diff options
author | Chris PeBenito <pebenito@ieee.org> | 2017-02-25 11:20:03 -0500 |
---|---|---|
committer | Jason Zaman <jason@perfinion.com> | 2017-02-27 18:44:02 +0800 |
commit | e81afa8e462fd625e95e7458332b1cff1724654f (patch) | |
tree | a950df1c2d989ff0a2145c3df81c58f7225dedb8 | |
parent | MTA fixes from Russell Coker. (diff) | |
download | hardened-refpolicy-e81afa8e462fd625e95e7458332b1cff1724654f.tar.gz hardened-refpolicy-e81afa8e462fd625e95e7458332b1cff1724654f.tar.bz2 hardened-refpolicy-e81afa8e462fd625e95e7458332b1cff1724654f.zip |
Network daemon patches from Russell Coker.
-rw-r--r-- | policy/modules/contrib/apache.fc | 4 | ||||
-rw-r--r-- | policy/modules/contrib/apache.if | 19 | ||||
-rw-r--r-- | policy/modules/contrib/apache.te | 46 | ||||
-rw-r--r-- | policy/modules/contrib/bind.fc | 3 | ||||
-rw-r--r-- | policy/modules/contrib/bind.te | 6 | ||||
-rw-r--r-- | policy/modules/contrib/inetd.te | 3 | ||||
-rw-r--r-- | policy/modules/contrib/iodine.fc | 2 | ||||
-rw-r--r-- | policy/modules/contrib/iodine.te | 9 | ||||
-rw-r--r-- | policy/modules/contrib/jabber.fc | 4 | ||||
-rw-r--r-- | policy/modules/contrib/jabber.te | 12 | ||||
-rw-r--r-- | policy/modules/contrib/nagios.te | 7 | ||||
-rw-r--r-- | policy/modules/contrib/networkmanager.fc | 2 | ||||
-rw-r--r-- | policy/modules/contrib/networkmanager.te | 6 | ||||
-rw-r--r-- | policy/modules/contrib/ntp.if | 18 | ||||
-rw-r--r-- | policy/modules/contrib/ntp.te | 3 | ||||
-rw-r--r-- | policy/modules/contrib/openvpn.fc | 1 | ||||
-rw-r--r-- | policy/modules/contrib/openvpn.te | 2 | ||||
-rw-r--r-- | policy/modules/contrib/rpc.te | 4 | ||||
-rw-r--r-- | policy/modules/contrib/squid.fc | 8 | ||||
-rw-r--r-- | policy/modules/contrib/squid.if | 19 | ||||
-rw-r--r-- | policy/modules/contrib/squid.te | 15 |
21 files changed, 161 insertions, 32 deletions
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc index faa08802..5fded37a 100644 --- a/policy/modules/contrib/apache.fc +++ b/policy/modules/contrib/apache.fc @@ -17,6 +17,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:objec /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) /etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/postfixadmin(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) @@ -56,6 +57,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:objec /usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0) /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0) @@ -110,6 +112,7 @@ ifdef(`distro_suse',` /var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/php5(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) @@ -124,6 +127,7 @@ ifdef(`distro_suse',` /var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if index 16539db5..91191ecc 100644 --- a/policy/modules/contrib/apache.if +++ b/policy/modules/contrib/apache.if @@ -1254,6 +1254,25 @@ interface(`apache_dontaudit_write_tmp_files',` ######################################## ## <summary> +## Delete httpd_var_lib_t files +## </summary> +## <param name="domain"> +## <summary> +## Domain that can delete the files +## </summary> +## </param> +# +interface(`apache_delete_lib_files',` + gen_require(` + type httpd_var_lib_t; + ') + + files_search_var_lib($1) + delete_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t) +') + +######################################## +## <summary> ## Execute CGI in the specified domain. ## </summary> ## <desc> diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te index 2f724b68..37af1e22 100644 --- a/policy/modules/contrib/apache.te +++ b/policy/modules/contrib/apache.te @@ -1,4 +1,4 @@ -policy_module(apache, 2.12.0) +policy_module(apache, 2.12.1) ######################################## # @@ -402,14 +402,12 @@ read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t) allow httpd_t httpd_keytab_t:file read_file_perms; +allow httpd_t httpd_lock_t:dir manage_dir_perms; allow httpd_t httpd_lock_t:file manage_file_perms; -files_lock_filetrans(httpd_t, httpd_lock_t, file) +files_lock_filetrans(httpd_t, httpd_lock_t, { file dir }) -allow httpd_t httpd_log_t:dir setattr_dir_perms; -create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) -create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) -append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) -read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) +manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) +manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t) read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) logging_log_filetrans(httpd_t, httpd_log_t, file) @@ -427,6 +425,8 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) allow httpd_t httpd_suexec_exec_t:file read_file_perms; allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +allow httpd_t httpd_sys_script_t:process signull; + manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -444,6 +444,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) +manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) @@ -464,6 +465,8 @@ domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) kernel_read_kernel_sysctls(httpd_t) +kernel_read_vm_sysctls(httpd_t) +kernel_read_vm_overcommit_sysctl(httpd_t) kernel_read_network_state(httpd_t) kernel_read_system_state(httpd_t) kernel_search_network_sysctl(httpd_t) @@ -513,6 +516,8 @@ files_read_var_lib_symlinks(httpd_t) auth_use_nsswitch(httpd_t) +init_rw_inherited_script_tmp_files(httpd_t) + libs_read_lib_files(httpd_t) logging_send_syslog_msg(httpd_t) @@ -590,6 +595,7 @@ tunable_policy(`httpd_builtin_scripting',` tunable_policy(`httpd_enable_cgi',` allow httpd_t httpd_script_domains:process { signal sigkill sigstop }; allow httpd_t httpd_script_exec_type:dir list_dir_perms; + allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms; ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` @@ -737,9 +743,8 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` tunable_policy(`httpd_use_nfs',` fs_list_auto_mountpoints(httpd_t) - fs_manage_nfs_dirs(httpd_t) - fs_manage_nfs_files(httpd_t) - fs_manage_nfs_symlinks(httpd_t) + rpc_manage_nfs_rw_content(httpd_t) + rpc_read_nfs_content(httpd_t) ') tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` @@ -1063,9 +1068,8 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` tunable_policy(`httpd_use_nfs',` fs_list_auto_mountpoints(httpd_suexec_t) - fs_manage_nfs_dirs(httpd_suexec_t) - fs_manage_nfs_files(httpd_suexec_t) - fs_manage_nfs_symlinks(httpd_suexec_t) + rpc_manage_nfs_rw_content(httpd_t) + rpc_read_nfs_content(httpd_t) ') tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` @@ -1213,8 +1217,11 @@ optional_policy(` # allow httpd_sys_script_t self:tcp_socket { accept listen }; +allow httpd_sys_script_t self:unix_dgram_socket { create connect connected_socket_perms }; + allow httpd_sys_script_t httpd_t:tcp_socket { read write }; +allow httpd_sys_script_t httpd_t:unix_stream_socket { read write ioctl }; dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -1226,6 +1233,8 @@ allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms; kernel_read_kernel_sysctls(httpd_sys_script_t) +dev_read_sysfs(httpd_sys_script_t) + fs_search_auto_mountpoints(httpd_sys_script_t) files_read_var_symlinks(httpd_sys_script_t) @@ -1236,6 +1245,12 @@ apache_domtrans_rotatelogs(httpd_sys_script_t) auth_use_nsswitch(httpd_sys_script_t) +logging_send_syslog_msg(httpd_sys_script_t) + +ifdef(`init_systemd', ` + init_search_pid_dirs(httpd_sys_script_t) +') + tunable_policy(`httpd_can_sendmail',` corenet_sendrecv_smtp_client_packets(httpd_sys_script_t) corenet_tcp_connect_smtp_port(httpd_sys_script_t) @@ -1290,9 +1305,8 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` tunable_policy(`httpd_use_nfs',` fs_list_auto_mountpoints(httpd_sys_script_t) - fs_manage_nfs_dirs(httpd_sys_script_t) - fs_manage_nfs_files(httpd_sys_script_t) - fs_manage_nfs_symlinks(httpd_sys_script_t) + rpc_manage_nfs_rw_content(httpd_t) + rpc_read_nfs_content(httpd_t) ') tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc index c9619a4e..de596aed 100644 --- a/policy/modules/contrib/bind.fc +++ b/policy/modules/contrib/bind.fc @@ -28,6 +28,8 @@ /var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0) + /var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) /var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) @@ -53,5 +55,6 @@ /run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0) /run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) +/run/lwresd/lwresd\.pid -s gen_context(system_u:object_r:named_var_run_t,s0) /run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) /run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te index bfec7c74..25329fdb 100644 --- a/policy/modules/contrib/bind.te +++ b/policy/modules/contrib/bind.te @@ -1,4 +1,4 @@ -policy_module(bind, 1.18.0) +policy_module(bind, 1.18.1) ######################################## # @@ -112,6 +112,8 @@ allow named_t named_zone_t:dir list_dir_perms; read_files_pattern(named_t, named_zone_t, named_zone_t) read_lnk_files_pattern(named_t, named_zone_t, named_zone_t) +kernel_read_net_sysctls(named_t) +kernel_read_vm_sysctls(named_t) kernel_read_kernel_sysctls(named_t) kernel_read_vm_overcommit_sysctl(named_t) kernel_read_system_state(named_t) @@ -152,6 +154,7 @@ dev_read_urand(named_t) domain_use_interactive_fds(named_t) files_read_etc_runtime_files(named_t) +files_read_usr_files(named_t) fs_getattr_all_fs(named_t) fs_search_auto_mountpoints(named_t) @@ -219,6 +222,7 @@ optional_policy(` # allow ndc_t self:capability { dac_override net_admin }; +allow ndc_t self:capability2 block_suspend; allow ndc_t self:process signal_perms; allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/contrib/inetd.te b/policy/modules/contrib/inetd.te index 66c15680..70ecd1e5 100644 --- a/policy/modules/contrib/inetd.te +++ b/policy/modules/contrib/inetd.te @@ -1,4 +1,4 @@ -policy_module(inetd, 1.14.0) +policy_module(inetd, 1.14.1) ######################################## # @@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t) kernel_tcp_recvfrom_unlabeled(inetd_t) corecmd_bin_domtrans(inetd_t, inetd_child_t) +corecmd_bin_entry_type(inetd_child_t) corenet_all_recvfrom_unlabeled(inetd_t) corenet_all_recvfrom_netlabel(inetd_t) diff --git a/policy/modules/contrib/iodine.fc b/policy/modules/contrib/iodine.fc index ca07a874..42a24aaf 100644 --- a/policy/modules/contrib/iodine.fc +++ b/policy/modules/contrib/iodine.fc @@ -1,3 +1,5 @@ /etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0) /usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0) + +/var/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0) diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te index c35fc069..11ef68f9 100644 --- a/policy/modules/contrib/iodine.te +++ b/policy/modules/contrib/iodine.te @@ -1,4 +1,4 @@ -policy_module(iodine, 1.2.0) +policy_module(iodine, 1.2.1) ######################################## # @@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t) type iodined_initrc_exec_t; init_script_file(iodined_initrc_exec_t) +type iodined_var_run_t; +files_pid_file(iodined_var_run_t) + ######################################## # # Local policy @@ -21,6 +24,10 @@ allow iodined_t self:capability { net_admin net_raw setgid setuid sys_chroot }; allow iodined_t self:rawip_socket create_socket_perms; allow iodined_t self:tun_socket create_socket_perms; allow iodined_t self:udp_socket connected_socket_perms; +allow iodined_t self:netlink_route_socket rw_netlink_socket_perms; + +manage_dirs_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t) +manage_files_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t) kernel_read_net_sysctls(iodined_t) kernel_read_network_state(iodined_t) diff --git a/policy/modules/contrib/jabber.fc b/policy/modules/contrib/jabber.fc index 96325be0..e31f56e8 100644 --- a/policy/modules/contrib/jabber.fc +++ b/policy/modules/contrib/jabber.fc @@ -2,6 +2,7 @@ /usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) /usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) +/usr/bin/prosody -- gen_context(system_u:object_r:jabberd_exec_t,s0) /usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0) /usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0) @@ -13,13 +14,16 @@ /var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) /var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) +/var/log/prosody(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) /var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) /var/lib/ejabberd/spool(/.*)? gen_context(system_u:object_r:jabberd_spool_t,s0) /var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) /var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) +/var/lib/prosody(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) /var/lib/jabberd/log(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) /var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0) /run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0) /run/jabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0) +/run/prosody(/.*)? -- gen_context(system_u:object_r:jabberd_var_run_t,s0) diff --git a/policy/modules/contrib/jabber.te b/policy/modules/contrib/jabber.te index fdea29d5..36f603c3 100644 --- a/policy/modules/contrib/jabber.te +++ b/policy/modules/contrib/jabber.te @@ -1,4 +1,4 @@ -policy_module(jabber, 1.12.0) +policy_module(jabber, 1.12.1) ######################################## # @@ -73,6 +73,7 @@ allow jabberd_t self:capability dac_override; dontaudit jabberd_t self:capability sys_tty_config; allow jabberd_t self:tcp_socket create_socket_perms; allow jabberd_t self:udp_socket create_socket_perms; +allow jabberd_t self:netlink_route_socket r_netlink_socket_perms; manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t) @@ -87,8 +88,12 @@ manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t) manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t) files_pid_filetrans(jabberd_t, jabberd_var_run_t, file) +domain_dontaudit_search_all_domains_state(jabberd_t) + kernel_read_kernel_sysctls(jabberd_t) +corecmd_exec_bin(jabberd_t) + corenet_sendrecv_jabber_client_server_packets(jabberd_t) corenet_tcp_bind_jabber_client_port(jabberd_t) corenet_tcp_sendrecv_jabber_client_port(jabberd_t) @@ -96,6 +101,7 @@ corenet_tcp_sendrecv_jabber_client_port(jabberd_t) corenet_sendrecv_jabber_interserver_server_packets(jabberd_t) corenet_tcp_bind_jabber_interserver_port(jabberd_t) corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t) +corenet_tcp_connect_jabber_interserver_port(jabberd_t) dev_read_rand(jabberd_t) @@ -103,9 +109,13 @@ domain_use_interactive_fds(jabberd_t) files_read_etc_files(jabberd_t) files_read_etc_runtime_files(jabberd_t) +# usr for lua modules +files_read_usr_files(jabberd_t) fs_search_auto_mountpoints(jabberd_t) +miscfiles_read_all_certs(jabberd_t) + sysnet_read_config(jabberd_t) userdom_dontaudit_use_unpriv_user_fds(jabberd_t) diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te index 44c2abcd..de6a62cf 100644 --- a/policy/modules/contrib/nagios.te +++ b/policy/modules/contrib/nagios.te @@ -1,4 +1,4 @@ -policy_module(nagios, 1.15.0) +policy_module(nagios, 1.15.1) ######################################## # @@ -216,12 +216,15 @@ optional_policy(` # Nrpe local policy # -allow nrpe_t self:capability { setgid setuid }; +allow nrpe_t self:capability { dac_override setgid setuid }; dontaudit nrpe_t self:capability { sys_resource sys_tty_config }; allow nrpe_t self:process { setpgid signal_perms setsched setrlimit }; allow nrpe_t self:fifo_file rw_fifo_file_perms; allow nrpe_t self:tcp_socket { accept listen }; +allow nrpe_t nagios_etc_t:dir list_dir_perms; +allow nrpe_t nagios_etc_t:file read_file_perms; + allow nrpe_t nagios_plugin_domain:process { signal sigkill }; read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t) diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc index fe5f8b4c..1e6d0f5b 100644 --- a/policy/modules/contrib/networkmanager.fc +++ b/policy/modules/contrib/networkmanager.fc @@ -3,7 +3,7 @@ /etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0) /etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0) /etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0) -/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +/etc/NetworkManager/dispatcher\.d(/.*)? -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) /etc/dhcp/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) /etc/dhcp/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te index cde12ad5..1e3237e5 100644 --- a/policy/modules/contrib/networkmanager.te +++ b/policy/modules/contrib/networkmanager.te @@ -1,4 +1,4 @@ -policy_module(networkmanager, 1.20.1) +policy_module(networkmanager, 1.20.2) ######################################## # @@ -241,6 +241,10 @@ optional_policy(` optional_policy(` xserver_dbus_chat_xdm(NetworkManager_t) ') + + optional_policy(` + unconfined_dbus_send(NetworkManager_t) + ') ') optional_policy(` diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if index fa0a1839..8bbb2aa3 100644 --- a/policy/modules/contrib/ntp.if +++ b/policy/modules/contrib/ntp.if @@ -18,6 +18,24 @@ interface(`ntp_stub',` ######################################## ## <summary> +## Read ntp.conf +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ntp_read_config',` + gen_require(` + type ntp_conf_t; + ') + + allow $1 ntp_conf_t:file read_file_perms; +') + +######################################## +## <summary> ## Execute ntp server in the ntpd domain. ## </summary> ## <param name="domain"> diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te index b1969955..9af1ad5f 100644 --- a/policy/modules/contrib/ntp.te +++ b/policy/modules/contrib/ntp.te @@ -1,4 +1,4 @@ -policy_module(ntp, 1.16.1) +policy_module(ntp, 1.16.2) ######################################## # @@ -60,6 +60,7 @@ allow ntpd_t self:fifo_file rw_fifo_file_perms; allow ntpd_t self:shm create_shm_perms; allow ntpd_t self:socket create; allow ntpd_t self:tcp_socket { accept listen }; +allow ntpd_t self:unix_dgram_socket sendto; allow ntpd_t ntp_conf_t:file read_file_perms; diff --git a/policy/modules/contrib/openvpn.fc b/policy/modules/contrib/openvpn.fc index 7703264d..00d176d3 100644 --- a/policy/modules/contrib/openvpn.fc +++ b/policy/modules/contrib/openvpn.fc @@ -1,5 +1,6 @@ /etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0) /etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0) +/etc/openvpn/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0) /etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0) diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te index 465716f6..54170a62 100644 --- a/policy/modules/contrib/openvpn.te +++ b/policy/modules/contrib/openvpn.te @@ -1,4 +1,4 @@ -policy_module(openvpn, 1.15.0) +policy_module(openvpn, 1.15.1) ######################################## # diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te index 5123f079..0b9a71fc 100644 --- a/policy/modules/contrib/rpc.te +++ b/policy/modules/contrib/rpc.te @@ -1,4 +1,4 @@ -policy_module(rpc, 1.19.1) +policy_module(rpc, 1.19.2) ######################################## # @@ -161,6 +161,8 @@ kernel_read_sysctl(rpcd_t) kernel_rw_fs_sysctls(rpcd_t) kernel_dontaudit_getattr_core_if(rpcd_t) kernel_signal(rpcd_t) +# for /proc/fs/lockd/nlm_end_grace +kernel_write_proc_files(rpcd_t) corecmd_exec_bin(rpcd_t) diff --git a/policy/modules/contrib/squid.fc b/policy/modules/contrib/squid.fc index d6b5ba09..7051c3e1 100644 --- a/policy/modules/contrib/squid.fc +++ b/policy/modules/contrib/squid.fc @@ -4,17 +4,17 @@ /usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) -/usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0) +/usr/sbin/squid.* -- gen_context(system_u:object_r:squid_exec_t,s0) /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) -/var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0) +/var/log/squid.* gen_context(system_u:object_r:squid_log_t,s0) /var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0) -/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) +/run/squid3.* gen_context(system_u:object_r:squid_var_run_t,s0) -/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +/var/spool/squid.* gen_context(system_u:object_r:squid_cache_t,s0) /var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) diff --git a/policy/modules/contrib/squid.if b/policy/modules/contrib/squid.if index 941cedf3..b5adfad3 100644 --- a/policy/modules/contrib/squid.if +++ b/policy/modules/contrib/squid.if @@ -191,6 +191,25 @@ interface(`squid_use',` ######################################## ## <summary> +## dontaudit statting tmpfs files +## </summary> +## <param name="domain"> +## <summary> +## Domain to not be audited +## </summary> +## </param> +## <rolecap/> +# +interface(`squid_dontaudit_read_tmpfs_files',` + gen_require(` + type squid_tmpfs_t; + ') + + dontaudit $1 squid_tmpfs_t:file getattr; +') + +######################################## +## <summary> ## All of the rules required to ## administrate an squid environment. ## </summary> diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te index 74fb3c23..f4fd15e8 100644 --- a/policy/modules/contrib/squid.te +++ b/policy/modules/contrib/squid.te @@ -1,4 +1,4 @@ -policy_module(squid, 1.15.0) +policy_module(squid, 1.15.1) ######################################## # @@ -21,6 +21,14 @@ gen_tunable(squid_connect_any, false) ## </desc> gen_tunable(squid_use_tproxy, false) +## <desc> +## <p> +## Determine whether squid can use the +## pinger daemon (needs raw net access) +## </p> +## </desc> +gen_tunable(squid_use_pinger, true) + type squid_t; type squid_exec_t; init_daemon_domain(squid_t, squid_exec_t) @@ -188,6 +196,11 @@ tunable_policy(`squid_connect_any',` corenet_tcp_sendrecv_all_ports(squid_t) ') +tunable_policy(`squid_use_pinger',` + allow squid_t self:rawip_socket connected_socket_perms; + allow squid_t self:capability net_raw; +') + tunable_policy(`squid_use_tproxy',` allow squid_t self:capability net_admin; corenet_sendrecv_netport_server_packets(squid_t) |