[selinux-policy/f18] - Allow pki apache domain to create own tmp files and execute httpd_suexec
Miroslav Grepl
mgrepl at fedoraproject.org
Thu May 2 15:21:59 UTC 2013
commit ec7d68832211b97c23b27e0c2292142caf785059
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu May 2 17:21:37 2013 +0200
- Allow pki apache domain to create own tmp files and execute httpd_suexec
policy-f18-base.patch | 34 +++--
policy-f18-contrib.patch | 379 ++++++++++++++++++++++++++++++++--------------
selinux-policy.spec | 5 +-
3 files changed, 289 insertions(+), 129 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index 9046d48..25e4754 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -124640,7 +124640,7 @@ index 234a940..d340f20 100644
########################################
## <summary>
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index e5aee97..9d8fdd5 100644
+index e5aee97..8425d4b 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,67 @@ policy_module(staff, 2.3.0)
@@ -124966,7 +124966,7 @@ index e5aee97..9d8fdd5 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -176,3 +372,20 @@ ifndef(`distro_redhat',`
+@@ -176,3 +372,21 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -124985,6 +124985,7 @@ index e5aee97..9d8fdd5 100644
+ allow staff_t self:fifo_file relabelfrom;
+ dev_rw_kvm(staff_t)
+ virt_manage_images(staff_t)
++ virt_stream_connect_svirt(staff_t)
+ ')
+')
diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if
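Review bot: The added `virt_stream_connect_svirt(staff_t)` carries no comment saying which client program on the staff side needs to connect to svirt domain sockets, and the enclosing conditional block it sits in begins outside the hunk, so the gating tunable is not visible here. Because this opens a channel from an unprivileged user domain into confined guest domains, a one-line comment naming that client (e.g. `# <client tool> connects to the guest socket -- TODO confirm`) would let a later audit decide whether the rule is still needed.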
@@ -145502,7 +145503,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..562af0e 100644
+index e720dcd..a246d7c 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -148227,7 +148228,7 @@ index e720dcd..562af0e 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3295,4 +4171,1367 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3295,4 +4171,1364 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@@ -149008,13 +149009,10 @@ index e720dcd..562af0e 100644
+#
+interface(`userdom_read_home_certs',`
+ gen_require(`
-+ type home_cert_t;
++ attribute userdom_home_reader_certs_type;
+ ')
+
-+ userdom_search_user_home_content($1)
-+ allow $1 home_cert_t:dir list_dir_perms;
-+ read_files_pattern($1, home_cert_t, home_cert_t)
-+ read_lnk_files_pattern($1, home_cert_t, home_cert_t)
++ typeattribute $1 userdom_home_reader_certs_type;
+')
+
+########################################
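Review bot: `userdom_read_home_certs` now consists solely of `typeattribute $1 userdom_home_reader_certs_type;`, and a typeattribute statement is not permitted inside a conditional (`tunable_policy`) block, so any caller that invokes this interface from within a tunable will fail to build where the previous direct allow rules compiled. The interface's XML description, which sits above the hunk, should say so; a summary such as `## Read home certificates. Cannot be called from inside a tunable_policy block.` would stop the next caller from hitting that build error. The rules themselves now live on the attribute in userdomain.te, which is a reasonable consolidation.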
@@ -149596,7 +149594,7 @@ index e720dcd..562af0e 100644
+ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 6a4bd85..0d03483 100644
+index 6a4bd85..f8e2d6b 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.0)
@@ -149659,10 +149657,11 @@ index 6a4bd85..0d03483 100644
# all user domains
attribute userdomain;
-@@ -59,6 +53,22 @@ attribute unpriv_userdomain;
+@@ -59,6 +53,23 @@ attribute unpriv_userdomain;
attribute untrusted_content_type;
attribute untrusted_content_tmp_type;
++attribute userdom_home_reader_certs_type;
+attribute userdom_home_reader_type;
+attribute userdom_home_manager_type;
+
@@ -149682,7 +149681,7 @@ index 6a4bd85..0d03483 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -71,26 +81,124 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +82,135 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -149766,6 +149765,17 @@ index 6a4bd85..0d03483 100644
+ xserver_filetrans_home_content(userdomain)
+')
+
++
++# rules for types which can read home certs
++allow userdom_home_reader_certs_type home_cert_t:dir list_dir_perms;
++read_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t)
++read_lnk_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t)
++userdom_search_user_home_content(userdom_home_reader_certs_type)
++
++tunable_policy(`use_ecryptfs_home_dirs',`
++ fs_read_ecryptfs_files(userdom_home_reader_certs_type)
++')
++
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(userdom_home_reader_type)
+ fs_read_nfs_files(userdom_home_reader_type)
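Review bot: The new `userdom_home_reader_certs_type` rules cover the `use_ecryptfs_home_dirs` case but not the `use_nfs_home_dirs` block that immediately follows, which still grants `fs_read_nfs_files` only to `userdom_home_reader_type`; a cert reader on an NFS-mounted home directory would therefore be denied the read where an ecryptfs one is allowed. If that asymmetry is unintended, add `fs_read_nfs_files(userdom_home_reader_certs_type)` inside the `use_nfs_home_dirs` tunable (and the CIFS equivalent if the file has one — it is not visible in this hunk). The change also adds a second consecutive blank line ahead of the new comment; one blank line matches the rest of the file.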
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index 6085c4f..6ddbdb1 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -2191,10 +2191,10 @@ index 0000000..adcd6f4
+ files_getattr_all_sockets(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index fd9fa07..ac64761 100644
+index fd9fa07..3f948ab 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,20 +1,37 @@
+@@ -1,20 +1,39 @@
HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
@@ -2215,6 +2215,7 @@ index fd9fa07..ac64761 100644
+/etc/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
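Review bot: Labeling `/etc/nginx`, `/usr/sbin/nginx`, its unit file, `/var/lib/nginx`, `/var/log/nginx` and `/var/run/nginx.*` with the httpd types (this hunk and the later apache.fc hunks) makes nginx run as `httpd_t` and inherit every httpd boolean and every existing httpd allow rule, and no comment records that this aliasing is deliberate. A short comment at the first nginx entry, e.g. `# nginx shares the httpd_t domain and its booleans`, would make that design decision visible to anyone later auditing what the httpd booleans expose. The `/var/run/nginx.*` pattern is unanchored after the name and will also match unrelated entries such as `/var/run/nginx-foo`; it mirrors the existing `/var/run/httpd.*` pattern, so that is a consistency choice rather than a defect.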
@@ -2228,12 +2229,13 @@ index fd9fa07..ac64761 100644
+/usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/jetty.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
++/usr/lib/systemd/system/nginx.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+
+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -22,20 +39,25 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
+@@ -22,20 +41,26 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -2262,11 +2264,12 @@ index fd9fa07..ac64761 100644
+/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -43,8 +65,9 @@ ifdef(`distro_suse', `
+@@ -43,8 +68,9 @@ ifdef(`distro_suse', `
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
@@ -2278,7 +2281,7 @@ index fd9fa07..ac64761 100644
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -54,9 +77,13 @@ ifdef(`distro_suse', `
+@@ -54,9 +80,13 @@ ifdef(`distro_suse', `
/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -2292,7 +2295,7 @@ index fd9fa07..ac64761 100644
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -69,35 +96,55 @@ ifdef(`distro_suse', `
+@@ -69,35 +99,59 @@ ifdef(`distro_suse', `
/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
@@ -2310,6 +2313,8 @@ index fd9fa07..ac64761 100644
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/mod_security(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+/var/lib/openshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
@@ -2331,6 +2336,7 @@ index fd9fa07..ac64761 100644
+/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
@@ -2348,13 +2354,14 @@ index fd9fa07..ac64761 100644
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-@@ -109,3 +156,38 @@ ifdef(`distro_debian', `
+@@ -109,3 +163,38 @@ ifdef(`distro_debian', `
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -2394,7 +2401,7 @@ index fd9fa07..ac64761 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
-index 6480167..c0ece1b 100644
+index 6480167..c5be77c 100644
--- a/apache.if
+++ b/apache.if
@@ -13,68 +13,55 @@
@@ -2634,7 +2641,7 @@ index 6480167..c0ece1b 100644
tunable_policy(`httpd_enable_cgi',`
# If a user starts a script by hand it gets the proper context
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
-@@ -317,6 +237,25 @@ interface(`apache_domtrans',`
+@@ -317,6 +237,44 @@ interface(`apache_domtrans',`
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
@@ -2657,10 +2664,29 @@ index 6480167..c0ece1b 100644
+ can_exec($1, httpd_exec_t)
+')
+
++######################################
++## <summary>
++## Allow the specified domain to execute apache suexec
++## in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`apache_exec_suexec',`
++ gen_require(`
++ type httpd_suexec_exec_t;
++ ')
++
++ can_exec($1, httpd_suexec_exec_t)
++')
++
#######################################
## <summary>
## Send a generic signal to apache.
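Review bot: `apache_exec_suexec` grants `can_exec($1, httpd_suexec_exec_t)`, which runs the suexec helper (installed setuid root by Apache) inside the caller's own domain instead of transitioning to the confined `httpd_suexec_t` domain; the caller (here `pki_apache_domain`, in the pki.te hunk further down) therefore has to carry any privilege suexec needs itself, and suexec's actions are no longer attributable to a dedicated domain in the audit log. That trade-off should be stated in the interface description, e.g. `## Execute suexec in the caller domain (no transition to httpd_suexec_t); prefer a domtrans interface where the caller is not itself an httpd-equivalent domain.` The same point applies to the `apache_exec_suexec(pki_apache_domain)` call added in pki.te.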
-@@ -405,7 +344,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
+@@ -405,7 +363,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
type httpd_t;
')
@@ -2669,7 +2695,7 @@ index 6480167..c0ece1b 100644
')
########################################
-@@ -487,7 +426,7 @@ interface(`apache_setattr_cache_dirs',`
+@@ -487,7 +445,7 @@ interface(`apache_setattr_cache_dirs',`
type httpd_cache_t;
')
@@ -2678,7 +2704,7 @@ index 6480167..c0ece1b 100644
')
########################################
-@@ -531,6 +470,25 @@ interface(`apache_rw_cache_files',`
+@@ -531,6 +489,25 @@ interface(`apache_rw_cache_files',`
########################################
## <summary>
## Allow the specified domain to delete
@@ -2704,7 +2730,7 @@ index 6480167..c0ece1b 100644
## Apache cache.
## </summary>
## <param name="domain">
-@@ -549,6 +507,26 @@ interface(`apache_delete_cache_files',`
+@@ -549,6 +526,26 @@ interface(`apache_delete_cache_files',`
########################################
## <summary>
@@ -2731,7 +2757,7 @@ index 6480167..c0ece1b 100644
## Allow the specified domain to read
## apache configuration files.
## </summary>
-@@ -641,6 +619,27 @@ interface(`apache_run_helper',`
+@@ -641,6 +638,27 @@ interface(`apache_run_helper',`
########################################
## <summary>
@@ -2759,7 +2785,7 @@ index 6480167..c0ece1b 100644
## Allow the specified domain to read
## apache log files.
## </summary>
-@@ -683,6 +682,25 @@ interface(`apache_append_log',`
+@@ -683,6 +701,25 @@ interface(`apache_append_log',`
append_files_pattern($1, httpd_log_t, httpd_log_t)
')
@@ -2785,7 +2811,7 @@ index 6480167..c0ece1b 100644
########################################
## <summary>
## Do not audit attempts to append to the
-@@ -699,7 +717,7 @@ interface(`apache_dontaudit_append_log',`
+@@ -699,7 +736,7 @@ interface(`apache_dontaudit_append_log',`
type httpd_log_t;
')
@@ -2794,7 +2820,7 @@ index 6480167..c0ece1b 100644
')
########################################
-@@ -745,6 +763,25 @@ interface(`apache_dontaudit_search_modules',`
+@@ -745,6 +782,25 @@ interface(`apache_dontaudit_search_modules',`
########################################
## <summary>
@@ -2820,7 +2846,7 @@ index 6480167..c0ece1b 100644
## Allow the specified domain to list
## the contents of the apache modules
## directory.
-@@ -761,6 +798,7 @@ interface(`apache_list_modules',`
+@@ -761,6 +817,7 @@ interface(`apache_list_modules',`
')
allow $1 httpd_modules_t:dir list_dir_perms;
@@ -2828,7 +2854,7 @@ index 6480167..c0ece1b 100644
')
########################################
-@@ -802,6 +840,43 @@ interface(`apache_domtrans_rotatelogs',`
+@@ -802,6 +859,43 @@ interface(`apache_domtrans_rotatelogs',`
domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
')
@@ -2872,7 +2898,7 @@ index 6480167..c0ece1b 100644
########################################
## <summary>
## Allow the specified domain to list
-@@ -819,6 +894,7 @@ interface(`apache_list_sys_content',`
+@@ -819,6 +913,7 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -2880,7 +2906,7 @@ index 6480167..c0ece1b 100644
files_search_var($1)
')
-@@ -846,6 +922,94 @@ interface(`apache_manage_sys_content',`
+@@ -846,6 +941,94 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
@@ -2975,7 +3001,7 @@ index 6480167..c0ece1b 100644
########################################
## <summary>
## Execute all web scripts in the system
-@@ -862,7 +1026,12 @@ interface(`apache_manage_sys_content',`
+@@ -862,7 +1045,12 @@ interface(`apache_manage_sys_content',`
interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
@@ -2989,7 +3015,7 @@ index 6480167..c0ece1b 100644
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -921,9 +1090,10 @@ interface(`apache_domtrans_all_scripts',`
+@@ -921,9 +1109,10 @@ interface(`apache_domtrans_all_scripts',`
## </param>
## <param name="role">
## <summary>
@@ -3001,7 +3027,7 @@ index 6480167..c0ece1b 100644
#
interface(`apache_run_all_scripts',`
gen_require(`
-@@ -950,7 +1120,7 @@ interface(`apache_read_squirrelmail_data',`
+@@ -950,7 +1139,7 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
@@ -3010,7 +3036,7 @@ index 6480167..c0ece1b 100644
')
########################################
-@@ -1091,6 +1261,25 @@ interface(`apache_read_tmp_files',`
+@@ -1091,6 +1280,25 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -3036,7 +3062,7 @@ index 6480167..c0ece1b 100644
########################################
## <summary>
## Dontaudit attempts to write
-@@ -1107,7 +1296,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1107,7 +1315,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
@@ -3045,7 +3071,7 @@ index 6480167..c0ece1b 100644
')
########################################
-@@ -1148,14 +1337,31 @@ interface(`apache_cgi_domain',`
+@@ -1148,14 +1356,31 @@ interface(`apache_cgi_domain',`
########################################
## <summary>
@@ -3081,7 +3107,7 @@ index 6480167..c0ece1b 100644
## <param name="domain">
## <summary>
## Domain allowed access.
-@@ -1170,19 +1376,21 @@ interface(`apache_cgi_domain',`
+@@ -1170,19 +1395,21 @@ interface(`apache_cgi_domain',`
#
interface(`apache_admin',`
gen_require(`
@@ -3110,7 +3136,7 @@ index 6480167..c0ece1b 100644
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 httpd_initrc_exec_t system_r;
-@@ -1191,10 +1399,10 @@ interface(`apache_admin',`
+@@ -1191,10 +1418,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@@ -3123,7 +3149,7 @@ index 6480167..c0ece1b 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1413,129 @@ interface(`apache_admin',`
+@@ -1205,14 +1432,129 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -8513,12 +8539,14 @@ index c3e3f79..54c74eb 100644
+ unconfined_domain(certmonger_unconfined_t)
+')
diff --git a/certwatch.te b/certwatch.te
-index e07cef5..ebadfa9 100644
+index e07cef5..9c0796c 100644
--- a/certwatch.te
+++ b/certwatch.te
-@@ -17,6 +17,11 @@ role system_r types certwatch_t;
+@@ -16,7 +16,13 @@ role system_r types certwatch_t;
+ #
allow certwatch_t self:capability sys_nice;
allow certwatch_t self:process { setsched getsched };
++allow certwatch_t self:tcp_socket create_stream_socket_perms;
+kernel_read_system_state(certwatch_t)
+
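Review bot: `allow certwatch_t self:tcp_socket create_stream_socket_perms;` is added without any accompanying `corenet_*` rule in this hunk, so certwatch can create a TCP socket but, as far as the visible policy goes, not bind or connect it anywhere; either a network rule is missing from the change or the socket is only created and never used, and a comment should say which. If it is the latter, `# tcp socket creation only; no network access is granted` above the rule would stop the next reviewer from widening it. The remaining certwatch_t rules continue outside the hunk, so a corenet rule may exist there.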
@@ -8528,7 +8556,7 @@ index e07cef5..ebadfa9 100644
dev_read_urand(certwatch_t)
files_read_etc_files(certwatch_t)
-@@ -27,22 +32,27 @@ files_list_tmp(certwatch_t)
+@@ -27,22 +33,27 @@ files_list_tmp(certwatch_t)
fs_list_inotifyfs(certwatch_t)
auth_manage_cache(certwatch_t)
@@ -19983,7 +20011,7 @@ index e1d7dc5..66d42bb 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/dovecot.te b/dovecot.te
-index 2df7766..56a1ca6 100644
+index 2df7766..8c2a834 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -4,12 +4,12 @@ policy_module(dovecot, 1.14.0)
@@ -20161,9 +20189,8 @@ index 2df7766..56a1ca6 100644
+ mta_manage_home_rw(dovecot_t)
+ mta_manage_spool(dovecot_t)
+')
-
- optional_policy(`
-- kerberos_keytab_template(dovecot, dovecot_t)
++
++optional_policy(`
+ kerberos_keytab_template(dovecot_t, dovecot_t)
+ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
+')
@@ -20171,8 +20198,9 @@ index 2df7766..56a1ca6 100644
+optional_policy(`
+ gnome_manage_data(dovecot_t)
+')
-+
-+optional_policy(`
+
+ optional_policy(`
+- kerberos_keytab_template(dovecot, dovecot_t)
+ postfix_manage_private_sockets(dovecot_t)
+ postfix_search_spool(dovecot_t)
')
@@ -20212,13 +20240,14 @@ index 2df7766..56a1ca6 100644
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -198,31 +234,24 @@ allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+@@ -198,31 +234,26 @@ allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
dovecot_stream_connect_auth(dovecot_auth_t)
-kernel_read_all_sysctls(dovecot_auth_t)
-kernel_read_system_state(dovecot_auth_t)
--
++corecmd_exec_bin(dovecot_auth_t)
+
logging_send_audit_msgs(dovecot_auth_t)
-logging_send_syslog_msg(dovecot_auth_t)
-
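Review bot: `corecmd_exec_bin(dovecot_auth_t)` lets the authentication helper execute any `bin_t` binary in its own domain, which is a broad grant for a process that handles credentials, and the hunk carries no comment naming the helper that needs it. A comment such as `# TODO: name the helper dovecot-auth executes` (or a narrower rule for just that executable, if a dedicated type exists) would keep the permission auditable. The rest of the dovecot_auth_t policy lies outside this hunk.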
@@ -20249,7 +20278,7 @@ index 2df7766..56a1ca6 100644
optional_policy(`
kerberos_use(dovecot_auth_t)
-@@ -236,6 +265,8 @@ optional_policy(`
+@@ -236,6 +267,8 @@ optional_policy(`
optional_policy(`
mysql_search_db(dovecot_auth_t)
mysql_stream_connect(dovecot_auth_t)
@@ -20258,7 +20287,7 @@ index 2df7766..56a1ca6 100644
')
optional_policy(`
-@@ -243,6 +274,8 @@ optional_policy(`
+@@ -243,6 +276,8 @@ optional_policy(`
')
optional_policy(`
@@ -20267,7 +20296,7 @@ index 2df7766..56a1ca6 100644
postfix_search_spool(dovecot_auth_t)
')
-@@ -250,25 +283,32 @@ optional_policy(`
+@@ -250,25 +285,32 @@ optional_policy(`
#
# dovecot deliver local policy
#
@@ -20310,7 +20339,7 @@ index 2df7766..56a1ca6 100644
dovecot_stream_connect_auth(dovecot_deliver_t)
-@@ -283,24 +323,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+@@ -283,24 +325,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
userdom_manage_user_home_content_sockets(dovecot_deliver_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
@@ -28499,7 +28528,7 @@ index 14d9670..e94b352 100644
+/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+/usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
diff --git a/iscsi.te b/iscsi.te
-index 8bcfa2f..82dfe5b 100644
+index 8bcfa2f..ed4f703 100644
--- a/iscsi.te
+++ b/iscsi.te
@@ -31,7 +31,6 @@ files_pid_file(iscsi_var_run_t)
@@ -28510,17 +28539,18 @@ index 8bcfa2f..82dfe5b 100644
allow iscsid_t self:process { setrlimit setsched signal };
allow iscsid_t self:fifo_file rw_fifo_file_perms;
allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -66,8 +65,8 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
+@@ -66,8 +65,9 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
kernel_read_network_state(iscsid_t)
kernel_read_system_state(iscsid_t)
+kernel_setsched(iscsid_t)
++kernel_request_load_module(iscsid_t)
-corenet_all_recvfrom_unlabeled(iscsid_t)
corenet_all_recvfrom_netlabel(iscsid_t)
corenet_tcp_sendrecv_generic_if(iscsid_t)
corenet_tcp_sendrecv_generic_node(iscsid_t)
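Review bot: `kernel_request_load_module(iscsid_t)` lets iscsid ask the kernel to autoload modules, and nothing in the hunk says which modules (presumably the iSCSI transport modules) that is for. A one-line comment above it, e.g. `# iscsid triggers autoload of the iscsi transport modules -- confirm`, is enough; module-request rights deserve an explicit note because they widen the kernel surface a confined daemon can pull in.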
-@@ -75,23 +74,23 @@ corenet_tcp_sendrecv_all_ports(iscsid_t)
+@@ -75,23 +75,23 @@ corenet_tcp_sendrecv_all_ports(iscsid_t)
corenet_tcp_connect_http_port(iscsid_t)
corenet_tcp_connect_iscsi_port(iscsid_t)
corenet_tcp_connect_isns_port(iscsid_t)
@@ -29010,10 +29040,10 @@ index 9878499..01673a4 100644
- admin_pattern($1, jabberd_var_run_t)
')
diff --git a/jabber.te b/jabber.te
-index 53e53ca..1f2daae 100644
+index 53e53ca..6ea3c1c 100644
--- a/jabber.te
+++ b/jabber.te
-@@ -1,94 +1,147 @@
+@@ -1,94 +1,148 @@
-policy_module(jabber, 1.9.0)
+policy_module(jabber, 1.8.0)
@@ -29137,6 +29167,7 @@ index 53e53ca..1f2daae 100644
-sysnet_read_config(jabberd_t)
+corenet_tcp_bind_jabber_interserver_port(jabberd_t)
++corenet_tcp_connect_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_router_port(jabberd_t)
+corenet_tcp_connect_jabber_interserver_port(jabberd_t)
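Review bot: The added `corenet_tcp_connect_jabber_interserver_port(jabberd_t)` duplicates the identical line already present two lines below it in the same patch block, so the new side of the policy now carries the rule twice. Duplicate allow rules are harmless at build time but make the diff and future audits noisier; drop one of the two lines.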
@@ -31601,10 +31632,10 @@ index 4f7bd3c..74cc11d 100644
diff --git a/l2tpd.fc b/l2tpd.fc
new file mode 100644
-index 0000000..6b27066
+index 0000000..6602bce
--- /dev/null
+++ b/l2tpd.fc
-@@ -0,0 +1,18 @@
+@@ -0,0 +1,19 @@
+/etc/prol2tp(/.*)? gen_context(system_u:object_r:l2tp_etc_t,s0)
+
+/etc/rc\.d/init\.d/openl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
@@ -31616,6 +31647,7 @@ index 0000000..6b27066
+/usr/sbin/openl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
+/usr/sbin/prol2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
+/usr/sbin/xl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
++/usr/libexec/nm-l2tp-service -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
+
+/var/run/openl2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
+/var/run/prol2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
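Review bot: `/usr/libexec/nm-l2tp-service` is labeled `l2tpd_exec_t` but appended after the `/usr/sbin/*` entries rather than grouped with a `/usr/libexec` entry, breaking the path ordering the rest of the new file follows. Labeling the NetworkManager plugin with the daemon's entrypoint type also only takes effect if the calling domain has a domain transition on `l2tpd_exec_t`; that rule is not part of this change, so confirm it exists in l2tpd.if/te before relying on this entry.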
@@ -48136,10 +48168,10 @@ index 0000000..0c167b7
+/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
diff --git a/pki.if b/pki.if
new file mode 100644
-index 0000000..8119448
+index 0000000..e1d3320
--- /dev/null
+++ b/pki.if
-@@ -0,0 +1,265 @@
+@@ -0,0 +1,272 @@
+
+## <summary>policy for pki</summary>
+########################################
@@ -48208,6 +48240,9 @@ index 0000000..8119448
+ type $1_lock_t;
+ files_lock_file($1_lock_t)
+
++ type $1_tmp_t;
++ files_tmpfs_file($1_tmp_t)
++
+ ########################################
+ #
+ # $1 local policy
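Review bot: `$1_tmp_t` is declared with `files_tmpfs_file($1_tmp_t)`, which marks it as a tmpfs type, yet the hunk that follows uses it with `files_tmp_filetrans($1_t, $1_tmp_t, { file dir })` and manage patterns as an ordinary `/tmp` type; the declaration should be `files_tmp_file($1_tmp_t)` so the type carries the tmpfile attribute that the `files_*_all_tmp` interfaces and tmp cleanup key on. With the current declaration the type transition still compiles, but the new files will not be treated as tmp content by the rest of the policy. Matching the existing `$1_lock_t`/`files_lock_file` pairing two lines above also keeps the template consistent.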
@@ -48238,6 +48273,10 @@ index 0000000..8119448
+ manage_lnk_files_pattern($1_t, $1_lock_t, $1_lock_t)
+ files_lock_filetrans($1_t, $1_lock_t, { dir file lnk_file })
+
++ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
++ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
++ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
++
+ #talk to lunasa hsm
+ logging_send_syslog_msg($1_t)
+
@@ -48407,10 +48446,10 @@ index 0000000..8119448
+')
diff --git a/pki.te b/pki.te
new file mode 100644
-index 0000000..8bad28e
+index 0000000..d808340
--- /dev/null
+++ b/pki.te
-@@ -0,0 +1,292 @@
+@@ -0,0 +1,293 @@
+policy_module(pki,10.0.11)
+
+########################################
@@ -48690,6 +48729,7 @@ index 0000000..8bad28e
+ apache_list_modules(pki_apache_domain)
+ apache_read_config(pki_apache_domain)
+ apache_exec(pki_apache_domain)
++ apache_exec_suexec(pki_apache_domain)
+ apache_entrypoint(pki_apache_domain)
+
+ # should be started using a script which will execute httpd
@@ -52434,7 +52474,7 @@ index b64b02f..166e9c3 100644
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
+')
diff --git a/procmail.te b/procmail.te
-index 29b9295..d75017c 100644
+index 29b9295..6aad841 100644
--- a/procmail.te
+++ b/procmail.te
@@ -10,6 +10,9 @@ type procmail_exec_t;
@@ -52495,18 +52535,22 @@ index 29b9295..d75017c 100644
# only works until we define a different type for maildir
userdom_manage_user_home_content_dirs(procmail_t)
-@@ -87,8 +96,8 @@ userdom_manage_user_home_content_pipes(procmail_t)
+@@ -87,8 +96,12 @@ userdom_manage_user_home_content_pipes(procmail_t)
userdom_manage_user_home_content_sockets(procmail_t)
userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
-# Do not audit attempts to access /root.
-userdom_dontaudit_search_user_home_dirs(procmail_t)
++userdom_manage_user_tmp_dirs(procmail_t)
++userdom_manage_user_tmp_files(procmail_t)
++userdom_manage_user_tmp_symlinks(procmail_t)
++
+# Execute user executables
+userdom_exec_user_bin_files(procmail_t)
mta_manage_spool(procmail_t)
mta_read_queue(procmail_t)
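Review bot: `userdom_manage_user_tmp_dirs/files/symlinks(procmail_t)` give the delivery agent full create/delete rights over every user's `user_tmp_t` content, including symlinks, without a comment saying which recipe or helper writes there. Because procmail runs on behalf of whichever user is receiving mail, a comment such as `# recipes write scratch files to the user's tmp dir -- TODO confirm` (or a narrower interface if only files are needed) keeps the grant reviewable. The rest of procmail_t's rules continue outside the hunk.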
-@@ -97,21 +106,19 @@ ifdef(`hide_broken_symptoms',`
+@@ -97,21 +110,19 @@ ifdef(`hide_broken_symptoms',`
mta_dontaudit_rw_queue(procmail_t)
')
@@ -52536,7 +52580,7 @@ index 29b9295..d75017c 100644
')
optional_policy(`
-@@ -125,6 +132,11 @@ optional_policy(`
+@@ -125,6 +136,11 @@ optional_policy(`
postfix_read_spool_files(procmail_t)
postfix_read_local_state(procmail_t)
postfix_read_master_state(procmail_t)
@@ -52548,7 +52592,7 @@ index 29b9295..d75017c 100644
')
optional_policy(`
-@@ -134,6 +146,7 @@ optional_policy(`
+@@ -134,6 +150,7 @@ optional_policy(`
optional_policy(`
mta_read_config(procmail_t)
@@ -70321,10 +70365,10 @@ index 0000000..c5e890b
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..9a09574
+index 0000000..7a35df3
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,142 @@
+@@ -0,0 +1,143 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -70354,6 +70398,7 @@ index 0000000..9a09574
+#
+
+allow thumb_t self:process { setsched signal signull setrlimit };
++dontaudit thumb_t self:capability sys_tty_config;
+
+tunable_policy(`deny_execmem',`',`
+ allow thumb_t self:process execmem;
@@ -71352,28 +71397,36 @@ index 2ae8b62..bfe64af 100644
-userdom_use_user_terminals(siggen_t)
+userdom_use_inherited_user_terminals(siggen_t)
diff --git a/tuned.fc b/tuned.fc
-index 639c962..e789b2e 100644
+index 639c962..23ba272 100644
--- a/tuned.fc
+++ b/tuned.fc
@@ -1,8 +1,12 @@
/etc/rc\.d/init\.d/tuned -- gen_context(system_u:object_r:tuned_initrc_exec_t,s0)
-+/etc/tuned(/.)? gen_context(system_u:object_r:tuned_etc_t,s0)
-+/etc/tuned/active_profile -- gen_context(system_u:object_r:tuned_rw_etc_t,s0)
-+
- /usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
+-/usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
++/etc/tuned(/.)? gen_context(system_u:object_r:tuned_etc_t,s0)
++/etc/tuned/active_profile -- gen_context(system_u:object_r:tuned_rw_etc_t,s0)
- /var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0)
+-/var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0)
-/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0)
-+/var/log/tuned\.log.* -- gen_context(system_u:object_r:tuned_log_t,s0)
++/usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
-+/var/run/tuned(/.*)? gen_context(system_u:object_r:tuned_var_run_t,s0)
- /var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
+-/var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
++/var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0)
++/var/log/tuned\.log.* -- gen_context(system_u:object_r:tuned_log_t,s0)
++
++/var/run/tuned(/.*)? gen_context(system_u:object_r:tuned_var_run_t,s0)
++/var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
diff --git a/tuned.if b/tuned.if
-index 54b8605..a04f013 100644
+index 54b8605..061fb98 100644
--- a/tuned.if
+++ b/tuned.if
-@@ -5,9 +5,9 @@
+@@ -1,13 +1,13 @@
+-## <summary>Dynamic adaptive system tuning daemon</summary>
++## <summary>Dynamic adaptive system tuning daemon.</summary>
+
+ ########################################
+ ## <summary>
## Execute a domain transition to run tuned.
## </summary>
## <param name="domain">
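Review bot: The re-added `/etc/tuned(/.)?` entry in tuned.fc uses `(/.)?`, which matches `/etc/tuned` and at most one character after the slash, so anything deeper such as `/etc/tuned/profiles/...` does not receive `tuned_etc_t` and falls back to whatever the generic `/etc` entry assigns; the pattern should be `/etc/tuned(/.*)? gen_context(system_u:object_r:tuned_etc_t,s0)`, the `(/.*)?` form every other directory entry in the file uses. The `active_profile` line below it is unaffected because it is an exact-path match. The tuned.if summary edits in the same hunk are documentation only.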
@@ -71385,36 +71438,102 @@ index 54b8605..a04f013 100644
## </param>
#
interface(`tuned_domtrans',`
-@@ -112,18 +112,20 @@ interface(`tuned_initrc_domtrans',`
+@@ -15,6 +15,7 @@ interface(`tuned_domtrans',`
+ type tuned_t, tuned_exec_t;
+ ')
+
++ corecmd_search_bin($1)
+ domtrans_pattern($1, tuned_exec_t, tuned_t)
+ ')
+
+@@ -39,7 +40,7 @@ interface(`tuned_exec',`
+
+ ######################################
+ ## <summary>
+-## Read tuned PID files.
++## Read tuned pid files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -58,7 +59,8 @@ interface(`tuned_read_pid_files',`
+
+ #######################################
+ ## <summary>
+-## Manage tuned PID files.
++## Create, read, write, and delete
++## tuned pid files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -77,11 +79,12 @@ interface(`tuned_manage_pid_files',`
+
+ ########################################
+ ## <summary>
+-## Execute tuned server in the tuned domain.
++## Execute tuned init scripts in
++## the initrc domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain allowed to transition.
+ ## </summary>
+ ## </param>
+ #
+@@ -95,8 +98,8 @@ interface(`tuned_initrc_domtrans',`
+
+ ########################################
+ ## <summary>
+-## All of the rules required to administrate
+-## an tuned environment
++## All of the rules required to
++## administrate an tuned environment.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -112,18 +115,28 @@ interface(`tuned_initrc_domtrans',`
#
interface(`tuned_admin',`
gen_require(`
- type tuned_t, tuned_var_run_t;
- type tuned_initrc_exec_t;
+ type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
++ type tuned_etc_t, tuned_rw_etc_t, tuned_log_t;
')
- allow $1 tuned_t:process { ptrace signal_perms };
+ allow $1 tuned_t:process signal_perms;
ps_process_pattern($1, tuned_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 tuned_t:process ptrace;
+ ')
-
++
tuned_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r;
allow $2 system_r;
-- files_search_pids($1)
-+ files_list_pids($1)
++ files_search_etc($1)
++ admin_pattern($1, { tuned_etc_t tuned_rw_etc_t })
++
++ logging_search_logs($1)
++ admin_pattern($1, tuned_log_t)
++
+ files_search_pids($1)
admin_pattern($1, tuned_var_run_t)
')
diff --git a/tuned.te b/tuned.te
-index db9d2a5..0e28206 100644
+index db9d2a5..8beef17 100644
--- a/tuned.te
+++ b/tuned.te
-@@ -12,53 +12,119 @@ init_daemon_domain(tuned_t, tuned_exec_t)
+@@ -1,4 +1,4 @@
+-policy_module(tuned, 1.1.0)
++policy_module(tuned, 1.1.4)
+
+ ########################################
+ #
+@@ -12,53 +12,117 @@ init_daemon_domain(tuned_t, tuned_exec_t)
type tuned_initrc_exec_t;
init_script_file(tuned_initrc_exec_t)
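Review bot: The new summary text for tuned_admin (the two `++## All of the rules required to` / `++## administrate an tuned environment.` lines) keeps the grammatical slip of the line it replaces; since the comment is being rewritten anyway, `## administrate a tuned environment.` would be the better new-side wording. The rest of the doc rewrites in this hunk (pid-file wording, "Domain allowed to transition." for the initrc interface) read fine. The tuned_admin body that follows is complete within the hunk; the tuned.te header changes at the end of the hunk continue into the next one.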
@@ -71427,15 +71546,16 @@ index db9d2a5..0e28206 100644
type tuned_log_t;
logging_log_file(tuned_log_t)
- type tuned_var_run_t;
- files_pid_file(tuned_var_run_t)
-
+type tuned_tmp_t;
+files_tmp_file(tuned_tmp_t)
+
+ type tuned_var_run_t;
+ files_pid_file(tuned_var_run_t)
+
########################################
#
- # tuned local policy
+-# tuned local policy
++# Local policy
#
+allow tuned_t self:capability { sys_admin sys_nice sys_rawio };
@@ -71443,6 +71563,7 @@ index db9d2a5..0e28206 100644
+allow tuned_t self:process { setsched signal };
+allow tuned_t self:fifo_file rw_fifo_file_perms;
+allow tuned_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow tuned_t self:netlink_socket create_socket_perms;
+allow tuned_t self:udp_socket create_socket_perms;
+
+read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
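Review bot: The added `allow tuned_t self:netlink_socket create_socket_perms;` uses the generic netlink class, which covers every netlink family that lacks a dedicated object class, whereas the line above it already grants the family-specific netlink_kobject_uevent_socket. If the denial being fixed came from a family that has its own class (for example the route family, netlink_route_socket), the dedicated class would be the narrower grant; I can't tell from the hunk which family tuned opens. A short comment naming the family the rule was added for, e.g. `# generic netlink family without a dedicated class — TODO confirm which`, would let the next maintainer re-check it.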
@@ -71456,40 +71577,41 @@ index db9d2a5..0e28206 100644
-logging_log_filetrans(tuned_t, tuned_log_t, file)
+logging_log_filetrans(tuned_t, tuned_log_t, file, "tuned.log")
- manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
+-manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
-files_pid_filetrans(tuned_t, tuned_var_run_t, file)
-+manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
-+files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file })
-+
+manage_dirs_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t)
+manage_files_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t)
-+files_tmp_filetrans(tuned_t, tuned_tmp_t, { dir file })
++files_tmp_filetrans(tuned_t, tuned_tmp_t, { file dir })
- corecmd_exec_shell(tuned_t)
- corecmd_exec_bin(tuned_t)
+-corecmd_exec_shell(tuned_t)
+-corecmd_exec_bin(tuned_t)
++manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
++manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
++files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file })
kernel_read_system_state(tuned_t)
kernel_read_network_state(tuned_t)
--
+kernel_read_kernel_sysctls(tuned_t)
+kernel_request_load_module(tuned_t)
+kernel_rw_kernel_sysctl(tuned_t)
+kernel_rw_hotplug_sysctls(tuned_t)
+kernel_rw_vm_sysctls(tuned_t)
+kernel_setsched(tuned_t)
+
++corecmd_exec_bin(tuned_t)
++corecmd_exec_shell(tuned_t)
+
+dev_getattr_all_blk_files(tuned_t)
+dev_getattr_all_chr_files(tuned_t)
-+dev_dontaudit_getattr_all(tuned_t)
dev_read_urand(tuned_t)
-dev_read_sysfs(tuned_t)
+-# to allow cpu tuning
+dev_read_cpuid(tuned_t)
+dev_rw_sysfs(tuned_t)
- # to allow cpu tuning
dev_rw_netcontrol(tuned_t)
-files_read_etc_files(tuned_t)
- files_read_usr_files(tuned_t)
+-files_read_usr_files(tuned_t)
files_dontaudit_search_home(tuned_t)
+files_list_tmp(tuned_t)
+
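Review bot: The new side drops the upstream `# to allow cpu tuning` comment (the `+-# to allow cpu tuning` line) while keeping the rules it explained, so `dev_read_cpuid(tuned_t)` and `dev_rw_sysfs(tuned_t)` now stand without their why-comment; keeping `# to allow cpu tuning` above `dev_read_cpuid(tuned_t)` on the new side costs nothing. Removing `dev_dontaudit_getattr_all(tuned_t)` in favour of the explicit getattr grants is consistent with the audit-visibility direction stated in the previous changelog entry. The reorder of `{ dir file }` to `{ file dir }` in files_tmp_filetrans is cosmetic. The tuned.te local-policy block continues past the end of the hunk.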
@@ -72939,7 +73061,7 @@ index 2124b6a..014e40c 100644
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 6f0736b..820fbb7 100644
+index 6f0736b..bb1421c 100644
--- a/virt.if
+++ b/virt.if
@@ -13,67 +13,30 @@
@@ -73104,7 +73226,32 @@ index 6f0736b..820fbb7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -166,13 +183,13 @@ interface(`virt_attach_tun_iface',`
+@@ -135,6 +152,24 @@ interface(`virt_stream_connect',`
+ stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
+ ')
+
++#######################################
++## <summary>
++## Connect to svirt process over a unix domain stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`virt_stream_connect_svirt',`
++ gen_require(`
++ type svirt_t;
++ ')
++
++ allow $1 svirt_t:unix_stream_socket connectto;
++')
++
+ ########################################
+ ## <summary>
+ ## Allow domain to attach to virt TUN devices
+@@ -166,13 +201,13 @@ interface(`virt_attach_tun_iface',`
#
interface(`virt_read_config',`
gen_require(`
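Review bot: The new `virt_stream_connect_svirt` interface grants only `allow $1 svirt_t:unix_stream_socket connectto;`, so if the socket the caller connects to is bound to a filesystem path rather than an abstract name, the caller will still be denied write on the sock_file type; the hunk does not show which, so this should be confirmed against the staff_t use added in the base patch. The interface also hard-codes `svirt_t`, while the later virt_ptrace interface in this file requires `attribute virt_domain`; if other svirt-derived domains need the same access, requiring the attribute (or documenting that only svirt_t is intended) would keep the two consistent. Its `#######################################` header rule also appears one character shorter than the surrounding `########################################` rules, which is a style nit only.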
@@ -73120,7 +73267,7 @@ index 6f0736b..820fbb7 100644
')
########################################
-@@ -187,13 +204,13 @@ interface(`virt_read_config',`
+@@ -187,13 +222,13 @@ interface(`virt_read_config',`
#
interface(`virt_manage_config',`
gen_require(`
@@ -73136,7 +73283,7 @@ index 6f0736b..820fbb7 100644
')
########################################
-@@ -233,6 +250,24 @@ interface(`virt_read_content',`
+@@ -233,6 +268,24 @@ interface(`virt_read_content',`
########################################
## <summary>
@@ -73161,7 +73308,7 @@ index 6f0736b..820fbb7 100644
## Read virt PID files.
## </summary>
## <param name="domain">
-@@ -252,6 +287,28 @@ interface(`virt_read_pid_files',`
+@@ -252,6 +305,28 @@ interface(`virt_read_pid_files',`
########################################
## <summary>
@@ -73190,7 +73337,7 @@ index 6f0736b..820fbb7 100644
## Manage virt pid files.
## </summary>
## <param name="domain">
-@@ -263,10 +320,47 @@ interface(`virt_read_pid_files',`
+@@ -263,10 +338,47 @@ interface(`virt_read_pid_files',`
interface(`virt_manage_pid_files',`
gen_require(`
type virt_var_run_t;
@@ -73238,7 +73385,7 @@ index 6f0736b..820fbb7 100644
')
########################################
-@@ -310,6 +404,24 @@ interface(`virt_read_lib_files',`
+@@ -310,6 +422,24 @@ interface(`virt_read_lib_files',`
########################################
## <summary>
@@ -73263,7 +73410,7 @@ index 6f0736b..820fbb7 100644
## Create, read, write, and delete
## virt lib files.
## </summary>
-@@ -354,9 +466,9 @@ interface(`virt_read_log',`
+@@ -354,9 +484,9 @@ interface(`virt_read_log',`
## virt log files.
## </summary>
## <param name="domain">
@@ -73275,7 +73422,7 @@ index 6f0736b..820fbb7 100644
## </param>
#
interface(`virt_append_log',`
-@@ -390,6 +502,25 @@ interface(`virt_manage_log',`
+@@ -390,6 +520,25 @@ interface(`virt_manage_log',`
########################################
## <summary>
@@ -73301,7 +73448,7 @@ index 6f0736b..820fbb7 100644
## Allow domain to read virt image files
## </summary>
## <param name="domain">
-@@ -410,6 +541,7 @@ interface(`virt_read_images',`
+@@ -410,6 +559,7 @@ interface(`virt_read_images',`
read_files_pattern($1, virt_image_type, virt_image_type)
read_lnk_files_pattern($1, virt_image_type, virt_image_type)
read_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -73309,7 +73456,7 @@ index 6f0736b..820fbb7 100644
tunable_policy(`virt_use_nfs',`
fs_list_nfs($1)
-@@ -426,6 +558,42 @@ interface(`virt_read_images',`
+@@ -426,6 +576,42 @@ interface(`virt_read_images',`
########################################
## <summary>
@@ -73352,7 +73499,7 @@ index 6f0736b..820fbb7 100644
## Create, read, write, and delete
## svirt cache files.
## </summary>
-@@ -435,15 +603,15 @@ interface(`virt_read_images',`
+@@ -435,15 +621,15 @@ interface(`virt_read_images',`
## </summary>
## </param>
#
@@ -73373,7 +73520,7 @@ index 6f0736b..820fbb7 100644
')
########################################
-@@ -468,20 +636,94 @@ interface(`virt_manage_images',`
+@@ -468,20 +654,94 @@ interface(`virt_manage_images',`
manage_files_pattern($1, virt_image_type, virt_image_type)
read_lnk_files_pattern($1, virt_image_type, virt_image_type)
rw_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -73446,11 +73593,11 @@ index 6f0736b..820fbb7 100644
+interface(`virt_ptrace',`
+ gen_require(`
+ attribute virt_domain;
- ')
++ ')
+
+ allow $1 virt_domain:process ptrace;
- ')
-
++')
++
+#######################################
+## <summary>
+## Connect to virt over a unix domain stream socket.
@@ -73465,18 +73612,18 @@ index 6f0736b..820fbb7 100644
+ gen_require(`
+ attribute svirt_lxc_domain;
+ type svirt_lxc_file_t;
-+ ')
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, svirt_lxc_file_t, svirt_lxc_file_t, svirt_lxc_domain)
+ ps_process_pattern(svirt_lxc_domain, $1)
-+')
-+
+ ')
+
+
########################################
## <summary>
## All of the rules required to administrate
-@@ -502,10 +744,20 @@ interface(`virt_manage_images',`
+@@ -502,10 +762,20 @@ interface(`virt_manage_images',`
interface(`virt_admin',`
gen_require(`
type virtd_t, virtd_initrc_exec_t;
@@ -73498,7 +73645,7 @@ index 6f0736b..820fbb7 100644
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -517,4 +769,342 @@ interface(`virt_admin',`
+@@ -517,4 +787,342 @@ interface(`virt_admin',`
virt_manage_lib_files($1)
virt_manage_log($1)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 97cdf36..79dfd2e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 92%{?dist}
+Release: 93%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,9 @@ SELinux Reference policy mls base module.
%endif
%Changelog
+* Thu May 1 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-93
+- Allow pki apache domain to create own tmp files and execute httpd_suexec
+
* Fri Apr 26 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-92
- Eliminate dontaudit rules so setroubleshoot and audit2allow can tell user what to do if apache attempts to use the terminal
- Add transition from cupsd_config_t to cupsd_t