From 062b36f481c5fb6d6338438b74fba3e11e6adadb Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Nov 07 2014 21:58:35 +0000
Subject: * Fri Nov 07 2014 Lukas Vrabec 3.13.1-91
- Added interface userdom_dontaudit_manage_user_home_dirs
- Fix unconfined_server_dbus_chat() interface.
- Add unconfined_server_dbus_chat() inteface.
- Allow login domains to create kernel keyring with different level.
- Dontaudit policykit_auth_t to write to user home dirs. BZ (1157256)
- Make tuned as unconfined domain.
- Added support for linuxptp policy. BZ(1149693)
- make zoneminder as dbus client by default.
- Allow bluetooth read/write uhid devices. BZ (1161169)
- Add fixes for hypervkvp daemon
- Allow guest to connect to libvirt using unix_stream_socket.
- Allow all bus client domains to dbus chat with unconfined_service_t.
- Allow inetd service without own policy to run in inetd_child_t which is unconfined domain.
- Make opensm as nsswitch domain to make it working with sssd.
- Allow brctl to read meminfo.
- Allow winbind-helper to execute ntlm_auth in the caller domain.
- Make plymouthd as nsswitch domain to make it working with sssd.
- Make drbd as nsswitch domain to make it working with sssd.
- Make conman as nsswitch domain to make ipmitool.exp runing as conman_t working.
- Add support for /var/lib/sntp directory.
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index fcb5143..59592da 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -6065,7 +6065,7 @@ index b31c054..872ff1b 100644
 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..d36451a 100644
+index 76f285e..0e6161d 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -6566,7 +6566,7 @@ index 76f285e..d36451a 100644 ## ## ## -@@ -2043,7 +2285,101 @@ interface(`dev_getattr_framebuffer_dev',` +@@ -2043,7 +2285,99 @@ interface(`dev_getattr_framebuffer_dev',` ## ## # @@ -6635,8 +6635,6 @@ index 76f285e..d36451a 100644 + rw_blk_files_pattern($1, device_t, infiniband_device_t) +') + -+ -+ +######################################## +## +## Get the attributes of the framebuffer device node. @@ -6669,7 +6667,7 @@ index 76f285e..d36451a 100644 gen_require(` type device_t, framebuf_device_t; ') -@@ -2402,7 +2738,97 @@ interface(`dev_filetrans_lirc',` +@@ -2402,7 +2736,97 @@ interface(`dev_filetrans_lirc',` ######################################## ## @@ -6768,7 +6766,7 @@ index 76f285e..d36451a 100644 ## ## ## -@@ -2725,7 +3151,7 @@ interface(`dev_write_misc',` +@@ -2725,7 +3149,7 @@ interface(`dev_write_misc',` ## ## ## @@ -6777,7 +6775,7 @@ index 76f285e..d36451a 100644 ## ## # -@@ -2811,6 +3237,78 @@ interface(`dev_rw_modem',` +@@ -2811,6 +3235,78 @@ interface(`dev_rw_modem',` ######################################## ## @@ -6856,7 +6854,7 @@ index 76f285e..d36451a 100644 ## Get the attributes of the mouse devices. ## ## -@@ -2903,20 +3401,20 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2903,20 +3399,20 @@ interface(`dev_getattr_mtrr_dev',` ######################################## ## @@ -6881,7 +6879,7 @@ index 76f285e..d36451a 100644 ##

## ## -@@ -2925,43 +3423,34 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2925,43 +3421,34 @@ interface(`dev_getattr_mtrr_dev',` ##
## # @@ -6937,7 +6935,7 @@ index 76f285e..d36451a 100644 ## range registers (MTRR). ##
## -@@ -2970,13 +3459,13 @@ interface(`dev_write_mtrr',` +@@ -2970,13 +3457,13 @@ interface(`dev_write_mtrr',` ## ## # @@ -6954,7 +6952,7 @@ index 76f285e..d36451a 100644 ') ######################################## -@@ -3144,48 +3633,102 @@ interface(`dev_create_null_dev',` +@@ -3144,52 +3631,106 @@ interface(`dev_create_null_dev',` ######################################## ## @@ -7013,9 +7011,10 @@ index 76f285e..d36451a 100644 ## -## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`dev_getattr_printer_dev',` +interface(`dev_dontaudit_getattr_nvram_dev',` + gen_require(` + type nvram_device_t; 
@@ -7067,54 +7066,58 @@ index 76f285e..d36451a 100644 +## +## +## Domain allowed access. - ## - ## - # -@@ -3254,7 +3797,25 @@ interface(`dev_rw_printer',` ++## ++## ++# ++interface(`dev_getattr_printer_dev',` + gen_require(` + type device_t, printer_device_t; + ') +@@ -3254,7 +3795,7 @@ interface(`dev_rw_printer',` ######################################## ## -## Read printk devices (e.g., /dev/kmsg /dev/mcelog) +## Relabel the printer device node. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_relabel_printer',` -+ gen_require(` -+ type printer_device_t; -+ ') -+ -+ allow $1 printer_device_t:chr_file relabel_chr_file_perms; -+') -+ -+######################################## -+## -+## Read and write the printer device. ## ## ## -@@ -3262,12 +3823,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3803,31 @@ interface(`dev_rw_printer',` ## ## # -interface(`dev_read_printk',` -+interface(`dev_manage_printer',` ++interface(`dev_relabel_printer',` gen_require(` - type device_t, printk_device_t; -+ type device_t, printer_device_t; ++ type printer_device_t; ') - read_chr_files_pattern($1, device_t, printk_device_t) ++ allow $1 printer_device_t:chr_file relabel_chr_file_perms; ++') ++ ++######################################## ++## ++## Read and write the printer device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_manage_printer',` ++ gen_require(` ++ type device_t, printer_device_t; ++ ') ++ + manage_chr_files_pattern($1, device_t, printer_device_t) + dev_filetrans_printer_named_dev($1) ') ######################################## -@@ -3399,7 +3961,7 @@ interface(`dev_dontaudit_read_rand',` +@@ -3399,7 +3959,7 @@ interface(`dev_dontaudit_read_rand',` ######################################## ## 
@@ -7123,7 +7126,7 @@ index 76f285e..d36451a 100644 ## number generator devices (e.g., /dev/random) ## ## -@@ -3413,7 +3975,7 @@ interface(`dev_dontaudit_append_rand',` +@@ -3413,7 +3973,7 @@ interface(`dev_dontaudit_append_rand',` type random_device_t; ') @@ -7132,7 +7135,7 @@ index 76f285e..d36451a 100644 ') ######################################## -@@ -3855,6 +4417,96 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,6 +4415,96 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -7229,7 +7232,7 @@ index 76f285e..d36451a 100644 ## Search the sysfs directories. ## ## -@@ -3904,6 +4556,7 @@ interface(`dev_list_sysfs',` +@@ -3904,6 +4554,7 @@ interface(`dev_list_sysfs',` type sysfs_t; ') @@ -7237,7 +7240,7 @@ index 76f285e..d36451a 100644 list_dirs_pattern($1, sysfs_t, sysfs_t) ') -@@ -3946,23 +4599,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3946,23 +4597,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## @@ -7291,7 +7294,7 @@ index 76f285e..d36451a 100644 ######################################## ## ## Read hardware state information. -@@ -4016,6 +4695,62 @@ interface(`dev_rw_sysfs',` +@@ -4016,6 +4693,62 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -7354,7 +7357,7 @@ index 76f285e..d36451a 100644 ## Read and write the TPM device. ## ## -@@ -4113,6 +4848,25 @@ interface(`dev_write_urand',` +@@ -4113,6 +4846,25 @@ interface(`dev_write_urand',` ######################################## ## @@ -7380,7 +7383,7 @@ index 76f285e..d36451a 100644 ## Getattr generic the USB devices. ## ## -@@ -4123,7 +4877,7 @@ interface(`dev_write_urand',` +@@ -4123,7 +4875,7 @@ interface(`dev_write_urand',` # interface(`dev_getattr_generic_usb_dev',` gen_require(` 
@@ -7389,7 +7392,7 @@ index 76f285e..d36451a 100644 ') getattr_chr_files_pattern($1, device_t, usb_device_t) -@@ -4409,9 +5163,9 @@ interface(`dev_rw_usbfs',` +@@ -4409,9 +5161,9 @@ interface(`dev_rw_usbfs',` read_lnk_files_pattern($1, usbfs_t, usbfs_t) ') @@ -7401,7 +7404,7 @@ index 76f285e..d36451a 100644 ## ## ## -@@ -4419,17 +5173,17 @@ interface(`dev_rw_usbfs',` +@@ -4419,17 +5171,17 @@ interface(`dev_rw_usbfs',` ## ## # @@ -7424,7 +7427,7 @@ index 76f285e..d36451a 100644 ## ## ## -@@ -4437,12 +5191,12 @@ interface(`dev_getattr_video_dev',` +@@ -4437,12 +5189,12 @@ interface(`dev_getattr_video_dev',` ## ## # @@ -7440,7 +7443,7 @@ index 76f285e..d36451a 100644 ') ######################################## -@@ -4539,6 +5293,134 @@ interface(`dev_write_video_dev',` +@@ -4539,6 +5291,134 @@ interface(`dev_write_video_dev',` ######################################## ## @@ -7575,7 +7578,7 @@ index 76f285e..d36451a 100644 ## Allow read/write the vhost net device ## ## -@@ -4557,6 +5439,24 @@ interface(`dev_rw_vhost',` +@@ -4557,6 +5437,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -7600,7 +7603,7 @@ index 76f285e..d36451a 100644 ## Read and write VMWare devices. ## ## -@@ -4762,6 +5662,44 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5660,44 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -7645,7 +7648,7 @@ index 76f285e..d36451a 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5789,948 @@ interface(`dev_unconfined',` +@@ -4851,3 +5787,966 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') 
@@ -7725,6 +7728,24 @@ index 76f285e..d36451a 100644 + +######################################## +## ++## Read and write uhid devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_uhid_dev',` ++ gen_require(` ++ type device_t, uhid_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, uhid_device_t) ++') ++ ++######################################## ++## +## Create all named devices with the correct label +## +## @@ -27234,7 +27255,7 @@ index 2479587..890e1e2 100644 /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b6..12dca57 100644 +index 3efd5b6..9e85ea0 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -27296,7 +27317,7 @@ index 3efd5b6..12dca57 100644 ') ######################################## -@@ -95,48 +117,20 @@ interface(`auth_use_pam',` +@@ -95,69 +117,67 @@ interface(`auth_use_pam',` interface(`auth_login_pgm_domain',` gen_require(` type var_auth_t, auth_cache_t; @@ -27350,7 +27371,10 @@ index 3efd5b6..12dca57 100644 mls_file_read_all_levels($1) mls_file_write_all_levels($1) -@@ -146,18 +140,43 @@ interface(`auth_login_pgm_domain',` + mls_file_upgrade($1) + mls_file_downgrade($1) + mls_process_set_level($1) ++ mls_process_write_to_clearance($1) mls_fd_share_all_levels($1) auth_use_pam($1) @@ -27402,7 +27426,7 @@ index 3efd5b6..12dca57 100644 ') ######################################## -@@ -231,6 +250,25 @@ interface(`auth_domtrans_login_program',` +@@ -231,6 +251,25 @@ interface(`auth_domtrans_login_program',` ######################################## ## 
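Review bot: The doc block on the new `dev_rw_uhid_dev()` says only `## Read and write uhid devices.`, which does not tell a policy author what they are handing out; /dev/uhid is, as far as I know, the userspace HID transport, so a domain with rw on it can presumably register virtual input devices and feed them events, which is keystroke injection if misused. I would add under the summary `## Note: a domain with this access can presumably create virtual HID devices and inject input events; grant it only to HID transports such as the bluetooth daemon.` so the grant is not copied into unrelated domains. The changelog ties the interface to the bluetooth bug, which is consistent with that narrow use. The interface itself is complete within the hunk.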
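Review bot: The only genuinely new inner line in this hunk, `++ mls_process_write_to_clearance($1)` inside `auth_login_pgm_domain()`, widens every login program's MLS write range up to its clearance with no comment saying why, sitting next to grants such as `mls_process_set_level($1)` whose purpose is at least clear from the name. The justification lives solely in the changelog entry `Allow login domains to create kernel keyring with different level.`, which nobody reading authlogin.if will see. I would put it on the line itself: `# login programs create the user keyring at a level other than their own, which needs write access up to the clearance`. The rest of auth_login_pgm_domain's body is outside this hunk, so I cannot tell whether a narrower per-class grant would have sufficed.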
@@ -27428,7 +27452,7 @@ index 3efd5b6..12dca57 100644 ## Execute a login_program in the target domain, ## with a range transition. ## -@@ -322,6 +360,24 @@ interface(`auth_rw_cache',` +@@ -322,6 +361,24 @@ interface(`auth_rw_cache',` ######################################## ## @@ -27453,7 +27477,7 @@ index 3efd5b6..12dca57 100644 ## Manage authentication cache ## ## -@@ -402,6 +458,8 @@ interface(`auth_domtrans_chk_passwd',` +@@ -402,6 +459,8 @@ interface(`auth_domtrans_chk_passwd',` optional_policy(` samba_stream_connect_winbind($1) ') @@ -27462,7 +27486,7 @@ index 3efd5b6..12dca57 100644 ') ######################################## -@@ -428,6 +486,24 @@ interface(`auth_domtrans_chkpwd',` +@@ -428,6 +487,24 @@ interface(`auth_domtrans_chkpwd',` ######################################## ## @@ -27487,7 +27511,7 @@ index 3efd5b6..12dca57 100644 ## Execute chkpwd programs in the chkpwd domain. ## ## -@@ -448,6 +524,25 @@ interface(`auth_run_chk_passwd',` +@@ -448,6 +525,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -27513,7 +27537,7 @@ index 3efd5b6..12dca57 100644 ') ######################################## -@@ -467,7 +562,6 @@ interface(`auth_domtrans_upd_passwd',` +@@ -467,7 +563,6 @@ interface(`auth_domtrans_upd_passwd',` domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) @@ -27521,7 +27545,7 @@ index 3efd5b6..12dca57 100644 ') ######################################## -@@ -664,6 +758,10 @@ interface(`auth_manage_shadow',` +@@ -664,6 +759,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; @@ -27532,7 +27556,7 @@ index 3efd5b6..12dca57 100644 ') ####################################### -@@ -763,7 +861,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +862,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) 
@@ -27584,7 +27608,7 @@ index 3efd5b6..12dca57 100644 ') ####################################### -@@ -824,9 +965,29 @@ interface(`auth_rw_lastlog',` +@@ -824,9 +966,29 @@ interface(`auth_rw_lastlog',` allow $1 lastlog_t:file { rw_file_perms lock setattr }; ') @@ -27615,7 +27639,7 @@ index 3efd5b6..12dca57 100644 ## ## ## -@@ -834,12 +995,27 @@ interface(`auth_rw_lastlog',` +@@ -834,12 +996,27 @@ interface(`auth_rw_lastlog',` ## ## # @@ -27646,7 +27670,7 @@ index 3efd5b6..12dca57 100644 ') ######################################## -@@ -854,15 +1030,15 @@ interface(`auth_domtrans_pam',` +@@ -854,15 +1031,15 @@ interface(`auth_domtrans_pam',` # interface(`auth_signal_pam',` gen_require(` @@ -27665,7 +27689,7 @@ index 3efd5b6..12dca57 100644 ## ## ## -@@ -875,13 +1051,33 @@ interface(`auth_signal_pam',` +@@ -875,13 +1052,33 @@ interface(`auth_signal_pam',` ## ## # @@ -27703,7 +27727,7 @@ index 3efd5b6..12dca57 100644 ') ######################################## -@@ -959,9 +1155,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1156,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -27737,7 +27761,7 @@ index 3efd5b6..12dca57 100644 ') ######################################## -@@ -1040,6 +1257,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1258,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; @@ -27748,7 +27772,7 @@ index 3efd5b6..12dca57 100644 ') ######################################## -@@ -1176,6 +1397,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1176,6 +1398,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) 
@@ -27756,7 +27780,7 @@ index 3efd5b6..12dca57 100644 ') ####################################### -@@ -1576,6 +1798,25 @@ interface(`auth_setattr_login_records',` +@@ -1576,6 +1799,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -27782,7 +27806,7 @@ index 3efd5b6..12dca57 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1726,24 +1967,7 @@ interface(`auth_manage_login_records',` +@@ -1726,24 +1968,7 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -27808,7 +27832,7 @@ index 3efd5b6..12dca57 100644 ') ######################################## -@@ -1767,11 +1991,13 @@ interface(`auth_relabel_login_records',` +@@ -1767,11 +1992,13 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` @@ -27825,7 +27849,7 @@ index 3efd5b6..12dca57 100644 ') ######################################## -@@ -1805,3 +2031,280 @@ interface(`auth_unconfined',` +@@ -1805,3 +2032,280 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -42476,7 +42500,7 @@ index 0abaf84..8b34dbc 100644 -/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if -index 5ca20a9..e749152 100644 +index 5ca20a9..cf27c0a 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -12,53 +12,57 @@ @@ -42529,10 +42553,10 @@ index 5ca20a9..e749152 100644 + systemd_config_all_services($1) + + domain_mmap_low($1) -+ -+ ubac_process_exempt($1) - tunable_policy(`allow_execheap',` ++ ubac_process_exempt($1) ++ + tunable_policy(`selinuxuser_execheap',` # Allow making the stack executable via mprotect. allow $1 self:process execheap; 
@@ -42587,7 +42611,7 @@ index 5ca20a9..e749152 100644 ') ######################################## -@@ -175,381 +185,12 @@ interface(`unconfined_alias_domain',` +@@ -175,361 +185,12 @@ interface(`unconfined_alias_domain',` ## # interface(`unconfined_execmem_alias_program',` @@ -42941,26 +42965,32 @@ index 5ca20a9..e749152 100644 - ') - - allow $1 unconfined_t:key create; --') -- --######################################## --## ++ refpolicywarn(`$0() has been deprecated.') + ') + + ######################################## + ## -## Send messages to the unconfined domain over dbus. --## --## --## --## Domain allowed access. --## --## --# ++## Connect to unconfined_server with a unix socket. + ## + ## + ## +@@ -537,19 +198,19 @@ interface(`unconfined_create_keys',` + ## + ## + # -interface(`unconfined_dbus_send',` -- gen_require(` ++interface(`unconfined_server_stream_connect',` + gen_require(` - type unconfined_t; - class dbus send_msg; -- ') -- ++ type unconfined_service_t; + ') + - allow $1 unconfined_t:dbus send_msg; -+ refpolicywarn(`$0() has been deprecated.') ++ files_search_pids($1) ++ files_write_generic_pid_pipes($1) ++ allow $1 unconfined_service_t:unix_stream_socket { getattr connectto }; ') ######################################## @@ -42971,12 +43001,12 @@ index 5ca20a9..e749152 100644 ## ## ## -@@ -557,20 +198,19 @@ interface(`unconfined_dbus_send',` +@@ -557,20 +218,17 @@ interface(`unconfined_dbus_send',` ## ## # -interface(`unconfined_dbus_chat',` -+interface(`unconfined_server_stream_connect',` ++interface(`unconfined_server_domtrans',` gen_require(` - type unconfined_t; - class dbus send_msg; 
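Review bot: `unconfined_server_stream_connect()` grants `files_write_generic_pid_pipes($1)` next to the `unix_stream_socket { getattr connectto }` rule, but its summary, `Connect to unconfined_server with a unix socket.`, does not mention that every caller also gets write access to any generically labelled pipe under /run, and the `gen_require` lists only `unconfined_service_t`. If the purpose is to reach a listening socket file under /run, that would be a sock_file write rather than a fifo write, so the pipe grant looks either wider than needed or aimed at the wrong object class; please confirm what the caller actually opens and either narrow the grant to the sock_file equivalent or state in the summary that generic pid pipes become writable. A one-line comment above the grant, such as `# the server's listening socket lives under /run and is not privately labelled`, would answer the question the next reader will have.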
@@ -42985,25 +43015,23 @@ index 5ca20a9..e749152 100644 - allow $1 unconfined_t:dbus send_msg; - allow unconfined_t $1:dbus send_msg; -+ files_search_pids($1) -+ files_write_generic_pid_pipes($1) -+ allow $1 unconfined_service_t:unix_stream_socket { getattr connectto }; ++ corecmd_bin_domtrans($1, unconfined_service_t) ') ######################################## ## -## Connect to the the unconfined DBUS -## for service (acquire_svc). -+## Connect to unconfined_server with a unix socket. ++## Allow caller domain to dbus chat unconfined_server. ## ## ## -@@ -578,11 +218,10 @@ interface(`unconfined_dbus_chat',` +@@ -578,11 +236,11 @@ interface(`unconfined_dbus_chat',` ## ## # -interface(`unconfined_dbus_connect',` -+interface(`unconfined_server_domtrans',` ++interface(`unconfined_server_dbus_chat',` gen_require(` - type unconfined_t; - class dbus acquire_svc; @@ -43011,7 +43039,8 @@ index 5ca20a9..e749152 100644 ') - allow $1 unconfined_t:dbus acquire_svc; -+ corecmd_bin_domtrans($1, unconfined_service_t) ++ allow $1 unconfined_service_t:dbus send_msg; ++ allow unconfined_service_t $1:dbus send_msg; ') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 5fe902d..a349d18 100644 @@ -43280,7 +43309,7 @@ index db75976..1ee08ec 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..0bed312 100644 +index 9dc60c6..2861886 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
@@ -45054,7 +45083,32 @@ index 9dc60c6..0bed312 100644 ') ######################################## -@@ -1629,6 +2135,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1613,6 +2119,24 @@ interface(`userdom_manage_user_home_dirs',` + + ######################################## + ## ++## Create user home directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_dontaudit_manage_user_home_dirs',` ++ gen_require(` ++ type user_home_dir_t; ++ ') ++ ++ dontaudit $1 user_home_dir_t:dir manage_dir_perms; ++') ++ ++######################################## ++## + ## Relabel to user home directories. + ## + ## +@@ -1629,6 +2153,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -45097,7 +45151,7 @@ index 9dc60c6..0bed312 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1708,6 +2250,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1708,6 +2268,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -45106,7 +45160,7 @@ index 9dc60c6..0bed312 100644 ') ######################################## -@@ -1741,10 +2285,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1741,10 +2303,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -45121,7 +45175,7 @@ index 9dc60c6..0bed312 100644 ') ######################################## -@@ -1769,7 +2315,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1769,7 +2333,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -45130,7 +45184,7 @@ index 9dc60c6..0bed312 100644 ## ## ## -@@ -1777,19 +2323,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1777,19 +2341,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # 
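Review bot: The doc block on the new `userdom_dontaudit_manage_user_home_dirs()` was copied from a manage interface: its summary is `## Create user home directories.` and its parameter is described as `Domain allowed access.`, but the body is `dontaudit $1 user_home_dir_t:dir manage_dir_perms;`, which grants nothing. Change the summary to `## Do not audit attempts to create, read, write, and delete user home directories.` and the parameter text to `## Domain to not audit.` so the interface cannot be mistaken for a grant. Since manage_dir_perms covers rename, rmdir and reparent as well as create, it is worth saying in the summary that all of those attempts are silenced, not only the polkit write the changelog mentions for BZ 1157256; a dontaudit this wide hides evidence if polkit is ever abused against a home directory.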
@@ -45154,7 +45208,7 @@ index 9dc60c6..0bed312 100644 ## ## ## -@@ -1797,55 +2341,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1797,55 +2359,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # @@ -45225,7 +45279,7 @@ index 9dc60c6..0bed312 100644 ## ## ## -@@ -1853,18 +2397,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1853,18 +2415,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ## ## # @@ -45253,7 +45307,7 @@ index 9dc60c6..0bed312 100644 ## ## ## -@@ -1872,55 +2417,55 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1872,45 +2435,182 @@ interface(`userdom_mmap_user_home_content_files',` ## ## # 
@@ -45311,59 +45365,48 @@ index 9dc60c6..0bed312 100644 # -interface(`userdom_dontaudit_append_user_home_content_files',` +interface(`userdom_relabel_user_tmp_dirs',` - gen_require(` -- type user_home_t; ++ gen_require(` + type user_tmp_t; - ') - -- dontaudit $1 user_home_t:file append_file_perms; ++ ') ++ + allow $1 user_tmp_t:dir relabel_dir_perms; - ') - - ######################################## - ## --## Do not audit attempts to write user home files. ++') ++ ++######################################## ++## +## Do not audit attempts to set the +## attributes of user home files. - ## - ## - ## -@@ -1928,32 +2473,149 @@ interface(`userdom_dontaudit_append_user_home_content_files',` - ## - ## - # --interface(`userdom_dontaudit_write_user_home_content_files',` ++## ++## ++## ++## Domain to not audit. ++## ++## ++# +interface(`userdom_dontaudit_setattr_user_home_content_files',` - gen_require(` - type user_home_t; - ') - -- dontaudit $1 user_home_t:file write_file_perms; ++ gen_require(` ++ type user_home_t; ++ ') ++ + dontaudit $1 user_home_t:file setattr_file_perms; - ') - - ######################################## - ## --## Delete all user home content files. ++') ++ ++######################################## ++## +## Set the attributes of all user home directories. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`userdom_delete_all_user_home_content_files',` ++# +interface(`userdom_setattr_all_user_home_content_dirs',` - gen_require(` -- attribute user_home_content_type; -- type user_home_dir_t; ++ gen_require(` + attribute user_home_type; - ') - -- userdom_search_user_home_content($1) -- delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type) ++ ') ++ + allow $1 user_home_type:dir setattr_dir_perms; +') + 
@@ -45460,51 +45503,45 @@ index 9dc60c6..0bed312 100644 +## +# +interface(`userdom_dontaudit_append_user_home_content_files',` -+ gen_require(` -+ type user_home_t; -+ ') -+ -+ dontaudit $1 user_home_t:file append_file_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to write user home files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_write_user_home_content_files',` -+ gen_require(` -+ type user_home_t; -+ ') -+ -+ dontaudit $1 user_home_t:file write_file_perms; - ') + gen_require(` + type user_home_t; + ') +@@ -1938,7 +2638,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## -@@ -1971,7 +2633,80 @@ interface(`userdom_delete_user_home_content_files',` - type user_home_t; + ## +-## Delete all user home content files. ++## Delete files in a user home subdirectory. + ## + ## + ## +@@ -1946,10 +2646,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` + ## + ## + # +-interface(`userdom_delete_all_user_home_content_files',` ++interface(`userdom_delete_user_home_content_files',` + gen_require(` +- attribute user_home_content_type; +- type user_home_dir_t; ++ type user_home_t; ') -- allow $1 user_home_t:file delete_file_perms; -+ userdom_search_user_home_content($1) -+ delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type) -+') -+ -+######################################## -+## + userdom_search_user_home_content($1) +@@ -1958,7 +2657,7 @@ interface(`userdom_delete_all_user_home_content_files',` + + ######################################## + ## +-## Delete files in a user home subdirectory. +## Delete all files in a user home subdirectory. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -1966,12 +2665,66 @@ interface(`userdom_delete_all_user_home_content_files',` + ## + ## + # +-interface(`userdom_delete_user_home_content_files',` +interface(`userdom_delete_all_user_home_content_files',` + gen_require(` + attribute user_home_type; @@ -45524,10 +45561,11 @@ index 9dc60c6..0bed312 100644 +## +# +interface(`userdom_delete_user_home_content_sock_files',` -+ gen_require(` -+ type user_home_t; -+ ') -+ + gen_require(` + type user_home_t; + ') + +- allow $1 user_home_t:file delete_file_perms; + allow $1 user_home_t:sock_file delete_file_perms; +') + @@ -45568,7 +45606,7 @@ index 9dc60c6..0bed312 100644 ') ######################################## -@@ -2007,8 +2742,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2007,8 +2760,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -45578,7 +45616,7 @@ index 9dc60c6..0bed312 100644 ') ######################################## -@@ -2024,20 +2758,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,20 +2776,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -45603,7 +45641,7 @@ index 9dc60c6..0bed312 100644 ######################################## ## -@@ -2120,7 +2848,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2120,7 +2866,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -45612,7 +45650,7 @@ index 9dc60c6..0bed312 100644 ## ## ## -@@ -2128,19 +2856,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2874,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -45636,7 +45674,7 @@ index 9dc60c6..0bed312 100644 ## ## ## -@@ -2148,12 +2874,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2892,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # 
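Review bot: In the inner hunk at old line 1946 the interface previously named `userdom_delete_all_user_home_content_files` is renamed to `userdom_delete_user_home_content_files` and its `gen_require` swaps `attribute user_home_content_type; type user_home_dir_t;` for `type user_home_t;`, yet the body line `userdom_search_user_home_content($1)` is unchanged context and the inner hunk stops there. The `delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)` line that followed it (visible here only as the `-+` removals from the old patch text) is outside every inner hunk shown, so unless it is rewritten somewhere I cannot see, the renamed interface now references two types it no longer requires, requires `user_home_t` which it never uses, and its new summary `Delete files in a user home subdirectory.` describes a body that deletes every `user_home_content_type` file. Either change that body line to `delete_files_pattern($1, user_home_t, user_home_t)` or keep the original require block; please confirm against the patched userdomain.if, since the decisive line is not in this view.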
@@ -45652,7 +45690,7 @@ index 9dc60c6..0bed312 100644 ') ######################################## -@@ -2388,18 +3114,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2388,18 +3132,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` ## ## # @@ -45710,7 +45748,7 @@ index 9dc60c6..0bed312 100644 ## Do not audit attempts to read users ## temporary files. ## -@@ -2414,7 +3176,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3194,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -45719,7 +45757,7 @@ index 9dc60c6..0bed312 100644 ') ######################################## -@@ -2455,6 +3217,25 @@ interface(`userdom_rw_user_tmp_files',` +@@ -2455,6 +3235,25 @@ interface(`userdom_rw_user_tmp_files',` rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') @@ -45745,7 +45783,7 @@ index 9dc60c6..0bed312 100644 ######################################## ## -@@ -2538,7 +3319,7 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2538,7 +3337,7 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user @@ -45754,7 +45792,7 @@ index 9dc60c6..0bed312 100644 ## ## ## -@@ -2546,19 +3327,19 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2546,19 +3345,19 @@ interface(`userdom_manage_user_tmp_files',` ## ## # @@ -45777,7 +45815,7 @@ index 9dc60c6..0bed312 100644 ## ## ## -@@ -2566,19 +3347,19 @@ interface(`userdom_manage_user_tmp_symlinks',` +@@ -2566,19 +3365,19 @@ interface(`userdom_manage_user_tmp_symlinks',` ## ## # @@ -45800,7 +45838,7 @@ index 9dc60c6..0bed312 100644 ## ## ## -@@ -2586,27 +3367,68 @@ interface(`userdom_manage_user_tmp_pipes',` +@@ -2586,12 +3385,53 @@ interface(`userdom_manage_user_tmp_pipes',` ## ## # 
@@ -45812,24 +45850,20 @@ index 9dc60c6..0bed312 100644 - manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) + allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; - files_search_tmp($1) - ') - ++ files_search_tmp($1) ++') + - ######################################## - ## --## Create objects in a user temporary directory --## with an automatic type transition to --## a specified private type. ++ ++######################################## ++## +## Create, read, write, and delete user +## temporary named pipes. - ## - ## - ## - ## Domain allowed access. - ## - ## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +# +interface(`userdom_manage_user_tmp_pipes',` + gen_require(` @@ -45857,25 +45891,10 @@ index 9dc60c6..0bed312 100644 + ') + + manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) -+ files_search_tmp($1) -+') -+ -+######################################## -+## -+## Create objects in a user temporary directory -+## with an automatic type transition to -+## a specified private type. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## - ## - ## The type of the object to create. - ## -@@ -2661,6 +3483,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` + files_search_tmp($1) + ') + +@@ -2661,6 +3501,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -45897,7 +45916,7 @@ index 9dc60c6..0bed312 100644 ######################################## ## ## Read user tmpfs files. -@@ -2672,18 +3509,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2672,18 +3527,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` ## # interface(`userdom_read_user_tmpfs_files',` @@ -45919,7 +45938,7 @@ index 9dc60c6..0bed312 100644 ## ## ## -@@ -2692,19 +3524,13 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2692,19 +3542,13 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` 
@@ -45942,7 +45961,7 @@ index 9dc60c6..0bed312 100644 ## ## ## -@@ -2713,13 +3539,56 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2713,13 +3557,56 @@ interface(`userdom_rw_user_tmpfs_files',` ## # interface(`userdom_manage_user_tmpfs_files',` @@ -46003,7 +46022,7 @@ index 9dc60c6..0bed312 100644 ') ######################################## -@@ -2814,6 +3683,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3701,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -46028,7 +46047,7 @@ index 9dc60c6..0bed312 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3719,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3737,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -46071,7 +46090,7 @@ index 9dc60c6..0bed312 100644 ## ## ## -@@ -2856,14 +3755,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3773,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -46109,7 +46128,7 @@ index 9dc60c6..0bed312 100644 ') ######################################## -@@ -2882,8 +3800,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3818,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -46139,7 +46158,7 @@ index 9dc60c6..0bed312 100644 ') ######################################## -@@ -2955,69 +3892,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,69 +3910,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -46240,7 +46259,7 @@ index 9dc60c6..0bed312 100644 ## ## ## -@@ -3025,12 +3961,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,12 +3979,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # 
@@ -46255,7 +46274,7 @@ index 9dc60c6..0bed312 100644 ') ######################################## -@@ -3094,7 +4030,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4048,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -46264,7 +46283,7 @@ index 9dc60c6..0bed312 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4046,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4064,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -46298,7 +46317,7 @@ index 9dc60c6..0bed312 100644 ') ######################################## -@@ -3214,7 +4134,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4152,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -46325,7 +46344,7 @@ index 9dc60c6..0bed312 100644 ') ######################################## -@@ -3269,12 +4207,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4225,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -46341,7 +46360,7 @@ index 9dc60c6..0bed312 100644 ## ## ## -@@ -3282,46 +4221,122 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,49 +4239,125 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -46399,8 +46418,9 @@ index 9dc60c6..0bed312 100644 gen_require(` - attribute userdomain; + type user_tmp_t; -+ ') -+ + ') + +- allow $1 userdomain:process getattr; + dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; +') + 
@@ -46474,10 +46494,13 @@ index 9dc60c6..0bed312 100644 +interface(`userdom_getattr_all_users',` + gen_require(` + attribute userdomain; - ') ++ ') ++ ++ allow $1 userdomain:process getattr; + ') - allow $1 userdomain:process getattr; -@@ -3382,6 +4397,42 @@ interface(`userdom_signal_all_users',` + ######################################## +@@ -3382,6 +4415,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -46520,7 +46543,7 @@ index 9dc60c6..0bed312 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4453,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4471,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -46581,7 +46604,7 @@ index 9dc60c6..0bed312 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4540,1686 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4558,1686 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 7d8b345..9cc8bac 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -9707,7 +9707,7 @@ index c723a0a..3e8a553 100644 + allow $1 bluetooth_unit_file_t:service all_service_perms; ') diff --git a/bluetooth.te b/bluetooth.te -index 851769e..055c97c 100644 +index 851769e..a069dc3 100644 --- a/bluetooth.te +++ b/bluetooth.te @@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t) 
@@ -9757,7 +9757,13 @@ index 851769e..055c97c 100644 dev_read_sysfs(bluetooth_t) dev_rw_usbfs(bluetooth_t) -@@ -110,7 +124,6 @@ domain_use_interactive_fds(bluetooth_t) +@@ -105,12 +119,12 @@ dev_rw_generic_usb_dev(bluetooth_t) + dev_read_urand(bluetooth_t) + dev_rw_input_dev(bluetooth_t) + dev_rw_wireless(bluetooth_t) ++dev_rw_uhid_dev(bluetooth_t) + + domain_use_interactive_fds(bluetooth_t) domain_dontaudit_search_all_domains_state(bluetooth_t) files_read_etc_runtime_files(bluetooth_t) @@ -9765,7 +9771,7 @@ index 851769e..055c97c 100644 fs_getattr_all_fs(bluetooth_t) fs_search_auto_mountpoints(bluetooth_t) -@@ -122,7 +135,6 @@ auth_use_nsswitch(bluetooth_t) +@@ -122,7 +136,6 @@ auth_use_nsswitch(bluetooth_t) logging_send_syslog_msg(bluetooth_t) @@ -9773,7 +9779,7 @@ index 851769e..055c97c 100644 miscfiles_read_fonts(bluetooth_t) miscfiles_read_hwdata(bluetooth_t) -@@ -130,6 +142,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) +@@ -130,6 +143,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) userdom_dontaudit_use_user_terminals(bluetooth_t) userdom_dontaudit_search_user_home_dirs(bluetooth_t) @@ -9784,7 +9790,7 @@ index 851769e..055c97c 100644 optional_policy(` dbus_system_bus_client(bluetooth_t) dbus_connect_system_bus(bluetooth_t) -@@ -200,7 +216,6 @@ dev_read_urand(bluetooth_helper_t) +@@ -200,7 +217,6 @@ dev_read_urand(bluetooth_helper_t) domain_read_all_domains_state(bluetooth_helper_t) files_read_etc_runtime_files(bluetooth_helper_t) @@ -10317,15 +10323,23 @@ index 687d4c4..3c5a83a 100644 + unconfined_domain(boinc_project_t) +') diff --git a/brctl.te b/brctl.te -index c5a9113..6ad8ccb 100644 +index c5a9113..1919abd 100644 --- a/brctl.te 
+++ b/brctl.te -@@ -34,12 +34,9 @@ dev_write_sysfs_dirs(brctl_t) +@@ -24,6 +24,7 @@ allow brctl_t self:unix_dgram_socket create_socket_perms; + allow brctl_t self:tcp_socket create_socket_perms; + + kernel_request_load_module(brctl_t) ++kernel_read_system_state(brctl_t) + kernel_read_network_state(brctl_t) + kernel_read_sysctl(brctl_t) + +@@ -34,12 +35,8 @@ dev_write_sysfs_dirs(brctl_t) domain_use_interactive_fds(brctl_t) -files_read_etc_files(brctl_t) - +- term_dontaudit_use_console(brctl_t) -miscfiles_read_localization(brctl_t) @@ -12488,7 +12502,7 @@ index 32e8265..0de4af3 100644 + allow $1 chronyd_unit_file_t:service all_service_perms; ') diff --git a/chronyd.te b/chronyd.te -index e5b621c..e7c249d 100644 +index e5b621c..f975594 100644 --- a/chronyd.te +++ b/chronyd.te @@ -18,6 +18,9 @@ files_type(chronyd_keys_t) @@ -12519,7 +12533,7 @@ index e5b621c..e7c249d 100644 allow chronyd_t chronyd_keys_t:file read_file_perms; manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) -@@ -76,18 +83,20 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) +@@ -76,18 +83,24 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) corenet_udp_bind_chronyd_port(chronyd_t) corenet_udp_sendrecv_chronyd_port(chronyd_t) @@ -12541,10 +12555,11 @@ index e5b621c..e7c249d 100644 optional_policy(` gpsd_rw_shm(chronyd_t) ') -- --optional_policy(` + + optional_policy(` - mta_send_mail(chronyd_t) --') ++ timemaster_stream_connect(chronyd_t) + ') diff --git a/cinder.fc b/cinder.fc new file mode 100644 index 0000000..4b318b7 @@ -15514,7 +15529,7 @@ index 0000000..54b4b04 +') diff --git a/conman.te b/conman.te new file mode 100644 -index 0000000..ccff09f +index 0000000..4772f64 --- /dev/null +++ b/conman.te @@ -0,0 +1,55 @@ 
@@ -15557,7 +15572,7 @@ index 0000000..ccff09f +manage_files_pattern(conman_t, conman_var_run_t, conman_var_run_t) +files_pid_filetrans(conman_t, conman_var_run_t, file) + -+auth_read_passwd(conman_t) ++auth_use_nsswitch(conman_t) + +corenet_tcp_bind_generic_node(conman_t) +corenet_tcp_bind_conman_port(conman_t) @@ -20732,7 +20747,7 @@ index dda905b..ccd0ba9 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index 62d22cb..e1b35aa 100644 +index 62d22cb..f8ab4af 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -20858,7 +20873,7 @@ index 62d22cb..e1b35aa 100644 ## ## ## -@@ -103,91 +129,84 @@ template(`dbus_role_template',` +@@ -103,91 +129,88 @@ template(`dbus_role_template',` # interface(`dbus_system_bus_client',` gen_require(` @@ -20888,6 +20903,10 @@ index 62d22cb..e1b35aa 100644 stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) - dbus_read_config($1) ++ ++ optional_policy(` ++ unconfined_server_dbus_chat($1) ++ ') ') ####################################### @@ -20984,7 +21003,7 @@ index 62d22cb..e1b35aa 100644 ## ## ## -@@ -195,15 +214,18 @@ interface(`dbus_connect_spec_session_bus',` +@@ -195,15 +218,18 @@ interface(`dbus_connect_spec_session_bus',` ## ## # @@ -21009,7 +21028,7 @@ index 62d22cb..e1b35aa 100644 ## ## ## -@@ -211,57 +233,39 @@ interface(`dbus_session_bus_client',` +@@ -211,57 +237,39 @@ interface(`dbus_session_bus_client',` ## ## # @@ -21081,7 +21100,7 @@ index 62d22cb..e1b35aa 100644 ## ## ## -@@ -269,15 +273,19 @@ interface(`dbus_spec_session_bus_client',` +@@ -269,15 +277,19 @@ interface(`dbus_spec_session_bus_client',` ## ## # @@ -21107,7 +21126,7 @@ index 62d22cb..e1b35aa 100644 ## ## ## -@@ -285,44 +293,52 @@ interface(`dbus_send_session_bus',` +@@ -285,44 +297,52 @@ interface(`dbus_send_session_bus',` ## ## # 
@@ -21174,7 +21193,7 @@ index 62d22cb..e1b35aa 100644 ## ## ## -@@ -330,18 +346,18 @@ interface(`dbus_send_spec_session_bus',` +@@ -330,18 +350,18 @@ interface(`dbus_send_spec_session_bus',` ## ## # @@ -21198,7 +21217,7 @@ index 62d22cb..e1b35aa 100644 ## ## ## -@@ -349,20 +365,18 @@ interface(`dbus_read_config',` +@@ -349,20 +369,18 @@ interface(`dbus_read_config',` ## ## # @@ -21224,7 +21243,7 @@ index 62d22cb..e1b35aa 100644 ## ## ## -@@ -370,26 +384,20 @@ interface(`dbus_read_lib_files',` +@@ -370,26 +388,20 @@ interface(`dbus_read_lib_files',` ## ## # @@ -21257,7 +21276,7 @@ index 62d22cb..e1b35aa 100644 ## ## ## Type to be used as a domain. -@@ -397,81 +405,67 @@ interface(`dbus_manage_lib_files',` +@@ -397,81 +409,67 @@ interface(`dbus_manage_lib_files',` ## ## ## @@ -21367,7 +21386,7 @@ index 62d22cb..e1b35aa 100644 ## ## ## -@@ -479,18 +473,18 @@ interface(`dbus_spec_session_domain',` +@@ -479,18 +477,18 @@ interface(`dbus_spec_session_domain',` ## ## # @@ -21391,7 +21410,7 @@ index 62d22cb..e1b35aa 100644 ## ## ## -@@ -498,98 +492,100 @@ interface(`dbus_connect_system_bus',` +@@ -498,98 +496,100 @@ interface(`dbus_connect_system_bus',` ## ## # @@ -21535,7 +21554,7 @@ index 62d22cb..e1b35aa 100644 ## ## ## -@@ -597,28 +593,50 @@ interface(`dbus_use_system_bus_fds',` +@@ -597,28 +597,50 @@ interface(`dbus_use_system_bus_fds',` ## ## # @@ -26210,7 +26229,7 @@ index 9a21639..26c5986 100644 ') + diff --git a/drbd.te b/drbd.te -index f2516cc..6f78534 100644 +index f2516cc..70ddc24 100644 --- a/drbd.te +++ b/drbd.te @@ -18,17 +18,20 @@ files_type(drbd_var_lib_t) @@ -26247,7 +26266,7 @@ index f2516cc..6f78534 100644 kernel_read_system_state(drbd_t) -+auth_read_passwd(drbd_t) ++auth_use_nsswitch(drbd_t) + +can_exec(drbd_t, drbd_exec_t) + @@ -35169,10 +35188,10 @@ index 6517fad..b7ca833 100644 + allow $1 hypervkvp_unit_file_t:service all_service_perms; ') diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041..6f859e1 100644 +index 4eb7041..ccb563e 100644 
--- a/hypervkvp.te +++ b/hypervkvp.te -@@ -5,24 +5,72 @@ policy_module(hypervkvp, 1.0.0) +@@ -5,24 +5,81 @@ policy_module(hypervkvp, 1.0.0) # Declarations # @@ -35207,7 +35226,7 @@ index 4eb7041..6f859e1 100644 # -# Local policy +# hyperv domain local policy - # ++# + +allow hyperv_domain self:capability net_admin; +allow hyperv_domain self:netlink_socket create_socket_perms; @@ -35223,23 +35242,32 @@ index 4eb7041..6f859e1 100644 +######################################## # +# hypervkvp local policy -+# -+ + # + +-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; +-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; +manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) +manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) +files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir) + ++domain_read_all_domains_state(hypervkvp_t) ++ +files_dontaudit_search_home(hypervkvp_t) + +logging_send_syslog_msg(hypervkvp_t) + +sysnet_dns_name_resolve(hypervkvp_t) - --allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; --allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; ++sysnet_domtrans_dhcpc(hypervkvp_t) ++ ++systemd_exec_systemctl(hypervkvp_t) ++ +userdom_dontaudit_search_admin_dir(hypervkvp_t) + +optional_policy(` ++ netutils_domtrans_ping(hypervkvp_t) ++') ++ ++optional_policy(` + sysnet_exec_ifconfig(hypervkvp_t) +') + @@ -35414,7 +35442,7 @@ index fbb54e7..05c3777 100644 ######################################## diff --git a/inetd.te b/inetd.te -index c6450df..93445b7 100644 +index c6450df..a28aa13 100644 --- a/inetd.te +++ b/inetd.te @@ -37,9 +37,9 @@ ifdef(`enable_mcs',` 
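Review bot: `domain_read_all_domains_state(hypervkvp_t)` lets the daemon read the /proc state of every domain on the guest, a broad grant next to new rules that otherwise point at network configuration (`sysnet_domtrans_dhcpc`, `netutils_domtrans_ping`, `sysnet_exec_ifconfig`). The hunk does not say which denial motivated it; if only the processes it spawns need to be inspected, a rule against those domains would be narrower, and otherwise a comment naming the consumer would help. `systemd_exec_systemctl(hypervkvp_t)` runs systemctl in the daemon's own domain, so requests that presumably arrive from the hypervisor host can drive unit operations under hypervkvp_t; a comment stating that this is intended, `# host-initiated network reconfiguration goes through systemctl`, makes that trust boundary visible to the next reader.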
@@ -35487,7 +35515,7 @@ index c6450df..93445b7 100644 ######################################## # # Child local policy -@@ -220,6 +223,14 @@ kernel_read_kernel_sysctls(inetd_child_t) +@@ -220,6 +223,16 @@ kernel_read_kernel_sysctls(inetd_child_t) kernel_read_network_state(inetd_child_t) kernel_read_system_state(inetd_child_t) @@ -35499,10 +35527,12 @@ index c6450df..93445b7 100644 +corenet_tcp_sendrecv_all_ports(inetd_child_t) +corenet_udp_sendrecv_all_ports(inetd_child_t) + ++corecmd_bin_entry_type(inetd_child_t) ++ dev_read_urand(inetd_child_t) fs_getattr_xattr_fs(inetd_child_t) -@@ -230,7 +241,11 @@ auth_use_nsswitch(inetd_child_t) +@@ -230,7 +243,11 @@ auth_use_nsswitch(inetd_child_t) logging_send_syslog_msg(inetd_child_t) 
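Review bot: `corecmd_bin_entry_type(inetd_child_t)` makes every bin_t executable a valid entry point into inetd_child_t, so any inetd-launched service that has no policy module of its own lands in a domain that, per the surrounding context lines, may send and receive on all TCP and UDP ports and, per the changelog, is unconfined. Presumably such a service was previously denied the transition and surfaced as a denial to write policy for; this turns that fail-closed behaviour into a silent fallback to an unconfined domain. If the fallback is wanted, a comment beside the new line, `# fallback: services without their own policy run in inetd_child_t`, and ideally a boolean gating it would make the trade-off explicit rather than implicit in an entry-type rule.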
@@ -41863,6 +41893,238 @@ index d8c2442..ef30d42 100644 corenet_sendrecv_generic_server_packets(srvsvcd_t) corenet_tcp_sendrecv_generic_if(srvsvcd_t) corenet_tcp_sendrecv_generic_node(srvsvcd_t) +diff --git a/linuxptp.fc b/linuxptp.fc +new file mode 100644 +index 0000000..d2061a9 +--- /dev/null ++++ b/linuxptp.fc +@@ -0,0 +1,11 @@ ++/usr/lib/systemd/system/phc2sys.* -- gen_context(system_u:object_r:phc2sys_unit_file_t,s0) ++ ++/usr/lib/systemd/system/ptp4l.* -- gen_context(system_u:object_r:ptp4l_unit_file_t,s0) ++ ++/usr/lib/systemd/system/timemaster.* -- gen_context(system_u:object_r:timemaster_unit_file_t,s0) ++ ++/usr/sbin/ptp4l -- gen_context(system_u:object_r:ptp4l_exec_t,s0) ++/usr/sbin/phc2sys -- gen_context(system_u:object_r:phc2sys_exec_t,s0) ++/usr/sbin/timemaster -- gen_context(system_u:object_r:timemaster_exec_t,s0) ++ ++/var/run/timemaster(/.*)? gen_context(system_u:object_r:timemaster_var_run_t,s0) +diff --git a/linuxptp.if b/linuxptp.if +new file mode 100644 +index 0000000..8d6873f +--- /dev/null ++++ b/linuxptp.if +@@ -0,0 +1,59 @@ ++## implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux. ++ ++######################################## ++## ++## Execute domain in the phc2sys domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`linuxptp_domtrans_phc2sys',` ++ gen_require(` ++ type phc2sys_t, phc2sys_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, phc2sys_exec_t, phc2sys_t) ++') ++ ++######################################## ++## ++## Execute domain in the phc2sys domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`linuxptp_domtrans_ptp4l',` ++ gen_require(` ++ type ptp4l_t, ptp4l_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, ptp4l_exec_t, ptp4l_t) ++') ++###################################### ++## ++## Connect to timemaster using a unix ++## domain stream socket. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`timemaster_stream_connect',` ++ gen_require(` ++ type timemaster_t, timemaster_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, timemaster_var_run_t, timemaster_var_run_t, timemaster_t) ++') ++ +diff --git a/linuxptp.te b/linuxptp.te +new file mode 100644 +index 0000000..5a1445c +--- /dev/null ++++ b/linuxptp.te +@@ -0,0 +1,144 @@ ++policy_module(linuxptp, 1.0.0) ++ ++ ++######################################## ++# ++# Declarations ++# ++ ++type timemaster_t; ++type timemaster_exec_t; ++init_daemon_domain(timemaster_t, timemaster_exec_t) ++ ++type timemaster_var_run_t; ++files_pid_file(timemaster_var_run_t) ++ ++type timemaster_unit_file_t; ++systemd_unit_file(timemaster_unit_file_t) ++ ++type phc2sys_t; ++type phc2sys_exec_t; ++init_daemon_domain(phc2sys_t, phc2sys_exec_t) ++ ++type phc2sys_unit_file_t; ++systemd_unit_file(phc2sys_unit_file_t) ++ ++type ptp4l_t; ++type ptp4l_exec_t; ++init_daemon_domain(ptp4l_t, ptp4l_exec_t) ++ ++type ptp4l_unit_file_t; ++systemd_unit_file(ptp4l_unit_file_t) ++ ++######################################## ++# ++# timemaster local policy ++# ++ ++allow timemaster_t self:process { signal_perms setcap}; ++allow timemaster_t self:fifo_file rw_fifo_file_perms; ++allow timemaster_t self:capability { setuid sys_time kill setgid }; ++allow timemaster_t self:unix_stream_socket create_stream_socket_perms; ++allow timemaster_t self:shm create_shm_perms; ++allow timemaster_t self:udp_socket create_socket_perms; ++ ++allow timemaster_t ptp4l_t:process signal; ++allow timemaster_t phc2sys_t:process signal; ++ ++manage_dirs_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t) ++manage_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t) ++manage_sock_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t) ++files_pid_filetrans(timemaster_t, timemaster_var_run_t, { dir file sock_file }) ++ ++kernel_read_network_state(timemaster_t) ++ 
++auth_use_nsswitch(timemaster_t) ++ ++corenet_udp_bind_generic_node(timemaster_t) ++corenet_udp_bind_ntp_port(timemaster_t) ++ ++logging_send_syslog_msg(timemaster_t) ++ ++sysnet_read_config(timemaster_t) ++ ++optional_policy(` ++ chronyd_domtrans(timemaster_t) ++ chronyd_rw_shm(timemaster_t) ++') ++ ++optional_policy(` ++ gpsd_rw_shm(timemaster_t) ++') ++ ++optional_policy(` ++ linuxptp_domtrans_ptp4l(timemaster_t) ++') ++ ++optional_policy(` ++ linuxptp_domtrans_phc2sys(timemaster_t) ++') ++ ++######################################## ++# ++# phc2sys local policy ++# ++ ++allow phc2sys_t self:capability sys_time; ++allow phc2sys_t self:fifo_file rw_fifo_file_perms; ++allow phc2sys_t self:unix_stream_socket create_stream_socket_perms; ++allow phc2sys_t self:shm create_shm_perms; ++allow phc2sys_t self:udp_socket create_socket_perms; ++ ++allow phc2sys_t ptp4l_t:unix_dgram_socket sendto; ++ ++manage_dirs_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t) ++manage_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t) ++manage_sock_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t) ++files_pid_filetrans(phc2sys_t, timemaster_var_run_t, { dir file sock_file }) ++ ++logging_send_syslog_msg(phc2sys_t) ++ ++optional_policy(` ++ chronyd_rw_shm(phc2sys_t) ++') ++ ++optional_policy(` ++ gpsd_rw_shm(phc2sys_t) ++') ++ ++optional_policy(` ++ ntp_rw_shm(phc2sys_t) ++') ++ ++######################################## ++# ++# ptp4l local policy ++# ++ ++allow ptp4l_t self:fifo_file rw_fifo_file_perms; ++allow ptp4l_t self:unix_stream_socket create_stream_socket_perms; ++allow ptp4l_t self:shm create_shm_perms; ++allow ptp4l_t self:udp_socket create_socket_perms; ++allow ptp4l_t self:capability { net_admin net_raw sys_time }; ++allow ptp4l_t self:netlink_route_socket { bind create getattr nlmsg_read }; ++ ++allow ptp4l_t phc2sys_t:unix_dgram_socket sendto; ++ ++manage_dirs_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t) 
++manage_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t) ++manage_sock_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t) ++files_pid_filetrans(ptp4l_t, timemaster_var_run_t, { dir file sock_file }) ++ ++corenet_udp_bind_generic_node(ptp4l_t) ++corenet_udp_bind_reserved_port(ptp4l_t) ++ ++logging_send_syslog_msg(ptp4l_t) ++ ++optional_policy(` ++ chronyd_rw_shm(ptp4l_t) ++') ++ ++optional_policy(` ++ gpsd_rw_shm(ptp4l_t) ++') ++ diff --git a/lircd.if b/lircd.if index dff21a7..b6981c8 100644 --- a/lircd.if @@ -58029,18 +58291,20 @@ index 8ec7859..719cffd 100644 fs_getattr_all_fs(ntop_t) fs_search_auto_mountpoints(ntop_t) diff --git a/ntp.fc b/ntp.fc -index af3c91e..6882a3f 100644 +index af3c91e..2d41c4c 100644 --- a/ntp.fc +++ b/ntp.fc -@@ -13,6 +13,8 @@ +@@ -13,7 +13,10 @@ /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) /usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0) +/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0) + /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) ++/var/lib/sntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) + /var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0) diff --git a/ntp.if b/ntp.if index e96a309..2bacc3f 100644 --- a/ntp.if @@ -58242,7 +58506,7 @@ index e96a309..2bacc3f 100644 + files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod") ') diff --git a/ntp.te b/ntp.te -index f81b113..5c71385 100644 +index f81b113..6f94328 100644 --- a/ntp.te +++ b/ntp.te @@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t; 
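Review bot: The summary for `linuxptp_domtrans_ptp4l` in linuxptp.if reads `## Execute domain in the phc2sys domain.`, copied from the interface above it; it should read `## Execute domain in the ptp4l domain.`. The third interface, `timemaster_stream_connect`, drops the `linuxptp_` module prefix the other two use, and chronyd.te earlier in this patch already calls it by that name, so renaming it to the conventional form means touching that caller as well. In linuxptp.te, `corenet_udp_bind_reserved_port(ptp4l_t)` lets ptp4l bind any privileged UDP port rather than only the PTP event and general ports; a dedicated port type (placeholder: `<ptp port type>`) would be the least-privilege form. Minor: `allow timemaster_t self:process { signal_perms setcap};` is missing the space before the closing brace.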
@@ -58255,15 +58519,16 @@ index f81b113..5c71385 100644 type ntp_conf_t; files_config_file(ntp_conf_t) -@@ -53,6 +56,7 @@ allow ntpd_t self:tcp_socket { accept listen }; +@@ -53,6 +56,8 @@ allow ntpd_t self:tcp_socket { accept listen }; manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) ++files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp") +files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp-kod") allow ntpd_t ntp_conf_t:file read_file_perms; -@@ -60,9 +64,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) +@@ -60,9 +65,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) allow ntpd_t ntpd_log_t:dir setattr_dir_perms; @@ -58274,7 +58539,7 @@ index f81b113..5c71385 100644 logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir }) manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) -@@ -83,21 +85,16 @@ kernel_read_system_state(ntpd_t) +@@ -83,21 +86,16 @@ kernel_read_system_state(ntpd_t) kernel_read_network_state(ntpd_t) kernel_request_load_module(ntpd_t) @@ -58298,7 +58563,7 @@ index f81b113..5c71385 100644 corecmd_exec_bin(ntpd_t) corecmd_exec_shell(ntpd_t) -@@ -110,13 +107,15 @@ domain_use_interactive_fds(ntpd_t) +@@ -110,13 +108,15 @@ domain_use_interactive_fds(ntpd_t) domain_dontaudit_list_all_domains_state(ntpd_t) files_read_etc_runtime_files(ntpd_t) @@ -58315,7 +58580,7 @@ index f81b113..5c71385 100644 auth_use_nsswitch(ntpd_t) -@@ -124,8 +123,6 @@ init_exec_script_files(ntpd_t) +@@ -124,8 +124,6 @@ init_exec_script_files(ntpd_t) logging_send_syslog_msg(ntpd_t) @@ -61437,7 +61702,7 @@ index 0000000..776fda7 +') diff --git a/opensm.te b/opensm.te new file mode 100644 -index 0000000..32d1db4 +index 0000000..de03e94 --- /dev/null +++ b/opensm.te @@ -0,0 +1,45 @@ @@ -61478,7 +61743,7 @@ index 0000000..32d1db4 + +kernel_read_system_state(opensm_t) + -+auth_read_passwd(opensm_t) ++auth_use_nsswitch(opensm_t) + +corecmd_exec_bin(opensm_t) + 
@@ -66394,7 +66659,7 @@ index 30e751f..61feb3a 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/plymouthd.te b/plymouthd.te -index 3078ce9..d2f68fa 100644 +index 3078ce9..18872dc 100644 --- a/plymouthd.te +++ b/plymouthd.te @@ -15,7 +15,7 @@ type plymouthd_exec_t; @@ -66451,7 +66716,7 @@ index 3078ce9..d2f68fa 100644 +logging_link_generic_logs(plymouthd_t) +logging_delete_generic_logs(plymouthd_t) + -+auth_read_passwd(plymouthd_t) ++auth_use_nsswitch(plymouthd_t) + miscfiles_read_fonts(plymouthd_t) miscfiles_manage_fonts_cache(plymouthd_t) @@ -66836,7 +67101,7 @@ index 032a84d..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policykit.te b/policykit.te -index ee91778..6df7cf0 100644 +index ee91778..b00a474 100644 --- a/policykit.te +++ b/policykit.te @@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0) @@ -67002,7 +67267,7 @@ index ee91778..6df7cf0 100644 rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) -@@ -145,65 +159,79 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) +@@ -145,65 +159,80 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) @@ -67032,6 +67297,7 @@ index ee91778..6df7cf0 100644 userdom_dontaudit_read_user_home_content_files(policykit_auth_t) +userdom_dontaudit_write_user_tmp_files(policykit_auth_t) ++userdom_dontaudit_manage_user_home_dirs(policykit_auth_t) +userdom_read_admin_home_files(policykit_auth_t) optional_policy(` 
@@ -67094,7 +67360,7 @@ index ee91778..6df7cf0 100644 rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t) -@@ -211,23 +239,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t +@@ -211,23 +240,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t) @@ -67121,7 +67387,7 @@ index ee91778..6df7cf0 100644 optional_policy(` consolekit_dbus_chat(policykit_grant_t) ') -@@ -235,26 +260,28 @@ optional_policy(` +@@ -235,26 +261,28 @@ optional_policy(` ######################################## # @@ -67156,7 +67422,7 @@ index ee91778..6df7cf0 100644 userdom_read_all_users_state(policykit_resolve_t) optional_policy(` -@@ -266,6 +293,6 @@ optional_policy(` +@@ -266,6 +294,6 @@ optional_policy(` ') optional_policy(` @@ -87926,7 +88192,7 @@ index 50d07fb..bada62f 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..9c52c41 100644 +index 2b7c441..fdfd40f 100644 --- a/samba.te +++ b/samba.te @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3) @@ -88840,13 +89106,13 @@ index 2b7c441..9c52c41 100644 -allow swat_t { nmbd_t smbd_t }:process { signal signull }; +samba_domtrans_smbd(swat_t) +allow swat_t smbd_t:process { signal signull }; - --allow swat_t smbd_var_run_t:file read_file_perms; --allow swat_t smbd_var_run_t:file { lock delete_file_perms }; ++ +samba_domtrans_nmbd(swat_t) +allow swat_t nmbd_t:process { signal signull }; +allow nmbd_t swat_t:process signal; -+ + +-allow swat_t smbd_var_run_t:file read_file_perms; +-allow swat_t smbd_var_run_t:file { lock delete_file_perms }; +read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t) +stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) + 
@@ -89110,7 +89376,7 @@ index 2b7c441..9c52c41 100644 ') optional_policy(` -@@ -959,31 +1017,29 @@ optional_policy(` +@@ -959,31 +1017,35 @@ optional_policy(` # Winbind helper local policy # @@ -89132,11 +89398,16 @@ index 2b7c441..9c52c41 100644 -domain_use_interactive_fds(winbind_helper_t) - -files_list_var_lib(winbind_helper_t) -- ++dev_read_urand(winbind_t) + term_list_ptys(winbind_helper_t) ++corecmd_exec_bin(winbind_helper_t) ++ +domain_use_interactive_fds(winbind_helper_t) + ++files_list_tmp(winbind_helper_t) ++ auth_use_nsswitch(winbind_helper_t) logging_send_syslog_msg(winbind_helper_t) @@ -89148,7 +89419,7 @@ index 2b7c441..9c52c41 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1053,38 @@ optional_policy(` +@@ -997,25 +1059,38 @@ optional_policy(` ######################################## # @@ -101545,7 +101816,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 393a330..b500795 100644 +index 393a330..6893547 100644 --- a/tuned.te +++ b/tuned.te @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) @@ -101623,22 +101894,22 @@ index 393a330..b500795 100644 files_dontaudit_search_home(tuned_t) -files_dontaudit_list_tmp(tuned_t) +files_list_tmp(tuned_t) - --fs_getattr_xattr_fs(tuned_t) ++ +fs_getattr_all_fs(tuned_t) +fs_search_all(tuned_t) +fs_rw_hugetlbfs_files(tuned_t) -+ + +-fs_getattr_xattr_fs(tuned_t) +auth_use_nsswitch(tuned_t) logging_send_syslog_msg(tuned_t) +#bug in tuned +logging_manage_syslog_config(tuned_t) +logging_filetrans_named_conf(tuned_t) -+ -+mount_read_pid_files(tuned_t) -miscfiles_read_localization(tuned_t) ++mount_read_pid_files(tuned_t) ++ +modutils_domtrans_insmod(tuned_t) udev_read_pid_files(tuned_t) 
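Review bot: `dev_read_urand(winbind_t)` is added under the `# Winbind helper local policy` heading although it targets winbind_t, so it sits in the wrong section and will be overlooked by anyone auditing winbind_t's rules; it belongs in the winbind_t block above. `corecmd_exec_bin(winbind_helper_t)` permits executing any bin_t binary in the helper's own domain, which is wider than the changelog's aim of running ntlm_auth; if ntlm_auth carries a dedicated label in samba.fc (not visible in this hunk), `can_exec(winbind_helper_t, <that exec type>)` would be the narrower rule.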
@@ -101675,6 +101946,14 @@ index 393a330..b500795 100644 optional_policy(` sysnet_domtrans_ifconfig(tuned_t) ') +@@ -96,3 +139,7 @@ optional_policy(` + optional_policy(` + unconfined_dbus_send(tuned_t) + ') ++ ++optional_policy(` ++ unconfined_domain(tuned_t) ++') diff --git a/tvtime.if b/tvtime.if index 1bb0f7c..372be2f 100644 --- a/tvtime.if @@ -105209,7 +105488,7 @@ index facdee8..c7a2d97 100644 + typeattribute $1 sandbox_caps_domain; ') diff --git a/virt.te b/virt.te -index f03dcf5..f960625 100644 +index f03dcf5..f3d6203 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,241 @@ @@ -106214,7 +106493,7 @@ index f03dcf5..f960625 100644 +allow virt_domain self:process { setrlimit signal_perms getsched setsched }; +allow virt_domain self:fifo_file rw_fifo_file_perms; +allow virt_domain self:shm create_shm_perms; -+allow virt_domain self:unix_stream_socket create_stream_socket_perms; ++allow virt_domain self:unix_stream_socket { connectto create_stream_socket_perms }; +allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; +allow virt_domain self:tcp_socket create_stream_socket_perms; +allow virt_domain self:udp_socket create_socket_perms; @@ -112178,7 +112457,7 @@ index 0000000..fb0519e + diff --git a/zoneminder.te b/zoneminder.te new file mode 100644 -index 0000000..b66e76d +index 0000000..184e3d5 --- /dev/null +++ b/zoneminder.te @@ -0,0 +1,187 @@ @@ -112319,16 +112598,16 @@ index 0000000..b66e76d + +optional_policy(` + tunable_policy(`zoneminder_run_sudo',` -+ dbus_system_bus_client(zoneminder_t) ++ sudo_exec(zoneminder_t) ++ su_exec(zoneminder_t) + ') +') + +optional_policy(` -+ tunable_policy(`zoneminder_run_sudo',` -+ sudo_exec(zoneminder_t) -+ su_exec(zoneminder_t) -+ ') ++ dbus_system_bus_client(zoneminder_t) +') ++ ++ +optional_policy(` + mysql_stream_connect(zoneminder_t) +') diff --git a/selinux-policy.spec b/selinux-policy.spec index 6674776..86271b7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
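Review bot: `unconfined_domain(tuned_t)` inside an optional_policy block turns a daemon that runs profile scripts, loads kernel modules (`modutils_domtrans_insmod` in the previous hunk) and manages syslog configuration into an unconfined domain whenever the unconfined module is present, so the detailed rule set above it stops mattering on such systems. The hunk carries no justification beyond the changelog line; a comment at the call site naming the reason and the class of denials that forced it, plus a boolean or `tunable_policy` gating the call, would keep the confined rules meaningful for deployments that want them. As written, the earlier additions such as `logging_manage_syslog_config(tuned_t)` and the unconfined grant pull in opposite directions and a reader cannot tell which is the intended end state.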
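Review bot: `allow virt_domain self:unix_stream_socket { connectto create_stream_socket_perms };` only permits a virt_domain process to connectto stream sockets that are themselves labelled virt_domain, which does not match the changelog wording about connecting to libvirt; reaching libvirtd's socket would need a `stream_connect_pattern` against the libvirt run type, not a `self` rule. If the self-connect is what the denial actually showed (presumably a guest process connecting to a socket it created itself), a comment saying so, `# virt domains connect to their own unix stream sockets`, would prevent the rule from being widened later on the strength of the changelog text.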
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 90%{?dist} +Release: 91%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -604,6 +604,28 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Nov 07 2014 Lukas Vrabec 3.13.1-91 +- Added interface userdom_dontaudit_manage_user_home_dirs +- Fix unconfined_server_dbus_chat() interface. +- Add unconfined_server_dbus_chat() inteface. +- Allow login domains to create kernel keyring with different level. +- Dontaudit policykit_auth_t to write to user home dirs. BZ (1157256) +- Make tuned as unconfined domain. +- Added support for linuxptp policy. BZ(1149693) +- make zoneminder as dbus client by default. +- Allow bluetooth read/write uhid devices. BZ (1161169) +- Add fixes for hypervkvp daemon +- Allow guest to connect to libvirt using unix_stream_socket. +- Allow all bus client domains to dbus chat with unconfined_service_t. +- Allow inetd service without own policy to run in inetd_child_t which is unconfined domain. +- Make opensm as nsswitch domain to make it working with sssd. +- Allow brctl to read meminfo. +- Allow winbind-helper to execute ntlm_auth in the caller domain. +- Make plymouthd as nsswitch domain to make it working with sssd. +- Make drbd as nsswitch domain to make it working with sssd. +- Make conman as nsswitch domain to make ipmitool.exp runing as conman_t working. +- Add support for /var/lib/sntp directory. + * Mon Nov 03 2014 Lukas Vrabec 3.13.1-90 - Add support for /dev/nvme controllerdevice nodes created by nvme driver. - Add 15672 as amqp_port_t