commit:     e81afa8e462fd625e95e7458332b1cff1724654f
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 25 16:20:03 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:44:02 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e81afa8e

Network daemon patches from Russell Coker.

 policy/modules/contrib/apache.fc         |  4 +++
 policy/modules/contrib/apache.if         | 19 +++++++++++++
 policy/modules/contrib/apache.te         | 46 +++++++++++++++++++++-----------
 policy/modules/contrib/bind.fc           |  3 +++
 policy/modules/contrib/bind.te           |  6 ++++-
 policy/modules/contrib/inetd.te          |  3 ++-
 policy/modules/contrib/iodine.fc         |  2 ++
 policy/modules/contrib/iodine.te         |  9 ++++++-
 policy/modules/contrib/jabber.fc         |  4 +++
 policy/modules/contrib/jabber.te         | 12 ++++++++-
 policy/modules/contrib/nagios.te         |  7 +++--
 policy/modules/contrib/networkmanager.fc |  2 +-
 policy/modules/contrib/networkmanager.te |  6 ++++-
 policy/modules/contrib/ntp.if            | 18 +++++++++++++
 policy/modules/contrib/ntp.te            |  3 ++-
 policy/modules/contrib/openvpn.fc        |  1 +
 policy/modules/contrib/openvpn.te        |  2 +-
 policy/modules/contrib/rpc.te            |  4 ++-
 policy/modules/contrib/squid.fc          |  8 +++---
 policy/modules/contrib/squid.if          | 19 +++++++++++++
 policy/modules/contrib/squid.te          | 15 ++++++++++-
 21 files changed, 161 insertions(+), 32 deletions(-)

diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index faa08802..5fded37a 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -17,6 +17,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? 
gen_context(system_u:objec
 /etc/httpd/modules     gen_context(system_u:object_r:httpd_modules_t,s0)
 /etc/lighttpd(/.*)?    gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/mock/koji(/.*)?   gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/postfixadmin(/.*)?        gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/z-push(/.*)?      gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
 /etc/rc\.d/init\.d/cherokee    --      
gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
@@ -56,6 +57,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? 
gen_context(system_u:objec
 /usr/libexec/httpd-ssl-pass-dialog     --      
gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
 
 /usr/sbin/apache(2)?   --      gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache(2)?ctl        --      
gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/apache-ssl(2)?       --      
gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/cgi-wrapper  --      gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/cherokee     --      gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -110,6 +112,7 @@ ifdef(`distro_suse',`
 /var/lib/cherokee(/.*)?        
gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/dav(/.*)?     gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/php(/.*)?     gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php5(/.*)?    gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/dokuwiki(/.*)?        
gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/drupal.*      gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/glpi(/.*)?    gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -124,6 +127,7 @@ ifdef(`distro_suse',`
 /var/lib/stickshift/.httpd.d(/.*)?     
gen_context(system_u:object_r:httpd_config_t,s0)
 /var/lib/svn(/.*)?     gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/trac(/.*)?    gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/wordpress(/.*)?       
gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/z-push(/.*)?  gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
 /var/log/apache(2)?(/.*)?      gen_context(system_u:object_r:httpd_log_t,s0)

diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index 16539db5..91191ecc 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -1254,6 +1254,25 @@ interface(`apache_dontaudit_write_tmp_files',`
 
 ########################################
 ## <summary>
+##     Delete httpd_var_lib_t files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain that can delete the files
+##     </summary>
+## </param>
+#
+interface(`apache_delete_lib_files',`
+       gen_require(`
+               type httpd_var_lib_t;
+       ')
+
+       files_search_var_lib($1)
+       delete_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
+')
+
+########################################
+## <summary>
 ##     Execute CGI in the specified domain.
 ## </summary>
 ##     <desc>

diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 2f724b68..37af1e22 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.12.0)
+policy_module(apache, 2.12.1)
 
 ########################################
 #
@@ -402,14 +402,12 @@ read_lnk_files_pattern(httpd_t, httpd_config_t, 
httpd_config_t)
 
 allow httpd_t httpd_keytab_t:file read_file_perms;
 
+allow httpd_t httpd_lock_t:dir manage_dir_perms;
 allow httpd_t httpd_lock_t:file manage_file_perms;
-files_lock_filetrans(httpd_t, httpd_lock_t, file)
+files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
 
-allow httpd_t httpd_log_t:dir setattr_dir_perms;
-create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
-create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 logging_log_filetrans(httpd_t, httpd_log_t, file)
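Review bot: The httpd_t rules on httpd_log_t now grant full `manage_files_pattern` (write, unlink, rename, setattr), where the rules being replaced limited the daemon to create/append/read; that append-only shape is what keeps a compromised web server from truncating or rewriting its own access logs, so the widening deserves a stated reason. If log rotation or truncation by httpd itself is the motivation, record it above the new line, e.g. `# full manage (not append-only) on httpd_log_t: <reason, e.g. in-process log rotation>`; otherwise keeping `append_files_pattern`/`create_files_pattern` and adding only the missing operations would preserve the tighter contract.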
 
@@ -427,6 +425,8 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, 
httpd_squirrelmail_t)
 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
 
 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+allow httpd_t httpd_sys_script_t:process signull;
+
 
 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
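Review bot: The added blank line after `allow httpd_t httpd_sys_script_t:process signull;` lands directly above an existing blank line, leaving a double blank; the same happens after the new `unix_dgram_socket` rule for httpd_sys_script_t in the hunk at `@@ -1213,8 +1217,11 @@`. The rest of the file separates rule groups with a single blank line, so dropping the extra one in both places keeps the layout consistent.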
@@ -444,6 +444,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file 
lnk_file sock_file fifo_fi
 
 manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
 
 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
@@ -464,6 +465,8 @@ domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, 
httpd_rotatelogs_t)
 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
 
 kernel_read_kernel_sysctls(httpd_t)
+kernel_read_vm_sysctls(httpd_t)
+kernel_read_vm_overcommit_sysctl(httpd_t)
 kernel_read_network_state(httpd_t)
 kernel_read_system_state(httpd_t)
 kernel_search_network_sysctl(httpd_t)
@@ -513,6 +516,8 @@ files_read_var_lib_symlinks(httpd_t)
 
 auth_use_nsswitch(httpd_t)
 
+init_rw_inherited_script_tmp_files(httpd_t)
+
 libs_read_lib_files(httpd_t)
 
 logging_send_syslog_msg(httpd_t)
@@ -590,6 +595,7 @@ tunable_policy(`httpd_builtin_scripting',`
 tunable_policy(`httpd_enable_cgi',`
        allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
        allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+       allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
 ')
 
 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -737,9 +743,8 @@ tunable_policy(`httpd_use_fusefs && 
httpd_builtin_scripting',`
 
 tunable_policy(`httpd_use_nfs',`
        fs_list_auto_mountpoints(httpd_t)
-       fs_manage_nfs_dirs(httpd_t)
-       fs_manage_nfs_files(httpd_t)
-       fs_manage_nfs_symlinks(httpd_t)
+       rpc_manage_nfs_rw_content(httpd_t)
+       rpc_read_nfs_content(httpd_t)
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1063,9 +1068,8 @@ tunable_policy(`httpd_use_fusefs && 
httpd_builtin_scripting',`
 
 tunable_policy(`httpd_use_nfs',`
        fs_list_auto_mountpoints(httpd_suexec_t)
-       fs_manage_nfs_dirs(httpd_suexec_t)
-       fs_manage_nfs_files(httpd_suexec_t)
-       fs_manage_nfs_symlinks(httpd_suexec_t)
+       rpc_manage_nfs_rw_content(httpd_t)
+       rpc_read_nfs_content(httpd_t)
 ')
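Review bot: Inside the httpd_suexec_t `httpd_use_nfs` block the two replacement calls are passed `httpd_t`, not `httpd_suexec_t`, so this hunk only duplicates the httpd_t rules from the earlier `@@ -737,9 +743,8 @@` hunk while httpd_suexec_t itself loses the NFS access the removed `fs_manage_nfs_*` lines gave it (a functional regression under the tunable). The same copy-paste appears in the httpd_sys_script_t block at `@@ -1290,9 +1305,8 @@`, which also passes `httpd_t`. The lines should read `rpc_manage_nfs_rw_content(httpd_suexec_t)` and `rpc_read_nfs_content(httpd_suexec_t)` here, and `rpc_manage_nfs_rw_content(httpd_sys_script_t)` / `rpc_read_nfs_content(httpd_sys_script_t)` in the later hunk.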
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1213,8 +1217,11 @@ optional_policy(`
 #
 
 allow httpd_sys_script_t self:tcp_socket { accept listen };
+allow httpd_sys_script_t self:unix_dgram_socket { create connect 
connected_socket_perms };
+
 
 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
+allow httpd_sys_script_t httpd_t:unix_stream_socket { read write ioctl };
 
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
 
@@ -1226,6 +1233,8 @@ allow httpd_sys_script_t squirrelmail_spool_t:lnk_file 
read_lnk_file_perms;
 
 kernel_read_kernel_sysctls(httpd_sys_script_t)
 
+dev_read_sysfs(httpd_sys_script_t)
+
 fs_search_auto_mountpoints(httpd_sys_script_t)
 
 files_read_var_symlinks(httpd_sys_script_t)
@@ -1236,6 +1245,12 @@ apache_domtrans_rotatelogs(httpd_sys_script_t)
 
 auth_use_nsswitch(httpd_sys_script_t)
 
+logging_send_syslog_msg(httpd_sys_script_t)
+
+ifdef(`init_systemd', `
+       init_search_pid_dirs(httpd_sys_script_t)
+')
+
 tunable_policy(`httpd_can_sendmail',`
        corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
        corenet_tcp_connect_smtp_port(httpd_sys_script_t)
@@ -1290,9 +1305,8 @@ tunable_policy(`httpd_use_fusefs && 
httpd_builtin_scripting',`
 
 tunable_policy(`httpd_use_nfs',`
        fs_list_auto_mountpoints(httpd_sys_script_t)
-       fs_manage_nfs_dirs(httpd_sys_script_t)
-       fs_manage_nfs_files(httpd_sys_script_t)
-       fs_manage_nfs_symlinks(httpd_sys_script_t)
+       rpc_manage_nfs_rw_content(httpd_t)
+       rpc_read_nfs_content(httpd_t)
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`

diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
index c9619a4e..de596aed 100644
--- a/policy/modules/contrib/bind.fc
+++ b/policy/modules/contrib/bind.fc
@@ -28,6 +28,8 @@
 
 /var/cache/bind(/.*)?  gen_context(system_u:object_r:named_cache_t,s0)
 
+/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+
 /var/log/named.*       --      gen_context(system_u:object_r:named_log_t,s0)
 
 /var/named(/.*)?       gen_context(system_u:object_r:named_zone_t,s0)
@@ -53,5 +55,6 @@
 
 /run/ndc       -s      gen_context(system_u:object_r:named_var_run_t,s0)
 /run/bind(/.*)?        gen_context(system_u:object_r:named_var_run_t,s0)
+/run/lwresd/lwresd\.pid        -s      
gen_context(system_u:object_r:named_var_run_t,s0)
 /run/named(/.*)?       gen_context(system_u:object_r:named_var_run_t,s0)
 /run/unbound(/.*)?     gen_context(system_u:object_r:named_var_run_t,s0)
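Review bot: The new `/run/lwresd/lwresd\.pid` entry uses the `-s` file-type specifier, which restricts the match to socket files, while a `.pid` file is a regular file; the other pid entries in this commit (`/run/ejabber\.pid --`, `/run/jabber\.pid --`) use `--`. Unless lwresd really creates a socket under that name, the line should be `/run/lwresd/lwresd\.pid -- gen_context(system_u:object_r:named_var_run_t,s0)`; as written the pid file would keep the generic label of its parent directory.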

diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index bfec7c74..25329fdb 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.18.0)
+policy_module(bind, 1.18.1)
 
 ########################################
 #
@@ -112,6 +112,8 @@ allow named_t named_zone_t:dir list_dir_perms;
 read_files_pattern(named_t, named_zone_t, named_zone_t)
 read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
 
+kernel_read_net_sysctls(named_t)
+kernel_read_vm_sysctls(named_t)
 kernel_read_kernel_sysctls(named_t)
 kernel_read_vm_overcommit_sysctl(named_t)
 kernel_read_system_state(named_t)
@@ -152,6 +154,7 @@ dev_read_urand(named_t)
 domain_use_interactive_fds(named_t)
 
 files_read_etc_runtime_files(named_t)
+files_read_usr_files(named_t)
 
 fs_getattr_all_fs(named_t)
 fs_search_auto_mountpoints(named_t)
@@ -219,6 +222,7 @@ optional_policy(`
 #
 
 allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability2 block_suspend;
 allow ndc_t self:process signal_perms;
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };

diff --git a/policy/modules/contrib/inetd.te b/policy/modules/contrib/inetd.te
index 66c15680..70ecd1e5 100644
--- a/policy/modules/contrib/inetd.te
+++ b/policy/modules/contrib/inetd.te
@@ -1,4 +1,4 @@
-policy_module(inetd, 1.14.0)
+policy_module(inetd, 1.14.1)
 
 ########################################
 #
@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t)
 kernel_tcp_recvfrom_unlabeled(inetd_t)
 
 corecmd_bin_domtrans(inetd_t, inetd_child_t)
+corecmd_bin_entry_type(inetd_child_t)
 
 corenet_all_recvfrom_unlabeled(inetd_t)
 corenet_all_recvfrom_netlabel(inetd_t)

diff --git a/policy/modules/contrib/iodine.fc b/policy/modules/contrib/iodine.fc
index ca07a874..42a24aaf 100644
--- a/policy/modules/contrib/iodine.fc
+++ b/policy/modules/contrib/iodine.fc
@@ -1,3 +1,5 @@
 /etc/rc\.d/init\.d/((iodined)|(iodine-server)) --      
gen_context(system_u:object_r:iodined_initrc_exec_t,s0)
 
 /usr/sbin/iodined      --      gen_context(system_u:object_r:iodined_exec_t,s0)
+
+/var/run/iodine(/.*)?          
gen_context(system_u:object_r:iodined_var_run_t,s0)
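Review bot: The new iodine entry is written as `/var/run/iodine(/.*)?` whereas every other runtime-directory entry in this commit (bind.fc, jabber.fc, squid.fc) uses the `/run/` form; if the tree relies on a `/var/run` to `/run` path substitution, the entry should be `/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0)` for consistency and so the match does not depend on which of the two paths restorecon is given. The line also carries trailing whitespace after the pattern that should be trimmed.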

diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te
index c35fc069..11ef68f9 100644
--- a/policy/modules/contrib/iodine.te
+++ b/policy/modules/contrib/iodine.te
@@ -1,4 +1,4 @@
-policy_module(iodine, 1.2.0)
+policy_module(iodine, 1.2.1)
 
 ########################################
 #
@@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t)
 type iodined_initrc_exec_t;
 init_script_file(iodined_initrc_exec_t)
 
+type iodined_var_run_t;
+files_pid_file(iodined_var_run_t)
+
 ########################################
 #
 # Local policy
@@ -21,6 +24,10 @@ allow iodined_t self:capability { net_admin net_raw setgid 
setuid sys_chroot };
 allow iodined_t self:rawip_socket create_socket_perms;
 allow iodined_t self:tun_socket create_socket_perms;
 allow iodined_t self:udp_socket connected_socket_perms;
+allow iodined_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
+manage_files_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
 
 kernel_read_net_sysctls(iodined_t)
 kernel_read_network_state(iodined_t)
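Review bot: iodined_t receives manage rules on the new iodined_var_run_t type, but no `files_pid_filetrans(iodined_t, iodined_var_run_t, dir)` is visible in this hunk, so a directory the daemon creates under the pid directory at runtime would receive that directory's default type rather than iodined_var_run_t (the fc entry only helps when the path is relabelled). The jabber.te hunk in this same commit shows the expected pairing (`files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)`). If the transition is added elsewhere in iodine.te outside this hunk, disregard; otherwise add `files_pid_filetrans(iodined_t, iodined_var_run_t, dir)` after the two pattern rules.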

diff --git a/policy/modules/contrib/jabber.fc b/policy/modules/contrib/jabber.fc
index 96325be0..e31f56e8 100644
--- a/policy/modules/contrib/jabber.fc
+++ b/policy/modules/contrib/jabber.fc
@@ -2,6 +2,7 @@
 
 /usr/bin/router        --      
gen_context(system_u:object_r:jabberd_router_exec_t,s0)
 /usr/bin/c2s   --      gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/prosody       --      gen_context(system_u:object_r:jabberd_exec_t,s0)
 /usr/bin/s2s   --      gen_context(system_u:object_r:jabberd_exec_t,s0)
 /usr/bin/sm    --      gen_context(system_u:object_r:jabberd_exec_t,s0)
 
@@ -13,13 +14,16 @@
 
 /var/log/ejabberd(/.*)?        gen_context(system_u:object_r:jabberd_log_t,s0)
 /var/log/jabber(/.*)?  gen_context(system_u:object_r:jabberd_log_t,s0)
+/var/log/prosody(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
 
 /var/lib/ejabberd(/.*)?        
gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 /var/lib/ejabberd/spool(/.*)?  
gen_context(system_u:object_r:jabberd_spool_t,s0)
 /var/lib/jabber(/.*)?  gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 /var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+/var/lib/prosody(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 /var/lib/jabberd/log(/.*)?     gen_context(system_u:object_r:jabberd_log_t,s0)
 /var/lib/jabberd/pid(/.*)?     
gen_context(system_u:object_r:jabberd_var_run_t,s0)
 
 /run/ejabber\.pid      --      
gen_context(system_u:object_r:jabberd_var_run_t,s0)
 /run/jabber\.pid       --      
gen_context(system_u:object_r:jabberd_var_run_t,s0)
+/run/prosody(/.*)?     --      
gen_context(system_u:object_r:jabberd_var_run_t,s0)
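Review bot: `/run/prosody(/.*)?` combines a directory-tree pattern with the `--` specifier, so only regular files below /run/prosody get jabberd_var_run_t and the directory itself is left with the default pid-directory label, which defeats the purpose of the `(/.*)?` suffix. The comparable tree entries in this commit (`/run/bind(/.*)?`, `/run/unbound(/.*)?` in bind.fc) omit the specifier; the line should be `/run/prosody(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0)`.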

diff --git a/policy/modules/contrib/jabber.te b/policy/modules/contrib/jabber.te
index fdea29d5..36f603c3 100644
--- a/policy/modules/contrib/jabber.te
+++ b/policy/modules/contrib/jabber.te
@@ -1,4 +1,4 @@
-policy_module(jabber, 1.12.0)
+policy_module(jabber, 1.12.1)
 
 ########################################
 #
@@ -73,6 +73,7 @@ allow jabberd_t self:capability dac_override;
 dontaudit jabberd_t self:capability sys_tty_config;
 allow jabberd_t self:tcp_socket create_socket_perms;
 allow jabberd_t self:udp_socket create_socket_perms;
+allow jabberd_t self:netlink_route_socket r_netlink_socket_perms;
 
 manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t)
 
@@ -87,8 +88,12 @@ manage_files_pattern(jabberd_domain, jabberd_spool_t, 
jabberd_spool_t)
 manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
 files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
 
+domain_dontaudit_search_all_domains_state(jabberd_t)
+
 kernel_read_kernel_sysctls(jabberd_t)
 
+corecmd_exec_bin(jabberd_t)
+
 corenet_sendrecv_jabber_client_server_packets(jabberd_t)
 corenet_tcp_bind_jabber_client_port(jabberd_t)
 corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
@@ -96,6 +101,7 @@ corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
 corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
 corenet_tcp_bind_jabber_interserver_port(jabberd_t)
 corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_interserver_port(jabberd_t)
 
 dev_read_rand(jabberd_t)
 
@@ -103,9 +109,13 @@ domain_use_interactive_fds(jabberd_t)
 
 files_read_etc_files(jabberd_t)
 files_read_etc_runtime_files(jabberd_t)
+# usr for lua modules
+files_read_usr_files(jabberd_t)
 
 fs_search_auto_mountpoints(jabberd_t)
 
+miscfiles_read_all_certs(jabberd_t)
+
 sysnet_read_config(jabberd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(jabberd_t)

diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te
index 44c2abcd..de6a62cf 100644
--- a/policy/modules/contrib/nagios.te
+++ b/policy/modules/contrib/nagios.te
@@ -1,4 +1,4 @@
-policy_module(nagios, 1.15.0)
+policy_module(nagios, 1.15.1)
 
 ########################################
 #
@@ -216,12 +216,15 @@ optional_policy(`
 # Nrpe local policy
 #
 
-allow nrpe_t self:capability { setgid setuid };
+allow nrpe_t self:capability { dac_override setgid setuid };
 dontaudit nrpe_t self:capability { sys_resource sys_tty_config };
 allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
 allow nrpe_t self:fifo_file rw_fifo_file_perms;
 allow nrpe_t self:tcp_socket { accept listen };
 
+allow nrpe_t nagios_etc_t:dir list_dir_perms;
+allow nrpe_t nagios_etc_t:file read_file_perms;
+
 allow nrpe_t nagios_plugin_domain:process { signal sigkill };
 
 read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)
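Review bot: nrpe_t gains `dac_override`, which bypasses discretionary permission checks on every file the domain can reach under policy, not just the nagios configuration; when the need is only to read files owned by another user, `dac_read_search` is the narrower capability, and whichever one is kept should carry a comment naming the file or operation that required it. The two new explicit rules on nagios_etc_t also sit next to `read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)`, which already grants search on that directory; writing them as `list_dirs_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)` and `read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)` would match the surrounding style.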

diff --git a/policy/modules/contrib/networkmanager.fc 
b/policy/modules/contrib/networkmanager.fc
index fe5f8b4c..1e6d0f5b 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -3,7 +3,7 @@
 /etc/NetworkManager(/.*)?      
gen_context(system_u:object_r:NetworkManager_etc_t,s0)
 /etc/NetworkManager/NetworkManager\.conf       
gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
 /etc/NetworkManager/system-connections(/.*)?   
gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
-/etc/NetworkManager/dispatcher\.d(/.*)?        
gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/etc/NetworkManager/dispatcher\.d(/.*)?        --      
gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 
 /etc/dhcp/manager-settings\.conf       --      
gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
 /etc/dhcp/wireless-settings\.conf      --      
gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)

diff --git a/policy/modules/contrib/networkmanager.te 
b/policy/modules/contrib/networkmanager.te
index cde12ad5..1e3237e5 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.20.1)
+policy_module(networkmanager, 1.20.2)
 
 ########################################
 #
@@ -241,6 +241,10 @@ optional_policy(`
        optional_policy(`
                xserver_dbus_chat_xdm(NetworkManager_t)
        ')
+
+       optional_policy(`
+               unconfined_dbus_send(NetworkManager_t)
+       ')
 ')
 
 optional_policy(`

diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index fa0a1839..8bbb2aa3 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -18,6 +18,24 @@ interface(`ntp_stub',`
 
 ########################################
 ## <summary>
+##     Read ntp.conf
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ntp_read_config',`
+       gen_require(`
+               type ntp_conf_t;
+       ')
+
+       allow $1 ntp_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##     Execute ntp server in the ntpd domain.
 ## </summary>
 ## <param name="domain">
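Review bot: `ntp_read_config` grants `read_file_perms` on ntp_conf_t but does not grant search on the directory that holds the file; since the summary says the target is ntp.conf under /etc, a caller that lacks etc search would still be denied at the directory lookup. Most daemon domains already have that access, so this is a completeness rather than a breakage point, but the interface is self-contained if it also calls `files_search_etc($1)` before the allow rule.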

diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index b1969955..9af1ad5f 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.16.1)
+policy_module(ntp, 1.16.2)
 
 ########################################
 #
@@ -60,6 +60,7 @@ allow ntpd_t self:fifo_file rw_fifo_file_perms;
 allow ntpd_t self:shm create_shm_perms;
 allow ntpd_t self:socket create;
 allow ntpd_t self:tcp_socket { accept listen };
+allow ntpd_t self:unix_dgram_socket sendto;
 
 allow ntpd_t ntp_conf_t:file read_file_perms;
 

diff --git a/policy/modules/contrib/openvpn.fc 
b/policy/modules/contrib/openvpn.fc
index 7703264d..00d176d3 100644
--- a/policy/modules/contrib/openvpn.fc
+++ b/policy/modules/contrib/openvpn.fc
@@ -1,5 +1,6 @@
 /etc/openvpn(/.*)?     gen_context(system_u:object_r:openvpn_etc_t,s0)
 /etc/openvpn/ipp\.txt  --      
gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
+/etc/openvpn/openvpn-status\.log.* --  
gen_context(system_u:object_r:openvpn_status_t,s0)
 
 /etc/rc\.d/init\.d/openvpn     --      
gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
 

diff --git a/policy/modules/contrib/openvpn.te 
b/policy/modules/contrib/openvpn.te
index 465716f6..54170a62 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -1,4 +1,4 @@
-policy_module(openvpn, 1.15.0)
+policy_module(openvpn, 1.15.1)
 
 ########################################
 #

diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 5123f079..0b9a71fc 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.19.1)
+policy_module(rpc, 1.19.2)
 
 ########################################
 #
@@ -161,6 +161,8 @@ kernel_read_sysctl(rpcd_t)
 kernel_rw_fs_sysctls(rpcd_t)
 kernel_dontaudit_getattr_core_if(rpcd_t)
 kernel_signal(rpcd_t)
+# for /proc/fs/lockd/nlm_end_grace
+kernel_write_proc_files(rpcd_t)
 
 corecmd_exec_bin(rpcd_t)
 

diff --git a/policy/modules/contrib/squid.fc b/policy/modules/contrib/squid.fc
index d6b5ba09..7051c3e1 100644
--- a/policy/modules/contrib/squid.fc
+++ b/policy/modules/contrib/squid.fc
@@ -4,17 +4,17 @@
 
 /usr/lib/squid/cachemgr\.cgi   --      
gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
 
-/usr/sbin/squid        --      gen_context(system_u:object_r:squid_exec_t,s0)
+/usr/sbin/squid.* --   gen_context(system_u:object_r:squid_exec_t,s0)
 
 /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
 
 /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
 
-/var/log/squid(/.*)?   gen_context(system_u:object_r:squid_log_t,s0)
+/var/log/squid.*       gen_context(system_u:object_r:squid_log_t,s0)
 /var/log/squidGuard(/.*)?      gen_context(system_u:object_r:squid_log_t,s0)
 
-/run/squid\.pid        --      
gen_context(system_u:object_r:squid_var_run_t,s0)
+/run/squid3.*          gen_context(system_u:object_r:squid_var_run_t,s0)
 
-/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+/var/spool/squid.*     gen_context(system_u:object_r:squid_cache_t,s0)
 
 /var/squidGuard(/.*)?  gen_context(system_u:object_r:squid_cache_t,s0)
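Review bot: Replacing `/run/squid\.pid --` with `/run/squid3.*` drops the label for the non-Debian pid file name: /run/squid.pid no longer matches any squid entry and falls back to the generic pid-directory label, so the version-3-suffixed name gains coverage at the expense of the plain one. A single entry that covers both is `/run/squid3?.* gen_context(system_u:object_r:squid_var_run_t,s0)`, or the original `/run/squid\.pid --` line can be kept alongside the new one. Separately, `/usr/sbin/squid.* --` now labels every squid-prefixed binary in /usr/sbin as squid_exec_t, which may be intended but is worth a glance at what else shares that prefix on the target distributions.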

diff --git a/policy/modules/contrib/squid.if b/policy/modules/contrib/squid.if
index 941cedf3..b5adfad3 100644
--- a/policy/modules/contrib/squid.if
+++ b/policy/modules/contrib/squid.if
@@ -191,6 +191,25 @@ interface(`squid_use',`
 
 ########################################
 ## <summary>
+##     dontaudit statting tmpfs files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not be audited
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_dontaudit_read_tmpfs_files',`
+       gen_require(`
+               type squid_tmpfs_t;
+       ')
+
+       dontaudit $1 squid_tmpfs_t:file getattr;
+')
+
+########################################
+## <summary>
 ##     All of the rules required to
 ##     administrate an squid environment.
 ## </summary>

diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index 74fb3c23..f4fd15e8 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -1,4 +1,4 @@
-policy_module(squid, 1.15.0)
+policy_module(squid, 1.15.1)
 
 ########################################
 #
@@ -21,6 +21,14 @@ gen_tunable(squid_connect_any, false)
 ## </desc>
 gen_tunable(squid_use_tproxy, false)
 
+## <desc>
+##     <p>
+##     Determine whether squid can use the
+##     pinger daemon (needs raw net access)
+##     </p>
+## </desc>
+gen_tunable(squid_use_pinger, true)
+
 type squid_t;
 type squid_exec_t;
 init_daemon_domain(squid_t, squid_exec_t)
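Review bot: `gen_tunable(squid_use_pinger, true)` defaults the new tunable on, and the rules it guards in the `@@ -188,6 +196,11 @@` hunk give squid_t `net_raw` plus `rawip_socket` access; the other tunables in this file that widen privilege (`squid_connect_any`, `squid_use_tproxy` on the context lines above) default to false, so enabling raw network access by default is a departure from that convention. Unless the pinger helper is required for a stock squid installation to function, the default should be `false`, or the `<desc>` block should state why it is enabled by default.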
@@ -188,6 +196,11 @@ tunable_policy(`squid_connect_any',`
        corenet_tcp_sendrecv_all_ports(squid_t)
 ')
 
+tunable_policy(`squid_use_pinger',`
+       allow squid_t self:rawip_socket connected_socket_perms;
+       allow squid_t self:capability net_raw;
+')
+
 tunable_policy(`squid_use_tproxy',`
        allow squid_t self:capability net_admin;
        corenet_sendrecv_netport_server_packets(squid_t)
