Network daemon patches from Russell Coker.

author: Chris PeBenito <pebenito@ieee.org> 2017-02-25 11:20:03 -0500
committer: Jason Zaman <jason@perfinion.com> 2017-02-27 18:44:02 +0800
commit: e81afa8e462fd625e95e7458332b1cff1724654f (patch)
tree: a950df1c2d989ff0a2145c3df81c58f7225dedb8
parent: MTA fixes from Russell Coker. (diff)
download: hardened-refpolicy-e81afa8e462fd625e95e7458332b1cff1724654f.tar.gz
hardened-refpolicy-e81afa8e462fd625e95e7458332b1cff1724654f.tar.bz2
hardened-refpolicy-e81afa8e462fd625e95e7458332b1cff1724654f.zip
21 files changed, 161 insertions, 32 deletions
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index faa08802..5fded37a 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -17,6 +17,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)?	gen_context(system_u:objec
 /etc/httpd/modules	gen_context(system_u:object_r:httpd_modules_t,s0)
 /etc/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/mock/koji(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/postfixadmin(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
 /etc/rc\.d/init\.d/cherokee	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
@@ -56,6 +57,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)?	gen_context(system_u:objec
 /usr/libexec/httpd-ssl-pass-dialog	--	gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
 
 /usr/sbin/apache(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache(2)?ctl	--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/apache-ssl(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/cgi-wrapper	--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/cherokee	--	gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -110,6 +112,7 @@ ifdef(`distro_suse',`
 /var/lib/cherokee(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/dav(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/php(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php5(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/dokuwiki(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/drupal.*	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/glpi(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -124,6 +127,7 @@ ifdef(`distro_suse',`
 /var/lib/stickshift/.httpd.d(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
 /var/lib/svn(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/trac(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/wordpress(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
 /var/log/apache(2)?(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index 16539db5..91191ecc 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -1254,6 +1254,25 @@ interface(`apache_dontaudit_write_tmp_files',`
 
 ########################################
 ## <summary>
+##	Delete httpd_var_lib_t files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain that can delete the files
+##	</summary>
+## </param>
+#
+interface(`apache_delete_lib_files',`
+	gen_require(`
+		type httpd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	delete_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
+')
+
+########################################
+## <summary>
 ##	Execute CGI in the specified domain.
 ## </summary>
 ##	<desc>
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 2f724b68..37af1e22 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.12.0)
+policy_module(apache, 2.12.1)
 
 ########################################
 #
@@ -402,14 +402,12 @@ read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
 
 allow httpd_t httpd_keytab_t:file read_file_perms;
 
+allow httpd_t httpd_lock_t:dir manage_dir_perms;
 allow httpd_t httpd_lock_t:file manage_file_perms;
-files_lock_filetrans(httpd_t, httpd_lock_t, file)
+files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
 
-allow httpd_t httpd_log_t:dir setattr_dir_perms;
-create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
-create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 logging_log_filetrans(httpd_t, httpd_log_t, file)
 
@@ -427,6 +425,8 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
 
 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+allow httpd_t httpd_sys_script_t:process signull;
+
 
 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -444,6 +444,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi
 
 manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
 
 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
@@ -464,6 +465,8 @@ domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
 
 kernel_read_kernel_sysctls(httpd_t)
+kernel_read_vm_sysctls(httpd_t)
+kernel_read_vm_overcommit_sysctl(httpd_t)
 kernel_read_network_state(httpd_t)
 kernel_read_system_state(httpd_t)
 kernel_search_network_sysctl(httpd_t)
@@ -513,6 +516,8 @@ files_read_var_lib_symlinks(httpd_t)
 
 auth_use_nsswitch(httpd_t)
 
+init_rw_inherited_script_tmp_files(httpd_t)
+
 libs_read_lib_files(httpd_t)
 
 logging_send_syslog_msg(httpd_t)
@@ -590,6 +595,7 @@ tunable_policy(`httpd_builtin_scripting',`
 tunable_policy(`httpd_enable_cgi',`
 	allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
 	allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+	allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
 ')
 
 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -737,9 +743,8 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
 
 tunable_policy(`httpd_use_nfs',`
 	fs_list_auto_mountpoints(httpd_t)
-	fs_manage_nfs_dirs(httpd_t)
-	fs_manage_nfs_files(httpd_t)
-	fs_manage_nfs_symlinks(httpd_t)
+	rpc_manage_nfs_rw_content(httpd_t)
+	rpc_read_nfs_content(httpd_t)
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1063,9 +1068,8 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
 
 tunable_policy(`httpd_use_nfs',`
 	fs_list_auto_mountpoints(httpd_suexec_t)
-	fs_manage_nfs_dirs(httpd_suexec_t)
-	fs_manage_nfs_files(httpd_suexec_t)
-	fs_manage_nfs_symlinks(httpd_suexec_t)
+	rpc_manage_nfs_rw_content(httpd_t)
+	rpc_read_nfs_content(httpd_t)
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1213,8 +1217,11 @@ optional_policy(`
 #
 
 allow httpd_sys_script_t self:tcp_socket { accept listen };
+allow httpd_sys_script_t self:unix_dgram_socket { create connect connected_socket_perms };
+
 
 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
+allow httpd_sys_script_t httpd_t:unix_stream_socket { read write ioctl };
 
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
 
@@ -1226,6 +1233,8 @@ allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
 
 kernel_read_kernel_sysctls(httpd_sys_script_t)
 
+dev_read_sysfs(httpd_sys_script_t)
+
 fs_search_auto_mountpoints(httpd_sys_script_t)
 
 files_read_var_symlinks(httpd_sys_script_t)
@@ -1236,6 +1245,12 @@ apache_domtrans_rotatelogs(httpd_sys_script_t)
 
 auth_use_nsswitch(httpd_sys_script_t)
 
+logging_send_syslog_msg(httpd_sys_script_t)
+
+ifdef(`init_systemd', `
+	init_search_pid_dirs(httpd_sys_script_t)
+')
+
 tunable_policy(`httpd_can_sendmail',`
 	corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
 	corenet_tcp_connect_smtp_port(httpd_sys_script_t)
@@ -1290,9 +1305,8 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
 
 tunable_policy(`httpd_use_nfs',`
 	fs_list_auto_mountpoints(httpd_sys_script_t)
-	fs_manage_nfs_dirs(httpd_sys_script_t)
-	fs_manage_nfs_files(httpd_sys_script_t)
-	fs_manage_nfs_symlinks(httpd_sys_script_t)
+	rpc_manage_nfs_rw_content(httpd_t)
+	rpc_read_nfs_content(httpd_t)
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
index c9619a4e..de596aed 100644
--- a/policy/modules/contrib/bind.fc
+++ b/policy/modules/contrib/bind.fc
@@ -28,6 +28,8 @@
 
 /var/cache/bind(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
 
+/var/lib/unbound(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
+
 /var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
 
 /var/named(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
@@ -53,5 +55,6 @@
 
 /run/ndc	-s	gen_context(system_u:object_r:named_var_run_t,s0)
 /run/bind(/.*)?	gen_context(system_u:object_r:named_var_run_t,s0)
+/run/lwresd/lwresd\.pid	-s	gen_context(system_u:object_r:named_var_run_t,s0)
 /run/named(/.*)?	gen_context(system_u:object_r:named_var_run_t,s0)
 /run/unbound(/.*)?	gen_context(system_u:object_r:named_var_run_t,s0)
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index bfec7c74..25329fdb 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.18.0)
+policy_module(bind, 1.18.1)
 
 ########################################
 #
@@ -112,6 +112,8 @@ allow named_t named_zone_t:dir list_dir_perms;
 read_files_pattern(named_t, named_zone_t, named_zone_t)
 read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
 
+kernel_read_net_sysctls(named_t)
+kernel_read_vm_sysctls(named_t)
 kernel_read_kernel_sysctls(named_t)
 kernel_read_vm_overcommit_sysctl(named_t)
 kernel_read_system_state(named_t)
@@ -152,6 +154,7 @@ dev_read_urand(named_t)
 domain_use_interactive_fds(named_t)
 
 files_read_etc_runtime_files(named_t)
+files_read_usr_files(named_t)
 
 fs_getattr_all_fs(named_t)
 fs_search_auto_mountpoints(named_t)
@@ -219,6 +222,7 @@ optional_policy(`
 #
 
 allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability2 block_suspend;
 allow ndc_t self:process signal_perms;
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/inetd.te b/policy/modules/contrib/inetd.te
index 66c15680..70ecd1e5 100644
--- a/policy/modules/contrib/inetd.te
+++ b/policy/modules/contrib/inetd.te
@@ -1,4 +1,4 @@
-policy_module(inetd, 1.14.0)
+policy_module(inetd, 1.14.1)
 
 ########################################
 #
@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t)
 kernel_tcp_recvfrom_unlabeled(inetd_t)
 
 corecmd_bin_domtrans(inetd_t, inetd_child_t)
+corecmd_bin_entry_type(inetd_child_t)
 
 corenet_all_recvfrom_unlabeled(inetd_t)
 corenet_all_recvfrom_netlabel(inetd_t)
diff --git a/policy/modules/contrib/iodine.fc b/policy/modules/contrib/iodine.fc
index ca07a874..42a24aaf 100644
--- a/policy/modules/contrib/iodine.fc
+++ b/policy/modules/contrib/iodine.fc
@@ -1,3 +1,5 @@
 /etc/rc\.d/init\.d/((iodined)|(iodine-server))	--	gen_context(system_u:object_r:iodined_initrc_exec_t,s0)
 
 /usr/sbin/iodined	--	gen_context(system_u:object_r:iodined_exec_t,s0)
+
+/var/run/iodine(/.*)?		gen_context(system_u:object_r:iodined_var_run_t,s0)
diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te
index c35fc069..11ef68f9 100644
--- a/policy/modules/contrib/iodine.te
+++ b/policy/modules/contrib/iodine.te
@@ -1,4 +1,4 @@
-policy_module(iodine, 1.2.0)
+policy_module(iodine, 1.2.1)
 
 ########################################
 #
@@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t)
 type iodined_initrc_exec_t;
 init_script_file(iodined_initrc_exec_t)
 
+type iodined_var_run_t;
+files_pid_file(iodined_var_run_t)
+
 ########################################
 #
 # Local policy
@@ -21,6 +24,10 @@ allow iodined_t self:capability { net_admin net_raw setgid setuid sys_chroot };
 allow iodined_t self:rawip_socket create_socket_perms;
 allow iodined_t self:tun_socket create_socket_perms;
 allow iodined_t self:udp_socket connected_socket_perms;
+allow iodined_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
+manage_files_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
 
 kernel_read_net_sysctls(iodined_t)
 kernel_read_network_state(iodined_t)
diff --git a/policy/modules/contrib/jabber.fc b/policy/modules/contrib/jabber.fc
index 96325be0..e31f56e8 100644
--- a/policy/modules/contrib/jabber.fc
+++ b/policy/modules/contrib/jabber.fc
@@ -2,6 +2,7 @@
 
 /usr/bin/router	--	gen_context(system_u:object_r:jabberd_router_exec_t,s0)
 /usr/bin/c2s	--	gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/prosody	--	gen_context(system_u:object_r:jabberd_exec_t,s0)
 /usr/bin/s2s	--	gen_context(system_u:object_r:jabberd_exec_t,s0)
 /usr/bin/sm	--	gen_context(system_u:object_r:jabberd_exec_t,s0)
 
@@ -13,13 +14,16 @@
 
 /var/log/ejabberd(/.*)?	gen_context(system_u:object_r:jabberd_log_t,s0)
 /var/log/jabber(/.*)?	gen_context(system_u:object_r:jabberd_log_t,s0)
+/var/log/prosody(/.*)?	gen_context(system_u:object_r:jabberd_log_t,s0)
 
 /var/lib/ejabberd(/.*)?	gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 /var/lib/ejabberd/spool(/.*)?	gen_context(system_u:object_r:jabberd_spool_t,s0)
 /var/lib/jabber(/.*)?	gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 /var/lib/jabberd(/.*)?	gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+/var/lib/prosody(/.*)?	gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 /var/lib/jabberd/log(/.*)?	gen_context(system_u:object_r:jabberd_log_t,s0)
 /var/lib/jabberd/pid(/.*)?	gen_context(system_u:object_r:jabberd_var_run_t,s0)
 
 /run/ejabber\.pid	--	gen_context(system_u:object_r:jabberd_var_run_t,s0)
 /run/jabber\.pid	--	gen_context(system_u:object_r:jabberd_var_run_t,s0)
+/run/prosody(/.*)?	--	gen_context(system_u:object_r:jabberd_var_run_t,s0)
diff --git a/policy/modules/contrib/jabber.te b/policy/modules/contrib/jabber.te
index fdea29d5..36f603c3 100644
--- a/policy/modules/contrib/jabber.te
+++ b/policy/modules/contrib/jabber.te
@@ -1,4 +1,4 @@
-policy_module(jabber, 1.12.0)
+policy_module(jabber, 1.12.1)
 
 ########################################
 #
@@ -73,6 +73,7 @@ allow jabberd_t self:capability dac_override;
 dontaudit jabberd_t self:capability sys_tty_config;
 allow jabberd_t self:tcp_socket create_socket_perms;
 allow jabberd_t self:udp_socket create_socket_perms;
+allow jabberd_t self:netlink_route_socket r_netlink_socket_perms;
 
 manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t)
 
@@ -87,8 +88,12 @@ manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
 manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
 files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
 
+domain_dontaudit_search_all_domains_state(jabberd_t)
+
 kernel_read_kernel_sysctls(jabberd_t)
 
+corecmd_exec_bin(jabberd_t)
+
 corenet_sendrecv_jabber_client_server_packets(jabberd_t)
 corenet_tcp_bind_jabber_client_port(jabberd_t)
 corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
@@ -96,6 +101,7 @@ corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
 corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
 corenet_tcp_bind_jabber_interserver_port(jabberd_t)
 corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_interserver_port(jabberd_t)
 
 dev_read_rand(jabberd_t)
 
@@ -103,9 +109,13 @@ domain_use_interactive_fds(jabberd_t)
 
 files_read_etc_files(jabberd_t)
 files_read_etc_runtime_files(jabberd_t)
+# usr for lua modules
+files_read_usr_files(jabberd_t)
 
 fs_search_auto_mountpoints(jabberd_t)
 
+miscfiles_read_all_certs(jabberd_t)
+
 sysnet_read_config(jabberd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te
index 44c2abcd..de6a62cf 100644
--- a/policy/modules/contrib/nagios.te
+++ b/policy/modules/contrib/nagios.te
@@ -1,4 +1,4 @@
-policy_module(nagios, 1.15.0)
+policy_module(nagios, 1.15.1)
 
 ########################################
 #
@@ -216,12 +216,15 @@ optional_policy(`
 # Nrpe local policy
 #
 
-allow nrpe_t self:capability { setgid setuid };
+allow nrpe_t self:capability { dac_override setgid setuid };
 dontaudit nrpe_t self:capability { sys_resource sys_tty_config };
 allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
 allow nrpe_t self:fifo_file rw_fifo_file_perms;
 allow nrpe_t self:tcp_socket { accept listen };
 
+allow nrpe_t nagios_etc_t:dir list_dir_perms;
+allow nrpe_t nagios_etc_t:file read_file_perms;
+
 allow nrpe_t nagios_plugin_domain:process { signal sigkill };
 
 read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index fe5f8b4c..1e6d0f5b 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -3,7 +3,7 @@
 /etc/NetworkManager(/.*)?	gen_context(system_u:object_r:NetworkManager_etc_t,s0)
 /etc/NetworkManager/NetworkManager\.conf	gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
 /etc/NetworkManager/system-connections(/.*)?	gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
-/etc/NetworkManager/dispatcher\.d(/.*)?	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/etc/NetworkManager/dispatcher\.d(/.*)?	--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 
 /etc/dhcp/manager-settings\.conf	--	gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
 /etc/dhcp/wireless-settings\.conf	--	gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index cde12ad5..1e3237e5 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.20.1)
+policy_module(networkmanager, 1.20.2)
 
 ########################################
 #
@@ -241,6 +241,10 @@ optional_policy(`
 	optional_policy(`
 		xserver_dbus_chat_xdm(NetworkManager_t)
 	')
+
+	optional_policy(`
+		unconfined_dbus_send(NetworkManager_t)
+	')
 ')
 
 optional_policy(`
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index fa0a1839..8bbb2aa3 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -18,6 +18,24 @@ interface(`ntp_stub',`
 
 ########################################
 ## <summary>
+##	Read ntp.conf
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ntp_read_config',`
+	gen_require(`
+		type ntp_conf_t;
+	')
+
+	allow $1 ntp_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Execute ntp server in the ntpd domain.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index b1969955..9af1ad5f 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.16.1)
+policy_module(ntp, 1.16.2)
 
 ########################################
 #
@@ -60,6 +60,7 @@ allow ntpd_t self:fifo_file rw_fifo_file_perms;
 allow ntpd_t self:shm create_shm_perms;
 allow ntpd_t self:socket create;
 allow ntpd_t self:tcp_socket { accept listen };
+allow ntpd_t self:unix_dgram_socket sendto;
 
 allow ntpd_t ntp_conf_t:file read_file_perms;
 
diff --git a/policy/modules/contrib/openvpn.fc b/policy/modules/contrib/openvpn.fc
index 7703264d..00d176d3 100644
--- a/policy/modules/contrib/openvpn.fc
+++ b/policy/modules/contrib/openvpn.fc
@@ -1,5 +1,6 @@
 /etc/openvpn(/.*)?	gen_context(system_u:object_r:openvpn_etc_t,s0)
 /etc/openvpn/ipp\.txt	--	gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
+/etc/openvpn/openvpn-status\.log.* --	gen_context(system_u:object_r:openvpn_status_t,s0)
 
 /etc/rc\.d/init\.d/openvpn	--	gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
 
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index 465716f6..54170a62 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -1,4 +1,4 @@
-policy_module(openvpn, 1.15.0)
+policy_module(openvpn, 1.15.1)
 
 ########################################
 #
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 5123f079..0b9a71fc 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.19.1)
+policy_module(rpc, 1.19.2)
 
 ########################################
 #
@@ -161,6 +161,8 @@ kernel_read_sysctl(rpcd_t)
 kernel_rw_fs_sysctls(rpcd_t)
 kernel_dontaudit_getattr_core_if(rpcd_t)
 kernel_signal(rpcd_t)
+# for /proc/fs/lockd/nlm_end_grace
+kernel_write_proc_files(rpcd_t)
 
 corecmd_exec_bin(rpcd_t)
 
diff --git a/policy/modules/contrib/squid.fc b/policy/modules/contrib/squid.fc
index d6b5ba09..7051c3e1 100644
--- a/policy/modules/contrib/squid.fc
+++ b/policy/modules/contrib/squid.fc
@@ -4,17 +4,17 @@
 
 /usr/lib/squid/cachemgr\.cgi	--	gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
 
-/usr/sbin/squid	--	gen_context(system_u:object_r:squid_exec_t,s0)
+/usr/sbin/squid.* --	gen_context(system_u:object_r:squid_exec_t,s0)
 
 /usr/share/squid(/.*)?	gen_context(system_u:object_r:squid_conf_t,s0)
 
 /var/cache/squid(/.*)?	gen_context(system_u:object_r:squid_cache_t,s0)
 
-/var/log/squid(/.*)?	gen_context(system_u:object_r:squid_log_t,s0)
+/var/log/squid.*	gen_context(system_u:object_r:squid_log_t,s0)
 /var/log/squidGuard(/.*)?	gen_context(system_u:object_r:squid_log_t,s0)
 
-/run/squid\.pid	--	gen_context(system_u:object_r:squid_var_run_t,s0)
+/run/squid3.*		gen_context(system_u:object_r:squid_var_run_t,s0)
 
-/var/spool/squid(/.*)?	gen_context(system_u:object_r:squid_cache_t,s0)
+/var/spool/squid.*	gen_context(system_u:object_r:squid_cache_t,s0)
 
 /var/squidGuard(/.*)?	gen_context(system_u:object_r:squid_cache_t,s0)
diff --git a/policy/modules/contrib/squid.if b/policy/modules/contrib/squid.if
index 941cedf3..b5adfad3 100644
--- a/policy/modules/contrib/squid.if
+++ b/policy/modules/contrib/squid.if
@@ -191,6 +191,25 @@ interface(`squid_use',`
 
 ########################################
 ## <summary>
+##	dontaudit statting tmpfs files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not be audited
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_dontaudit_read_tmpfs_files',`
+	gen_require(`
+		type squid_tmpfs_t;
+	')
+
+	dontaudit $1 squid_tmpfs_t:file getattr;
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an squid environment.
 ## </summary>
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index 74fb3c23..f4fd15e8 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -1,4 +1,4 @@
-policy_module(squid, 1.15.0)
+policy_module(squid, 1.15.1)
 
 ########################################
 #
@@ -21,6 +21,14 @@ gen_tunable(squid_connect_any, false)
 ## </desc>
 gen_tunable(squid_use_tproxy, false)
 
+## <desc>
+##	<p>
+##	Determine whether squid can use the
+##	pinger daemon (needs raw net access)
+##	</p>
+## </desc>
+gen_tunable(squid_use_pinger, true)
+
 type squid_t;
 type squid_exec_t;
 init_daemon_domain(squid_t, squid_exec_t)
@@ -188,6 +196,11 @@ tunable_policy(`squid_connect_any',`
 	corenet_tcp_sendrecv_all_ports(squid_t)
 ')
 
+tunable_policy(`squid_use_pinger',`
+	allow squid_t self:rawip_socket connected_socket_perms;
+	allow squid_t self:capability net_raw;
+')
+
 tunable_policy(`squid_use_tproxy',`
 	allow squid_t self:capability net_admin;
 	corenet_sendrecv_netport_server_packets(squid_t)
author	Chris PeBenito <pebenito@ieee.org>	2017-02-25 11:20:03 -0500
committer	Jason Zaman <jason@perfinion.com>	2017-02-27 18:44:02 +0800
commit	e81afa8e462fd625e95e7458332b1cff1724654f (patch)
tree	a950df1c2d989ff0a2145c3df81c58f7225dedb8
parent	MTA fixes from Russell Coker. (diff)
download	hardened-refpolicy-e81afa8e462fd625e95e7458332b1cff1724654f.tar.gz hardened-refpolicy-e81afa8e462fd625e95e7458332b1cff1724654f.tar.bz2 hardened-refpolicy-e81afa8e462fd625e95e7458332b1cff1724654f.zip