| 1 |
commit: d2423ae4bde7048042e80957e3c727eb59e04c8b |
| 2 |
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> |
| 3 |
AuthorDate: Wed Jan 27 03:15:50 2021 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Mon Feb 1 01:21:42 2021 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d2423ae4 |
| 7 |
|
| 8 |
misc services patches with changes Dominick and Chris wanted |
| 9 |
|
| 10 |
I think this one is ready to merge. |
| 11 |
|
| 12 |
Signed-off-by: Russell Coker <russell <AT> coker.com.au> |
| 13 |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
| 14 |
|
| 15 |
policy/modules/services/apache.fc | 6 +++++- |
| 16 |
policy/modules/services/apache.if | 22 ++++++++++++++++++++ |
| 17 |
policy/modules/services/apache.te | 15 ++++++++++++-- |
| 18 |
policy/modules/services/aptcacher.fc | 5 ++++- |
| 19 |
policy/modules/services/aptcacher.if | 40 ++++++++++++++++++++++++++++++++++++ |
| 20 |
policy/modules/services/aptcacher.te | 2 ++ |
| 21 |
policy/modules/services/bind.te | 1 + |
| 22 |
policy/modules/services/colord.te | 10 +++++++++ |
| 23 |
policy/modules/services/cron.te | 12 +++++++++++ |
| 24 |
policy/modules/services/cups.te | 3 ++- |
| 25 |
policy/modules/services/devicekit.te | 2 ++ |
| 26 |
policy/modules/services/entropyd.te | 1 + |
| 27 |
policy/modules/services/fail2ban.te | 2 ++ |
| 28 |
policy/modules/services/jabber.te | 3 +++ |
| 29 |
policy/modules/services/l2tp.te | 1 + |
| 30 |
policy/modules/services/mon.te | 7 ++++++- |
| 31 |
policy/modules/services/mysql.fc | 1 + |
| 32 |
policy/modules/services/mysql.te | 7 ++++++- |
| 33 |
policy/modules/services/openvpn.te | 10 +++++++++ |
| 34 |
policy/modules/services/postgrey.te | 1 + |
| 35 |
policy/modules/services/rpc.te | 1 + |
| 36 |
policy/modules/services/samba.te | 18 ++++++++++++++-- |
| 37 |
policy/modules/services/smartmon.te | 2 +- |
| 38 |
policy/modules/services/squid.te | 2 ++ |
| 39 |
policy/modules/services/tor.te | 1 + |
| 40 |
policy/modules/services/watchdog.te | 2 ++ |
| 41 |
policy/modules/services/xserver.if | 1 + |
| 42 |
27 files changed, 168 insertions(+), 10 deletions(-) |
| 43 |
|
| 44 |
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc |
| 45 |
index 52879fe1..6c4ddba7 100644 |
| 46 |
--- a/policy/modules/services/apache.fc |
| 47 |
+++ b/policy/modules/services/apache.fc |
| 48 |
@@ -80,6 +80,8 @@ ifndef(`distro_gentoo',` |
| 49 |
/usr/sbin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0) |
| 50 |
/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0) |
| 51 |
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) |
| 52 |
+/usr/sbin/php.*-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0) |
| 53 |
+/usr/sbin/php-fpm[^/]+ -- gen_context(system_u:object_r:httpd_exec_t,s0) |
| 54 |
/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) |
| 55 |
ifndef(`distro_gentoo',` |
| 56 |
/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0) |
| 57 |
@@ -152,7 +154,7 @@ ifndef(`distro_gentoo',` |
| 58 |
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0) |
| 59 |
/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) |
| 60 |
/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) |
| 61 |
-/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) |
| 62 |
+/var/lib/squirrelmail(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) |
| 63 |
/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) |
| 64 |
/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) |
| 65 |
/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) |
| 66 |
@@ -180,6 +182,7 @@ ifndef(`distro_gentoo',` |
| 67 |
/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) |
| 68 |
/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) |
| 69 |
/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) |
| 70 |
+/var/log/php7..-fpm.log -- gen_context(system_u:object_r:httpd_log_t,s0) |
| 71 |
|
| 72 |
/run/apache.* gen_context(system_u:object_r:httpd_runtime_t,s0) |
| 73 |
/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_runtime_t,s0) |
| 74 |
@@ -188,6 +191,7 @@ ifndef(`distro_gentoo',` |
| 75 |
/run/httpd.* gen_context(system_u:object_r:httpd_runtime_t,s0) |
| 76 |
/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0) |
| 77 |
/run/mod_.* gen_context(system_u:object_r:httpd_runtime_t,s0) |
| 78 |
+/run/php(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0) |
| 79 |
/run/wsgi.* -s gen_context(system_u:object_r:httpd_runtime_t,s0) |
| 80 |
/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0) |
| 81 |
|
| 82 |
|
| 83 |
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if |
| 84 |
index f8c6c909..44767359 100644 |
| 85 |
--- a/policy/modules/services/apache.if |
| 86 |
+++ b/policy/modules/services/apache.if |
| 87 |
@@ -71,6 +71,7 @@ template(`apache_content_template',` |
| 88 |
|
| 89 |
manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) |
| 90 |
manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) |
| 91 |
+ allow httpd_$1_script_t httpd_$1_rw_content_t:file map; |
| 92 |
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) |
| 93 |
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) |
| 94 |
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) |
| 95 |
@@ -97,6 +98,8 @@ template(`apache_content_template',` |
| 96 |
|
| 97 |
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` |
| 98 |
filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) |
| 99 |
+ allow httpd_t httpd_$1_content_t:file map; |
| 100 |
+ allow httpd_t httpd_$1_rw_content_t:file map; |
| 101 |
') |
| 102 |
') |
| 103 |
|
| 104 |
@@ -1023,6 +1026,7 @@ interface(`apache_manage_sys_rw_content',` |
| 105 |
apache_search_sys_content($1) |
| 106 |
manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) |
| 107 |
manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t) |
| 108 |
+ allow $1 httpd_sys_rw_content_t:file map; |
| 109 |
manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) |
| 110 |
') |
| 111 |
|
| 112 |
@@ -1149,6 +1153,24 @@ interface(`apache_append_squirrelmail_data',` |
| 113 |
allow $1 httpd_squirrelmail_t:file append_file_perms; |
| 114 |
') |
| 115 |
|
| 116 |
+######################################## |
| 117 |
+## <summary> |
| 118 |
+## delete httpd squirrelmail spool files. |
| 119 |
+## </summary> |
| 120 |
+## <param name="domain"> |
| 121 |
+## <summary> |
| 122 |
+## Domain allowed access. |
| 123 |
+## </summary> |
| 124 |
+## </param> |
| 125 |
+# |
| 126 |
+interface(`apache_delete_squirrelmail_spool',` |
| 127 |
+ gen_require(` |
| 128 |
+ type squirrelmail_spool_t; |
| 129 |
+ ') |
| 130 |
+ |
| 131 |
+ delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t) |
| 132 |
+') |
| 133 |
+ |
| 134 |
######################################## |
| 135 |
## <summary> |
| 136 |
## Search httpd system content. |
| 137 |
|
| 138 |
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te |
| 139 |
index 39685bef..da43a1d8 100644 |
| 140 |
--- a/policy/modules/services/apache.te |
| 141 |
+++ b/policy/modules/services/apache.te |
| 142 |
@@ -381,6 +381,7 @@ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) |
| 143 |
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) |
| 144 |
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) |
| 145 |
files_var_filetrans(httpd_t, httpd_cache_t, dir) |
| 146 |
+allow httpd_t httpd_cache_t:file map; |
| 147 |
|
| 148 |
allow httpd_t httpd_config_t:dir list_dir_perms; |
| 149 |
read_files_pattern(httpd_t, httpd_config_t, httpd_config_t) |
| 150 |
@@ -389,7 +390,7 @@ read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t) |
| 151 |
allow httpd_t httpd_htaccess_type:file read_file_perms; |
| 152 |
|
| 153 |
allow httpd_t httpd_ro_content:dir list_dir_perms; |
| 154 |
-allow httpd_t httpd_ro_content:file read_file_perms; |
| 155 |
+allow httpd_t httpd_ro_content:file { map read_file_perms }; |
| 156 |
allow httpd_t httpd_ro_content:lnk_file read_lnk_file_perms; |
| 157 |
|
| 158 |
allow httpd_t httpd_keytab_t:file read_file_perms; |
| 159 |
@@ -416,6 +417,7 @@ allow httpd_t httpd_rotatelogs_t:process signal_perms; |
| 160 |
manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) |
| 161 |
manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) |
| 162 |
manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) |
| 163 |
+allow httpd_t httpd_squirrelmail_t:file map; |
| 164 |
|
| 165 |
allow httpd_t httpd_suexec_exec_t:file read_file_perms; |
| 166 |
|
| 167 |
@@ -425,6 +427,7 @@ allow httpd_t httpd_sys_script_t:process signull; |
| 168 |
|
| 169 |
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) |
| 170 |
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) |
| 171 |
+allow httpd_t httpd_tmp_t:file map; |
| 172 |
manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) |
| 173 |
manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) |
| 174 |
files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file }) |
| 175 |
@@ -439,6 +442,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi |
| 176 |
|
| 177 |
manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) |
| 178 |
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) |
| 179 |
+allow httpd_t httpd_var_lib_t:file map; |
| 180 |
manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) |
| 181 |
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) |
| 182 |
|
| 183 |
@@ -460,6 +464,7 @@ domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) |
| 184 |
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) |
| 185 |
|
| 186 |
kernel_read_kernel_sysctls(httpd_t) |
| 187 |
+kernel_read_crypto_sysctls(httpd_t) |
| 188 |
kernel_read_vm_sysctls(httpd_t) |
| 189 |
kernel_read_vm_overcommit_sysctl(httpd_t) |
| 190 |
kernel_read_network_state(httpd_t) |
| 191 |
@@ -484,6 +489,7 @@ dev_read_sysfs(httpd_t) |
| 192 |
dev_read_rand(httpd_t) |
| 193 |
dev_read_urand(httpd_t) |
| 194 |
dev_rw_crypto(httpd_t) |
| 195 |
+dev_rwx_zero(httpd_t) |
| 196 |
|
| 197 |
domain_use_interactive_fds(httpd_t) |
| 198 |
|
| 199 |
@@ -492,10 +498,12 @@ fs_search_auto_mountpoints(httpd_t) |
| 200 |
|
| 201 |
fs_read_anon_inodefs_files(httpd_t) |
| 202 |
fs_rw_inherited_hugetlbfs_files(httpd_t) |
| 203 |
+fs_mmap_rw_hugetlbfs_files(httpd_t) |
| 204 |
fs_read_iso9660_files(httpd_t) |
| 205 |
|
| 206 |
files_dontaudit_getattr_all_runtime_files(httpd_t) |
| 207 |
files_read_usr_files(httpd_t) |
| 208 |
+files_map_usr_files(httpd_t) |
| 209 |
files_list_mnt(httpd_t) |
| 210 |
files_search_spool(httpd_t) |
| 211 |
files_read_var_symlinks(httpd_t) |
| 212 |
@@ -504,6 +512,7 @@ files_search_home(httpd_t) |
| 213 |
files_getattr_home_dir(httpd_t) |
| 214 |
files_read_etc_runtime_files(httpd_t) |
| 215 |
files_read_var_lib_symlinks(httpd_t) |
| 216 |
+files_map_etc_files(httpd_t) |
| 217 |
|
| 218 |
auth_use_nsswitch(httpd_t) |
| 219 |
|
| 220 |
@@ -573,7 +582,7 @@ tunable_policy(`httpd_builtin_scripting',` |
| 221 |
exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type) |
| 222 |
|
| 223 |
allow httpd_t httpdcontent:dir list_dir_perms; |
| 224 |
- allow httpd_t httpdcontent:file read_file_perms; |
| 225 |
+ allow httpd_t httpdcontent:file { map read_file_perms }; |
| 226 |
allow httpd_t httpdcontent:lnk_file read_lnk_file_perms; |
| 227 |
|
| 228 |
allow httpd_t httpd_ra_content:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms }; |
| 229 |
@@ -614,6 +623,7 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` |
| 230 |
|
| 231 |
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) |
| 232 |
manage_files_pattern(httpd_t, httpdcontent, httpdcontent) |
| 233 |
+ allow httpd_t httpdcontent:file map; |
| 234 |
manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent) |
| 235 |
manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent) |
| 236 |
manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent) |
| 237 |
@@ -899,6 +909,7 @@ optional_policy(` |
| 238 |
# |
| 239 |
|
| 240 |
read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t) |
| 241 |
+allow httpd_t httpd_config_t:file map; |
| 242 |
|
| 243 |
append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t) |
| 244 |
read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t) |
| 245 |
|
| 246 |
diff --git a/policy/modules/services/aptcacher.fc b/policy/modules/services/aptcacher.fc |
| 247 |
index 5f27bb04..fcdc96a8 100644 |
| 248 |
--- a/policy/modules/services/aptcacher.fc |
| 249 |
+++ b/policy/modules/services/aptcacher.fc |
| 250 |
@@ -2,12 +2,15 @@ |
| 251 |
|
| 252 |
/usr/lib/apt-cacher-ng/acngtool -- gen_context(system_u:object_r:acngtool_exec_t,s0) |
| 253 |
|
| 254 |
-/usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0) |
| 255 |
+/usr/sbin/apt-cacher.* -- gen_context(system_u:object_r:aptcacher_exec_t,s0) |
| 256 |
|
| 257 |
+/run/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_runtime_t,s0) |
| 258 |
/run/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_runtime_t,s0) |
| 259 |
|
| 260 |
+/var/cache/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_cache_t,s0) |
| 261 |
/var/cache/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_cache_t,s0) |
| 262 |
|
| 263 |
/var/lib/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_lib_t,s0) |
| 264 |
|
| 265 |
+/var/log/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0) |
| 266 |
/var/log/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0) |
| 267 |
|
| 268 |
diff --git a/policy/modules/services/aptcacher.if b/policy/modules/services/aptcacher.if |
| 269 |
index 12c1335a..8c99a699 100644 |
| 270 |
--- a/policy/modules/services/aptcacher.if |
| 271 |
+++ b/policy/modules/services/aptcacher.if |
| 272 |
@@ -63,3 +63,43 @@ interface(`aptcacher_stream_connect',` |
| 273 |
files_search_runtime($1) |
| 274 |
stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t) |
| 275 |
') |
| 276 |
+ |
| 277 |
+###################################### |
| 278 |
+## <summary> |
| 279 |
+## read aptcacher config |
| 280 |
+## </summary> |
| 281 |
+## <param name="domain"> |
| 282 |
+## <summary> |
| 283 |
+## Domain allowed to read it. |
| 284 |
+## </summary> |
| 285 |
+## </param> |
| 286 |
+# |
| 287 |
+interface(`aptcacher_read_config',` |
| 288 |
+ gen_require(` |
| 289 |
+ type aptcacher_etc_t; |
| 290 |
+ ') |
| 291 |
+ |
| 292 |
+ files_search_etc($1) |
| 293 |
+ allow $1 aptcacher_etc_t:dir list_dir_perms; |
| 294 |
+ allow $1 aptcacher_etc_t:file read_file_perms; |
| 295 |
+') |
| 296 |
+ |
| 297 |
+###################################### |
| 298 |
+## <summary> |
| 299 |
+## mmap and read aptcacher config |
| 300 |
+## </summary> |
| 301 |
+## <param name="domain"> |
| 302 |
+## <summary> |
| 303 |
+## Domain allowed to read it. |
| 304 |
+## </summary> |
| 305 |
+## </param> |
| 306 |
+# |
| 307 |
+interface(`aptcacher_mmap_read_config',` |
| 308 |
+ gen_require(` |
| 309 |
+ type aptcacher_etc_t; |
| 310 |
+ ') |
| 311 |
+ |
| 312 |
+ files_search_etc($1) |
| 313 |
+ allow $1 aptcacher_etc_t:dir list_dir_perms; |
| 314 |
+ allow $1 aptcacher_etc_t:file mmap_read_file_perms; |
| 315 |
+') |
| 316 |
|
| 317 |
diff --git a/policy/modules/services/aptcacher.te b/policy/modules/services/aptcacher.te |
| 318 |
index 57ceaed5..d9089a77 100644 |
| 319 |
--- a/policy/modules/services/aptcacher.te |
| 320 |
+++ b/policy/modules/services/aptcacher.te |
| 321 |
@@ -75,6 +75,8 @@ corenet_tcp_connect_http_port(aptcacher_t) |
| 322 |
|
| 323 |
auth_use_nsswitch(aptcacher_t) |
| 324 |
|
| 325 |
+files_read_etc_files(aptcacher_t) |
| 326 |
+ |
| 327 |
# Uses sd_notify() to inform systemd it has properly started |
| 328 |
init_dgram_send(aptcacher_t) |
| 329 |
|
| 330 |
|
| 331 |
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te |
| 332 |
index 1eceba35..57ae7be3 100644 |
| 333 |
--- a/policy/modules/services/bind.te |
| 334 |
+++ b/policy/modules/services/bind.te |
| 335 |
@@ -149,6 +149,7 @@ domain_use_interactive_fds(named_t) |
| 336 |
|
| 337 |
files_read_etc_runtime_files(named_t) |
| 338 |
files_read_usr_files(named_t) |
| 339 |
+files_map_usr_files(named_t) |
| 340 |
|
| 341 |
fs_getattr_all_fs(named_t) |
| 342 |
fs_search_auto_mountpoints(named_t) |
| 343 |
|
| 344 |
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te |
| 345 |
index 1eba7d63..ca035d5e 100644 |
| 346 |
--- a/policy/modules/services/colord.te |
| 347 |
+++ b/policy/modules/services/colord.te |
| 348 |
@@ -31,6 +31,8 @@ allow colord_t self:netlink_kobject_uevent_socket create_socket_perms; |
| 349 |
allow colord_t self:tcp_socket { accept listen }; |
| 350 |
allow colord_t self:shm create_shm_perms; |
| 351 |
|
| 352 |
+can_exec(colord_t, colord_exec_t) |
| 353 |
+ |
| 354 |
manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t) |
| 355 |
manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t) |
| 356 |
files_tmp_filetrans(colord_t, colord_tmp_t, { file dir }) |
| 357 |
@@ -127,6 +129,10 @@ optional_policy(` |
| 358 |
policykit_read_reload(colord_t) |
| 359 |
') |
| 360 |
|
| 361 |
+optional_policy(` |
| 362 |
+ snmp_read_snmp_var_lib_files(colord_t) |
| 363 |
+') |
| 364 |
+ |
| 365 |
optional_policy(` |
| 366 |
sysnet_exec_ifconfig(colord_t) |
| 367 |
') |
| 368 |
@@ -135,6 +141,10 @@ optional_policy(` |
| 369 |
udev_read_runtime_files(colord_t) |
| 370 |
') |
| 371 |
|
| 372 |
+optional_policy(` |
| 373 |
+ unconfined_dbus_send(colord_t) |
| 374 |
+') |
| 375 |
+ |
| 376 |
optional_policy(` |
| 377 |
xserver_read_xdm_lib_files(colord_t) |
| 378 |
xserver_use_xdm_fds(colord_t) |
| 379 |
|
| 380 |
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te |
| 381 |
index 69de0c54..72e1d8c4 100644 |
| 382 |
--- a/policy/modules/services/cron.te |
| 383 |
+++ b/policy/modules/services/cron.te |
| 384 |
@@ -309,6 +309,8 @@ init_start_all_units(system_cronjob_t) |
| 385 |
init_get_generic_units_status(system_cronjob_t) |
| 386 |
init_get_system_status(system_cronjob_t) |
| 387 |
|
| 388 |
+backup_manage_store_files(system_cronjob_t) |
| 389 |
+ |
| 390 |
auth_manage_var_auth(crond_t) |
| 391 |
auth_use_pam(crond_t) |
| 392 |
|
| 393 |
@@ -344,6 +346,11 @@ ifdef(`distro_debian',` |
| 394 |
dpkg_manage_db(system_cronjob_t) |
| 395 |
') |
| 396 |
|
| 397 |
+ optional_policy(` |
| 398 |
+ aptcacher_mmap_read_config(system_cronjob_t) |
| 399 |
+ corenet_tcp_connect_aptcacher_port(system_cronjob_t) |
| 400 |
+ ') |
| 401 |
+ |
| 402 |
optional_policy(` |
| 403 |
logwatch_search_cache_dir(crond_t) |
| 404 |
') |
| 405 |
@@ -432,6 +439,7 @@ optional_policy(` |
| 406 |
init_dbus_chat(crond_t) |
| 407 |
init_dbus_chat(system_cronjob_t) |
| 408 |
systemd_dbus_chat_logind(system_cronjob_t) |
| 409 |
+ systemd_read_journal_files(system_cronjob_t) |
| 410 |
systemd_write_inherited_logind_sessions_pipes(system_cronjob_t) |
| 411 |
# so cron jobs can restart daemons |
| 412 |
init_stream_connect(system_cronjob_t) |
| 413 |
@@ -501,6 +509,7 @@ corenet_tcp_sendrecv_generic_if(system_cronjob_t) |
| 414 |
corenet_udp_sendrecv_generic_if(system_cronjob_t) |
| 415 |
corenet_tcp_sendrecv_generic_node(system_cronjob_t) |
| 416 |
corenet_udp_sendrecv_generic_node(system_cronjob_t) |
| 417 |
+corenet_udp_bind_generic_node(system_cronjob_t) |
| 418 |
|
| 419 |
dev_getattr_all_blk_files(system_cronjob_t) |
| 420 |
dev_getattr_all_chr_files(system_cronjob_t) |
| 421 |
@@ -583,6 +592,7 @@ optional_policy(` |
| 422 |
apache_read_log(system_cronjob_t) |
| 423 |
apache_read_sys_content(system_cronjob_t) |
| 424 |
apache_delete_lib_files(system_cronjob_t) |
| 425 |
+ apache_delete_squirrelmail_spool(system_cronjob_t) |
| 426 |
') |
| 427 |
|
| 428 |
optional_policy(` |
| 429 |
@@ -655,6 +665,8 @@ optional_policy(` |
| 430 |
|
| 431 |
optional_policy(` |
| 432 |
spamassassin_manage_lib_files(system_cronjob_t) |
| 433 |
+ spamassassin_status(system_cronjob_t) |
| 434 |
+ spamassassin_reload(system_cronjob_t) |
| 435 |
') |
| 436 |
|
| 437 |
optional_policy(` |
| 438 |
|
| 439 |
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te |
| 440 |
index 9ead4c30..f6e4a0e6 100644 |
| 441 |
--- a/policy/modules/services/cups.te |
| 442 |
+++ b/policy/modules/services/cups.te |
| 443 |
@@ -111,11 +111,12 @@ ifdef(`enable_mls',` |
| 444 |
|
| 445 |
allow cupsd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource sys_tty_config }; |
| 446 |
dontaudit cupsd_t self:capability { net_admin sys_tty_config }; |
| 447 |
-allow cupsd_t self:capability2 block_suspend; |
| 448 |
+allow cupsd_t self:capability2 { block_suspend wake_alarm }; |
| 449 |
allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; |
| 450 |
allow cupsd_t self:fifo_file rw_fifo_file_perms; |
| 451 |
allow cupsd_t self:unix_stream_socket { accept connectto listen }; |
| 452 |
allow cupsd_t self:netlink_selinux_socket create_socket_perms; |
| 453 |
+allow cupsd_t self:netlink_kobject_uevent_socket create_socket_perms; |
| 454 |
allow cupsd_t self:shm create_shm_perms; |
| 455 |
allow cupsd_t self:sem create_sem_perms; |
| 456 |
allow cupsd_t self:tcp_socket { accept listen }; |
| 457 |
|
| 458 |
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te |
| 459 |
index fcae68a5..b69c8113 100644 |
| 460 |
--- a/policy/modules/services/devicekit.te |
| 461 |
+++ b/policy/modules/services/devicekit.te |
| 462 |
@@ -131,6 +131,8 @@ fs_mount_all_fs(devicekit_disk_t) |
| 463 |
fs_unmount_all_fs(devicekit_disk_t) |
| 464 |
fs_search_all(devicekit_disk_t) |
| 465 |
|
| 466 |
+mount_rw_runtime_files(devicekit_disk_t) |
| 467 |
+ |
| 468 |
mls_file_read_all_levels(devicekit_disk_t) |
| 469 |
mls_file_write_to_clearance(devicekit_disk_t) |
| 470 |
|
| 471 |
|
| 472 |
diff --git a/policy/modules/services/entropyd.te b/policy/modules/services/entropyd.te |
| 473 |
index aa404773..f2405692 100644 |
| 474 |
--- a/policy/modules/services/entropyd.te |
| 475 |
+++ b/policy/modules/services/entropyd.te |
| 476 |
@@ -55,6 +55,7 @@ files_read_usr_files(entropyd_t) |
| 477 |
|
| 478 |
fs_getattr_all_fs(entropyd_t) |
| 479 |
fs_search_auto_mountpoints(entropyd_t) |
| 480 |
+fs_search_tmpfs(entropyd_t) |
| 481 |
|
| 482 |
domain_use_interactive_fds(entropyd_t) |
| 483 |
|
| 484 |
|
| 485 |
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te |
| 486 |
index 352b4ca8..1e97cdfa 100644 |
| 487 |
--- a/policy/modules/services/fail2ban.te |
| 488 |
+++ b/policy/modules/services/fail2ban.te |
| 489 |
@@ -63,6 +63,7 @@ manage_files_pattern(fail2ban_t, fail2ban_runtime_t, fail2ban_runtime_t) |
| 490 |
files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file) |
| 491 |
|
| 492 |
kernel_read_system_state(fail2ban_t) |
| 493 |
+kernel_search_fs_sysctls(fail2ban_t) |
| 494 |
|
| 495 |
corecmd_exec_bin(fail2ban_t) |
| 496 |
corecmd_exec_shell(fail2ban_t) |
| 497 |
@@ -90,6 +91,7 @@ fs_getattr_all_fs(fail2ban_t) |
| 498 |
auth_use_nsswitch(fail2ban_t) |
| 499 |
|
| 500 |
logging_read_all_logs(fail2ban_t) |
| 501 |
+logging_read_audit_log(fail2ban_t) |
| 502 |
logging_send_syslog_msg(fail2ban_t) |
| 503 |
|
| 504 |
miscfiles_read_localization(fail2ban_t) |
| 505 |
|
| 506 |
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te |
| 507 |
index 7d028b8d..06273d09 100644 |
| 508 |
--- a/policy/modules/services/jabber.te |
| 509 |
+++ b/policy/modules/services/jabber.te |
| 510 |
@@ -110,8 +110,11 @@ files_read_etc_runtime_files(jabberd_t) |
| 511 |
# usr for lua modules |
| 512 |
files_read_usr_files(jabberd_t) |
| 513 |
|
| 514 |
+files_search_var_lib(jabberd_t) |
| 515 |
+ |
| 516 |
fs_search_auto_mountpoints(jabberd_t) |
| 517 |
|
| 518 |
+miscfiles_read_generic_tls_privkey(jabberd_t) |
| 519 |
miscfiles_read_all_certs(jabberd_t) |
| 520 |
|
| 521 |
sysnet_read_config(jabberd_t) |
| 522 |
|
| 523 |
diff --git a/policy/modules/services/l2tp.te b/policy/modules/services/l2tp.te |
| 524 |
index 0fa4d8dd..6a429835 100644 |
| 525 |
--- a/policy/modules/services/l2tp.te |
| 526 |
+++ b/policy/modules/services/l2tp.te |
| 527 |
@@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_perms; |
| 528 |
allow l2tpd_t self:tcp_socket { accept listen }; |
| 529 |
allow l2tpd_t self:unix_dgram_socket sendto; |
| 530 |
allow l2tpd_t self:unix_stream_socket { accept listen }; |
| 531 |
+allow l2tpd_t self:pppox_socket create; |
| 532 |
|
| 533 |
read_files_pattern(l2tpd_t, l2tp_conf_t, l2tp_conf_t) |
| 534 |
|
| 535 |
|
| 536 |
diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te |
| 537 |
index 08f1b0a0..74a94b89 100644 |
| 538 |
--- a/policy/modules/services/mon.te |
| 539 |
+++ b/policy/modules/services/mon.te |
| 540 |
@@ -147,6 +147,10 @@ optional_policy(` |
| 541 |
bind_read_zone(mon_net_test_t) |
| 542 |
') |
| 543 |
|
| 544 |
+optional_policy(` |
| 545 |
+ mysql_stream_connect(mon_net_test_t) |
| 546 |
+') |
| 547 |
+ |
| 548 |
######################################## |
| 549 |
# |
| 550 |
# Local policy |
| 551 |
@@ -156,7 +160,8 @@ optional_policy(` |
| 552 |
# try not to use dontaudit rules for this |
| 553 |
# |
| 554 |
|
| 555 |
-allow mon_local_test_t self:capability sys_admin; |
| 556 |
+# sys_ptrace is for reading /proc/1/maps etc |
| 557 |
+allow mon_local_test_t self:capability { sys_ptrace sys_admin }; |
| 558 |
allow mon_local_test_t self:fifo_file rw_fifo_file_perms; |
| 559 |
allow mon_local_test_t self:process getsched; |
| 560 |
|
| 561 |
|
| 562 |
diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc |
| 563 |
index 7739d36d..d23f2636 100644 |
| 564 |
--- a/policy/modules/services/mysql.fc |
| 565 |
+++ b/policy/modules/services/mysql.fc |
| 566 |
@@ -20,6 +20,7 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) |
| 567 |
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) |
| 568 |
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) |
| 569 |
/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0) |
| 570 |
+/usr/sbin/mariadbd -- gen_context(system_u:object_r:mysqld_exec_t,s0) |
| 571 |
|
| 572 |
/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) |
| 573 |
/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_runtime_t,s0) |
| 574 |
|
| 575 |
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te |
| 576 |
index f88f458b..5a264e2f 100644 |
| 577 |
--- a/policy/modules/services/mysql.te |
| 578 |
+++ b/policy/modules/services/mysql.te |
| 579 |
@@ -65,7 +65,7 @@ files_runtime_file(mysqlmanagerd_runtime_t) |
| 580 |
# Local policy |
| 581 |
# |
| 582 |
|
| 583 |
-allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource }; |
| 584 |
+allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource }; |
| 585 |
dontaudit mysqld_t self:capability sys_tty_config; |
| 586 |
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; |
| 587 |
allow mysqld_t self:fifo_file rw_fifo_file_perms; |
| 588 |
@@ -75,6 +75,7 @@ allow mysqld_t self:tcp_socket { accept listen }; |
| 589 |
|
| 590 |
manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) |
| 591 |
manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) |
| 592 |
+allow mysqld_t mysqld_db_t:file map; |
| 593 |
manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) |
| 594 |
files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file }) |
| 595 |
|
| 596 |
@@ -91,6 +92,7 @@ logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file }) |
| 597 |
|
| 598 |
manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) |
| 599 |
manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) |
| 600 |
+allow mysqld_t mysqld_tmp_t:file map; |
| 601 |
files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) |
| 602 |
|
| 603 |
manage_dirs_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t) |
| 604 |
@@ -102,6 +104,7 @@ kernel_read_kernel_sysctls(mysqld_t) |
| 605 |
kernel_read_network_state(mysqld_t) |
| 606 |
kernel_read_system_state(mysqld_t) |
| 607 |
kernel_read_vm_sysctls(mysqld_t) |
| 608 |
+kernel_read_vm_overcommit_sysctl(mysqld_t) |
| 609 |
|
| 610 |
corenet_all_recvfrom_netlabel(mysqld_t) |
| 611 |
corenet_tcp_sendrecv_generic_if(mysqld_t) |
| 612 |
@@ -123,6 +126,7 @@ domain_use_interactive_fds(mysqld_t) |
| 613 |
|
| 614 |
fs_getattr_all_fs(mysqld_t) |
| 615 |
fs_search_auto_mountpoints(mysqld_t) |
| 616 |
+fs_search_tmpfs(mysqld_t) |
| 617 |
fs_rw_hugetlbfs_files(mysqld_t) |
| 618 |
|
| 619 |
files_read_etc_runtime_files(mysqld_t) |
| 620 |
@@ -132,6 +136,7 @@ auth_use_nsswitch(mysqld_t) |
| 621 |
|
| 622 |
logging_send_syslog_msg(mysqld_t) |
| 623 |
|
| 624 |
+miscfiles_read_generic_certs(mysqld_t) |
| 625 |
miscfiles_read_localization(mysqld_t) |
| 626 |
|
| 627 |
userdom_search_user_home_dirs(mysqld_t) |
| 628 |
|
| 629 |
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te |
| 630 |
index 76bdae5a..9aa0afaf 100644 |
| 631 |
--- a/policy/modules/services/openvpn.te |
| 632 |
+++ b/policy/modules/services/openvpn.te |
| 633 |
@@ -131,6 +131,8 @@ fs_search_auto_mountpoints(openvpn_t) |
| 634 |
|
| 635 |
auth_use_pam(openvpn_t) |
| 636 |
|
| 637 |
+init_read_state(openvpn_t) |
| 638 |
+ |
| 639 |
miscfiles_read_localization(openvpn_t) |
| 640 |
miscfiles_read_all_certs(openvpn_t) |
| 641 |
|
| 642 |
@@ -162,6 +164,10 @@ optional_policy(` |
| 643 |
daemontools_service_domain(openvpn_t, openvpn_exec_t) |
| 644 |
') |
| 645 |
|
| 646 |
+optional_policy(` |
| 647 |
+ dpkg_script_rw_inherited_pipes(openvpn_t) |
| 648 |
+') |
| 649 |
+ |
| 650 |
optional_policy(` |
| 651 |
dbus_system_bus_client(openvpn_t) |
| 652 |
dbus_connect_system_bus(openvpn_t) |
| 653 |
@@ -174,3 +180,7 @@ optional_policy(` |
| 654 |
optional_policy(` |
| 655 |
systemd_use_passwd_agent(openvpn_t) |
| 656 |
') |
| 657 |
+ |
| 658 |
+optional_policy(` |
| 659 |
+ unconfined_use_fds(openvpn_t) |
| 660 |
+') |
| 661 |
|
| 662 |
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te |
| 663 |
index 169dab12..a96e9dd9 100644 |
| 664 |
--- a/policy/modules/services/postgrey.te |
| 665 |
+++ b/policy/modules/services/postgrey.te |
| 666 |
@@ -47,6 +47,7 @@ manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) |
| 667 |
manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) |
| 668 |
|
| 669 |
manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t) |
| 670 |
+allow postgrey_t postgrey_var_lib_t:file map; |
| 671 |
files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file) |
| 672 |
|
| 673 |
manage_dirs_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t) |
| 674 |
|
| 675 |
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te |
| 676 |
index 9e95d8dc..844a8038 100644 |
| 677 |
--- a/policy/modules/services/rpc.te |
| 678 |
+++ b/policy/modules/services/rpc.te |
| 679 |
@@ -218,6 +218,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; |
| 680 |
|
| 681 |
kernel_read_network_state(nfsd_t) |
| 682 |
kernel_dontaudit_getattr_core_if(nfsd_t) |
| 683 |
+kernel_search_debugfs(nfsd_t) |
| 684 |
kernel_setsched(nfsd_t) |
| 685 |
kernel_request_load_module(nfsd_t) |
| 686 |
# kernel_mounton_proc(nfsd_t) |
| 687 |
|
| 688 |
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te |
| 689 |
index 2f0fefef..855d846d 100644 |
| 690 |
--- a/policy/modules/services/samba.te |
| 691 |
+++ b/policy/modules/services/samba.te |
| 692 |
@@ -201,11 +201,14 @@ files_tmp_file(winbind_tmp_t) |
| 693 |
|
| 694 |
allow samba_net_t self:capability { dac_override dac_read_search sys_chroot sys_nice }; |
| 695 |
allow samba_net_t self:capability2 block_suspend; |
| 696 |
-allow samba_net_t self:process { getsched setsched }; |
| 697 |
+allow samba_net_t self:process { sigkill getsched setsched }; |
| 698 |
allow samba_net_t self:unix_stream_socket { accept listen }; |
| 699 |
+allow samba_net_t self:fifo_file rw_file_perms; |
| 700 |
|
| 701 |
allow samba_net_t samba_etc_t:file read_file_perms; |
| 702 |
|
| 703 |
+allow samba_net_t samba_var_run_t:file { map read_file_perms }; |
| 704 |
+ |
| 705 |
manage_files_pattern(samba_net_t, samba_etc_t, samba_secrets_t) |
| 706 |
filetrans_pattern(samba_net_t, samba_etc_t, samba_secrets_t, file) |
| 707 |
|
| 708 |
@@ -215,6 +218,7 @@ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir }) |
| 709 |
|
| 710 |
manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t) |
| 711 |
manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) |
| 712 |
+allow samba_net_t samba_var_t:file map; |
| 713 |
manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) |
| 714 |
files_var_filetrans(samba_net_t, samba_var_t, dir, "samba") |
| 715 |
|
| 716 |
@@ -300,6 +304,7 @@ allow smbd_t samba_share_t:filesystem { getattr quotaget }; |
| 717 |
|
| 718 |
manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) |
| 719 |
manage_files_pattern(smbd_t, samba_var_t, samba_var_t) |
| 720 |
+allow smbd_t samba_var_t:file map; |
| 721 |
manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) |
| 722 |
manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) |
| 723 |
files_var_filetrans(smbd_t, samba_var_t, dir, "samba") |
| 724 |
@@ -310,6 +315,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) |
| 725 |
|
| 726 |
manage_dirs_pattern(smbd_t, samba_runtime_t, samba_runtime_t) |
| 727 |
manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t) |
| 728 |
+allow smbd_t samba_runtime_t:file map; |
| 729 |
manage_sock_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t) |
| 730 |
files_runtime_filetrans(smbd_t, samba_runtime_t, { dir file }) |
| 731 |
|
| 732 |
@@ -317,6 +323,7 @@ allow smbd_t winbind_runtime_t:sock_file read_sock_file_perms; |
| 733 |
stream_connect_pattern(smbd_t, winbind_runtime_t, winbind_runtime_t, winbind_t) |
| 734 |
|
| 735 |
stream_connect_pattern(smbd_t, samba_runtime_t, samba_runtime_t, nmbd_t) |
| 736 |
+allow smbd_t nmbd_t:unix_dgram_socket sendto; |
| 737 |
|
| 738 |
kernel_getattr_core_if(smbd_t) |
| 739 |
kernel_getattr_message_if(smbd_t) |
| 740 |
@@ -479,6 +486,10 @@ optional_policy(` |
| 741 |
cups_stream_connect(smbd_t) |
| 742 |
') |
| 743 |
|
| 744 |
+optional_policy(` |
| 745 |
+ dbus_system_bus_client(smbd_t) |
| 746 |
+') |
| 747 |
+ |
| 748 |
optional_policy(` |
| 749 |
kerberos_read_keytab(smbd_t) |
| 750 |
kerberos_use(smbd_t) |
| 751 |
@@ -520,6 +531,7 @@ allow nmbd_t self:unix_stream_socket { accept connectto listen }; |
| 752 |
|
| 753 |
manage_dirs_pattern(nmbd_t, samba_runtime_t, samba_runtime_t) |
| 754 |
manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t) |
| 755 |
+allow nmbd_t samba_runtime_t:file map; |
| 756 |
manage_sock_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t) |
| 757 |
files_runtime_filetrans(nmbd_t, samba_runtime_t, { dir file sock_file }) |
| 758 |
|
| 759 |
@@ -532,7 +544,7 @@ create_files_pattern(nmbd_t, samba_log_t, samba_log_t) |
| 760 |
setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t) |
| 761 |
|
| 762 |
manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) |
| 763 |
-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) |
| 764 |
+allow nmbd_t samba_var_t:file map; |
| 765 |
manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t) |
| 766 |
manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t) |
| 767 |
files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd") |
| 768 |
@@ -613,6 +625,8 @@ allow smbcontrol_t self:process { signal signull }; |
| 769 |
|
| 770 |
allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull }; |
| 771 |
read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t) |
| 772 |
+allow smbcontrol_t samba_runtime_t:dir rw_dir_perms; |
| 773 |
+init_use_fds(smbcontrol_t) |
| 774 |
|
| 775 |
manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) |
| 776 |
|
| 777 |
|
| 778 |
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te |
| 779 |
index fc3f9502..a6351969 100644 |
| 780 |
--- a/policy/modules/services/smartmon.te |
| 781 |
+++ b/policy/modules/services/smartmon.te |
| 782 |
@@ -38,7 +38,7 @@ ifdef(`enable_mls',` |
| 783 |
# Local policy |
| 784 |
# |
| 785 |
|
| 786 |
-allow fsdaemon_t self:capability { dac_override kill setgid setpcap sys_admin sys_rawio }; |
| 787 |
+allow fsdaemon_t self:capability { dac_override kill setgid setuid setpcap sys_admin sys_rawio }; |
| 788 |
dontaudit fsdaemon_t self:capability sys_tty_config; |
| 789 |
allow fsdaemon_t self:process { getcap setcap signal_perms }; |
| 790 |
allow fsdaemon_t self:fifo_file rw_fifo_file_perms; |
| 791 |
|
| 792 |
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te |
| 793 |
index f7b3a5a3..f9890df1 100644 |
| 794 |
--- a/policy/modules/services/squid.te |
| 795 |
+++ b/policy/modules/services/squid.te |
| 796 |
@@ -71,6 +71,7 @@ allow squid_t self:msg { send receive }; |
| 797 |
allow squid_t self:unix_dgram_socket sendto; |
| 798 |
allow squid_t self:unix_stream_socket { accept connectto listen }; |
| 799 |
allow squid_t self:tcp_socket { accept listen }; |
| 800 |
+allow squid_t self:netlink_netfilter_socket create_socket_perms; |
| 801 |
|
| 802 |
manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t) |
| 803 |
manage_files_pattern(squid_t, squid_cache_t, squid_cache_t) |
| 804 |
@@ -91,6 +92,7 @@ manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t) |
| 805 |
files_tmp_filetrans(squid_t, squid_tmp_t, { file dir }) |
| 806 |
|
| 807 |
manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) |
| 808 |
+allow squid_t squid_tmpfs_t:file map; |
| 809 |
fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) |
| 810 |
|
| 811 |
manage_files_pattern(squid_t, squid_runtime_t, squid_runtime_t) |
| 812 |
|
| 813 |
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te |
| 814 |
index 445ab87f..0da1a599 100644 |
| 815 |
--- a/policy/modules/services/tor.te |
| 816 |
+++ b/policy/modules/services/tor.te |
| 817 |
@@ -74,6 +74,7 @@ files_runtime_filetrans(tor_t, tor_runtime_t, { dir file sock_file }) |
| 818 |
kernel_read_kernel_sysctls(tor_t) |
| 819 |
kernel_read_net_sysctls(tor_t) |
| 820 |
kernel_read_system_state(tor_t) |
| 821 |
+kernel_read_vm_overcommit_sysctl(tor_t) |
| 822 |
|
| 823 |
corenet_all_recvfrom_netlabel(tor_t) |
| 824 |
corenet_tcp_sendrecv_generic_if(tor_t) |
| 825 |
|
| 826 |
diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te |
| 827 |
index e1e9d9a9..4a677a3f 100644 |
| 828 |
--- a/policy/modules/services/watchdog.te |
| 829 |
+++ b/policy/modules/services/watchdog.te |
| 830 |
@@ -76,6 +76,8 @@ auth_append_login_records(watchdog_t) |
| 831 |
|
| 832 |
logging_send_syslog_msg(watchdog_t) |
| 833 |
|
| 834 |
+mcs_killall(watchdog_t) |
| 835 |
+ |
| 836 |
miscfiles_read_localization(watchdog_t) |
| 837 |
|
| 838 |
sysnet_dns_name_resolve(watchdog_t) |
| 839 |
|
| 840 |
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if |
| 841 |
index 0e76767f..8ba496cd 100644 |
| 842 |
--- a/policy/modules/services/xserver.if |
| 843 |
+++ b/policy/modules/services/xserver.if |
| 844 |
@@ -1643,6 +1643,7 @@ interface(`xserver_rw_mesa_shader_cache',` |
| 845 |
|
| 846 |
rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) |
| 847 |
rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) |
| 848 |
+ allow $1 mesa_shader_cache_t:file map; |
| 849 |
xdg_search_cache_dirs($1) |
| 850 |
') |
Archives