commit: d2423ae4bde7048042e80957e3c727eb59e04c8b |
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> |
AuthorDate: Wed Jan 27 03:15:50 2021 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Mon Feb 1 01:21:42 2021 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d2423ae4 |
|
misc services patches with changes Dominick and Chris wanted |
|
I think this one is ready to merge. |
|
Signed-off-by: Russell Coker <russell <AT> coker.com.au> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/services/apache.fc | 6 +++++- |
policy/modules/services/apache.if | 22 ++++++++++++++++++++ |
policy/modules/services/apache.te | 15 ++++++++++++-- |
policy/modules/services/aptcacher.fc | 5 ++++- |
policy/modules/services/aptcacher.if | 40 ++++++++++++++++++++++++++++++++++++ |
policy/modules/services/aptcacher.te | 2 ++ |
policy/modules/services/bind.te | 1 + |
policy/modules/services/colord.te | 10 +++++++++ |
policy/modules/services/cron.te | 12 +++++++++++ |
policy/modules/services/cups.te | 3 ++- |
policy/modules/services/devicekit.te | 2 ++ |
policy/modules/services/entropyd.te | 1 + |
policy/modules/services/fail2ban.te | 2 ++ |
policy/modules/services/jabber.te | 3 +++ |
policy/modules/services/l2tp.te | 1 + |
policy/modules/services/mon.te | 7 ++++++- |
policy/modules/services/mysql.fc | 1 + |
policy/modules/services/mysql.te | 7 ++++++- |
policy/modules/services/openvpn.te | 10 +++++++++ |
policy/modules/services/postgrey.te | 1 + |
policy/modules/services/rpc.te | 1 + |
policy/modules/services/samba.te | 18 ++++++++++++++-- |
policy/modules/services/smartmon.te | 2 +- |
policy/modules/services/squid.te | 2 ++ |
policy/modules/services/tor.te | 1 + |
policy/modules/services/watchdog.te | 2 ++ |
policy/modules/services/xserver.if | 1 + |
27 files changed, 168 insertions(+), 10 deletions(-) |
|
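diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 52879fe1..6c4ddba7 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -80,6 +80,8 @@ ifndef(`distro_gentoo',`
 /usr/sbin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php.*-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php-fpm[^/]+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
 ifndef(`distro_gentoo',`
 /usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -152,7 +154,7 @@ ifndef(`distro_gentoo',`
 /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0)
 /var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+/var/lib/squirrelmail(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
 /var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
 /var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -180,6 +182,7 @@ ifndef(`distro_gentoo',`
 /var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/php7..-fpm.log -- gen_context(system_u:object_r:httpd_log_t,s0)
 
 /run/apache.* gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/cherokee\.pid -- gen_context(system_u:object_r:httpd_runtime_t,s0)
@@ -188,6 +191,7 @@ ifndef(`distro_gentoo',`
 /run/httpd.* gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/mod_.* gen_context(system_u:object_r:httpd_runtime_t,s0)
+/run/php(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/wsgi.* -s gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
 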
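Review bot: The new log entry `/var/log/php7..-fpm.log` in the third hunk is pinned to PHP 7 and leaves its dots unescaped, while the two executable entries added in the first hunk match any PHP version; a PHP 8 FPM log would presumably keep the generic /var/log label, and `-fpm.log` departs from the `\.` escaping used by the neighbouring `suphp\.log.*` and `cherokee\.pid` entries. Something like `/var/log/php[^/]*-fpm\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)` would cover other versions and rotated logs under the same label. Widening `/var/lib/squirrelmail/prefs(/.*)?` to `/var/lib/squirrelmail(/.*)?` puts the whole tree under httpd_squirrelmail_t, which httpd_t manages (see the apache.te hunk in this commit), so anything else stored there becomes web-server-writable; worth a sentence in the commit message if that is intended.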
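diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index f8c6c909..44767359 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -71,6 +71,7 @@ template(`apache_content_template',`
 
 manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
 manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
@@ -97,6 +98,8 @@ template(`apache_content_template',`
 
 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
+ allow httpd_t httpd_$1_content_t:file map;
+ allow httpd_t httpd_$1_rw_content_t:file map;
 ')
 ')
 
@@ -1023,6 +1026,7 @@ interface(`apache_manage_sys_rw_content',`
 apache_search_sys_content($1)
 manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ allow $1 httpd_sys_rw_content_t:file map;
 manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 ')
 
@@ -1149,6 +1153,24 @@ interface(`apache_append_squirrelmail_data',`
 allow $1 httpd_squirrelmail_t:file append_file_perms;
 ')
 
+########################################
+## <summary>
+## delete httpd squirrelmail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_delete_squirrelmail_spool',`
+ gen_require(`
+ type squirrelmail_spool_t;
+ ')
+
+ delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)
+')
+
 ########################################
 ## <summary>
 ## Search httpd system content.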
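diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 39685bef..da43a1d8 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -381,6 +381,7 @@ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 files_var_filetrans(httpd_t, httpd_cache_t, dir)
+allow httpd_t httpd_cache_t:file map;
 
 allow httpd_t httpd_config_t:dir list_dir_perms;
 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
@@ -389,7 +390,7 @@ read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
 allow httpd_t httpd_htaccess_type:file read_file_perms;
 
 allow httpd_t httpd_ro_content:dir list_dir_perms;
-allow httpd_t httpd_ro_content:file read_file_perms;
+allow httpd_t httpd_ro_content:file { map read_file_perms };
 allow httpd_t httpd_ro_content:lnk_file read_lnk_file_perms;
 
 allow httpd_t httpd_keytab_t:file read_file_perms;
@@ -416,6 +417,7 @@ allow httpd_t httpd_rotatelogs_t:process signal_perms;
 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+allow httpd_t httpd_squirrelmail_t:file map;
 
 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
 
@@ -425,6 +427,7 @@ allow httpd_t httpd_sys_script_t:process signull;
 
 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+allow httpd_t httpd_tmp_t:file map;
 manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
@@ -439,6 +442,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi
 
 manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+allow httpd_t httpd_var_lib_t:file map;
 manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
 
@@ -460,6 +464,7 @@ domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
 
 kernel_read_kernel_sysctls(httpd_t)
+kernel_read_crypto_sysctls(httpd_t)
 kernel_read_vm_sysctls(httpd_t)
 kernel_read_vm_overcommit_sysctl(httpd_t)
 kernel_read_network_state(httpd_t)
@@ -484,6 +489,7 @@ dev_read_sysfs(httpd_t)
 dev_read_rand(httpd_t)
 dev_read_urand(httpd_t)
 dev_rw_crypto(httpd_t)
+dev_rwx_zero(httpd_t)
 
 domain_use_interactive_fds(httpd_t)
 
@@ -492,10 +498,12 @@ fs_search_auto_mountpoints(httpd_t)
 
 fs_read_anon_inodefs_files(httpd_t)
 fs_rw_inherited_hugetlbfs_files(httpd_t)
+fs_mmap_rw_hugetlbfs_files(httpd_t)
 fs_read_iso9660_files(httpd_t)
 
 files_dontaudit_getattr_all_runtime_files(httpd_t)
 files_read_usr_files(httpd_t)
+files_map_usr_files(httpd_t)
 files_list_mnt(httpd_t)
 files_search_spool(httpd_t)
 files_read_var_symlinks(httpd_t)
@@ -504,6 +512,7 @@ files_search_home(httpd_t)
 files_getattr_home_dir(httpd_t)
 files_read_etc_runtime_files(httpd_t)
 files_read_var_lib_symlinks(httpd_t)
+files_map_etc_files(httpd_t)
 
 auth_use_nsswitch(httpd_t)
 
@@ -573,7 +582,7 @@ tunable_policy(`httpd_builtin_scripting',`
 exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)
 
 allow httpd_t httpdcontent:dir list_dir_perms;
- allow httpd_t httpdcontent:file read_file_perms;
+ allow httpd_t httpdcontent:file { map read_file_perms };
 allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
 
 allow httpd_t httpd_ra_content:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
@@ -614,6 +623,7 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 
 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
 manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
+ allow httpd_t httpdcontent:file map;
 manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
 manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
 manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
@@ -899,6 +909,7 @@ optional_policy(`
 #
 
 read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
+allow httpd_t httpd_config_t:file map;
 
 append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)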
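diff --git a/policy/modules/services/aptcacher.fc b/policy/modules/services/aptcacher.fc
index 5f27bb04..fcdc96a8 100644
--- a/policy/modules/services/aptcacher.fc
+++ b/policy/modules/services/aptcacher.fc
@@ -2,12 +2,15 @@
 
 /usr/lib/apt-cacher-ng/acngtool -- gen_context(system_u:object_r:acngtool_exec_t,s0)
 
-/usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
+/usr/sbin/apt-cacher.* -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
 
+/run/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_runtime_t,s0)
 /run/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_runtime_t,s0)
 
+/var/cache/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_cache_t,s0)
 /var/cache/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_cache_t,s0)
 
 /var/lib/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_lib_t,s0)
 
+/var/log/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)
 /var/log/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)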
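diff --git a/policy/modules/services/aptcacher.if b/policy/modules/services/aptcacher.if
index 12c1335a..8c99a699 100644
--- a/policy/modules/services/aptcacher.if
+++ b/policy/modules/services/aptcacher.if
@@ -63,3 +63,43 @@ interface(`aptcacher_stream_connect',`
 files_search_runtime($1)
 stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
 ')
+
+######################################
+## <summary>
+## read aptcacher config
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to read it.
+## </summary>
+## </param>
+#
+interface(`aptcacher_read_config',`
+ gen_require(`
+ type aptcacher_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 aptcacher_etc_t:dir list_dir_perms;
+ allow $1 aptcacher_etc_t:file read_file_perms;
+')
+
+######################################
+## <summary>
+## mmap and read aptcacher config
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to read it.
+## </summary>
+## </param>
+#
+interface(`aptcacher_mmap_read_config',`
+ gen_require(`
+ type aptcacher_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 aptcacher_etc_t:dir list_dir_perms;
+ allow $1 aptcacher_etc_t:file mmap_read_file_perms;
+')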
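diff --git a/policy/modules/services/aptcacher.te b/policy/modules/services/aptcacher.te
index 57ceaed5..d9089a77 100644
--- a/policy/modules/services/aptcacher.te
+++ b/policy/modules/services/aptcacher.te
@@ -75,6 +75,8 @@ corenet_tcp_connect_http_port(aptcacher_t)
 
 auth_use_nsswitch(aptcacher_t)
 
+files_read_etc_files(aptcacher_t)
+
 # Uses sd_notify() to inform systemd it has properly started
 init_dgram_send(aptcacher_t)
 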
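diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 1eceba35..57ae7be3 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -149,6 +149,7 @@ domain_use_interactive_fds(named_t)
 
 files_read_etc_runtime_files(named_t)
 files_read_usr_files(named_t)
+files_map_usr_files(named_t)
 
 fs_getattr_all_fs(named_t)
 fs_search_auto_mountpoints(named_t)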
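diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
index 1eba7d63..ca035d5e 100644
--- a/policy/modules/services/colord.te
+++ b/policy/modules/services/colord.te
@@ -31,6 +31,8 @@ allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow colord_t self:tcp_socket { accept listen };
 allow colord_t self:shm create_shm_perms;
 
+can_exec(colord_t, colord_exec_t)
+
 manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
 manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
 files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
@@ -127,6 +129,10 @@ optional_policy(`
 policykit_read_reload(colord_t)
 ')
 
+optional_policy(`
+ snmp_read_snmp_var_lib_files(colord_t)
+')
+
 optional_policy(`
 sysnet_exec_ifconfig(colord_t)
 ')
@@ -135,6 +141,10 @@ optional_policy(`
 udev_read_runtime_files(colord_t)
 ')
 
+optional_policy(`
+ unconfined_dbus_send(colord_t)
+')
+
 optional_policy(`
 xserver_read_xdm_lib_files(colord_t)
 xserver_use_xdm_fds(colord_t)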
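diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 69de0c54..72e1d8c4 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -309,6 +309,8 @@ init_start_all_units(system_cronjob_t)
 init_get_generic_units_status(system_cronjob_t)
 init_get_system_status(system_cronjob_t)
 
+backup_manage_store_files(system_cronjob_t)
+
 auth_manage_var_auth(crond_t)
 auth_use_pam(crond_t)
 
@@ -344,6 +346,11 @@ ifdef(`distro_debian',`
 dpkg_manage_db(system_cronjob_t)
 ')
 
+ optional_policy(`
+ aptcacher_mmap_read_config(system_cronjob_t)
+ corenet_tcp_connect_aptcacher_port(system_cronjob_t)
+ ')
+
 optional_policy(`
 logwatch_search_cache_dir(crond_t)
 ')
@@ -432,6 +439,7 @@ optional_policy(`
 init_dbus_chat(crond_t)
 init_dbus_chat(system_cronjob_t)
 systemd_dbus_chat_logind(system_cronjob_t)
+ systemd_read_journal_files(system_cronjob_t)
 systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
 # so cron jobs can restart daemons
 init_stream_connect(system_cronjob_t)
@@ -501,6 +509,7 @@ corenet_tcp_sendrecv_generic_if(system_cronjob_t)
 corenet_udp_sendrecv_generic_if(system_cronjob_t)
 corenet_tcp_sendrecv_generic_node(system_cronjob_t)
 corenet_udp_sendrecv_generic_node(system_cronjob_t)
+corenet_udp_bind_generic_node(system_cronjob_t)
 
 dev_getattr_all_blk_files(system_cronjob_t)
 dev_getattr_all_chr_files(system_cronjob_t)
@@ -583,6 +592,7 @@ optional_policy(`
 apache_read_log(system_cronjob_t)
 apache_read_sys_content(system_cronjob_t)
 apache_delete_lib_files(system_cronjob_t)
+ apache_delete_squirrelmail_spool(system_cronjob_t)
 ')
 
 optional_policy(`
@@ -655,6 +665,8 @@ optional_policy(`
 
 optional_policy(`
 spamassassin_manage_lib_files(system_cronjob_t)
+ spamassassin_status(system_cronjob_t)
+ spamassassin_reload(system_cronjob_t)
 ')
 
 optional_policy(`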
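diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 9ead4c30..f6e4a0e6 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -111,11 +111,12 @@ ifdef(`enable_mls',`
 
 allow cupsd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource sys_tty_config };
 dontaudit cupsd_t self:capability { net_admin sys_tty_config };
-allow cupsd_t self:capability2 block_suspend;
+allow cupsd_t self:capability2 { block_suspend wake_alarm };
 allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
 allow cupsd_t self:fifo_file rw_fifo_file_perms;
 allow cupsd_t self:unix_stream_socket { accept connectto listen };
 allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+allow cupsd_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow cupsd_t self:shm create_shm_perms;
 allow cupsd_t self:sem create_sem_perms;
 allow cupsd_t self:tcp_socket { accept listen };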
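diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index fcae68a5..b69c8113 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -131,6 +131,8 @@ fs_mount_all_fs(devicekit_disk_t)
 fs_unmount_all_fs(devicekit_disk_t)
 fs_search_all(devicekit_disk_t)
 
+mount_rw_runtime_files(devicekit_disk_t)
+
 mls_file_read_all_levels(devicekit_disk_t)
 mls_file_write_to_clearance(devicekit_disk_t)
 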
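diff --git a/policy/modules/services/entropyd.te b/policy/modules/services/entropyd.te
index aa404773..f2405692 100644
--- a/policy/modules/services/entropyd.te
+++ b/policy/modules/services/entropyd.te
@@ -55,6 +55,7 @@ files_read_usr_files(entropyd_t)
 
 fs_getattr_all_fs(entropyd_t)
 fs_search_auto_mountpoints(entropyd_t)
+fs_search_tmpfs(entropyd_t)
 
 domain_use_interactive_fds(entropyd_t)
 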
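diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index 352b4ca8..1e97cdfa 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -63,6 +63,7 @@ manage_files_pattern(fail2ban_t, fail2ban_runtime_t, fail2ban_runtime_t)
 files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
 
 kernel_read_system_state(fail2ban_t)
+kernel_search_fs_sysctls(fail2ban_t)
 
 corecmd_exec_bin(fail2ban_t)
 corecmd_exec_shell(fail2ban_t)
@@ -90,6 +91,7 @@ fs_getattr_all_fs(fail2ban_t)
 auth_use_nsswitch(fail2ban_t)
 
 logging_read_all_logs(fail2ban_t)
+logging_read_audit_log(fail2ban_t)
 logging_send_syslog_msg(fail2ban_t)
 
 miscfiles_read_localization(fail2ban_t)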
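diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index 7d028b8d..06273d09 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -110,8 +110,11 @@ files_read_etc_runtime_files(jabberd_t)
 # usr for lua modules
 files_read_usr_files(jabberd_t)
 
+files_search_var_lib(jabberd_t)
+
 fs_search_auto_mountpoints(jabberd_t)
 
+miscfiles_read_generic_tls_privkey(jabberd_t)
 miscfiles_read_all_certs(jabberd_t)
 
 sysnet_read_config(jabberd_t)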
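diff --git a/policy/modules/services/l2tp.te b/policy/modules/services/l2tp.te
index 0fa4d8dd..6a429835 100644
--- a/policy/modules/services/l2tp.te
+++ b/policy/modules/services/l2tp.te
@@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_perms;
 allow l2tpd_t self:tcp_socket { accept listen };
 allow l2tpd_t self:unix_dgram_socket sendto;
 allow l2tpd_t self:unix_stream_socket { accept listen };
+allow l2tpd_t self:pppox_socket create;
 
 read_files_pattern(l2tpd_t, l2tp_conf_t, l2tp_conf_t)
 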
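diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te
index 08f1b0a0..74a94b89 100644
--- a/policy/modules/services/mon.te
+++ b/policy/modules/services/mon.te
@@ -147,6 +147,10 @@ optional_policy(`
 bind_read_zone(mon_net_test_t)
 ')
 
+optional_policy(`
+ mysql_stream_connect(mon_net_test_t)
+')
+
 ########################################
 #
 # Local policy
@@ -156,7 +160,8 @@ optional_policy(`
 # try not to use dontaudit rules for this
 #
 
-allow mon_local_test_t self:capability sys_admin;
+# sys_ptrace is for reading /proc/1/maps etc
+allow mon_local_test_t self:capability { sys_ptrace sys_admin };
 allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
 allow mon_local_test_t self:process getsched;
 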
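diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc
index 7739d36d..d23f2636 100644
--- a/policy/modules/services/mysql.fc
+++ b/policy/modules/services/mysql.fc
@@ -20,6 +20,7 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
 /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
 /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
 /usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/sbin/mariadbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
 
 /var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
 /var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_runtime_t,s0)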
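diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index f88f458b..5a264e2f 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -65,7 +65,7 @@ files_runtime_file(mysqlmanagerd_runtime_t)
 # Local policy
 #
 
-allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource };
+allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource };
 dontaudit mysqld_t self:capability sys_tty_config;
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
@@ -75,6 +75,7 @@ allow mysqld_t self:tcp_socket { accept listen };
 
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+allow mysqld_t mysqld_db_t:file map;
 manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
 
@@ -91,6 +92,7 @@ logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
 
 manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
 manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+allow mysqld_t mysqld_tmp_t:file map;
 files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
 
 manage_dirs_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)
@@ -102,6 +104,7 @@ kernel_read_kernel_sysctls(mysqld_t)
 kernel_read_network_state(mysqld_t)
 kernel_read_system_state(mysqld_t)
 kernel_read_vm_sysctls(mysqld_t)
+kernel_read_vm_overcommit_sysctl(mysqld_t)
 
 corenet_all_recvfrom_netlabel(mysqld_t)
 corenet_tcp_sendrecv_generic_if(mysqld_t)
@@ -123,6 +126,7 @@ domain_use_interactive_fds(mysqld_t)
 
 fs_getattr_all_fs(mysqld_t)
 fs_search_auto_mountpoints(mysqld_t)
+fs_search_tmpfs(mysqld_t)
 fs_rw_hugetlbfs_files(mysqld_t)
 
 files_read_etc_runtime_files(mysqld_t)
@@ -132,6 +136,7 @@ auth_use_nsswitch(mysqld_t)
 
 logging_send_syslog_msg(mysqld_t)
 
+miscfiles_read_generic_certs(mysqld_t)
 miscfiles_read_localization(mysqld_t)
 
 userdom_search_user_home_dirs(mysqld_t)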
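diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 76bdae5a..9aa0afaf 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -131,6 +131,8 @@ fs_search_auto_mountpoints(openvpn_t)
 
 auth_use_pam(openvpn_t)
 
+init_read_state(openvpn_t)
+
 miscfiles_read_localization(openvpn_t)
 miscfiles_read_all_certs(openvpn_t)
 
@@ -162,6 +164,10 @@ optional_policy(`
 daemontools_service_domain(openvpn_t, openvpn_exec_t)
 ')
 
+optional_policy(`
+ dpkg_script_rw_inherited_pipes(openvpn_t)
+')
+
 optional_policy(`
 dbus_system_bus_client(openvpn_t)
 dbus_connect_system_bus(openvpn_t)
@@ -174,3 +180,7 @@ optional_policy(`
 optional_policy(`
 systemd_use_passwd_agent(openvpn_t)
 ')
+
+optional_policy(`
+ unconfined_use_fds(openvpn_t)
+')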
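diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index 169dab12..a96e9dd9 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -47,6 +47,7 @@ manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
 manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
 
 manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
+allow postgrey_t postgrey_var_lib_t:file map;
 files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
 
 manage_dirs_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t)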
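diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 9e95d8dc..844a8038 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -218,6 +218,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
 
 kernel_read_network_state(nfsd_t)
 kernel_dontaudit_getattr_core_if(nfsd_t)
+kernel_search_debugfs(nfsd_t)
 kernel_setsched(nfsd_t)
 kernel_request_load_module(nfsd_t)
 # kernel_mounton_proc(nfsd_t)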
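diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 2f0fefef..855d846d 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -201,11 +201,14 @@ files_tmp_file(winbind_tmp_t)
 
 allow samba_net_t self:capability { dac_override dac_read_search sys_chroot sys_nice };
 allow samba_net_t self:capability2 block_suspend;
-allow samba_net_t self:process { getsched setsched };
+allow samba_net_t self:process { sigkill getsched setsched };
 allow samba_net_t self:unix_stream_socket { accept listen };
+allow samba_net_t self:fifo_file rw_file_perms;
 
 allow samba_net_t samba_etc_t:file read_file_perms;
 
+allow samba_net_t samba_var_run_t:file { map read_file_perms };
+
 manage_files_pattern(samba_net_t, samba_etc_t, samba_secrets_t)
 filetrans_pattern(samba_net_t, samba_etc_t, samba_secrets_t, file)
 
@@ -215,6 +218,7 @@ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
 
 manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
 manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+allow samba_net_t samba_var_t:file map;
 manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
 files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
 
@@ -300,6 +304,7 @@ allow smbd_t samba_share_t:filesystem { getattr quotaget };
 
 manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
+allow smbd_t samba_var_t:file map;
 manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
 files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
@@ -310,6 +315,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
 
 manage_dirs_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
 manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
+allow smbd_t samba_runtime_t:file map;
 manage_sock_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
 files_runtime_filetrans(smbd_t, samba_runtime_t, { dir file })
 
@@ -317,6 +323,7 @@ allow smbd_t winbind_runtime_t:sock_file read_sock_file_perms;
 stream_connect_pattern(smbd_t, winbind_runtime_t, winbind_runtime_t, winbind_t)
 
 stream_connect_pattern(smbd_t, samba_runtime_t, samba_runtime_t, nmbd_t)
+allow smbd_t nmbd_t:unix_dgram_socket sendto;
 
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
@@ -479,6 +486,10 @@ optional_policy(`
 	cups_stream_connect(smbd_t)
 ')
 
+optional_policy(`
+	dbus_system_bus_client(smbd_t)
+')
+
 optional_policy(`
 	kerberos_read_keytab(smbd_t)
 	kerberos_use(smbd_t)
@@ -520,6 +531,7 @@ allow nmbd_t self:unix_stream_socket { accept connectto listen };
 
 manage_dirs_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
 manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
+allow nmbd_t samba_runtime_t:file map;
 manage_sock_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
 files_runtime_filetrans(nmbd_t, samba_runtime_t, { dir file sock_file })
 
@@ -532,7 +544,7 @@ create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
 setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
 
 manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+allow nmbd_t samba_var_t:file map;
 manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
@@ -613,6 +625,8 @@ allow smbcontrol_t self:process { signal signull };
 
 allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
 read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
+init_use_fds(smbcontrol_t)
 
 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
 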
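Review bot: `allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;` in the last hunk grants add_name/remove_name on the samba runtime directory while smbcontrol_t still only has `read_files_pattern` on the files inside it, so either the directory grant is wider than the access actually exercised or the rule that really needs it (creating or unlinking a file or socket under that directory) is missing. If smbcontrol only has to find entries, `list_dir_perms` (or `search_dir_perms`) is the tighter rule; if it does create something there, the matching file or sock_file rule should sit next to this one so the grant explains itself. Separately, `allow samba_net_t samba_var_run_t:file { map read_file_perms };` in the first hunk uses the `samba_var_run_t` name while every other hunk in this file writes `samba_runtime_t`, which looks like the legacy alias and should be harmonised. The sets `{ sigkill getsched setsched }` and `rw_file_perms` on `fifo_file` also depart from the sorted-set and `rw_fifo_file_perms` conventions visible elsewhere in this commit (the smartmon.te hunk, for instance): `allow samba_net_t self:process { getsched setsched sigkill };` and `allow samba_net_t self:fifo_file rw_fifo_file_perms;`.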
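diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index fc3f9502..a6351969 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -38,7 +38,7 @@ ifdef(`enable_mls',`
 # Local policy
 #
 
-allow fsdaemon_t self:capability { dac_override kill setgid setpcap sys_admin sys_rawio };
+allow fsdaemon_t self:capability { dac_override kill setgid setuid setpcap sys_admin sys_rawio };
 dontaudit fsdaemon_t self:capability sys_tty_config;
 allow fsdaemon_t self:process { getcap setcap signal_perms };
 allow fsdaemon_t self:fifo_file rw_fifo_file_perms;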
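Review bot: The `setuid` capability added to the fsdaemon_t self:capability set has no comment on which smartd code path needs it, and because CAP_SETUID lets the daemon change its credentials this is exactly the grant a later audit will want explained; a one-line comment above the rule naming the trigger (whether it drops privileges or runs a configured helper as another user is not visible here and should be confirmed) would do. The existing set is kept in alphabetical order and the new entry breaks it; the line should read `allow fsdaemon_t self:capability { dac_override kill setgid setpcap setuid sys_admin sys_rawio };`.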
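diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index f7b3a5a3..f9890df1 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
 allow squid_t self:unix_dgram_socket sendto;
 allow squid_t self:unix_stream_socket { accept connectto listen };
 allow squid_t self:tcp_socket { accept listen };
+allow squid_t self:netlink_netfilter_socket create_socket_perms;
 
 manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
 manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
@@ -91,6 +92,7 @@ manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
 files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
 
 manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+allow squid_t squid_tmpfs_t:file map;
 fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
 
 manage_files_pattern(squid_t, squid_runtime_t, squid_runtime_t)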
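diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index 445ab87f..0da1a599 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
@@ -74,6 +74,7 @@ files_runtime_filetrans(tor_t, tor_runtime_t, { dir file sock_file })
 kernel_read_kernel_sysctls(tor_t)
 kernel_read_net_sysctls(tor_t)
 kernel_read_system_state(tor_t)
+kernel_read_vm_overcommit_sysctl(tor_t)
 
 corenet_all_recvfrom_netlabel(tor_t)
 corenet_tcp_sendrecv_generic_if(tor_t)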
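diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te
index e1e9d9a9..4a677a3f 100644
--- a/policy/modules/services/watchdog.te
+++ b/policy/modules/services/watchdog.te
@@ -76,6 +76,8 @@ auth_append_login_records(watchdog_t)
 
 logging_send_syslog_msg(watchdog_t)
 
+mcs_killall(watchdog_t)
+
 miscfiles_read_localization(watchdog_t)
 
 sysnet_dns_name_resolve(watchdog_t)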
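Review bot: `mcs_killall(watchdog_t)` lifts the MCS category restriction on signal delivery for the whole domain but carries no comment stating why; presumably the watchdog has to terminate processes in any category when it judges the system to be failing, but that intent is not visible here and should be written next to the rule, e.g. `# watchdog terminates processes in any MCS range when recovering - TODO confirm`. Without such a note the line reads as an unexplained widening of an MCS boundary and is hard to justify at the next policy audit.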
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if |
841 |
index 0e76767f..8ba496cd 100644 |
842 |
--- a/policy/modules/services/xserver.if |
843 |
+++ b/policy/modules/services/xserver.if |
844 |
@@ -1643,6 +1643,7 @@ interface(`xserver_rw_mesa_shader_cache',` |
845 |
|
846 |
rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) |
847 |
rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) |
848 |
+ allow $1 mesa_shader_cache_t:file map; |
849 |
xdg_search_cache_dirs($1) |
850 |
') |