[selinux-policy: 2831/3172] Update f14
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:12:03 UTC 2010
commit 2968e068184d6951b3db2792f24738340f5517bc
Author: Dan Walsh <dwalsh at redhat.com>
Date: Thu Aug 26 12:55:57 2010 -0400
Update f14
policy/modules/admin/dmesg.te | 2 +-
policy/modules/admin/logrotate.te | 2 +-
policy/modules/apps/kdumpgui.if | 2 +-
policy/modules/apps/livecd.te | 6 +-
policy/modules/apps/mono.if | 7 +-
policy/modules/apps/sambagui.if | 1 -
policy/modules/apps/sambagui.te | 33 ++---
policy/modules/kernel/files.if | 19 +++
policy/modules/roles/dbadm.te | 42 +++++-
policy/modules/roles/staff.te | 261 ++++++++++++++++------------------
policy/modules/roles/sysadm.te | 262 +++++++++++++++-------------------
policy/modules/roles/unprivuser.te | 265 +++++++++++++++++------------------
policy/modules/services/abrt.if | 10 +-
policy/modules/services/apache.te | 2 +-
policy/modules/services/cobbler.fc | 40 +++---
policy/modules/services/cobbler.if | 85 ++++++------
policy/modules/services/cobbler.te | 52 +++-----
policy/modules/services/dnsmasq.te | 2 +-
policy/modules/services/mojomojo.te | 12 +-
policy/modules/services/tftp.te | 2 +-
policy/modules/system/iptables.te | 2 +-
support/Makefile.devel | 4 +-
22 files changed, 550 insertions(+), 563 deletions(-)
---
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 62b7b38..5421065 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -50,7 +50,7 @@ userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
userdom_use_user_terminals(dmesg_t)
optional_policy(`
- abrt_append_cache_files(dmesg_t)
+ abrt_cache_append(dmesg_t)
abrt_rw_fifo_file(dmesg_t)
abrt_manage_pid_files(dmesg_t)
')
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index f7d7c05..23ef05f 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -139,7 +139,7 @@ ifdef(`distro_debian', `
')
optional_policy(`
- abrt_manage_cache_files(logrotate_t)
+ abrt_cache_manage(logrotate_t)
')
optional_policy(`
diff --git a/policy/modules/apps/kdumpgui.if b/policy/modules/apps/kdumpgui.if
index 2b56a87..d6af9b0 100644
--- a/policy/modules/apps/kdumpgui.if
+++ b/policy/modules/apps/kdumpgui.if
@@ -1,2 +1,2 @@
-
## <summary>system-config-kdump GUI</summary>
+
diff --git a/policy/modules/apps/livecd.te b/policy/modules/apps/livecd.te
index 87b571b..47a193c 100644
--- a/policy/modules/apps/livecd.te
+++ b/policy/modules/apps/livecd.te
@@ -20,7 +20,6 @@ files_tmp_file(livecd_tmp_t)
dontaudit livecd_t self:capability2 mac_admin;
-unconfined_domain_noaudit(livecd_t)
domain_ptrace_all_domains(livecd_t)
manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
@@ -28,6 +27,9 @@ manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file })
optional_policy(`
- hal_dbus_chat(livecd_t)
+ unconfined_domain_noaudit(livecd_t)
')
+optional_policy(`
+ hal_dbus_chat(livecd_t)
+')
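Review bot: The relocated `unconfined_domain_noaudit(livecd_t)` grant carries no comment, and moving it inside optional_policy changes what livecd_t gets when the unconfined module is not loaded — it then falls back to the explicit rules kept above it, such as `domain_ptrace_all_domains(livecd_t)` from the previous hunk. A one-line comment would make that intent auditable, e.g. `# unconfined when the module is loaded; the explicit rules above cover builds without it`. The rest of the livecd_t policy continues outside the hunk.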
diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
index e82faff..9c9e6c1 100644
--- a/policy/modules/apps/mono.if
+++ b/policy/modules/apps/mono.if
@@ -43,13 +43,14 @@ template(`mono_role_template',`
allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
- userdom_unpriv_usertype($1, $1_mono_t)
- userdom_manage_tmpfs_role($2, $1_mono_t)
-
domtrans_pattern($3, mono_exec_t, $1_mono_t)
fs_dontaudit_rw_tmpfs_files($1_mono_t)
corecmd_bin_domtrans($1_mono_t, $1_t)
+
+ userdom_unpriv_usertype($1, $1_mono_t)
+ userdom_manage_tmpfs_role($2, $1_mono_t)
+
ifdef(`hide_broken_symptoms', `
dontaudit $1_t $1_mono_t:socket_class_set { read write };
')
diff --git a/policy/modules/apps/sambagui.if b/policy/modules/apps/sambagui.if
index 6b8383d..b31ed10 100644
--- a/policy/modules/apps/sambagui.if
+++ b/policy/modules/apps/sambagui.if
@@ -1,3 +1,2 @@
## <summary>system-config-samba dbus service policy</summary>
-
diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te
index e667c4d..26bb71c 100644
--- a/policy/modules/apps/sambagui.te
+++ b/policy/modules/apps/sambagui.te
@@ -1,4 +1,4 @@
-policy_module(sambagui,1.0.0)
+policy_module(sambagui, 1.0.0)
########################################
#
@@ -14,29 +14,22 @@ dbus_system_domain(sambagui_t, sambagui_exec_t)
# system-config-samba local policy
#
-allow sambagui_t self:capability dac_override;
+allow sambagui_t self:capability dac_override;
allow sambagui_t self:fifo_file rw_fifo_file_perms;
allow sambagui_t self:unix_dgram_socket create_socket_perms;
-# handling with samba conf files
-samba_append_log(sambagui_t)
-samba_manage_config(sambagui_t)
-samba_manage_var_files(sambagui_t)
-samba_read_secrets(sambagui_t)
-samba_initrc_domtrans(sambagui_t)
-samba_domtrans_smbd(sambagui_t)
-samba_domtrans_nmbd(sambagui_t)
+# read meminfo
+kernel_read_system_state(sambagui_t)
# execut apps of system-config-samba
corecmd_exec_shell(sambagui_t)
corecmd_exec_bin(sambagui_t)
+dev_dontaudit_read_urand(sambagui_t)
+
files_read_etc_files(sambagui_t)
-files_read_usr_files(sambagui_t)
files_search_var_lib(sambagui_t)
-
-# reading shadow by pdbedit
-#auth_read_shadow(sambagui_t)
+files_read_usr_files(sambagui_t)
auth_use_nsswitch(sambagui_t)
@@ -44,14 +37,18 @@ logging_send_syslog_msg(sambagui_t)
miscfiles_read_localization(sambagui_t)
-# read meminfo
-kernel_read_system_state(sambagui_t)
-
-dev_dontaudit_read_urand(sambagui_t)
nscd_dontaudit_search_pid(sambagui_t)
userdom_dontaudit_search_admin_dir(sambagui_t)
+# handling with samba conf files
+samba_append_log(sambagui_t)
+samba_manage_config(sambagui_t)
+samba_manage_var_files(sambagui_t)
+samba_read_secrets(sambagui_t)
+samba_initrc_domtrans(sambagui_t)
+samba_domtrans_smbd(sambagui_t)
+samba_domtrans_nmbd(sambagui_t)
optional_policy(`
consoletype_exec(sambagui_t)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index ef14126..8779f43 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5310,6 +5310,25 @@ interface(`files_getattr_generic_locks',`
########################################
## <summary>
+## Delete generic lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_generic_locks',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ delete_files_pattern($1, var_lock_t, var_lock_t)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete generic
## lock files.
## </summary>
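Review bot: The summary of the new `files_delete_generic_locks` interface does not convey that var_lock_t is the generic lock type shared by every domain that uses generic lock files, so a caller can remove locks created by other domains; that is the property a policy writer needs before granting it. Suggest expanding the summary to `## Delete generic lock files. The generic lock type is shared, so the caller can remove lock files created by other domains.`, matching the doc style of the neighbouring interfaces.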
diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
index 2ddeb70..a3ddd43 100644
--- a/policy/modules/roles/dbadm.te
+++ b/policy/modules/roles/dbadm.te
@@ -5,6 +5,20 @@ policy_module(dbadm, 1.0.0)
# Declarations
#
+## <desc>
+## <p>
+## Allow dbadm to manage files in users home directories
+## </p>
+## </desc>
+gen_tunable(dbadm_manage_user_files, false)
+
+## <desc>
+## <p>
+## Allow dbadm to read files in users home directories
+## </p>
+## </desc>
+gen_tunable(dbadm_read_user_files, false)
+
role dbadm_r;
userdom_unpriv_user_template(dbadm)
@@ -14,17 +28,35 @@ userdom_unpriv_user_template(dbadm)
# database admin local policy
#
-optional_policy(`
- mysql_admin(dbadm_t, dbadm_r)
+allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
+
+files_dontaudit_search_all_dirs(dbadm_t)
+files_delete_generic_locks(dbadm_t)
+files_list_var(dbadm_t)
+
+selinux_get_enforce_mode(dbadm_t)
+
+logging_send_syslog_msg(dbadm_t)
+
+userdom_dontaudit_search_user_home_dirs(dbadm_t)
+
+tunable_policy(`dbadm_manage_user_files',`
+ userdom_manage_user_home_content_files(dbadm_t)
+ userdom_read_user_tmp_files(dbadm_t)
+ userdom_write_user_tmp_files(dbadm_t)
+')
+
+tunable_policy(`dbadm_read_user_files',`
+ userdom_read_user_home_content_files(dbadm_t)
+ userdom_read_user_tmp_files(dbadm_t)
')
optional_policy(`
- postgresql_admin(dbadm_t, dbadm_r)
+ mysql_admin(dbadm_t, dbadm_r)
')
-# For starting up daemon processes
optional_policy(`
- su_role_template(dbadm, dbadm_r, dbadm_t)
+ postgresql_admin(dbadm_t, dbadm_r)
')
optional_policy(`
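Review bot: The new `allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };` line has no comment naming which administrative operation needs each capability; dac_override bypasses file-mode checks on everything the policy lets dbadm_t reach, so each one should be tied to a concrete need, e.g. `# dac_override/dac_read_search: TODO name the database tool that needs them; sys_ptrace: TODO confirm still required`. The `dbadm_manage_user_files` tunable body also grants `userdom_read_user_tmp_files` and `userdom_write_user_tmp_files`, which the `<desc>` text in the preceding hunk ("manage files in users home directories") does not mention; the description should list the tmp-file access too. Unless it reappears after the hunk, the `su_role_template(dbadm, dbadm_r, dbadm_t)` block and its `# For starting up daemon processes` comment are dropped, a second behavioural change the commit message does not record.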
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 303d72a..fabc1a0 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -22,14 +22,29 @@ kernel_read_ring_buffer(staff_usertype)
kernel_getattr_core_if(staff_usertype)
kernel_getattr_message_if(staff_usertype)
kernel_read_software_raid_state(staff_usertype)
+kernel_read_fs_sysctls(staff_usertype)
+
+domain_read_all_domains_state(staff_usertype)
+domain_getattr_all_domains(staff_usertype)
+domain_obj_id_change_exemption(staff_t)
+
+files_read_kernel_modules(staff_usertype)
+
+seutil_read_module_store(staff_t)
+seutil_run_newrole(staff_t, staff_r)
+
+term_use_unallocated_ttys(staff_usertype)
auth_domtrans_pam_console(staff_t)
init_dbus_chat(staff_t)
init_dbus_chat_script(staff_t)
-seutil_read_module_store(staff_t)
-seutil_run_newrole(staff_t, staff_r)
+miscfiles_read_hwdata(staff_usertype)
+
+modutils_read_module_config(staff_usertype)
+modutils_read_module_deps(staff_usertype)
+
netutils_run_ping(staff_t, staff_r)
netutils_signal_ping(staff_t)
@@ -41,208 +56,184 @@ optional_policy(`
mozilla_run_plugin(staff_t, staff_r)
')
-ifndef(`distro_redhat',`
-
-optional_policy(`
- auth_role(staff_r, staff_t)
-')
-')
-
optional_policy(`
auditadm_role_change(staff_r)
')
optional_policy(`
- kerneloops_manage_tmp_files(staff_t)
+ dbadm_role_change(staff_r)
')
optional_policy(`
logadm_role_change(staff_r)
')
-ifndef(`distro_redhat',`
optional_policy(`
- bluetooth_role(staff_r, staff_t)
-')
-
-optional_policy(`
- cdrecord_role(staff_r, staff_t)
-')
-
-optional_policy(`
- cron_role(staff_r, staff_t)
-')
-
-optional_policy(`
- dbus_role_template(staff, staff_r, staff_t)
-')
-
-optional_policy(`
- evolution_role(staff_r, staff_t)
-')
-
-optional_policy(`
- games_role(staff_r, staff_t)
-')
-
-optional_policy(`
- gift_role(staff_r, staff_t)
-')
-
-optional_policy(`
- gnome_role(staff_r, staff_t)
+ webadm_role_change(staff_r)
')
optional_policy(`
- gpg_role(staff_r, staff_t)
+ kerneloops_manage_tmp_files(staff_t)
')
optional_policy(`
- irc_role(staff_r, staff_t)
+ postgresql_role(staff_r, staff_t)
')
optional_policy(`
- java_role(staff_r, staff_t)
+ secadm_role_change(staff_r)
')
optional_policy(`
- lockdev_role(staff_r, staff_t)
+ unconfined_role_change(staff_r)
')
optional_policy(`
- lpd_role(staff_r, staff_t)
+ rtkit_scheduled(staff_t)
')
optional_policy(`
- mozilla_role(staff_r, staff_t)
+ screen_role_template(staff, staff_r, staff_t)
')
optional_policy(`
- mplayer_role(staff_r, staff_t)
+ ssh_role_template(staff, staff_r, staff_t)
')
optional_policy(`
- mta_role(staff_r, staff_t)
+ sudo_role_template(staff, staff_r, staff_t)
')
optional_policy(`
- oident_manage_user_content(staff_t)
- oident_relabel_user_content(staff_t)
-')
+ sysadm_role_change(staff_r)
+ userdom_dontaudit_use_user_terminals(staff_t)
')
optional_policy(`
- postgresql_role(staff_r, staff_t)
+ telepathy_dbus_session_role(staff_r, staff_t)
')
optional_policy(`
- rtkit_scheduled(staff_t)
+ xserver_role(staff_r, staff_t)
')
ifndef(`distro_redhat',`
-optional_policy(`
- pyzor_role(staff_r, staff_t)
-')
-
-optional_policy(`
- razor_role(staff_r, staff_t)
-')
+ optional_policy(`
+ auth_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ bluetooth_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ cdrecord_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ cron_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ dbus_role_template(staff, staff_r, staff_t)
+ ')
-optional_policy(`
- rssh_role(staff_r, staff_t)
-')
+ optional_policy(`
+ evolution_role(staff_r, staff_t)
+ ')
-optional_policy(`
- screen_role_template(staff, staff_r, staff_t)
-')
-')
+ optional_policy(`
+ games_role(staff_r, staff_t)
+ ')
-optional_policy(`
- secadm_role_change(staff_r)
-')
+ optional_policy(`
+ gift_role(staff_r, staff_t)
+ ')
-ifndef(`distro_redhat',`
-optional_policy(`
- spamassassin_role(staff_r, staff_t)
-')
-')
+ optional_policy(`
+ gnome_role(staff_r, staff_t)
+ ')
-optional_policy(`
- ssh_role_template(staff, staff_r, staff_t)
-')
+ optional_policy(`
+ gpg_role(staff_r, staff_t)
+ ')
-ifndef(`distro_redhat',`
-optional_policy(`
- su_role_template(staff, staff_r, staff_t)
-')
-')
+ optional_policy(`
+ irc_role(staff_r, staff_t)
+ ')
-optional_policy(`
- sudo_role_template(staff, staff_r, staff_t)
-')
+ optional_policy(`
+ java_role(staff_r, staff_t)
+ ')
-optional_policy(`
- sysadm_role_change(staff_r)
- userdom_dontaudit_use_user_terminals(staff_t)
-')
+ optional_policy(`
+ lockdev_role(staff_r, staff_t)
+ ')
-optional_policy(`
- telepathy_dbus_session_role(staff_r, staff_t)
-')
+ optional_policy(`
+ lpd_role(staff_r, staff_t)
+ ')
-ifndef(`distro_redhat',`
-optional_policy(`
- thunderbird_role(staff_r, staff_t)
-')
+ optional_policy(`
+ mozilla_role(staff_r, staff_t)
+ ')
-optional_policy(`
- tvtime_role(staff_r, staff_t)
-')
+ optional_policy(`
+ mplayer_role(staff_r, staff_t)
+ ')
-optional_policy(`
- uml_role(staff_r, staff_t)
-')
+ optional_policy(`
+ mta_role(staff_r, staff_t)
+ ')
-optional_policy(`
- userhelper_role_template(staff, staff_r, staff_t)
-')
+ optional_policy(`
+ oident_manage_user_content(staff_t)
+ oident_relabel_user_content(staff_t)
+ ')
+ optional_policy(`
+ pyzor_role(staff_r, staff_t)
+ ')
-optional_policy(`
- vmware_role(staff_r, staff_t)
-')
+ optional_policy(`
+ razor_role(staff_r, staff_t)
+ ')
-optional_policy(`
- wireshark_role(staff_r, staff_t)
-')
+ optional_policy(`
+ rssh_role(staff_r, staff_t)
+ ')
-')
-
-optional_policy(`
- unconfined_role_change(staff_r)
-')
-
-optional_policy(`
- webadm_role_change(staff_r)
-')
+ optional_policy(`
+ spamassassin_role(staff_r, staff_t)
+ ')
-optional_policy(`
- xserver_role(staff_r, staff_t)
-')
+ optional_policy(`
+ su_role_template(staff, staff_r, staff_t)
+ ')
-domain_read_all_domains_state(staff_usertype)
-domain_getattr_all_domains(staff_usertype)
-domain_obj_id_change_exemption(staff_t)
+ optional_policy(`
+ thunderbird_role(staff_r, staff_t)
+ ')
-files_read_kernel_modules(staff_usertype)
+ optional_policy(`
+ tvtime_role(staff_r, staff_t)
+ ')
-kernel_read_fs_sysctls(staff_usertype)
+ optional_policy(`
+ uml_role(staff_r, staff_t)
+ ')
-modutils_read_module_config(staff_usertype)
-modutils_read_module_deps(staff_usertype)
+ optional_policy(`
+ userhelper_role_template(staff, staff_r, staff_t)
+ ')
-miscfiles_read_hwdata(staff_usertype)
+ optional_policy(`
+ vmware_role(staff_r, staff_t)
+ ')
-term_use_unallocated_ttys(staff_usertype)
+ optional_policy(`
+ wireshark_role(staff_r, staff_t)
+ ')
+')
optional_policy(`
accountsd_dbus_chat(staff_t)
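Review bot: `dbadm_role_change(staff_r)` near the top of this hunk is the only new grant among roughly two hundred moved and re-indented lines, and neither the commit message ("Update f14") nor a comment records that staff_r can now transition to dbadm_r, whose domain gains dac_override and sys_ptrace elsewhere in this same commit. Every other line in the hunk is one of the optional_policy blocks removed further down (or the ifndef(`distro_redhat') wrapper re-indented by one tab), which is what makes the hunk this large; a whitespace-only move in its own commit would let the single real change be reviewed on its own. The duplicate `screen_role_template` removed in the next hunk matches the unconditional one kept here, so that part is net-neutral.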
@@ -274,10 +265,6 @@ optional_policy(`
')
optional_policy(`
- screen_role_template(staff, staff_r, staff_t)
-')
-
-optional_policy(`
setroubleshoot_stream_connect(staff_t)
setroubleshoot_dbus_chat(staff_t)
setroubleshoot_dbus_chat_fixit(staff_t)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index cf17ed1..1a95085 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -24,11 +24,14 @@ ifndef(`enable_mls',`
#
# Local policy
#
+kernel_read_fs_sysctls(sysadm_t)
corecmd_exec_shell(sysadm_t)
domain_dontaudit_read_all_domains_state(sysadm_t)
+files_read_kernel_modules(sysadm_t)
+
mls_process_read_up(sysadm_t)
mls_file_read_to_clearance(sysadm_t)
mls_process_write_to_clearance(sysadm_t)
@@ -42,6 +45,11 @@ application_exec(sysadm_t)
init_exec(sysadm_t)
init_exec_script_files(sysadm_t)
init_dbus_chat(sysadm_t)
+init_script_role_transition(sysadm_r)
+
+modutils_read_module_deps(sysadm_t)
+
+miscfiles_read_hwdata(sysadm_t)
# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
@@ -83,9 +91,6 @@ optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
- ifndef(`distro_redhat',`
- apache_role(sysadm_r, sysadm_t)
- ')
')
optional_policy(`
@@ -101,12 +106,6 @@ optional_policy(`
auditadm_role_change(sysadm_r)
')
-ifndef(`distro_redhat',`
-optional_policy(`
- auth_role(sysadm_r, sysadm_t)
-')
-')
-
optional_policy(`
backup_run(sysadm_t, sysadm_r)
')
@@ -115,22 +114,10 @@ optional_policy(`
bind_run_ndc(sysadm_t, sysadm_r)
')
-ifndef(`distro_redhat',`
-optional_policy(`
- bluetooth_role(sysadm_r, sysadm_t)
-')
-')
-
optional_policy(`
bootloader_run(sysadm_t, sysadm_r)
')
-ifndef(`distro_redhat',`
-optional_policy(`
- cdrecord_role(sysadm_r, sysadm_t)
-')
-')
-
optional_policy(`
certmonger_dbus_chat(sysadm_t)
')
@@ -151,16 +138,6 @@ optional_policy(`
consoletype_run(sysadm_t, sysadm_r)
')
-ifndef(`distro_redhat',`
-optional_policy(`
- cron_admin_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
- dbus_role_template(sysadm, sysadm_r, sysadm_t)
-')
-')
-
optional_policy(`
daemonstools_run_start(sysadm_t, sysadm_r)
')
@@ -187,12 +164,6 @@ optional_policy(`
dpkg_run(sysadm_t, sysadm_r)
')
-ifndef(`distro_redhat',`
-optional_policy(`
- evolution_role(sysadm_r, sysadm_t)
-')
-')
-
optional_policy(`
firstboot_run(sysadm_t, sysadm_r)
')
@@ -201,24 +172,6 @@ optional_policy(`
fstools_run(sysadm_t, sysadm_r)
')
-ifndef(`distro_redhat',`
-optional_policy(`
- games_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
- gift_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
- gnome_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
- gpg_role(sysadm_r, sysadm_t)
-')
-')
-
optional_policy(`
hostname_run(sysadm_t, sysadm_r)
')
@@ -248,16 +201,6 @@ optional_policy(`
kerberos_exec_kadmind(sysadm_t)
')
-ifndef(`distro_redhat',`
-optional_policy(`
- irc_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
- java_role(sysadm_r, sysadm_t)
-')
-')
-
optional_policy(`
kudzu_run(sysadm_t, sysadm_r)
')
@@ -266,12 +209,6 @@ optional_policy(`
libs_run_ldconfig(sysadm_t, sysadm_r)
')
-ifndef(`distro_redhat',`
-optional_policy(`
- lockdev_role(sysadm_r, sysadm_t)
-')
-')
-
optional_policy(`
logrotate_run(sysadm_t, sysadm_r)
')
@@ -296,16 +233,6 @@ optional_policy(`
mount_run_showmount(sysadm_t, sysadm_r)
')
-ifndef(`distro_redhat',`
-optional_policy(`
- mozilla_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
- mplayer_role(sysadm_r, sysadm_t)
-')
-')
-
optional_policy(`
mta_role(sysadm_r, sysadm_t)
')
@@ -359,12 +286,6 @@ optional_policy(`
prelink_run(sysadm_t, sysadm_r)
')
-ifndef(`distro_redhat',`
-optional_policy(`
- pyzor_role(sysadm_r, sysadm_t)
-')
-')
-
optional_policy(`
quota_run(sysadm_t, sysadm_r)
')
@@ -373,12 +294,6 @@ optional_policy(`
raid_domtrans_mdadm(sysadm_t)
')
-ifndef(`distro_redhat',`
-optional_policy(`
- razor_role(sysadm_r, sysadm_t)
-')
-')
-
optional_policy(`
rpc_domtrans_nfsd(sysadm_t)
')
@@ -387,11 +302,6 @@ optional_policy(`
rpm_run(sysadm_t, sysadm_r)
')
-ifndef(`distro_redhat',`
-optional_policy(`
- rssh_role(sysadm_r, sysadm_t)
-')
-')
optional_policy(`
rsync_exec(sysadm_t)
@@ -419,11 +329,6 @@ optional_policy(`
shutdown_run(sysadm_t, sysadm_r)
')
-ifndef(`distro_redhat',`
-optional_policy(`
- spamassassin_role(sysadm_r, sysadm_t)
-')
-')
optional_policy(`
ssh_role_template(sysadm, sysadm_r, sysadm_t)
@@ -446,12 +351,6 @@ optional_policy(`
sysnet_run_dhcpc(sysadm_t, sysadm_r)
')
-ifndef(`distro_redhat',`
-optional_policy(`
- thunderbird_role(sysadm_r, sysadm_t)
-')
-')
-
optional_policy(`
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
@@ -459,22 +358,10 @@ optional_policy(`
tripwire_run_twprint(sysadm_t, sysadm_r)
')
-ifndef(`distro_redhat',`
-optional_policy(`
- tvtime_role(sysadm_r, sysadm_t)
-')
-')
-
optional_policy(`
tzdata_domtrans(sysadm_t)
')
-ifndef(`distro_redhat',`
-optional_policy(`
- uml_role(sysadm_r, sysadm_t)
-')
-')
-
optional_policy(`
unconfined_domtrans(sysadm_t)
')
@@ -487,23 +374,12 @@ optional_policy(`
usbmodules_run(sysadm_t, sysadm_r)
')
-ifndef(`distro_redhat',`
-optional_policy(`
- userhelper_role_template(sysadm, sysadm_r, sysadm_t)
-')
-')
-
optional_policy(`
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
')
-ifndef(`distro_redhat',`
-optional_policy(`
- vmware_role(sysadm_r, sysadm_t)
-')
-')
optional_policy(`
vpn_run(sysadm_t, sysadm_r)
@@ -521,16 +397,6 @@ optional_policy(`
virt_stream_connect(sysadm_t)
')
-ifndef(`distro_redhat',`
-optional_policy(`
- wireshark_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
- xserver_role(sysadm_r, sysadm_t)
-')
-')
-
optional_policy(`
yam_run(sysadm_t, sysadm_r)
')
@@ -539,9 +405,111 @@ optional_policy(`
zebra_stream_connect(sysadm_t)
')
-init_script_role_transition(sysadm_r)
+ifndef(`distro_redhat',`
+ optional_policy(`
+ apache_role(sysadm_r, sysadm_t)
+ ')
+ optional_policy(`
+ auth_role(sysadm_r, sysadm_t)
+ ')
-files_read_kernel_modules(sysadm_t)
-kernel_read_fs_sysctls(sysadm_t)
-modutils_read_module_deps(sysadm_t)
-miscfiles_read_hwdata(sysadm_t)
+ optional_policy(`
+ bluetooth_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ cdrecord_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ cron_admin_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ dbus_role_template(sysadm, sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ evolution_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ games_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ gift_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ gnome_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ gpg_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ irc_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ java_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ lockdev_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ mozilla_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ mplayer_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ pyzor_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ razor_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ rssh_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ spamassassin_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ thunderbird_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ tvtime_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ uml_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ userhelper_role_template(sysadm, sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ vmware_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ wireshark_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ xserver_role(sysadm_r, sysadm_t)
+ ')
+')
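Review bot: In the relocated ifndef(`distro_redhat') block there is no blank line between the `apache_role` and `auth_role` optional_policy blocks — the `')` closing apache_role is immediately followed by `optional_policy(`` — unlike every other pair in this block and in the matching blocks moved in staff.te and unprivuser.te; add the blank line after that `')`. Nothing else here is new: the lines are the ones deleted from the earlier hunks of this file plus the `init_script_role_transition` and read-only rules moved to the top, so the move could have been a separate commit to keep the behavioural diff short.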
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 579825e..aac3fe1 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -22,97 +22,6 @@ optional_policy(`
mozilla_run_plugin(user_t, user_r)
')
-ifndef(`distro_redhat',`
-optional_policy(`
- auth_role(user_r, user_t)
-')
-
-optional_policy(`
- bluetooth_role(user_r, user_t)
-')
-
-optional_policy(`
- cdrecord_role(user_r, user_t)
-')
-
-optional_policy(`
- cron_role(user_r, user_t)
-')
-
-optional_policy(`
- dbus_role_template(user, user_r, user_t)
-')
-
-optional_policy(`
- evolution_role(user_r, user_t)
-')
-
-optional_policy(`
- games_role(user_r, user_t)
-')
-
-optional_policy(`
- gift_role(user_r, user_t)
-')
-
-optional_policy(`
- gnome_role(user_r, user_t)
-')
-
-optional_policy(`
- gpg_role(user_r, user_t)
-')
-
-optional_policy(`
- irc_role(user_r, user_t)
-')
-
-optional_policy(`
- java_role(user_r, user_t)
-')
-
-optional_policy(`
- lockdev_role(user_r, user_t)
-')
-
-optional_policy(`
- lpd_role(user_r, user_t)
-')
-
-optional_policy(`
- mozilla_role(user_r, user_t)
-')
-
-optional_policy(`
- mplayer_role(user_r, user_t)
-')
-
-optional_policy(`
- mta_role(user_r, user_t)
-')
-
-optional_policy(`
- oident_manage_user_content(user_t)
- oident_relabel_user_content(user_t)
-')
-
-optional_policy(`
- postgresql_role(user_r, user_t)
-')
-
-optional_policy(`
- pyzor_role(user_r, user_t)
-')
-
-optional_policy(`
- razor_role(user_r, user_t)
-')
-
-optional_policy(`
- rssh_role(user_r, user_t)
-')
-')
-
optional_policy(`
rpm_dontaudit_dbus_chat(user_t)
')
@@ -133,49 +42,6 @@ optional_policy(`
telepathy_dbus_session_role(user_r, user_t)
')
-ifndef(`distro_redhat',`
-optional_policy(`
- spamassassin_role(user_r, user_t)
-')
-
-optional_policy(`
- ssh_role_template(user, user_r, user_t)
-')
-
-optional_policy(`
- su_role_template(user, user_r, user_t)
-')
-
-optional_policy(`
- sudo_role_template(user, user_r, user_t)
-')
-
-optional_policy(`
- thunderbird_role(user_r, user_t)
-')
-
-optional_policy(`
- tvtime_role(user_r, user_t)
-')
-
-optional_policy(`
- uml_role(user_r, user_t)
-')
-
-optional_policy(`
- userhelper_role_template(user, user_r, user_t)
-')
-
-optional_policy(`
- vmware_role(user_r, user_t)
-')
-
-optional_policy(`
- wireshark_role(user_r, user_t)
-')
-
-')
-
optional_policy(`
setroubleshoot_dontaudit_stream_connect(user_t)
')
@@ -183,3 +49,134 @@ optional_policy(`
optional_policy(`
xserver_role(user_r, user_t)
')
+
+ifndef(`distro_redhat',`
+ optional_policy(`
+ auth_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ bluetooth_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ cdrecord_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ cron_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ dbus_role_template(user, user_r, user_t)
+ ')
+
+ optional_policy(`
+ evolution_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ games_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ gift_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ gnome_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ gpg_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ irc_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ java_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ lockdev_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ lpd_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ mozilla_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ mplayer_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ mta_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ oident_manage_user_content(user_t)
+ oident_relabel_user_content(user_t)
+ ')
+
+ optional_policy(`
+ postgresql_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ pyzor_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ razor_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ rssh_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ spamassassin_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ ssh_role_template(user, user_r, user_t)
+ ')
+
+ optional_policy(`
+ su_role_template(user, user_r, user_t)
+ ')
+
+ optional_policy(`
+ sudo_role_template(user, user_r, user_t)
+ ')
+
+ optional_policy(`
+ thunderbird_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ tvtime_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ uml_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ userhelper_role_template(user, user_r, user_t)
+ ')
+
+ optional_policy(`
+ vmware_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ wireshark_role(user_r, user_t)
+ ')
+')
diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
index 8f99d78..8a5d6a4 100644
--- a/policy/modules/services/abrt.if
+++ b/policy/modules/services/abrt.if
@@ -131,9 +131,9 @@ interface(`abrt_domtrans_helper',`
domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
-ifdef(`hide_broken_symptoms', `
- dontaudit abrt_helper_t $1:socket_class_set { read write };
-')
+ ifdef(`hide_broken_symptoms', `
+ dontaudit abrt_helper_t $1:socket_class_set { read write };
+ ')
')
########################################
@@ -172,7 +172,7 @@ interface(`abrt_run_helper',`
## </summary>
## </param>
#
-interface(`abrt_append_cache_files',`
+interface(`abrt_cache_append',`
gen_require(`
type abrt_var_cache_t;
')
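Review bot: Renaming `abrt_append_cache_files` to `abrt_cache_append` (and `abrt_manage_cache_files` to `abrt_cache_manage` in the next hunk) removes the old interface names outright, so any policy module outside this tree that still calls them stops building; the in-tree callers in dmesg.te and logrotate.te are updated, but the usual refpolicy practice is to keep the old names as deprecated wrappers for a release. The same applies to the cobbler renames later in this diff (`cobbler_read_content` to `cobbler_read_lib_files`). Keeping wrappers like the following next to the renamed interfaces avoids the hard break:
```m4
interface(`abrt_append_cache_files',`
	refpolicywarn(`$0($*) has been deprecated, use abrt_cache_append() instead.')
	abrt_cache_append($1)
')

interface(`abrt_manage_cache_files',`
	refpolicywarn(`$0($*) has been deprecated, use abrt_cache_manage() instead.')
	abrt_cache_manage($1)
')
```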
@@ -190,7 +190,7 @@ interface(`abrt_append_cache_files',`
## </summary>
## </param>
#
-interface(`abrt_manage_cache_files',`
+interface(`abrt_cache_manage',`
gen_require(`
type abrt_var_cache_t;
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 61d50b8..08ec94f 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -638,7 +638,7 @@ optional_policy(`
optional_policy(`
cobbler_list_config(httpd_t)
cobbler_read_config(httpd_t)
- cobbler_read_content(httpd_t)
+ cobbler_read_lib_files(httpd_t)
tunable_policy(`httpd_can_network_connect_cobbler',`
corenet_tcp_connect_cobbler_port(httpd_t)
diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc
index 2419401..5f40c92 100644
--- a/policy/modules/services/cobbler.fc
+++ b/policy/modules/services/cobbler.fc
@@ -5,28 +5,28 @@
/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
-/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
-
-/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_content_t,s0)
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0)
# This should removable when cobbler package installs /var/www/cobbler/rendered
-/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_t,s0)
-
-/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/www/cobbler/localmirror(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/www/cobbler/pub(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/www/cobbler/rendered(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/www/cobbler/repo_mirror(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
+/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_var_lib_t,s0)
+
+/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/localmirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/pub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/rendered(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/repo_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
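Review bot: Renaming the file type from `cobbler_content_t` to `cobbler_var_lib_t` leaves existing installs with an on-disk label the new policy no longer knows; without a `typealias cobbler_var_lib_t alias cobbler_content_t;` in cobbler.te (that hunk is outside this view — confirm it has one) those files are treated as unlabeled until a full relabel, and local policy referencing the old name breaks. The `/var/www/cobbler(/.*)?` line now names `httpd_cobbler_var_lib_t`, which also needs a declaration: the apache content template normally produces `httpd_<name>_content_t`, so verify that this exact type is declared somewhere, otherwise the file-contexts reference an unknown type and fail to load.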
diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
index 823021a..cde1fc2 100644
--- a/policy/modules/services/cobbler.if
+++ b/policy/modules/services/cobbler.if
@@ -1,4 +1,14 @@
## <summary>Cobbler installation server.</summary>
+## <desc>
+## <p>
+## Cobbler is a Linux installation server that allows for
+## rapid setup of network installation environments. It
+## glues together and automates many associated Linux
+## tasks so you do not have to hop between lots of various
+## commands and applications when rolling out new systems,
+## and, in some cases, changing existing ones.
+## </p>
+## </desc>
########################################
## <summary>
@@ -52,7 +62,7 @@ interface(`cobbler_list_config',`
type cobbler_etc_t;
')
- list_dirs_pattern($1, cobbler_content_t, cobbler_content_t)
+ list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_etc($1)
')
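Review bot: `cobbler_list_config` now calls `list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)` while the `gen_require` just above it only declares `type cobbler_etc_t;`, and both the interface name and the `files_search_etc($1)` call say it is about the config directory; the line should presumably be `list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)`. As written, a module calling this interface would reference a type it has not required, which I believe checkmodule rejects as out of scope, and if it did build it would grant the caller access to the /var/lib/cobbler tree rather than /etc/cobbler. The pre-rename line had the same mismatch with cobbler_content_t, so this is inherited rather than introduced, but the rename touched exactly this line. The interface's opening line and summary are outside the hunk.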
@@ -77,7 +87,7 @@ interface(`cobbler_read_config',`
########################################
## <summary>
-## Manage cobbler content.
+## Search cobbler dirs in /var/lib
## </summary>
## <param name="domain">
## <summary>
@@ -85,20 +95,19 @@ interface(`cobbler_read_config',`
## </summary>
## </param>
#
-interface(`cobbler_manage_content',`
+interface(`cobbler_search_lib',`
gen_require(`
- type cobbler_content_t;
+ type cobbler_var_lib_t;
')
- manage_dirs_pattern($1, cobbler_content_t, cobbler_content_t)
- manage_files_pattern($1, cobbler_content_t, cobbler_content_t)
- manage_lnk_files_pattern($1, cobbler_content_t, cobbler_content_t)
+ search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
')
########################################
## <summary>
-## Read cobbler content.
+## Read cobbler files in /var/lib
## </summary>
## <param name="domain">
## <summary>
@@ -106,19 +115,19 @@ interface(`cobbler_manage_content',`
## </summary>
## </param>
#
-interface(`cobbler_read_content',`
+interface(`cobbler_read_lib_files',`
gen_require(`
- type cobbler_content_t;
+ type cobbler_var_lib_t;
')
- read_files_pattern($1, cobbler_content_t, cobbler_content_t)
- read_lnk_files_pattern($1, cobbler_content_t, cobbler_content_t)
+ read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
')
########################################
## <summary>
-## Search cobbler content.
+## Manage cobbler files in /var/lib
## </summary>
## <param name="domain">
## <summary>
@@ -126,13 +135,14 @@ interface(`cobbler_read_content',`
## </summary>
## </param>
#
-interface(`cobbler_search_content',`
+interface(`cobbler_manage_lib_files',`
gen_require(`
- type cobbler_content_t;
+ type cobbler_var_lib_t;
')
- search_dirs_pattern($1, cobbler_content_t, cobbler_content_t)
- read_lnk_files_pattern($1, cobbler_content_t, cobbler_content_t)
+ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
')
@@ -193,44 +203,37 @@ interface(`cobbler_dontaudit_rw_log',`
#
interface(`cobblerd_admin',`
gen_require(`
- type cobblerd_t, cobbler_var_log_t;
- type cobbler_etc_t, cobblerd_initrc_exec_t, cobbler_content_t;
+ type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
+ type cobbler_etc_t, cobblerd_initrc_exec_t;
+ type httpd_cobbler_content_t;
+ type httpd_cobbler_content_ra_t;
+ type httpd_cobbler_content_rw_t;
')
allow $1 cobblerd_t:process { ptrace signal_perms getattr };
read_files_pattern($1, cobblerd_t, cobblerd_t)
- cobblerd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 cobblerd_initrc_exec_t system_r;
- allow $2 system_r;
-
- admin_pattern($1, cobbler_etc_t)
files_search_etc($1)
+ admin_pattern($1, cobbler_etc_t)
- admin_pattern($1, cobbler_content_t)
files_list_var_lib($1)
+ admin_pattern($1, cobbler_var_lib_t)
- admin_pattern($1, cobbler_var_log_t)
logging_search_logs($1)
+ admin_pattern($1, cobbler_var_log_t)
- # below may want to be removed.
- tunable_policy(`cobbler_anon_write',`
- miscfiles_manage_public_files($1)
- ')
-
- optional_policy(`
- gen_require(`
- type httpd_cobbler_content_t;
- ')
+ apache_search_sys_content($1)
+ admin_pattern($1, httpd_cobbler_content_t)
+ admin_pattern($1, httpd_cobbler_content_ra_t)
+ admin_pattern($1, httpd_cobbler_content_rw_t)
- # manage /var/www/cobbler
- admin_pattern($1, httpd_cobbler_content_t)
- apache_search_sys_content($1)
- ')
+ cobblerd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cobblerd_initrc_exec_t system_r;
+ allow $2 system_r;
optional_policy(`
- # traverse /var/lib/tftpdir to get to cobbler_content_t there.
+ # traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.
tftp_search_rw_content($1)
')
')
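Review bot: The rebuilt `cobblerd_admin` grants `admin_pattern` access to the etc, var_lib, var_log and all three httpd_cobbler content types but never mentions `cobbler_tmp_t`, which cobbler.te declares with `files_tmp_file(cobbler_tmp_t)` elsewhere in this commit, so an admin role could not inspect or clean up the daemon's temp files. Adding `files_search_tmp($1)` and `admin_pattern($1, cobbler_tmp_t)` (with `type cobbler_tmp_t;` in the gen_require) would bring it in line with the other patterns here. Dropping the `optional_policy` wrapper also makes the interface hard-require the httpd_cobbler_content_* types; that is consistent with cobbler.te now calling `apache_content_template(cobbler)` unconditionally in this same commit, but it means the cobbler module can no longer be built without apache, which is worth stating in the commit message. The interface's opening line is outside the hunk.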
diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
index 76bde9b..6a6d7d7 100644
--- a/policy/modules/services/cobbler.te
+++ b/policy/modules/services/cobbler.te
@@ -1,4 +1,3 @@
-
policy_module(cobbler, 1.1.0)
########################################
@@ -8,8 +7,8 @@ policy_module(cobbler, 1.1.0)
## <desc>
## <p>
-## Allow Cobbler to modify public files
-## used for public file transfer services.
+## Allow Cobbler to modify public files
+## used for public file transfer services.
## </p>
## </desc>
gen_tunable(cobbler_anon_write, false)
@@ -46,21 +45,18 @@ init_script_file(cobblerd_initrc_exec_t)
type cobbler_etc_t;
files_config_file(cobbler_etc_t)
-type cobbler_content_t;
-typealias cobbler_content_t alias cobbler_var_lib_t;
-files_type(cobbler_content_t)
-
type cobbler_var_log_t;
logging_log_file(cobbler_var_log_t)
+type cobbler_var_lib_t alias cobbler_content_t;
+files_type(cobbler_var_lib_t)
+
type cobbler_tmp_t;
files_tmp_file(cobbler_tmp_t)
-# Cobbler check is not supported and is silently ignored.
-
########################################
#
-# Cobbler local policy.
+# Cobbler personal policy.
#
allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
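Review bot: The section header is changed to `# Cobbler personal policy.`, but the convention in refpolicy and in the other header of this same file (`# Cobbler web local policy.`) is "local policy"; keeping `# Cobbler local policy.` avoids an odd term that readers will not recognise. The `type cobbler_var_lib_t alias cobbler_content_t;` form is the right way to do this rename, since it keeps on-disk labels and any third-party policy referencing cobbler_content_t working.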
@@ -76,13 +72,13 @@ allow cobblerd_t self:unix_dgram_socket create_socket_perms;
list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
-# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_content_t dir to httpd_sys_content_t.
-dontaudit cobblerd_t cobbler_content_t:dir relabel_dir_perms;
+# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_var_lib_t dir to httpd_sys_content_t.
+dontaudit cobblerd_t cobbler_var_lib_t:dir relabel_dir_perms;
-manage_dirs_pattern(cobblerd_t, cobbler_content_t, cobbler_content_t)
-manage_files_pattern(cobblerd_t, cobbler_content_t, cobbler_content_t)
-manage_lnk_files_pattern(cobblerd_t, cobbler_content_t, cobbler_content_t)
-files_var_lib_filetrans(cobblerd_t, cobbler_content_t, { dir file lnk_file })
+manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file lnk_file })
# Something really needs to write to cobbler.log. Ideally this should not be happening.
allow cobblerd_t cobbler_var_log_t:file write;
@@ -105,13 +101,13 @@ corecmd_exec_shell(cobblerd_t)
corenet_all_recvfrom_netlabel(cobblerd_t)
corenet_all_recvfrom_unlabeled(cobblerd_t)
+corenet_sendrecv_cobbler_server_packets(cobblerd_t)
+corenet_tcp_bind_cobbler_port(cobblerd_t)
corenet_tcp_bind_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_if(cobblerd_t)
corenet_tcp_sendrecv_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_port(cobblerd_t)
-corenet_tcp_bind_cobbler_port(cobblerd_t)
corenet_tcp_sendrecv_cobbler_port(cobblerd_t)
-corenet_sendrecv_cobbler_server_packets(cobblerd_t)
# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect.
corenet_tcp_connect_ftp_port(cobblerd_t)
corenet_tcp_sendrecv_ftp_port(cobblerd_t)
@@ -226,7 +222,7 @@ optional_policy(`
# 2. no FILES in /var/lib/TFTPDIR are hard linked.
# Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg)
# are any of those hard linked?
- tftp_filetrans_tftpdir(cobblerd_t, cobbler_content_t, { dir file })
+ tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
')
########################################
@@ -234,18 +230,6 @@ optional_policy(`
# Cobbler web local policy.
#
-# This should be removable when cobbler package installs /var/www/cobbler/rendered.
-optional_policy(`
- gen_require(`
- attribute httpdcontent;
- ')
-
- apache_content_template(cobbler)
- # To filetrans the /var/www/cobbler/rendered directory to cobbler_content_t.
- # I added "file" to it for now because fenris02 reported that cobbler buildiso tried to create a file with type
- # httpd_cobbler_content_t and i do not know where exaclty. Google reports it should be /var/www/cobbler/pub but
- # that directory should have been labeled cobbler_content_t.
- filetrans_pattern(cobblerd_t, httpd_cobbler_content_t, cobbler_content_t, { dir file })
- # Something that runs in the cobberd_t domain tries to relabelfrom cobbler_content_t dir to httpd_sys_content_t.
- dontaudit cobblerd_t httpdcontent:dir relabel_dir_perms;
-')
+apache_content_template(cobbler)
+manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
+manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
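Review bot: `apache_content_template(cobbler)` is what provides the httpd_cobbler_content_t / _rw_t / _ra_t types that `cobblerd_admin` requires in this commit, yet the cobbler.fc hunk labels `/var/www/cobbler(/.*)?` as `httpd_cobbler_var_lib_t`, a type nothing in this commit declares; that looks like a search-and-replace artifact of the cobbler_content_t → cobbler_var_lib_t rename and would leave restorecon unable to apply the context (or reject the fc file outright). The entry should presumably read `/var/www/cobbler(/.*)?	gen_context(system_u:object_r:httpd_cobbler_content_t,s0)`, or use `httpd_cobbler_content_rw_t` if cobblerd_t is meant to create files directly under that directory, since its only write access to web content on the new side is the two `manage_*_pattern` lines on the _rw_t type and the old `filetrans_pattern` into cobbler_content_t has been removed. The `dontaudit cobblerd_t httpdcontent:dir relabel_dir_perms;` line was also dropped while the surviving comment on the cobbler_var_lib_t dontaudit still says the daemon attempts a relabel toward httpd_sys_content_t, so either new AVC noise or a missing relabel rule may surface.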
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index df4c740..a50a8a7 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -92,7 +92,7 @@ userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
optional_policy(`
- cobbler_read_content(dnsmasq_t)
+ cobbler_read_lib_files(dnsmasq_t)
')
optional_policy(`
diff --git a/policy/modules/services/mojomojo.te b/policy/modules/services/mojomojo.te
index 2a26a33..ed69996 100644
--- a/policy/modules/services/mojomojo.te
+++ b/policy/modules/services/mojomojo.te
@@ -1,4 +1,4 @@
-policy_module(mojomojo, 1.0)
+policy_module(mojomojo, 1.0.0)
########################################
#
@@ -22,20 +22,18 @@ manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomo
files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir })
corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
-corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t)
-
corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
-corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t)
-
corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
+corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t)
+corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t)
corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
files_search_var_lib(httpd_mojomojo_script_t)
-mta_send_mail(httpd_mojomojo_script_t)
-
sysnet_dns_name_resolve(httpd_mojomojo_script_t)
+mta_send_mail(httpd_mojomojo_script_t)
+
optional_policy(`
mysql_stream_connect(httpd_mojomojo_script_t)
')
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index 4337b7a..66bfd1c 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -94,7 +94,7 @@ tunable_policy(`tftp_anon_write',`
')
optional_policy(`
- cobbler_read_content(tftpd_t)
+ cobbler_read_lib_files(tftpd_t)
')
optional_policy(`
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index ee34938..e9bd52a 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -26,7 +26,7 @@ files_pid_file(iptables_var_run_t)
allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
dontaudit iptables_t self:capability sys_tty_config;
-allow iptables_t self:fifo_file rw_file_perms;
+allow iptables_t self:fifo_file rw_fifo_file_perms;
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
# needed by ipvsadm
allow iptables_t self:netlink_socket create_socket_perms;
diff --git a/support/Makefile.devel b/support/Makefile.devel
index 87be614..c5e3ef3 100644
--- a/support/Makefile.devel
+++ b/support/Makefile.devel
@@ -68,8 +68,8 @@ endif
# default MLS/MCS sensitivity and category settings.
MLS_SENS ?= 16
-MLS_CATS ?= 256
-MCS_CATS ?= 256
+MLS_CATS ?= 1024
+MCS_CATS ?= 1024
ifeq ($(QUIET),y)
verbose := @
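Review bot: Raising the `MLS_CATS`/`MCS_CATS` defaults to 1024 presumably only affects modules built with this developer Makefile, and nothing in this commit's diffstat touches the policy's own build.conf or Makefile, so the category count the installed base policy was compiled with should be confirmed to match; if an earlier commit in this series already moved the shipped policy to 1024 categories, this is the right follow-up, otherwise out-of-tree modules would be built against a different MCS range than the base. A comment next to the defaults such as `# keep in sync with MLS_CATS/MCS_CATS in the base policy's build.conf` would make that coupling explicit for the next editor.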