From: russell@coker.com.au (Russell Coker) Date: Fri, 24 Feb 2017 17:27:02 +1100 Subject: [refpolicy] [PATCH] network daemon patches Message-ID: <20170224062701.weengc4fpos3glnm@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Here are patches for apache, bind, inetd, iodine, jabber, nagios, NetworkManager, ntp, openvpn, rpc, squid, corenetwork, ssh, iptables, and sysnetwork.
Index: refpolicy-2.20170224/policy/modules/contrib/apache.fc
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/apache.fc
+++ refpolicy-2.20170224/policy/modules/contrib/apache.fc
@@ -17,6 +17,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
 /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
 /etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/postfixadmin(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
 /etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
@@ -56,6 +57,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
 /usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
 
 /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -111,6 +113,7 @@ ifdef(`distro_suse',`
 /var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php5(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -125,6 +128,7 @@ ifdef(`distro_suse',`
 /var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
 /var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
 /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
Index: refpolicy-2.20170224/policy/modules/contrib/apache.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/apache.if
+++ refpolicy-2.20170224/policy/modules/contrib/apache.if
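Review bot: `/var/lib/wordpress(/.*)?` is given httpd_var_lib_t while the neighbouring per-application directories in this hunk and the one above it (`/var/lib/dokuwiki`, `/var/lib/drupal`, `/var/lib/svn`, `/var/lib/z-push`) use httpd_sys_rw_content_t. If /var/lib/wordpress holds uploaded web content rather than daemon state, the content type is the consistent choice and keeps the httpd_sys_script_t access rules applicable to it; httpd_var_lib_t is only reachable by httpd_t itself. Please confirm what the directory holds on the target distribution and add a one-line comment if httpd_var_lib_t is deliberate.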
@@ -1343,3 +1343,23 @@ interface(`apache_admin',`
  apache_run_all_scripts($1, $2)
  apache_run_helper($1, $2)
 ')
+
+########################################
+##
+## Unlink httpd_var_lib_t files
+##
+##
+##
+## Domain that can unlink the files
+##
+##
+#
+interface(`apache_unlink_var_lib',`
+ gen_require(`
+ type httpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 httpd_var_lib_t:dir { write remove_name };
+ allow $1 httpd_var_lib_t:file unlink;
+')
Index: refpolicy-2.20170224/policy/modules/contrib/apache.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/apache.te
+++ refpolicy-2.20170224/policy/modules/contrib/apache.te
@@ -282,6 +282,7 @@ type httpd_helper_t;
 type httpd_helper_exec_t;
 application_domain(httpd_helper_t, httpd_helper_exec_t)
 role httpd_helper_roles types httpd_helper_t;
+init_rw_inherited_script_tmp_files(httpd_t)
 
 type httpd_initrc_exec_t;
 init_script_file(httpd_initrc_exec_t)
@@ -402,14 +403,12 @@ read_lnk_files_pattern(httpd_t, httpd_co
 allow httpd_t httpd_keytab_t:file read_file_perms;
 
+allow httpd_t httpd_lock_t:dir manage_dir_perms;
 allow httpd_t httpd_lock_t:file manage_file_perms;
-files_lock_filetrans(httpd_t, httpd_lock_t, file)
+files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
 
-allow httpd_t httpd_log_t:dir setattr_dir_perms;
-create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
-create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 logging_log_filetrans(httpd_t, httpd_log_t, file)
 
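Review bot: `apache_unlink_var_lib` grants `{ write remove_name }` on httpd_var_lib_t directories but not `search`, so unlinking a file inside such a directory is still denied at the path lookup of the final component; `files_search_var_lib($1)` only covers var_lib_t itself. The refpolicy idiom for this is `delete_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)`, which uses del_entry_dir_perms and replaces both allow lines, and the conventional name would be `apache_delete_var_lib_files`. None of the four interfaces this series adds has a caller in the series, so a line in the cover text saying which later patch uses them would help. apache_admin's body starts outside the hunk.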
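Review bot: `init_rw_inherited_script_tmp_files(httpd_t)` is placed in the type-declaration section of apache.te, between `role httpd_helper_roles …` and `type httpd_initrc_exec_t;`, rather than with the httpd_t access rules in the local-policy section. Moving it down next to the other init_* calls for httpd_t (presumably present further on in the file) keeps the declaration block free of access rules, which is the layout the rest of the file follows. A short comment on which init script hands httpd an open tmp file would also help the next reader judge whether the grant is still needed.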
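Review bot: Replacing the create/append/read patterns on httpd_log_t with `manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)` adds unlink, rename and plain write (not just append) on the web server's own logs, which weakens the append-only posture the original rules gave: a compromised httpd_t could then truncate or delete its access logs. If only directory creation or setattr was missing, keep the narrower patterns and add just the missing one, or add a comment naming the operation httpd actually performs. The same widening appears in jabber.te (`manage_files_pattern` on jabberd_log_t) and ntp.te (`manage_dirs_pattern`/`manage_files_pattern` on ntpd_log_t).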
@@ -427,6 +426,8 @@ manage_lnk_files_pattern(httpd_t, httpd_
 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
 
 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+allow httpd_t httpd_sys_script_t:process signull;
+
 
 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -444,6 +445,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_
 
 manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
 
 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
@@ -464,6 +466,8 @@ domtrans_pattern(httpd_t, httpd_rotatelo
 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
 
 kernel_read_kernel_sysctls(httpd_t)
+kernel_read_vm_sysctls(httpd_t)
+kernel_read_vm_overcommit_sysctl(httpd_t)
 kernel_read_network_state(httpd_t)
 kernel_read_system_state(httpd_t)
 kernel_search_network_sysctl(httpd_t)
@@ -590,6 +594,7 @@ tunable_policy(`httpd_builtin_scripting'
 tunable_policy(`httpd_enable_cgi',`
  allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
  allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+ allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
 ')
 
 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -737,9 +742,8 @@ tunable_policy(`httpd_use_fusefs && http
 
 tunable_policy(`httpd_use_nfs',`
  fs_list_auto_mountpoints(httpd_t)
- fs_manage_nfs_dirs(httpd_t)
- fs_manage_nfs_files(httpd_t)
- fs_manage_nfs_symlinks(httpd_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
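Review bot: The `httpd_use_nfs` block now calls `rpc_manage_nfs_rw_content(httpd_t)` and `rpc_read_nfs_content(httpd_t)` in place of `fs_manage_nfs_dirs/files/symlinks`; as far as I recall those rpc interfaces cover the nfsd_ro_t/nfsd_rw_t exported-content types, not the nfs_t type of NFS-mounted filesystems that this tunable is documented for, so httpd serving from an NFS mount would lose access - please check against rpc.if. They are also provided by a contrib module, and calling them from a tunable_policy block that is not wrapped in `optional_policy(`` makes apache hard-depend on the rpc module being built. If both kinds of access are wanted, keep the fs_* calls here and add the rpc_* calls in a separate optional block.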
@@ -1063,9 +1067,8 @@ tunable_policy(`httpd_use_fusefs && http
 
 tunable_policy(`httpd_use_nfs',`
  fs_list_auto_mountpoints(httpd_suexec_t)
- fs_manage_nfs_dirs(httpd_suexec_t)
- fs_manage_nfs_files(httpd_suexec_t)
- fs_manage_nfs_symlinks(httpd_suexec_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1213,8 +1216,11 @@ optional_policy(`
 #
 
 allow httpd_sys_script_t self:tcp_socket { accept listen };
+allow httpd_sys_script_t self:unix_dgram_socket { create connect connected_socket_perms };
+
 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
+allow httpd_sys_script_t httpd_t:unix_stream_socket { read write ioctl };
 
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -1225,6 +1231,7 @@ allow httpd_sys_script_t squirrelmail_sp
 allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
 
 kernel_read_kernel_sysctls(httpd_sys_script_t)
+dev_read_sysfs(httpd_sys_script_t)
 
 fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -1236,6 +1243,12 @@ apache_domtrans_rotatelogs(httpd_sys_scr
 
 auth_use_nsswitch(httpd_sys_script_t)
 
+logging_send_syslog_msg(httpd_sys_script_t)
+
+ifdef(`init_systemd', `
+ init_search_pid_dirs(httpd_sys_script_t)
+')
+
 tunable_policy(`httpd_can_sendmail',`
  corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
  corenet_tcp_connect_smtp_port(httpd_sys_script_t)
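Review bot: In the `httpd_use_nfs` block at -1063 the removed lines applied to httpd_suexec_t, but the replacements are `rpc_manage_nfs_rw_content(httpd_t)` and `rpc_read_nfs_content(httpd_t)`, so httpd_suexec_t silently loses its NFS access and httpd_t merely gets a duplicate of the rules already added at -737. The same copy-paste slip is in the -1290 hunk, where the httpd_sys_script_t rules were replaced with rules for httpd_t. The argument should be `httpd_suexec_t` here and `httpd_sys_script_t` there.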
@@ -1290,9 +1303,8 @@ tunable_policy(`httpd_use_fusefs && http
 
 tunable_policy(`httpd_use_nfs',`
  fs_list_auto_mountpoints(httpd_sys_script_t)
- fs_manage_nfs_dirs(httpd_sys_script_t)
- fs_manage_nfs_files(httpd_sys_script_t)
- fs_manage_nfs_symlinks(httpd_sys_script_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
Index: refpolicy-2.20170224/policy/modules/contrib/bind.fc
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/bind.fc
+++ refpolicy-2.20170224/policy/modules/contrib/bind.fc
@@ -27,6 +27,7 @@
 /var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
 
 /var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
 
 /var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
 
@@ -52,6 +53,7 @@
 /var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
 
 /run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
+/run/lwresd/lwresd\.pid -s gen_context(system_u:object_r:named_var_run_t,s0)
 /run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
 /run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
 /run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
Index: refpolicy-2.20170224/policy/modules/contrib/bind.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/bind.te
+++ refpolicy-2.20170224/policy/modules/contrib/bind.te
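Review bot: `/run/lwresd/lwresd\.pid -s` uses the socket qualifier, which matches only socket files, so a regular .pid file will never receive named_var_run_t; the `-s` looks copied from the `/run/ndc` control-socket entry just above it. Unless lwresd.pid really is a socket, the line should read `/run/lwresd/lwresd\.pid -- gen_context(system_u:object_r:named_var_run_t,s0)`. The `/run/lwresd` directory itself also has no entry, so it will keep the generic var_run_t label unless something creates it with a filetrans; `/run/lwresd(/.*)?` in the style of the `/run/bind` line below would cover both.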
@@ -112,6 +112,9 @@ allow named_t named_zone_t:dir list_dir_
 read_files_pattern(named_t, named_zone_t, named_zone_t)
 read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
 
+files_read_usr_files(named_t)
+kernel_read_net_sysctls(named_t)
+kernel_read_vm_sysctls(named_t)
 kernel_read_kernel_sysctls(named_t)
 kernel_read_vm_overcommit_sysctl(named_t)
 kernel_read_system_state(named_t)
@@ -219,6 +222,7 @@ optional_policy(`
 #
 
 allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability2 block_suspend;
 allow ndc_t self:process signal_perms;
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };
Index: refpolicy-2.20170224/policy/modules/contrib/inetd.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/inetd.te
+++ refpolicy-2.20170224/policy/modules/contrib/inetd.te
@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t)
 kernel_tcp_recvfrom_unlabeled(inetd_t)
 
 corecmd_bin_domtrans(inetd_t, inetd_child_t)
+corecmd_bin_entry_type(inetd_child_t)
 
 corenet_all_recvfrom_unlabeled(inetd_t)
 corenet_all_recvfrom_netlabel(inetd_t)
Index: refpolicy-2.20170224/policy/modules/contrib/iodine.fc
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/iodine.fc
+++ refpolicy-2.20170224/policy/modules/contrib/iodine.fc
@@ -1,3 +1,4 @@
 /etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0)
 
 /usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
+/var/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0)
Index: refpolicy-2.20170224/policy/modules/contrib/iodine.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/iodine.te
+++ refpolicy-2.20170224/policy/modules/contrib/iodine.te
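Review bot: `files_read_usr_files(named_t)` is inserted ahead of the kernel_* calls at -112, whereas refpolicy groups interface calls by module layer (kernel, corecmd, corenet, dev, domain, files, ...), so it belongs after the kernel block with the other files_* calls for named_t. The new `kernel_read_net_sysctls`/`kernel_read_vm_sysctls` lines also sit before `kernel_read_kernel_sysctls`, breaking the alphabetical order the existing block keeps. Keeping the grouping and order intact makes later merges of audit2allow output much easier to review.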
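Review bot: `allow ndc_t self:capability2 block_suspend;` grants a capability ndc almost certainly does not need: the kernel typically consults CAP_BLOCK_SUSPEND when a program passes EPOLLWAKEUP to epoll, and it silently strips the flag when the check fails, so the program works unchanged without the grant. The usual refpolicy treatment for this denial is `dontaudit ndc_t self:capability2 block_suspend;`, which quiets the log without widening the domain. If ndc genuinely needs to hold a wakelock, a comment saying so would justify the allow.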
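Review bot: `/var/run/iodine(/.*)?` uses the legacy /var/run prefix while every other runtime entry in this series (bind.fc, jabber.fc) uses `/run/`; refpolicy's file_contexts.subs_dist substitutes /var/run with /run before matching (please check the shipped subs file), in which case an entry spelled /var/run is never consulted and this line labels nothing. The same applies to `/var/run/resolvconf/.*` in sysnetwork.fc. Write it as `/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0)`.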
@@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_ex
 type iodined_initrc_exec_t;
 init_script_file(iodined_initrc_exec_t)
 
+type iodined_var_run_t;
+files_pid_file(iodined_var_run_t)
+
 ########################################
 #
 # Local policy
@@ -21,6 +24,10 @@ allow iodined_t self:capability { net_ad
 allow iodined_t self:rawip_socket create_socket_perms;
 allow iodined_t self:tun_socket create_socket_perms;
 allow iodined_t self:udp_socket connected_socket_perms;
+allow iodined_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
+manage_files_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
 
 kernel_read_net_sysctls(iodined_t)
 kernel_read_network_state(iodined_t)
Index: refpolicy-2.20170224/policy/modules/contrib/jabber.fc
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/jabber.fc
+++ refpolicy-2.20170224/policy/modules/contrib/jabber.fc
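Review bot: iodined_t gets manage_dirs/files on iodined_var_run_t but no `files_pid_filetrans(iodined_t, iodined_var_run_t, { dir file })`, so anything iodined creates under /run inherits var_run_t from the parent directory and the new rules never apply until a restorecon; the fc entry alone only fixes labels after the fact. Add the filetrans next to the manage rules. If the runtime directory is created by the init system or tmpfiles rather than by iodined itself, say so in a comment, since then a dir transition is not needed.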
@@ -8,18 +8,22 @@
 /usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
 /usr/sbin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0)
 /usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/prosody -- gen_context(system_u:object_r:jabberd_exec_t,s0)
 
 /var/lock/ejabberdctl(/.*) gen_context(system_u:object_r:jabberd_lock_t,s0)
 
 /var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
 /var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+/var/log/prosody(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
 
 /var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 /var/lib/ejabberd/spool(/.*)? gen_context(system_u:object_r:jabberd_spool_t,s0)
 /var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 /var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+/var/lib/prosody(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 /var/lib/jabberd/log(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
 /var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0)
 
+/run/prosody(/.*)? -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
 /run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
 /run/jabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
Index: refpolicy-2.20170224/policy/modules/contrib/jabber.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/jabber.te
+++ refpolicy-2.20170224/policy/modules/contrib/jabber.te
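Review bot: `/run/prosody(/.*)? --` carries the regular-file qualifier, so only files beneath /run/prosody are labelled and the directory itself stays var_run_t, which jabberd_t can only use if it may create files in generic pid directories. The `/var/lib/jabberd/pid(/.*)?` entry above has no qualifier; dropping the `--` here (`/run/prosody(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0)`) gives the directory and its contents one type. `/usr/bin/prosody` is also placed in the middle of the /usr/sbin entries, while the rest of the file is kept in path order.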
@@ -73,21 +73,25 @@ allow jabberd_t self:capability dac_over
 dontaudit jabberd_t self:capability sys_tty_config;
 allow jabberd_t self:tcp_socket create_socket_perms;
 allow jabberd_t self:udp_socket create_socket_perms;
+allow jabberd_t self:netlink_route_socket r_netlink_socket_perms;
 
 manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t)
 
 allow jabberd_t jabberd_log_t:dir setattr_dir_perms;
-append_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-create_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-setattr_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
+manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
 logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
 
 manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
 
 manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
 files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
+miscfiles_read_all_certs(jabberd_t)
+domain_dontaudit_search_all_domains_state(jabberd_t)
 
 kernel_read_kernel_sysctls(jabberd_t)
+corecmd_exec_bin(jabberd_t)
+# usr for lua modules
+files_read_usr_files(jabberd_t)
 
 corenet_sendrecv_jabber_client_server_packets(jabberd_t)
 corenet_tcp_bind_jabber_client_port(jabberd_t)
@@ -96,6 +100,7 @@ corenet_tcp_sendrecv_jabber_client_port(
 corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
 corenet_tcp_bind_jabber_interserver_port(jabberd_t)
 corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_interserver_port(jabberd_t)
 
 dev_read_rand(jabberd_t)
 
Index: refpolicy-2.20170224/policy/modules/contrib/nagios.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/nagios.te
+++ refpolicy-2.20170224/policy/modules/contrib/nagios.te
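Review bot: The new jabberd_t calls are dropped into whichever block was nearest - `miscfiles_read_all_certs` and `domain_dontaudit_search_all_domains_state` directly after the pid filetrans, `corecmd_exec_bin` and `files_read_usr_files` inside the kernel_* block - while the rest of this local policy is grouped by module in layer order (kernel, corecmd, corenet, dev, domain, files, ..., miscfiles). Moving each call into its own group keeps the file diffable against other jabberd changes. The `# usr for lua modules` comment is the right idea; `miscfiles_read_all_certs` deserves a similar one-liner (presumably prosody's TLS setup) so the cert access can be reviewed later.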
@@ -216,12 +216,15 @@ optional_policy(`
 # Nrpe local policy
 #
 
-allow nrpe_t self:capability { setgid setuid };
+allow nrpe_t self:capability { dac_override setgid setuid };
 dontaudit nrpe_t self:capability { sys_resource sys_tty_config };
 allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
 allow nrpe_t self:fifo_file rw_fifo_file_perms;
 allow nrpe_t self:tcp_socket { accept listen };
 
+allow nrpe_t nagios_etc_t:dir list_dir_perms;
+allow nrpe_t nagios_etc_t:file read_file_perms;
+
 allow nrpe_t nagios_plugin_domain:process { signal sigkill };
 
 read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)
Index: refpolicy-2.20170224/policy/modules/contrib/networkmanager.fc
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/networkmanager.fc
+++ refpolicy-2.20170224/policy/modules/contrib/networkmanager.fc
@@ -3,7 +3,7 @@
 /etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)
 /etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
 /etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
-/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/etc/NetworkManager/dispatcher\.d(/.*)? -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 
 /etc/dhcp/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
 /etc/dhcp/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
Index: refpolicy-2.20170224/policy/modules/contrib/networkmanager.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/networkmanager.te
+++ refpolicy-2.20170224/policy/modules/contrib/networkmanager.te
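Review bot: Adding `dac_override` to nrpe_t's capability set lets the daemon bypass file permission checks on every object its policy otherwise allows, a broad grant for a plugin runner that the commit does not explain. If the trigger is a config or plugin file that the nrpe user cannot read, fixing that file's ownership or granting `dac_read_search` (read-only bypass) is the narrower fix; at minimum a comment should name the file that needs it. The new `nagios_etc_t` rules also overlap with `read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)` two lines below, except that they widen reading from nrpe_etc_t files to every nagios_etc_t file and add directory listing - please confirm that widening is intended.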
@@ -236,6 +236,10 @@ optional_policy(`
  optional_policy(`
  xserver_dbus_chat_xdm(NetworkManager_t)
  ')
+
+ optional_policy(`
+ unconfined_dbus_send(NetworkManager_t)
+ ')
 ')
 
 optional_policy(`
Index: refpolicy-2.20170224/policy/modules/contrib/ntp.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/ntp.if
+++ refpolicy-2.20170224/policy/modules/contrib/ntp.if
@@ -18,6 +18,23 @@ interface(`ntp_stub',`
 
 ########################################
 ##
+## Read ntp.conf
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ntp_read_conf',`
+ gen_require(`
+ type ntp_conf_t;
+ ')
+ allow $1 ntp_conf_t:file read_file_perms;
+')
+
+########################################
+##
 ## Execute ntp server in the ntpd domain.
 ##
 ##
Index: refpolicy-2.20170224/policy/modules/contrib/ntp.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/ntp.te
+++ refpolicy-2.20170224/policy/modules/contrib/ntp.te
@@ -59,6 +59,8 @@ allow ntpd_t self:fifo_file rw_fifo_file
 allow ntpd_t self:shm create_shm_perms;
 allow ntpd_t self:socket create;
 allow ntpd_t self:tcp_socket { accept listen };
+allow ntpd_t self:socket create;
+allow ntpd_t self:unix_dgram_socket sendto;
 
 allow ntpd_t ntp_conf_t:file read_file_perms;
 
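Review bot: `ntp_read_conf` allows `ntp_conf_t:file read_file_perms` but does not grant `files_search_etc($1)`, so a caller that cannot already search /etc still fails at the path lookup; the read-config interfaces elsewhere in refpolicy include that call for exactly this reason. Add `files_search_etc($1)` before the allow line. The file's style also puts a blank line between the `gen_require` block and the rules, which this interface omits.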
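Review bot: The added `allow ntpd_t self:socket create;` duplicates the identical rule two lines above it in the same hunk and should be dropped; only `allow ntpd_t self:unix_dgram_socket sendto;` is new here. A short comment on what ntpd sends to itself over a datagram socket (presumably logging or a refclock path) would help the next reader decide whether the rule is still needed.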
@@ -72,9 +74,8 @@ read_lnk_files_pattern(ntpd_t, ntpd_key_
 allow ntpd_t ntpd_lock_t:file write_file_perms;
 
 allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
-append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
-create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
-setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
+manage_dirs_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
+manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
 logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
 
 manage_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
Index: refpolicy-2.20170224/policy/modules/contrib/openvpn.fc
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/openvpn.fc
+++ refpolicy-2.20170224/policy/modules/contrib/openvpn.fc
@@ -5,6 +5,7 @@
 
 /usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
 
+/etc/openvpn/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0)
 /var/log/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0)
 /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
 
Index: refpolicy-2.20170224/policy/modules/contrib/rpc.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/rpc.te
+++ refpolicy-2.20170224/policy/modules/contrib/rpc.te
@@ -162,6 +162,9 @@ kernel_rw_fs_sysctls(rpcd_t)
 kernel_dontaudit_getattr_core_if(rpcd_t)
 kernel_signal(rpcd_t)
 
+# for /proc/fs/lockd/nlm_end_grace
+kernel_write_proc_files(rpcd_t)
+
 corecmd_exec_bin(rpcd_t)
 
 files_manage_mounttab(rpcd_t)
Index: refpolicy-2.20170224/policy/modules/contrib/squid.fc
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/squid.fc
+++ refpolicy-2.20170224/policy/modules/contrib/squid.fc
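Review bot: `kernel_write_proc_files(rpcd_t)` grants write on every file of type proc_t, not only the /proc/fs/lockd/nlm_end_grace that the comment names, so the comment documents the intent but not the scope of the grant. With no finer type for the lockd files this may be the only option today, but the comment should say that, e.g. `# for /proc/fs/lockd/nlm_end_grace; proc_t has no finer type, so this is wider than needed`, so the rule is revisited if a dedicated type appears. rpcd_t's policy section continues outside the hunk.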
@@ -4,17 +4,17 @@
 
 /usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
 
-/usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
+/usr/sbin/squid.* -- gen_context(system_u:object_r:squid_exec_t,s0)
 
 /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
 
 /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
 
-/var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
+/var/log/squid.* gen_context(system_u:object_r:squid_log_t,s0)
 /var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
 
-/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
+/run/squid3.* gen_context(system_u:object_r:squid_var_run_t,s0)
 
-/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+/var/spool/squid.* gen_context(system_u:object_r:squid_cache_t,s0)
 /var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
 
Index: refpolicy-2.20170224/policy/modules/contrib/squid.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/squid.if
+++ refpolicy-2.20170224/policy/modules/contrib/squid.if
@@ -236,3 +236,22 @@ interface(`squid_admin',`
  files_list_tmp($1)
  admin_pattern($1, squid_tmp_t)
 ')
+
+########################################
+##
+## dontaudit statting tmpfs files
+##
+##
+##
+## Domain to not be audited
+##
+##
+##
+#
+interface(`squid_dontaudit_tmpfs',`
+ gen_require(`
+ type squid_tmpfs_t;
+ ')
+
+ dontaudit $1 squid_tmpfs_t:file getattr;
+')
Index: refpolicy-2.20170224/policy/modules/contrib/squid.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/squid.te
+++ refpolicy-2.20170224/policy/modules/contrib/squid.te
@@ -21,6 +21,14 @@ gen_tunable(squid_connect_any, false)
 ##
 gen_tunable(squid_use_tproxy, false)
 
+##
+##
+## Determine whether squid can use the
+## pinger daemon (needs raw net access)
+##
+##
+gen_tunable(squid_use_pinger, true)
+
 type squid_t;
 type squid_exec_t;
 init_daemon_domain(squid_t, squid_exec_t)
@@ -188,6 +196,11 @@ tunable_policy(`squid_connect_any',`
  corenet_tcp_sendrecv_all_ports(squid_t)
 ')
 
+tunable_policy(`squid_use_pinger',`
+ allow squid_t self:rawip_socket connected_socket_perms;
+ allow squid_t self:capability net_raw;
+')
+
 tunable_policy(`squid_use_tproxy',`
  allow squid_t self:capability net_admin;
  corenet_sendrecv_netport_server_packets(squid_t)
Index: refpolicy-2.20170224/policy/modules/kernel/corenetwork.te.in
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/kernel/corenetwork.te.in
+++ refpolicy-2.20170224/policy/modules/kernel/corenetwork.te.in
@@ -213,7 +213,7 @@ network_port(pop, tcp,106,s0, tcp,109,s0
 network_port(portmap, udp,111,s0, tcp,111,s0)
 network_port(postfix_policyd, tcp,10031,s0)
 network_port(postgresql, tcp,5432,s0)
-network_port(postgrey, tcp,60000,s0)
+network_port(postgrey, tcp,10023,s0, tcp,60000,s0)
 network_port(pptp, tcp,1723,s0, udp,1723,s0)
 network_port(prelude, tcp,4690,s0, udp,4690,s0)
 network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
@@ -232,7 +232,7 @@ network_port(repository, tcp, 6363, s0)
 network_port(ricci, tcp,11111,s0, udp,11111,s0)
 network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
 network_port(rlogind, tcp,513,s0)
-network_port(rndc, tcp,953,s0, udp,953,s0)
+network_port(rndc, tcp,953,s0, udp,953,s0, tcp,8953,s0, udp,8953,s0)
 network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
 network_port(rsh, tcp,514,s0)
 network_port(rsync, tcp,873,s0, udp,873,s0)
Index: refpolicy-2.20170224/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20170224/policy/modules/services/ssh.te
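Review bot: `/run/squid\.pid --` is removed and replaced by `/run/squid3.*`, which does not match `/run/squid.pid`, so an upstream-named squid whose pid file is /run/squid.pid loses the squid_var_run_t label; the two entries should coexist rather than one replacing the other. The replacement also drops the `--` qualifier and will label a directory as well, which may be intended for a /run/squid3 directory but should be stated. Similarly `/usr/sbin/squid.*` will match `/usr/sbin/squidGuard` if that binary is installed there, labelling it squid_exec_t although this file treats squidGuard's data separately; `/usr/sbin/squid3? -- gen_context(system_u:object_r:squid_exec_t,s0)` avoids that.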
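Review bot: The new interface is named `squid_dontaudit_tmpfs` while its body dontaudits only `squid_tmpfs_t:file getattr`; refpolicy names dontaudit interfaces after the operation and object class, so `squid_dontaudit_getattr_tmpfs_files` tells a caller what is silenced. The doc block also carries an extra empty `##` line after the parameter that the surrounding interfaces do not have. squid_admin's body starts outside the hunk.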
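Review bot: `gen_tunable(squid_use_pinger, true)` switches the raw-socket and `net_raw` grant on by default, whereas the neighbouring `squid_use_tproxy` tunable, which also hands out a capability, defaults to false; raw socket access lets the domain craft arbitrary IP packets, so the safer default is off with the admin enabling it where ICMP pinging is used. Suggested change: `gen_tunable(squid_use_pinger, false)`. The description text could also name the pinger helper binary so admins know which feature the tunable controls.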
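Review bot: `network_port(rndc, ..., tcp,8953,s0, udp,8953,s0)` folds a second port into rndc_port_t without saying why; 8953 is the unbound-control port, and since this series labels unbound's state with named_* types the reuse is reasonable, but readers of corenetwork.te.in will not make that connection. A trailing comment such as `# 8953 is unbound-control` on that line would do. The same goes for postgrey's 10023 in the previous hunk, presumably the Debian default port.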
@@ -250,6 +250,8 @@ optional_policy(`
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
 
+allow sshd_t self:capability net_admin;
+
 allow sshd_t sshd_keytab_t:file read_file_perms;
 
 manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
Index: refpolicy-2.20170224/policy/modules/system/iptables.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/system/iptables.te
+++ refpolicy-2.20170224/policy/modules/system/iptables.te
@@ -106,6 +106,10 @@ ifdef(`hide_broken_symptoms',`
 ')
 
 optional_policy(`
+ permit_in_unconfined_r(iptables_t)
+')
+
+optional_policy(`
  fail2ban_append_log(iptables_t)
 ')
 
@@ -153,4 +157,6 @@ optional_policy(`
 
 optional_policy(`
  udev_read_db(iptables_t)
+ # this is for iptables_t to inherit a file hande from xen vif-bridge
+ udev_manage_pid_files(iptables_t)
 ')
Index: refpolicy-2.20170224/policy/modules/system/sysnetwork.fc
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/system/sysnetwork.fc
+++ refpolicy-2.20170224/policy/modules/system/sysnetwork.fc
@@ -58,6 +58,7 @@ ifdef(`distro_redhat',`
 /var/lib/dhcp3? -d gen_context(system_u:object_r:dhcp_state_t,s0)
 /var/lib/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcpc_state_t,s0)
 /var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
+/var/lib/dhcpv6(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
 /var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
 /var/lib/wifiroamd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
 
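Review bot: `allow sshd_t self:capability net_admin;` is an unexplained grant of a capability that covers interface, routing and firewall configuration, far more than any single sshd feature needs. If it was added to quiet a denial that sshd tolerates (a privileged setsockopt it falls back from), a `dontaudit` is the right form; if a real feature needs it (tunnel devices, for example), a comment naming that feature should sit above the rule so the next reviewer can judge it. Please confirm which case this is.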
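Review bot: `permit_in_unconfined_r(iptables_t)` calls an interface that does not follow the `<module>_` naming of refpolicy interfaces and is not defined anywhere in this series, so this optional_policy block depends on a patch that is not named here; as far as I can tell m4 leaves an unknown macro unexpanded and the policy build then fails on the literal text, optional block or not. State where the interface comes from in the cover text, or hold this hunk back until that interface is merged.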
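Review bot: The comment above `udev_manage_pid_files(iptables_t)` has a typo (`file hande` should be `file handle`), and the interface is wider than the explanation: inheriting an open descriptor from the xen vif-bridge script needs only read/write on the inherited udev pid file, whereas manage also lets iptables_t create, rename and delete udev's pid files. If udev.if offers a read/write-only pid-file interface it is the better fit; if not, the comment should say that manage is used for lack of a narrower one.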
@@ -70,5 +71,6 @@ ifdef(`distro_gentoo',`
 
 ifdef(`distro_debian',`
 /run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/var/run/resolvconf/.* -- gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
Index: refpolicy-2.20170224/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20170224/policy/modules/system/sysnetwork.if
@@ -442,6 +442,31 @@ interface(`sysnet_etc_filetrans_config',
 
 #######################################
 ##
+## Create directories in /var/run with the type used for
+## the network config files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`sysnet_var_run_dirtrans_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_pid_filetrans($1, net_conf_t, dir, $2)
+ allow $1 net_conf_t:dir create_dir_perms;
+')
+
+#######################################
+##
 ## Create, read, write, and delete network config files.
 ##
 ##
Index: refpolicy-2.20170224/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20170224/policy/modules/system/sysnetwork.te
@@ -242,6 +242,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+ samba_manage_config(dhcpc_t)
+')
+
+optional_policy(`
  seutil_sigchld_newrole(dhcpc_t)
  seutil_dontaudit_search_config(dhcpc_t)
 ')
Description: Make systemd work Author: Russell Coker Last-Update: 2017-02-05
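Review bot: `samba_manage_config(dhcpc_t)` lets the DHCP client create, rewrite and delete Samba's configuration, which means values received from the network (DHCP-supplied WINS and domain options) are written into smb.conf by a domain that talks to untrusted servers; that is a notable trust path and deserves a comment naming the hook that does it (presumably a dhclient exit hook shipped with samba). If the hook only rewrites one include file, a narrower rule, or a tunable guarding this block, would bound what a hostile DHCP server can influence.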