+
+term_use_generic_ptys(mdadm_t)
+term_use_unallocated_ttys(mdadm_t)
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
@@ -89,14 +149,27 @@ optional_policy(`
cron_system_entry(mdadm_t, mdadm_exec_t)
')
+optional_policy(`
+ dbus_system_bus_client(mdadm_t)
+')
+
optional_policy(`
gpm_dontaudit_getattr_gpmctl(mdadm_t)
')
+optional_policy(`
+ kdump_manage_kdumpctl_tmp_files(mdadm_t)
+ kdump_rw_lock(mdadm_t)
+')
+
optional_policy(`
mta_send_mail(mdadm_t)
')
+optional_policy(`
+ mdadm_systemctl(mdadm_t)
+')
+
optional_policy(`
seutil_sigchld_newrole(mdadm_t)
')
@@ -104,3 +177,11 @@ optional_policy(`
optional_policy(`
udev_read_db(mdadm_t)
')
+
+optional_policy(`
+ virt_read_blk_images(mdadm_t)
+')
+
+optional_policy(`
+ xserver_dontaudit_search_log(mdadm_t)
+')
diff --git a/rasdaemon.fc b/rasdaemon.fc
new file mode 100644
index 000000000..8e31dd042
--- /dev/null
+++ b/rasdaemon.fc
@@ -0,0 +1,9 @@
+/usr/lib/systemd/system/ras-mc-ctl.* -- gen_context(system_u:object_r:rasdaemon_unit_file_t,s0)
+
+/usr/lib/systemd/system/rasdaemon.* -- gen_context(system_u:object_r:rasdaemon_unit_file_t,s0)
+
+/usr/sbin/rasdaemon -- gen_context(system_u:object_r:rasdaemon_exec_t,s0)
+
+/usr/sbin/ras-mc-ctl -- gen_context(system_u:object_r:rasdaemon_exec_t,s0)
+
+/var/lib/rasdaemon(/.*)? gen_context(system_u:object_r:rasdaemon_var_lib_t,s0)
diff --git a/rasdaemon.if b/rasdaemon.if
new file mode 100644
index 000000000..d57006d9c
--- /dev/null
+++ b/rasdaemon.if
@@ -0,0 +1,157 @@
+
+## The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing
+
+########################################
+##
+## Execute TEMPLATE in the rasdaemon domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rasdaemon_domtrans',`
+ gen_require(`
+ type rasdaemon_t, rasdaemon_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rasdaemon_exec_t, rasdaemon_t)
+')
+
+########################################
+##
+## Search rasdaemon lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rasdaemon_search_lib',`
+ gen_require(`
+ type rasdaemon_var_lib_t;
+ ')
+
+ allow $1 rasdaemon_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read rasdaemon lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rasdaemon_read_lib_files',`
+ gen_require(`
+ type rasdaemon_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
+')
+
+########################################
+##
+## Manage rasdaemon lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rasdaemon_manage_lib_files',`
+ gen_require(`
+ type rasdaemon_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
+')
+
+########################################
+##
+## Manage rasdaemon lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rasdaemon_manage_lib_dirs',`
+ gen_require(`
+ type rasdaemon_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
+')
+
+########################################
+##
+## Execute rasdaemon server in the rasdaemon domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rasdaemon_systemctl',`
+ gen_require(`
+ type rasdaemon_t;
+ type rasdaemon_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 rasdaemon_unit_file_t:file read_file_perms;
+ allow $1 rasdaemon_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, rasdaemon_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an rasdaemon environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`rasdaemon_admin',`
+ gen_require(`
+ type rasdaemon_t;
+ type rasdaemon_var_lib_t;
+ type rasdaemon_unit_file_t;
+ ')
+
+ allow $1 rasdaemon_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rasdaemon_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, rasdaemon_var_lib_t)
+
+ rasdaemon_systemctl($1)
+ admin_pattern($1, rasdaemon_unit_file_t)
+ allow $1 rasdaemon_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/rasdaemon.te b/rasdaemon.te
new file mode 100644
index 000000000..dcdca4448
--- /dev/null
+++ b/rasdaemon.te
@@ -0,0 +1,51 @@
+policy_module(rasdaemon, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rasdaemon_t;
+type rasdaemon_exec_t;
+init_daemon_domain(rasdaemon_t, rasdaemon_exec_t)
+
+type rasdaemon_var_lib_t;
+files_type(rasdaemon_var_lib_t)
+
+type rasdaemon_unit_file_t;
+systemd_unit_file(rasdaemon_unit_file_t)
+
+########################################
+#
+# rasdaemon local policy
+#
+allow rasdaemon_t self:fifo_file rw_fifo_file_perms;
+allow rasdaemon_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rasdaemon_t, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
+manage_files_pattern(rasdaemon_t, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
+files_var_lib_filetrans(rasdaemon_t, rasdaemon_var_lib_t, { dir file })
+
+kernel_read_system_state(rasdaemon_t)
+kernel_manage_debugfs(rasdaemon_t)
+
+dev_read_raw_memory(rasdaemon_t)
+dev_read_sysfs(rasdaemon_t)
+dev_read_urand(rasdaemon_t)
+dev_rw_cpu_microcode(rasdaemon_t)
+
+fs_rw_tracefs_files(rasdaemon_t)
+fs_manage_tracefs_dirs(rasdaemon_t)
+fs_mount_tracefs(rasdaemon_t)
+fs_unmount_tracefs(rasdaemon_t)
+
+modutils_dontaudit_exec_insmod(rasdaemon_t) # more info here #1030277
+
+auth_use_nsswitch(rasdaemon_t)
+
+logging_send_syslog_msg(rasdaemon_t)
+
+optional_policy(`
+ dmidecode_exec(rasdaemon_t)
+')
+
diff --git a/razor.fc b/razor.fc
index 6723f4d3b..6e2667392 100644
--- a/razor.fc
+++ b/razor.fc
@@ -1,9 +1,9 @@
-HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
+#/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
+#HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
-/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
+#/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
-/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0)
+#/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0)
-/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0)
-
-/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0)
+#/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0)
+#/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0)
diff --git a/razor.if b/razor.if
index 1e4b523bf..fee3b7cd1 100644
--- a/razor.if
+++ b/razor.if
@@ -1,72 +1,147 @@
## A distributed, collaborative, spam detection and filtering network.
+##
+##
+## A distributed, collaborative, spam detection and filtering network.
+##
+##
+## This policy will work with either the ATrpms provided config
+## file in /etc/razor, or with the default of dumping everything into
+## $HOME/.razor.
+##
+##
#######################################
##
-## The template to define a razor domain.
+## Template to create types and rules common to
+## all razor domains.
##
-##
+##
##
-## Domain prefix to be used.
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
##
##
#
template(`razor_common_domain_template',`
gen_require(`
- attribute razor_domain;
- type razor_exec_t;
+ type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
')
- ########################################
- #
- # Declarations
- #
-
- type $1_t, razor_domain;
+ type $1_t;
domain_type($1_t)
domain_entry_file($1_t, razor_exec_t)
- ########################################
- #
- # Declarations
- #
-
- auth_use_nsswitch($1_t)
+ allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_t self:fd use;
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+ allow $1_t self:unix_dgram_socket create_socket_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:unix_dgram_socket sendto;
+ allow $1_t self:unix_stream_socket connectto;
+ allow $1_t self:shm create_shm_perms;
+ allow $1_t self:sem create_sem_perms;
+ allow $1_t self:msgq create_msgq_perms;
+ allow $1_t self:msg { send receive };
+ allow $1_t self:tcp_socket create_socket_perms;
+
+ # Read system config file
+ allow $1_t razor_etc_t:dir list_dir_perms;
+ allow $1_t razor_etc_t:file read_file_perms;
+ allow $1_t razor_etc_t:lnk_file read_lnk_file_perms;
+
+ manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
+ manage_files_pattern($1_t, razor_log_t, razor_log_t)
+ manage_lnk_files_pattern($1_t, razor_log_t, razor_log_t)
+ logging_log_filetrans($1_t, razor_log_t, file)
+
+ manage_dirs_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
+ manage_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
+ manage_lnk_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
+ files_search_var_lib($1_t)
+
+ # Razor is one executable and several symlinks
+ allow $1_t razor_exec_t:file read_file_perms;
+ allow $1_t razor_exec_t:lnk_file read_lnk_file_perms;
+
+ kernel_read_system_state($1_t)
+ kernel_read_network_state($1_t)
+ kernel_read_software_raid_state($1_t)
+ kernel_getattr_core_if($1_t)
+ kernel_getattr_message_if($1_t)
+ kernel_read_kernel_sysctls($1_t)
+
+ corecmd_exec_bin($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+ corenet_tcp_sendrecv_generic_if($1_t)
+ corenet_raw_sendrecv_generic_if($1_t)
+ corenet_tcp_sendrecv_generic_node($1_t)
+ corenet_raw_sendrecv_generic_node($1_t)
+ corenet_tcp_sendrecv_razor_port($1_t)
+
+ # mktemp and other randoms
+ dev_read_rand($1_t)
+ dev_read_urand($1_t)
+
+ files_search_pids($1_t)
+ # Allow access to various files in the /etc/directory including mtab
+ # and nsswitch
+ files_read_etc_files($1_t)
+ files_read_etc_runtime_files($1_t)
+
+ fs_search_auto_mountpoints($1_t)
+
+ libs_read_lib_files($1_t)
+
+
+ sysnet_read_config($1_t)
+ sysnet_dns_name_resolve($1_t)
+
+ optional_policy(`
+ nis_use_ypbind($1_t)
+ ')
')
########################################
##
-## Role access for razor.
+## Role access for razor
##
##
##
-## Role allowed access.
+## Role allowed access
##
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
+##
#
interface(`razor_role',`
gen_require(`
- attribute_role razor_roles;
type razor_t, razor_exec_t, razor_home_t;
- type razor_tmp_t;
')
- roleattribute $1 razor_roles;
+ role $1 types razor_t;
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, razor_exec_t, razor_t)
+ # allow ps to show razor and allow the user to kill it
ps_process_pattern($2, razor_t)
- allow $2 razor_t:process signal;
-
- allow $2 { razor_home_t razor_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { razor_home_t razor_tmp_t }:file { manage_file_perms relabel_file_perms };
- allow $2 razor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 razor_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 razor_t:process ptrace;
+ ')
- userdom_user_home_dir_filetrans($2, razor_home_t, dir, ".razor")
+ manage_dirs_pattern($2, razor_home_t, razor_home_t)
+ manage_files_pattern($2, razor_home_t, razor_home_t)
+ manage_lnk_files_pattern($2, razor_home_t, razor_home_t)
+ relabel_dirs_pattern($2, razor_home_t, razor_home_t)
+ relabel_files_pattern($2, razor_home_t, razor_home_t)
+ relabel_lnk_files_pattern($2, razor_home_t, razor_home_t)
')
########################################
@@ -81,17 +156,16 @@ interface(`razor_role',`
#
interface(`razor_domtrans',`
gen_require(`
- type system_razor_t, razor_exec_t;
+ type razor_t, razor_exec_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, razor_exec_t, system_razor_t)
+ domtrans_pattern($1, razor_exec_t, razor_t)
')
########################################
##
-## Create, read, write, and delete
-## razor home content.
+## Create, read, write, and delete razor files
+## in a user home subdirectory.
##
##
##
@@ -99,20 +173,19 @@ interface(`razor_domtrans',`
##
##
#
-interface(`razor_manage_home_content',`
+interface(`razor_manage_user_home_files',`
gen_require(`
type razor_home_t;
')
userdom_search_user_home_dirs($1)
- allow $1 razor_home_t:dir manage_dir_perms;
- allow $1 razor_home_t:file manage_file_perms;
- allow $1 razor_home_t:lnk_file manage_lnk_file_perms;
+ manage_files_pattern($1, razor_home_t, razor_home_t)
+ read_lnk_files_pattern($1, razor_home_t, razor_home_t)
')
########################################
##
-## Read razor lib files.
+## read razor lib files.
##
##
##
diff --git a/razor.te b/razor.te
index 68455f909..38f69685c 100644
--- a/razor.te
+++ b/razor.te
@@ -5,135 +5,124 @@ policy_module(razor, 2.4.0)
# Declarations
#
-attribute razor_domain;
+ifdef(`distro_redhat',`
+ gen_require(`
+ type spamc_t, spamc_exec_t, spamd_log_t;
+ type spamd_spool_t, spamd_var_lib_t, spamd_etc_t;
+ type spamc_home_t, spamc_tmp_t;
+ ')
+
+ typealias spamc_t alias razor_t;
+ typealias spamc_exec_t alias razor_exec_t;
+ typealias spamd_log_t alias razor_log_t;
+ typealias spamd_var_lib_t alias razor_var_lib_t;
+ typealias spamd_etc_t alias razor_etc_t;
+ typealias spamc_home_t alias razor_home_t;
+ typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+ typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+ typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+ typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+',`
+ type razor_exec_t;
+ corecmd_executable_file(razor_exec_t)
+
+ type razor_etc_t;
+ files_config_file(razor_etc_t)
+
+ type razor_home_t;
+ typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+ typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+ userdom_user_home_content(razor_home_t)
+
+ type razor_log_t;
+ logging_log_file(razor_log_t)
+
+ type razor_tmp_t;
+ typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+ typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+ files_tmp_file(razor_tmp_t)
+ ubac_constrained(razor_tmp_t)
+
+ type razor_var_lib_t;
+ files_type(razor_var_lib_t)
+
+ # these are here due to ordering issues:
+ razor_common_domain_template(razor)
+ typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
+ typealias razor_t alias { auditadm_razor_t secadm_razor_t };
+ ubac_constrained(razor_t)
+
+ razor_common_domain_template(system_razor)
+ role system_r types system_razor_t;
+
+ ########################################
+ #
+ # System razor local policy
+ #
+
+ # this version of razor is invoked typically
+ # via the system spam filter
+
+ allow system_razor_t self:tcp_socket create_socket_perms;
+
+ manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+ manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+ manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+ files_search_etc(system_razor_t)
+
+ allow system_razor_t razor_log_t:file manage_file_perms;
+ logging_log_filetrans(system_razor_t, razor_log_t, file)
+
+ manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
+ files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
+
+ corenet_all_recvfrom_netlabel(system_razor_t)
+ corenet_tcp_sendrecv_generic_if(system_razor_t)
+ corenet_raw_sendrecv_generic_if(system_razor_t)
+ corenet_tcp_sendrecv_generic_node(system_razor_t)
+ corenet_raw_sendrecv_generic_node(system_razor_t)
+ corenet_tcp_sendrecv_razor_port(system_razor_t)
+ corenet_tcp_connect_razor_port(system_razor_t)
+ corenet_sendrecv_razor_client_packets(system_razor_t)
+
+ auth_use_nsswitch(system_razor_t)
+
+ # cjp: this shouldn't be needed
+ userdom_use_unpriv_users_fds(system_razor_t)
+
+ optional_policy(`
+ logging_send_syslog_msg(system_razor_t)
+ ')
+
+ ########################################
+ #
+ # User razor local policy
+ #
+
+ # Allow razor to be run by hand. Needed by any action other than
+ # invocation from a spam filter.
+
+ allow razor_t self:unix_stream_socket create_stream_socket_perms;
+
+ manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
+ manage_files_pattern(razor_t, razor_home_t, razor_home_t)
+ manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
+ userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
+
+ manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+ manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+ files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
+
+ auth_use_nsswitch(razor_t)
-attribute_role razor_roles;
+ logging_send_syslog_msg(razor_t)
-type razor_exec_t;
-corecmd_executable_file(razor_exec_t)
+ userdom_search_user_home_dirs(razor_t)
+ userdom_use_inherited_user_terminals(razor_t)
-type razor_etc_t;
-files_config_file(razor_etc_t)
+ userdom_home_manager(razor_t)
-type razor_home_t;
-typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
-typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
-userdom_user_home_content(razor_home_t)
-
-type razor_log_t;
-logging_log_file(razor_log_t)
-
-type razor_tmp_t;
-typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
-typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
-userdom_user_tmp_file(razor_tmp_t)
-
-type razor_var_lib_t;
-files_type(razor_var_lib_t)
-
-razor_common_domain_template(razor)
-typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
-typealias razor_t alias { auditadm_razor_t secadm_razor_t };
-userdom_user_application_type(razor_t)
-role razor_roles types razor_t;
-
-razor_common_domain_template(system_razor)
-role system_r types system_razor_t;
-
-########################################
-#
-# Common razor domain local policy
-#
-
-allow razor_domain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow razor_domain self:fd use;
-allow razor_domain self:fifo_file rw_fifo_file_perms;
-allow razor_domain self:unix_dgram_socket sendto;
-allow razor_domain self:unix_stream_socket { accept connectto listen };
-
-allow razor_domain razor_etc_t:dir list_dir_perms;
-allow razor_domain razor_etc_t:file read_file_perms;
-allow razor_domain razor_etc_t:lnk_file read_lnk_file_perms;
-
-allow razor_domain razor_exec_t:file read_file_perms;
-allow razor_domain razor_exec_t:lnk_file read_lnk_file_perms;
-
-kernel_read_system_state(razor_domain)
-kernel_read_network_state(razor_domain)
-kernel_read_software_raid_state(razor_domain)
-kernel_getattr_core_if(razor_domain)
-kernel_getattr_message_if(razor_domain)
-kernel_read_kernel_sysctls(razor_domain)
-
-corecmd_exec_bin(razor_domain)
-
-corenet_all_recvfrom_unlabeled(razor_domain)
-corenet_all_recvfrom_netlabel(razor_domain)
-corenet_tcp_sendrecv_generic_if(razor_domain)
-corenet_tcp_sendrecv_generic_node(razor_domain)
-
-corenet_tcp_sendrecv_razor_port(razor_domain)
-corenet_tcp_connect_razor_port(razor_domain)
-corenet_sendrecv_razor_client_packets(razor_domain)
-
-dev_read_rand(razor_domain)
-dev_read_urand(razor_domain)
-
-files_read_etc_runtime_files(razor_domain)
-
-libs_read_lib_files(razor_domain)
-
-miscfiles_read_localization(razor_domain)
-
-########################################
-#
-# System local policy
-#
-
-manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-
-manage_dirs_pattern(system_razor_t, razor_log_t, razor_log_t)
-append_files_pattern(system_razor_t, razor_log_t, razor_log_t)
-create_files_pattern(system_razor_t, razor_log_t, razor_log_t)
-setattr_files_pattern(system_razor_t, razor_log_t, razor_log_t)
-manage_lnk_files_pattern(system_razor_t, razor_log_t, razor_log_t)
-logging_log_filetrans(system_razor_t, razor_log_t, file)
-
-manage_dirs_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
-manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
-manage_lnk_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
-files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
-
-########################################
-#
-# Session local policy
-#
-
-manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
-manage_files_pattern(razor_t, razor_home_t, razor_home_t)
-manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
-userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir, ".razor")
-
-manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
-manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
-files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
-
-fs_getattr_all_fs(razor_t)
-fs_search_auto_mountpoints(razor_t)
-
-userdom_use_unpriv_users_fds(razor_t)
-userdom_use_user_terminals(razor_t)
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(razor_t)
- fs_manage_nfs_files(razor_t)
- fs_manage_nfs_symlinks(razor_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(razor_t)
- fs_manage_cifs_files(razor_t)
- fs_manage_cifs_symlinks(razor_t)
+ optional_policy(`
+ milter_manage_spamass_state(razor_t)
+ ')
')
diff --git a/rdisc.fc b/rdisc.fc
index e9765c0f2..ea21331d8 100644
--- a/rdisc.fc
+++ b/rdisc.fc
@@ -1,3 +1,3 @@
-/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
+/usr/lib/systemd/system/rdisc.* -- gen_context(system_u:object_r:rdisc_unit_file_t,s0)
/usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
diff --git a/rdisc.if b/rdisc.if
index 170ef52fb..28ccc4a75 100644
--- a/rdisc.if
+++ b/rdisc.if
@@ -18,3 +18,58 @@ interface(`rdisc_exec',`
corecmd_search_bin($1)
can_exec($1, rdisc_exec_t)
')
+
+########################################
+##
+## Execute rdisc server in the rdisc domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rdisc_systemctl',`
+ gen_require(`
+ type rdisc_t;
+ type rdisc_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 rdisc_unit_file_t:file read_file_perms;
+ allow $1 rdisc_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, rdisc_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an rdisc environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`rdisc_admin',`
+ gen_require(`
+ type rdisc_t;
+ type rdisc_unit_file_t;
+ ')
+
+ allow $1 rdisc_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rdisc_t)
+
+ rdisc_systemctl($1)
+ admin_pattern($1, rdisc_unit_file_t)
+ allow $1 rdisc_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/rdisc.te b/rdisc.te
index 9196c1dbb..b7759316f 100644
--- a/rdisc.te
+++ b/rdisc.te
@@ -9,6 +9,9 @@ type rdisc_t;
type rdisc_exec_t;
init_daemon_domain(rdisc_t, rdisc_exec_t)
+type rdisc_unit_file_t;
+systemd_unit_file(rdisc_unit_file_t)
+
########################################
#
# Local policy
@@ -25,7 +28,6 @@ kernel_list_proc(rdisc_t)
kernel_read_proc_symlinks(rdisc_t)
kernel_read_kernel_sysctls(rdisc_t)
-corenet_all_recvfrom_unlabeled(rdisc_t)
corenet_all_recvfrom_netlabel(rdisc_t)
corenet_udp_sendrecv_generic_if(rdisc_t)
corenet_raw_sendrecv_generic_if(rdisc_t)
@@ -39,12 +41,9 @@ fs_search_auto_mountpoints(rdisc_t)
domain_use_interactive_fds(rdisc_t)
-files_read_etc_files(rdisc_t)
logging_send_syslog_msg(rdisc_t)
-miscfiles_read_localization(rdisc_t)
-
sysnet_read_config(rdisc_t)
userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
diff --git a/readahead.fc b/readahead.fc
index f01b32fe2..46279e853 100644
--- a/readahead.fc
+++ b/readahead.fc
@@ -1,7 +1,11 @@
-/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
+/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+/usr/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+
/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
+/var/run/systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
/var/run/readahead.* gen_context(system_u:object_r:readahead_var_run_t,s0)
diff --git a/readahead.if b/readahead.if
index 661bb88fd..06f69c4ad 100644
--- a/readahead.if
+++ b/readahead.if
@@ -19,3 +19,27 @@ interface(`readahead_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, readahead_exec_t, readahead_t)
')
+
+########################################
+##
+## Manage readahead var_run files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`readahead_manage_pid_files',`
+ gen_require(`
+ type readahead_var_run_t;
+ ')
+
+ manage_dirs_pattern($1, readahead_var_run_t, readahead_var_run_t)
+ manage_files_pattern($1, readahead_var_run_t, readahead_var_run_t)
+ dev_filetrans($1, readahead_var_run_t, { dir file })
+ init_pid_filetrans($1, readahead_var_run_t, { dir file })
+ files_search_pids($1)
+ init_search_pid_dirs($1)
+')
+
diff --git a/readahead.te b/readahead.te
index c0b02c91c..f4705559c 100644
--- a/readahead.te
+++ b/readahead.te
@@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
type readahead_var_run_t;
files_pid_file(readahead_var_run_t)
+dev_associate(readahead_var_run_t)
init_daemon_run_dir(readahead_var_run_t, "readahead")
########################################
@@ -31,13 +32,19 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
+dev_filetrans(readahead_t, readahead_var_run_t, { dir file })
files_pid_filetrans(readahead_t, readahead_var_run_t, { dir file })
+allow readahead_t readahead_var_run_t:file map;
kernel_read_all_sysctls(readahead_t)
kernel_read_system_state(readahead_t)
kernel_dontaudit_getattr_core_if(readahead_t)
+kernel_list_all_proc(readahead_t)
-dev_read_sysfs(readahead_t)
+dev_rw_sysfs(readahead_t)
+dev_read_kmsg(readahead_t)
+dev_read_urand(readahead_t)
+dev_write_kmsg(readahead_t)
dev_getattr_generic_chr_files(readahead_t)
dev_getattr_generic_blk_files(readahead_t)
dev_getattr_all_chr_files(readahead_t)
@@ -51,12 +58,22 @@ domain_use_interactive_fds(readahead_t)
domain_read_all_domains_state(readahead_t)
files_create_boot_flag(readahead_t)
+files_delete_root_files(readahead_t)
files_getattr_all_pipes(readahead_t)
files_list_non_security(readahead_t)
files_read_non_security_files(readahead_t)
files_search_var_lib(readahead_t)
files_dontaudit_getattr_all_sockets(readahead_t)
files_dontaudit_getattr_non_security_blk_files(readahead_t)
+files_dontaudit_all_access_check(readahead_t)
+files_dontaudit_read_security_files(readahead_t)
+files_dontaudit_read_all_sockets(readahead_t)
+
+ifdef(`hide_broken_symptoms', `
+ files_dontaudit_write_all_files(readahead_t)
+ dev_dontaudit_write_all_chr_files(readahead_t)
+ dev_dontaudit_write_all_blk_files(readahead_t)
+')
fs_getattr_all_fs(readahead_t)
fs_search_auto_mountpoints(readahead_t)
@@ -66,13 +83,12 @@ fs_read_cgroup_files(readahead_t)
fs_read_tmpfs_files(readahead_t)
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
+fs_dontaudit_read_tmpfs_blk_dev(readahead_t)
fs_dontaudit_search_ramfs(readahead_t)
fs_dontaudit_read_ramfs_pipes(readahead_t)
fs_dontaudit_read_ramfs_files(readahead_t)
fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
-mcs_file_read_all(readahead_t)
-
mls_file_read_all_levels(readahead_t)
storage_raw_read_fixed_disk(readahead_t)
@@ -84,13 +100,15 @@ auth_dontaudit_read_shadow(readahead_t)
init_use_fds(readahead_t)
init_use_script_ptys(readahead_t)
init_getattr_initctl(readahead_t)
+# needs to write to /run/systemd/notify
+init_write_pid_socket(readahead_t)
+init_create_pid_dirs(readahead_t)
+init_pid_filetrans(readahead_t, readahead_var_run_t, dir, "readahead")
logging_send_syslog_msg(readahead_t)
logging_set_audit_parameters(readahead_t)
logging_dontaudit_search_audit_config(readahead_t)
-miscfiles_read_localization(readahead_t)
-
userdom_dontaudit_use_unpriv_user_fds(readahead_t)
userdom_dontaudit_search_user_home_dirs(readahead_t)
diff --git a/realmd.fc b/realmd.fc
index 04babe3d5..3b92679bb 100644
--- a/realmd.fc
+++ b/realmd.fc
@@ -1 +1,5 @@
-/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
+/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
+
+/var/cache/realmd(/.*)? gen_context(system_u:object_r:realmd_var_cache_t,s0)
+
+/var/lib/ipa-client(/.*)? gen_context(system_u:object_r:realmd_var_lib_t,s0)
diff --git a/realmd.if b/realmd.if
index bff31dfd2..1663054d9 100644
--- a/realmd.if
+++ b/realmd.if
@@ -1,8 +1,9 @@
-## Dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA.
+
+## dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA
########################################
##
-## Execute realmd in the realmd domain.
+## Execute realmd in the realmd_t domain.
##
##
##
@@ -39,3 +40,120 @@ interface(`realmd_dbus_chat',`
allow $1 realmd_t:dbus send_msg;
allow realmd_t $1:dbus send_msg;
')
+
+########################################
+##
+## Search realmd cache directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`realmd_search_cache',`
+ gen_require(`
+ type realmd_var_cache_t;
+ ')
+
+ allow $1 realmd_var_cache_t:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+##
+## Read realmd cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`realmd_read_cache_files',`
+ gen_require(`
+ type realmd_var_cache_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## realmd cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`realmd_manage_cache_files',`
+ gen_require(`
+ type realmd_var_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
+')
+
+########################################
+##
+## Manage realmd cache dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`realmd_manage_cache_dirs',`
+ gen_require(`
+ type realmd_var_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
+')
+
+
+########################################
+##
+## Read realmd tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`realmd_read_tmp_files',`
+ gen_require(`
+ type realmd_tmp_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, realmd_tmp_t, realmd_tmp_t)
+')
+
+#######################################
+##
+## Read realmd library files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`realmd_read_var_lib',`
+ gen_require(`
+ type realmd_var_lib_t;
+ ')
+
+ list_dirs_pattern($1, realmd_var_lib_t, realmd_var_lib_t)
+ read_files_pattern($1, realmd_var_lib_t, realmd_var_lib_t)
+
+')
diff --git a/realmd.te b/realmd.te
index 5bc878b29..573620309 100644
--- a/realmd.te
+++ b/realmd.te
@@ -7,46 +7,88 @@ policy_module(realmd, 1.1.0)
type realmd_t;
type realmd_exec_t;
-init_system_domain(realmd_t, realmd_exec_t)
+init_daemon_domain(realmd_t, realmd_exec_t)
+application_domain(realmd_t, realmd_exec_t)
+role system_r types realmd_t;
+
+type realmd_tmp_t;
+files_tmp_file(realmd_tmp_t)
+
+type realmd_var_cache_t;
+files_type(realmd_var_cache_t)
+
+type realmd_var_lib_t;
+files_type(realmd_var_lib_t)
########################################
#
-# Local policy
+# realmd local policy
#
-allow realmd_t self:capability sys_nice;
+allow realmd_t self:capability { sys_nice };
+allow realmd_t self:capability2 block_suspend;
allow realmd_t self:process setsched;
+allow realmd_t self:key manage_key_perms;
+
+manage_dirs_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
+manage_files_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
+files_tmp_filetrans(realmd_t, realmd_tmp_t, { dir file })
+
+manage_files_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
+manage_dirs_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
+
+manage_dirs_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t)
+manage_files_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t)
+files_var_lib_filetrans(realmd_t, realmd_var_lib_t, dir)
kernel_read_system_state(realmd_t)
+kernel_read_network_state(realmd_t)
corecmd_exec_bin(realmd_t)
corecmd_exec_shell(realmd_t)
-corenet_all_recvfrom_unlabeled(realmd_t)
-corenet_all_recvfrom_netlabel(realmd_t)
-corenet_tcp_sendrecv_generic_if(realmd_t)
-corenet_tcp_sendrecv_generic_node(realmd_t)
-
-corenet_sendrecv_http_client_packets(realmd_t)
corenet_tcp_connect_http_port(realmd_t)
-corenet_tcp_sendrecv_http_port(realmd_t)
+corenet_tcp_connect_ldap_port(realmd_t)
+corenet_tcp_connect_smbd_port(realmd_t)
domain_use_interactive_fds(realmd_t)
dev_read_rand(realmd_t)
dev_read_urand(realmd_t)
-fs_getattr_all_fs(realmd_t)
+files_manage_etc_files(realmd_t)
-files_read_usr_files(realmd_t)
+fs_getattr_all_fs(realmd_t)
auth_use_nsswitch(realmd_t)
+init_filetrans_named_content(realmd_t)
+
+logging_manage_generic_logs(realmd_t)
logging_send_syslog_msg(realmd_t)
+miscfiles_manage_generic_cert_files(realmd_t)
+
+seutil_domtrans_setfiles(realmd_t)
+seutil_read_file_contexts(realmd_t)
+
+sysnet_dns_name_resolve(realmd_t)
+systemd_exec_systemctl(realmd_t)
+
+#userdom_admin_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")
+#userdom_user_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")
+
+optional_policy(`
+ authconfig_domtrans(realmd_t)
+')
+
optional_policy(`
dbus_system_domain(realmd_t, realmd_exec_t)
+ optional_policy(`
+ certmonger_dbus_chat(realmd_t)
+ ')
+
optional_policy(`
networkmanager_dbus_chat(realmd_t)
')
@@ -63,21 +105,40 @@ optional_policy(`
optional_policy(`
kerberos_use(realmd_t)
kerberos_rw_keytab(realmd_t)
+ kerberos_rw_config(realmd_t)
+ kerberos_filetrans_named_content(realmd_t)
+')
+
+optional_policy(`
+ ntp_domtrans_ntpdate(realmd_t)
+')
+
+optional_policy(`
+ ssh_domtrans(realmd_t)
+ ssh_systemctl(realmd_t)
')
optional_policy(`
nis_exec_ypbind(realmd_t)
- nis_initrc_domtrans(realmd_t)
+ nis_systemctl_ypbind(realmd_t)
')
optional_policy(`
- gnome_read_generic_home_content(realmd_t)
+ gnome_read_config(realmd_t)
+ gnome_read_generic_cache_files(realmd_t)
+ gnome_write_generic_cache_files(realmd_t)
+ gnome_manage_cache_home_dir(realmd_t)
+
')
optional_policy(`
samba_domtrans_net(realmd_t)
samba_manage_config(realmd_t)
- samba_getattr_winbind_exec(realmd_t)
+ samba_getattr_winbind(realmd_t)
+')
+
+optional_policy(`
+ rpm_dbus_chat(realmd_t)
')
optional_policy(`
@@ -86,5 +147,27 @@ optional_policy(`
sssd_manage_lib_files(realmd_t)
sssd_manage_public_files(realmd_t)
sssd_read_pid_files(realmd_t)
- sssd_initrc_domtrans(realmd_t)
+ sssd_systemctl(realmd_t)
+')
+
+optional_policy(`
+ xserver_read_state_xdm(realmd_t)
+')
+
+optional_policy(`
+ unconfined_domain(realmd_t)
+')
+
+#####################################
+#
+# realmd consolehelper local policy
+#
+
+optional_policy(`
+ userhelper_console_role_template(realmd, system_r, realmd_t)
+ authconfig_manage_lib_files(realmd_consolehelper_t)
+
+ oddjob_systemctl(realmd_consolehelper_t)
+
+ unconfined_domain_noaudit(realmd_consolehelper_t)
')
diff --git a/redis.fc b/redis.fc
index e240ac99c..83edd1be2 100644
--- a/redis.fc
+++ b/redis.fc
@@ -1,9 +1,16 @@
/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)
-/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
+/etc/redis-sentinel.* -- gen_context(system_u:object_r:redis_conf_t,s0)
-/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
+/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0)
-/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
+/usr/bin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
-/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
+/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
+
+/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
+
+/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
+
+
+/var/opt/rh/rh-redis32/redis(/.*)? -- gen_context(system_u:object_r:redis_exec_t,s0)
diff --git a/redis.if b/redis.if
index 16c8ecbe3..4e021eca7 100644
--- a/redis.if
+++ b/redis.if
@@ -1,9 +1,225 @@
-## Advanced key-value store.
+## Advanced key-value store
########################################
##
-## All of the rules required to
-## administrate an redis environment.
+## Execute redis server in the redis domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`redis_domtrans',`
+ gen_require(`
+ type redis_t, redis_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, redis_exec_t, redis_t)
+')
+
+########################################
+##
+## Execute redis server in the redis domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_initrc_domtrans',`
+ gen_require(`
+ type redis_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, redis_initrc_exec_t)
+')
+
+########################################
+##
+## Read redis's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_read_log',`
+ gen_require(`
+ type redis_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+##
+## Append to redis log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_append_log',`
+ gen_require(`
+ type redis_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+##
+## Manage redis log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_manage_log',`
+ gen_require(`
+ type redis_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, redis_log_t, redis_log_t)
+ manage_files_pattern($1, redis_log_t, redis_log_t)
+ manage_lnk_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+##
+## Search redis lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_search_lib',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ allow $1 redis_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read redis lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_read_lib_files',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+##
+## Manage redis lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_manage_lib_files',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+##
+## Manage redis lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_manage_lib_dirs',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+##
+## Read redis PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_read_pid_files',`
+ gen_require(`
+ type redis_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, redis_var_run_t, redis_var_run_t)
+')
+
+########################################
+##
+## Execute redis server in the redis domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`redis_systemctl',`
+ gen_require(`
+ type redis_t;
+ type redis_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 redis_unit_file_t:file read_file_perms;
+ allow $1 redis_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, redis_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an redis environment
##
##
##
@@ -20,7 +236,7 @@
interface(`redis_admin',`
gen_require(`
type redis_t, redis_initrc_exec_t, redis_var_lib_t;
- type redis_log_t, redis_var_run_t;
+ type redis_log_t, redis_var_run_t, redis_unit_file_t;
')
allow $1 redis_t:process { ptrace signal_perms };
@@ -32,11 +248,20 @@ interface(`redis_admin',`
allow $2 system_r;
logging_search_logs($1)
- admin_pattern($!, redis_log_t)
+ admin_pattern($1, redis_log_t)
files_search_var_lib($1)
admin_pattern($1, redis_var_lib_t)
files_search_pids($1)
admin_pattern($1, redis_var_run_t)
+
+ redis_systemctl($1)
+ admin_pattern($1, redis_unit_file_t)
+ allow $1 redis_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/redis.te b/redis.te
index 25cd4175f..82c34b2e9 100644
--- a/redis.te
+++ b/redis.te
@@ -5,6 +5,13 @@ policy_module(redis, 1.0.1)
# Declarations
#
+##
+##
+## Allow Redis to run redis-sentinal notification scripts.
+##
+##
+gen_tunable(redis_enable_notify, false)
+
type redis_t;
type redis_exec_t;
init_daemon_domain(redis_t, redis_exec_t)
@@ -12,6 +19,9 @@ init_daemon_domain(redis_t, redis_exec_t)
type redis_initrc_exec_t;
init_script_file(redis_initrc_exec_t)
+type redis_conf_t;
+files_config_file(redis_conf_t)
+
type redis_log_t;
logging_log_file(redis_log_t)
@@ -21,6 +31,9 @@ files_type(redis_var_lib_t)
type redis_var_run_t;
files_pid_file(redis_var_run_t)
+type redis_unit_file_t;
+systemd_unit_file(redis_unit_file_t)
+
########################################
#
# Local policy
@@ -31,6 +44,8 @@ allow redis_t self:fifo_file rw_fifo_file_perms;
allow redis_t self:unix_stream_socket create_stream_socket_perms;
allow redis_t self:tcp_socket create_stream_socket_perms;
+manage_files_pattern(redis_t, redis_conf_t, redis_conf_t)
+
manage_dirs_pattern(redis_t, redis_log_t, redis_log_t)
manage_files_pattern(redis_t, redis_log_t, redis_log_t)
manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
@@ -42,14 +57,17 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+manage_sock_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
kernel_read_system_state(redis_t)
+kernel_read_net_sysctls(redis_t)
corenet_all_recvfrom_unlabeled(redis_t)
corenet_all_recvfrom_netlabel(redis_t)
corenet_tcp_sendrecv_generic_if(redis_t)
corenet_tcp_sendrecv_generic_node(redis_t)
corenet_tcp_bind_generic_node(redis_t)
+corenet_tcp_connect_redis_port(redis_t)
corenet_sendrecv_redis_server_packets(redis_t)
corenet_tcp_bind_redis_port(redis_t)
@@ -60,6 +78,10 @@ dev_read_urand(redis_t)
logging_send_syslog_msg(redis_t)
-miscfiles_read_localization(redis_t)
-
sysnet_dns_name_resolve(redis_t)
+
+tunable_policy(`redis_enable_notify',`
+ corecmd_exec_bin(redis_t)
+ corecmd_exec_shell(redis_t)
+ sendmail_domtrans(redis_t)
+')
diff --git a/remotelogin.fc b/remotelogin.fc
index 327baf059..d8691bd14 100644
--- a/remotelogin.fc
+++ b/remotelogin.fc
@@ -1 +1,2 @@
+
# Remote login currently has no file contexts.
diff --git a/remotelogin.if b/remotelogin.if
index a9ce68e33..92520aa92 100644
--- a/remotelogin.if
+++ b/remotelogin.if
@@ -1,4 +1,4 @@
-## Rshd, rlogind, and telnetd.
+## Policy for rshd, rlogind, and telnetd.
########################################
##
@@ -15,13 +15,12 @@ interface(`remotelogin_domtrans',`
type remote_login_t;
')
- corecmd_search_bin($1)
auth_domtrans_login_program($1, remote_login_t)
')
########################################
##
-## Send generic signals to remote login.
+## allow Domain to signal remote login domain.
##
##
##
@@ -39,8 +38,7 @@ interface(`remotelogin_signal',`
########################################
##
-## Create, read, write, and delete
-## remote login temporary content.
+## allow Domain to signal remote login domain.
##
##
##
@@ -48,32 +46,10 @@ interface(`remotelogin_signal',`
##
##
#
-interface(`remotelogin_manage_tmp_content',`
+interface(`remotelogin_signull',`
gen_require(`
- type remote_login_tmp_t;
- ')
-
- files_search_tmp($1)
- allow $1 remote_login_tmp_t:dir manage_dir_perms;
- allow $1 remote_login_tmp_t:file manage_file_perms;
-')
-
-########################################
-##
-## Relabel remote login temporary content.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`remotelogin_relabel_tmp_content',`
- gen_require(`
- type remote_login_tmp_t;
+ type remote_login_t;
')
- files_search_tmp($1)
- allow $1 remote_login_tmp_t:dir relabel_dir_perms;
- allow $1 remote_login_tmp_t:file relabel_file_perms;
+ allow $1 remote_login_t:process signull;
')
diff --git a/remotelogin.te b/remotelogin.te
index ae308717f..15a669cd4 100644
--- a/remotelogin.te
+++ b/remotelogin.te
@@ -10,81 +10,89 @@ domain_interactive_fd(remote_login_t)
auth_login_pgm_domain(remote_login_t)
auth_login_entry_type(remote_login_t)
-type remote_login_tmp_t;
-files_tmp_file(remote_login_tmp_t)
-
########################################
#
-# Local policy
+# Remote login remote policy
#
-allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
+allow remote_login_t self:capability { dac_read_search dac_read_search dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow remote_login_t self:process { setrlimit setexec };
allow remote_login_t self:fd use;
allow remote_login_t self:fifo_file rw_fifo_file_perms;
+allow remote_login_t self:sock_file read_sock_file_perms;
+allow remote_login_t self:unix_dgram_socket create_socket_perms;
+allow remote_login_t self:unix_stream_socket create_stream_socket_perms;
allow remote_login_t self:unix_dgram_socket sendto;
-allow remote_login_t self:unix_stream_socket { accept connectto listen };
-
-manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
-manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
-files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
+allow remote_login_t self:unix_stream_socket connectto;
+allow remote_login_t self:shm create_shm_perms;
+allow remote_login_t self:sem create_sem_perms;
+allow remote_login_t self:msgq create_msgq_perms;
+allow remote_login_t self:msg { send receive };
+allow remote_login_t self:key write;
kernel_read_system_state(remote_login_t)
kernel_read_kernel_sysctls(remote_login_t)
dev_getattr_mouse_dev(remote_login_t)
dev_setattr_mouse_dev(remote_login_t)
+dev_dontaudit_search_sysfs(remote_login_t)
fs_getattr_xattr_fs(remote_login_t)
+fs_search_auto_mountpoints(remote_login_t)
term_relabel_all_ptys(remote_login_t)
term_use_all_ptys(remote_login_t)
term_setattr_all_ptys(remote_login_t)
-auth_manage_pam_console_data(remote_login_t)
-auth_domtrans_pam_console(remote_login_t)
auth_rw_login_records(remote_login_t)
auth_rw_faillog(remote_login_t)
+auth_manage_pam_console_data(remote_login_t)
+auth_domtrans_pam_console(remote_login_t)
corecmd_list_bin(remote_login_t)
corecmd_read_bin_symlinks(remote_login_t)
+# cjp: these are probably not needed:
+corecmd_read_bin_files(remote_login_t)
+corecmd_read_bin_pipes(remote_login_t)
+corecmd_read_bin_sockets(remote_login_t)
domain_read_all_entry_files(remote_login_t)
files_read_etc_runtime_files(remote_login_t)
files_list_home(remote_login_t)
-files_read_usr_files(remote_login_t)
files_list_world_readable(remote_login_t)
files_read_world_readable_files(remote_login_t)
files_read_world_readable_symlinks(remote_login_t)
files_read_world_readable_pipes(remote_login_t)
files_read_world_readable_sockets(remote_login_t)
files_list_mnt(remote_login_t)
+# for when /var/mail is a sym-link
files_read_var_symlinks(remote_login_t)
-miscfiles_read_localization(remote_login_t)
+auth_use_nsswitch(remote_login_t)
+
userdom_use_unpriv_users_fds(remote_login_t)
userdom_search_user_home_content(remote_login_t)
+# Only permit unprivileged user domains to be entered via rlogin,
+# since very weak authentication is used.
userdom_signal_unpriv_users(remote_login_t)
userdom_spec_domtrans_unpriv_users(remote_login_t)
+userdom_use_user_ptys(remote_login_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(remote_login_t)
- fs_read_nfs_symlinks(remote_login_t)
-')
+userdom_manage_user_tmp_dirs(remote_login_t)
+userdom_manage_user_tmp_files(remote_login_t)
+userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(remote_login_t)
- fs_read_cifs_symlinks(remote_login_t)
-')
+userdom_home_reader(remote_login_t)
optional_policy(`
alsa_domtrans(remote_login_t)
')
optional_policy(`
+ # Search for mail spool file.
mta_getattr_spool(remote_login_t)
')
diff --git a/resmgr.te b/resmgr.te
index f6eb358ad..b6319191c 100644
--- a/resmgr.te
+++ b/resmgr.te
@@ -23,7 +23,7 @@ files_pid_file(resmgrd_var_run_t)
# Local policy
#
-allow resmgrd_t self:capability { dac_override sys_admin sys_rawio };
+allow resmgrd_t self:capability { dac_read_search dac_override sys_admin sys_rawio };
dontaudit resmgrd_t self:capability sys_tty_config;
allow resmgrd_t self:process signal_perms;
@@ -42,7 +42,6 @@ dev_getattr_scanner_dev(resmgrd_t)
domain_use_interactive_fds(resmgrd_t)
-files_read_etc_files(resmgrd_t)
fs_search_auto_mountpoints(resmgrd_t)
@@ -54,8 +53,6 @@ storage_write_scsi_generic(resmgrd_t)
logging_send_syslog_msg(resmgrd_t)
-miscfiles_read_localization(resmgrd_t)
-
userdom_dontaudit_use_unpriv_user_fds(resmgrd_t)
optional_policy(`
diff --git a/rgmanager.fc b/rgmanager.fc
index 5421af0b6..91e69b869 100644
--- a/rgmanager.fc
+++ b/rgmanager.fc
@@ -1,12 +1,22 @@
-/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/cpglockd -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
-/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/cpglockd -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
-/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
-/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
-/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
+/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
+/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
-/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
-/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+
+/var/run/cpglockd\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
diff --git a/rgmanager.if b/rgmanager.if
index 1c2f9aa12..a4133dc92 100644
--- a/rgmanager.if
+++ b/rgmanager.if
@@ -1,13 +1,13 @@
-## Resource Group Manager.
+## rgmanager - Resource Group Manager
#######################################
##
## Execute a domain transition to run rgmanager.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`rgmanager_domtrans',`
@@ -21,8 +21,7 @@ interface(`rgmanager_domtrans',`
########################################
##
-## Connect to rgmanager with a unix
-## domain stream socket.
+## Connect to rgmanager over a unix stream socket.
##
##
##
@@ -39,10 +38,28 @@ interface(`rgmanager_stream_connect',`
stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
')
+########################################
+##
+## Manage rgmanager pid files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rgmanager_manage_pid_files',`
+ gen_require(`
+ type rgmanager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t)
+')
+
######################################
##
-## Create, read, write, and delete
-## rgmanager tmp files.
+## Allow manage rgmanager tmp files.
##
##
##
@@ -61,8 +78,7 @@ interface(`rgmanager_manage_tmp_files',`
######################################
##
-## Create, read, write, and delete
-## rgmanager tmpfs files.
+## Allow manage rgmanager tmpfs files.
##
##
##
@@ -79,10 +95,28 @@ interface(`rgmanager_manage_tmpfs_files',`
manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
')
+#######################################
+##
+## Allow read and write access to rgmanager semaphores.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rgmanager_rw_semaphores',`
+ gen_require(`
+ type rgmanager_t;
+ ')
+
+ allow $1 rgmanager_t:sem rw_sem_perms;
+')
+
######################################
##
-## All of the rules required to
-## administrate an rgmanager environment.
+## All of the rules required to administrate
+## an rgmanager environment
##
##
##
@@ -91,7 +125,7 @@ interface(`rgmanager_manage_tmpfs_files',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the rgmanager domain.
##
##
##
@@ -102,8 +136,11 @@ interface(`rgmanager_admin',`
type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
')
- allow $1 rgmanager_t:process { ptrace signal_perms };
+ allow $1 rgmanager_t:process signal_perms;
ps_process_pattern($1, rgmanager_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 rgmanager_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
domain_system_change_exemption($1)
@@ -121,3 +158,66 @@ interface(`rgmanager_admin',`
files_list_pids($1)
admin_pattern($1, rgmanager_var_run_t)
')
+
+
+######################################
+##
+## Allow the specified domain to manage rgmanager's lib/run files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rgmanager_manage_files',`
+ gen_require(`
+ type rgmanager_var_lib_t;
+ type rgmanager_var_run_t;
+ ')
+
+ files_list_var_lib($1)
+ admin_pattern($1, rgmanager_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, rgmanager_var_run_t)
+')
+
+######################################
+##
+## Allow the specified domain to execute rgmanager's lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rgmanager_execute_lib',`
+ gen_require(`
+ type rgmanager_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
+ can_exec($1, rgmanager_var_lib_t)
+')
+
+######################################
+##
+## Allow the specified domain to search rgmanager's lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rgmanager_search_lib',`
+ gen_require(`
+ type rgmanager_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
+')
diff --git a/rgmanager.te b/rgmanager.te
index c8a1e16e4..f9d6fb341 100644
--- a/rgmanager.te
+++ b/rgmanager.te
@@ -6,10 +6,9 @@ policy_module(rgmanager, 1.3.0)
#
##
-##
-## Determine whether rgmanager can
-## connect to the network using TCP.
-##
+##
+## Allow rgmanager domain to connect to the network using TCP.
+##
##
gen_tunable(rgmanager_can_network_connect, false)
@@ -26,6 +25,9 @@ files_tmp_file(rgmanager_tmp_t)
type rgmanager_tmpfs_t;
files_tmpfs_file(rgmanager_tmpfs_t)
+type rgmanager_var_lib_t;
+files_type(rgmanager_var_lib_t)
+
type rgmanager_var_log_t;
logging_log_file(rgmanager_var_log_t)
@@ -34,14 +36,16 @@ files_pid_file(rgmanager_var_run_t)
########################################
#
-# Local policy
+# rgmanager local policy
#
-allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
+allow rgmanager_t self:capability { dac_read_search dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
allow rgmanager_t self:process { setsched signal };
+
allow rgmanager_t self:fifo_file rw_fifo_file_perms;
-allow rgmanager_t self:unix_stream_socket { accept listen };
-allow rgmanager_t self:tcp_socket { accept listen };
+allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
+allow rgmanager_t self:unix_dgram_socket create_socket_perms;
+allow rgmanager_t self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
@@ -51,77 +55,93 @@ manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
-allow rgmanager_t rgmanager_var_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, file)
+# var/lib files
+# # needed by hearbeat
+can_exec(rgmanager_t, rgmanager_var_lib_t)
+manage_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
+manage_dirs_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
+manage_sock_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
+manage_fifo_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
+files_var_lib_filetrans(rgmanager_t,rgmanager_var_lib_t, { file dir fifo_file sock_file })
+
+
+manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
+logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
+manage_dirs_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
-files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
+files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file dir })
+kernel_kill(rgmanager_t)
kernel_read_kernel_sysctls(rgmanager_t)
+kernel_read_rpc_sysctls(rgmanager_t)
kernel_read_system_state(rgmanager_t)
kernel_rw_rpc_sysctls(rgmanager_t)
kernel_search_debugfs(rgmanager_t)
kernel_search_network_state(rgmanager_t)
-corenet_all_recvfrom_unlabeled(rgmanager_t)
-corenet_all_recvfrom_netlabel(rgmanager_t)
-corenet_tcp_sendrecv_generic_if(rgmanager_t)
-corenet_tcp_sendrecv_generic_node(rgmanager_t)
-
corecmd_exec_bin(rgmanager_t)
corecmd_exec_shell(rgmanager_t)
+# need to write to /dev/misc/dlm-control
dev_rw_dlm_control(rgmanager_t)
dev_setattr_dlm_control(rgmanager_t)
dev_search_sysfs(rgmanager_t)
domain_read_all_domains_state(rgmanager_t)
domain_getattr_all_domains(rgmanager_t)
-domain_dontaudit_ptrace_all_domains(rgmanager_t)
-files_list_all(rgmanager_t)
+files_create_var_run_dirs(rgmanager_t)
files_getattr_all_symlinks(rgmanager_t)
+files_list_all(rgmanager_t)
files_manage_mnt_dirs(rgmanager_t)
+files_manage_mnt_files(rgmanager_t)
+files_manage_mnt_symlinks(rgmanager_t)
+files_manage_isid_type_files(rgmanager_t)
files_manage_isid_type_dirs(rgmanager_t)
-files_read_non_security_files(rgmanager_t)
+fs_getattr_xattr_fs(rgmanager_t)
fs_getattr_all_fs(rgmanager_t)
storage_raw_read_fixed_disk(rgmanager_t)
+storage_getattr_fixed_disk_dev(rgmanager_t)
term_getattr_pty_fs(rgmanager_t)
+# needed by resources scripts
+files_read_non_security_files(rgmanager_t)
auth_dontaudit_getattr_shadow(rgmanager_t)
auth_use_nsswitch(rgmanager_t)
init_domtrans_script(rgmanager_t)
+init_initrc_domain(rgmanager_t)
logging_send_syslog_msg(rgmanager_t)
-miscfiles_read_localization(rgmanager_t)
+userdom_kill_all_users(rgmanager_t)
tunable_policy(`rgmanager_can_network_connect',`
- corenet_sendrecv_all_client_packets(rgmanager_t)
corenet_tcp_connect_all_ports(rgmanager_t)
- corenet_tcp_sendrecv_all_ports(rgmanager_t)
')
+# rgmanager can run resource scripts
optional_policy(`
aisexec_stream_connect(rgmanager_t)
+ corosync_stream_connect(rgmanager_t)
')
optional_policy(`
- consoletype_exec(rgmanager_t)
+ apache_domtrans(rgmanager_t)
+ apache_signal(rgmanager_t)
')
optional_policy(`
- corosync_stream_connect(rgmanager_t)
+ consoletype_exec(rgmanager_t)
')
optional_policy(`
- apache_domtrans(rgmanager_t)
- apache_signal(rgmanager_t)
+ dbus_system_bus_client(rgmanager_t)
')
optional_policy(`
@@ -130,7 +150,6 @@ optional_policy(`
optional_policy(`
rhcs_stream_connect_groupd(rgmanager_t)
- rhcs_stream_connect_gfs_controld(rgmanager_t)
')
optional_policy(`
@@ -140,12 +159,19 @@ optional_policy(`
optional_policy(`
ccs_manage_config(rgmanager_t)
ccs_stream_connect(rgmanager_t)
+ rhcs_stream_connect_gfs_controld(rgmanager_t)
')
optional_policy(`
lvm_domtrans(rgmanager_t)
')
+optional_policy(`
+ ldap_initrc_domtrans(rgmanager_t)
+ ldap_systemctl(rgmanager_t)
+ ldap_domtrans(rgmanager_t)
+')
+
optional_policy(`
mount_domtrans(rgmanager_t)
')
@@ -174,12 +200,18 @@ optional_policy(`
')
optional_policy(`
+ rpc_initrc_domtrans_nfsd(rgmanager_t)
+ rpc_initrc_domtrans_rpcd(rgmanager_t)
+ rpc_systemctl_nfsd(rgmanager_t)
+ rpc_systemctl_rpcd(rgmanager_t)
+
rpc_domtrans_nfsd(rgmanager_t)
rpc_domtrans_rpcd(rgmanager_t)
rpc_manage_nfs_state_data(rgmanager_t)
')
optional_policy(`
+ samba_initrc_domtrans(rgmanager_t)
samba_domtrans_smbd(rgmanager_t)
samba_domtrans_nmbd(rgmanager_t)
samba_manage_var_files(rgmanager_t)
@@ -200,6 +232,10 @@ optional_policy(`
virt_stream_connect(rgmanager_t)
')
+optional_policy(`
+ unconfined_domain(rgmanager_t)
+')
+
optional_policy(`
xen_domtrans_xm(rgmanager_t)
')
diff --git a/rhcs.fc b/rhcs.fc
index 47de2d681..c06395f39 100644
--- a/rhcs.fc
+++ b/rhcs.fc
@@ -1,31 +1,107 @@
-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_sanlockd -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_virtd -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
+/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+/usr/sbin/haproxy -- gen_context(system_u:object_r:haproxy_exec_t,s0)
+/usr/sbin/haproxy-systemd-wrapper -- gen_context(system_u:object_r:haproxy_exec_t,s0)
+/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
-/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
-/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
-/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
-/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
-/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
+/usr/lib/systemd/system/haproxy.* -- gen_context(system_u:object_r:haproxy_unit_file_t,s0)
-/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
+/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
-/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+/var/lib/cluster(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/haproxy(/.*)? gen_context(system_u:object_r:haproxy_var_lib_t,s0)
+/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
-/var/log/cluster/.*\.*log <>
+/var/log/cluster/.*\.*log <>
/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
-/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
+/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
-/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
-/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
+/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
-/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0)
-/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
-/var/run/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
-/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
-/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
-/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
-/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
+/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/cluster/mpath\.devices -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+/var/run/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+/var/run/fence.* gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
+/var/run/haproxy\.pid -- gen_context(system_u:object_r:haproxy_var_run_t,s0)
+/var/run/haproxy\.stat.* -- gen_context(system_u:object_r:haproxy_var_run_t,s0)
+/var/run/haproxy\.sock.* -s gen_context(system_u:object_r:haproxy_var_run_t,s0)
+/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
+
+# cluster administrative domains file spec
+/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/cpglockd -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
+/usr/lib/systemd/system/corosync-qnetd.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
+/usr/lib/systemd/system/corosync-qdevice.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
+
+/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
+/usr/lib/systemd/system/pcsd.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
+
+/usr/sbin/aisexec -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/bin/corosync-qnetd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/cpglockd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/ccs_tool -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/cman_tool -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/ldirectord -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/pacemakerd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/pacemaker_remoted -- gen_context(system_u:object_r:cluster_exec_t,s0)
+
+/usr/share/corosync/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/share/corosync/corosync-qdevice -- gen_context(system_u:object_r:cluster_exec_t,s0)
+
+/usr/share/cluster/fence_scsi_check\.pl -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/share/cluster/fence_scsi_check -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/share/cluster/fence_scsi_check_hardreboot -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/share/cluster/fence_mpath_check -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/share/cluster/fence_mpath_check_hardreboot -- gen_context(system_u:object_r:fenced_exec_t,s0)
+
+/usr/lib/pcsd/pcsd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+
+/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/corosync(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/openais(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/pacemaker(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/pengine(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+
+/var/run/aisexec.* gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/cman_.* -s gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/cpglockd\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/corosync\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/crm(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/rsctmp(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/corosync-qdevice(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/corosync-qnetd(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
+
+
+/var/log/cluster/aisexec\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/pacemaker\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0)
diff --git a/rhcs.if b/rhcs.if
index c8bdea28d..0f8b732c4 100644
--- a/rhcs.if
+++ b/rhcs.if
@@ -1,19 +1,19 @@
-## Red Hat Cluster Suite.
+## RHCS - Red Hat Cluster Suite
#######################################
##
-## The template to define a rhcs domain.
+## Creates types and rules for a basic
+## rhcs init daemon domain.
##
-##
+##
##
-## Domain prefix to be used.
+## Prefix for the domain.
##
##
#
template(`rhcs_domain_template',`
gen_require(`
- attribute cluster_domain, cluster_pid, cluster_tmpfs;
- attribute cluster_log;
+ attribute cluster_domain, cluster_tmpfs, cluster_pid, cluster_log;
')
##############################
@@ -43,11 +43,6 @@ template(`rhcs_domain_template',`
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
- manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t)
- append_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
- create_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
- setattr_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
- manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })
manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
@@ -56,20 +51,21 @@ template(`rhcs_domain_template',`
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file })
- optional_policy(`
- dbus_system_bus_client($1_t)
- ')
+ kernel_read_system_state($1_t)
+
+ auth_use_nsswitch($1_t)
+
+ logging_send_syslog_msg($1_t)
')
######################################
##
-## Execute a domain transition to
-## run dlm_controld.
+## Execute a domain transition to run dlm_controld.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`rhcs_domtrans_dlm_controld',`
@@ -83,8 +79,8 @@ interface(`rhcs_domtrans_dlm_controld',`
#####################################
##
-## Get attributes of fenced
-## executable files.
+## Connect to dlm_controld over a unix domain
+## stream socket.
##
##
##
@@ -92,18 +88,19 @@ interface(`rhcs_domtrans_dlm_controld',`
##
##
#
-interface(`rhcs_getattr_fenced_exec_files',`
+interface(`rhcs_stream_connect_dlm_controld',`
gen_require(`
- type fenced_exec_t;
+ type dlm_controld_t, dlm_controld_var_run_t;
')
- allow $1 fenced_exec_t:file getattr_file_perms;
+ files_search_pids($1)
+ stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
')
#####################################
##
-## Connect to dlm_controld with a
-## unix domain stream socket.
+## Connect to haproxy over a unix domain
+## stream socket.
##
##
##
@@ -111,18 +108,36 @@ interface(`rhcs_getattr_fenced_exec_files',`
##
##
#
-interface(`rhcs_stream_connect_dlm_controld',`
+interface(`rhcs_stream_connect_haproxy',`
gen_require(`
- type dlm_controld_t, dlm_controld_var_run_t;
+ type haproxy_t, haproxy_var_run_t;
')
files_search_pids($1)
- stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
+ stream_connect_pattern($1, haproxy_var_run_t, haproxy_var_run_t, haproxy_t)
+')
+
+########################################
+##
+## Send a null signal to haproxy.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_signull_haproxy',`
+ gen_require(`
+ type haproxy_t;
+ ')
+
+ allow $1 haproxy_t:process signull;
')
#####################################
##
-## Read and write dlm_controld semaphores.
+## Allow read and write access to dlm_controld semaphores.
##
##
##
@@ -160,9 +175,27 @@ interface(`rhcs_domtrans_fenced',`
domtrans_pattern($1, fenced_exec_t, fenced_t)
')
+#####################################
+##
+## Allow a domain to getattr on fenced executable.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rhcs_getattr_fenced',`
+ gen_require(`
+ type fenced_t, fenced_exec_t;
+ ')
+
+ allow $1 fenced_exec_t:file getattr;
+')
+
######################################
##
-## Read and write fenced semaphores.
+## Allow read and write access to fenced semaphores.
##
##
##
@@ -181,10 +214,9 @@ interface(`rhcs_rw_fenced_semaphores',`
manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
')
-####################################
+######################################
##
-## Connect to all cluster domains
-## with a unix domain stream socket.
+## Read fenced PID files.
##
##
##
@@ -192,19 +224,18 @@ interface(`rhcs_rw_fenced_semaphores',`
##
##
#
-interface(`rhcs_stream_connect_cluster',`
+interface(`rhcs_read_fenced_pid_files',`
gen_require(`
- attribute cluster_domain, cluster_pid;
+ type fenced_var_run_t;
')
files_search_pids($1)
- stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
+ read_files_pattern($1, fenced_var_run_t, fenced_var_run_t)
')
######################################
##
-## Connect to fenced with an unix
-## domain stream socket.
+## Connect to fenced over a unix domain stream socket.
##
##
##
@@ -221,10 +252,28 @@ interface(`rhcs_stream_connect_fenced',`
stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
')
+######################################
+##
+## Execute a domain transition to run fenced.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rhcs_domtrans_haproxy',`
+ gen_require(`
+ type haproxy_t, haproxy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, haproxy_exec_t, haproxy_t)
+')
+
#####################################
##
-## Execute a domain transition
-## to run gfs_controld.
+## Execute a domain transition to run gfs_controld.
##
##
##
@@ -243,7 +292,7 @@ interface(`rhcs_domtrans_gfs_controld',`
####################################
##