From 08fe2e457ef2dbc37fa759a7fdebc42cb1a7cc4a Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 04 2014 09:17:06 +0000 Subject: - Allow block_suspend cap2 for systemd-logind and rw dri device - Add labeling for /usr/libexec/nm-libreswan-service - Allow locallogin to rw xdm key to make Virtual Terminal login providing - Add xserver_rw_xdm_keys() - Allow rpm_script_t to dbus chat also with systemd-located - Fix ipa_stream_connect_otpd() - update lpd_manage_spool() interface - Allow krb5kdc to stream connect to ipa-otpd - Add ipa_stream_connect_otpd() interface - Allow vpnc to unlink NM pids - Add networkmanager_delete_pid_files() - Allow munin plugins to access unconfined plugins - update abrt_filetrans_named_content to cover /var/spool/debug - Label /var/spool/debug as abrt_var_cache_t - Allow rhsmcertd to connect to squid port - Make docker_transition_unconfined as optional boolean - Allow certmonger to list home dirs --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 48aad36..77e2037 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -22720,7 +22720,7 @@ index 8274418..0069d82 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..115c533 100644 +index 6bf0ecc..0d55916 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,37 @@ @@ -23704,7 +23704,7 @@ index 6bf0ecc..115c533 100644 ') ######################################## -@@ -1284,10 +1679,624 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1679,643 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` 
@@ -24331,6 +24331,25 @@ index 6bf0ecc..115c533 100644 + + dontaudit $1 xserver_log_t:dir search_dir_perms; +') ++ ++######################################## ++## ++## Manage keys for xdm. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_rw_xdm_keys',` ++ gen_require(` ++ type xdm_t; ++ ') ++ ++ allow $1 xdm_t:key { read write }; ++') ++ diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 8b40377..a02343f 100644 --- a/policy/modules/services/xserver.te @@ -27522,7 +27541,7 @@ index 016a770..1effeb4 100644 + files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid") +') diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te -index 3f48d30..90a20cf 100644 +index 3f48d30..1fb0cde 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -13,9 +13,15 @@ role system_r types fsadm_t; @@ -27541,7 +27560,15 @@ index 3f48d30..90a20cf 100644 type swapfile_t; # customizable files_type(swapfile_t) -@@ -41,10 +47,21 @@ allow fsadm_t self:msg { send receive }; +@@ -26,6 +32,7 @@ files_type(swapfile_t) + + # ipc_lock is for losetup + allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search }; ++dontaudit fsadm_t self:capability net_admin; + allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap }; + allow fsadm_t self:fd use; + allow fsadm_t self:fifo_file rw_fifo_file_perms; +@@ -41,10 +48,21 @@ allow fsadm_t self:msg { send receive }; can_exec(fsadm_t, fsadm_exec_t) @@ -27565,7 +27592,7 @@ index 3f48d30..90a20cf 100644 # log files allow fsadm_t fsadm_log_t:dir setattr; manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t) -@@ -53,6 +70,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file) +@@ -53,6 +71,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file) # Enable swapping to files allow fsadm_t swapfile_t:file { rw_file_perms swapon }; 
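Review bot: The summary of the new interface, `## Manage keys for xdm.`, overstates what it grants; the only rule is `allow $1 xdm_t:key { read write };`, so `## Read and write xdm keys.` is the accurate description and matches the name xserver_rw_xdm_keys. If the caller reaches the key through a keyring lookup rather than by key id, a `search` permission on the key class may also be needed; that should be confirmed against the denial that motivated this before the permission set is widened further.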
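Review bot: The added `dontaudit fsadm_t self:capability net_admin;` suppresses an audit record without saying what triggers it; since this same silence is added in later hunks for init_telinit callers, system_bus_type and systemd_domain, one comment naming the operation that trips net_admin (e.g. `# net_admin denial is noise from <operation>, not needed for the tool to work`) would let a future reader tell the suppression from a missing permission. In the init_telinit hunk the rule is written as `dontaudit $1 self:capability net_admin;`, which applies to every domain that calls the interface, well beyond the telinit interaction the interface is about; if the denial is specific to the telinit path, placing it in the calling domains that actually hit it keeps audit coverage for the rest.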
@@ -27573,7 +27600,7 @@ index 3f48d30..90a20cf 100644 kernel_read_system_state(fsadm_t) kernel_read_kernel_sysctls(fsadm_t) kernel_request_load_module(fsadm_t) -@@ -101,6 +119,8 @@ files_read_usr_files(fsadm_t) +@@ -101,6 +120,8 @@ files_read_usr_files(fsadm_t) files_read_etc_files(fsadm_t) files_manage_lost_found(fsadm_t) files_manage_isid_type_dirs(fsadm_t) @@ -27582,7 +27609,7 @@ index 3f48d30..90a20cf 100644 # Write to /etc/mtab. files_manage_etc_runtime_files(fsadm_t) files_etc_filetrans_etc_runtime(fsadm_t, file) -@@ -112,7 +132,6 @@ files_read_isid_type_files(fsadm_t) +@@ -112,7 +133,6 @@ files_read_isid_type_files(fsadm_t) fs_search_auto_mountpoints(fsadm_t) fs_getattr_xattr_fs(fsadm_t) fs_rw_ramfs_pipes(fsadm_t) @@ -27590,7 +27617,7 @@ index 3f48d30..90a20cf 100644 # remount file system to apply changes fs_remount_xattr_fs(fsadm_t) # for /dev/shm -@@ -120,6 +139,9 @@ fs_list_auto_mountpoints(fsadm_t) +@@ -120,6 +140,9 @@ fs_list_auto_mountpoints(fsadm_t) fs_search_tmpfs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) @@ -27600,7 +27627,7 @@ index 3f48d30..90a20cf 100644 # Recreate /mnt/cdrom. files_manage_mnt_dirs(fsadm_t) # for tune2fs -@@ -133,21 +155,27 @@ storage_raw_write_fixed_disk(fsadm_t) +@@ -133,21 +156,27 @@ storage_raw_write_fixed_disk(fsadm_t) storage_raw_read_removable_device(fsadm_t) storage_raw_write_removable_device(fsadm_t) storage_read_scsi_generic(fsadm_t) @@ -27630,7 +27657,7 @@ index 3f48d30..90a20cf 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -166,6 +194,11 @@ optional_policy(` +@@ -166,6 +195,11 @@ optional_policy(` ') optional_policy(` @@ -27642,7 +27669,7 @@ index 3f48d30..90a20cf 100644 hal_dontaudit_write_log(fsadm_t) ') -@@ -179,6 +212,10 @@ optional_policy(` +@@ -179,6 +213,10 @@ optional_policy(` ') optional_policy(` 
@@ -27653,7 +27680,7 @@ index 3f48d30..90a20cf 100644 nis_use_ypbind(fsadm_t) ') -@@ -192,6 +229,10 @@ optional_policy(` +@@ -192,6 +230,10 @@ optional_policy(` ') optional_policy(` @@ -28026,7 +28053,7 @@ index bc0ffc8..8de430d 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..b822c29 100644 +index 79a45f6..89b43aa 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -28413,7 +28440,7 @@ index 79a45f6..b822c29 100644 ') ######################################## -@@ -743,22 +923,23 @@ interface(`init_write_initctl',` +@@ -743,22 +923,24 @@ interface(`init_write_initctl',` interface(`init_telinit',` gen_require(` type initctl_t; @@ -28438,6 +28465,7 @@ index 79a45f6..b822c29 100644 - ') + ps_process_pattern($1, init_t) + allow $1 init_t:process signal; ++ dontaudit $1 self:capability net_admin; + # upstart uses a datagram socket instead of initctl pipe + allow $1 self:unix_dgram_socket create_socket_perms; + allow $1 init_t:unix_dgram_socket sendto; @@ -28446,7 +28474,7 @@ index 79a45f6..b822c29 100644 ') ######################################## -@@ -787,7 +968,7 @@ interface(`init_rw_initctl',` +@@ -787,7 +969,7 @@ interface(`init_rw_initctl',` ## ## ## @@ -28455,7 +28483,7 @@ index 79a45f6..b822c29 100644 ## ## # -@@ -830,11 +1011,12 @@ interface(`init_script_file_entry_type',` +@@ -830,11 +1012,12 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -28470,7 +28498,7 @@ index 79a45f6..b822c29 100644 ifdef(`distro_gentoo',` gen_require(` -@@ -845,11 +1027,11 @@ interface(`init_spec_domtrans_script',` +@@ -845,11 +1028,11 @@ interface(`init_spec_domtrans_script',` ') ifdef(`enable_mcs',` 
@@ -28484,7 +28512,7 @@ index 79a45f6..b822c29 100644 ') ') -@@ -865,19 +1047,41 @@ interface(`init_spec_domtrans_script',` +@@ -865,19 +1048,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -28530,7 +28558,7 @@ index 79a45f6..b822c29 100644 ') ######################################## -@@ -933,9 +1137,14 @@ interface(`init_script_file_domtrans',` +@@ -933,9 +1138,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -28545,7 +28573,7 @@ index 79a45f6..b822c29 100644 files_search_etc($1) ') -@@ -1012,6 +1221,42 @@ interface(`init_read_state',` +@@ -1012,6 +1222,42 @@ interface(`init_read_state',` ######################################## ## @@ -28588,7 +28616,7 @@ index 79a45f6..b822c29 100644 ## Ptrace init ## ## -@@ -1026,7 +1271,9 @@ interface(`init_ptrace',` +@@ -1026,7 +1272,9 @@ interface(`init_ptrace',` type init_t; ') @@ -28599,7 +28627,7 @@ index 79a45f6..b822c29 100644 ') ######################################## -@@ -1125,6 +1372,25 @@ interface(`init_getattr_all_script_files',` +@@ -1125,6 +1373,25 @@ interface(`init_getattr_all_script_files',` ######################################## ## @@ -28625,7 +28653,7 @@ index 79a45f6..b822c29 100644 ## Read all init script files. ## ## -@@ -1144,6 +1410,24 @@ interface(`init_read_all_script_files',` +@@ -1144,6 +1411,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -28650,7 +28678,7 @@ index 79a45f6..b822c29 100644 ## Dontaudit read all init script files. ## ## -@@ -1195,12 +1479,7 @@ interface(`init_read_script_state',` +@@ -1195,12 +1480,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -28664,7 +28692,7 @@ index 79a45f6..b822c29 100644 ') ######################################## -@@ -1314,7 +1593,7 @@ interface(`init_signal_script',` +@@ -1314,7 +1594,7 @@ interface(`init_signal_script',` ######################################## ## 
@@ -28673,7 +28701,7 @@ index 79a45f6..b822c29 100644 ## ## ## -@@ -1322,17 +1601,17 @@ interface(`init_signal_script',` +@@ -1322,17 +1602,17 @@ interface(`init_signal_script',` ## ## # @@ -28694,7 +28722,7 @@ index 79a45f6..b822c29 100644 ## ## ## -@@ -1340,17 +1619,17 @@ interface(`init_signull_script',` +@@ -1340,17 +1620,17 @@ interface(`init_signull_script',` ## ## # @@ -28715,7 +28743,7 @@ index 79a45f6..b822c29 100644 ## ## ## -@@ -1358,7 +1637,25 @@ interface(`init_rw_script_pipes',` +@@ -1358,7 +1638,25 @@ interface(`init_rw_script_pipes',` ## ## # @@ -28742,7 +28770,7 @@ index 79a45f6..b822c29 100644 refpolicywarn(`$0($*) has been deprecated.') ') -@@ -1440,6 +1737,27 @@ interface(`init_dbus_send_script',` +@@ -1440,6 +1738,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -28770,7 +28798,7 @@ index 79a45f6..b822c29 100644 ## init scripts over dbus. ## ## -@@ -1547,6 +1865,25 @@ interface(`init_getattr_script_status_files',` +@@ -1547,6 +1866,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -28796,7 +28824,7 @@ index 79a45f6..b822c29 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1605,6 +1942,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1605,6 +1943,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -28821,7 +28849,7 @@ index 79a45f6..b822c29 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1677,6 +2032,43 @@ interface(`init_read_utmp',` +@@ -1677,6 +2033,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -28865,7 +28893,7 @@ index 79a45f6..b822c29 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1765,7 +2157,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1765,7 +2158,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') 
@@ -28874,7 +28902,7 @@ index 79a45f6..b822c29 100644 ') ######################################## -@@ -1806,6 +2198,133 @@ interface(`init_pid_filetrans_utmp',` +@@ -1806,6 +2199,133 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') @@ -29008,7 +29036,7 @@ index 79a45f6..b822c29 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1840,3 +2359,450 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1840,3 +2360,450 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -30837,7 +30865,7 @@ index 17eda24..e8e4114 100644 + ') + ') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc -index 662e79b..05d25b0 100644 +index 662e79b..08589f8 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc @@ -1,14 +1,23 @@ @@ -30865,10 +30893,11 @@ index 662e79b..05d25b0 100644 /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) -@@ -26,16 +35,23 @@ +@@ -26,16 +35,24 @@ /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) ++/usr/libexec/nm-libreswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) +/usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) @@ -32288,7 +32317,7 @@ index 0e3c2a9..ea9bd57 100644 + userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") +') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 446fa99..050a2ac 100644 +index 446fa99..6043534 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) 
@@ -32412,7 +32441,15 @@ index 446fa99..050a2ac 100644 unconfined_shell_domtrans(local_login_t) ') -@@ -202,7 +198,7 @@ optional_policy(` +@@ -195,6 +191,7 @@ optional_policy(` + optional_policy(` + xserver_read_xdm_tmp_files(local_login_t) + xserver_rw_xdm_tmp_files(local_login_t) ++ xserver_rw_xdm_keys(local_login_t) + ') + + ################################# +@@ -202,7 +199,7 @@ optional_policy(` # Sulogin local policy # @@ -32421,7 +32458,7 @@ index 446fa99..050a2ac 100644 allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow sulogin_t self:fd use; allow sulogin_t self:fifo_file rw_fifo_file_perms; -@@ -215,18 +211,27 @@ allow sulogin_t self:sem create_sem_perms; +@@ -215,18 +212,27 @@ allow sulogin_t self:sem create_sem_perms; allow sulogin_t self:msgq create_msgq_perms; allow sulogin_t self:msg { send receive }; @@ -32449,7 +32486,7 @@ index 446fa99..050a2ac 100644 logging_send_syslog_msg(sulogin_t) -@@ -235,17 +240,28 @@ seutil_read_default_contexts(sulogin_t) +@@ -235,17 +241,28 @@ seutil_read_default_contexts(sulogin_t) userdom_use_unpriv_users_fds(sulogin_t) @@ -32480,7 +32517,7 @@ index 446fa99..050a2ac 100644 init_getpgid(sulogin_t) ', ` allow sulogin_t self:process setexec; -@@ -256,11 +272,3 @@ ifdef(`sulogin_no_pam', ` +@@ -256,11 +273,3 @@ ifdef(`sulogin_no_pam', ` selinux_compute_relabel_context(sulogin_t) selinux_compute_user_contexts(sulogin_t) ') @@ -39476,10 +39513,10 @@ index 0000000..8bca1d7 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..4b0bb47 +index 0000000..e0c3372 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,636 @@ +@@ -0,0 +1,638 @@ +policy_module(systemd, 1.0.0) + +####################################### 
@@ -39563,6 +39600,7 @@ index 0000000..4b0bb47 + +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER) +allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config }; ++allow systemd_logind_t self:capability2 block_suspend; +allow systemd_logind_t self:process getcap; +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms; +allow systemd_logind_t self:unix_dgram_socket create_socket_perms; @@ -39590,7 +39628,7 @@ index 0000000..4b0bb47 +dev_getattr_all_blk_files(systemd_logind_t) +dev_rw_sysfs(systemd_logind_t) +dev_rw_input_dev(systemd_logind_t) -+dev_rw_inherited_dri(systemd_logind_t) ++dev_rw_dri(systemd_logind_t) +dev_setattr_all_chr_files(systemd_logind_t) +dev_setattr_dri_dev(systemd_logind_t) +dev_setattr_generic_usb_dev(systemd_logind_t) @@ -39696,7 +39734,7 @@ index 0000000..4b0bb47 +# Local policy +# + -+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override net_admin }; ++allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override }; +allow systemd_passwd_agent_t self:process { setsockcreate }; +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms; + @@ -39740,7 +39778,7 @@ index 0000000..4b0bb47 +# Local policy +# + -+allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod net_admin }; ++allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod }; +allow systemd_tmpfiles_t self:process { setfscreate }; + +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms; @@ -40090,6 +40128,7 @@ index 0000000..4b0bb47 +# Common rules for systemd domains +# +allow systemd_domain self:process { setfscreate signal_perms }; ++dontaudit systemd_domain self:capability net_admin; + +dev_read_urand(systemd_domain) + @@ -46039,7 +46078,7 @@ index 9dc60c6..771d5b9 100644 +') + 
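Review bot: Replacing `dev_rw_inherited_dri(systemd_logind_t)` with `dev_rw_dri(systemd_logind_t)` widens logind from using already-open DRI descriptors to opening the device nodes itself (if dev_rw_dri has the usual refpolicy rw_chr_files_pattern shape, it includes open), and nothing in the hunk records why; a one-line comment such as `# logind opens /dev/dri nodes itself: <reason from the denial>` next to the call would preserve that. The `allow systemd_logind_t self:capability2 block_suspend;` line added just above sits on its own because block_suspend lives in the capability2 class; a short comment saying so would stop a later cleanup from folding it into the capability line.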
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index f4ac38d..799a5cc 100644 +index f4ac38d..711759c 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1) @@ -46128,7 +46167,7 @@ index f4ac38d..799a5cc 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +83,383 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +83,384 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -46188,6 +46227,7 @@ index f4ac38d..799a5cc 100644 + +allow userdomain userdomain:process signull; +allow userdomain userdomain:fifo_file rw_inherited_fifo_file_perms; ++dontaudit unpriv_userdomain self:rawip_socket create_socket_perms; + +# Nautilus causes this avc +domain_dontaudit_access_check(unpriv_userdomain) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index b9dfcdd..de2bffe 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -68,7 +68,7 @@ index 1a93dc5..40dda9e 100644 -/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) -/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) diff --git a/abrt.if b/abrt.if -index 058d908..70eb89d 100644 +index 058d908..1e5378d 100644 --- a/abrt.if +++ b/abrt.if @@ -1,4 +1,26 @@ @@ -344,7 +344,7 @@ index 058d908..70eb89d 100644 ## ## ## -@@ -288,39 +407,172 @@ interface(`abrt_manage_pid_files',` +@@ -288,39 +407,173 @@ interface(`abrt_manage_pid_files',` ## ## ## 
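Review bot: The new `dontaudit unpriv_userdomain self:rawip_socket create_socket_perms;` in userdomain.te has no comment, unlike the neighbouring `# Nautilus causes this avc` rule, so it is not clear which tool probes for raw sockets and whether the suppression is meant to be permanent; a comment naming the trigger, e.g. `# <tool> tries a raw socket before falling back; denial is expected`, would keep that knowledge with the rule. Because this silences raw-socket creation attempts for every unprivileged user domain, it also removes a useful audit signal, which is a reasonable trade-off only if the source of the noise is known.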
@@ -527,6 +527,7 @@ index 058d908..70eb89d 100644 + files_etc_filetrans($1, abrt_etc_t, dir, "abrt") + files_var_filetrans($1, abrt_var_cache_t, dir, "abrt") + files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix") ++ files_var_filetrans($1, abrt_var_cache_t, dir, "debug") + files_pid_filetrans($1, abrt_var_run_t, dir, "abrt") +') + @@ -10752,7 +10753,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 550b287..6f366b4 100644 +index 550b287..b988f57 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) @@ -10789,7 +10790,7 @@ index 550b287..6f366b4 100644 corenet_all_recvfrom_unlabeled(certmonger_t) corenet_all_recvfrom_netlabel(certmonger_t) -@@ -49,16 +55,23 @@ corenet_tcp_sendrecv_generic_node(certmonger_t) +@@ -49,17 +55,25 @@ corenet_tcp_sendrecv_generic_node(certmonger_t) corenet_sendrecv_certmaster_client_packets(certmonger_t) corenet_tcp_connect_certmaster_port(certmonger_t) @@ -10812,9 +10813,11 @@ index 550b287..6f366b4 100644 -files_read_usr_files(certmonger_t) files_list_tmp(certmonger_t) ++files_list_home(certmonger_t) fs_search_cgroup_dirs(certmonger_t) -@@ -70,16 +83,18 @@ init_getattr_all_script_files(certmonger_t) + +@@ -70,16 +84,18 @@ init_getattr_all_script_files(certmonger_t) logging_send_syslog_msg(certmonger_t) @@ -10835,7 +10838,7 @@ index 550b287..6f366b4 100644 ') optional_policy(` -@@ -92,11 +107,47 @@ optional_policy(` +@@ -92,11 +108,47 @@ optional_policy(` ') optional_policy(` @@ -20127,7 +20130,7 @@ index 62d22cb..2d33fcd 100644 + dontaudit system_bus_type $1:dbus send_msg; ') diff --git a/dbus.te b/dbus.te -index c9998c8..163708f 100644 +index c9998c8..8b8b691 100644 --- a/dbus.te +++ b/dbus.te @@ -4,17 +4,15 @@ gen_require(` 
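Review bot: The added `files_var_filetrans($1, abrt_var_cache_t, dir, "debug")` keys the named transition on the /var directory type, so it fires for a directory named debug created directly under /var, whereas the commit message says the target is /var/spool/debug; if that path is the intent, the spool directory has its own type and the transition should be `files_spool_filetrans($1, abrt_var_cache_t, dir, "debug")`. The matching abrt.fc entry that labels /var/spool/debug as abrt_var_cache_t is not in this chunk, so this cannot be cross-checked here. The enclosing abrt_filetrans_named_content interface starts outside the hunk.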
@@ -20250,7 +20253,7 @@ index c9998c8..163708f 100644 mls_fd_use_all_levels(system_dbusd_t) mls_rangetrans_target(system_dbusd_t) mls_file_read_all_levels(system_dbusd_t) -@@ -123,66 +121,159 @@ term_dontaudit_use_console(system_dbusd_t) +@@ -123,66 +121,160 @@ term_dontaudit_use_console(system_dbusd_t) auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) @@ -20355,6 +20358,7 @@ index c9998c8..163708f 100644 +# system_bus_type rules # +role system_r types system_bus_type; ++dontaudit system_bus_type self:capability net_admin; + +fs_search_all(system_bus_type) + @@ -20424,7 +20428,7 @@ index c9998c8..163708f 100644 kernel_read_kernel_sysctls(session_bus_type) corecmd_list_bin(session_bus_type) -@@ -191,23 +282,18 @@ corecmd_read_bin_files(session_bus_type) +@@ -191,23 +283,18 @@ corecmd_read_bin_files(session_bus_type) corecmd_read_bin_pipes(session_bus_type) corecmd_read_bin_sockets(session_bus_type) @@ -20449,7 +20453,7 @@ index c9998c8..163708f 100644 files_dontaudit_search_var(session_bus_type) fs_getattr_romfs(session_bus_type) -@@ -215,7 +301,6 @@ fs_getattr_xattr_fs(session_bus_type) +@@ -215,7 +302,6 @@ fs_getattr_xattr_fs(session_bus_type) fs_list_inotifyfs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type) @@ -20457,7 +20461,7 @@ index c9998c8..163708f 100644 selinux_validate_context(session_bus_type) selinux_compute_access_vector(session_bus_type) selinux_compute_create_context(session_bus_type) -@@ -225,18 +310,36 @@ selinux_compute_user_contexts(session_bus_type) +@@ -225,18 +311,36 @@ selinux_compute_user_contexts(session_bus_type) auth_read_pam_console_data(session_bus_type) logging_send_audit_msgs(session_bus_type) @@ -20499,7 +20503,7 @@ index c9998c8..163708f 100644 ') ######################################## -@@ -244,5 +347,6 @@ optional_policy(` +@@ -244,5 +348,6 @@ optional_policy(` # Unconfined access to this module # @@ -33116,10 +33120,10 @@ index 0000000..9278f85 + 
diff --git a/ipa.if b/ipa.if new file mode 100644 -index 0000000..deb738f +index 0000000..70c67d3 --- /dev/null +++ b/ipa.if -@@ -0,0 +1,21 @@ +@@ -0,0 +1,38 @@ +## Policy for IPA services. + +######################################## @@ -33141,6 +33145,23 @@ index 0000000..deb738f + domtrans_pattern($1, ipa_otpd_exec_t, ipa_otpd_t) +') + ++######################################## ++## ++## Connect to ipa-otpd over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_stream_connect_otpd',` ++ gen_require(` ++ type ipa_otpd_t; ++ ') ++ allow $1 ipa_otpd_t:unix_stream_socket connectto; ++') ++ diff --git a/ipa.te b/ipa.te new file mode 100644 index 0000000..0fd2678 @@ -36378,7 +36399,7 @@ index f6c00d8..c0946cf 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") ') diff --git a/kerberos.te b/kerberos.te -index 8833d59..ff53b77 100644 +index 8833d59..534f815 100644 --- a/kerberos.te +++ b/kerberos.te @@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0) @@ -36582,7 +36603,7 @@ index 8833d59..ff53b77 100644 logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms; -@@ -201,56 +228,57 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) +@@ -201,71 +228,76 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) @@ -36653,7 +36674,14 @@ index 8833d59..ff53b77 100644 sysnet_use_ldap(krb5kdc_t) userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) -@@ -261,11 +289,11 @@ optional_policy(` + userdom_dontaudit_search_user_home_dirs(krb5kdc_t) + + optional_policy(` ++ ipa_stream_connect_otpd(krb5kdc_t) ++') ++ ++optional_policy(` + ldap_stream_connect(krb5kdc_t) ') optional_policy(` 
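Review bot: The new ipa_stream_connect_otpd grants only `allow $1 ipa_otpd_t:unix_stream_socket connectto;`; if ipa-otpd listens on a labelled socket file rather than an inherited or abstract socket, callers such as krb5kdc_t will also be denied write on that sock_file, which is why the refpolicy convention is `stream_connect_pattern($1, <otpd sock_file type>, <otpd sock_file type>, ipa_otpd_t)`. Whether a socket-file type exists for ipa-otpd is not visible in this chunk, so this should be checked against the AVC that the commit's "Fix ipa_stream_connect_otpd()" entry refers to. As a style point, ipa_domtrans_otpd above separates `')` from its rule with a blank line and the new interface does not.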
@@ -36667,7 +36695,7 @@ index 8833d59..ff53b77 100644 ') optional_policy(` -@@ -273,6 +301,10 @@ optional_policy(` +@@ -273,6 +305,10 @@ optional_policy(` ') optional_policy(` @@ -36678,7 +36706,7 @@ index 8833d59..ff53b77 100644 udev_read_db(krb5kdc_t) ') -@@ -281,10 +313,12 @@ optional_policy(` +@@ -281,10 +317,12 @@ optional_policy(` # kpropd local policy # @@ -36694,7 +36722,7 @@ index 8833d59..ff53b77 100644 allow kpropd_t krb5_host_rcache_t:file manage_file_perms; -@@ -303,26 +337,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) +@@ -303,26 +341,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) corecmd_exec_bin(kpropd_t) @@ -38115,7 +38143,7 @@ index 3602712..fc7b071 100644 + allow $1 slapd_unit_file_t:service all_service_perms; ') diff --git a/ldap.te b/ldap.te -index 4c2b111..6effd5f 100644 +index 4c2b111..deb2d7d 100644 --- a/ldap.te +++ b/ldap.te @@ -21,6 +21,9 @@ files_config_file(slapd_etc_t) @@ -38137,7 +38165,18 @@ index 4c2b111..6effd5f 100644 allow slapd_t self:fifo_file rw_fifo_file_perms; allow slapd_t self:tcp_socket { accept listen }; -@@ -93,7 +96,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) +@@ -69,9 +72,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms; + files_lock_filetrans(slapd_t, slapd_lock_t, file) + + manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t) +-append_files_pattern(slapd_t, slapd_log_t, slapd_log_t) +-create_files_pattern(slapd_t, slapd_log_t, slapd_log_t) +-setattr_files_pattern(slapd_t, slapd_log_t, slapd_log_t) ++manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t) + logging_log_filetrans(slapd_t, slapd_log_t, { file dir }) + + manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t) +@@ -93,7 +94,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) 
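Review bot: Replacing the three `append_files_pattern` / `create_files_pattern` / `setattr_files_pattern` rules on slapd_log_t with `manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)` lets slapd truncate, rename and unlink its own log files, dropping the append-only property the original rules gave to the audit trail; the commit message does not say which denial prompted this, and the ldap.te file is not among the items it lists. If the missing access is only read or write on existing logs, adding `rw_files_pattern(slapd_t, slapd_log_t, slapd_log_t)` next to the existing three rules covers it without granting delete.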
@@ -38145,7 +38184,7 @@ index 4c2b111..6effd5f 100644 corenet_all_recvfrom_netlabel(slapd_t) corenet_tcp_sendrecv_generic_if(slapd_t) corenet_tcp_sendrecv_generic_node(slapd_t) -@@ -115,15 +117,14 @@ fs_getattr_all_fs(slapd_t) +@@ -115,15 +115,14 @@ fs_getattr_all_fs(slapd_t) fs_search_auto_mountpoints(slapd_t) files_read_etc_runtime_files(slapd_t) @@ -38162,7 +38201,7 @@ index 4c2b111..6effd5f 100644 userdom_dontaudit_use_unpriv_user_fds(slapd_t) userdom_dontaudit_search_user_home_dirs(slapd_t) -@@ -131,9 +132,9 @@ userdom_dontaudit_search_user_home_dirs(slapd_t) +@@ -131,9 +130,9 @@ userdom_dontaudit_search_user_home_dirs(slapd_t) optional_policy(` kerberos_manage_host_rcache(slapd_t) kerberos_read_keytab(slapd_t) @@ -39192,7 +39231,7 @@ index 2fb9b2e..08974e3 100644 /usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) diff --git a/lpd.if b/lpd.if -index 6256371..7826e38 100644 +index 6256371..ce2acb8 100644 --- a/lpd.if +++ b/lpd.if @@ -1,44 +1,49 @@ @@ -39317,7 +39356,12 @@ index 6256371..7826e38 100644 ## ## ## -@@ -153,7 +155,7 @@ interface(`lpd_manage_spool',` +@@ -149,11 +151,12 @@ interface(`lpd_manage_spool',` + manage_dirs_pattern($1, print_spool_t, print_spool_t) + manage_files_pattern($1, print_spool_t, print_spool_t) + manage_lnk_files_pattern($1, print_spool_t, print_spool_t) ++ manage_fifo_files_pattern($1, print_spool_t, print_spool_t) + ') ######################################## ## @@ -39326,7 +39370,7 @@ index 6256371..7826e38 100644 ## ## ## -@@ -172,7 +174,7 @@ interface(`lpd_relabel_spool',` +@@ -172,7 +175,7 @@ interface(`lpd_relabel_spool',` ######################################## ## @@ -39335,7 +39379,7 @@ index 6256371..7826e38 100644 ## ## ## -@@ -200,12 +202,11 @@ interface(`lpd_read_config',` +@@ -200,12 +203,11 @@ interface(`lpd_read_config',` ## ## # 
@@ -39349,7 +39393,7 @@ index 6256371..7826e38 100644 domtrans_pattern($1, lpr_exec_t, lpr_t) ') -@@ -237,7 +238,8 @@ interface(`lpd_run_lpr',` +@@ -237,7 +239,8 @@ interface(`lpd_run_lpr',` ######################################## ## @@ -39359,7 +39403,7 @@ index 6256371..7826e38 100644 ## ## ## -@@ -250,6 +252,5 @@ interface(`lpd_exec_lpr',` +@@ -250,6 +253,5 @@ interface(`lpd_exec_lpr',` type lpr_exec_t; ') @@ -47493,10 +47537,10 @@ index b744fe3..900d083 100644 + admin_pattern($1, munin_content_t) ') diff --git a/munin.te b/munin.te -index b708708..16b96d0 100644 +index b708708..0deb9fa 100644 --- a/munin.te +++ b/munin.te -@@ -44,12 +44,15 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t) +@@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t) munin_plugin_template(system) munin_plugin_template(unconfined) @@ -47513,7 +47557,14 @@ index b708708..16b96d0 100644 allow munin_plugin_domain self:fifo_file rw_fifo_file_perms; allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms; -@@ -62,23 +65,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms; + + read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t) + ++allow munin_plugin_domain munin_unconfined_plugin_exec_t:file read_file_perms; ++ + allow munin_plugin_domain munin_exec_t:file read_file_perms; + + allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms; manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t) @@ -47538,7 +47589,7 @@ index b708708..16b96d0 100644 optional_policy(` nscd_use(munin_plugin_domain) -@@ -118,7 +115,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) +@@ -118,7 +117,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) 
@@ -47547,7 +47598,7 @@ index b708708..16b96d0 100644 manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t) manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) -@@ -134,7 +131,6 @@ kernel_read_all_sysctls(munin_t) +@@ -134,7 +133,6 @@ kernel_read_all_sysctls(munin_t) corecmd_exec_bin(munin_t) corecmd_exec_shell(munin_t) @@ -47555,7 +47606,7 @@ index b708708..16b96d0 100644 corenet_all_recvfrom_netlabel(munin_t) corenet_tcp_sendrecv_generic_if(munin_t) corenet_tcp_sendrecv_generic_node(munin_t) -@@ -157,7 +153,6 @@ domain_use_interactive_fds(munin_t) +@@ -157,7 +155,6 @@ domain_use_interactive_fds(munin_t) domain_read_all_domains_state(munin_t) files_read_etc_runtime_files(munin_t) @@ -47563,7 +47614,7 @@ index b708708..16b96d0 100644 files_list_spool(munin_t) fs_getattr_all_fs(munin_t) -@@ -169,7 +164,6 @@ logging_send_syslog_msg(munin_t) +@@ -169,7 +166,6 @@ logging_send_syslog_msg(munin_t) logging_read_all_logs(munin_t) miscfiles_read_fonts(munin_t) @@ -47571,7 +47622,7 @@ index b708708..16b96d0 100644 miscfiles_setattr_fonts_cache_dirs(munin_t) sysnet_exec_ifconfig(munin_t) -@@ -177,13 +171,6 @@ sysnet_exec_ifconfig(munin_t) +@@ -177,13 +173,6 @@ sysnet_exec_ifconfig(munin_t) userdom_dontaudit_use_unpriv_user_fds(munin_t) userdom_dontaudit_search_user_home_dirs(munin_t) @@ -47585,7 +47636,7 @@ index b708708..16b96d0 100644 optional_policy(` cron_system_entry(munin_t, munin_exec_t) -@@ -217,7 +204,6 @@ optional_policy(` +@@ -217,7 +206,6 @@ optional_policy(` optional_policy(` postfix_list_spool(munin_t) @@ -47593,7 +47644,7 @@ index b708708..16b96d0 100644 ') optional_policy(` -@@ -246,21 +232,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; +@@ -246,21 +234,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) 
@@ -47621,7 +47672,7 @@ index b708708..16b96d0 100644 sysnet_read_config(disk_munin_plugin_t) -@@ -272,6 +260,10 @@ optional_policy(` +@@ -272,6 +262,10 @@ optional_policy(` fstools_exec(disk_munin_plugin_t) ') @@ -47632,7 +47683,7 @@ index b708708..16b96d0 100644 #################################### # # Mail local policy -@@ -279,27 +271,36 @@ optional_policy(` +@@ -279,27 +273,36 @@ optional_policy(` allow mail_munin_plugin_t self:capability dac_override; @@ -47673,7 +47724,7 @@ index b708708..16b96d0 100644 ') optional_policy(` -@@ -339,7 +340,7 @@ dev_read_rand(services_munin_plugin_t) +@@ -339,7 +342,7 @@ dev_read_rand(services_munin_plugin_t) sysnet_read_config(services_munin_plugin_t) optional_policy(` @@ -47682,7 +47733,7 @@ index b708708..16b96d0 100644 ') optional_policy(` -@@ -361,7 +362,11 @@ optional_policy(` +@@ -361,7 +364,11 @@ optional_policy(` ') optional_policy(` @@ -47695,7 +47746,7 @@ index b708708..16b96d0 100644 ') optional_policy(` -@@ -393,6 +398,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) +@@ -393,6 +400,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) kernel_read_network_state(system_munin_plugin_t) kernel_read_all_sysctls(system_munin_plugin_t) @@ -47703,7 +47754,7 @@ index b708708..16b96d0 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -421,3 +427,32 @@ optional_policy(` +@@ -421,3 +429,32 @@ optional_policy(` optional_policy(` unconfined_domain(unconfined_munin_plugin_t) ') @@ -49873,7 +49924,7 @@ index 94b9734..bb9c83e 100644 +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if -index 86dc29d..993ecf5 100644 +index 86dc29d..1cd0d0e 100644 --- a/networkmanager.if +++ b/networkmanager.if @@ -2,7 +2,7 @@ 
@@ -49953,28 +50004,10 @@ index 86dc29d..993ecf5 100644 ## ## ## -@@ -95,8 +98,7 @@ interface(`networkmanager_domtrans',` +@@ -93,10 +96,27 @@ interface(`networkmanager_domtrans',` + domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t) + ') - ######################################## - ## --## Execute networkmanager scripts with --## an automatic domain transition to initrc. -+## Execute NetworkManager scripts with an automatic domain transition to NetworkManagerrc. - ## - ## - ## -@@ -104,18 +106,59 @@ interface(`networkmanager_domtrans',` - ## - ## - # -+interface(`networkmanager_NetworkManagerrc_domtrans',` -+ gen_require(` -+ type NetworkManager_NetworkManagerrc_exec_t; -+ ') -+ -+ NetworkManager_labeled_script_domtrans($1, NetworkManager_NetworkManagerrc_exec_t) -+') -+ +####################################### +## +## Execute NetworkManager scripts with an automatic domain transition to initrc. @@ -49985,7 +50018,7 @@ index 86dc29d..993ecf5 100644 +## +## +# - interface(`networkmanager_initrc_domtrans',` ++interface(`networkmanager_initrc_domtrans',` + gen_require(` + type NetworkManager_initrc_exec_t; + ') @@ -49993,16 +50026,19 @@ index 86dc29d..993ecf5 100644 + init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) +') + -+######################################## -+## + ######################################## + ## +-## Execute networkmanager scripts with +-## an automatic domain transition to initrc. +## Execute NetworkManager server in the NetworkManager domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# + ## + ## + ## +@@ -104,18 +124,23 @@ interface(`networkmanager_domtrans',` + ## + ## + # +-interface(`networkmanager_initrc_domtrans',` +interface(`networkmanager_systemctl',` gen_require(` - type NetworkManager_initrc_exec_t; 
@@ -50026,7 +50062,7 @@ index 86dc29d..993ecf5 100644 ## ## ## -@@ -155,7 +198,29 @@ interface(`networkmanager_read_state',` +@@ -155,7 +180,29 @@ interface(`networkmanager_read_state',` ######################################## ## @@ -50057,7 +50093,7 @@ index 86dc29d..993ecf5 100644 ## ## ## -@@ -211,9 +276,28 @@ interface(`networkmanager_read_lib_files',` +@@ -211,9 +258,28 @@ interface(`networkmanager_read_lib_files',` read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) ') @@ -50087,7 +50123,7 @@ index 86dc29d..993ecf5 100644 ## ## ## -@@ -221,19 +305,18 @@ interface(`networkmanager_read_lib_files',` +@@ -221,19 +287,18 @@ interface(`networkmanager_read_lib_files',` ## ## # @@ -50108,11 +50144,11 @@ index 86dc29d..993ecf5 100644 ######################################## ## -## Read networkmanager pid files. -+## Read NetworkManager PID files. ++## Manage NetworkManager PID files. ## ## ## -@@ -241,13 +324,13 @@ interface(`networkmanager_append_log_files',` +@@ -241,13 +306,13 @@ interface(`networkmanager_append_log_files',` ## ## # 
@@ -50128,23 +50164,43 @@ index 86dc29d..993ecf5 100644 ') #################################### -@@ -272,12 +355,12 @@ interface(`networkmanager_stream_connect',` +@@ -272,14 +337,33 @@ interface(`networkmanager_stream_connect',` ######################################## ## -## All of the rules required to -## administrate an networkmanager environment. -+## Execute NetworkManager in the NetworkManager domain, and -+## allow the specified role the NetworkManager domain. ++## Delete NetworkManager PID files. ## ## ## --## Domain allowed access. -+## Domain allowed to transition. + ## Domain allowed access. ## ## ++# ++interface(`networkmanager_delete_pid_files',` ++ gen_require(` ++ type NetworkManager_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ delete_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) ++') ++ ++######################################## ++## ++## Execute NetworkManager in the NetworkManager domain, and ++## allow the specified role the NetworkManager domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ## -@@ -287,33 +370,132 @@ interface(`networkmanager_stream_connect',` + ## + ## Role allowed access. +@@ -287,33 +371,132 @@ interface(`networkmanager_stream_connect',` ## ## # @@ -77644,7 +77700,7 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a2..413f4b8 100644 +index d32e1a2..a87ab50 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t) 
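Review bot: `networkmanager_delete_pid_files` grants `delete_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)`, i.e. unlink on every file carrying that type, not just the caller's own PID file; the file-context hunk earlier in this patch also labels `/var/run/wpa_supplicant(/.*)?` as `NetworkManager_var_run_t`, so a caller such as `vpnc_t` (wired up in the vpn.te hunk further down) can remove those files too. The interface summary should say so, e.g. `## Delete all files labeled NetworkManager_var_run_t (NetworkManager PID files and other runtime files sharing the type).`, so that future callers understand the breadth of the grant; narrowing it would need a dedicated type, which this patch does not introduce.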
@@ -77665,11 +77721,12 @@ index d32e1a2..413f4b8 100644 manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t) files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file) -@@ -52,23 +51,44 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) +@@ -52,23 +51,45 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t) +corenet_tcp_connect_http_port(rhsmcertd_t) ++corenet_tcp_connect_squid_port(rhsmcertd_t) + corecmd_exec_bin(rhsmcertd_t) +corecmd_exec_shell(rhsmcertd_t) @@ -80109,7 +80166,7 @@ index ef3b225..d248cd3 100644 init_labeled_script_domtrans($1, rpm_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rpm.te b/rpm.te -index 6fc360e..44f9739 100644 +index 6fc360e..1abda8b 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,13 @@ @@ -80513,7 +80570,7 @@ index 6fc360e..44f9739 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -363,41 +385,68 @@ ifdef(`distro_redhat',` +@@ -363,41 +385,69 @@ ifdef(`distro_redhat',` ') ') @@ -80552,6 +80609,7 @@ index 6fc360e..44f9739 100644 + optional_policy(` + systemd_dbus_chat_logind(rpm_script_t) + systemd_dbus_chat_timedated(rpm_script_t) ++ systemd_dbus_chat_localed(rpm_script_t) + ') +') + @@ -80593,7 +80651,7 @@ index 6fc360e..44f9739 100644 optional_policy(` java_domtrans_unconfined(rpm_script_t) -@@ -409,6 +458,6 @@ optional_policy(` +@@ -409,6 +459,6 @@ optional_policy(` ') optional_policy(` @@ -82560,7 +82618,7 @@ index 50d07fb..bada62f 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..3504791 100644 +index 2b7c441..e411600 100644 --- a/samba.te +++ b/samba.te @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3) 
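Review bot: `corenet_tcp_connect_squid_port(rhsmcertd_t)` is added unconditionally beside the http port rule with nothing recording why the entitlement daemon needs the squid port; presumably this is for a configured HTTP proxy, which should be confirmed and stated, e.g. `# reaching the subscription service through a local squid proxy`. The same applies to `systemd_dbus_chat_localed(rpm_script_t)` in the rpm.te hunk on this line, where a one-word note on which scriptlet talks to localed would make the grant auditable later.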
@@ -82904,7 +82962,7 @@ index 2b7c441..3504791 100644 manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) allow smbd_t samba_share_t:filesystem { getattr quotaget }; -@@ -298,20 +304,26 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) +@@ -298,65 +304,64 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) files_var_filetrans(smbd_t, samba_var_t, dir, "samba") @@ -82935,7 +82993,10 @@ index 2b7c441..3504791 100644 kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) -@@ -321,42 +333,34 @@ kernel_read_kernel_sysctls(smbd_t) + kernel_read_network_state(smbd_t) + kernel_read_fs_sysctls(smbd_t) + kernel_read_kernel_sysctls(smbd_t) ++kernel_read_usermodehelper_state(smbd_t) kernel_read_software_raid_state(smbd_t) kernel_read_system_state(smbd_t) @@ -82990,7 +83051,7 @@ index 2b7c441..3504791 100644 fs_getattr_all_fs(smbd_t) fs_getattr_all_dirs(smbd_t) -@@ -366,44 +370,53 @@ fs_getattr_rpc_dirs(smbd_t) +@@ -366,44 +371,53 @@ fs_getattr_rpc_dirs(smbd_t) fs_list_inotifyfs(smbd_t) fs_get_all_fs_quotas(smbd_t) @@ -83056,7 +83117,7 @@ index 2b7c441..3504791 100644 ') tunable_policy(`samba_domain_controller',` -@@ -419,20 +432,10 @@ tunable_policy(`samba_domain_controller',` +@@ -419,20 +433,10 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -83079,7 +83140,7 @@ index 2b7c441..3504791 100644 tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) -@@ -441,6 +444,7 @@ tunable_policy(`samba_share_nfs',` +@@ -441,6 +445,7 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_named_sockets(smbd_t) ') @@ -83087,7 +83148,7 @@ index 2b7c441..3504791 100644 tunable_policy(`samba_share_fusefs',` fs_manage_fusefs_dirs(smbd_t) fs_manage_fusefs_files(smbd_t) -@@ -448,17 +452,6 @@ tunable_policy(`samba_share_fusefs',` +@@ -448,17 +453,6 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') 
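Review bot: `kernel_read_usermodehelper_state(smbd_t)` is inserted into the smbd kernel block without a comment, and nothing in this patch shows which smbd code path reads the usermodehelper sysctls; a why-comment is needed so the grant is not silently preserved forever, e.g. `# smbd reads /proc/sys/kernel usermodehelper entries — reason: <placeholder: originating denial/bug id>`. If this came from a single audit denial, consider whether a `dontaudit` would serve as well before widening read access to kernel state.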
@@ -83105,7 +83166,7 @@ index 2b7c441..3504791 100644 optional_policy(` ccs_read_config(smbd_t) ') -@@ -466,6 +459,7 @@ optional_policy(` +@@ -466,6 +460,7 @@ optional_policy(` optional_policy(` ctdbd_stream_connect(smbd_t) ctdbd_manage_lib_files(smbd_t) @@ -83113,7 +83174,7 @@ index 2b7c441..3504791 100644 ') optional_policy(` -@@ -479,6 +473,11 @@ optional_policy(` +@@ -479,6 +474,11 @@ optional_policy(` ') optional_policy(` @@ -83125,7 +83186,7 @@ index 2b7c441..3504791 100644 lpd_exec_lpr(smbd_t) ') -@@ -488,6 +487,10 @@ optional_policy(` +@@ -488,6 +488,10 @@ optional_policy(` ') optional_policy(` @@ -83136,7 +83197,7 @@ index 2b7c441..3504791 100644 rpc_search_nfs_state_data(smbd_t) ') -@@ -499,9 +502,33 @@ optional_policy(` +@@ -499,9 +503,33 @@ optional_policy(` udev_read_db(smbd_t) ') @@ -83171,7 +83232,7 @@ index 2b7c441..3504791 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -512,9 +539,11 @@ allow nmbd_t self:msg { send receive }; +@@ -512,9 +540,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -83186,7 +83247,7 @@ index 2b7c441..3504791 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -526,20 +555,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -526,20 +556,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -83210,7 +83271,7 @@ index 2b7c441..3504791 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -548,52 +572,42 @@ kernel_read_network_state(nmbd_t) +@@ -548,52 +573,42 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) 
@@ -83277,7 +83338,7 @@ index 2b7c441..3504791 100644 ') optional_policy(` -@@ -606,16 +620,22 @@ optional_policy(` +@@ -606,16 +621,22 @@ optional_policy(` ######################################## # @@ -83304,7 +83365,7 @@ index 2b7c441..3504791 100644 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) -@@ -627,16 +647,11 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -627,16 +648,11 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -83322,7 +83383,7 @@ index 2b7c441..3504791 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -644,22 +659,23 @@ optional_policy(` +@@ -644,22 +660,23 @@ optional_policy(` ######################################## # @@ -83354,7 +83415,7 @@ index 2b7c441..3504791 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +684,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -668,26 +685,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -83390,7 +83451,7 @@ index 2b7c441..3504791 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +711,77 @@ fs_read_cifs_files(smbmount_t) +@@ -699,58 +712,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -83482,7 +83543,7 @@ index 2b7c441..3504791 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +790,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -759,17 +791,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) 
@@ -83506,7 +83567,7 @@ index 2b7c441..3504791 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +804,25 @@ kernel_read_network_state(swat_t) +@@ -777,36 +805,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -83549,7 +83610,7 @@ index 2b7c441..3504791 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +834,11 @@ logging_send_syslog_msg(swat_t) +@@ -818,10 +835,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -83563,7 +83624,7 @@ index 2b7c441..3504791 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -840,17 +857,20 @@ optional_policy(` +@@ -840,17 +858,20 @@ optional_policy(` # Winbind local policy # @@ -83589,7 +83650,7 @@ index 2b7c441..3504791 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +880,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -860,9 +881,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -83600,7 +83661,7 @@ index 2b7c441..3504791 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,23 +891,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -873,23 +892,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -83630,7 +83691,7 @@ index 2b7c441..3504791 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -898,13 +914,17 @@ kernel_read_system_state(winbind_t) +@@ -898,13 +915,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) 
@@ -83651,7 +83712,7 @@ index 2b7c441..3504791 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,10 +932,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,10 +933,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -83662,7 +83723,7 @@ index 2b7c441..3504791 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -924,26 +940,39 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -924,26 +941,39 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) @@ -83704,7 +83765,7 @@ index 2b7c441..3504791 100644 ') optional_policy(` -@@ -959,31 +988,29 @@ optional_policy(` +@@ -959,31 +989,29 @@ optional_policy(` # Winbind helper local policy # @@ -83742,7 +83803,7 @@ index 2b7c441..3504791 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1024,38 @@ optional_policy(` +@@ -997,25 +1025,38 @@ optional_policy(` ######################################## # @@ -101919,7 +101980,7 @@ index 7a7f342..afedcba 100644 ## ## diff --git a/vpn.te b/vpn.te -index 95b26d1..55557cb 100644 +index 95b26d1..28e0030 100644 --- a/vpn.te +++ b/vpn.te @@ -6,6 +6,7 @@ policy_module(vpn, 1.16.0) @@ -102023,14 +102084,16 @@ index 95b26d1..55557cb 100644 optional_policy(` dbus_system_bus_client(vpnc_t) -@@ -125,7 +122,3 @@ optional_policy(` +@@ -124,8 +121,5 @@ optional_policy(` + optional_policy(` networkmanager_attach_tun_iface(vpnc_t) - ') +-') - -optional_policy(` - seutil_use_newrole_fds(vpnc_t) --') ++ networkmanager_delete_pid_files(vpnc_t) + ') diff --git a/w3c.fc b/w3c.fc index 463c799..227feaf 100644 --- a/w3c.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index 773dccb..6aed8b1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 28%{?dist} +Release: 29%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -580,6 +580,25 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Mar 4 2014 Miroslav Grepl 3.13.1-30 +- Allow block_suspend cap2 for systemd-logind and rw dri device +- Add labeling for /usr/libexec/nm-libreswan-service +- Allow locallogin to rw xdm key to make Virtual Terminal login providing smartcard pin working +- Add xserver_rw_xdm_keys() +- Allow rpm_script_t to dbus chat also with systemd-located +- Fix ipa_stream_connect_otpd() +- update lpd_manage_spool() interface +- Allow krb5kdc to stream connect to ipa-otpd +- Add ipa_stream_connect_otpd() interface +- Allow vpnc to unlink NM pids +- Add networkmanager_delete_pid_files() +- Allow munin plugins to access unconfined plugins +- update abrt_filetrans_named_content to cover /var/spool/debug +- Label /var/spool/debug as abrt_var_cache_t +- Allow rhsmcertd to connect to squid port +- Make docker_transition_unconfined as optional boolean +- Allow certmonger to list home dirs + * Fri Feb 28 2014 Miroslav Grepl 3.13.1-29 - Make docker as permissive domain