[selinux-policy: 2144/3172] 5 patches from dan

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:10:13 UTC 2010


commit ce6fee6575bd086427c2fe67eb50e40592fc7ebd
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Jul 14 10:30:22 2009 -0400

    5 patches from dan

 policy/modules/apps/uml.te              |    8 +--
 policy/modules/kernel/corenetwork.te.in |    3 +-
 policy/modules/services/bind.fc         |   11 +++++-
 policy/modules/services/bind.if         |   42 +++++++++++++++++++-
 policy/modules/services/bind.te         |    5 +-
 policy/modules/services/inetd.if        |    3 +-
 policy/modules/services/inetd.te        |    2 +-
 policy/modules/services/munin.fc        |    4 +-
 policy/modules/services/munin.if        |   54 +++++++++++++++++++++++++-
 policy/modules/services/munin.te        |   65 +++++++++++++++++++++++++++----
 10 files changed, 173 insertions(+), 24 deletions(-)
---
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
index 4d8f914..82c4052 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@@ -1,5 +1,5 @@
 
-policy_module(uml, 2.0.1)
+policy_module(uml, 2.0.2)
 
 ########################################
 #
@@ -16,14 +16,12 @@ ubac_constrained(uml_t)
 type uml_ro_t;
 typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t };
 typealias uml_ro_t alias { auditadm_uml_ro_t secadm_uml_ro_t };
-files_type(uml_ro_t)
-ubac_constrained(uml_ro_t)
+userdom_user_home_content(uml_ro_t)
 
 type uml_rw_t;
 typealias uml_rw_t alias { user_uml_rw_t staff_uml_rw_t sysadm_uml_rw_t };
 typealias uml_rw_t alias { auditadm_uml_rw_t secadm_uml_rw_t };
-files_type(uml_rw_t)
-ubac_constrained(uml_rw_t)
+userdom_user_home_content(uml_rw_t)
 
 type uml_tmp_t;
 typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 508fee1..0de3898 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
 
-policy_module(corenetwork, 1.11.9)
+policy_module(corenetwork, 1.11.10)
 
 ########################################
 #
@@ -131,6 +131,7 @@ network_port(memcache, tcp,11211,s0, udp,11211,s0)
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
+network_port(munin, tcp,4949,s0, udp,4949,s0)
 network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
 portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
 network_port(nessus, tcp,1241,s0)
diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
index bb40138..59aa54f 100644
--- a/policy/modules/services/bind.fc
+++ b/policy/modules/services/bind.fc
@@ -1,17 +1,22 @@
 /etc/rc\.d/init\.d/named --	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound --	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+
 /etc/rndc.*		--	gen_context(system_u:object_r:named_conf_t,s0)
 /etc/rndc\.key 		-- 	gen_context(system_u:object_r:dnssec_t,s0)
+/etc/unbound(/.*)?		gen_context(system_u:object_r:named_conf_t,s0)
 
 /usr/sbin/lwresd	--	gen_context(system_u:object_r:named_exec_t,s0)
 /usr/sbin/named		--	gen_context(system_u:object_r:named_exec_t,s0)
 /usr/sbin/named-checkconf --	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
 /usr/sbin/r?ndc		--	gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/sbin/unbound	--	gen_context(system_u:object_r:named_exec_t,s0)
 
 /var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
 
 /var/run/ndc		-s	gen_context(system_u:object_r:named_var_run_t,s0)
 /var/run/bind(/.*)?		gen_context(system_u:object_r:named_var_run_t,s0)
 /var/run/named(/.*)?		gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/unbound(/.*)?		gen_context(system_u:object_r:named_var_run_t,s0)
 
 ifdef(`distro_debian',`
 /etc/bind(/.*)?			gen_context(system_u:object_r:named_zone_t,s0)
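Review bot: Labeling `/usr/sbin/unbound` as named_exec_t runs unbound in the full named_t domain, so it inherits everything BIND is allowed, including write access to zone and cache types and the rndc channel; if that sharing is deliberate, a comment such as `# unbound runs in the named_t domain; no separate domain is defined` next to the new entry would save the next reader from looking for an unbound_t. Relatedly, the blanket `/etc/unbound(/.*)?` rule labels any key files under that directory named_conf_t, whereas the equivalent `/etc/rndc\.key` is kept as dnssec_t; consider whether unbound's key material should be labeled the same way so the read rules stay narrow.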
@@ -40,8 +45,12 @@ ifdef(`distro_redhat',`
 /var/named/data(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
 /var/named/named\.ca	--	gen_context(system_u:object_r:named_conf_t,s0)
 /var/named/chroot(/.*)?		gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc(/.*)? 	gen_context(system_u:object_r:named_conf_t,s0)
 /var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/proc(/.*)?	<<none>>
 /var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
 /var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
 /var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index 728901d..0bc0189 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -38,6 +38,42 @@ interface(`bind_signal',`
 
 ########################################
 ## <summary>
+##	Send null sigals to BIND.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_signull',`
+	gen_require(`
+		type named_t;
+	')
+
+	allow $1 named_t:process signull;
+')
+
+########################################
+## <summary>
+##	Send BIND the kill signal
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_kill',`
+	gen_require(`
+		type named_t;
+	')
+
+	allow $1 named_t:process sigkill;
+')
+
+########################################
+## <summary>
 ##	Execute ndc in the ndc domain, and
 ##	allow the specified role the ndc domain.
 ## </summary>
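Review bot: The summary of the new bind_signull interface reads `Send null sigals to BIND.`; it should be `Send null signals to BIND.` so the generated interface documentation is correct. The bind_kill summary `Send BIND the kill signal` is also missing its trailing period, unlike the other summaries in this file.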
@@ -269,7 +305,7 @@ interface(`bind_udp_chat_named',`
 interface(`bind_admin',`
 	gen_require(`
 		type named_t, named_tmp_t, named_log_t;
-		type named_conf_t, named_var_run_t;
+		type named_conf_t, named_var_lib_t, named_var_run_t;
 		type named_cache_t, named_zone_t;
 		type dnssec_t, ndc_t;
 		type named_initrc_exec_t;
@@ -283,6 +319,7 @@ interface(`bind_admin',`
 
 	bind_run_ndc($1, $2)
 
+	init_labeled_script_domtrans($1, bind_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 named_initrc_exec_t system_r;
 	allow $2 system_r;
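Review bot: The added `init_labeled_script_domtrans($1, bind_initrc_exec_t)` names a type that bind_admin's gen_require does not declare; the require block in the previous hunk, the `role_transition` two lines below, and bind.fc all use `named_initrc_exec_t`, so the line should read `init_labeled_script_domtrans($1, named_initrc_exec_t)`. As written the module will not build unless a bind_initrc_exec_t exists elsewhere, and nothing in this commit shows one. bind_admin starts in the previous hunk and ends in the next.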
@@ -300,6 +337,9 @@ interface(`bind_admin',`
 	admin_pattern($1, named_zone_t)
 	admin_pattern($1, dnssec_t)
 
+	files_list_var_lib($1)
+	admin_pattern($1, named_var_lib_t)
+
 	files_list_pids($1)
 	admin_pattern($1, named_var_run_t)
 ')
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index f5f80a8..d047e9d 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -1,5 +1,5 @@
 
-policy_module(bind, 1.9.2)
+policy_module(bind, 1.9.3)
 
 ########################################
 #
@@ -123,6 +123,7 @@ corenet_sendrecv_dns_server_packets(named_t)
 corenet_sendrecv_dns_client_packets(named_t)
 corenet_sendrecv_rndc_server_packets(named_t)
 corenet_sendrecv_rndc_client_packets(named_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(named_t)
 corenet_udp_bind_all_unreserved_ports(named_t)
 
 dev_read_sysfs(named_t)
@@ -169,7 +170,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	kerberos_use(named_t)
+	kerberos_keytab_template(named, named_t)
 ')
 
 optional_policy(`
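Review bot: `kerberos_keytab_template(named, named_t)` replaces kerberos_use and, if it behaves like the other templates in this tree, declares a named-specific keytab type that needs a file context entry; the bind.fc hunks in this commit add no keytab path. Confirm the new type is labeled somewhere, otherwise the keytab stays at the generic label and the template's read rules never match; a short comment such as `# keytab type declared by the template; see bind.fc` would make the dependency visible.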
diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if
index 614e0e4..40eeebe 100644
--- a/policy/modules/services/inetd.if
+++ b/policy/modules/services/inetd.if
@@ -36,8 +36,7 @@ interface(`inetd_core_service_domain',`
 	role system_r types $1;
 
 	domtrans_pattern(inetd_t, $2, $1)
-
-	allow inetd_t $1:process sigkill;
+	allow inetd_t $1:process { siginh sigkill };
 ')
 
 ########################################
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index b0d82ba..8eda765 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -1,5 +1,5 @@
 
-policy_module(inetd, 1.9.2)
+policy_module(inetd, 1.9.3)
 
 ########################################
 #
diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc
index 205f91b..797e903 100644
--- a/policy/modules/services/munin.fc
+++ b/policy/modules/services/munin.fc
@@ -1,4 +1,5 @@
 /etc/munin(/.*)?			gen_context(system_u:object_r:munin_etc_t,s0)
+/etc/rc\.d/init\.d/munin-node	--	gen_context(system_u:object_r:munin_initrc_exec_t,s0)
 
 /usr/bin/munin-.*		--	gen_context(system_u:object_r:munin_exec_t,s0)
 /usr/sbin/munin-.*		--	gen_context(system_u:object_r:munin_exec_t,s0)
@@ -6,6 +7,5 @@
 /usr/share/munin/plugins/.*	--	gen_context(system_u:object_r:munin_exec_t,s0)
 
 /var/lib/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
-/var/log/munin.*		--	gen_context(system_u:object_r:munin_log_t,s0)
+/var/log/munin.*			gen_context(system_u:object_r:munin_log_t,s0)
 /var/run/munin(/.*)?			gen_context(system_u:object_r:munin_var_run_t,s0)
-/var/www/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
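Review bot: Dropping the `/var/www/munin(/.*)?` line removes the only labeling this file gave to munin's web output, and nothing in the commit adds a file context mapping that path to the httpd_munin_content_t type that munin.te now creates via `apache_content_template(munin)` and grants manage rules on. Unless that entry lives in another module, the directory will carry whatever the generic apache rule assigns and munin_t's new manage rules on httpd_munin_content_t will not apply to it; an entry such as `/var/www/munin(/.*)?		gen_context(system_u:object_r:httpd_munin_content_t,s0)` would close the gap. Removing the `--` on the `/var/log/munin.*` line is consistent with the new directory handling in munin.te.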
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
index 903e39b..b94c507 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -59,8 +59,9 @@ interface(`munin_append_log',`
 		type munin_log_t;
 	')
 
-	allow $1 munin_log_t:file append_file_perms;
 	logging_search_logs($1)
+	allow $1 munin_log_t:dir list_dir_perms;
+	append_files_pattern($1, munin_log_t, munin_log_t)
 ')
 
 #######################################
@@ -100,3 +101,54 @@ interface(`munin_dontaudit_search_lib',`
 
 	dontaudit $1 munin_var_lib_t:dir search_dir_perms;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an munin environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the munin domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`munin_admin',`
+	gen_require(`
+		type munin_t, munin_etc_t, munin_tmp_t;
+		type munin_log_t, munin_var_lib_t, munin_var_run_t;
+		type httpd_munin_content_t;
+		type munin_initrc_exec_t;
+	')
+
+	allow $1 munin_t:process { ptrace signal_perms };
+	ps_process_pattern($1, munin_t)
+
+	init_labeled_script_domtrans($1, munin_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 munin_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, munin_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, munin_log_t)
+
+	files_list_etc($1)
+	admin_pattern($1, munin_etc_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, munin_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, munin_var_run_t)
+
+	admin_pattern($1, httpd_munin_content_t)
+')
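Review bot: `munin_admin` requires `type httpd_munin_content_t;` unconditionally, but munin.te only declares that type through `apache_content_template(munin)` inside an optional_policy block, so on a build without the apache module the gen_require fails and munin_admin cannot be used at all. If this tree permits optional blocks inside interfaces, move that require and the final `admin_pattern($1, httpd_munin_content_t)` into one, as below. The summary also reads `an munin environment` and that line carries trailing whitespace; `a munin environment` is intended.
```m4
interface(`munin_admin',`
	gen_require(`
		type munin_t, munin_etc_t, munin_tmp_t;
		type munin_log_t, munin_var_lib_t, munin_var_run_t;
		type munin_initrc_exec_t;
	')

	# … unchanged: process, init script, tmp/log/etc/var_lib/pid admin rules …

	optional_policy(`
		gen_require(`
			type httpd_munin_content_t;
		')

		admin_pattern($1, httpd_munin_content_t)
	')
')
```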
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index 80afc14..0031618 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -1,5 +1,5 @@
 
-policy_module(munin, 1.6.2)
+policy_module(munin, 1.6.3)
 
 ########################################
 #
@@ -13,6 +13,9 @@ init_daemon_domain(munin_t, munin_exec_t)
 type munin_etc_t alias lrrd_etc_t;
 files_config_file(munin_etc_t)
 
+type munin_initrc_exec_t;
+init_script_file(munin_initrc_exec_t)
+
 type munin_log_t alias lrrd_log_t;
 logging_log_file(munin_log_t)
 
@@ -30,21 +33,25 @@ files_pid_file(munin_var_run_t)
 # Local policy
 #
 
-allow munin_t self:capability { setgid setuid };
+allow munin_t self:capability { chown dac_override setgid setuid };
 dontaudit munin_t self:capability sys_tty_config;
 allow munin_t self:process { getsched setsched signal_perms };
 allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
 allow munin_t self:tcp_socket create_stream_socket_perms;
 allow munin_t self:udp_socket create_socket_perms;
+allow munin_t self:fifo_file manage_fifo_file_perms;
 
 allow munin_t munin_etc_t:dir list_dir_perms;
 read_files_pattern(munin_t, munin_etc_t, munin_etc_t)
 read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t)
 files_search_etc(munin_t)
 
-allow munin_t munin_log_t:file manage_file_perms;
-logging_log_filetrans(munin_t, munin_log_t, file)
+can_exec(munin_t, munin_exec_t)
+
+manage_dirs_pattern(munin_t, munin_log_t, munin_log_t)
+manage_files_pattern(munin_t, munin_log_t, munin_log_t)
+logging_log_filetrans(munin_t, munin_log_t, { file dir })
 
 manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t)
 manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
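Review bot: The capability line now grants munin_t `dac_override` and `chown` with no comment on which plugin needs them; dac_override lets the domain bypass file mode bits entirely, so a why-comment such as `# chown/dac_override: needed by plugins that read root-only state (confirm which)` above the allow line would keep the grant reviewable. If the need is read-only, the narrower `dac_read_search` may be enough. The new `can_exec(munin_t, munin_exec_t)` and the `{ file dir }` log filetrans look consistent with the munin.fc change in this commit.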
@@ -61,9 +68,11 @@ manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
 files_pid_filetrans(munin_t, munin_var_run_t, file)
 
 kernel_read_system_state(munin_t)
-kernel_read_kernel_sysctls(munin_t)
+kernel_read_network_state(munin_t)
+kernel_read_all_sysctls(munin_t)
 
 corecmd_exec_bin(munin_t)
+corecmd_exec_shell(munin_t)
 
 corenet_all_recvfrom_unlabeled(munin_t)
 corenet_all_recvfrom_netlabel(munin_t)
@@ -73,30 +82,43 @@ corenet_tcp_sendrecv_generic_node(munin_t)
 corenet_udp_sendrecv_generic_node(munin_t)
 corenet_tcp_sendrecv_all_ports(munin_t)
 corenet_udp_sendrecv_all_ports(munin_t)
+corenet_tcp_bind_generic_node(munin_t)
+corenet_tcp_bind_munin_port(munin_t)
+corenet_tcp_connect_munin_port(munin_t)
+corenet_tcp_connect_http_port(munin_t)
 
 dev_read_sysfs(munin_t)
 dev_read_urand(munin_t)
 
 domain_use_interactive_fds(munin_t)
+domain_read_all_domains_state(munin_t)
 
 files_read_etc_files(munin_t)
 files_read_etc_runtime_files(munin_t)
 files_read_usr_files(munin_t)
+files_list_spool(munin_t)
 
 fs_getattr_all_fs(munin_t)
 fs_search_auto_mountpoints(munin_t)
 
+auth_use_nsswitch(munin_t)
+
 logging_send_syslog_msg(munin_t)
+logging_read_all_logs(munin_t)
 
+miscfiles_read_fonts(munin_t)
 miscfiles_read_localization(munin_t)
 
-sysnet_read_config(munin_t)
+sysnet_exec_ifconfig(munin_t)
 
 userdom_dontaudit_use_unpriv_user_fds(munin_t)
 userdom_dontaudit_search_user_home_dirs(munin_t)
 
 optional_policy(`
-	# for accessing the output directory
+	apache_content_template(munin)
+
+	manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+	manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
 	apache_search_sys_content(munin_t)
 ')
 
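Review bot: `sysnet_read_config(munin_t)` is replaced by `sysnet_exec_ifconfig(munin_t)`, which on its own does not obviously preserve the read access to the network configuration munin had before; this presumably relies on the new `auth_use_nsswitch(munin_t)` pulling that access in, which I cannot confirm from the hunk. `logging_read_all_logs(munin_t)` grants read on every log type, so the `sendmail_read_log(munin_t)` added in the last hunk looks redundant. The removed `# for accessing the output directory` comment was the only explanation the apache block had; keep a line such as `# web output directory, managed via apache_content_template` above `apache_content_template(munin)`.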
@@ -105,7 +127,34 @@ optional_policy(`
 ')
 
 optional_policy(`
-	nis_use_ypbind(munin_t)
+	fstools_domtrans(munin_t)
+')
+
+optional_policy(`
+	mta_read_config(munin_t)
+	mta_send_mail(munin_t)
+	mta_read_queue(munin_t)
+')
+
+optional_policy(`
+	mysql_read_config(munin_t)
+	mysql_stream_connect(munin_t)
+')
+
+optional_policy(`
+	netutils_domtrans_ping(munin_t)
+')
+
+optional_policy(`
+	postfix_list_spool(munin_t)
+')
+
+optional_policy(`
+	rpc_search_nfs_state_data(munin_t)
+')
+
+optional_policy(`
+	sendmail_read_log(munin_t)
 ')
 
 optional_policy(`

