* [refpolicy] [PATCH 00/13] Contrib updates from Gentoo
@ 2013-04-11  8:34 Sven Vermeulen
  2013-04-11  8:34 ` [refpolicy] [PATCH 01/13] Allow asterisk admins to execute asterisk binary directly Sven Vermeulen
                   ` (12 more replies)
  0 siblings, 13 replies; 29+ messages in thread
From: Sven Vermeulen @ 2013-04-11  8:34 UTC (permalink / raw)
  To: refpolicy

A set of contrib updates from Gentoo

Sven Vermeulen (13):
  Allow asterisk admins to execute asterisk binary directly
  Support tagfiles for consolekit
  ConsoleKit needs to read the dbus machine-id
  File context updates for courier-imap
  Allow reading /proc/self for fail2ban due to FAM support
  Allow IRC clients to read certificates
  Update on file contexts for OpenLDAP
  Update on file contexts for wpa_supplicant
  Postfix creates defer(red) queue locations
  Update file contexts for puppet
  Support ~/.tmux.conf as tmux configuration file
  Support tmux control socket
  Add setuid/setgid capability to ulogd_t

 asterisk.if       | 21 +++++++++++++++++++++
 consolekit.te     |  6 ++++++
 courier.fc        |  2 ++
 dbus.if           |  1 +
 fail2ban.te       |  3 +++
 irc.te            |  1 +
 ldap.fc           |  5 +++++
 networkmanager.fc |  1 +
 postfix.te        |  2 ++
 puppet.fc         |  4 ++++
 screen.fc         |  1 +
 screen.if         |  1 +
 screen.te         |  3 ++-
 ulogd.te          |  2 +-
 14 files changed, 51 insertions(+), 2 deletions(-)

-- 
1.8.1.5


* [refpolicy] [PATCH 01/13] Allow asterisk admins to execute asterisk binary directly
  2013-04-11  8:34 [refpolicy] [PATCH 00/13] Contrib updates from Gentoo Sven Vermeulen
@ 2013-04-11  8:34 ` Sven Vermeulen
  2013-04-17 16:35   ` Dominick Grift
  2013-04-11  8:34 ` [refpolicy] [PATCH 02/13] Support tagfiles for consolekit Sven Vermeulen
                   ` (11 subsequent siblings)
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2013-04-11  8:34 UTC (permalink / raw)
  To: refpolicy

Administrating Asterisk requires being able to run the asterisk binary (no
transition needed, it acts as a client). For instance
http://www.voip-info.org/wiki/view/Asterisk+CLI shows an overview of common CLI
commands run by administrators through the asterisk binary.

Thus add asterisk_exec($1) to the asterisk_admin() definition.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 asterisk.if | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/asterisk.if b/asterisk.if
index 7268a04..26c8621 100644
--- a/asterisk.if
+++ b/asterisk.if
@@ -113,6 +113,8 @@ interface(`asterisk_admin',`
 	role_transition $2 asterisk_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	asterisk_exec($1)
+
 	files_list_tmp($1)
 	admin_pattern($1, asterisk_tmp_t)
 
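Review bot: the new asterisk_exec($1) call is dropped between the role_transition/`allow $2 system_r;` lines and the files_list_tmp($1)/admin_pattern($1, asterisk_tmp_t) group, so the per-resource blocks of the interface are no longer contiguous; refpolicy keeps the domain-related calls of an admin interface together ahead of the resource blocks, so the line reads better moved up next to the domain and init-script calls that open the interface rather than splitting the tmp block from the pids block that follows it.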
@@ -131,3 +133,22 @@ interface(`asterisk_admin',`
 	files_list_pids($1)
 	admin_pattern($1, asterisk_var_run_t)
 ')
+
+######################################
+## <summary>
+##	Execute asterisk is the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to execute asterisk
+##	</summary>
+## </param>
+#
+interface(`asterisk_exec',`
+	gen_require(`
+		type asterisk_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, asterisk_exec_t)
+')
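Review bot: the `<summary>` text "Execute asterisk is the caller domain." should read "Execute asterisk in the caller domain.", and the `#####` rule above the header looks shorter than the 40-character rule used elsewhere (compare the one at the end of the dbus.if hunk in patch 03); both belong in the XML header refpolicy's documentation is generated from. The new interface is also appended after asterisk_admin, which by convention stays the last interface in the .if file, so asterisk_exec should go above it. The body itself is right: corecmd_search_bin($1) plus can_exec($1, asterisk_exec_t) is the standard exec-without-transition pair.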
-- 
1.8.1.5


* [refpolicy] [PATCH 02/13] Support tagfiles for consolekit
  2013-04-11  8:34 [refpolicy] [PATCH 00/13] Contrib updates from Gentoo Sven Vermeulen
  2013-04-11  8:34 ` [refpolicy] [PATCH 01/13] Allow asterisk admins to execute asterisk binary directly Sven Vermeulen
@ 2013-04-11  8:34 ` Sven Vermeulen
  2013-04-17 16:37   ` Dominick Grift
  2013-04-11  8:34 ` [refpolicy] [PATCH 03/13] ConsoleKit needs to read the dbus machine-id Sven Vermeulen
                   ` (10 subsequent siblings)
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2013-04-11  8:34 UTC (permalink / raw)
  To: refpolicy

Gentoo currently still uses the pam-foreground compatibility, which causes
ConsoleKit to set tagfiles in the pam_console tag directory (/var/run/console).
As /var/run is dynamic nowadays, ConsoleKit also creates the directory.

Allow ConsoleKit to create such a directory with the right file transition in
place.

Debian also has this (already in policy) so duplicate settings for Gentoo. As
the policy includes a transition, I'm less inclined to make this a global policy
change as I have no idea what the impact would be on other distributions such as
Fedora/RedHat.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 consolekit.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/consolekit.te b/consolekit.te
index 5f0c793..aff2f51 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -92,6 +92,11 @@ ifdef(`distro_debian',`
 	auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
 ')
 
+ifdef(`distro_gentoo',`
+	auth_create_pam_console_data_dirs(consolekit_t)
+	auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
+')
+
 optional_policy(`
 	dbus_system_domain(consolekit_t, consolekit_exec_t)
 
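Review bot: the new ifdef(`distro_gentoo') block is a verbatim copy of the distro_debian block directly above it. Rather than carrying the same two lines twice, either fold both distros into one conditional or make the calls unconditional: the allow rule is harmless on a distribution whose ConsoleKit never creates /var/run/console, and the "console" directory transition only fires when the daemon actually creates that directory. The commit message's uncertainty about Fedora is the only argument for the ifdef, so that is the point to settle before merging.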
-- 
1.8.1.5


* [refpolicy] [PATCH 03/13] ConsoleKit needs to read the dbus machine-id
  2013-04-11  8:34 [refpolicy] [PATCH 00/13] Contrib updates from Gentoo Sven Vermeulen
  2013-04-11  8:34 ` [refpolicy] [PATCH 01/13] Allow asterisk admins to execute asterisk binary directly Sven Vermeulen
  2013-04-11  8:34 ` [refpolicy] [PATCH 02/13] Support tagfiles for consolekit Sven Vermeulen
@ 2013-04-11  8:34 ` Sven Vermeulen
  2013-04-17 16:37   ` Dominick Grift
  2013-04-11  8:34 ` [refpolicy] [PATCH 04/13] File context updates for courier-imap Sven Vermeulen
                   ` (9 subsequent siblings)
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2013-04-11  8:34 UTC (permalink / raw)
  To: refpolicy

The dbus integration in ConsoleKit reads in the machine-id as provided through
dbus (/var/lib/dbus/machine-id).

On Gentoo, this location is a symbolic link to /etc/machine-id however, so we
update the interface to support reading the symbolic link files too.

See also ConsoleKit's src/ck-manager.c function generate_session_cookie (calls
dbus_get_local_machine_id).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 consolekit.te | 1 +
 dbus.if       | 1 +
 2 files changed, 2 insertions(+)

diff --git a/consolekit.te b/consolekit.te
index aff2f51..6874d9a 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -98,6 +98,7 @@ ifdef(`distro_gentoo',`
 ')
 
 optional_policy(`
+	dbus_read_lib_files(consolekit_t)
 	dbus_system_domain(consolekit_t, consolekit_exec_t)
 
 	optional_policy(`
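Review bot: the symlink permission is only half of what the commit message describes. On Gentoo, reading /var/lib/dbus/machine-id means following the link to /etc/machine-id, so consolekit_t also needs read access on the type of the link target, and nothing in this hunk grants that; either it is already allowed elsewhere or the next denial will be on /etc/machine-id. Worth confirming against the audit log before merging.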
diff --git a/dbus.if b/dbus.if
index afcf3a2..62d22cb 100644
--- a/dbus.if
+++ b/dbus.if
@@ -356,6 +356,7 @@ interface(`dbus_read_lib_files',`
 
 	files_search_var_lib($1)
 	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+	read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 ')
 
 ########################################
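Review bot: adding read_lnk_files_pattern to dbus_read_lib_files widens every existing caller of the interface, not just consolekit_t. That is acceptable for a read-only interface whose name already promises reading the dbus lib files, but the interface's description block above this hunk should say that symbolic links in that directory are now included, so callers are not surprised by the extra lnk_file permission.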
-- 
1.8.1.5


* [refpolicy] [PATCH 04/13] File context updates for courier-imap
  2013-04-11  8:34 [refpolicy] [PATCH 00/13] Contrib updates from Gentoo Sven Vermeulen
                   ` (2 preceding siblings ...)
  2013-04-11  8:34 ` [refpolicy] [PATCH 03/13] ConsoleKit needs to read the dbus machine-id Sven Vermeulen
@ 2013-04-11  8:34 ` Sven Vermeulen
  2013-04-17 16:38   ` Dominick Grift
  2013-04-11  8:34 ` [refpolicy] [PATCH 05/13] Allow reading /proc/self for fail2ban due to FAM support Sven Vermeulen
                   ` (8 subsequent siblings)
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2013-04-11  8:34 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 courier.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/courier.fc b/courier.fc
index 8a4b596..69bdc68 100644
--- a/courier.fc
+++ b/courier.fc
@@ -4,9 +4,11 @@
 /usr/bin/imapd	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
 
 /usr/sbin/authdaemond	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+/usr/sbin/courier-imapd	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/sbin/courierlogger	--	gen_context(system_u:object_r:courier_exec_t,s0)
 /usr/sbin/courierldapaliasd	--	gen_context(system_u:object_r:courier_exec_t,s0)
 /usr/sbin/couriertcpd	--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+/usr/sbin/imaplogin	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
 
 /usr/lib/courier/authlib/.*	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
 /usr/lib/courier/courier-authlib/.*	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
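Review bot: /usr/sbin/imaplogin is labeled courier_authdaemon_exec_t, but imaplogin is the IMAP login front-end that runs in front of imapd, which the first context line of this hunk labels courier_pop_exec_t; with this label the login helper would start in the authdaemon domain instead of the pop/imap domain. courier_pop_exec_t is the consistent choice (the maintainer's reply later in this thread merges it that way). The courier-imapd line matches /usr/bin/imapd and is fine.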
-- 
1.8.1.5


* [refpolicy] [PATCH 05/13] Allow reading /proc/self for fail2ban due to FAM support
  2013-04-11  8:34 [refpolicy] [PATCH 00/13] Contrib updates from Gentoo Sven Vermeulen
                   ` (3 preceding siblings ...)
  2013-04-11  8:34 ` [refpolicy] [PATCH 04/13] File context updates for courier-imap Sven Vermeulen
@ 2013-04-11  8:34 ` Sven Vermeulen
  2013-04-17 16:40   ` Dominick Grift
  2013-04-11  8:34 ` [refpolicy] [PATCH 06/13] Allow IRC clients to read certificates Sven Vermeulen
                   ` (7 subsequent siblings)
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2013-04-11  8:34 UTC (permalink / raw)
  To: refpolicy

fail2ban supports file monitoring solutions like Gamin and Pyinotify. When using
Gamin, fail2ban launches a gam_server which, through FAM support, reads in
/proc/self.

As this gam_server is only for the fail2ban activities and all permissions
(except for read access to the fail2ban_t /proc itself), allow this in the
fail2ban_t domain instead of creating a new domain for gam_server and
transitioning to it.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 fail2ban.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fail2ban.te b/fail2ban.te
index 0872e50..919358a 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -42,6 +42,9 @@ allow fail2ban_t self:fifo_file rw_fifo_file_perms;
 allow fail2ban_t self:unix_stream_socket { accept connectto listen };
 allow fail2ban_t self:tcp_socket { accept listen };
 
+# Needed for FAM support
+read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
+
 append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
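Review bot: read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t) is an unusual way to express a domain reading its own /proc/self entries. The macro expands to search on fail2ban_t directories plus read on fail2ban_t files, which for a process type is exactly `allow fail2ban_t self:dir search_dir_perms; allow fail2ban_t self:file read_file_perms;`, and that explicit self form belongs with the other `allow fail2ban_t self:...` rules a few lines up instead of among the log-file patterns. The comment should also say who reads /proc/self (the gam_server that fail2ban launches, per the commit message) rather than only "FAM support".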
-- 
1.8.1.5


* [refpolicy] [PATCH 06/13] Allow IRC clients to read certificates
  2013-04-11  8:34 [refpolicy] [PATCH 00/13] Contrib updates from Gentoo Sven Vermeulen
                   ` (4 preceding siblings ...)
  2013-04-11  8:34 ` [refpolicy] [PATCH 05/13] Allow reading /proc/self for fail2ban due to FAM support Sven Vermeulen
@ 2013-04-11  8:34 ` Sven Vermeulen
  2013-04-17 16:39   ` Dominick Grift
  2013-04-11  8:34 ` [refpolicy] [PATCH 07/13] Update on file contexts for OpenLDAP Sven Vermeulen
                   ` (6 subsequent siblings)
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2013-04-11  8:34 UTC (permalink / raw)
  To: refpolicy

So that IRC clients can connect to SSL-enabled IRC servers, allow irc clients
to read the generic certificates.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 irc.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/irc.te b/irc.te
index ecad9c7..ddf1595 100644
--- a/irc.te
+++ b/irc.te
@@ -106,6 +106,7 @@ auth_use_nsswitch(irc_t)
 init_read_utmp(irc_t)
 init_dontaudit_lock_utmp(irc_t)
 
+miscfiles_read_generic_certs(irc_t)
 miscfiles_read_localization(irc_t)
 
 userdom_use_user_terminals(irc_t)
-- 
1.8.1.5


* [refpolicy] [PATCH 07/13] Update on file contexts for OpenLDAP
  2013-04-11  8:34 [refpolicy] [PATCH 00/13] Contrib updates from Gentoo Sven Vermeulen
                   ` (5 preceding siblings ...)
  2013-04-11  8:34 ` [refpolicy] [PATCH 06/13] Allow IRC clients to read certificates Sven Vermeulen
@ 2013-04-11  8:34 ` Sven Vermeulen
  2013-04-17 16:38   ` Dominick Grift
  2013-04-11  8:34 ` [refpolicy] [PATCH 08/13] Update on file contexts for wpa_supplicant Sven Vermeulen
                   ` (5 subsequent siblings)
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2013-04-11  8:34 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 ldap.fc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ldap.fc b/ldap.fc
index bc25c95..b7e5679 100644
--- a/ldap.fc
+++ b/ldap.fc
@@ -6,11 +6,16 @@
 
 /usr/sbin/slapd	--	gen_context(system_u:object_r:slapd_exec_t,s0)
 
+/usr/lib/openldap/slapd	--	gen_context(system_u:object_r:slapd_exec_t,s0)
 /usr/lib/slapd	--	gen_context(system_u:object_r:slapd_exec_t,s0)
 
 /var/lib/ldap(/.*)?	gen_context(system_u:object_r:slapd_db_t,s0)
 /var/lib/ldap/replog(/.*)?	gen_context(system_u:object_r:slapd_replog_t,s0)
 
+/var/lib/openldap-data(/.*)?	gen_context(system_u:object_r:slapd_db_t,s0)
+/var/lib/openldap-ldbm(/.*)?	gen_context(system_u:object_r:slapd_db_t,s0)
+/var/lib/openldap-slurpd(/.*)?	gen_context(system_u:object_r:slapd_db_t,s0)
+
 /var/lock/subsys/ldap	--	gen_context(system_u:object_r:slapd_lock_t,s0)
 /var/lock/subsys/slapd	--	gen_context(system_u:object_r:slapd_lock_t,s0)
 
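Review bot: /var/lib/openldap-slurpd is given slapd_db_t, while the replication log of the standard layout two lines above it (/var/lib/ldap/replog) gets slapd_replog_t; slurpd is the replication daemon, so slapd_replog_t looks like the matching type for its directory unless Gentoo keeps database files there, which the empty commit message does not say. The other additions mirror existing entries and are fine; since all four paths are Gentoo's layout, wrapping them in an ifdef(`distro_gentoo') block, as this series already does in the .te files, would document where they come from.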
-- 
1.8.1.5


* [refpolicy] [PATCH 08/13] Update on file contexts for wpa_supplicant
  2013-04-11  8:34 [refpolicy] [PATCH 00/13] Contrib updates from Gentoo Sven Vermeulen
                   ` (6 preceding siblings ...)
  2013-04-11  8:34 ` [refpolicy] [PATCH 07/13] Update on file contexts for OpenLDAP Sven Vermeulen
@ 2013-04-11  8:34 ` Sven Vermeulen
  2013-04-17 16:39   ` Dominick Grift
  2013-04-11  8:34 ` [refpolicy] [PATCH 09/13] Postfix creates defer(red) queue locations Sven Vermeulen
                   ` (4 subsequent siblings)
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2013-04-11  8:34 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 networkmanager.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/networkmanager.fc b/networkmanager.fc
index a1fb3c3..94b9734 100644
--- a/networkmanager.fc
+++ b/networkmanager.fc
@@ -20,6 +20,7 @@
 /sbin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 
 /usr/bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/wpa_cli	--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
 /usr/bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 
 /usr/sbin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
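Review bot: the subject says "file contexts for wpa_supplicant", but the only line added is /usr/bin/wpa_cli with wpa_cli_exec_t; the wpa_supplicant lines in the hunk are unchanged context, and the commit body is empty. The message should name the binary that is actually added and which distribution installs it under /usr/bin, since an .fc change has no code from which a later reader can recover the intent.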
-- 
1.8.1.5


* [refpolicy] [PATCH 09/13] Postfix creates defer(red) queue locations
  2013-04-11  8:34 [refpolicy] [PATCH 00/13] Contrib updates from Gentoo Sven Vermeulen
                   ` (7 preceding siblings ...)
  2013-04-11  8:34 ` [refpolicy] [PATCH 08/13] Update on file contexts for wpa_supplicant Sven Vermeulen
@ 2013-04-11  8:34 ` Sven Vermeulen
  2013-04-12  3:39   ` Russell Coker
  2013-04-17 16:41   ` Dominick Grift
  2013-04-11  8:34 ` [refpolicy] [PATCH 10/13] Update file contexts for puppet Sven Vermeulen
                   ` (3 subsequent siblings)
  12 siblings, 2 replies; 29+ messages in thread
From: Sven Vermeulen @ 2013-04-11  8:34 UTC (permalink / raw)
  To: refpolicy

At startup, the Postfix daemon will check if the defer and deferred queues are
available. If not, it will create them. Introduce the proper file transitions to
support this.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 postfix.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/postfix.te b/postfix.te
index 3f45a93..069bc2e 100644
--- a/postfix.te
+++ b/postfix.te
@@ -244,6 +244,8 @@ create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
 delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "defer")
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred")
 filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
 
 create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
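Review bot: the two new filetrans_pattern lines make postfix_master_t create "defer" and "deferred" as postfix_spool_maildrop_t, matching the "maildrop" line below them. That is only correct if postfix.fc labels those directories the same way, otherwise a restorecon and the running daemon would disagree (the reply further down in this thread quotes postfix.fc entries that do, with the deferred entry restricted to directories via -d). Because the type name is questioned in review, the commit message should state that postfix_spool_maildrop_t is the label postfix.fc already assigns, not a new choice made by this patch.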
-- 
1.8.1.5


* [refpolicy] [PATCH 10/13] Update file contexts for puppet
  2013-04-11  8:34 [refpolicy] [PATCH 00/13] Contrib updates from Gentoo Sven Vermeulen
                   ` (8 preceding siblings ...)
  2013-04-11  8:34 ` [refpolicy] [PATCH 09/13] Postfix creates defer(red) queue locations Sven Vermeulen
@ 2013-04-11  8:34 ` Sven Vermeulen
  2013-04-17 16:41   ` Dominick Grift
  2013-04-11  8:34 ` [refpolicy] [PATCH 11/13] Support ~/.tmux.conf as tmux configuration file Sven Vermeulen
                   ` (2 subsequent siblings)
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2013-04-11  8:34 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 puppet.fc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/puppet.fc b/puppet.fc
index 4ecda09..d68e26d 100644
--- a/puppet.fc
+++ b/puppet.fc
@@ -3,6 +3,10 @@
 /etc/rc\.d/init\.d/puppet	--	gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/puppetmaster	--	gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
 
+/usr/bin/puppetca	--	gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/bin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
+/usr/bin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
 /usr/sbin/puppetca	--	gen_context(system_u:object_r:puppetca_exec_t,s0)
 /usr/sbin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
 /usr/sbin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
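Review bot: the commit body is empty; it should say which distribution ships puppetca, puppetd and puppetmasterd under /usr/bin so that a later cleanup can tell whether these entries are still needed. The labels mirror the /usr/sbin entries below line for line, so the content itself is fine.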
-- 
1.8.1.5


* [refpolicy] [PATCH 11/13] Support ~/.tmux.conf as tmux configuration file
  2013-04-11  8:34 [refpolicy] [PATCH 00/13] Contrib updates from Gentoo Sven Vermeulen
                   ` (9 preceding siblings ...)
  2013-04-11  8:34 ` [refpolicy] [PATCH 10/13] Update file contexts for puppet Sven Vermeulen
@ 2013-04-11  8:34 ` Sven Vermeulen
  2013-04-17 16:41   ` Dominick Grift
  2013-04-11  8:34 ` [refpolicy] [PATCH 12/13] Support tmux control socket Sven Vermeulen
  2013-04-11  8:34 ` [refpolicy] [PATCH 13/13] Add setuid/setgid capability to ulogd_t Sven Vermeulen
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2013-04-11  8:34 UTC (permalink / raw)
  To: refpolicy

The tmux application is similar to screen, and already supported in the policy
as such. Include ~/.tmux.conf as screen_home_t and include the proper transition
when the file is created.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 screen.fc | 1 +
 screen.if | 1 +
 2 files changed, 2 insertions(+)

diff --git a/screen.fc b/screen.fc
index ac04d27..e7c2cf7 100644
--- a/screen.fc
+++ b/screen.fc
@@ -1,5 +1,6 @@
 HOME_DIR/\.screen(/.*)?	gen_context(system_u:object_r:screen_home_t,s0)
 HOME_DIR/\.screenrc	--	gen_context(system_u:object_r:screen_home_t,s0)
+HOME_DIR/\.tmux\.conf	--	gen_context(system_u:object_r:screen_home_t,s0)
 
 /usr/bin/screen	--	gen_context(system_u:object_r:screen_exec_t,s0)
 /usr/bin/tmux	--	gen_context(system_u:object_r:screen_exec_t,s0)
diff --git a/screen.if b/screen.if
index c21ddcc..be5cce2 100644
--- a/screen.if
+++ b/screen.if
@@ -65,6 +65,7 @@ template(`screen_role_template',`
 
 	userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen")
 	userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
+	userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf")
 
 	manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
 	manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
-- 
1.8.1.5


* [refpolicy] [PATCH 12/13] Support tmux control socket
  2013-04-11  8:34 [refpolicy] [PATCH 00/13] Contrib updates from Gentoo Sven Vermeulen
                   ` (10 preceding siblings ...)
  2013-04-11  8:34 ` [refpolicy] [PATCH 11/13] Support ~/.tmux.conf as tmux configuration file Sven Vermeulen
@ 2013-04-11  8:34 ` Sven Vermeulen
  2013-04-17 16:46   ` Dominick Grift
  2013-04-11  8:34 ` [refpolicy] [PATCH 13/13] Add setuid/setgid capability to ulogd_t Sven Vermeulen
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2013-04-11  8:34 UTC (permalink / raw)
  To: refpolicy

The tmux application places its control socket in /tmp/tmux-*. Introduce a
transition from screen_tmp_t (the /tmp/tmux-* directory) towards
screen_var_run_t for socket files.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 screen.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/screen.te b/screen.te
index f095081..75d538c 100644
--- a/screen.te
+++ b/screen.te
@@ -38,12 +38,13 @@ allow screen_domain self:process signal_perms;
 allow screen_domain self:fd use;
 allow screen_domain self:fifo_file rw_fifo_file_perms;
 allow screen_domain self:tcp_socket { accept listen };
-allow screen_domain self:unix_stream_socket connectto;
+allow screen_domain self:unix_stream_socket { accept connectto listen };
 
 manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
 manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
 manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
 files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir })
+filetrans_pattern(screen_domain, screen_tmp_t, screen_var_run_t, sock_file)
 
 manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
 manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
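Review bot: the commit message only describes the sock_file transition, but the hunk also changes `allow screen_domain self:unix_stream_socket connectto;` to `{ accept connectto listen }`; that addition (the server side of tmux's control socket) should be mentioned in the message. For the transition itself, filetrans_pattern(screen_domain, screen_tmp_t, screen_var_run_t, sock_file) only picks the label at create time, so screen_domain also needs create and manage permissions on screen_var_run_t:sock_file; the hunk shows manage_fifo_files_pattern and manage_dirs_pattern for screen_var_run_t but no sock_file equivalent, so check that one exists below. Labeling a socket under /tmp/tmux-* with a var_run type also means a matching .fc entry is needed for the label to survive a relabel.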
-- 
1.8.1.5
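Patches 09, 11 and 12 all rely on name-based type transitions (filetrans_pattern and userdom_user_home_dir_filetrans): a newly created object gets its parent directory's type unless a type_transition rule for that source domain, parent type and object class, optionally keyed on the file name, says otherwise, and a rename never re-runs the transition. The following is an added example, a toy model written for this page and not code from refpolicy or the kernel, that simulates exactly those rules on the types named in the three patches. user_home_dir_t as the home-directory type and a single domain named screen_domain standing in for the attribute are assumptions.

```python
class TransitionTable:
    """Name-aware type_transition rules: the kernel mechanism that
    filetrans_pattern(src, parent, result, class, "name") generates."""

    def __init__(self):
        self.rules = {}  # (src, parent_type, cls, name or None) -> result type

    def add(self, src, parent_type, result, cls, name=None):
        # Same argument order as refpolicy's filetrans_pattern().
        self.rules[(src, parent_type, cls, name)] = result

    def result_type(self, src, parent_type, cls, name):
        # A name-keyed rule beats the class-wide rule; with neither, inherit.
        for key in ((src, parent_type, cls, name), (src, parent_type, cls, None)):
            if key in self.rules:
                return self.rules[key]
        return parent_type


class ToyFs:
    """In-memory tree of path -> (class, type) with SELinux create/rename
    semantics: create evaluates the transition, rename keeps the label."""

    def __init__(self, table):
        self.table = table
        self.objects = {}

    def mkroot(self, path, setype):
        self.objects[path] = ("dir", setype)

    def create(self, domain, path, cls):
        parent, name = path.rsplit("/", 1)
        pcls, ptype = self.objects[parent]
        if pcls != "dir":
            raise NotADirectoryError(parent)
        setype = self.table.result_type(domain, ptype, cls, name)
        self.objects[path] = (cls, setype)
        return setype

    def rename(self, old, new):
        # rename(2) moves the inode; its security context travels with it.
        self.objects[new] = self.objects.pop(old)
        return self.objects[new][1]

    def type_of(self, path):
        return self.objects[path][1]


def build_policy():
    t = TransitionTable()
    # Patch 09: postfix_master_t creating queue directories in the spool.
    for name in ("defer", "deferred", "maildrop"):
        t.add("postfix_master_t", "postfix_spool_t", "postfix_spool_maildrop_t", "dir", name)
    # Patch 11: a user domain writing ~/.tmux.conf (home type is assumed).
    t.add("user_t", "user_home_dir_t", "screen_home_t", "file", ".tmux.conf")
    # Patch 12: every socket screen/tmux creates under its /tmp directory.
    t.add("screen_domain", "screen_tmp_t", "screen_var_run_t", "sock_file")
    return t


def scenario():
    """Replay the three patches' situations and return the resulting types."""
    fs = ToyFs(build_policy())
    fs.mkroot("/var/spool/postfix", "postfix_spool_t")
    fs.mkroot("/home/user", "user_home_dir_t")
    fs.mkroot("/tmp/tmux-1000", "screen_tmp_t")
    out = {}
    out["deferred_dir"] = fs.create("postfix_master_t", "/var/spool/postfix/deferred", "dir")
    out["incoming_dir"] = fs.create("postfix_master_t", "/var/spool/postfix/incoming", "dir")
    out["queued_mail"] = fs.create("postfix_master_t", "/var/spool/postfix/incoming/ABC123", "file")
    # Moving the queue file into deferred/ keeps postfix_spool_t on it.
    out["deferred_mail"] = fs.rename("/var/spool/postfix/incoming/ABC123",
                                     "/var/spool/postfix/deferred/ABC123")
    out["tmux_conf"] = fs.create("user_t", "/home/user/.tmux.conf", "file")
    out["other_dotfile"] = fs.create("user_t", "/home/user/.profile", "file")
    out["tmux_socket"] = fs.create("screen_domain", "/tmp/tmux-1000/default", "sock_file")
    # A different domain creating a socket there gets no transition at all.
    out["foreign_socket"] = fs.create("user_t", "/tmp/tmux-1000/other", "sock_file")
    return out


if __name__ == "__main__":
    for key, setype in scenario().items():
        print("%-15s %s" % (key, setype))
```

The model shows why patch 09 needs a rule per directory name (a sibling such as incoming/ simply inherits postfix_spool_t), why patch 12's class-wide rule applies to every socket screen_domain creates in screen_tmp_t but to nobody else, and why a file renamed into deferred/ keeps the label it was created with.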


* [refpolicy] [PATCH 13/13] Add setuid/setgid capability to ulogd_t
  2013-04-11  8:34 [refpolicy] [PATCH 00/13] Contrib updates from Gentoo Sven Vermeulen
                   ` (11 preceding siblings ...)
  2013-04-11  8:34 ` [refpolicy] [PATCH 12/13] Support tmux control socket Sven Vermeulen
@ 2013-04-11  8:34 ` Sven Vermeulen
  2013-04-17 16:46   ` Dominick Grift
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2013-04-11  8:34 UTC (permalink / raw)
  To: refpolicy

The ulog daemon, when launched with the "-u" option, will change uid/gid after
it has finished its root-required tasks. This is handled in src/ulogd.c. If we do
not allow setuid/setgid, the following errors are displayed and the start-up
fails.

Sun Mar 17 23:53:53 2013 <5> ulogd.c:1184 Changing UID / GID
Sun Mar 17 23:53:53 2013 <8> ulogd.c:1186 can't set GID 245

Reported-by: vespian <vespian@o2.pl>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 ulogd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ulogd.te b/ulogd.te
index c6acbbe..d41c4b1 100644
--- a/ulogd.te
+++ b/ulogd.te
@@ -26,7 +26,7 @@ logging_log_file(ulogd_var_log_t)
 # Local policy
 #
 
-allow ulogd_t self:capability { net_admin sys_nice };
+allow ulogd_t self:capability { net_admin setuid setgid sys_nice };
 allow ulogd_t self:process setsched;
 allow ulogd_t self:netlink_nflog_socket create_socket_perms;
 allow ulogd_t self:netlink_socket create_socket_perms;
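Review bot: adding both setuid and setgid is correct even though the quoted log only shows the GID step failing: the GID change at ulogd.c:1186 fails first, and the UID change that follows it would need setuid as well. Since the capabilities are only exercised with the -u option, a one-line comment above the allow rule naming that option would help a later reader judge whether they can be removed.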
-- 
1.8.1.5


* [refpolicy] [PATCH 09/13] Postfix creates defer(red) queue locations
  2013-04-11  8:34 ` [refpolicy] [PATCH 09/13] Postfix creates defer(red) queue locations Sven Vermeulen
@ 2013-04-12  3:39   ` Russell Coker
  2013-04-12  5:51     ` Sven Vermeulen
  2013-04-17 16:41   ` Dominick Grift
  1 sibling, 1 reply; 29+ messages in thread
From: Russell Coker @ 2013-04-12  3:39 UTC (permalink / raw)
  To: refpolicy

On Thu, 11 Apr 2013, Sven Vermeulen <sven.vermeulen@siphos.be> wrote:
> At startup, the Postfix daemon will check if the defer and deferred queues
> are available. If not, it will create them. Introduce the proper file
> transitions to support this.

If you are going to assign a new type for the defer/deferred directories then 
is the maildrop name the correct one?  Those directories aren't for mail 
storage and the file contents are different to that which is used by programs 
such as maildrop.

It's always been postfix_spool_t for those directories, why do we need to 
change this?

> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  postfix.te | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/postfix.te b/postfix.te
> index 3f45a93..069bc2e 100644
> --- a/postfix.te
> +++ b/postfix.te
> @@ -244,6 +244,8 @@ create_dirs_pattern(postfix_master_t, postfix_spool_t,
> postfix_spool_maildrop_t) delete_files_pattern(postfix_master_t,
> postfix_spool_maildrop_t, postfix_spool_maildrop_t)
> rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t,
> postfix_spool_maildrop_t) setattr_dirs_pattern(postfix_master_t,
> postfix_spool_maildrop_t, postfix_spool_maildrop_t)
> +filetrans_pattern(postfix_master_t, postfix_spool_t,
> postfix_spool_maildrop_t, dir, "defer")
> +filetrans_pattern(postfix_master_t, postfix_spool_t,
> postfix_spool_maildrop_t, dir, "deferred")
> filetrans_pattern(postfix_master_t, postfix_spool_t,
> postfix_spool_maildrop_t, dir, "maildrop")
> 
>  create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)


-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH 09/13] Postfix creates defer(red) queue locations
  2013-04-12  3:39   ` Russell Coker
@ 2013-04-12  5:51     ` Sven Vermeulen
  0 siblings, 0 replies; 29+ messages in thread
From: Sven Vermeulen @ 2013-04-12  5:51 UTC (permalink / raw)
  To: refpolicy

On Fri, Apr 12, 2013 at 01:39:15PM +1000, Russell Coker wrote:
> On Thu, 11 Apr 2013, Sven Vermeulen <sven.vermeulen@siphos.be> wrote:
> > At startup, the Postfix daemon will check if the defer and deferred queues
> > are available. If not, it will create them. Introduce the proper file
> > transitions to support this.
> 
> If you are going to assign a new type for the defer/deferred directories then 
> is the maildrop name the correct one?  Those directories aren't for mail 
> storage and the file contents are different to that which is used by programs 
> such as maildrop.
> 
> It's always been postfix_spool_t for those directories, why do we need to 
> change this?

Because they're not postfix_spool_t according to the file context def?

#v+
/var/spool/postfix/deferred(/.*)? -d gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
/var/spool/postfix/defer(/.*)?       gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
#v-

What the patch does is streamline this so that we don't need restorecond or
a relabel operation. Also, the deferred queue only has the directory labeled
as such - mails that are moved between queues retain their label
(postfix_spool_t).

Wkr,
	Sven Vermeulen
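The .fc entries in patches 04, 07, 08 and 10 and the two postfix.fc lines quoted just above are file-context specs. The following is an added example, written for this page and not refpolicy's build tooling or the libselinux matcher, that parses that syntax and resolves which type a path would get, including the -d and -- object-class flags and HOME_DIR expansion. The sample is constructed from lines in this thread; the generic /var/spool/postfix entry is assumed rather than taken from the page, and the rule selection (longest literal prefix wins) is a simplification of what setfiles does after fc_sort has ordered the entries.

```python
import re

# .fc object-class flags: a spec carrying a flag only applies to that class.
FLAG_TO_KIND = {"--": "file", "-d": "dir", "-l": "lnk_file", "-s": "sock_file",
                "-p": "fifo_file", "-b": "blk_file", "-c": "chr_file"}
REGEX_META = set(".^$?*+|[({\\")

# Constructed sample: ldap.fc and postfix.fc lines from this thread plus the
# tmux line; the generic /var/spool/postfix entry is an assumption.
FC_SAMPLE = r"""
/var/lib/ldap(/.*)?  gen_context(system_u:object_r:slapd_db_t,s0)
/var/lib/ldap/replog(/.*)?  gen_context(system_u:object_r:slapd_replog_t,s0)
/var/spool/postfix(/.*)?  gen_context(system_u:object_r:postfix_spool_t,s0)
/var/spool/postfix/deferred(/.*)?  -d  gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
/var/spool/postfix/defer(/.*)?  gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
HOME_DIR/\.tmux\.conf  --  gen_context(system_u:object_r:screen_home_t,s0)
/tmp/leave-alone  --  <<none>>
"""


def parse_fc(text, home_dir="/home/user"):
    """Parse .fc lines into (regex, kind, setype, literal_prefix) tuples.
    HOME_DIR is replaced by one concrete home directory; the policy build
    expands it per configured home root, one is enough to show the idea."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            pattern, kind, ctx = parts[0], FLAG_TO_KIND[parts[1]], parts[2]
        elif len(parts) == 2:
            (pattern, ctx), kind = parts, None
        else:
            raise ValueError("malformed .fc line: %r" % raw)
        if ctx == "<<none>>":            # explicit "never relabel" marker
            setype = "<<none>>"
        else:
            m = re.fullmatch(r"gen_context\(([^,]+),([^)]+)\)", ctx)
            if m is None:
                raise ValueError("bad context in .fc line: %r" % raw)
            setype = m.group(1).split(":")[2]   # user:role:type -> type
        pattern = pattern.replace("HOME_DIR", re.escape(home_dir))
        prefix = ""
        for ch in pattern:               # literal lead-up to the first metachar
            if ch in REGEX_META:
                break
            prefix += ch
        specs.append((re.compile(pattern), kind, setype, prefix))
    return specs


def resolve(specs, path, kind="file"):
    """Return the type the specs assign to `path` (an object of class `kind`),
    or None when nothing matches.  Selection is a simplification of setfiles:
    among matching specs the longest literal prefix wins and ties go to the
    longer regex; the real matcher relies on fc_sort ordering instead."""
    best_key, best_type = None, None
    for regex, spec_kind, setype, prefix in specs:
        if spec_kind is not None and spec_kind != kind:
            continue
        if regex.fullmatch(path) is None:
            continue
        key = (len(prefix), len(regex.pattern))
        if best_key is None or key > best_key:
            best_key, best_type = key, setype
    return best_type


if __name__ == "__main__":
    specs = parse_fc(FC_SAMPLE)
    for path, kind in [("/var/lib/ldap/replog/log.0001", "file"),
                       ("/var/spool/postfix/deferred", "dir"),
                       ("/var/spool/postfix/deferred/3/ABC123", "file"),
                       ("/home/user/.tmux.conf", "file")]:
        print("%-40s %-5s -> %s" % (path, kind, resolve(specs, path, kind)))
```

Running it shows the point of the exchange above: the deferred entry carries -d, so a relabel assigns postfix_spool_maildrop_t to the deferred directory itself while a queue file inside it still resolves to the generic postfix_spool_t entry, and the more specific /var/lib/ldap/replog entry takes precedence over /var/lib/ldap for files under it.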


* [refpolicy] [PATCH 01/13] Allow asterisk admins to execute asterisk binary directly
  2013-04-11  8:34 ` [refpolicy] [PATCH 01/13] Allow asterisk admins to execute asterisk binary directly Sven Vermeulen
@ 2013-04-17 16:35   ` Dominick Grift
  0 siblings, 0 replies; 29+ messages in thread
From: Dominick Grift @ 2013-04-17 16:35 UTC (permalink / raw)
  To: refpolicy

On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> Administrating Asterisk requires being able to run the asterisk binary (no
> transition needed, it acts as a client). For instance
> http://www.voip-info.org/wiki/view/Asterisk+CLI shows an overview of common CLI
> commands run by administrators through the asterisk binary.
> 
> Thus add asterisk_exec($1) to the asterisk_admin() definition.

Merged with changes, thanks

Moved asterisk exec to the right place and edited the interface xml
header

> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  asterisk.if | 21 +++++++++++++++++++++
>  1 file changed, 21 insertions(+)
> 
> diff --git a/asterisk.if b/asterisk.if
> index 7268a04..26c8621 100644
> --- a/asterisk.if
> +++ b/asterisk.if
> @@ -113,6 +113,8 @@ interface(`asterisk_admin',`
>  	role_transition $2 asterisk_initrc_exec_t system_r;
>  	allow $2 system_r;
>  
> +	asterisk_exec($1)
> +
>  	files_list_tmp($1)
>  	admin_pattern($1, asterisk_tmp_t)
>  
> @@ -131,3 +133,22 @@ interface(`asterisk_admin',`
>  	files_list_pids($1)
>  	admin_pattern($1, asterisk_var_run_t)
>  ')
> +
> +######################################
> +## <summary>
> +##	Execute asterisk is the caller domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to execute asterisk
> +##	</summary>
> +## </param>
> +#
> +interface(`asterisk_exec',`
> +	gen_require(`
> +		type asterisk_exec_t;
> +	')
> +
> +	corecmd_search_bin($1)
> +	can_exec($1, asterisk_exec_t)
> +')


* [refpolicy] [PATCH 02/13] Support tagfiles for consolekit
  2013-04-11  8:34 ` [refpolicy] [PATCH 02/13] Support tagfiles for consolekit Sven Vermeulen
@ 2013-04-17 16:37   ` Dominick Grift
  0 siblings, 0 replies; 29+ messages in thread
From: Dominick Grift @ 2013-04-17 16:37 UTC (permalink / raw)
  To: refpolicy

On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> Gentoo currently still uses the pam-foreground compatibility, which causes
> ConsoleKit to set tagfiles in the pam_console tag directory (/var/run/console).
> As /var/run is dynamic nowadays, ConsoleKit also creates the directory.
> 
> Allow ConsoleKit to create such a directory with the right file transition in
> place.
> 
> Debian also has this (already in policy) so duplicate settings for Gentoo. As
> the policy includes a transition, I'm less inclined to make this a global policy
> change as I have no idea what the impact would be on other distributions such as
> Fedora/RedHat.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

Merged with changes, thanks

Made this unconditional as this does not seem to conflict with fedora
> ---
>  consolekit.te | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/consolekit.te b/consolekit.te
> index 5f0c793..aff2f51 100644
> --- a/consolekit.te
> +++ b/consolekit.te
> @@ -92,6 +92,11 @@ ifdef(`distro_debian',`
>  	auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
>  ')
>  
> +ifdef(`distro_gentoo',`
> +	auth_create_pam_console_data_dirs(consolekit_t)
> +	auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
> +')
> +
>  optional_policy(`
>  	dbus_system_domain(consolekit_t, consolekit_exec_t)
>  


* [refpolicy] [PATCH 03/13] ConsoleKit needs to read the dbus machine-id
  2013-04-11  8:34 ` [refpolicy] [PATCH 03/13] ConsoleKit needs to read the dbus machine-id Sven Vermeulen
@ 2013-04-17 16:37   ` Dominick Grift
  0 siblings, 0 replies; 29+ messages in thread
From: Dominick Grift @ 2013-04-17 16:37 UTC (permalink / raw)
  To: refpolicy

On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> The dbus integration in ConsoleKit reads in the machine-id as provided through
> dbus (/var/lib/dbus/machine-id).
> 
> On Gentoo, however, this location is a symbolic link to /etc/machine-id, so we
> update the interface to support reading symbolic link files too.
> 
> See also ConsoleKit's src/ck-manager.c function generate_session_cookie (calls
> dbus_get_local_machine_id).
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

Merged, thanks
> ---
>  consolekit.te | 1 +
>  dbus.if       | 1 +
>  2 files changed, 2 insertions(+)
> 
> diff --git a/consolekit.te b/consolekit.te
> index aff2f51..6874d9a 100644
> --- a/consolekit.te
> +++ b/consolekit.te
> @@ -98,6 +98,7 @@ ifdef(`distro_gentoo',`
>  ')
>  
>  optional_policy(`
> +	dbus_read_lib_files(consolekit_t)
>  	dbus_system_domain(consolekit_t, consolekit_exec_t)
>  
>  	optional_policy(`
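Review bot: dbus_read_lib_files(consolekit_t) grants read on the symlink in /var/lib/dbus, but the commit message says that on Gentoo the link points to /etc/machine-id; following it also needs read access on the target's label, which this hunk does not add. Confirm that consolekit_t already has that (for instance through an existing files_read_etc_files call elsewhere in consolekit.te), otherwise the symlink read succeeds and the open of the target is denied.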
> diff --git a/dbus.if b/dbus.if
> index afcf3a2..62d22cb 100644
> --- a/dbus.if
> +++ b/dbus.if
> @@ -356,6 +356,7 @@ interface(`dbus_read_lib_files',`
>  
>  	files_search_var_lib($1)
>  	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
> +	read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
>  ')
>  
>  ########################################
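Review bot: Adding read_lnk_files_pattern to dbus_read_lib_files widens the interface for every caller, not only consolekit_t. That matches the interface's stated purpose (read dbus lib files), but the interface's documentation comment above this hunk should mention symlinks, and the commit message, which only talks about ConsoleKit, should say that the interface change is global.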

* [refpolicy] [PATCH 04/13] File context updates for courier-imap
From: Dominick Grift @ 2013-04-17 16:38 UTC (permalink / raw)
  To: refpolicy

On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

Merged with changes, thanks

imaplogin is courier_pop_exec_t

> ---
>  courier.fc | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/courier.fc b/courier.fc
> index 8a4b596..69bdc68 100644
> --- a/courier.fc
> +++ b/courier.fc
> @@ -4,9 +4,11 @@
>  /usr/bin/imapd	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
>  
>  /usr/sbin/authdaemond	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
> +/usr/sbin/courier-imapd	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
>  /usr/sbin/courierlogger	--	gen_context(system_u:object_r:courier_exec_t,s0)
>  /usr/sbin/courierldapaliasd	--	gen_context(system_u:object_r:courier_exec_t,s0)
>  /usr/sbin/couriertcpd	--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
> +/usr/sbin/imaplogin	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
>  
>  /usr/lib/courier/authlib/.*	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
>  /usr/lib/courier/courier-authlib/.*	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
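Review bot: /usr/sbin/imaplogin is labelled courier_authdaemon_exec_t, which puts the IMAP login front end in the authdaemon domain, while /usr/bin/imapd above and the new /usr/sbin/courier-imapd get courier_pop_exec_t. imaplogin is the per-connection IMAP server process, so it belongs with courier_pop_exec_t, as the maintainer noted when merging; change the context to gen_context(system_u:object_r:courier_pop_exec_t,s0).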

* [refpolicy] [PATCH 07/13] Update on file contexts for OpenLDAP
From: Dominick Grift @ 2013-04-17 16:38 UTC (permalink / raw)
  To: refpolicy

On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

Merged, thanks

> ---
>  ldap.fc | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/ldap.fc b/ldap.fc
> index bc25c95..b7e5679 100644
> --- a/ldap.fc
> +++ b/ldap.fc
> @@ -6,11 +6,16 @@
>  
>  /usr/sbin/slapd	--	gen_context(system_u:object_r:slapd_exec_t,s0)
>  
> +/usr/lib/openldap/slapd	--	gen_context(system_u:object_r:slapd_exec_t,s0)
>  /usr/lib/slapd	--	gen_context(system_u:object_r:slapd_exec_t,s0)
>  
>  /var/lib/ldap(/.*)?	gen_context(system_u:object_r:slapd_db_t,s0)
>  /var/lib/ldap/replog(/.*)?	gen_context(system_u:object_r:slapd_replog_t,s0)
>  
> +/var/lib/openldap-data(/.*)?	gen_context(system_u:object_r:slapd_db_t,s0)
> +/var/lib/openldap-ldbm(/.*)?	gen_context(system_u:object_r:slapd_db_t,s0)
> +/var/lib/openldap-slurpd(/.*)?	gen_context(system_u:object_r:slapd_db_t,s0)
> +
>  /var/lock/subsys/ldap	--	gen_context(system_u:object_r:slapd_lock_t,s0)
>  /var/lock/subsys/slapd	--	gen_context(system_u:object_r:slapd_lock_t,s0)
>  
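Review bot: /var/lib/openldap-slurpd(/.*)? is labelled slapd_db_t, while the existing /var/lib/ldap/replog(/.*)? entry a few lines above uses slapd_replog_t. If openldap-slurpd is Gentoo's location for the slurpd replication log (the counterpart of replog), slapd_replog_t is the consistent label; if it really holds database files the choice is fine, but it should be deliberate, since the label decides which domains may write there.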

* [refpolicy] [PATCH 08/13] Update on file contexts for wpa_supplicant
From: Dominick Grift @ 2013-04-17 16:39 UTC (permalink / raw)
  To: refpolicy

On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

Merged, thanks
> ---
>  networkmanager.fc | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/networkmanager.fc b/networkmanager.fc
> index a1fb3c3..94b9734 100644
> --- a/networkmanager.fc
> +++ b/networkmanager.fc
> @@ -20,6 +20,7 @@
>  /sbin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
>  
>  /usr/bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
> +/usr/bin/wpa_cli	--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
>  /usr/bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
>  
>  /usr/sbin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
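Review bot: wpa_cli_exec_t is referenced here but not declared in this diff; confirm that networkmanager.te declares the type, since a file context entry naming an undeclared type is rejected when the file contexts are validated. The entry itself follows the layout of the existing /usr/bin/wpa_supplicant line.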

* [refpolicy] [PATCH 06/13] Allow IRC clients to read certificates
From: Dominick Grift @ 2013-04-17 16:39 UTC (permalink / raw)
  To: refpolicy

On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> To let IRC clients connect to SSL-enabled IRC servers, allow IRC clients to
> read the generic certificates.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

Merged, thanks
> ---
>  irc.te | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/irc.te b/irc.te
> index ecad9c7..ddf1595 100644
> --- a/irc.te
> +++ b/irc.te
> @@ -106,6 +106,7 @@ auth_use_nsswitch(irc_t)
>  init_read_utmp(irc_t)
>  init_dontaudit_lock_utmp(irc_t)
>  
> +miscfiles_read_generic_certs(irc_t)
>  miscfiles_read_localization(irc_t)
>  
>  userdom_use_user_terminals(irc_t)

* [refpolicy] [PATCH 05/13] Allow reading /proc/self for fail2ban due to FAM support
From: Dominick Grift @ 2013-04-17 16:40 UTC (permalink / raw)
  To: refpolicy

On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> fail2ban supports file monitoring solutions like Gamin, Pyinotify. When using
> Gamin, fail2ban launches a gam_server which, through FAM support, reads in
> /proc/self.
> 
> As this gam_server is only for the fail2ban activities and all permissions
> (except for read access to the fail2ban_t /proc itself), allow this in the
> fail2ban_t domain instead of creating a new domain for gam_server and
> transitioning to it.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

Merged, thanks

You do not have to add inline comments as you have the git commit
messages.

> ---
>  fail2ban.te | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/fail2ban.te b/fail2ban.te
> index 0872e50..919358a 100644
> --- a/fail2ban.te
> +++ b/fail2ban.te
> @@ -42,6 +42,9 @@ allow fail2ban_t self:fifo_file rw_fifo_file_perms;
>  allow fail2ban_t self:unix_stream_socket { accept connectto listen };
>  allow fail2ban_t self:tcp_socket { accept listen };
>  
> +# Needed for FAM support
> +read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
> +
>  append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
>  create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
>  setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
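Review bot: the `# Needed for FAM support` inline comment restates the commit message; refpolicy keeps such rationale in git history, as the maintainer points out, so drop the comment. The rule itself, read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t), expands to search on fail2ban_t directories plus read on fail2ban_t files, which is the self /proc access the gam_server needs; the more common spelling for self access is allow fail2ban_t self:dir search_dir_perms; allow fail2ban_t self:file read_file_perms; and either form is acceptable.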

* [refpolicy] [PATCH 10/13] Update file contexts for puppet
From: Dominick Grift @ 2013-04-17 16:41 UTC (permalink / raw)
  To: refpolicy

On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

Merged, thanks
> ---
>  puppet.fc | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/puppet.fc b/puppet.fc
> index 4ecda09..d68e26d 100644
> --- a/puppet.fc
> +++ b/puppet.fc
> @@ -3,6 +3,10 @@
>  /etc/rc\.d/init\.d/puppet	--	gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
>  /etc/rc\.d/init\.d/puppetmaster	--	gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
>  
> +/usr/bin/puppetca	--	gen_context(system_u:object_r:puppetca_exec_t,s0)
> +/usr/bin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
> +/usr/bin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
> +
>  /usr/sbin/puppetca	--	gen_context(system_u:object_r:puppetca_exec_t,s0)
>  /usr/sbin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
>  /usr/sbin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
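Review bot: the three new /usr/bin entries duplicate the /usr/sbin block below them exactly except for the directory. A single pattern per binary, such as /usr/(s)?bin/puppetca, would keep the two locations from drifting apart when a context is changed later.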

* [refpolicy] [PATCH 11/13] Support ~/.tmux.conf as tmux configuration file
From: Dominick Grift @ 2013-04-17 16:41 UTC (permalink / raw)
  To: refpolicy

On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> The tmux application is similar to screen, and already supported in the policy
> as such. Include ~/.tmux.conf as screen_home_t and include the proper transition
> when the file is created.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

Merged, thanks
> ---
>  screen.fc | 1 +
>  screen.if | 1 +
>  2 files changed, 2 insertions(+)
> 
> diff --git a/screen.fc b/screen.fc
> index ac04d27..e7c2cf7 100644
> --- a/screen.fc
> +++ b/screen.fc
> @@ -1,5 +1,6 @@
>  HOME_DIR/\.screen(/.*)?	gen_context(system_u:object_r:screen_home_t,s0)
>  HOME_DIR/\.screenrc	--	gen_context(system_u:object_r:screen_home_t,s0)
> +HOME_DIR/\.tmux\.conf	--	gen_context(system_u:object_r:screen_home_t,s0)
>  
>  /usr/bin/screen	--	gen_context(system_u:object_r:screen_exec_t,s0)
>  /usr/bin/tmux	--	gen_context(system_u:object_r:screen_exec_t,s0)
> diff --git a/screen.if b/screen.if
> index c21ddcc..be5cce2 100644
> --- a/screen.if
> +++ b/screen.if
> @@ -65,6 +65,7 @@ template(`screen_role_template',`
>  
>  	userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen")
>  	userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
> +	userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf")
>  
>  	manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
>  	manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
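Review bot: the userdom_user_home_dir_filetrans for ".tmux.conf" only labels the file at the moment the user domain creates it; a ~/.tmux.conf that already exists keeps its current label until restorecon is run, so the screen.fc entry in the first hunk is what covers existing installations. The two changes belong together as they are here; a sentence in the commit message saying that a relabel of existing files is needed after the update would help packagers.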

* [refpolicy] [PATCH 09/13] Postfix creates defer(red) queue locations
From: Dominick Grift @ 2013-04-17 16:41 UTC (permalink / raw)
  To: refpolicy

On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> At startup, the Postfix daemon will check if the defer and deferred queues are
> available. If not, it will create them. Introduce the proper file transitions to
> support this.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

Merged, thanks
> ---
>  postfix.te | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/postfix.te b/postfix.te
> index 3f45a93..069bc2e 100644
> --- a/postfix.te
> +++ b/postfix.te
> @@ -244,6 +244,8 @@ create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
>  delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
>  rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
>  setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
> +filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "defer")
> +filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred")
>  filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
>  
>  create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
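Review bot: both new transitions label defer and deferred as postfix_spool_maildrop_t, the same type as maildrop. Confirm that postfix.fc labels /var/spool/postfix/defer and /var/spool/postfix/deferred with that type too; if the .fc gives them plain postfix_spool_t, a directory created at startup and one restored by restorecon would carry different labels. The surrounding rules (create_dirs_pattern and the delete, rename and setattr rules on postfix_spool_maildrop_t) show that postfix_master_t can already manage that type, so no extra allow rule is needed for the creation itself.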

* [refpolicy] [PATCH 13/13] Add setuid/setgid capability to ulogd_t
From: Dominick Grift @ 2013-04-17 16:46 UTC (permalink / raw)
  To: refpolicy

On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> The ulog daemon, when launched with the "-u" option, will change uid/gid after
> it has finished its root-required tasks. This is handled in src/ulogd.c. If we do
> not allow setuid/setgid, the following errors are displayed and the start-up
> fails.
> 
> Sun Mar 17 23:53:53 2013 <5> ulogd.c:1184 Changing UID / GID
> Sun Mar 17 23:53:53 2013 <8> ulogd.c:1186 can't set GID 245
> 
> Reported-by: vespian <vespian@o2.pl>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

Merged, thanks
> ---
>  ulogd.te | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/ulogd.te b/ulogd.te
> index c6acbbe..d41c4b1 100644
> --- a/ulogd.te
> +++ b/ulogd.te
> @@ -26,7 +26,7 @@ logging_log_file(ulogd_var_log_t)
>  # Local policy
>  #
>  
> -allow ulogd_t self:capability { net_admin sys_nice };
> +allow ulogd_t self:capability { net_admin setuid setgid sys_nice };
>  allow ulogd_t self:process setsched;
>  allow ulogd_t self:netlink_nflog_socket create_socket_perms;
>  allow ulogd_t self:netlink_socket create_socket_perms;
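Review bot: the log quoted in the commit message shows the setgid call failing first (can't set GID 245); ulogd then also calls setuid, so adding both setuid and setgid here is right rather than only the one that was reported. Since this grants the capabilities to the whole ulogd_t domain, it would be worth recording the AVC denial in the commit message alongside the application error, so that the rule can be tied back to the exact denied permission.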

* [refpolicy] [PATCH 12/13] Support tmux control socket
From: Dominick Grift @ 2013-04-17 16:46 UTC (permalink / raw)
  To: refpolicy

On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> The tmux application places its control socket in /tmp/tmux-*. Introduce a
> transition from screen_tmp_t (the /tmp/tmux-* directory) towards
> screen_var_run_t for socket files.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

Merged, thanks
> ---
>  screen.te | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/screen.te b/screen.te
> index f095081..75d538c 100644
> --- a/screen.te
> +++ b/screen.te
> @@ -38,12 +38,13 @@ allow screen_domain self:process signal_perms;
>  allow screen_domain self:fd use;
>  allow screen_domain self:fifo_file rw_fifo_file_perms;
>  allow screen_domain self:tcp_socket { accept listen };
> -allow screen_domain self:unix_stream_socket connectto;
> +allow screen_domain self:unix_stream_socket { accept connectto listen };
>  
>  manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
>  manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
>  manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
>  files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir })
> +filetrans_pattern(screen_domain, screen_tmp_t, screen_var_run_t, sock_file)
>  
>  manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
>  manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
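Review bot: filetrans_pattern(screen_domain, screen_tmp_t, screen_var_run_t, sock_file) gives a socket created under /tmp/tmux-* a type that, by its name, is meant for /var/run, so a restorecon of /tmp would relabel the socket back to screen_tmp_t unless screen.fc has a matching entry for sockets under /tmp/tmux-*. Confirm that such an entry exists, or label the socket screen_tmp_t instead and add manage_sock_files_pattern for screen_tmp_t next to the existing manage_dirs, manage_files and manage_fifo_files rules. Creating and connecting to the socket also needs manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t), which this hunk does not show; check that it is already present below the visible context.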
