A set of contrib updates from Gentoo
Sven Vermeulen (13):
Allow asterisk admins to execute asterisk binary directly
Support tagfiles for consolekit
ConsoleKit needs to read the dbus machine-id
File context updates for courier-imap
Allow reading /proc/self for fail2ban due to FAM support
Allow IRC clients to read certificates
Update on file contexts for OpenLDAP
Update on file contexts for wpa_supplicant
Postfix creates defer(red) queue locations
Update file contexts for puppet
Support ~/.tmux.conf as tmux configuration file
Support tmux control socket
Add setuid/setgid capability to ulogd_t
asterisk.if | 21 +++++++++++++++++++++
consolekit.te | 6 ++++++
courier.fc | 2 ++
dbus.if | 1 +
fail2ban.te | 3 +++
irc.te | 1 +
ldap.fc | 5 +++++
networkmanager.fc | 1 +
postfix.te | 2 ++
puppet.fc | 4 ++++
screen.fc | 1 +
screen.if | 1 +
screen.te | 3 ++-
ulogd.te | 2 +-
14 files changed, 51 insertions(+), 2 deletions(-)
--
1.8.1.5
Administering Asterisk requires being able to run the asterisk binary (no
transition needed, it acts as a client). For instance
http://www.voip-info.org/wiki/view/Asterisk+CLI shows an overview of common CLI
commands run by administrators through the asterisk binary.
Thus add asterisk_exec($1) to the asterisk_admin() definition.
Signed-off-by: Sven Vermeulen <[email protected]>
---
asterisk.if | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/asterisk.if b/asterisk.if
index 7268a04..26c8621 100644
--- a/asterisk.if
+++ b/asterisk.if
@@ -113,6 +113,8 @@ interface(`asterisk_admin',`
role_transition $2 asterisk_initrc_exec_t system_r;
allow $2 system_r;
+ asterisk_exec($1)
+
files_list_tmp($1)
admin_pattern($1, asterisk_tmp_t)
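Review bot: the new asterisk_exec($1) call is placed between the role_transition/allow $2 system_r lines and the files_list_tmp($1) block, which splits the role handling from the per-type admin_pattern blocks that follow it. Move the call above the role_transition line, grouped with the other rules on the admin domain itself, so asterisk_admin keeps the usual layout of domain rules, then role rules, then one admin_pattern block per type.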
@@ -131,3 +133,22 @@ interface(`asterisk_admin',`
files_list_pids($1)
admin_pattern($1, asterisk_var_run_t)
')
+
+######################################
+## <summary>
+## Execute asterisk is the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to execute asterisk
+## </summary>
+## </param>
+#
+interface(`asterisk_exec',`
+ gen_require(`
+ type asterisk_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, asterisk_exec_t)
+')
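Review bot: the interface header's summary reads "Execute asterisk is the caller domain"; it should be "in the caller domain", and the header separator uses 38 '#' characters where the existing separators in this file use 40 (see the "########################################" line that follows the dbus.if hunk later in this series). Keep the XML header identical in shape to the other interfaces. The body itself (gen_require of asterisk_exec_t, corecmd_search_bin($1), can_exec($1, asterisk_exec_t)) is the standard exec interface and is fine.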
--
1.8.1.5
Gentoo currently still uses the pam-foreground compatibility, which causes
ConsoleKit to set tagfiles in the pam_console tag directory (/var/run/console).
As /var/run is dynamic nowadays, ConsoleKit also creates the directory.
Allow ConsoleKit to create such a directory with the right file transition in
place.
Debian also has this (already in policy), so duplicate the settings for Gentoo. As
the policy includes a transition, I'm less inclined to make this a global policy
change as I have no idea what the impact would be on other distributions such as
Fedora/RedHat.
Signed-off-by: Sven Vermeulen <[email protected]>
---
consolekit.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/consolekit.te b/consolekit.te
index 5f0c793..aff2f51 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -92,6 +92,11 @@ ifdef(`distro_debian',`
auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
')
+ifdef(`distro_gentoo',`
+ auth_create_pam_console_data_dirs(consolekit_t)
+ auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
+')
+
optional_policy(`
dbus_system_domain(consolekit_t, consolekit_exec_t)
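Review bot: the distro_gentoo block is identical to the distro_debian block directly above it (auth_create_pam_console_data_dirs plus the "console" dir filetrans). Rather than carrying two copies, either widen the existing conditional to cover both distributions or, if the filetrans does not conflict with Fedora/RedHat, make the two calls unconditional; the commit message only says that impact is unknown, and that is the question to settle before merging a duplicate block.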
--
1.8.1.5
The dbus integration in ConsoleKit reads the machine-id as provided through
dbus (/var/lib/dbus/machine-id).
On Gentoo, however, this location is a symbolic link to /etc/machine-id, so we
update the interface to support reading symbolic link files too.
See also ConsoleKit's src/ck-manager.c function generate_session_cookie (calls
dbus_get_local_machine_id).
Signed-off-by: Sven Vermeulen <[email protected]>
---
consolekit.te | 1 +
dbus.if | 1 +
2 files changed, 2 insertions(+)
diff --git a/consolekit.te b/consolekit.te
index aff2f51..6874d9a 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -98,6 +98,7 @@ ifdef(`distro_gentoo',`
')
optional_policy(`
+ dbus_read_lib_files(consolekit_t)
dbus_system_domain(consolekit_t, consolekit_exec_t)
optional_policy(`
diff --git a/dbus.if b/dbus.if
index afcf3a2..62d22cb 100644
--- a/dbus.if
+++ b/dbus.if
@@ -356,6 +356,7 @@ interface(`dbus_read_lib_files',`
files_search_var_lib($1)
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
')
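Review bot: read_lnk_files_pattern lets the caller read the symlink itself, but the commit message says the link target is /etc/machine-id, so the caller also needs read access on that file; for consolekit_t that would come from an etc-files read interface that is not visible in this patch. Verify consolekit_t already has it, otherwise the denial just moves from the link to its target. Note also that the change is broader than ConsoleKit: every caller of dbus_read_lib_files now gains lnk_file read on system_dbusd_var_lib_t. That is harmless for a read-only interface, but the commit message should say so.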
########################################
--
1.8.1.5
Signed-off-by: Sven Vermeulen <[email protected]>
---
courier.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/courier.fc b/courier.fc
index 8a4b596..69bdc68 100644
--- a/courier.fc
+++ b/courier.fc
@@ -4,9 +4,11 @@
/usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/sbin/authdaemond -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+/usr/sbin/courier-imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/sbin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0)
/usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0)
/usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+/usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
/usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
/usr/lib/courier/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
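Review bot: /usr/sbin/imaplogin is labelled courier_authdaemon_exec_t, while the other IMAP entries in this hunk (/usr/bin/imapd and the new /usr/sbin/courier-imapd) use courier_pop_exec_t. imaplogin is the IMAP login front end that couriertcpd spawns, not the authentication daemon, so courier_pop_exec_t looks like the intended type; with the label as written the IMAP login process would run in the authdaemon domain.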
--
1.8.1.5
fail2ban supports file monitoring solutions like Gamin and Pyinotify. When using
Gamin, fail2ban launches a gam_server which, through FAM support, reads
/proc/self.
As this gam_server is only used for the fail2ban activities and all permissions
are already in place (except for read access to the fail2ban_t /proc itself),
allow this in the fail2ban_t domain instead of creating a new domain for
gam_server and transitioning to it.
Signed-off-by: Sven Vermeulen <[email protected]>
---
fail2ban.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fail2ban.te b/fail2ban.te
index 0872e50..919358a 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -42,6 +42,9 @@ allow fail2ban_t self:fifo_file rw_fifo_file_perms;
allow fail2ban_t self:unix_stream_socket { accept connectto listen };
allow fail2ban_t self:tcp_socket { accept listen };
+# Needed for FAM support
+read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
+
append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
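Review bot: the inline "# Needed for FAM support" comment duplicates the commit message and refpolicy .te files do not carry such comments; drop it. Also, read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t) is a self rule in disguise (it expands to dir search and file read on fail2ban_t by fail2ban_t). Writing it as `allow fail2ban_t self:dir search_dir_perms;` and `allow fail2ban_t self:file read_file_perms;` next to the other self: rules at the top of this hunk states what is granted (reading its own /proc/self entries) more plainly than the pattern macro separated from that block.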
--
1.8.1.5
To allow IRC clients to connect to SSL-enabled IRC servers, allow irc clients
to read the generic certificates.
Signed-off-by: Sven Vermeulen <[email protected]>
---
irc.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/irc.te b/irc.te
index ecad9c7..ddf1595 100644
--- a/irc.te
+++ b/irc.te
@@ -106,6 +106,7 @@ auth_use_nsswitch(irc_t)
init_read_utmp(irc_t)
init_dontaudit_lock_utmp(irc_t)
+miscfiles_read_generic_certs(irc_t)
miscfiles_read_localization(irc_t)
userdom_use_user_terminals(irc_t)
--
1.8.1.5
Signed-off-by: Sven Vermeulen <[email protected]>
---
ldap.fc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/ldap.fc b/ldap.fc
index bc25c95..b7e5679 100644
--- a/ldap.fc
+++ b/ldap.fc
@@ -6,11 +6,16 @@
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+/usr/lib/openldap/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
/usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
/var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
/var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
+/var/lib/openldap-data(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+/var/lib/openldap-ldbm(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+/var/lib/openldap-slurpd(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+
/var/lock/subsys/ldap -- gen_context(system_u:object_r:slapd_lock_t,s0)
/var/lock/subsys/slapd -- gen_context(system_u:object_r:slapd_lock_t,s0)
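Review bot: /var/lib/openldap-slurpd gets slapd_db_t, but the existing /var/lib/ldap/replog entry a few lines up labels the replication log as slapd_replog_t. slurpd is OpenLDAP's legacy replication daemon, so if openldap-slurpd on Gentoo holds the replog, slapd_replog_t is the consistent choice; if it holds something else, a short note on what that directory contains would justify slapd_db_t. The openldap-data and openldap-ldbm entries as slapd_db_t match the existing /var/lib/ldap entry.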
--
1.8.1.5
Signed-off-by: Sven Vermeulen <[email protected]>
---
networkmanager.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/networkmanager.fc b/networkmanager.fc
index a1fb3c3..94b9734 100644
--- a/networkmanager.fc
+++ b/networkmanager.fc
@@ -20,6 +20,7 @@
/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
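Review bot: this entry references wpa_cli_exec_t, but the series contains no networkmanager.te change (the cover letter lists only networkmanager.fc), so the type must already be declared in that module or the file_contexts build fails; please confirm. Also, the existing /sbin/wpa_supplicant entry has no /sbin/wpa_cli counterpart, so if wpa_cli is ever installed alongside the supplicant in /sbin it would remain unlabelled.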
--
1.8.1.5
Signed-off-by: Sven Vermeulen <[email protected]>
---
puppet.fc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/puppet.fc b/puppet.fc
index 4ecda09..d68e26d 100644
--- a/puppet.fc
+++ b/puppet.fc
@@ -3,6 +3,10 @@
/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
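Review bot: the three new /usr/bin lines mirror the /usr/sbin block that follows them type for type. If the module's style allows it, a single pattern per binary (e.g. `/usr/s?bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)`) would cover both locations without keeping two blocks in sync. Cosmetic, but it is the second .fc file in this series (after ldap.fc) that grows by duplication.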
--
1.8.1.5
The tmux application is similar to screen, and already supported in the policy
as such. Include ~/.tmux.conf as screen_home_t and include the proper transition
when the file is created.
Signed-off-by: Sven Vermeulen <[email protected]>
---
screen.fc | 1 +
screen.if | 1 +
2 files changed, 2 insertions(+)
diff --git a/screen.fc b/screen.fc
index ac04d27..e7c2cf7 100644
--- a/screen.fc
+++ b/screen.fc
@@ -1,5 +1,6 @@
HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
+HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
diff --git a/screen.if b/screen.if
index c21ddcc..be5cce2 100644
--- a/screen.if
+++ b/screen.if
@@ -65,6 +65,7 @@ template(`screen_role_template',`
userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen")
userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
+ userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf")
manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
--
1.8.1.5
The tmux application places its control socket in /tmp/tmux-*. Introduce a
transition from screen_tmp_t (the /tmp/tmux-* directory) towards
screen_var_run_t for socket files.
Signed-off-by: Sven Vermeulen <[email protected]>
---
screen.te | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/screen.te b/screen.te
index f095081..75d538c 100644
--- a/screen.te
+++ b/screen.te
@@ -38,12 +38,13 @@ allow screen_domain self:process signal_perms;
allow screen_domain self:fd use;
allow screen_domain self:fifo_file rw_fifo_file_perms;
allow screen_domain self:tcp_socket { accept listen };
-allow screen_domain self:unix_stream_socket connectto;
+allow screen_domain self:unix_stream_socket { accept connectto listen };
manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir })
+filetrans_pattern(screen_domain, screen_tmp_t, screen_var_run_t, sock_file)
manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
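Review bot: filetrans_pattern(screen_domain, screen_tmp_t, screen_var_run_t, sock_file) is unnamed, so every socket screen_domain creates under a screen_tmp_t directory gets screen_var_run_t, a pid-file type living under /tmp. Unless screen.fc also labels /tmp/tmux-.* sockets as screen_var_run_t (the screen.fc hunk earlier in this series does not add that), a restorecon of /tmp relabels them back to screen_tmp_t and the policy and file contexts disagree. The alternative with no label mismatch is `manage_sock_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)` alongside the existing screen_tmp_t rules above. The added accept/listen on unix_stream_socket is what the tmux server side needs and is fine.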
--
1.8.1.5
At startup, the Postfix daemon will check if the defer and deferred queues are
available. If not, it will create them. Introduce the proper file transitions to
support this.
Signed-off-by: Sven Vermeulen <[email protected]>
---
postfix.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/postfix.te b/postfix.te
index 3f45a93..069bc2e 100644
--- a/postfix.te
+++ b/postfix.te
@@ -244,6 +244,8 @@ create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "defer")
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred")
filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
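Review bot: the two new named transitions give the defer and deferred queue directories postfix_spool_maildrop_t rather than the parent postfix_spool_t. That is the type postfix.fc already assigns them (quoted later in this thread), so the transitions keep runtime-created directories consistent with the file contexts without a relabel, but a "maildrop" type on queue directories that hold no submitted mail is questioned in Russell Coker's reply. Either answer that in the commit message or cite the postfix.fc entries there, so the reason for the type choice is on record.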
--
1.8.1.5
The ulog daemon, when launched with the "-u" option, will change uid/gid after
it has finished its root-required tasks. This is handled in src/ulogd.c. If we do
not allow setuid/setgid, the following errors are displayed and the start-up
fails.
Sun Mar 17 23:53:53 2013 <5> ulogd.c:1184 Changing UID / GID
Sun Mar 17 23:53:53 2013 <8> ulogd.c:1186 can't set GID 245
Reported-by: vespian <[email protected]>
Signed-off-by: Sven Vermeulen <[email protected]>
---
ulogd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ulogd.te b/ulogd.te
index c6acbbe..d41c4b1 100644
--- a/ulogd.te
+++ b/ulogd.te
@@ -26,7 +26,7 @@ logging_log_file(ulogd_var_log_t)
# Local policy
#
-allow ulogd_t self:capability { net_admin sys_nice };
+allow ulogd_t self:capability { net_admin setuid setgid sys_nice };
allow ulogd_t self:process setsched;
allow ulogd_t self:netlink_nflog_socket create_socket_perms;
allow ulogd_t self:netlink_socket create_socket_perms;
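Review bot: refpolicy keeps permission sets sorted, so the capability list should read `{ net_admin setgid setuid sys_nice }` rather than `{ net_admin setuid setgid sys_nice }`. Functionally the pair is right: the quoted log line "can't set GID 245" is the setgid step failing, and the uid change follows it in ulogd.c, so allowing only one of the two would merely move the failure. setgroups, if ulogd calls it while dropping privileges, is also covered by CAP_SETGID, so nothing beyond these two capabilities is needed for the privilege drop.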
--
1.8.1.5
On Thu, 11 Apr 2013, Sven Vermeulen <[email protected]> wrote:
> At startup, the Postfix daemon will check if the defer and deferred queues
> are available. If not, it will create them. Introduce the proper file
> transitions to support this.
If you are going to assign a new type for the defer/deferred directories then
is the maildrop name the correct one? Those directories aren't for mail
storage and the file contents are different to that which is used by programs
such as maildrop.
It's always been postfix_spool_t for those directories, why do we need to
change this?
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> postfix.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/postfix.te b/postfix.te
> index 3f45a93..069bc2e 100644
> --- a/postfix.te
> +++ b/postfix.te
> @@ -244,6 +244,8 @@ create_dirs_pattern(postfix_master_t, postfix_spool_t,
> postfix_spool_maildrop_t) delete_files_pattern(postfix_master_t,
> postfix_spool_maildrop_t, postfix_spool_maildrop_t)
> rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t,
> postfix_spool_maildrop_t) setattr_dirs_pattern(postfix_master_t,
> postfix_spool_maildrop_t, postfix_spool_maildrop_t)
> +filetrans_pattern(postfix_master_t, postfix_spool_t,
> postfix_spool_maildrop_t, dir, "defer")
> +filetrans_pattern(postfix_master_t, postfix_spool_t,
> postfix_spool_maildrop_t, dir, "deferred")
> filetrans_pattern(postfix_master_t, postfix_spool_t,
> postfix_spool_maildrop_t, dir, "maildrop")
>
> create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
On Fri, Apr 12, 2013 at 01:39:15PM +1000, Russell Coker wrote:
> On Thu, 11 Apr 2013, Sven Vermeulen <[email protected]> wrote:
> > At startup, the Postfix daemon will check if the defer and deferred queues
> > are available. If not, it will create them. Introduce the proper file
> > transitions to support this.
>
> If you are going to assign a new type for the defer/deferred directories then
> is the maildrop name the correct one? Those directories aren't for mail
> storage and the file contents are different to that which is used by programs
> such as maildrop.
>
> It's always been postfix_spool_t for those directories, why do we need to
> change this?
Because they're not postfix_spool_t according to the file context def?
#v+
/var/spool/postfix/deferred(/.*)? -d gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
#v-
What the patch does is streamline this so that we don't need restorecond or
a relabel operation. Also, the deferred queue only has the directory labeled
as such - mails that are moved between queues retain their label
(postfix_spool_t).
Wkr,
Sven Vermeulen
On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> Administrating Asterisk requires being able to run the asterisk binary (no
> transition needed, it acts as a client). For instance
> http://www.voip-info.org/wiki/view/Asterisk+CLI shows an overview of common CLI
> commands ran by administrators through the asterisk binary.
>
> Thus add in asterisk_exec($1) into the asterisk_admin() definition.
Merged with changes, thanks
Moved asterisk exec to the right place and edited the interface xml
header
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> asterisk.if | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
>
> diff --git a/asterisk.if b/asterisk.if
> index 7268a04..26c8621 100644
> --- a/asterisk.if
> +++ b/asterisk.if
> @@ -113,6 +113,8 @@ interface(`asterisk_admin',`
> role_transition $2 asterisk_initrc_exec_t system_r;
> allow $2 system_r;
>
> + asterisk_exec($1)
> +
> files_list_tmp($1)
> admin_pattern($1, asterisk_tmp_t)
>
> @@ -131,3 +133,22 @@ interface(`asterisk_admin',`
> files_list_pids($1)
> admin_pattern($1, asterisk_var_run_t)
> ')
> +
> +######################################
> +## <summary>
> +## Execute asterisk is the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to execute asterisk
> +## </summary>
> +## </param>
> +#
> +interface(`asterisk_exec',`
> + gen_require(`
> + type asterisk_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + can_exec($1, asterisk_exec_t)
> +')
On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> Gentoo currently still uses the pam-foreground compatibility, which causes
> ConsoleKit to set tagfiles in the pam_console tag directory (/var/run/console).
> As /var/run is dynamic nowadays, ConsoleKit also creates the directory.
>
> Allow ConsoleKit to create such directory with the right file transition in
> place.
>
> Debian also has this (already in policy) so duplicate settings for Gentoo. As
> the policy includes a transition, I'm less inclined to make this a global policy
> change as I have no idea what the impact would be on other distributions such as
> Fedora/RedHat.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
Merged with changes, thanks
Made this unconditional as this does not seem to conflict with Fedora
> ---
> consolekit.te | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/consolekit.te b/consolekit.te
> index 5f0c793..aff2f51 100644
> --- a/consolekit.te
> +++ b/consolekit.te
> @@ -92,6 +92,11 @@ ifdef(`distro_debian',`
> auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
> ')
>
> +ifdef(`distro_gentoo',`
> + auth_create_pam_console_data_dirs(consolekit_t)
> + auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
> +')
> +
> optional_policy(`
> dbus_system_domain(consolekit_t, consolekit_exec_t)
>
On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> The dbus integration in ConsoleKit reads in the machine-id as provided through
> dbus (/var/lib/dbus/machine-id).
>
> On Gentoo, this location is a symbolic link to /etc/machine-id however, so we
> update the interface to support reading the symbolic link files too.
>
> See also ConsoleKit's src/ck-manager.c function generate_session_cookie (calls
> dbus_get_local_machine_id).
>
> Signed-off-by: Sven Vermeulen <[email protected]>
Merged, thanks
> ---
> consolekit.te | 1 +
> dbus.if | 1 +
> 2 files changed, 2 insertions(+)
>
> diff --git a/consolekit.te b/consolekit.te
> index aff2f51..6874d9a 100644
> --- a/consolekit.te
> +++ b/consolekit.te
> @@ -98,6 +98,7 @@ ifdef(`distro_gentoo',`
> ')
>
> optional_policy(`
> + dbus_read_lib_files(consolekit_t)
> dbus_system_domain(consolekit_t, consolekit_exec_t)
>
> optional_policy(`
> diff --git a/dbus.if b/dbus.if
> index afcf3a2..62d22cb 100644
> --- a/dbus.if
> +++ b/dbus.if
> @@ -356,6 +356,7 @@ interface(`dbus_read_lib_files',`
>
> files_search_var_lib($1)
> read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
> + read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
> ')
>
> ########################################
On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <[email protected]>
Merged with changes, thanks
imaplogin is courier_pop_exec_t
> ---
> courier.fc | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/courier.fc b/courier.fc
> index 8a4b596..69bdc68 100644
> --- a/courier.fc
> +++ b/courier.fc
> @@ -4,9 +4,11 @@
> /usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
>
> /usr/sbin/authdaemond -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
> +/usr/sbin/courier-imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
> /usr/sbin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0)
> /usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0)
> /usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
> +/usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
>
> /usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
> /usr/lib/courier/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <[email protected]>
Merged, thanks
> ---
> ldap.fc | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/ldap.fc b/ldap.fc
> index bc25c95..b7e5679 100644
> --- a/ldap.fc
> +++ b/ldap.fc
> @@ -6,11 +6,16 @@
>
> /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
>
> +/usr/lib/openldap/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
> /usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
>
> /var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
> /var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
>
> +/var/lib/openldap-data(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
> +/var/lib/openldap-ldbm(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
> +/var/lib/openldap-slurpd(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
> +
> /var/lock/subsys/ldap -- gen_context(system_u:object_r:slapd_lock_t,s0)
> /var/lock/subsys/slapd -- gen_context(system_u:object_r:slapd_lock_t,s0)
>
On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <[email protected]>
Merged, thanks
> ---
> networkmanager.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/networkmanager.fc b/networkmanager.fc
> index a1fb3c3..94b9734 100644
> --- a/networkmanager.fc
> +++ b/networkmanager.fc
> @@ -20,6 +20,7 @@
> /sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
>
> /usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
> +/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
> /usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
>
> /usr/sbin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> To support IRC clients to connect to SSL-enabled IRC servers, allow irc clients
> to read the generic certificates.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
Merged, thanks
> ---
> irc.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/irc.te b/irc.te
> index ecad9c7..ddf1595 100644
> --- a/irc.te
> +++ b/irc.te
> @@ -106,6 +106,7 @@ auth_use_nsswitch(irc_t)
> init_read_utmp(irc_t)
> init_dontaudit_lock_utmp(irc_t)
>
> +miscfiles_read_generic_certs(irc_t)
> miscfiles_read_localization(irc_t)
>
> userdom_use_user_terminals(irc_t)
On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> fail2ban supports file monitoring solutions like Gamin, Pyinotify. When using
> Gamin, fail2ban launches a gam_server which, through FAM support, reads in
> /proc/self.
>
> As this gam_server is only for the fail2ban activities and all permissions
> (except for read access to the fail2ban_t /proc itself), allow this in the
> fail2ban_t domain instead of creating a new domain for gam_server and
> transitioning to it.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
Merged, thanks
You do not have to add in line comments as you have the git commit
messages
> ---
> fail2ban.te | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fail2ban.te b/fail2ban.te
> index 0872e50..919358a 100644
> --- a/fail2ban.te
> +++ b/fail2ban.te
> @@ -42,6 +42,9 @@ allow fail2ban_t self:fifo_file rw_fifo_file_perms;
> allow fail2ban_t self:unix_stream_socket { accept connectto listen };
> allow fail2ban_t self:tcp_socket { accept listen };
>
> +# Needed for FAM support
> +read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
> +
> append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
> create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
> setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <[email protected]>
Merged, thanks
> ---
> puppet.fc | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/puppet.fc b/puppet.fc
> index 4ecda09..d68e26d 100644
> --- a/puppet.fc
> +++ b/puppet.fc
> @@ -3,6 +3,10 @@
> /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
> /etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
>
> +/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
> +/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
> +/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
> +
> /usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
> /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
> /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> The tmux application is similar to screen, and already supported in the policy
> as such. Include ~/.tmux.conf as screen_home_t and include the proper transition
> when the file is created.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
Merged, thanks
> ---
> screen.fc | 1 +
> screen.if | 1 +
> 2 files changed, 2 insertions(+)
>
> diff --git a/screen.fc b/screen.fc
> index ac04d27..e7c2cf7 100644
> --- a/screen.fc
> +++ b/screen.fc
> @@ -1,5 +1,6 @@
> HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
> HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
> +HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
>
> /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
> /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
> diff --git a/screen.if b/screen.if
> index c21ddcc..be5cce2 100644
> --- a/screen.if
> +++ b/screen.if
> @@ -65,6 +65,7 @@ template(`screen_role_template',`
>
> userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen")
> userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
> + userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf")
>
> manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
> manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> At startup, the Postfix daemon will check if the defer and deferred queues are
> available. If not, it will create them. Introduce the proper file transitions to
> support this.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
Merged, thanks
> ---
> postfix.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/postfix.te b/postfix.te
> index 3f45a93..069bc2e 100644
> --- a/postfix.te
> +++ b/postfix.te
> @@ -244,6 +244,8 @@ create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
> delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
> rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
> setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
> +filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "defer")
> +filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred")
> filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
>
> create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> The ulog daemon, when launched with the "-u" option, will change uid/gid after
> it finished its root-required tasks. This is handled in src/ulogd.c. If we do
> not allow setuid/setgid, the following errors are displayed and the start-up
> fails.
>
> Sun Mar 17 23:53:53 2013 <5> ulogd.c:1184 Changing UID / GID
> Sun Mar 17 23:53:53 2013 <8> ulogd.c:1186 can't set GID 245
>
> Reported-by: vespian <[email protected]>
> Signed-off-by: Sven Vermeulen <[email protected]>
Merged, thanks
> ---
> ulogd.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/ulogd.te b/ulogd.te
> index c6acbbe..d41c4b1 100644
> --- a/ulogd.te
> +++ b/ulogd.te
> @@ -26,7 +26,7 @@ logging_log_file(ulogd_var_log_t)
> # Local policy
> #
>
> -allow ulogd_t self:capability { net_admin sys_nice };
> +allow ulogd_t self:capability { net_admin setuid setgid sys_nice };
> allow ulogd_t self:process setsched;
> allow ulogd_t self:netlink_nflog_socket create_socket_perms;
> allow ulogd_t self:netlink_socket create_socket_perms;
On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> The tmux application places its control socket in /tmp/tmux-*. Introduce a
> transition from screen_tmp_t (the /tmp/tmux-* directory) towards
> screen_var_run_t for socket files.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
Merged, thanks
> ---
> screen.te | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/screen.te b/screen.te
> index f095081..75d538c 100644
> --- a/screen.te
> +++ b/screen.te
> @@ -38,12 +38,13 @@ allow screen_domain self:process signal_perms;
> allow screen_domain self:fd use;
> allow screen_domain self:fifo_file rw_fifo_file_perms;
> allow screen_domain self:tcp_socket { accept listen };
> -allow screen_domain self:unix_stream_socket connectto;
> +allow screen_domain self:unix_stream_socket { accept connectto listen };
>
> manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
> manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
> manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
> files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir })
> +filetrans_pattern(screen_domain, screen_tmp_t, screen_var_run_t, sock_file)
>
> manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
> manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t)