[selinux-policy: 2114/3172] trunk: 4 patches from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:07:35 UTC 2010


commit 80348b73a0d67ccbcb57022aaa0a9cc65b1b8473
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu May 14 14:41:50 2009 +0000

    trunk: 4 patches from dan.

 policy/modules/kernel/corenetwork.te.in |    3 +-
 policy/modules/services/consolekit.fc   |    2 +
 policy/modules/services/consolekit.if   |   19 ++++++
 policy/modules/services/consolekit.te   |   49 +++++++++++++++-
 policy/modules/services/dcc.te          |    3 +-
 policy/modules/services/exim.if         |   40 +++++++++++++
 policy/modules/services/exim.te         |   92 +++++++++++++++++++++++++++++--
 policy/modules/services/snmp.fc         |    2 +-
 policy/modules/services/snmp.te         |    3 +-
 9 files changed, 199 insertions(+), 14 deletions(-)
---
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index aa2e9dd..5b0672a 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
 
-policy_module(corenetwork, 1.11.6)
+policy_module(corenetwork, 1.11.7)
 
 ########################################
 #
@@ -69,6 +69,7 @@ network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
 network_port(afs_ka, udp,7004,s0)
 network_port(afs_pt, udp,7002,s0)
 network_port(afs_vl, udp,7003,s0)
+network_port(agentx, udp,705,s0, tcp,705,s0)
 network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
 network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
diff --git a/policy/modules/services/consolekit.fc b/policy/modules/services/consolekit.fc
index 6722878..589f671 100644
--- a/policy/modules/services/consolekit.fc
+++ b/policy/modules/services/consolekit.fc
@@ -1,3 +1,5 @@
 /usr/sbin/console-kit-daemon	--	gen_context(system_u:object_r:consolekit_exec_t,s0)
 
+/var/log/ConsoleKit(/.*)?		gen_context(system_u:object_r:consolekit_log_t,s0)
 /var/run/consolekit\.pid	--	gen_context(system_u:object_r:consolekit_var_run_t,s0)
+/var/run/ConsoleKit(/.*)?	--	gen_context(system_u:object_r:consolekit_var_run_t,s0)
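Review bot: The `--` file-type specifier on the new `/var/run/ConsoleKit(/.*)?` entry limits the match to regular files, so the `/var/run/ConsoleKit` directory itself (and any subdirectory) keeps the generic `var_run_t` label on a relabel, even though consolekit.te in this same commit adds `manage_dirs_pattern` on `consolekit_var_run_t` and a `dir` filetrans for it. The log entry two lines above correctly omits the specifier; drop it here too: `/var/run/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_var_run_t,s0)`.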
diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
index bb4ae1c..f625dcf 100644
--- a/policy/modules/services/consolekit.if
+++ b/policy/modules/services/consolekit.if
@@ -38,3 +38,22 @@ interface(`consolekit_dbus_chat',`
 	allow $1 consolekit_t:dbus send_msg;
 	allow consolekit_t $1:dbus send_msg;
 ')
+
+########################################
+## <summary>
+##	Read consolekit log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`consolekit_read_log',`
+	gen_require(`
+		type consolekit_log_t;
+	')
+
+	read_files_pattern($1, consolekit_log_t, consolekit_log_t)
+	files_search_pids($1)
+')
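Review bot: `consolekit_read_log` grants `files_search_pids($1)`, but the type it reads, `consolekit_log_t`, is placed under `/var/log/ConsoleKit` by consolekit.fc, so a caller still lacks search on the log directory and is denied before it reaches the file. Replace that line with `logging_search_logs($1)`, as `exim_manage_log` in this same commit does.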
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
index 7d2281a..abb4b9d 100644
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
@@ -1,5 +1,5 @@
 
-policy_module(consolekit, 1.4.0)
+policy_module(consolekit, 1.4.1)
 
 ########################################
 #
@@ -10,6 +10,9 @@ type consolekit_t;
 type consolekit_exec_t;
 init_daemon_domain(consolekit_t, consolekit_exec_t)
 
+type consolekit_log_t;
+files_pid_file(consolekit_log_t)
+
 type consolekit_var_run_t;
 files_pid_file(consolekit_var_run_t)
 
@@ -24,36 +27,69 @@ allow consolekit_t self:fifo_file rw_fifo_file_perms;
 allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
 allow consolekit_t self:unix_dgram_socket create_socket_perms;
 
+manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+logging_log_filetrans(consolekit_t, consolekit_log_t, file)
+
+manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
 manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
-files_pid_filetrans(consolekit_t, consolekit_var_run_t, file)
+files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir })
 
 kernel_read_system_state(consolekit_t)
 
 corecmd_exec_bin(consolekit_t)
+corecmd_exec_shell(consolekit_t)
 
 dev_read_urand(consolekit_t)
 dev_read_sysfs(consolekit_t)
 
 domain_read_all_domains_state(consolekit_t)
 domain_use_interactive_fds(consolekit_t)
+domain_dontaudit_ptrace_all_domains(consolekit_t)
 
 files_read_etc_files(consolekit_t)
+files_read_usr_files(consolekit_t)
 # needs to read /var/lib/dbus/machine-id
 files_read_var_lib_files(consolekit_t)
 
 fs_list_inotifyfs(consolekit_t)
 
+mcs_ptrace_all(consolekit_t)
+
 term_use_all_terms(consolekit_t)
 
 auth_use_nsswitch(consolekit_t)
 
+init_telinit(consolekit_t)
+init_rw_utmp(consolekit_t)
+
+logging_send_syslog_msg(consolekit_t)
+
 miscfiles_read_localization(consolekit_t)
 
+userdom_dontaudit_read_user_home_content_files(consolekit_t)
+
+hal_ptrace(consolekit_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_dontaudit_list_nfs(consolekit_t)
+	fs_dontaudit_rw_nfs_files(consolekit_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_dontaudit_list_cifs(consolekit_t)
+	fs_dontaudit_rw_cifs_files(consolekit_t)
+')
+
 optional_policy(`
 	dbus_system_bus_client(consolekit_t)
-	dbus_connect_system_bus(consolekit_t)
 
-	hal_dbus_chat(consolekit_t)
+	optional_policy(`
+		hal_dbus_chat(consolekit_t)
+	')
+
+	optional_policy(`
+		rpm_dbus_chat(consolekit_t)
+	')
 
 	optional_policy(`
 		unconfined_dbus_chat(consolekit_t)
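Review bot: `hal_ptrace(consolekit_t)` is called unconditionally at top level, whereas the other hal interface in this file, `hal_dbus_chat`, is wrapped in `optional_policy`; if the hal module is absent the build fails on the unresolved interface. Wrap it as `optional_policy(` / `	hal_ptrace(consolekit_t)` / `')`. Separately, `mcs_ptrace_all`, `hal_ptrace` and `init_telinit` give consolekit considerable reach and arrive with no comment saying which consolekit operation needs them; a one-line why-comment on each (e.g. `# needed for session tracking of hald -- TODO confirm`) would let a later reviewer judge whether they can be narrowed.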
@@ -64,3 +100,8 @@ optional_policy(`
 	xserver_read_user_xauth(consolekit_t)
 	xserver_stream_connect(consolekit_t)
 ')
+
+optional_policy(`
+	#reading .Xauthity
+	unconfined_stream_connect(consolekit_t)
+')
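Review bot: The comment `#reading .Xauthity` misspells `.Xauthority` and describes reading a file, while the rule beneath it grants a stream connect to unconfined-domain sockets, which is a different operation; reading the xauth file is already covered by `xserver_read_user_xauth` in the preceding block. If the intent is connecting to an X server that happens to run unconfined, say so: `# connect to an X server socket when the server runs in an unconfined domain`.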
diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
index 73cbeb8..03c3dda 100644
--- a/policy/modules/services/dcc.te
+++ b/policy/modules/services/dcc.te
@@ -1,5 +1,5 @@
 
-policy_module(dcc, 1.7.1)
+policy_module(dcc, 1.7.2)
 
 ########################################
 #
@@ -140,6 +140,7 @@ corenet_all_recvfrom_netlabel(dcc_client_t)
 corenet_udp_sendrecv_generic_if(dcc_client_t)
 corenet_udp_sendrecv_generic_node(dcc_client_t)
 corenet_udp_sendrecv_all_ports(dcc_client_t)
+corenet_udp_bind_generic_node(dcc_client_t)
 
 files_read_etc_files(dcc_client_t)
 files_read_etc_runtime_files(dcc_client_t)
diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if
index dcec818..88c5ede 100644
--- a/policy/modules/services/exim.if
+++ b/policy/modules/services/exim.if
@@ -117,6 +117,46 @@ interface(`exim_append_log',`
 
 ########################################
 ## <summary>
+##	Allow the specified domain to manage exim's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`exim_manage_log',`
+	gen_require(`
+		type exim_log_t;
+	')
+
+	manage_files_pattern($1, exim_log_t, exim_log_t)
+	logging_search_logs($1)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	exim spool dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`exim_manage_spool_dirs',`
+	gen_require(`
+		type exim_spool_t;
+	')
+
+	manage_dirs_pattern($1, exim_spool_t, exim_spool_t)
+	files_search_spool($1)
+')
+
+########################################
+## <summary>
 ##	Read exim spool files.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index 0c03c52..d757887 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -1,5 +1,5 @@
 
-policy_module(exim, 1.3.2)
+policy_module(exim, 1.3.3)
 
 ########################################
 #
@@ -8,6 +8,13 @@ policy_module(exim, 1.3.2)
 
 ## <desc>
 ## <p>
+## Allow exim to connect to databases (postgres, mysql)
+## </p>
+## </desc>
+gen_tunable(exim_can_connect_db, false)
+
+## <desc>
+## <p>
 ## Allow exim to read unprivileged user files.
 ## </p>
 ## </desc>
@@ -24,6 +31,10 @@ gen_tunable(exim_manage_user_files, false)
 type exim_t;
 type exim_exec_t;
 init_daemon_domain(exim_t, exim_exec_t)
+mta_mailserver(exim_t, exim_exec_t)
+mta_mailserver_user_agent(exim_t)
+application_executable_file(exim_exec_t)
+mta_agent_executable(exim_exec_t)
 
 type exim_log_t;
 logging_log_file(exim_log_t)
@@ -42,10 +53,12 @@ files_pid_file(exim_var_run_t)
 # exim local policy
 #
 
-allow exim_t self:capability { dac_override dac_read_search setuid setgid fowner chown };
+allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource  };
+allow exim_t self:process { setrlimit setpgid };
 allow exim_t self:fifo_file rw_fifo_file_perms;
 allow exim_t self:unix_stream_socket create_stream_socket_perms;
 allow exim_t self:tcp_socket create_stream_socket_perms;
+allow exim_t self:udp_socket create_socket_perms;
 
 can_exec(exim_t,exim_exec_t)
 
@@ -66,14 +79,17 @@ manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
 files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
 
 kernel_read_kernel_sysctls(exim_t)
-
+kernel_read_network_state(exim_t)
 kernel_dontaudit_read_system_state(exim_t)
 
 corecmd_search_bin(exim_t)
 
 corenet_all_recvfrom_unlabeled(exim_t)
+corenet_all_recvfrom_netlabel(exim_t)
 corenet_tcp_sendrecv_generic_if(exim_t)
+corenet_udp_sendrecv_generic_if(exim_t)
 corenet_tcp_sendrecv_generic_node(exim_t)
+corenet_udp_sendrecv_generic_node(exim_t)
 corenet_tcp_sendrecv_all_ports(exim_t)
 corenet_tcp_bind_generic_node(exim_t)
 corenet_tcp_bind_smtp_port(exim_t)
@@ -82,6 +98,8 @@ corenet_tcp_connect_auth_port(exim_t)
 corenet_tcp_connect_smtp_port(exim_t)
 corenet_tcp_connect_ldap_port(exim_t)
 corenet_tcp_connect_inetd_child_port(exim_t)
+# connect to spamassassin
+corenet_tcp_connect_spamd_port(exim_t)
 
 dev_read_rand(exim_t)
 dev_read_urand(exim_t)
@@ -89,20 +107,34 @@ dev_read_urand(exim_t)
 # Init script handling
 domain_use_interactive_fds(exim_t)
 
+files_search_usr(exim_t)
+files_search_var(exim_t)
 files_read_etc_files(exim_t)
+files_read_etc_runtime_files(exim_t)
+
+fs_getattr_xattr_fs(exim_t)
+fs_list_inotifyfs(exim_t)
 
 auth_use_nsswitch(exim_t)
 
 logging_send_syslog_msg(exim_t)
 
 miscfiles_read_localization(exim_t)
-
-sysnet_dns_name_resolve(exim_t)
+miscfiles_read_certs(exim_t)
 
 userdom_dontaudit_search_user_home_dirs(exim_t)
 
 mta_read_aliases(exim_t)
-mta_rw_spool(exim_t)
+mta_read_config(exim_t)
+mta_manage_spool(exim_t)
+mta_mailserver_delivery(exim_t)
+
+tunable_policy(`exim_can_connect_db',`
+	corenet_tcp_connect_mysqld_port(exim_t)
+	corenet_sendrecv_mysqld_client_packets(exim_t)
+        corenet_tcp_connect_postgresql_port(exim_t)
+        corenet_sendrecv_postgresql_client_packets(exim_t)
+')
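Review bot: The two postgresql lines inside the `exim_can_connect_db` tunable block are indented with spaces while the rest of the file and the two mysql lines above them use a tab; re-indent `corenet_tcp_connect_postgresql_port(exim_t)` and `corenet_sendrecv_postgresql_client_packets(exim_t)` with a single tab so the block is consistent.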
 
 tunable_policy(`exim_read_user_files',`
 	userdom_read_user_home_content_files(exim_t)
@@ -114,3 +146,51 @@ tunable_policy(`exim_manage_user_files',`
 	userdom_read_user_tmp_files(exim_t)
 	userdom_write_user_tmp_files(exim_t)
 ')
+
+optional_policy(`
+	clamav_domtrans_clamscan(exim_t)
+	clamav_stream_connect(exim_t)
+')
+
+optional_policy(`
+	cron_read_pipes(exim_t)
+	cron_rw_system_job_pipes(exim_t)
+')
+
+optional_policy(`
+	cyrus_stream_connect(exim_t)
+')
+
+optional_policy(`
+	kerberos_keytab_template(exim, exim_t)
+')
+
+optional_policy(`
+	mailman_read_data_files(exim_t)
+	mailman_domtrans(exim_t)
+')
+
+optional_policy(`
+	tunable_policy(`exim_can_connect_db',`
+		mysql_stream_connect(exim_t)
+	')
+')
+
+optional_policy(`
+	tunable_policy(`exim_can_connect_db',`
+		postgresql_stream_connect(exim_t)
+	')
+')
+
+optional_policy(`
+	procmail_domtrans(exim_t)
+')
+
+optional_policy(`
+	sasl_connect(exim_t)
+')
+
+optional_policy(`
+	spamassassin_exec(exim_t)
+	spamassassin_exec_client(exim_t)
+')
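Review bot: `spamassassin_exec(exim_t)` and `spamassassin_exec_client(exim_t)` run the spam scanner inside `exim_t`, so a Perl process parsing untrusted message bodies inherits exim's `dac_override`, `chown`, `setuid` and `setgid` capabilities and its spool and log access. The other helpers in this block (clamscan, mailman, procmail) are invoked with a domain transition; if the spamassassin module offers a transition interface for the client (`spamassassin_domtrans_client`, if present in this tree), prefer it here, and otherwise add a comment explaining why in-domain execution is required.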
diff --git a/policy/modules/services/snmp.fc b/policy/modules/services/snmp.fc
index 2bc5cb9..623c8fa 100644
--- a/policy/modules/services/snmp.fc
+++ b/policy/modules/services/snmp.fc
@@ -20,5 +20,5 @@
 
 /var/net-snmp(/.*)		gen_context(system_u:object_r:snmpd_var_lib_t,s0)
 
-/var/run/snmpd		-d	gen_context(system_u:object_r:snmpd_var_run_t,s0)
+/var/run/snmpd(/.*)?		gen_context(system_u:object_r:snmpd_var_run_t,s0)
 /var/run/snmpd\.pid	--	gen_context(system_u:object_r:snmpd_var_run_t,s0)
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index 0306b0a..58e79fd 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -1,5 +1,5 @@
 
-policy_module(snmp, 1.9.2)
+policy_module(snmp, 1.9.3)
 
 ########################################
 #
@@ -71,6 +71,7 @@ corenet_udp_bind_generic_node(snmpd_t)
 corenet_tcp_bind_snmp_port(snmpd_t)
 corenet_udp_bind_snmp_port(snmpd_t)
 corenet_sendrecv_snmp_server_packets(snmpd_t)
+corenet_tcp_connect_agentx_port(snmpd_t)
 
 dev_list_sysfs(snmpd_t)
 dev_read_sysfs(snmpd_t)
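Review bot: `corenet_tcp_connect_agentx_port(snmpd_t)` only covers snmpd acting as an AgentX subagent; in the default configuration snmpd is the AgentX master and binds port 705 rather than connecting to it, which this hunk does not allow. If master mode is meant to work under this policy, add `corenet_tcp_bind_agentx_port(snmpd_t)` alongside it, and a comment noting which role each rule serves.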

