[selinux-policy/f18] - Eliminate dontaudit rules so setroubleshoot and audit2allow can - Add transition from cupsd_config
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Apr 26 12:46:21 UTC 2013
commit 5bd1030ffe062e985fd1d975b093623f52ffb5a4
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Apr 26 14:45:57 2013 +0200
- Eliminate dontaudit rules so setroubleshoot and audit2allow can
- Add transition from cupsd_config_t to cupsd_t
- Fix chrome_role_notrans() to allow also append to stream socket
- Allow gkeyring_domain to create /var/run/UID/config/dbus file
- system dbus seems to be blocking suspend
- Label aliases db files with correct label
- Allow setroubleshootd to read var_lib_t to make email_alert work
- Dontaudit attempts to sys_ptrace, which I believe gpsd does not n
- Allow mpd getattr on file system directories
- Add rsync_etc_filetrans_config()
- Label /var/lib/sepolgen as selinux_config_t so that setroublesho
- Add filetrans rules for tw devices
- Allow systemd-tty-ask to write kmsg
- label shared libraries in /opt/google/chrome as testrel_shlib_t
policy-f18-base.patch | 50 +++-
policy-f18-contrib.patch | 672 ++++++++++++++++++++++------------------------
selinux-policy.spec | 18 ++-
3 files changed, 383 insertions(+), 357 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index 296fcb6..9046d48 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -123227,7 +123227,7 @@ index 54f1827..409df4f 100644
+/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 1700ef2..6fb69e7 100644
+index 1700ef2..f8f6456 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',`
@@ -123348,7 +123348,7 @@ index 1700ef2..6fb69e7 100644
########################################
## <summary>
## Allow the caller to directly read
-@@ -808,3 +891,369 @@ interface(`storage_unconfined',`
+@@ -808,3 +891,400 @@ interface(`storage_unconfined',`
typeattribute $1 storage_unconfined_type;
')
@@ -123717,6 +123717,37 @@ index 1700ef2..6fb69e7 100644
+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
+ dev_filetrans($1, removable_device_t, chr_file, "rio500")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw0")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw1")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw2")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw3")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw4")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw5")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw6")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw7")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw8")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw9")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa0")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa1")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa2")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa3")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa4")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa5")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa6")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa7")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa8")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa9")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa10")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa11")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa12")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa13")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa14")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa15")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa16")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa17")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa18")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa19")
++
+')
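Review bot: The new dev_filetrans rules enumerate only tw0–tw9 and twa0–twa19, so a node outside that range (and the sibling twe*/twl* nodes of the other 3ware drivers, if those controllers are in use) falls back to the default device label; an enumerated list like this is fragile and deserves a comment saying which driver creates the nodes and why the range ends where it does, e.g. `# 3ware controller nodes (tw*, twa*); extend if twe*/twl* controllers are deployed`. These are chr_file nodes, presumably the controller's management interface rather than the disks themselves, so labelling them fixed_disk_device_t hands that interface to every domain that already has raw fixed-disk access — if that is wider than intended, a dedicated type would keep the two apart. The stray empty `++` line before the closing `')` can be dropped. The enclosing interface starts before this hunk.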
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
index 7d45d15..22c9cfe 100644
@@ -140169,7 +140200,7 @@ index cbbda4a..8dcc346 100644
+userdom_use_inherited_user_terminals(netlabel_mgmt_t)
+
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
-index d43f3b1..c4182e8 100644
+index d43f3b1..f958391 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -6,13 +6,14 @@
@@ -140190,7 +140221,7 @@ index d43f3b1..c4182e8 100644
#
# /root
-@@ -35,12 +36,14 @@
+@@ -35,19 +36,26 @@
/usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
@@ -140206,7 +140237,11 @@ index d43f3b1..c4182e8 100644
#
# /var/lib
-@@ -51,3 +54,7 @@
+ #
+ /var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_var_lib_t,s0)
++/var/lib/sepolgen(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
+
+ #
# /var/run
#
/var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
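Review bot: Giving /var/lib/sepolgen the selinux_config_t label reuses the type that also protects /etc/selinux, so whichever domain is later allowed to write this cache in order to regenerate it would equally be able to rewrite the policy configuration, and every reader of the configuration now also reads the cache. If setroubleshootd only needs read access (which the truncated commit line suggests), a narrower choice — semanage_var_lib_t, which the line above already uses for the neighbouring /var/lib/selinux, or a dedicated type with a read interface — keeps the two separated. A one-line comment above the entry would help either way: `# sepolgen interface cache; read by setroubleshootd` (confirm who regenerates it).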
@@ -143438,10 +143473,10 @@ index 0000000..96a1a74
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..3a2c958
+index 0000000..292b53b
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,669 @@
+@@ -0,0 +1,670 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -143692,6 +143727,7 @@ index 0000000..3a2c958
+dev_create_generic_dirs(systemd_passwd_agent_t)
+dev_read_generic_files(systemd_passwd_agent_t)
+dev_write_generic_sock_files(systemd_passwd_agent_t)
++dev_write_kmsg(systemd_passwd_agent_t)
+
+term_read_console(systemd_passwd_agent_t)
+
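Review bot: dev_write_kmsg lets systemd_passwd_agent_t inject arbitrary lines into the kernel ring buffer, which log collectors and detection rules generally treat as kernel-originated, and the new rule carries no comment explaining why the password agent needs it; the commit message only says it is for systemd-tty-ask. A why-comment such as `# systemd-tty-ask-password-agent reports via /dev/kmsg when no other channel is available (confirm against the agent source)` would let the next reader judge whether the grant is still required. The systemd_passwd_agent_t block starts before this hunk.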
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index 1a70344..6085c4f 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -3259,7 +3259,7 @@ index 6480167..c0ece1b 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 0833afb..36feff2 100644
+index 0833afb..30dd0b8 100644
--- a/apache.te
+++ b/apache.te
@@ -18,6 +18,8 @@ policy_module(apache, 2.4.0)
@@ -3903,26 +3903,23 @@ index 0833afb..36feff2 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -511,23 +814,43 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -511,23 +814,39 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_suexec_t)
- ',`
- userdom_dontaudit_use_user_terminals(httpd_t)
-+ userdom_dontaudit_use_user_terminals(httpd_suexec_t)
+')
+
-+
+optional_policy(`
+ cobbler_list_config(httpd_t)
+ cobbler_read_config(httpd_t)
+
+ tunable_policy(`httpd_serve_cobbler_files',`
+ cobbler_manage_lib_files(httpd_t)
-+',`
+ ',`
+- userdom_dontaudit_use_user_terminals(httpd_t)
+ cobbler_read_lib_files(httpd_t)
+ cobbler_search_lib(httpd_t)
+ ')
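Review bot: The comment kept as context at the top of this hunk still says the terminal access "are dontaudited here", but the else branch carrying userdom_dontaudit_use_user_terminals for httpd_t and httpd_suexec_t is now removed, so with httpd_tty_comm off those accesses will be denied and audited; the comment should be reworded, e.g. `# With httpd_tty_comm off the access is denied and logged so setroubleshoot can report it.` Dropping the dontaudit is the stated intent of the commit, but the leftover text will mislead the next reader. The cobbler optional_policy block opened in this hunk is closed outside it.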
@@ -3951,7 +3948,7 @@ index 0833afb..36feff2 100644
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
')
-@@ -540,6 +863,24 @@ optional_policy(`
+@@ -540,6 +859,24 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -3976,7 +3973,7 @@ index 0833afb..36feff2 100644
optional_policy(`
dbus_system_bus_client(httpd_t)
-@@ -549,13 +890,24 @@ optional_policy(`
+@@ -549,13 +886,24 @@ optional_policy(`
')
optional_policy(`
@@ -4002,7 +3999,7 @@ index 0833afb..36feff2 100644
')
optional_policy(`
-@@ -573,7 +925,25 @@ optional_policy(`
+@@ -573,7 +921,25 @@ optional_policy(`
')
optional_policy(`
@@ -4028,7 +4025,7 @@ index 0833afb..36feff2 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -584,6 +954,7 @@ optional_policy(`
+@@ -584,6 +950,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -4036,7 +4033,7 @@ index 0833afb..36feff2 100644
')
optional_policy(`
-@@ -594,6 +965,46 @@ optional_policy(`
+@@ -594,6 +961,46 @@ optional_policy(`
')
optional_policy(`
@@ -4083,7 +4080,7 @@ index 0833afb..36feff2 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -608,6 +1019,11 @@ optional_policy(`
+@@ -608,6 +1015,11 @@ optional_policy(`
')
optional_policy(`
@@ -4095,7 +4092,7 @@ index 0833afb..36feff2 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -620,6 +1036,12 @@ optional_policy(`
+@@ -620,6 +1032,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -4108,7 +4105,7 @@ index 0833afb..36feff2 100644
########################################
#
# Apache helper local policy
-@@ -633,7 +1055,43 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -633,7 +1051,43 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -4153,7 +4150,7 @@ index 0833afb..36feff2 100644
########################################
#
-@@ -671,28 +1129,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -671,28 +1125,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -4197,7 +4194,7 @@ index 0833afb..36feff2 100644
')
########################################
-@@ -702,6 +1162,7 @@ optional_policy(`
+@@ -702,6 +1158,7 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -4205,7 +4202,7 @@ index 0833afb..36feff2 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -716,19 +1177,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -716,19 +1173,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -4234,7 +4231,7 @@ index 0833afb..36feff2 100644
files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -738,15 +1207,14 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -738,15 +1203,14 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -4252,7 +4249,7 @@ index 0833afb..36feff2 100644
corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
corenet_udp_sendrecv_generic_if(httpd_suexec_t)
corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-@@ -757,13 +1225,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -757,13 +1221,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -4285,7 +4282,7 @@ index 0833afb..36feff2 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -786,6 +1272,25 @@ optional_policy(`
+@@ -786,6 +1268,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -4311,7 +4308,7 @@ index 0833afb..36feff2 100644
########################################
#
# Apache system script local policy
-@@ -806,12 +1311,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -806,12 +1307,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -4329,7 +4326,7 @@ index 0833afb..36feff2 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -820,18 +1330,51 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -820,18 +1326,51 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -4389,7 +4386,7 @@ index 0833afb..36feff2 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -839,14 +1382,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -839,14 +1378,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -4430,7 +4427,7 @@ index 0833afb..36feff2 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -854,15 +1422,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+@@ -854,15 +1418,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
optional_policy(`
clamav_domtrans_clamscan(httpd_sys_script_t)
@@ -4457,7 +4454,7 @@ index 0833afb..36feff2 100644
')
########################################
-@@ -878,11 +1457,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+@@ -878,11 +1453,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
@@ -4469,7 +4466,7 @@ index 0833afb..36feff2 100644
########################################
#
-@@ -908,11 +1485,143 @@ optional_policy(`
+@@ -908,11 +1481,143 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -8980,7 +8977,7 @@ index 0000000..88107d7
+/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
diff --git a/chrome.if b/chrome.if
new file mode 100644
-index 0000000..efebae7
+index 0000000..36bd6be
--- /dev/null
+++ b/chrome.if
@@ -0,0 +1,134 @@
@@ -9070,7 +9067,7 @@ index 0000000..efebae7
+
+ allow chrome_sandbox_t $2:unix_dgram_socket { read write };
+ allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
-+ allow chrome_sandbox_t $2:unix_stream_socket { getattr read write };
++ allow chrome_sandbox_t $2:unix_stream_socket { append getattr read write };
+ dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown;
+ allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write };
+ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
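Review bot: The added append on $2's unix_stream_socket is the permission SELinux checks when a process writes through a descriptor opened with O_APPEND, which on a socket may indicate a leaked stdout/stderr rather than an intentional channel; if that is what is happening here, a dontaudit like the shutdown line below it is the safer response, and if it is a real channel a short comment naming the socket would help. Only the sandbox-side rule is widened; the reverse direction for chrome_sandbox_t is not visible in this hunk. The interface starts before this hunk.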
@@ -10461,271 +10458,253 @@ index 28fdd8a..5605ed7 100644
corosync_stream_connect(cmirrord_t)
')
diff --git a/cobbler.fc b/cobbler.fc
-index 1cf6c4e..a5882d4 100644
+index 1cf6c4e..972b1b0 100644
--- a/cobbler.fc
+++ b/cobbler.fc
-@@ -1,7 +1,38 @@
+@@ -1,7 +1,25 @@
-/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
-/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
++/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t,s0)
-/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
-+/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t,s0)
-+
-+/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0)
-+
-+/usr/lib/systemd/system/cobblerd.* -- gen_context(system_u:object_r:cobblerd_unit_file_t,s0)
-+
-+
-+/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
-+
-+/var/cache/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+
-+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+
-+/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+
-+/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0)
-+
-+# This should removable when cobbler package installs /var/www/cobbler/rendered
-+/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_t,s0)
-+
-+/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/www/cobbler/localmirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/www/cobbler/pub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/www/cobbler/rendered(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/www/cobbler/repo_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0)
-/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
-/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
++/usr/lib/systemd/system/cobblerd.* -- gen_context(system_u:object_r:cobblerd_unit_file_t,s0)
++
++/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
++
++/var/cache/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++
++/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++
++/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0)
++
++/var/www/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
diff --git a/cobbler.if b/cobbler.if
-index 116d60f..49f30af 100644
+index 116d60f..83d5104 100644
--- a/cobbler.if
+++ b/cobbler.if
-@@ -1,12 +1,12 @@
+@@ -1,14 +1,4 @@
## <summary>Cobbler installation server.</summary>
- ## <desc>
- ## <p>
+-## <desc>
+-## <p>
-## Cobbler is a Linux installation server that allows for
-## rapid setup of network installation environments. It
-## glues together and automates many associated Linux
-## tasks so you do not have to hop between lots of various
-## commands and applications when rolling out new systems,
-## and, in some cases, changing existing ones.
-+## Cobbler is a Linux installation server that allows for
-+## rapid setup of network installation environments. It
-+## glues together and automates many associated Linux
-+## tasks so you do not have to hop between lots of various
-+## commands and applications when rolling out new systems,
-+## and, in some cases, changing existing ones.
- ## </p>
- ## </desc>
+-## </p>
+-## </desc>
-@@ -15,9 +15,9 @@
- ## Execute a domain transition to run cobblerd.
- ## </summary>
- ## <param name="domain">
--## <summary>
-+## <summary>
- ## Domain allowed to transition.
--## </summary>
-+## </summary>
- ## </param>
- #
- interface(`cobblerd_domtrans',`
-@@ -26,6 +26,7 @@ interface(`cobblerd_domtrans',`
+ ########################################
+ ## <summary>
+@@ -25,12 +15,14 @@ interface(`cobblerd_domtrans',`
+ type cobblerd_t, cobblerd_exec_t;
')
- domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
')
########################################
-@@ -48,7 +49,7 @@ interface(`cobblerd_initrc_domtrans',`
+ ## <summary>
+-## Execute cobblerd server in the cobblerd domain.
++## Execute cobblerd init scripts in
++## the init script domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -46,9 +38,31 @@ interface(`cobblerd_initrc_domtrans',`
+ init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
+ ')
++
++
++########################################
++## <summary>
++## Read cobbler configuration dirs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`cobbler_list_config',`
++ gen_require(`
++ type cobbler_etc_t;
++ ')
++
++ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
++ files_search_etc($1)
++')
++
++
########################################
## <summary>
-## Read Cobbler content in /etc
-+## List Cobbler configuration.
++## Read cobbler configuration files.
## </summary>
## <param name="domain">
## <summary>
-@@ -56,19 +57,18 @@ interface(`cobblerd_initrc_domtrans',`
- ## </summary>
- ## </param>
- #
--interface(`cobbler_read_config',`
-+interface(`cobbler_list_config',`
- gen_require(`
- type cobbler_etc_t;
- ')
-
-- read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
-+ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
- files_search_etc($1)
- ')
-
+@@ -68,7 +82,7 @@ interface(`cobbler_read_config',`
########################################
## <summary>
--## Do not audit attempts to read and write
+ ## Do not audit attempts to read and write
-## Cobbler log files (leaked fd).
-+## Read Cobbler configuration files.
++## cobbler log files.
## </summary>
## <param name="domain">
## <summary>
-@@ -76,12 +76,13 @@ interface(`cobbler_read_config',`
- ## </summary>
- ## </param>
- #
--interface(`cobbler_dontaudit_rw_log',`
-+interface(`cobbler_read_config',`
- gen_require(`
-- type cobbler_var_log_t;
-+ type cobbler_etc_t;
- ')
-
-- dontaudit $1 cobbler_var_log_t:file rw_file_perms;
-+ read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
-+ files_search_etc($1)
- ')
+@@ -86,7 +100,7 @@ interface(`cobbler_dontaudit_rw_log',`
########################################
-@@ -100,6 +101,7 @@ interface(`cobbler_search_lib',`
+ ## <summary>
+-## Search cobbler dirs in /var/lib
++## Search cobbler lib directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -99,13 +113,13 @@ interface(`cobbler_search_lib',`
+ type cobbler_var_lib_t;
')
- search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
-+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+- search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
++ search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
')
-@@ -119,6 +121,7 @@ interface(`cobbler_read_lib_files',`
+ ########################################
+ ## <summary>
+-## Read cobbler files in /var/lib
++## Read cobbler lib files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -118,13 +132,14 @@ interface(`cobbler_read_lib_files',`
+ type cobbler_var_lib_t;
')
- read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
-+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+- read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
++ read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
')
-@@ -137,12 +140,55 @@ interface(`cobbler_manage_lib_files',`
+ ########################################
+ ## <summary>
+-## Manage cobbler files in /var/lib
++## Create, read, write, and delete
++## cobbler lib files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -137,14 +152,15 @@ interface(`cobbler_manage_lib_files',`
type cobbler_var_lib_t;
')
-+ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
- manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
-+ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+- manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
++ manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
')
########################################
## <summary>
-+## Do not audit attempts to read and write
-+## Cobbler log files (leaked fd).
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`cobbler_dontaudit_rw_log',`
-+ gen_require(`
-+ type cobbler_var_log_t;
-+ ')
-+ dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms;
+-## All of the rules required to administrate
+-## an cobblerd environment
++## All of the rules required to
++## administrate an cobbler environment.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -159,27 +175,51 @@ interface(`cobbler_manage_lib_files',`
+ ## <rolecap/>
+ #
+ interface(`cobblerd_admin',`
++ refpolicywarn(`$0($*) has been deprecated, use cobbler_admin() instead.')
++ cobbler_admin($1, $2)
+')
+
+########################################
+## <summary>
-+## Execute cobblerd server in the cobblerd domain.
++## All of the rules required to
++## administrate an cobbler environment.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed to transition.
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
+## </summary>
+## </param>
++## <rolecap/>
+#
-+interface(`cobblerd_systemctl',`
-+ gen_require(`
-+ type cobblerd_t;
-+ type cobblerd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 cobblerd_unit_file_t:file read_file_perms;
-+ allow $1 cobblerd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, cobblerd_t)
-+')
-+
-+########################################
-+## <summary>
- ## All of the rules required to administrate
- ## an cobblerd environment
- ## </summary>
-@@ -161,25 +207,43 @@ interface(`cobbler_manage_lib_files',`
- interface(`cobblerd_admin',`
++interface(`cobbler_admin',`
gen_require(`
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
- type cobbler_etc_t, cobblerd_initrc_exec_t;
+ type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
-+ type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;
-+ type cobblerd_unit_file_t;
++ type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, cobbler_tmp_t;
')
- allow $1 cobblerd_t:process { ptrace signal_perms getattr };
- read_files_pattern($1, cobblerd_t, cobblerd_t)
-+ allow $1 cobblerd_t:process signal_perms;
++ allow $1 cobblerd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cobblerd_t)
-
-- files_search_etc($1)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cobblerd_t:process ptrace;
-+ ')
+
-+ files_list_etc($1)
++ cobblerd_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 cobblerd_initrc_exec_t system_r;
++ allow $2 system_r;
+
+ files_search_etc($1)
admin_pattern($1, cobbler_etc_t)
- files_list_var_lib($1)
+- files_list_var_lib($1)
++ files_search_tmp($1)
++ admin_pattern($1, cobbler_tmp_t)
++
++ files_search_var_lib($1)
admin_pattern($1, cobbler_var_lib_t)
-- logging_search_logs($1)
-+ logging_list_logs($1)
+ logging_search_logs($1)
admin_pattern($1, cobbler_var_log_t)
-
-+ apache_list_sys_content($1)
-+ admin_pattern($1, httpd_cobbler_content_t)
-+ admin_pattern($1, httpd_cobbler_content_ra_t)
- admin_pattern($1, httpd_cobbler_content_rw_t)
-
- cobblerd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 cobblerd_initrc_exec_t system_r;
- allow $2 system_r;
-+
-+ optional_policy(`
-+ # traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.
-+ tftp_search_rw_content($1)
-+ ')
-+
-+ cobblerd_systemctl($1)
-+ admin_pattern($1, cobblerd_unit_file_t)
-+ allow $1 cobblerd_unit_file_t:service all_service_perms;
+-
+- admin_pattern($1, httpd_cobbler_content_rw_t)
+-
+- cobblerd_initrc_domtrans($1)
+- domain_system_change_exemption($1)
+- role_transition $2 cobblerd_initrc_exec_t system_r;
+- allow $2 system_r;
')
diff --git a/cobbler.te b/cobbler.te
-index 0258b48..fd0cb06 100644
+index 0258b48..8bb34e2 100644
--- a/cobbler.te
+++ b/cobbler.te
-@@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0)
+@@ -1,18 +1,43 @@
+-policy_module(cobbler, 1.1.0)
++policy_module(cobbler, 1.1.4)
+
+ ########################################
+ #
+-# Cobbler personal declarations.
++# Declarations
#
## <desc>
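Review bot: In the rewritten cobbler_admin the ptrace permission is granted unconditionally (`allow $1 cobblerd_t:process { ptrace signal_perms };`), whereas the lines being removed gated it behind the deny_ptrace boolean; keep `allow $1 cobblerd_t:process signal_perms;` and put the ptrace allow back inside the tunable_policy(deny_ptrace) else-branch exactly as the removed lines did, otherwise deny_ptrace=on no longer covers this domain. The rewrite also drops cobblerd_systemctl and the cobblerd_unit_file_t rules from cobbler_admin while cobbler.fc still labels the unit file cobblerd_unit_file_t, so an admin role can no longer manage the service through systemctl unless that is granted elsewhere. Labelling all of /var/www/cobbler as cobbler_var_lib_t, while cobbler_admin still requires httpd_cobbler_content_t, merges the web-served tree with cobblerd's private state; if apache is given write access to it under httpd_serve_cobbler_files, confirm nothing cobblerd executes or trusts lives under the same type.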
@@ -10734,30 +10713,33 @@ index 0258b48..fd0cb06 100644
-## used for public file transfer services.
-## </p>
+## <p>
-+## Allow Cobbler to modify public files
-+## used for public file transfer services.
++## Determine whether Cobbler can modify
++## public files used for public file
++## transfer services.
+## </p>
## </desc>
gen_tunable(cobbler_anon_write, false)
+## <desc>
+## <p>
-+## Allow Cobbler to connect to the
-+## network using TCP.
++## Determine whether Cobbler can connect
++## to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(cobbler_can_network_connect, false)
+
+## <desc>
+## <p>
-+## Allow Cobbler to access cifs file systems.
++## Determine whether Cobbler can access
++## cifs file systems.
+## </p>
+## </desc>
+gen_tunable(cobbler_use_cifs, false)
+
+## <desc>
+## <p>
-+## Allow Cobbler to access nfs file systems.
++## Determine whether Cobbler can access
++## nfs file systems.
+## </p>
+## </desc>
+gen_tunable(cobbler_use_nfs, false)
@@ -10765,42 +10747,51 @@ index 0258b48..fd0cb06 100644
type cobblerd_t;
type cobblerd_exec_t;
init_daemon_domain(cobblerd_t, cobblerd_exec_t)
-@@ -26,25 +48,41 @@ files_config_file(cobbler_etc_t)
+@@ -20,31 +45,46 @@ init_daemon_domain(cobblerd_t, cobblerd_exec_t)
+ type cobblerd_initrc_exec_t;
+ init_script_file(cobblerd_initrc_exec_t)
+
++type cobblerd_unit_file_t;
++systemd_unit_file(cobblerd_unit_file_t)
++
+ type cobbler_etc_t;
+ files_config_file(cobbler_etc_t)
+
type cobbler_var_log_t;
logging_log_file(cobbler_var_log_t)
-type cobbler_var_lib_t;
-+type cobbler_var_lib_t alias cobbler_content_t;
++type cobbler_var_lib_t alias { cobbler_content_t httpd_cobbler_content_t };
files_type(cobbler_var_lib_t)
+type cobbler_tmp_t;
+files_tmp_file(cobbler_tmp_t)
+
-+type cobblerd_unit_file_t;
-+systemd_unit_file(cobblerd_unit_file_t)
-+
########################################
#
- # Cobbler personal policy.
+-# Cobbler personal policy.
++# Local policy
#
-allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
+allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
+dontaudit cobblerd_t self:capability sys_tty_config;
-+
allow cobblerd_t self:process { getsched setsched signal };
allow cobblerd_t self:fifo_file rw_fifo_file_perms;
-+allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms;
- allow cobblerd_t self:tcp_socket create_stream_socket_perms;
-+allow cobblerd_t self:udp_socket create_socket_perms;
-+allow cobblerd_t self:unix_dgram_socket create_socket_perms;
+-allow cobblerd_t self:tcp_socket create_stream_socket_perms;
++allow cobblerd_t self:tcp_socket { accept listen };
- list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
- read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
-
-+# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_var_lib_t dir to httpd_sys_content_t.
-+dontaudit cobblerd_t cobbler_var_lib_t:dir relabel_dir_perms;
+-list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
+-read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
++allow cobblerd_t cobbler_etc_t:dir list_dir_perms;
++allow cobblerd_t cobbler_etc_t:file read_file_perms;
++allow cobblerd_t cobbler_etc_t:lnk_file read_lnk_file_perms;
+
++allow cobblerd_t cobbler_tmp_t:file mmap_file_perms;
++manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
++manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
++files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file })
+
manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
-files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
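Review bot: `allow cobblerd_t cobbler_tmp_t:file mmap_file_perms;` grants execute-mapping on a type the same domain creates and writes (the manage_files_pattern and files_tmp_filetrans lines just below), a write-plus-execute combination that lets a compromised cobblerd load code from a temp file; if the daemon only needs to read-map these files, `read_file_perms` suffices, and if something it runs genuinely needs to execute-map a temp file that deserves a comment naming it. The tcp_socket self rule is also cut from create_stream_socket_perms to `{ accept listen }` and the udp, netlink_route and unix_dgram self rules are removed, which only works if create, bind and the remaining perms come from a domain-wide rule outside this hunk — worth a comment saying so. The local policy block continues beyond this hunk.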
@@ -10810,87 +10801,72 @@ index 0258b48..fd0cb06 100644
append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
-@@ -52,57 +90,131 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
- setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+@@ -53,31 +93,49 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
-+manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
-+manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
-+files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file })
-+
kernel_read_system_state(cobblerd_t)
+kernel_dontaudit_search_network_state(cobblerd_t)
-+
-+auth_read_passwd(cobblerd_t)
corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)
corenet_all_recvfrom_netlabel(cobblerd_t)
--corenet_all_recvfrom_unlabeled(cobblerd_t)
- corenet_sendrecv_cobbler_server_packets(cobblerd_t)
- corenet_tcp_bind_cobbler_port(cobblerd_t)
- corenet_tcp_bind_generic_node(cobblerd_t)
+ corenet_all_recvfrom_unlabeled(cobblerd_t)
+-corenet_sendrecv_cobbler_server_packets(cobblerd_t)
+-corenet_tcp_bind_cobbler_port(cobblerd_t)
+-corenet_tcp_bind_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_if(cobblerd_t)
corenet_tcp_sendrecv_generic_node(cobblerd_t)
- corenet_tcp_sendrecv_generic_port(cobblerd_t)
+-corenet_tcp_sendrecv_generic_port(cobblerd_t)
++corenet_tcp_bind_generic_node(cobblerd_t)
++
++corenet_sendrecv_cobbler_server_packets(cobblerd_t)
++corenet_tcp_bind_cobbler_port(cobblerd_t)
+corenet_tcp_sendrecv_cobbler_port(cobblerd_t)
-+# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect.
++
++corenet_sendrecv_ftp_client_packets(cobblerd_t)
+corenet_tcp_connect_ftp_port(cobblerd_t)
-+corenet_tcp_connect_all_ephemeral_ports(cobblerd_t)
+corenet_tcp_sendrecv_ftp_port(cobblerd_t)
-+corenet_sendrecv_ftp_client_packets(cobblerd_t)
-+corenet_tcp_connect_http_port(cobblerd_t)
++
+corenet_tcp_sendrecv_http_port(cobblerd_t)
++corenet_tcp_connect_http_port(cobblerd_t)
+corenet_sendrecv_http_client_packets(cobblerd_t)
dev_read_urand(cobblerd_t)
-+domain_dontaudit_exec_all_entry_files(cobblerd_t)
-+domain_dontaudit_read_all_domains_state(cobblerd_t)
-+
-+files_read_etc_files(cobblerd_t)
-+# mtab
-+files_read_etc_runtime_files(cobblerd_t)
- files_read_usr_files(cobblerd_t)
+-files_read_usr_files(cobblerd_t)
files_list_boot(cobblerd_t)
-+files_read_boot_files(cobblerd_t)
files_list_tmp(cobblerd_t)
-# read /etc/nsswitch.conf
-files_read_etc_files(cobblerd_t)
-
--miscfiles_read_localization(cobblerd_t)
-+# read from mounted images (install media)
-+fs_read_iso9660_files(cobblerd_t)
++files_read_boot_files(cobblerd_t)
++files_read_etc_runtime_files(cobblerd_t)
+
-+auth_read_passwd(cobblerd_t)
++fs_getattr_all_fs(cobblerd_t)
++fs_read_iso9660_files(cobblerd_t)
+
-+init_dontaudit_read_all_script_files(cobblerd_t)
++selinux_get_enforce_mode(cobblerd_t)
+
+term_use_console(cobblerd_t)
+
+logging_send_syslog_msg(cobblerd_t)
-+
+
+ miscfiles_read_localization(cobblerd_t)
miscfiles_read_public_files(cobblerd_t)
-+selinux_get_enforce_mode(cobblerd_t)
-+
- sysnet_read_config(cobblerd_t)
+-sysnet_read_config(cobblerd_t)
++sysnet_dns_name_resolve(cobblerd_t)
sysnet_rw_dhcp_config(cobblerd_t)
sysnet_write_config(cobblerd_t)
-+userdom_dontaudit_use_user_terminals(cobblerd_t)
-+userdom_dontaudit_search_user_home_dirs(cobblerd_t)
-+userdom_dontaudit_search_admin_dir(cobblerd_t)
-+
- tunable_policy(`cobbler_anon_write',`
+@@ -85,6 +143,28 @@ tunable_policy(`cobbler_anon_write',`
miscfiles_manage_public_files(cobblerd_t)
')
+tunable_policy(`cobbler_can_network_connect',`
++ corenet_sendrecv_all_client_packets(cobblerd_t)
+ corenet_tcp_connect_all_ports(cobblerd_t)
+ corenet_tcp_sendrecv_all_ports(cobblerd_t)
-+ corenet_sendrecv_all_client_packets(cobblerd_t)
+')
+
+tunable_policy(`cobbler_use_cifs',`
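Review bot: The rewritten hunk now keeps upstream's `corenet_all_recvfrom_unlabeled(cobblerd_t)` as an unchanged context line, whereas the previous version of this patch deleted that call, so cobblerd_t regains permission to receive unlabeled network traffic unless the base patch strips it elsewhere. If that is intended it should say so, e.g. `# unlabeled packets are accepted here on purpose; see corenet_all_recvfrom_unlabeled`, otherwise the deletion should be carried over. The dontaudit removals around the files_, init_ and userdom_ calls match the changelog's goal of letting setroubleshoot report those denials, and the cobbler_use_cifs tunable block continues past the end of the hunk.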
@@ -10906,18 +10882,13 @@ index 0258b48..fd0cb06 100644
+')
+
+optional_policy(`
-+ # Cobbler traverses /var/www to get to /var/www/cobbler/*
+ apache_search_sys_content(cobblerd_t)
+')
+
optional_policy(`
bind_read_config(cobblerd_t)
bind_write_config(cobblerd_t)
- bind_domtrans_ndc(cobblerd_t)
- bind_domtrans(cobblerd_t)
- bind_initrc_domtrans(cobblerd_t)
-+ bind_systemctl(cobblerd_t)
- bind_manage_zone(cobblerd_t)
+@@ -95,6 +175,10 @@ optional_policy(`
')
optional_policy(`
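Review bot: The explanatory comment `# Cobbler traverses /var/www to get to /var/www/cobbler/*` is dropped above `apache_search_sys_content(cobblerd_t)` while the rule itself stays, which leaves the reader with no reason for the apache access. The same happens in the following hunk, where `# cobbler creates /etc/rsync.conf if its not there.` disappears above the new `rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf")` call and the rationale for `tftp_filetrans_tftpdir` is removed wholesale. Keeping a one-line why comment on each of those rules costs nothing and is what the next person auditing cobblerd_t's write reach will look for.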
@@ -10927,64 +10898,30 @@ index 0258b48..fd0cb06 100644
+optional_policy(`
dhcpd_domtrans(cobblerd_t)
dhcpd_initrc_domtrans(cobblerd_t)
-+ dhcpd_systemctl(cobblerd_t)
- ')
-
- optional_policy(`
- dnsmasq_domtrans(cobblerd_t)
- dnsmasq_initrc_domtrans(cobblerd_t)
- dnsmasq_write_config(cobblerd_t)
-+ dnsmasq_systemctl(cobblerd_t)
-+')
-+
-+optional_policy(`
-+ gnome_dontaudit_search_config(cobblerd_t)
-+')
-+
-+optional_policy(`
-+ puppet_domtrans_puppetca(cobblerd_t)
')
+@@ -111,18 +195,11 @@ optional_policy(`
optional_policy(`
-@@ -110,12 +222,21 @@ optional_policy(`
- ')
-
- optional_policy(`
-- rsync_read_config(cobblerd_t)
+ rsync_read_config(cobblerd_t)
- rsync_write_config(cobblerd_t)
-+ rsync_exec(cobblerd_t)
+ rsync_manage_config(cobblerd_t)
-+ # cobbler creates /etc/rsync.conf if its not there.
-+ rsync_filetrans_config(cobblerd_t, file)
++ rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf")
')
optional_policy(`
- tftp_manage_rw_content(cobblerd_t)
-+ # Cobbler puts objects in both /var/lib/tftpdir as well as /var/lib/tftpdir/images.
-+ # tftp_manage_rw_content(cobblerd_t) can be used instead if:
-+ # 1. cobbler package installs /var/lib/tftpdir/images.
-+ # 2. no FILES in /var/lib/TFTPDIR are hard linked.
-+ # Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg)
-+ # are any of those hard linked?
-+ tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
+ tftp_manage_config(cobblerd_t)
++ tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
')
-
- ########################################
-@@ -123,6 +244,10 @@ optional_policy(`
- # Cobbler web local policy.
- #
-
+-
+-########################################
+-#
+-# Cobbler web local policy.
+-#
+-
-apache_content_template(cobbler)
-manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
-manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
-+optional_policy(`
-+ apache_content_template(cobbler)
-+
-+ list_dirs_pattern(cobblerd_t, httpd_cobbler_content_t, httpd_cobbler_content_t)
-+ manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
-+ manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
-+')
diff --git a/collectd.fc b/collectd.fc
new file mode 100644
index 0000000..2e1007b
@@ -15340,7 +15277,7 @@ index 305ddf4..ca832e1 100644
+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
-index e5a8924..68e9d5b 100644
+index e5a8924..49e2699 100644
--- a/cups.te
+++ b/cups.te
@@ -1,22 +1,28 @@
@@ -15755,7 +15692,7 @@ index e5a8924..68e9d5b 100644
')
optional_policy(`
-@@ -336,18 +371,18 @@ optional_policy(`
+@@ -336,19 +371,20 @@ optional_policy(`
udev_read_db(cupsd_t)
')
@@ -15778,9 +15715,11 @@ index e5a8924..68e9d5b 100644
-allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
+allow cupsd_config_t self:process { getsched };
++domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t)
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -360,9 +395,7 @@ manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
+
+@@ -360,9 +396,7 @@ manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
manage_lnk_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
files_var_filetrans(cupsd_config_t, cupsd_rw_etc_t, file)
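Review bot: The new `domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t)` is inserted between the `self:process` rule and the existing `cupsd_t:process signal` rule with no comment, and a domain transition into the daemon domain is a notable privilege for the configuration domain to gain. Add a why comment naming the trigger, e.g. `# cupsd_config_t may execute cupsd; run it in cupsd_t rather than in the config domain (3.11.1-92)`, and keep it next to the signal and ps_process_pattern rules so the cupsd_config_t-to-cupsd_t relationship is readable in one place. Whether cupsd_config_t only needs to start the daemon or also to read its state cannot be told from this hunk.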
@@ -15791,7 +15730,7 @@ index e5a8924..68e9d5b 100644
manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
-@@ -371,70 +404,49 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,70 +405,49 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -15875,7 +15814,7 @@ index e5a8924..68e9d5b 100644
optional_policy(`
term_use_generic_ptys(cupsd_config_t)
-@@ -450,12 +462,19 @@ optional_policy(`
+@@ -450,12 +463,19 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(cupsd_config_t)
')
@@ -15896,7 +15835,7 @@ index e5a8924..68e9d5b 100644
')
optional_policy(`
-@@ -467,8 +486,7 @@ optional_policy(`
+@@ -467,8 +487,7 @@ optional_policy(`
')
optional_policy(`
@@ -15906,7 +15845,7 @@ index e5a8924..68e9d5b 100644
')
optional_policy(`
-@@ -489,231 +507,84 @@ optional_policy(`
+@@ -489,231 +508,84 @@ optional_policy(`
########################################
#
@@ -16159,7 +16098,7 @@ index e5a8924..68e9d5b 100644
########################################
#
-@@ -723,14 +594,12 @@ optional_policy(`
+@@ -723,14 +595,12 @@ optional_policy(`
allow ptal_t self:capability { chown sys_rawio };
dontaudit ptal_t self:capability sys_tty_config;
allow ptal_t self:fifo_file rw_fifo_file_perms;
@@ -16175,7 +16114,7 @@ index e5a8924..68e9d5b 100644
manage_dirs_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
manage_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
-@@ -743,29 +612,26 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -743,29 +613,26 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -16998,7 +16937,7 @@ index fb4bf82..0730306 100644
+ dontaudit system_bus_type $1:dbus send_msg;
')
diff --git a/dbus.te b/dbus.te
-index 625cb32..e244bde 100644
+index 625cb32..4f67990 100644
--- a/dbus.te
+++ b/dbus.te
@@ -10,6 +10,7 @@ gen_require(`
@@ -17018,11 +16957,12 @@ index 625cb32..e244bde 100644
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
-@@ -51,9 +54,9 @@ ifdef(`enable_mls',`
+@@ -51,9 +54,10 @@ ifdef(`enable_mls',`
# dac_override: /var/run/dbus is owned by messagebus on Debian
# cjp: dac_override should probably go in a distro_debian
-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
++allow system_dbusd_t self:capability2 block_suspend;
+allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
-allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
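Review bot: `allow system_dbusd_t self:capability2 block_suspend;` lands directly under the comment block that explains why dac_override is granted, so that comment now appears to justify the new capability too. The changelog only says the system bus "seems to be blocking suspend", so the rule needs its own comment recording that the requirement is unconfirmed, e.g. `# block_suspend: observed as a denial when the system bus holds the machine awake (3.11.1-92); revisit if dbus-daemon stops needing it`, and it reads better placed after the capability line than before it. Granting a capability2 permission to the system bus based on a single observation is worth a follow-up check once the denial can be reproduced.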
@@ -17030,7 +16970,7 @@ index 625cb32..e244bde 100644
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
-@@ -73,9 +76,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+@@ -73,9 +77,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
@@ -17042,7 +16982,7 @@ index 625cb32..e244bde 100644
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)
-@@ -83,11 +87,17 @@ kernel_read_kernel_sysctls(system_dbusd_t)
+@@ -83,11 +88,17 @@ kernel_read_kernel_sysctls(system_dbusd_t)
dev_read_urand(system_dbusd_t)
dev_read_sysfs(system_dbusd_t)
@@ -17060,7 +17000,7 @@ index 625cb32..e244bde 100644
mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
-@@ -110,22 +120,25 @@ auth_read_pam_console_data(system_dbusd_t)
+@@ -110,22 +121,25 @@ auth_read_pam_console_data(system_dbusd_t)
corecmd_list_bin(system_dbusd_t)
corecmd_read_bin_pipes(system_dbusd_t)
corecmd_read_bin_sockets(system_dbusd_t)
@@ -17088,7 +17028,7 @@ index 625cb32..e244bde 100644
miscfiles_read_generic_certs(system_dbusd_t)
seutil_read_config(system_dbusd_t)
-@@ -135,11 +148,35 @@ seutil_sigchld_newrole(system_dbusd_t)
+@@ -135,11 +149,35 @@ seutil_sigchld_newrole(system_dbusd_t)
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
@@ -17124,7 +17064,7 @@ index 625cb32..e244bde 100644
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
-@@ -150,12 +187,163 @@ optional_policy(`
+@@ -150,12 +188,163 @@ optional_policy(`
')
optional_policy(`
@@ -26307,7 +26247,7 @@ index f5afe78..4a90668 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
+')
diff --git a/gnome.te b/gnome.te
-index 783c5fb..85573de 100644
+index 783c5fb..08de5ad 100644
--- a/gnome.te
+++ b/gnome.te
@@ -6,11 +6,31 @@ policy_module(gnome, 2.2.0)
@@ -26386,7 +26326,7 @@ index 783c5fb..85573de 100644
logging_send_syslog_msg(gconfd_t)
-@@ -73,3 +113,169 @@ optional_policy(`
+@@ -73,3 +113,168 @@ optional_policy(`
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
@@ -26500,8 +26440,7 @@ index 783c5fb..85573de 100644
+allow gkeyringd_domain self:fifo_file rw_fifo_file_perms;
+allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };
+
-+allow gkeyringd_domain config_home_t:dir add_entry_dir_perms;
-+allow gkeyringd_domain config_home_t:file write;
++manage_files_pattern(gkeyringd_domain, config_home_t, config_home_t)
+
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
+manage_files_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
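Review bot: Replacing `config_home_t:dir add_entry_dir_perms` plus `config_home_t:file write` with `manage_files_pattern(gkeyringd_domain, config_home_t, config_home_t)` grants create, unlink, rename and setattr on every config_home_t file, which is considerably more than the changelog's stated need of creating the `/var/run/UID/config/dbus` file. If the single runtime file is the only requirement, the narrower form would be to keep the previous rules and add just the create permission on config_home_t files, or to give that file its own type via a filetrans. At minimum the rule wants a comment such as `# gnome-keyring creates the per-user config/dbus runtime file, labeled config_home_t` so the breadth is visibly deliberate.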
@@ -27301,7 +27240,7 @@ index a627b34..0120907 100644
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/gpsd.te b/gpsd.te
-index 03742d8..cf95bdd 100644
+index 03742d8..13f3d76 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -24,8 +24,9 @@ files_pid_file(gpsd_var_run_t)
@@ -27311,7 +27250,7 @@ index 03742d8..cf95bdd 100644
-allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config };
-allow gpsd_t self:process setsched;
+allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
-+dontaudit gpsd_t self:capability { dac_read_search dac_override };
++dontaudit gpsd_t self:capability { sys_ptrace dac_read_search dac_override };
+allow gpsd_t self:process { setsched signal_perms };
allow gpsd_t self:shm create_shm_perms;
allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
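Review bot: Adding `sys_ptrace` to `dontaudit gpsd_t self:capability { ... }` silences a capability check the changelog itself says gpsd is only believed not to need, and it is the same kind of dontaudit this commit removes elsewhere so that setroubleshoot can tell the user what happened. A comment should record that this is a silence-not-grant decision, e.g. `# sys_ptrace: gpsd is not believed to need it; the denial is hidden, not allowed`, so a later reader does not mistake it for a verified no-op. If the check turns out to be needed, the audit trail for it is gone.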
@@ -36722,7 +36661,7 @@ index d72276f..695854e 100644
mpd_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/mpd.te b/mpd.te
-index 7f68872..5e3afd2 100644
+index 7f68872..65970eb 100644
--- a/mpd.te
+++ b/mpd.te
@@ -31,6 +31,12 @@ files_tmpfs_file(mpd_tmpfs_t)
@@ -36780,7 +36719,7 @@ index 7f68872..5e3afd2 100644
corenet_all_recvfrom_netlabel(mpd_t)
corenet_tcp_sendrecv_generic_if(mpd_t)
corenet_tcp_sendrecv_generic_node(mpd_t)
-@@ -87,6 +104,7 @@ corenet_sendrecv_http_cache_client_packets(mpd_t)
+@@ -87,13 +104,15 @@ corenet_sendrecv_http_cache_client_packets(mpd_t)
corenet_sendrecv_pulseaudio_client_packets(mpd_t)
corenet_sendrecv_soundd_client_packets(mpd_t)
@@ -36788,7 +36727,16 @@ index 7f68872..5e3afd2 100644
dev_read_sound(mpd_t)
dev_write_sound(mpd_t)
dev_read_sysfs(mpd_t)
-@@ -101,7 +119,9 @@ auth_use_nsswitch(mpd_t)
+
+ files_read_usr_files(mpd_t)
+
+-fs_getattr_tmpfs(mpd_t)
++fs_getattr_all_fs(mpd_t)
++fs_getattr_all_dirs(mpd_t)
+ fs_list_inotifyfs(mpd_t)
+ fs_rw_anon_inodefs_files(mpd_t)
+
+@@ -101,7 +120,9 @@ auth_use_nsswitch(mpd_t)
logging_send_syslog_msg(mpd_t)
@@ -36799,7 +36747,7 @@ index 7f68872..5e3afd2 100644
optional_policy(`
alsa_read_rw_config(mpd_t)
-@@ -122,5 +142,20 @@ optional_policy(`
+@@ -122,5 +143,20 @@ optional_policy(`
')
optional_policy(`
@@ -37194,10 +37142,10 @@ index 0e19d80..c203717 100644
netutils_domtrans_ping(mrtg_t)
diff --git a/mta.fc b/mta.fc
-index afa18c8..8654c3c 100644
+index afa18c8..cb2791a 100644
--- a/mta.fc
+++ b/mta.fc
-@@ -1,30 +1,43 @@
+@@ -1,30 +1,44 @@
-HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
+HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
+HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
@@ -37215,6 +37163,7 @@ index afa18c8..8654c3c 100644
-/etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
-/etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/mail/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)
++/etc/mail/.*\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
ifdef(`distro_redhat',`
/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
')
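Review bot: `/etc/mail/.*\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)` labels every .db file under /etc/mail as etc_aliases_t, not only the aliases database, which the existing `/etc/mail/aliases.*` entry already covers. Assuming etc_aliases_t is the type mail domains are permitted to rewrite, any other map database kept in that directory becomes writable by those domains as a side effect of this one-line fix. If the intent really is all map files, a comment stating that is needed, e.g. `# all sendmail map databases under /etc/mail share the aliases type`; if only aliases.db was meant, the new line is redundant and should be dropped.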
@@ -60904,7 +60853,7 @@ index 479615b..d92f567 100644
/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
diff --git a/rsync.if b/rsync.if
-index 3386f29..d7de634 100644
+index 3386f29..184cb8e 100644
--- a/rsync.if
+++ b/rsync.if
@@ -119,13 +119,13 @@ interface(`rsync_read_config',`
@@ -60923,7 +60872,7 @@ index 3386f29..d7de634 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -133,11 +133,73 @@ interface(`rsync_read_config',`
+@@ -133,11 +133,98 @@ interface(`rsync_read_config',`
## </summary>
## </param>
#
@@ -60998,6 +60947,31 @@ index 3386f29..d7de634 100644
+
+ files_etc_filetrans($1, rsync_etc_t, $2)
+')
++
++########################################
++## <summary>
++## Create objects in etc directories
++## with rsync etc type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## Class of the object being created.
++## </summary>
++## </param>
++#
++
++interface(`rsync_etc_filetrans_config',`
++ gen_require(`
++ type rsync_etc_t;
++ ')
++
++ files_etc_filetrans($1, rsync_etc_t, $2, $3)
++')
diff --git a/rsync.te b/rsync.te
index 2834d86..7eb3030 100644
--- a/rsync.te
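Review bot: The new `rsync_etc_filetrans_config` interface passes three arguments to `files_etc_filetrans($1, rsync_etc_t, $2, $3)`, but its XML documentation describes only `domain` and `object_class`; the third parameter (the object name, used as `"rsync.conf"` by the cobbler caller) needs its own `<param name="name" optional="true">` block with a summary such as "Name of the object being created". The blank line between the closing `#` and `interface(` should also go, as in the `rsync_filetrans_config` interface above it, so the doc block stays attached to the interface it describes. Apart from the name argument the new interface duplicates the older one, so if the name is optional in files_etc_filetrans the older interface could simply forward to this one.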
diff --git a/selinux-policy.spec b/selinux-policy.spec
index fa8630e..97cdf36 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 91%{?dist}
+Release: 92%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,22 @@ SELinux Reference policy mls base module.
%endif
%Changelog
+* Fri Apr 26 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-92
+- Eliminate dontaudit rules so setroubleshoot and audit2allow can tell user what to do if apache attempts to use the terminal
+- Add transition from cupsd_config_t to cupsd_t
+- Fix chrome_role_notrans() to allow also append to stream socket
+- Allow gkeyring_domain to create /var/run/UID/config/dbus file
+- system dbus seems to be blocking suspend
+- Label aliases db files with correct label
+- Allow setroubleshootd to read var_lib_t to make email_alert working
+- Dontaudit attemps to sys_ptrace, which I believe gpsd does not need
+- Allow mpd getattr on file system directories
+- Add rsync_etc_filetrans_config()
+- Label /var/lib/sepolgen as selinux_config_t so that setroubleshoot can read it
+- Add filetrans rules for tw devices
+- Allow systemd-tty-ask to write kmsg
+- label shared libraries in /opt/google/chrome as testrel_shlib_t
+
* Thu Apr 18 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-91
- Allow domains to use kerberos to read file_context file
- Allow mozilla_plugin to connect to port 8081