From: pebenito@ieee.org (Chris PeBenito) Date: Sat, 25 Feb 2017 10:16:37 -0500 Subject: [refpolicy] [PATCH] network daemon patches In-Reply-To: <20170224062701.weengc4fpos3glnm@athena.coker.com.au> References: <20170224062701.weengc4fpos3glnm@athena.coker.com.au> Message-ID: <1c6fc70c-a743-6eb4-9d85-ae8dea6bd548@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 02/24/17 01:27, Russell Coker via refpolicy wrote: > Here are patches for apache, bind, inetd, iodine, jabber, nagios, > NetworkManager, ntp, openvpn, rpc, squid, corenetwork, ssh, iptables, and > sysnetwork. Merged, though I made some minor revisions. > Index: refpolicy-2.20170224/policy/modules/contrib/apache.fc > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/contrib/apache.fc > +++ refpolicy-2.20170224/policy/modules/contrib/apache.fc > @@ -17,6 +17,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.* > /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) > /etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) > /etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) > +/etc/postfixadmin(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) > /etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) > > /etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) > @@ -56,6 +57,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.* > /usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0) > > /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) > +/usr/sbin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0) > /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) > /usr/sbin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0) > /usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0) 
> @@ -111,6 +113,7 @@ ifdef(`distro_suse',` > /var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) > /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) > /var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) > +/var/lib/php5(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) > /var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) > /var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) > /var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) > @@ -125,6 +128,7 @@ ifdef(`distro_suse',` > /var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) > /var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) > /var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) > +/var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) > /var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) > > /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) > Index: refpolicy-2.20170224/policy/modules/contrib/apache.if > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/contrib/apache.if > +++ refpolicy-2.20170224/policy/modules/contrib/apache.if 
> @@ -1343,3 +1343,23 @@ interface(`apache_admin',` > apache_run_all_scripts($1, $2) > apache_run_helper($1, $2) > ') > + > +######################################## > +## > +## Unlink httpd_var_lib_t files > +## > +## > +## > +## Domain that can unlink the files > +## > +## > +# > +interface(`apache_unlink_var_lib',` > + gen_require(` > + type httpd_var_lib_t; > + ') > + > + files_search_var_lib($1) > + allow $1 httpd_var_lib_t:dir { write remove_name }; > + allow $1 httpd_var_lib_t:file unlink; > +') > Index: refpolicy-2.20170224/policy/modules/contrib/apache.te > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/contrib/apache.te > +++ refpolicy-2.20170224/policy/modules/contrib/apache.te > @@ -282,6 +282,7 @@ type httpd_helper_t; > type httpd_helper_exec_t; > application_domain(httpd_helper_t, httpd_helper_exec_t) > role httpd_helper_roles types httpd_helper_t; > +init_rw_inherited_script_tmp_files(httpd_t) > > type httpd_initrc_exec_t; > init_script_file(httpd_initrc_exec_t) > @@ -402,14 +403,12 @@ read_lnk_files_pattern(httpd_t, httpd_co > > allow httpd_t httpd_keytab_t:file read_file_perms; > > +allow httpd_t httpd_lock_t:dir manage_dir_perms; > allow httpd_t httpd_lock_t:file manage_file_perms; > -files_lock_filetrans(httpd_t, httpd_lock_t, file) > +files_lock_filetrans(httpd_t, httpd_lock_t, { file dir }) > > -allow httpd_t httpd_log_t:dir setattr_dir_perms; > -create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) > -create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) > -append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) > -read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) > +manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) > +manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t) > read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) > logging_log_filetrans(httpd_t, httpd_log_t, file) 
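Review bot: `apache_unlink_var_lib` grants `{ write remove_name }` on `httpd_var_lib_t` directories but not `search`, so a caller that has to traverse an `httpd_var_lib_t` directory to reach the file it wants to unlink will still be denied at path lookup; `files_search_var_lib($1)` only covers the `var_lib_t` parent. The established refpolicy form is `delete_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)`, which supplies `del_entry_dir_perms` on the directory and `unlink` on the file in one line. The interface description should also say why only unlink (and not the usual manage) is offered, e.g. `## Delete httpd_var_lib_t files without granting read or write access to them`.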
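Review bot: `init_rw_inherited_script_tmp_files(httpd_t)` is inserted into the type-declaration section of apache.te, between the `httpd_helper_t` role line and the `httpd_initrc_exec_t` declaration, rather than in the httpd_t local policy block where the rest of httpd_t's rules live. Placing a rule for `httpd_t` next to `httpd_helper_t` declarations reads as if it applied to the helper and will be missed by the next person auditing httpd_t's permissions. Move it below the other `init_*` calls for `httpd_t` and add a short reason, e.g. `# systemd passes an inherited script tmp file on the fd table`, since the patch gives none.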
> > @@ -427,6 +426,8 @@ manage_lnk_files_pattern(httpd_t, httpd_ > allow httpd_t httpd_suexec_exec_t:file read_file_perms; > > allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; > +allow httpd_t httpd_sys_script_t:process signull; > + > > manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) > manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) > @@ -444,6 +445,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_ > > manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) > manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) > +manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) > files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) > > setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) > @@ -464,6 +466,8 @@ domtrans_pattern(httpd_t, httpd_rotatelo > domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) > > kernel_read_kernel_sysctls(httpd_t) > +kernel_read_vm_sysctls(httpd_t) > +kernel_read_vm_overcommit_sysctl(httpd_t) > kernel_read_network_state(httpd_t) > kernel_read_system_state(httpd_t) > kernel_search_network_sysctl(httpd_t) > @@ -590,6 +594,7 @@ tunable_policy(`httpd_builtin_scripting' > tunable_policy(`httpd_enable_cgi',` > allow httpd_t httpd_script_domains:process { signal sigkill sigstop }; > allow httpd_t httpd_script_exec_type:dir list_dir_perms; > + allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms; > ') > > tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` > @@ -737,9 +742,8 @@ tunable_policy(`httpd_use_fusefs && http > > tunable_policy(`httpd_use_nfs',` > fs_list_auto_mountpoints(httpd_t) > - fs_manage_nfs_dirs(httpd_t) > - fs_manage_nfs_files(httpd_t) > - fs_manage_nfs_symlinks(httpd_t) > + rpc_manage_nfs_rw_content(httpd_t) > + rpc_read_nfs_content(httpd_t) > ') > > tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` 
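Review bot: Replacing the append-only log rules for `httpd_t` with `manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)` lets the web server domain unlink, truncate and rewrite its own logs, which the original `create`/`append`/`read` split deliberately prevented so that a compromised httpd cannot cover its tracks. If the need is only for a specific operation (a rotated log being renamed, or a piped logger), grant that single permission rather than `manage`, and note the trigger in a comment. Note also that `manage_dirs_pattern` was added but `logging_log_filetrans(httpd_t, httpd_log_t, file)` was left as `file` only, so a directory httpd creates under /var/log will not get `httpd_log_t`; if directory creation is really wanted that should be `{ file dir }`. This hunk's enclosing httpd_t block continues outside the hunk.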
> @@ -1063,9 +1067,8 @@ tunable_policy(`httpd_use_fusefs && http > > tunable_policy(`httpd_use_nfs',` > fs_list_auto_mountpoints(httpd_suexec_t) > - fs_manage_nfs_dirs(httpd_suexec_t) > - fs_manage_nfs_files(httpd_suexec_t) > - fs_manage_nfs_symlinks(httpd_suexec_t) > + rpc_manage_nfs_rw_content(httpd_t) > + rpc_read_nfs_content(httpd_t) > ') > > tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` > @@ -1213,8 +1216,11 @@ optional_policy(` > # > > allow httpd_sys_script_t self:tcp_socket { accept listen }; > +allow httpd_sys_script_t self:unix_dgram_socket { create connect connected_socket_perms }; > + > > allow httpd_sys_script_t httpd_t:tcp_socket { read write }; > +allow httpd_sys_script_t httpd_t:unix_stream_socket { read write ioctl }; > > dontaudit httpd_sys_script_t httpd_config_t:dir search; > > @@ -1225,6 +1231,7 @@ allow httpd_sys_script_t squirrelmail_sp > allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms; > > kernel_read_kernel_sysctls(httpd_sys_script_t) > +dev_read_sysfs(httpd_sys_script_t) > > fs_search_auto_mountpoints(httpd_sys_script_t) > > @@ -1236,6 +1243,12 @@ apache_domtrans_rotatelogs(httpd_sys_scr > > auth_use_nsswitch(httpd_sys_script_t) > > +logging_send_syslog_msg(httpd_sys_script_t) > + > +ifdef(`init_systemd', ` > + init_search_pid_dirs(httpd_sys_script_t) > +') > + > tunable_policy(`httpd_can_sendmail',` > corenet_sendrecv_smtp_client_packets(httpd_sys_script_t) > corenet_tcp_connect_smtp_port(httpd_sys_script_t) 
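Review bot: The `httpd_use_nfs` block for `httpd_suexec_t` now calls `rpc_manage_nfs_rw_content(httpd_t)` and `rpc_read_nfs_content(httpd_t)`, i.e. the removed `httpd_suexec_t` rules were replaced with rules for the wrong domain, so suexec loses all NFS access when the tunable is on and `httpd_t` gets a duplicate of what the earlier hunk already grants it. The two added lines should read `rpc_manage_nfs_rw_content(httpd_suexec_t)` and `rpc_read_nfs_content(httpd_suexec_t)`. The same copy/paste error appears in the `httpd_sys_script_t` hunk further down.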
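Review bot: `allow httpd_sys_script_t self:unix_dgram_socket { create connect connected_socket_perms };` spells out, in an unusual way, exactly the set that refpolicy already names `create_socket_perms`; writing `allow httpd_sys_script_t self:unix_dgram_socket create_socket_perms;` is the conventional form and easier to audit. The added `allow httpd_sys_script_t httpd_t:unix_stream_socket { read write ioctl };` and `dev_read_sysfs(httpd_sys_script_t)` have no comment saying what triggered them; a one-line note on each (for example `# inherited from httpd_t for piped script I/O`) would help the next reviewer decide whether they are still needed.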
> @@ -1290,9 +1303,8 @@ tunable_policy(`httpd_use_fusefs && http > > tunable_policy(`httpd_use_nfs',` > fs_list_auto_mountpoints(httpd_sys_script_t) > - fs_manage_nfs_dirs(httpd_sys_script_t) > - fs_manage_nfs_files(httpd_sys_script_t) > - fs_manage_nfs_symlinks(httpd_sys_script_t) > + rpc_manage_nfs_rw_content(httpd_t) > + rpc_read_nfs_content(httpd_t) > ') > > tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` > Index: refpolicy-2.20170224/policy/modules/contrib/bind.fc > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/contrib/bind.fc > +++ refpolicy-2.20170224/policy/modules/contrib/bind.fc > @@ -27,6 +27,7 @@ > /var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0) > > /var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) > +/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0) > > /var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) > > @@ -52,6 +53,7 @@ > /var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) > > /run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0) > +/run/lwresd/lwresd\.pid -s gen_context(system_u:object_r:named_var_run_t,s0) > /run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) > /run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) > /run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) > Index: refpolicy-2.20170224/policy/modules/contrib/bind.te > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/contrib/bind.te > +++ refpolicy-2.20170224/policy/modules/contrib/bind.te 
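Review bot: As in the suexec hunk, the `httpd_use_nfs` block for `httpd_sys_script_t` replaces the removed `httpd_sys_script_t` rules with `rpc_manage_nfs_rw_content(httpd_t)` and `rpc_read_nfs_content(httpd_t)`, so CGI scripts silently lose NFS access under this tunable while `httpd_t` gets the grant a third time. The two lines should be `rpc_manage_nfs_rw_content(httpd_sys_script_t)` and `rpc_read_nfs_content(httpd_sys_script_t)`. Since the merge message says only minor revisions were made, it is worth confirming this was caught before the tree was tagged.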
> @@ -112,6 +112,9 @@ allow named_t named_zone_t:dir list_dir_ > read_files_pattern(named_t, named_zone_t, named_zone_t) > read_lnk_files_pattern(named_t, named_zone_t, named_zone_t) > > +files_read_usr_files(named_t) > +kernel_read_net_sysctls(named_t) > +kernel_read_vm_sysctls(named_t) > kernel_read_kernel_sysctls(named_t) > kernel_read_vm_overcommit_sysctl(named_t) > kernel_read_system_state(named_t) > @@ -219,6 +222,7 @@ optional_policy(` > # > > allow ndc_t self:capability { dac_override net_admin }; > +allow ndc_t self:capability2 block_suspend; > allow ndc_t self:process signal_perms; > allow ndc_t self:fifo_file rw_fifo_file_perms; > allow ndc_t self:unix_stream_socket { accept listen }; > Index: refpolicy-2.20170224/policy/modules/contrib/inetd.te > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/contrib/inetd.te > +++ refpolicy-2.20170224/policy/modules/contrib/inetd.te > @@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t) > kernel_tcp_recvfrom_unlabeled(inetd_t) > > corecmd_bin_domtrans(inetd_t, inetd_child_t) > +corecmd_bin_entry_type(inetd_child_t) > > corenet_all_recvfrom_unlabeled(inetd_t) > corenet_all_recvfrom_netlabel(inetd_t) > Index: refpolicy-2.20170224/policy/modules/contrib/iodine.fc > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/contrib/iodine.fc > +++ refpolicy-2.20170224/policy/modules/contrib/iodine.fc 
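Review bot: `allow ndc_t self:capability2 block_suspend;` grants a real privilege (holding a wakeup source) to the rndc control client, which has no functional need for it; this denial normally comes from an `EPOLLWAKEUP` request that the kernel silently downgrades when the capability is absent. Unless there is evidence rndc misbehaves without it, this should be `dontaudit ndc_t self:capability2 block_suspend;` with a comment such as `# epoll EPOLLWAKEUP probe, harmless if denied`. The three `kernel_read_*`/`files_read_usr_files` additions for `named_t` look reasonable, but a note on which of them is for unbound (now partly sharing named_t types via bind.fc) would help keep the two daemons' needs separable.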
> @@ -1,3 +1,4 @@ > /etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0) > > /usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0) > +/var/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0) > Index: refpolicy-2.20170224/policy/modules/contrib/iodine.te > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/contrib/iodine.te > +++ refpolicy-2.20170224/policy/modules/contrib/iodine.te > @@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_ex > type iodined_initrc_exec_t; > init_script_file(iodined_initrc_exec_t) > > +type iodined_var_run_t; > +files_pid_file(iodined_var_run_t) > + > ######################################## > # > # Local policy > @@ -21,6 +24,10 @@ allow iodined_t self:capability { net_ad > allow iodined_t self:rawip_socket create_socket_perms; > allow iodined_t self:tun_socket create_socket_perms; > allow iodined_t self:udp_socket connected_socket_perms; > +allow iodined_t self:netlink_route_socket rw_netlink_socket_perms; > + > +manage_dirs_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t) > +manage_files_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t) > > kernel_read_net_sysctls(iodined_t) > kernel_read_network_state(iodined_t) > Index: refpolicy-2.20170224/policy/modules/contrib/jabber.fc > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/contrib/jabber.fc > +++ refpolicy-2.20170224/policy/modules/contrib/jabber.fc 
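Review bot: iodine.te adds `manage_dirs_pattern`/`manage_files_pattern` for `iodined_var_run_t` but no `files_pid_filetrans(iodined_t, iodined_var_run_t, { dir file })`, so a `/run/iodine` directory or pid file created by the daemon itself at startup will get the generic /run label instead of `iodined_var_run_t`, and the new fc entry only helps when restorecon or tmpfiles has already labelled the path. Add `files_pid_filetrans(iodined_t, iodined_var_run_t, { dir file })` next to the manage rules. The fc entry also uses `/var/run/iodine` while the rest of this patch series (bind.fc, jabber.fc, squid.fc) writes `/run/...`; use `/run/iodine(/.*)?` for consistency.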
> @@ -8,18 +8,22 @@ > /usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) > /usr/sbin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0) > /usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) > +/usr/bin/prosody -- gen_context(system_u:object_r:jabberd_exec_t,s0) > > /var/lock/ejabberdctl(/.*) gen_context(system_u:object_r:jabberd_lock_t,s0) > > /var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) > /var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) > +/var/log/prosody(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) > > /var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) > /var/lib/ejabberd/spool(/.*)? gen_context(system_u:object_r:jabberd_spool_t,s0) > /var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) > /var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) > +/var/lib/prosody(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) > /var/lib/jabberd/log(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) > /var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0) > > +/run/prosody(/.*)? -- gen_context(system_u:object_r:jabberd_var_run_t,s0) > /run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0) > /run/jabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0) > Index: refpolicy-2.20170224/policy/modules/contrib/jabber.te > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/contrib/jabber.te > +++ refpolicy-2.20170224/policy/modules/contrib/jabber.te 
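Review bot: `/run/prosody(/.*)? -- gen_context(system_u:object_r:jabberd_var_run_t,s0)` combines a directory-recursive pattern with the `--` regular-file restriction, so the `/run/prosody` directory itself is never labelled `jabberd_var_run_t` by restorecon and only files inside it are. Drop the `--` (`/run/prosody(/.*)? gen_context(...)`) so the directory and its contents get the type, matching the `/run/bind(/.*)?` style used in bind.fc in this same series. The new prosody entries are also inserted out of path order (`/usr/bin/prosody` after `/usr/sbin/jabberd`, `/var/lib/prosody` between the jabberd entries); refpolicy keeps fc files sorted, so they should be moved to their sorted positions.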
> @@ -73,21 +73,25 @@ allow jabberd_t self:capability dac_over > dontaudit jabberd_t self:capability sys_tty_config; > allow jabberd_t self:tcp_socket create_socket_perms; > allow jabberd_t self:udp_socket create_socket_perms; > +allow jabberd_t self:netlink_route_socket r_netlink_socket_perms; > > manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t) > > allow jabberd_t jabberd_log_t:dir setattr_dir_perms; > -append_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) > -create_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) > -setattr_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) > +manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) > logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir }) > > manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t) > > manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t) > files_pid_filetrans(jabberd_t, jabberd_var_run_t, file) > +miscfiles_read_all_certs(jabberd_t) > +domain_dontaudit_search_all_domains_state(jabberd_t) > > kernel_read_kernel_sysctls(jabberd_t) > +corecmd_exec_bin(jabberd_t) > +# usr for lua modules > +files_read_usr_files(jabberd_t) > > corenet_sendrecv_jabber_client_server_packets(jabberd_t) > corenet_tcp_bind_jabber_client_port(jabberd_t) > @@ -96,6 +100,7 @@ corenet_tcp_sendrecv_jabber_client_port( > corenet_sendrecv_jabber_interserver_server_packets(jabberd_t) > corenet_tcp_bind_jabber_interserver_port(jabberd_t) > corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t) > +corenet_tcp_connect_jabber_interserver_port(jabberd_t) > > dev_read_rand(jabberd_t) > > Index: refpolicy-2.20170224/policy/modules/contrib/nagios.te > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/contrib/nagios.te > +++ refpolicy-2.20170224/policy/modules/contrib/nagios.te 
> @@ -216,12 +216,15 @@ optional_policy(` > # Nrpe local policy > # > > -allow nrpe_t self:capability { setgid setuid }; > +allow nrpe_t self:capability { dac_override setgid setuid }; > dontaudit nrpe_t self:capability { sys_resource sys_tty_config }; > allow nrpe_t self:process { setpgid signal_perms setsched setrlimit }; > allow nrpe_t self:fifo_file rw_fifo_file_perms; > allow nrpe_t self:tcp_socket { accept listen }; > > +allow nrpe_t nagios_etc_t:dir list_dir_perms; > +allow nrpe_t nagios_etc_t:file read_file_perms; > + > allow nrpe_t nagios_plugin_domain:process { signal sigkill }; > > read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t) > Index: refpolicy-2.20170224/policy/modules/contrib/networkmanager.fc > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/contrib/networkmanager.fc > +++ refpolicy-2.20170224/policy/modules/contrib/networkmanager.fc > @@ -3,7 +3,7 @@ > /etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0) > /etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0) > /etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0) > -/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) > +/etc/NetworkManager/dispatcher\.d(/.*)? -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) > > /etc/dhcp/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) > /etc/dhcp/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) > Index: refpolicy-2.20170224/policy/modules/contrib/networkmanager.te > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/contrib/networkmanager.te > +++ refpolicy-2.20170224/policy/modules/contrib/networkmanager.te 
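Review bot: Adding `dac_override` to `nrpe_t`'s capability set lets the NRPE agent, which executes network-triggered check commands, bypass every DAC permission check on the system; this is a significant widening for a daemon whose compromise is a classic pivot. The denial that motivated it is not recorded; if it was a read of a root-owned file, `dac_read_search` (or fixing the file's group ownership) is the narrower fix, and in any case the reason belongs in a comment on the line. Separately, `allow nrpe_t nagios_etc_t:file read_file_perms;` is broader than the existing `read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)` two lines below: it exposes every `nagios_etc_t` file (the server-side configuration, which may hold credentials) rather than just the `nrpe_etc_t` files, so confirm that is intended.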
> @@ -236,6 +236,10 @@ optional_policy(` > optional_policy(` > xserver_dbus_chat_xdm(NetworkManager_t) > ') > + > + optional_policy(` > + unconfined_dbus_send(NetworkManager_t) > + ') > ') > > optional_policy(` > Index: refpolicy-2.20170224/policy/modules/contrib/ntp.if > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/contrib/ntp.if > +++ refpolicy-2.20170224/policy/modules/contrib/ntp.if > @@ -18,6 +18,23 @@ interface(`ntp_stub',` > > ######################################## > ## > +## Read ntp.conf > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`ntp_read_conf',` > + gen_require(` > + type ntp_conf_t; > + ') > + allow $1 ntp_conf_t:file read_file_perms; > +') > + > +######################################## > +## > ## Execute ntp server in the ntpd domain. > ## > ## > Index: refpolicy-2.20170224/policy/modules/contrib/ntp.te > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/contrib/ntp.te > +++ refpolicy-2.20170224/policy/modules/contrib/ntp.te > @@ -59,6 +59,8 @@ allow ntpd_t self:fifo_file rw_fifo_file > allow ntpd_t self:shm create_shm_perms; > allow ntpd_t self:socket create; > allow ntpd_t self:tcp_socket { accept listen }; > +allow ntpd_t self:socket create; > +allow ntpd_t self:unix_dgram_socket sendto; > > allow ntpd_t ntp_conf_t:file read_file_perms; 
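Review bot: The ntp.te hunk adds `allow ntpd_t self:socket create;` immediately after an identical line that already exists two lines above, so the new rule is a pure duplicate and should be dropped. In ntp.if, `ntp_read_conf` grants `read_file_perms` on `ntp_conf_t` but nothing that lets the caller reach the file under /etc; most refpolicy `*_read_conf`-style interfaces pair the allow with `files_search_etc($1)`, and this one should too unless every intended caller is known to already have it. The interface is also missing the blank line after the `gen_require` block that the surrounding file uses.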
> > @@ -72,9 +74,8 @@ read_lnk_files_pattern(ntpd_t, ntpd_key_ > allow ntpd_t ntpd_lock_t:file write_file_perms; > > allow ntpd_t ntpd_log_t:dir setattr_dir_perms; > -append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) > -create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) > -setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) > +manage_dirs_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) > +manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) > logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir }) > > manage_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t) > Index: refpolicy-2.20170224/policy/modules/contrib/openvpn.fc > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/contrib/openvpn.fc > +++ refpolicy-2.20170224/policy/modules/contrib/openvpn.fc > @@ -5,6 +5,7 @@ > > /usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0) > > +/etc/openvpn/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0) > /var/log/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0) > /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0) > > Index: refpolicy-2.20170224/policy/modules/contrib/rpc.te > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/contrib/rpc.te > +++ refpolicy-2.20170224/policy/modules/contrib/rpc.te > @@ -162,6 +162,9 @@ kernel_rw_fs_sysctls(rpcd_t) > kernel_dontaudit_getattr_core_if(rpcd_t) > kernel_signal(rpcd_t) > > +# for /proc/fs/lockd/nlm_end_grace > +kernel_write_proc_files(rpcd_t) > + > corecmd_exec_bin(rpcd_t) > > files_manage_mounttab(rpcd_t) > Index: refpolicy-2.20170224/policy/modules/contrib/squid.fc > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/contrib/squid.fc > +++ refpolicy-2.20170224/policy/modules/contrib/squid.fc 
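Review bot: `kernel_write_proc_files(rpcd_t)` grants write access to every generic `proc_t` file to satisfy a single node, `/proc/fs/lockd/nlm_end_grace`, which the comment above it correctly identifies; that is far wider than the stated need. If kernel.if already exposes a narrower interface for that node, or if the node can be given its own type and interface, prefer that; otherwise the comment should at least record that the grant is knowingly broad, e.g. `# TODO: narrow once /proc/fs/lockd has its own type`. The ntp.te log hunk in this same line has the same append-to-manage widening as the apache hunk earlier; `manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)` lets ntpd delete its own logs where the removed `append`/`create`/`setattr` rules did not.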
> @@ -4,17 +4,17 @@ > > /usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) > > -/usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0) > +/usr/sbin/squid.* -- gen_context(system_u:object_r:squid_exec_t,s0) > > /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) > > /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) > > -/var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0) > +/var/log/squid.* gen_context(system_u:object_r:squid_log_t,s0) > /var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0) > > -/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) > +/run/squid3.* gen_context(system_u:object_r:squid_var_run_t,s0) > > -/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) > +/var/spool/squid.* gen_context(system_u:object_r:squid_cache_t,s0) > > /var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) > Index: refpolicy-2.20170224/policy/modules/contrib/squid.if > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/contrib/squid.if > +++ refpolicy-2.20170224/policy/modules/contrib/squid.if > @@ -236,3 +236,22 @@ interface(`squid_admin',` > files_list_tmp($1) > admin_pattern($1, squid_tmp_t) > ') > + > +######################################## > +## > +## dontaudit statting tmpfs files > +## > +## > +## > +## Domain to not be audited > +## > +## > +## > +# > +interface(`squid_dontaudit_tmpfs',` > + gen_require(` > + type squid_tmpfs_t; > + ') > + > + dontaudit $1 squid_tmpfs_t:file getattr; > +') > Index: refpolicy-2.20170224/policy/modules/contrib/squid.te > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/contrib/squid.te > +++ refpolicy-2.20170224/policy/modules/contrib/squid.te 
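Review bot: The squid.fc hunk removes `/run/squid\.pid -- ...squid_var_run_t` and replaces it with `/run/squid3.* ...squid_var_run_t`, so the pid file of every non-Debian squid install (`/run/squid.pid`) loses its label; the old entry should be kept alongside the new one, or the two merged as `/run/squid3?\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)`. The other widenings are also looser than needed: `/usr/sbin/squid.*` will label any binary beginning with "squid" as `squid_exec_t` (`/usr/sbin/squid3?` would cover Debian), and `/var/log/squid.*` now also matches `/var/log/squidGuard`, making the explicit squidGuard line on the next row redundant.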
> @@ -21,6 +21,14 @@ gen_tunable(squid_connect_any, false) > ## > gen_tunable(squid_use_tproxy, false) > > +## > +##

> +## Determine whether squid can use the > +## pinger daemon (needs raw net access) > +##

> +##
> +gen_tunable(squid_use_pinger, true) > + > type squid_t; > type squid_exec_t; > init_daemon_domain(squid_t, squid_exec_t) > @@ -188,6 +196,11 @@ tunable_policy(`squid_connect_any',` > corenet_tcp_sendrecv_all_ports(squid_t) > ') > > +tunable_policy(`squid_use_pinger',` > + allow squid_t self:rawip_socket connected_socket_perms; > + allow squid_t self:capability net_raw; > +') > + > tunable_policy(`squid_use_tproxy',` > allow squid_t self:capability net_admin; > corenet_sendrecv_netport_server_packets(squid_t) > Index: refpolicy-2.20170224/policy/modules/kernel/corenetwork.te.in > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/kernel/corenetwork.te.in > +++ refpolicy-2.20170224/policy/modules/kernel/corenetwork.te.in > @@ -213,7 +213,7 @@ network_port(pop, tcp,106,s0, tcp,109,s0 > network_port(portmap, udp,111,s0, tcp,111,s0) > network_port(postfix_policyd, tcp,10031,s0) > network_port(postgresql, tcp,5432,s0) > -network_port(postgrey, tcp,60000,s0) > +network_port(postgrey, tcp,10023,s0, tcp,60000,s0) > network_port(pptp, tcp,1723,s0, udp,1723,s0) > network_port(prelude, tcp,4690,s0, udp,4690,s0) > network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) > @@ -232,7 +232,7 @@ network_port(repository, tcp, 6363, s0) > network_port(ricci, tcp,11111,s0, udp,11111,s0) > network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) > network_port(rlogind, tcp,513,s0) > -network_port(rndc, tcp,953,s0, udp,953,s0) > +network_port(rndc, tcp,953,s0, udp,953,s0, tcp,8953,s0, udp,8953,s0) > network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0) > network_port(rsh, tcp,514,s0) > network_port(rsync, tcp,873,s0, udp,873,s0) > Index: refpolicy-2.20170224/policy/modules/services/ssh.te > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/services/ssh.te > +++ refpolicy-2.20170224/policy/modules/services/ssh.te 
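Review bot: `gen_tunable(squid_use_pinger, true)` turns on by default a tunable that grants `squid_t` `net_raw` plus `rawip_socket connected_socket_perms`, i.e. the ability to craft arbitrary raw IP packets from a network-facing proxy; the other squid tunables in this file (`squid_connect_any`, `squid_use_tproxy`) and refpolicy convention default privilege-adding booleans to `false`. Change it to `gen_tunable(squid_use_pinger, false)` and let sites that run the pinger helper enable it. As rendered here the `<desc><p>` markup that refpolicy's tunable documentation requires is not visible around the description text; confirm the committed file carries the standard XML block, since the policy build tooling parses it.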
> @@ -250,6 +250,8 @@ optional_policy(` > allow sshd_t self:netlink_route_socket r_netlink_socket_perms; > allow sshd_t self:key { search link write }; > > +allow sshd_t self:capability net_admin; > + > allow sshd_t sshd_keytab_t:file read_file_perms; > > manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) > Index: refpolicy-2.20170224/policy/modules/system/iptables.te > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/system/iptables.te > +++ refpolicy-2.20170224/policy/modules/system/iptables.te > @@ -106,6 +106,10 @@ ifdef(`hide_broken_symptoms',` > ') > > optional_policy(` > + permit_in_unconfined_r(iptables_t) > +') > + > +optional_policy(` > fail2ban_append_log(iptables_t) > ') > > @@ -153,4 +157,6 @@ optional_policy(` > > optional_policy(` > udev_read_db(iptables_t) > + # this is for iptables_t to inherit a file hande from xen vif-bridge > + udev_manage_pid_files(iptables_t) > ') > Index: refpolicy-2.20170224/policy/modules/system/sysnetwork.fc > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/system/sysnetwork.fc > +++ refpolicy-2.20170224/policy/modules/system/sysnetwork.fc > @@ -58,6 +58,7 @@ ifdef(`distro_redhat',` > /var/lib/dhcp3? -d gen_context(system_u:object_r:dhcp_state_t,s0) > /var/lib/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcpc_state_t,s0) > /var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) > +/var/lib/dhcpv6(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) > /var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) > /var/lib/wifiroamd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) 
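Review bot: `allow sshd_t self:capability net_admin;` is an unconditional grant of one of the broadest Linux capabilities (interface and routing configuration, netfilter, privileged socket options) to the most exposed daemon on most hosts, with no comment on what syscall needed it. Many sshd `net_admin` denials come from a privileged `setsockopt` that the daemon tolerates failing, in which case `dontaudit sshd_t self:capability net_admin;` is the right answer; if a real feature needs it, put the allow under a tunable and document the trigger on the line. The enclosing `sshd_t` policy block starts before this hunk.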
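Review bot: `udev_manage_pid_files(iptables_t)` grants create, unlink and rename on udev's pid files, but the comment directly above it says the need is only to use a file handle inherited from the xen vif-bridge script; read/write on the inherited fd is all that requires, and a `manage` grant lets iptables_t remove udev's runtime state if it is ever misused. Use the narrowest udev.if interface that covers an inherited file (a read/write-only one if the module provides it) and keep `manage` out, and fix the comment typo `hande` to `handle`. `permit_in_unconfined_r(iptables_t)` is wrapped in `optional_policy` but carries no comment on which caller needs iptables_t in `unconfined_r`; a one-liner there would help.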
> > @@ -70,5 +71,6 @@ ifdef(`distro_gentoo',` > > ifdef(`distro_debian',` > /run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) > +/var/run/resolvconf/.* -- gen_context(system_u:object_r:net_conf_t,s0) > ') > > Index: refpolicy-2.20170224/policy/modules/system/sysnetwork.if > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/system/sysnetwork.if > +++ refpolicy-2.20170224/policy/modules/system/sysnetwork.if > @@ -442,6 +442,31 @@ interface(`sysnet_etc_filetrans_config', > > ####################################### > ## > +## Create directories in /var/run with the type used for > +## the network config files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The name of the object being created. > +## > +## > +# > +interface(`sysnet_var_run_dirtrans_config',` > + gen_require(` > + type net_conf_t; > + ') > + > + files_pid_filetrans($1, net_conf_t, dir, $2) > + allow $1 net_conf_t:dir create_dir_perms; > +') > + > +####################################### > +## > ## Create, read, write, and delete network config files. > ## > ## > Index: refpolicy-2.20170224/policy/modules/system/sysnetwork.te > =================================================================== > --- refpolicy-2.20170224.orig/policy/modules/system/sysnetwork.te > +++ refpolicy-2.20170224/policy/modules/system/sysnetwork.te > @@ -242,6 +242,10 @@ optional_policy(` > ') > > optional_policy(` > + samba_manage_config(dhcpc_t) > +') > + > +optional_policy(` > seutil_sigchld_newrole(dhcpc_t) > seutil_dontaudit_search_config(dhcpc_t) > ') > Description: Make systemd work > Author: Russell Coker > Last-Update: 2017-02-05 > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito
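Review bot: `samba_manage_config(dhcpc_t)` lets the DHCP client, whose behaviour is driven by whatever server answers on the wire, create, delete and rewrite Samba's configuration; a rogue DHCP server then gets a path to influencing `smb.conf`. If the need is a dhclient hook writing WINS settings, grant only read/write on the config (a `samba_rw_config`-style interface, if samba.if offers one) and note the hook in a comment, or better confine the hook in its own domain so `dhcpc_t` itself never touches Samba files. In the fc hunk, `/var/run/resolvconf/.*` sits next to `/run/network(/.*)?` in the same Debian block; write it as `/run/resolvconf/.*` for consistency with the rest of this series.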