commit: e81afa8e462fd625e95e7458332b1cff1724654f |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
AuthorDate: Sat Feb 25 16:20:03 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Mon Feb 27 10:44:02 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e81afa8e |
|
Network daemon patches from Russell Coker. |
|
policy/modules/contrib/apache.fc | 4 +++ |
policy/modules/contrib/apache.if | 19 +++++++++++++ |
policy/modules/contrib/apache.te | 46 +++++++++++++++++++++----------- |
policy/modules/contrib/bind.fc | 3 +++ |
policy/modules/contrib/bind.te | 6 ++++- |
policy/modules/contrib/inetd.te | 3 ++- |
policy/modules/contrib/iodine.fc | 2 ++ |
policy/modules/contrib/iodine.te | 9 ++++++- |
policy/modules/contrib/jabber.fc | 4 +++ |
policy/modules/contrib/jabber.te | 12 ++++++++- |
policy/modules/contrib/nagios.te | 7 +++-- |
policy/modules/contrib/networkmanager.fc | 2 +- |
policy/modules/contrib/networkmanager.te | 6 ++++- |
policy/modules/contrib/ntp.if | 18 +++++++++++++ |
policy/modules/contrib/ntp.te | 3 ++- |
policy/modules/contrib/openvpn.fc | 1 + |
policy/modules/contrib/openvpn.te | 2 +- |
policy/modules/contrib/rpc.te | 4 ++- |
policy/modules/contrib/squid.fc | 8 +++--- |
policy/modules/contrib/squid.if | 19 +++++++++++++ |
policy/modules/contrib/squid.te | 15 ++++++++++- |
21 files changed, 161 insertions(+), 32 deletions(-) |
|
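--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -17,6 +17,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:objec
 /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
 /etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/postfixadmin(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
 /etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
@@ -56,6 +57,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:objec
 /usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
 
 /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -110,6 +112,7 @@ ifdef(`distro_suse',`
 /var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php5(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -124,6 +127,7 @@ ifdef(`distro_suse',`
 /var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
 /var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
 /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)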
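Review bot: `/var/lib/wordpress(/.*)?` is typed httpd_var_lib_t while the neighbouring web-application trees in the same hunk (dokuwiki, drupal, svn, z-push) are httpd_sys_rw_content_t; httpd_var_lib_t is used elsewhere in this commit as the daemon's own state type (the manage_*_pattern(httpd_t, httpd_var_lib_t, …) rules in apache.te), so this looks like a different access model from the other applications. If WordPress is meant to be handled like drupal the line should read `/var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)`; if the var_lib typing is deliberate, a short comment above the line saying why would stop the next contributor from "fixing" it.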
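--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -1254,6 +1254,25 @@ interface(`apache_dontaudit_write_tmp_files',`
 
 ########################################
 ## <summary>
+## Delete httpd_var_lib_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that can delete the files
+## </summary>
+## </param>
+#
+interface(`apache_delete_lib_files',`
+ gen_require(`
+ type httpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ delete_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
+')
+
+########################################
+## <summary>
 ## Execute CGI in the specified domain.
 ## </summary>
 ## <desc>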
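Review bot: The interface summary `Delete httpd_var_lib_t files` names the internal type instead of describing the objects, and the parameter summary `Domain that can delete the files` differs from the `Domain allowed access.` wording used by the other new interface in this commit (ntp_read_config). Suggested wording: `## Delete apache variable library files.` for the summary and `## Domain allowed access.` for the parameter, which matches the surrounding interfaces in apache.if.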
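--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.12.0)
+policy_module(apache, 2.12.1)
 
 ########################################
 #
@@ -402,14 +402,12 @@ read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
 
 allow httpd_t httpd_keytab_t:file read_file_perms;
 
+allow httpd_t httpd_lock_t:dir manage_dir_perms;
 allow httpd_t httpd_lock_t:file manage_file_perms;
-files_lock_filetrans(httpd_t, httpd_lock_t, file)
+files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
 
-allow httpd_t httpd_log_t:dir setattr_dir_perms;
-create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
-create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 logging_log_filetrans(httpd_t, httpd_log_t, file)
 
@@ -427,6 +425,8 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
 
 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+allow httpd_t httpd_sys_script_t:process signull;
+
 
 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -444,6 +444,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi
 
 manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
 
 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
@@ -464,6 +465,8 @@ domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
 
 kernel_read_kernel_sysctls(httpd_t)
+kernel_read_vm_sysctls(httpd_t)
+kernel_read_vm_overcommit_sysctl(httpd_t)
 kernel_read_network_state(httpd_t)
 kernel_read_system_state(httpd_t)
 kernel_search_network_sysctl(httpd_t)
@@ -513,6 +516,8 @@ files_read_var_lib_symlinks(httpd_t)
 
 auth_use_nsswitch(httpd_t)
 
+init_rw_inherited_script_tmp_files(httpd_t)
+
 libs_read_lib_files(httpd_t)
 
 logging_send_syslog_msg(httpd_t)
@@ -590,6 +595,7 @@ tunable_policy(`httpd_builtin_scripting',`
 tunable_policy(`httpd_enable_cgi',`
 allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
 allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+ allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
 ')
 
 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -737,9 +743,8 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
 
 tunable_policy(`httpd_use_nfs',`
 fs_list_auto_mountpoints(httpd_t)
- fs_manage_nfs_dirs(httpd_t)
- fs_manage_nfs_files(httpd_t)
- fs_manage_nfs_symlinks(httpd_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1063,9 +1068,8 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
 
 tunable_policy(`httpd_use_nfs',`
 fs_list_auto_mountpoints(httpd_suexec_t)
- fs_manage_nfs_dirs(httpd_suexec_t)
- fs_manage_nfs_files(httpd_suexec_t)
- fs_manage_nfs_symlinks(httpd_suexec_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1213,8 +1217,11 @@ optional_policy(`
 #
 
 allow httpd_sys_script_t self:tcp_socket { accept listen };
+allow httpd_sys_script_t self:unix_dgram_socket { create connect connected_socket_perms };
+
 
 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
+allow httpd_sys_script_t httpd_t:unix_stream_socket { read write ioctl };
 
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
 
@@ -1226,6 +1233,8 @@ allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
 
 kernel_read_kernel_sysctls(httpd_sys_script_t)
 
+dev_read_sysfs(httpd_sys_script_t)
+
 fs_search_auto_mountpoints(httpd_sys_script_t)
 
 files_read_var_symlinks(httpd_sys_script_t)
@@ -1236,6 +1245,12 @@ apache_domtrans_rotatelogs(httpd_sys_script_t)
 
 auth_use_nsswitch(httpd_sys_script_t)
 
+logging_send_syslog_msg(httpd_sys_script_t)
+
+ifdef(`init_systemd', `
+ init_search_pid_dirs(httpd_sys_script_t)
+')
+
 tunable_policy(`httpd_can_sendmail',`
 corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
 corenet_tcp_connect_smtp_port(httpd_sys_script_t)
@@ -1290,9 +1305,8 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
 
 tunable_policy(`httpd_use_nfs',`
 fs_list_auto_mountpoints(httpd_sys_script_t)
- fs_manage_nfs_dirs(httpd_sys_script_t)
- fs_manage_nfs_files(httpd_sys_script_t)
- fs_manage_nfs_symlinks(httpd_sys_script_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`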
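Review bot: In the `httpd_use_nfs` blocks for httpd_suexec_t (@@ -1063) and httpd_sys_script_t (@@ -1290), the replacement lines call `rpc_manage_nfs_rw_content(httpd_t)` / `rpc_read_nfs_content(httpd_t)` even though the removed lines and the surviving `fs_list_auto_mountpoints(...)` in each block name httpd_suexec_t and httpd_sys_script_t respectively. As written, those two domains lose the NFS access they had before and httpd_t receives the same two rules three times over. The argument in each block should be that block's own domain, i.e. `rpc_manage_nfs_rw_content(httpd_suexec_t)` / `rpc_read_nfs_content(httpd_suexec_t)` in the first and the httpd_sys_script_t pair in the second. Separately, the @@ -402 hunk widens httpd_log_t from create/append/read to manage_files_pattern, which lets the web server unlink and truncate its own logs; if that is only needed for log rotation say so in a comment, otherwise the previous append-only split is the safer default.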
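--- a/policy/modules/contrib/bind.fc
+++ b/policy/modules/contrib/bind.fc
@@ -28,6 +28,8 @@
 
 /var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
 
+/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+
 /var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
 
 /var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
@@ -53,5 +55,6 @@
 
 /run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
 /run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/run/lwresd/lwresd\.pid -s gen_context(system_u:object_r:named_var_run_t,s0)
 /run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
 /run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)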
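Review bot: `/run/lwresd/lwresd\.pid -s` uses the socket file-type flag, but a pid file is a regular file, so this entry can never match and lwresd.pid will keep the generic /run label. The `/run/ndc -s` line just above is a socket and is correct; the new line should use the regular-file flag instead: `/run/lwresd/lwresd\.pid -- gen_context(system_u:object_r:named_var_run_t,s0)`.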
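--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.18.0)
+policy_module(bind, 1.18.1)
 
 ########################################
 #
@@ -112,6 +112,8 @@ allow named_t named_zone_t:dir list_dir_perms;
 read_files_pattern(named_t, named_zone_t, named_zone_t)
 read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
 
+kernel_read_net_sysctls(named_t)
+kernel_read_vm_sysctls(named_t)
 kernel_read_kernel_sysctls(named_t)
 kernel_read_vm_overcommit_sysctl(named_t)
 kernel_read_system_state(named_t)
@@ -152,6 +154,7 @@ dev_read_urand(named_t)
 domain_use_interactive_fds(named_t)
 
 files_read_etc_runtime_files(named_t)
+files_read_usr_files(named_t)
 
 fs_getattr_all_fs(named_t)
 fs_search_auto_mountpoints(named_t)
@@ -219,6 +222,7 @@ optional_policy(`
 #
 
 allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability2 block_suspend;
 allow ndc_t self:process signal_perms;
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };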
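Review bot: `kernel_read_vm_sysctls(named_t)` is added directly above the existing `kernel_read_vm_overcommit_sysctl(named_t)`; the overcommit sysctl sits under the vm tree, so once the broader interface is present the narrower one looks redundant and could be dropped to keep the rule list minimal (confirm against kernel.if before removing it). For ndc_t, `allow ndc_t self:capability2 block_suspend;` is an unusual grant for a control utility; if it was only observed as an audit denial from a wakeup-flagged wait, `dontaudit ndc_t self:capability2 block_suspend;` is the more conservative choice than allowing the capability.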
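--- a/policy/modules/contrib/inetd.te
+++ b/policy/modules/contrib/inetd.te
@@ -1,4 +1,4 @@
-policy_module(inetd, 1.14.0)
+policy_module(inetd, 1.14.1)
 
 ########################################
 #
@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t)
 kernel_tcp_recvfrom_unlabeled(inetd_t)
 
 corecmd_bin_domtrans(inetd_t, inetd_child_t)
+corecmd_bin_entry_type(inetd_child_t)
 
 corenet_all_recvfrom_unlabeled(inetd_t)
 corenet_all_recvfrom_netlabel(inetd_t)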
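--- a/policy/modules/contrib/iodine.fc
+++ b/policy/modules/contrib/iodine.fc
@@ -1,3 +1,5 @@
 /etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0)
 
 /usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
+
+/var/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0)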
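Review bot: `/var/run/iodine(/.*)?` is written against /var/run while every other runtime-directory entry touched by this commit (bind.fc, jabber.fc, squid.fc) uses `/run/`; the file contexts in this tree appear to be written for /run, with the /var/run spelling presumably handled by path substitution at load time. For consistency the line should read `/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0)`.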
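--- a/policy/modules/contrib/iodine.te
+++ b/policy/modules/contrib/iodine.te
@@ -1,4 +1,4 @@
-policy_module(iodine, 1.2.0)
+policy_module(iodine, 1.2.1)
 
 ########################################
 #
@@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t)
 type iodined_initrc_exec_t;
 init_script_file(iodined_initrc_exec_t)
 
+type iodined_var_run_t;
+files_pid_file(iodined_var_run_t)
+
 ########################################
 #
 # Local policy
@@ -21,6 +24,10 @@ allow iodined_t self:capability { net_admin net_raw setgid setuid sys_chroot };
 allow iodined_t self:rawip_socket create_socket_perms;
 allow iodined_t self:tun_socket create_socket_perms;
 allow iodined_t self:udp_socket connected_socket_perms;
+allow iodined_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
+manage_files_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
 
 kernel_read_net_sysctls(iodined_t)
 kernel_read_network_state(iodined_t)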
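Review bot: iodined_t is allowed to manage iodined_var_run_t dirs and files, but no `files_pid_filetrans(iodined_t, iodined_var_run_t, { dir file })` accompanies the two manage_*_pattern lines, so anything the daemon creates under /run at runtime will inherit the parent directory's type and the new rules will not apply to it until a relabel. Compare jabber.te in this same commit, which keeps `files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)` next to its manage rule. Adding the transition directly after `manage_files_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)` closes the gap.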
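--- a/policy/modules/contrib/jabber.fc
+++ b/policy/modules/contrib/jabber.fc
@@ -2,6 +2,7 @@
 
 /usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
 /usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/prosody -- gen_context(system_u:object_r:jabberd_exec_t,s0)
 /usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
 /usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
 
@@ -13,13 +14,16 @@
 
 /var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
 /var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+/var/log/prosody(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
 
 /var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 /var/lib/ejabberd/spool(/.*)? gen_context(system_u:object_r:jabberd_spool_t,s0)
 /var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 /var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+/var/lib/prosody(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 /var/lib/jabberd/log(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
 /var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0)
 
 /run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
 /run/jabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
+/run/prosody(/.*)? -- gen_context(system_u:object_r:jabberd_var_run_t,s0)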
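Review bot: `/run/prosody(/.*)? -- gen_context(...)` combines a directory-and-contents regex with the `--` regular-file flag, so the /run/prosody directory itself will not be labeled jabberd_var_run_t and only plain files beneath it will. The other `(/.*)?` entries in this file carry no type flag; the line should be `/run/prosody(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0)`. Minor ordering point: `/var/lib/prosody(/.*)?` is inserted between `/var/lib/jabberd(/.*)?` and `/var/lib/jabberd/log(/.*)?`, splitting the jabberd group; placing it after the `/var/lib/jabberd/pid` line keeps the groups intact.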
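--- a/policy/modules/contrib/jabber.te
+++ b/policy/modules/contrib/jabber.te
@@ -1,4 +1,4 @@
-policy_module(jabber, 1.12.0)
+policy_module(jabber, 1.12.1)
 
 ########################################
 #
@@ -73,6 +73,7 @@ allow jabberd_t self:capability dac_override;
 dontaudit jabberd_t self:capability sys_tty_config;
 allow jabberd_t self:tcp_socket create_socket_perms;
 allow jabberd_t self:udp_socket create_socket_perms;
+allow jabberd_t self:netlink_route_socket r_netlink_socket_perms;
 
 manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t)
 
@@ -87,8 +88,12 @@ manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
 manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
 files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
 
+domain_dontaudit_search_all_domains_state(jabberd_t)
+
 kernel_read_kernel_sysctls(jabberd_t)
 
+corecmd_exec_bin(jabberd_t)
+
 corenet_sendrecv_jabber_client_server_packets(jabberd_t)
 corenet_tcp_bind_jabber_client_port(jabberd_t)
 corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
@@ -96,6 +101,7 @@ corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
 corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
 corenet_tcp_bind_jabber_interserver_port(jabberd_t)
 corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_interserver_port(jabberd_t)
 
 dev_read_rand(jabberd_t)
 
@@ -103,9 +109,13 @@ domain_use_interactive_fds(jabberd_t)
 
 files_read_etc_files(jabberd_t)
 files_read_etc_runtime_files(jabberd_t)
+# usr for lua modules
+files_read_usr_files(jabberd_t)
 
 fs_search_auto_mountpoints(jabberd_t)
 
+miscfiles_read_all_certs(jabberd_t)
+
 sysnet_read_config(jabberd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(jabberd_t)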
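Review bot: `corecmd_exec_bin(jabberd_t)` lets the jabber domain execute every general-purpose binary on the system and arrives without a comment, unlike the `# usr for lua modules` note two hunks later; a one-line why-comment naming the helper prosody actually runs would tell a later reviewer whether a narrower rule or a domain transition is possible. `miscfiles_read_all_certs(jabberd_t)` likewise widens from the generic certificate type to every cert type; if prosody only needs its TLS server certificate, `miscfiles_read_generic_certs(jabberd_t)` is the narrower call, so it is worth confirming which one was actually required.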
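--- a/policy/modules/contrib/nagios.te
+++ b/policy/modules/contrib/nagios.te
@@ -1,4 +1,4 @@
-policy_module(nagios, 1.15.0)
+policy_module(nagios, 1.15.1)
 
 ########################################
 #
@@ -216,12 +216,15 @@ optional_policy(`
 # Nrpe local policy
 #
 
-allow nrpe_t self:capability { setgid setuid };
+allow nrpe_t self:capability { dac_override setgid setuid };
 dontaudit nrpe_t self:capability { sys_resource sys_tty_config };
 allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
 allow nrpe_t self:fifo_file rw_fifo_file_perms;
 allow nrpe_t self:tcp_socket { accept listen };
 
+allow nrpe_t nagios_etc_t:dir list_dir_perms;
+allow nrpe_t nagios_etc_t:file read_file_perms;
+
 allow nrpe_t nagios_plugin_domain:process { signal sigkill };
 
 read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)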
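Review bot: `allow nrpe_t self:capability { dac_override setgid setuid };` adds dac_override, which bypasses owner/group/mode checks on every file the policy already lets nrpe_t reach; this is usually a symptom of a file owned by the wrong user rather than a genuine need, and where only traversal or read is involved `dac_read_search` is the narrower capability. A comment recording which access triggered it would let the next reviewer judge whether it can be removed. The two new `allow nrpe_t nagios_etc_t:...` rules also overlap with the existing `read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)` immediately below, which already grants search on nagios_etc_t; it is worth confirming that reading all nagios_etc_t files, rather than only nrpe_etc_t, is intended.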
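--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -3,7 +3,7 @@
 /etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)
 /etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
 /etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
-/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/etc/NetworkManager/dispatcher\.d(/.*)? -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 
 /etc/dhcp/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
 /etc/dhcp/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)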
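--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.20.1)
+policy_module(networkmanager, 1.20.2)
 
 ########################################
 #
@@ -241,6 +241,10 @@ optional_policy(`
 optional_policy(`
 xserver_dbus_chat_xdm(NetworkManager_t)
 ')
+
+ optional_policy(`
+ unconfined_dbus_send(NetworkManager_t)
+ ')
 ')
 
 optional_policy(`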
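--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -18,6 +18,24 @@ interface(`ntp_stub',`
 
 ########################################
 ## <summary>
+## Read ntp.conf
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_read_config',`
+ gen_require(`
+ type ntp_conf_t;
+ ')
+
+ allow $1 ntp_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ## Execute ntp server in the ntpd domain.
 ## </summary>
 ## <param name="domain">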
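Review bot: `ntp_read_config` grants read on ntp_conf_t files but no search on the directory that holds them, so a caller that does not already search /etc is denied before it reaches the file; the other new interface in this commit, `apache_delete_lib_files`, includes `files_search_var_lib($1)` for exactly this reason. Add `files_search_etc($1)` on the line before the allow rule. The summary `Read ntp.conf` also undersells the rule, which covers any ntp_conf_t file; `Read ntp configuration files.` would be the more accurate summary.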
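--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.16.1)
+policy_module(ntp, 1.16.2)
 
 ########################################
 #
@@ -60,6 +60,7 @@ allow ntpd_t self:fifo_file rw_fifo_file_perms;
 allow ntpd_t self:shm create_shm_perms;
 allow ntpd_t self:socket create;
 allow ntpd_t self:tcp_socket { accept listen };
+allow ntpd_t self:unix_dgram_socket sendto;
 
 allow ntpd_t ntp_conf_t:file read_file_perms;
 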
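--- a/policy/modules/contrib/openvpn.fc
+++ b/policy/modules/contrib/openvpn.fc
@@ -1,5 +1,6 @@
 /etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0)
 /etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
+/etc/openvpn/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0)
 
 /etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
 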
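--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -1,4 +1,4 @@
-policy_module(openvpn, 1.15.0)
+policy_module(openvpn, 1.15.1)
 
 ########################################
 #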
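--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.19.1)
+policy_module(rpc, 1.19.2)
 
 ########################################
 #
@@ -161,6 +161,8 @@ kernel_read_sysctl(rpcd_t)
 kernel_rw_fs_sysctls(rpcd_t)
 kernel_dontaudit_getattr_core_if(rpcd_t)
 kernel_signal(rpcd_t)
+# for /proc/fs/lockd/nlm_end_grace
+kernel_write_proc_files(rpcd_t)
 
 corecmd_exec_bin(rpcd_t)
 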
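Review bot: `kernel_write_proc_files(rpcd_t)` grants write on every proc_t file to satisfy the single path the comment names, which is much broader than the sysctl-scoped interfaces used on the lines above it. If no narrower kernel.if interface covers the lockd files, keeping the comment is the right call, but it should say so explicitly so the rule is revisited once one exists, e.g. `# for /proc/fs/lockd/nlm_end_grace; no narrower interface for lockd proc files yet`.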
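--- a/policy/modules/contrib/squid.fc
+++ b/policy/modules/contrib/squid.fc
@@ -4,17 +4,17 @@
 
 /usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
 
-/usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
+/usr/sbin/squid.* -- gen_context(system_u:object_r:squid_exec_t,s0)
 
 /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
 
 /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
 
-/var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
+/var/log/squid.* gen_context(system_u:object_r:squid_log_t,s0)
 /var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
 
-/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
+/run/squid3.* gen_context(system_u:object_r:squid_var_run_t,s0)
 
-/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+/var/spool/squid.* gen_context(system_u:object_r:squid_cache_t,s0)
 
 /var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)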
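Review bot: Replacing `/run/squid\.pid --` with `/run/squid3.*` drops the label for the unversioned pid file, so a squid build that still writes /run/squid.pid now falls back to the generic /run type and squid_t has no rule for it. A pattern covering both layouts, `/run/squid.* gen_context(system_u:object_r:squid_var_run_t,s0)`, keeps the old behaviour while matching the squid3 naming, in line with the `.*` widening applied to the log and spool entries. The same widening on `/usr/sbin/squid.* --` will also catch any other /usr/sbin binary whose name starts with squid; that may be intended but a short comment would make it clear.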
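--- a/policy/modules/contrib/squid.if
+++ b/policy/modules/contrib/squid.if
@@ -191,6 +191,25 @@ interface(`squid_use',`
 
 ########################################
 ## <summary>
+## dontaudit statting tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not be audited
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_dontaudit_read_tmpfs_files',`
+ gen_require(`
+ type squid_tmpfs_t;
+ ')
+
+ dontaudit $1 squid_tmpfs_t:file getattr;
+')
+
+########################################
+## <summary>
 ## All of the rules required to
 ## administrate an squid environment.
 ## </summary>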
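Review bot: The interface is named `squid_dontaudit_read_tmpfs_files` but its only rule is `dontaudit $1 squid_tmpfs_t:file getattr;` and the summary itself says "statting"; the name should match the permission, `squid_dontaudit_getattr_tmpfs_files`, so callers are not surprised that read denials are still audited. The `## <rolecap/>` tag marks an interface that confers a role capability and does not belong on a dontaudit interface; drop that line. The summary would also read better in the house style as `Do not audit attempts to get the attributes of squid tmpfs files.`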
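--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -1,4 +1,4 @@
-policy_module(squid, 1.15.0)
+policy_module(squid, 1.15.1)
 
 ########################################
 #
@@ -21,6 +21,14 @@ gen_tunable(squid_connect_any, false)
 ## </desc>
 gen_tunable(squid_use_tproxy, false)
 
+## <desc>
+## <p>
+## Determine whether squid can use the
+## pinger daemon (needs raw net access)
+## </p>
+## </desc>
+gen_tunable(squid_use_pinger, true)
+
 type squid_t;
 type squid_exec_t;
 init_daemon_domain(squid_t, squid_exec_t)
@@ -188,6 +196,11 @@ tunable_policy(`squid_connect_any',`
 corenet_tcp_sendrecv_all_ports(squid_t)
 ')
 
+tunable_policy(`squid_use_pinger',`
+ allow squid_t self:rawip_socket connected_socket_perms;
+ allow squid_t self:capability net_raw;
+')
+
 tunable_policy(`squid_use_tproxy',`
 allow squid_t self:capability net_admin;
 corenet_sendrecv_netport_server_packets(squid_t)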
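Review bot: `gen_tunable(squid_use_pinger, true)` switches the new tunable on by default, so every squid_t receives `net_raw` and a raw IP socket unless an administrator turns it off, whereas the other network-widening tunables visible in this file (`squid_connect_any`, `squid_use_tproxy`) default to false. Unless the pinger is required for squid to start at all, `gen_tunable(squid_use_pinger, false)` is the least-privilege default consistent with its siblings; if true is deliberate, the reason belongs in the `<desc>` block so the choice is not reverted later.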