From 0ababf8492dfb94dd50b2104d0f4d6efcb6c82bc Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jan 21 2011 17:24:28 +0000 Subject: - nslcd needs setsched and to read /usr/tmp - Invalid call in likewise policy ends up creating a bogus role - Cannon puts content into /var/lib/bjlib that cups needs to be able to write - Allow screen to create screen_home_t in /root - dirsrv sends syslog messages - pinentry reads stuff in .kde directory - Add labels for .kde directory in homedir - Treat irpinit, iprupdate, iprdump services with raid policy --- diff --git a/policy-F15.patch b/policy-F15.patch index fd599d3..f667cb2 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -2408,11 +2408,71 @@ index 0000000..0852151 + fs_read_inherited_cifs_files(chrome_sandbox_t) + fs_dontaudit_append_cifs_files(chrome_sandbox_t) +') +diff --git a/policy/modules/apps/cpufreqselector.if b/policy/modules/apps/cpufreqselector.if +index ed94975..e43186f 100644 +--- a/policy/modules/apps/cpufreqselector.if ++++ b/policy/modules/apps/cpufreqselector.if +@@ -1 +1,42 @@ + ## Command-line CPU frequency settings. ++ ++######################################## ++## ++## Send a dbus message to ++## cpufreq-selector. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cpufreqselector_dbus_send',` ++ gen_require(` ++ type cpufreqselector_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 cpufreqselector_t:dbus send_msg; ++') ++ ++######################################## ++## ++## Send and receive messages from ++## cpufreq-selector over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cpufreqselector_dbus_chat',` ++ gen_require(` ++ type cpufreqselector_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 cpufreqselector_t:dbus send_msg; ++ allow cpufreqselector_t $1:dbus send_msg; ++') diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te -index 0457de1..f702cfe 100644 +index 0457de1..b440acb 100644 
--- a/policy/modules/apps/cpufreqselector.te +++ b/policy/modules/apps/cpufreqselector.te -@@ -27,7 +27,7 @@ dev_rw_sysfs(cpufreqselector_t) +@@ -16,6 +16,7 @@ application_domain(cpufreqselector_t, cpufreqselector_exec_t) + + allow cpufreqselector_t self:capability { sys_nice sys_ptrace }; + allow cpufreqselector_t self:fifo_file rw_fifo_file_perms; ++allow cpufreqselector_t self:process getsched; + + files_read_etc_files(cpufreqselector_t) + files_read_usr_files(cpufreqselector_t) +@@ -24,10 +25,12 @@ corecmd_search_bin(cpufreqselector_t) + + dev_rw_sysfs(cpufreqselector_t) + ++kernel_read_system_state(cpufreqselector_t) ++ miscfiles_read_localization(cpufreqselector_t) userdom_read_all_users_state(cpufreqselector_t) @@ -2421,6 +2481,14 @@ index 0457de1..f702cfe 100644 optional_policy(` dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) +@@ -50,3 +53,7 @@ optional_policy(` + policykit_read_lib(cpufreqselector_t) + policykit_read_reload(cpufreqselector_t) + ') ++ ++optional_policy(` ++ xserver_dbus_chat_xdm(cpufreqselector_t) ++') diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc new file mode 100644 index 0000000..09f0673 @@ -2737,13 +2805,14 @@ index 0000000..0bbd523 +') + diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc -index 00a19e3..1aaa958 100644 +index 00a19e3..638c4cf 100644 --- a/policy/modules/apps/gnome.fc +++ b/policy/modules/apps/gnome.fc -@@ -1,9 +1,33 @@ +@@ -1,9 +1,34 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) ++HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0) HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0) 
@@ -2777,7 +2846,7 @@ index 00a19e3..1aaa958 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..60258d1 100644 +index f5afe78..509c4c3 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -1,24 +1,29 @@ @@ -3349,7 +3418,7 @@ index f5afe78..60258d1 100644 ') ######################################## -@@ -151,40 +568,257 @@ interface(`gnome_setattr_config_dirs',` +@@ -151,40 +568,258 @@ interface(`gnome_setattr_config_dirs',` ######################################## ## @@ -3514,6 +3583,7 @@ index f5afe78..60258d1 100644 + + list_dirs_pattern($1, config_home_t, config_home_t) + read_files_pattern($1, config_home_t, config_home_t) ++ read_lnk_files_pattern($1, config_home_t, config_home_t) +') + +######################################## @@ -3618,7 +3688,7 @@ index f5afe78..60258d1 100644 userdom_search_user_home_dirs($1) ') diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te -index 2505654..8e83829 100644 +index 2505654..10c3341 100644 --- a/policy/modules/apps/gnome.te +++ b/policy/modules/apps/gnome.te @@ -5,12 +5,25 @@ policy_module(gnome, 2.1.0) @@ -3796,9 +3866,9 @@ index 2505654..8e83829 100644 +manage_files_pattern(gkeyringd_t, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t) +filetrans_pattern(gkeyringd_t, gnome_home_t, gkeyringd_gnome_home_t, dir) + -+manage_dirs_pattern(gkeyringd_t, gkeyringd_tmp_t, gkeyringd_tmp_t) -+manage_sock_files_pattern(gkeyringd_t, gkeyringd_tmp_t, gkeyringd_tmp_t) -+files_tmp_filetrans(gkeyringd_t, gkeyringd_tmp_t, dir) ++#manage_dirs_pattern(gkeyringd_t, gkeyringd_tmp_t, gkeyringd_tmp_t) ++#manage_sock_files_pattern(gkeyringd_t, gkeyringd_tmp_t, gkeyringd_tmp_t) ++#files_tmp_filetrans(gkeyringd_t, gkeyringd_tmp_t, dir) + +kernel_read_crypto_sysctls(gkeyringd_t) + 
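Review bot: In the gnome.te hunk, the three gkeyringd_tmp_t rules are commented out rather than removed, and nothing says why. With `files_tmp_filetrans(gkeyringd_t, gkeyringd_tmp_t, dir)` disabled, directories that gkeyringd_t creates in /tmp no longer get the private type. This hunk does not show whether the keyring socket moved elsewhere or now lands under a shared tmp label. Either delete the lines, or keep them with a reason above, e.g. `# disabled: <reason, and where the keyring socket lives now>`. Also check whether the gkeyringd_tmp_t declaration, which is outside this hunk, is still needed.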
@@ -3914,7 +3984,7 @@ index 40e0a2a..f4a103c 100644 ## ## Send generic signals to user gpg processes. diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te -index 9050e8c..8af881a 100644 +index 9050e8c..504280f 100644 --- a/policy/modules/apps/gpg.te +++ b/policy/modules/apps/gpg.te @@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0) @@ -4031,7 +4101,16 @@ index 9050e8c..8af881a 100644 tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(gpg_pinentry_t) -@@ -347,6 +372,12 @@ optional_policy(` +@@ -342,11 +367,21 @@ tunable_policy(`use_samba_home_dirs',` + ') + + optional_policy(` ++ gnome_read_home_config(gpg_pinentry_t) ++') ++ ++optional_policy(` + dbus_session_bus_client(gpg_pinentry_t) + dbus_system_bus_client(gpg_pinentry_t) ') optional_policy(` @@ -4044,7 +4123,7 @@ index 9050e8c..8af881a 100644 pulseaudio_exec(gpg_pinentry_t) pulseaudio_rw_home_files(gpg_pinentry_t) pulseaudio_setattr_home_dir(gpg_pinentry_t) -@@ -356,4 +387,28 @@ optional_policy(` +@@ -356,4 +391,28 @@ optional_policy(` optional_policy(` xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) @@ -7368,32 +7447,35 @@ index 0000000..5259647 +') + diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc -index 1f2cde4..7bb3047 100644 +index 1f2cde4..7227631 100644 --- a/policy/modules/apps/screen.fc +++ b/policy/modules/apps/screen.fc -@@ -2,6 +2,7 @@ +@@ -2,6 +2,9 @@ # /home # HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) +HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) ++ ++/root/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) # # /usr diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if -index 320df26..174ca5e 100644 +index 320df26..0e4ead0 100644 --- a/policy/modules/apps/screen.if 
+++ b/policy/modules/apps/screen.if -@@ -64,6 +64,9 @@ template(`screen_role_template',` +@@ -64,6 +64,10 @@ template(`screen_role_template',` files_pid_filetrans($1_screen_t, screen_var_run_t, dir) allow $1_screen_t screen_home_t:dir list_dir_perms; + manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t) + manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t) + userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir) ++ userdom_admin_home_dir_filetrans($1_screen_t, screen_home_t, dir) read_files_pattern($1_screen_t, screen_home_t, screen_home_t) read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t) -@@ -73,6 +76,7 @@ template(`screen_role_template',` +@@ -73,6 +77,7 @@ template(`screen_role_template',` allow $3 $1_screen_t:process { signal sigchld }; allow $1_screen_t $3:process signal; @@ -7401,7 +7483,7 @@ index 320df26..174ca5e 100644 manage_dirs_pattern($3, screen_home_t, screen_home_t) manage_files_pattern($3, screen_home_t, screen_home_t) manage_lnk_files_pattern($3, screen_home_t, screen_home_t) -@@ -81,8 +85,6 @@ template(`screen_role_template',` +@@ -81,8 +86,6 @@ template(`screen_role_template',` relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t) @@ -7410,7 +7492,7 @@ index 320df26..174ca5e 100644 manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t) kernel_read_system_state($1_screen_t) -@@ -112,6 +114,7 @@ template(`screen_role_template',` +@@ -112,6 +115,7 @@ template(`screen_role_template',` # for SSP dev_read_urand($1_screen_t) @@ -9555,7 +9637,7 @@ index bc534c1..778d512 100644 +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index 3517db2..ebf38e4 100644 +index 3517db2..f798a69 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` 
@@ -9660,7 +9742,7 @@ index 3517db2..ebf38e4 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) + -+/usr/lib/debug <> ++/usr/lib/debug(/.*)? <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index ed203b2..d38c240 100644 --- a/policy/modules/kernel/files.if @@ -12145,7 +12227,7 @@ index be4de58..cce681a 100644 ######################################## # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..dd62b91 100644 +index 2be17d2..b7c4d13 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,48 @@ policy_module(staff, 2.2.0) @@ -12338,6 +12420,15 @@ index 2be17d2..dd62b91 100644 spamassassin_role(staff_r, staff_t) ') +@@ -172,3 +291,8 @@ ifndef(`distro_redhat',` + wireshark_role(staff_r, staff_t) + ') + ') ++ ++tunable_policy(`allow_execmod',` ++ userdom_execmod_user_home_files(staff_usertype) ++') ++ diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 4a8d146..a0a91fe 100644 --- a/policy/modules/roles/sysadm.te @@ -13864,15 +13955,19 @@ index 0000000..ec21f9a + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index e5bfdd4..60cc0d5 100644 +index e5bfdd4..0c84965 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te -@@ -12,15 +12,55 @@ role user_r; +@@ -12,15 +12,59 @@ role user_r; userdom_unpriv_user_template(user) +fs_exec_noxattr(user_t) + ++tunable_policy(`allow_execmod',` ++ userdom_execmod_user_home_files(user_usertype) ++') ++ optional_policy(` apache_role(user_r, user_t) ') @@ -13923,7 +14018,7 @@ index e5bfdd4..60cc0d5 100644 vlock_run(user_t, user_r) ') -@@ -62,10 +102,6 @@ ifndef(`distro_redhat',` +@@ -62,10 +106,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
@@ -13934,7 +14029,7 @@ index e5bfdd4..60cc0d5 100644 gpg_role(user_r, user_t) ') -@@ -118,7 +154,7 @@ ifndef(`distro_redhat',` +@@ -118,7 +158,7 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -13943,7 +14038,7 @@ index e5bfdd4..60cc0d5 100644 ') optional_policy(` -@@ -157,3 +193,4 @@ ifndef(`distro_redhat',` +@@ -157,3 +197,4 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') @@ -20340,10 +20435,18 @@ index f35b243..c6b63be 100644 ') diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc -index 1b492ed..286ec9e 100644 +index 1b492ed..3d09c0e 100644 --- a/policy/modules/services/cups.fc +++ b/policy/modules/services/cups.fc -@@ -71,3 +71,9 @@ +@@ -56,6 +56,7 @@ + + /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh) + + /var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) + +@@ -71,3 +72,9 @@ /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) @@ -20883,7 +20986,7 @@ index 0d5711c..bbc1a8f 100644 + delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) +') diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te -index 98e5af6..61bb74a 100644 +index 98e5af6..3c13628 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) 
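Review bot: The new cups.fc entry labels `/usr/lib/bjlib(/.*)?`, but the commit subject says the content cups must write is in /var/lib/bjlib, and the line sits among the /var/lib/cups entries. One of the two looks like a typo; if the path is wrong, the directory named in the subject keeps its default label and the denial stays. The entry also uses `mls_systemhigh` where the neighbouring cupsd_rw_etc_t entries use `s0`, so the level should be confirmed as intended. If /usr/lib really is the target, add a comment such as `# Canon bjlib keeps writable state here` to explain why a subtree of /usr/lib gets a cups-writable type.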
@@ -20898,7 +21001,16 @@ index 98e5af6..61bb74a 100644 kernel_read_system_state(system_dbusd_t) kernel_read_kernel_sysctls(system_dbusd_t) -@@ -121,7 +122,9 @@ files_read_usr_files(system_dbusd_t) +@@ -111,6 +112,8 @@ auth_read_pam_console_data(system_dbusd_t) + corecmd_list_bin(system_dbusd_t) + corecmd_read_bin_pipes(system_dbusd_t) + corecmd_read_bin_sockets(system_dbusd_t) ++# needed for system-tools-backends ++corecmd_exec_shell(system_dbusd_t) + + domain_use_interactive_fds(system_dbusd_t) + domain_read_all_domains_state(system_dbusd_t) +@@ -121,7 +124,9 @@ files_read_usr_files(system_dbusd_t) init_use_fds(system_dbusd_t) init_use_script_ptys(system_dbusd_t) @@ -20908,7 +21020,7 @@ index 98e5af6..61bb74a 100644 logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) -@@ -141,6 +144,14 @@ optional_policy(` +@@ -141,6 +146,14 @@ optional_policy(` ') optional_policy(` @@ -20923,7 +21035,7 @@ index 98e5af6..61bb74a 100644 policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) -@@ -158,5 +169,12 @@ optional_policy(` +@@ -158,5 +171,12 @@ optional_policy(` # # Unconfined access to this module # @@ -21996,10 +22108,10 @@ index 0000000..9d8f5de +') diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te new file mode 100644 -index 0000000..5df774f +index 0000000..d28639e --- /dev/null +++ b/policy/modules/services/dirsrv.te -@@ -0,0 +1,171 @@ +@@ -0,0 +1,173 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -22110,6 +22222,8 @@ index 0000000..5df774f + +fs_getattr_all_fs(dirsrv_t) + ++logging_send_syslog_msg(dirsrv_t) ++ +miscfiles_read_localization(dirsrv_t) + +sysnet_dns_name_resolve(dirsrv_t) @@ -25336,7 +25450,7 @@ index 604f67b..31a6075 100644 + files_tmp_filetrans($1, krb5_host_rcache_t, file) +') 
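Review bot: In the dbus.te hunk, `corecmd_exec_shell(system_dbusd_t)` lets the system bus daemon execute a shell with no domain transition visible here, so the shell and what it starts would keep system_dbusd_t's permissions. The comment names system-tools-backends as the only consumer, yet the rule is unconditional in the daemon's main policy. A tighter form would give that service a transition to its own domain inside an `optional_policy` block. If the exec must stay, extend the comment to say what is run, e.g. `# system-tools-backends is started via a shell wrapper and stays in system_dbusd_t`.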
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te -index 8edc29b..245d4ec 100644 +index 8edc29b..09dac65 100644 --- a/policy/modules/services/kerberos.te +++ b/policy/modules/services/kerberos.te @@ -6,9 +6,9 @@ policy_module(kerberos, 1.11.0) @@ -25406,7 +25520,7 @@ index 8edc29b..245d4ec 100644 dev_read_sysfs(kadmind_t) dev_read_rand(kadmind_t) -@@ -149,6 +152,7 @@ selinux_validate_context(kadmind_t) +@@ -149,17 +152,25 @@ selinux_validate_context(kadmind_t) logging_send_syslog_msg(kadmind_t) @@ -25414,7 +25528,26 @@ index 8edc29b..245d4ec 100644 miscfiles_read_localization(kadmind_t) seutil_read_file_contexts(kadmind_t) -@@ -193,13 +197,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t) + +-sysnet_read_config(kadmind_t) + sysnet_use_ldap(kadmind_t) + + userdom_dontaudit_use_unpriv_user_fds(kadmind_t) + userdom_dontaudit_search_user_home_dirs(kadmind_t) + + optional_policy(` ++ ldap_stream_connect(kadmind_t) ++') ++ ++optional_policy(` ++ dirsrv_stream_connect(kadmind_t) ++') ++ ++optional_policy(` + nis_use_ypbind(kadmind_t) + ') + +@@ -193,13 +204,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t) read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t) dontaudit krb5kdc_t krb5kdc_conf_t:file write; @@ -25430,7 +25563,7 @@ index 8edc29b..245d4ec 100644 manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) -@@ -249,6 +252,7 @@ selinux_validate_context(krb5kdc_t) +@@ -249,17 +259,25 @@ selinux_validate_context(krb5kdc_t) logging_send_syslog_msg(krb5kdc_t) 
@@ -25438,6 +25571,25 @@ index 8edc29b..245d4ec 100644 miscfiles_read_localization(krb5kdc_t) seutil_read_file_contexts(krb5kdc_t) + +-sysnet_read_config(krb5kdc_t) + sysnet_use_ldap(krb5kdc_t) + + userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) + userdom_dontaudit_search_user_home_dirs(krb5kdc_t) + + optional_policy(` ++ ldap_stream_connect(krb5kdc_t) ++') ++ ++optional_policy(` ++ dirsrv_stream_connect(krb5kdc_t) ++') ++ ++optional_policy(` + nis_use_ypbind(krb5kdc_t) + ') + diff --git a/policy/modules/services/kerneloops.if b/policy/modules/services/kerneloops.if index 835b16b..dd32883 100644 --- a/policy/modules/services/kerneloops.if @@ -25811,7 +25963,7 @@ index 771e04b..81d98b3 100644 manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) files_pid_filetrans($1_t, $1_var_run_t, file) diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te -index 3acbf1d..ef07a0e 100644 +index 3acbf1d..ed036d1 100644 --- a/policy/modules/services/likewise.te +++ b/policy/modules/services/likewise.te @@ -17,7 +17,7 @@ type likewise_var_lib_t; @@ -25823,6 +25975,15 @@ index 3acbf1d..ef07a0e 100644 type likewise_krb5_ad_t; files_type(likewise_krb5_ad_t) +@@ -137,7 +137,7 @@ selinux_validate_context(lsassd_t) + seutil_read_config(lsassd_t) + seutil_read_default_contexts(lsassd_t) + seutil_read_file_contexts(lsassd_t) +-seutil_run_semanage(lsassd_t, lsassd_t) ++seutil_run_semanage(lsassd_t, system_r) + + sysnet_use_ldap(lsassd_t) + sysnet_read_config(lsassd_t) @@ -205,7 +205,7 @@ stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_ # Likewise DC location service local policy # @@ -27208,12 +27369,12 @@ index 0000000..0b9257a + xserver_dontaudit_read_xdm_pid(mpd_t) +') diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc -index 256166a..c526ce8 100644 +index 256166a..15daf47 100644 --- a/policy/modules/services/mta.fc +++ b/policy/modules/services/mta.fc 
@@ -1,4 +1,5 @@ -HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) -+HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_home_t,s0) ++HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0) +HOME_DIR/dead.letter -- gen_context(system_u:object_r:mail_home_t,s0) /bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -29008,7 +29169,7 @@ index 23c769c..be5a5b4 100644 + admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ') diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te -index 4e28d58..01faaef 100644 +index 4e28d58..08ca30e 100644 --- a/policy/modules/services/nslcd.te +++ b/policy/modules/services/nslcd.te @@ -16,7 +16,7 @@ type nslcd_var_run_t; @@ -29020,6 +29181,23 @@ index 4e28d58..01faaef 100644 ######################################## # +@@ -24,7 +24,7 @@ files_type(nslcd_conf_t) + # + + allow nslcd_t self:capability { setgid setuid dac_override }; +-allow nslcd_t self:process signal; ++allow nslcd_t self:process { setsched signal }; + allow nslcd_t self:unix_stream_socket create_stream_socket_perms; + + allow nslcd_t nslcd_conf_t:file read_file_perms; +@@ -37,6 +37,7 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir }) + kernel_read_system_state(nslcd_t) + + files_read_etc_files(nslcd_t) ++files_read_usr_symlinks(nslcd_t) + + auth_use_nsswitch(nslcd_t) + diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te index ded9fb6..9d1e60a 100644 --- a/policy/modules/services/ntop.te @@ -30574,7 +30752,7 @@ index 9759ed8..48a5431 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te -index fb8dc84..ef11559 100644 +index fb8dc84..57fcfe1 100644 --- a/policy/modules/services/plymouthd.te +++ b/policy/modules/services/plymouthd.te @@ -19,6 +19,9 @@ files_type(plymouthd_spool_t) 
@@ -30598,7 +30776,7 @@ index fb8dc84..ef11559 100644 manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir }) -@@ -60,10 +67,20 @@ domain_use_interactive_fds(plymouthd_t) +@@ -60,10 +67,22 @@ domain_use_interactive_fds(plymouthd_t) files_read_etc_files(plymouthd_t) files_read_usr_files(plymouthd_t) @@ -30616,10 +30794,12 @@ index fb8dc84..ef11559 100644 + xserver_xdm_manage_spool(plymouthd_t) +') + ++term_use_unallocated_ttys(plymouthd_t) ++ ######################################## # # Plymouth private policy -@@ -74,6 +91,7 @@ allow plymouth_t self:fifo_file rw_file_perms; +@@ -74,6 +93,7 @@ allow plymouth_t self:fifo_file rw_file_perms; allow plymouth_t self:unix_stream_socket create_stream_socket_perms; kernel_read_system_state(plymouth_t) @@ -30627,7 +30807,7 @@ index fb8dc84..ef11559 100644 domain_use_interactive_fds(plymouth_t) -@@ -87,7 +105,7 @@ sysnet_read_config(plymouth_t) +@@ -87,7 +107,7 @@ sysnet_read_config(plymouth_t) plymouthd_stream_connect(plymouth_t) @@ -31336,7 +31516,7 @@ index 46bee12..b87375e 100644 + role $2 types postfix_postdrop_t; +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index 06e37d4..5a4973e 100644 +index 06e37d4..a069aae 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0) @@ -31484,7 +31664,7 @@ index 06e37d4..5a4973e 100644 allow postfix_local_t postfix_spool_t:file rw_file_perms; corecmd_exec_shell(postfix_local_t) -@@ -286,10 +307,14 @@ mta_read_aliases(postfix_local_t) +@@ -286,10 +307,15 @@ mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin mta_read_config(postfix_local_t) 
@@ -31495,6 +31675,7 @@ index 06e37d4..5a4973e 100644 -# Might be a leak, but I need a postfix expert to explain -allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; +userdom_read_user_home_content_files(postfix_local_t) ++userdom_exec_user_bin_files(postfix_local_t) + +tunable_policy(`allow_postfix_local_write_mail_spool',` + mta_manage_spool(postfix_local_t) @@ -31502,7 +31683,7 @@ index 06e37d4..5a4973e 100644 optional_policy(` clamav_search_lib(postfix_local_t) -@@ -304,9 +329,18 @@ optional_policy(` +@@ -304,9 +330,18 @@ optional_policy(` ') optional_policy(` @@ -31521,7 +31702,7 @@ index 06e37d4..5a4973e 100644 ######################################## # # Postfix map local policy -@@ -390,8 +424,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m +@@ -390,8 +425,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m # Postfix pipe local policy # @@ -31531,7 +31712,7 @@ index 06e37d4..5a4973e 100644 write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -401,6 +435,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +436,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) @@ -31540,7 +31721,7 @@ index 06e37d4..5a4973e 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +456,7 @@ optional_policy(` +@@ -420,6 +457,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -31548,7 +31729,7 @@ index 06e37d4..5a4973e 100644 ') optional_policy(` -@@ -436,6 +473,9 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,6 +474,9 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; 
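Review bot: The added `userdom_exec_user_bin_files(postfix_local_t)` is not mentioned in the commit subject and carries no comment. Going by the interface name, it lets the local delivery agent execute user-owned programs from home bin directories. Those programs would presumably run in postfix_local_t itself, which this hunk also lets read user home content and, under `allow_postfix_local_write_mail_spool`, manage the mail spool. Add a comment naming the delivery path that needs it, e.g. `# .forward may pipe mail to a program in ~/bin`. Consider putting it behind a tunable, as the hunk already does for the spool write, so sites that do not allow user delivery programs can leave it off.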
@@ -31558,7 +31739,7 @@ index 06e37d4..5a4973e 100644 rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) postfix_list_spool(postfix_postdrop_t) -@@ -519,7 +559,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +560,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; @@ -31567,7 +31748,7 @@ index 06e37d4..5a4973e 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +579,7 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +580,7 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -31576,7 +31757,7 @@ index 06e37d4..5a4973e 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -588,10 +628,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +629,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -31593,7 +31774,7 @@ index 06e37d4..5a4973e 100644 ') optional_policy(` -@@ -611,8 +657,8 @@ optional_policy(` +@@ -611,8 +658,8 @@ optional_policy(` # Postfix virtual local policy # @@ -31603,7 +31784,7 @@ index 06e37d4..5a4973e 100644 allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +676,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +677,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -41107,7 +41288,7 @@ index da2601a..06e7dd4 100644 + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 145fc4b..bfb9c7a 100644 +index 145fc4b..9a7611b 100644 --- a/policy/modules/services/xserver.te 
+++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -41749,7 +41930,7 @@ index 145fc4b..bfb9c7a 100644 ') optional_policy(` -@@ -516,12 +737,50 @@ optional_policy(` +@@ -516,12 +737,54 @@ optional_policy(` ') optional_policy(` @@ -41768,6 +41949,10 @@ index 145fc4b..bfb9c7a 100644 + bluetooth_dbus_chat(xdm_t) + ') + ++ optional_policy(` ++ cpufreqselector_dbus_send(xdm_t) ++ ') ++ + optional_policy(` + devicekit_dbus_chat_disk(xdm_t) + devicekit_dbus_chat_power(xdm_t) @@ -41800,7 +41985,7 @@ index 145fc4b..bfb9c7a 100644 hostname_exec(xdm_t) ') -@@ -539,28 +798,64 @@ optional_policy(` +@@ -539,28 +802,64 @@ optional_policy(` ') optional_policy(` @@ -41874,7 +42059,7 @@ index 145fc4b..bfb9c7a 100644 ') optional_policy(` -@@ -572,6 +867,10 @@ optional_policy(` +@@ -572,6 +871,10 @@ optional_policy(` ') optional_policy(` @@ -41885,7 +42070,7 @@ index 145fc4b..bfb9c7a 100644 xfs_stream_connect(xdm_t) ') -@@ -596,7 +895,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -596,7 +899,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -41894,7 +42079,7 @@ index 145fc4b..bfb9c7a 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -610,6 +909,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -610,6 +913,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -41909,7 +42094,7 @@ index 145fc4b..bfb9c7a 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -629,12 +936,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -629,12 +940,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -41931,7 +42116,7 @@ index 145fc4b..bfb9c7a 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -642,6 +956,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -642,6 +960,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -41939,7 +42124,7 @@ index 145fc4b..bfb9c7a 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -668,7 +983,6 @@ dev_rw_apm_bios(xserver_t) +@@ -668,7 +987,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -41947,7 +42132,7 @@ index 145fc4b..bfb9c7a 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -678,11 +992,17 @@ dev_wx_raw_memory(xserver_t) +@@ -678,11 +996,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -41965,7 +42150,7 @@ index 145fc4b..bfb9c7a 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -693,8 +1013,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -693,8 +1017,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) 
@@ -41979,7 +42164,7 @@ index 145fc4b..bfb9c7a 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -716,11 +1041,14 @@ logging_send_audit_msgs(xserver_t) +@@ -716,11 +1045,14 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -41994,7 +42179,7 @@ index 145fc4b..bfb9c7a 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -773,12 +1101,28 @@ optional_policy(` +@@ -773,12 +1105,28 @@ optional_policy(` ') optional_policy(` @@ -42024,7 +42209,7 @@ index 145fc4b..bfb9c7a 100644 unconfined_domtrans(xserver_t) ') -@@ -787,6 +1131,10 @@ optional_policy(` +@@ -787,6 +1135,10 @@ optional_policy(` ') optional_policy(` @@ -42035,7 +42220,7 @@ index 145fc4b..bfb9c7a 100644 xfs_stream_connect(xserver_t) ') -@@ -802,10 +1150,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -802,10 +1154,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -42049,7 +42234,7 @@ index 145fc4b..bfb9c7a 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -813,7 +1161,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -813,7 +1165,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -42058,7 +42243,7 @@ index 145fc4b..bfb9c7a 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -826,6 +1174,9 @@ init_use_fds(xserver_t) +@@ -826,6 +1178,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -42068,7 +42253,7 @@ index 145fc4b..bfb9c7a 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -833,6 +1184,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -833,6 +1188,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -42080,7 +42265,7 @@ index 145fc4b..bfb9c7a 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -841,11 +1197,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -841,11 +1201,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -42097,7 +42282,7 @@ index 145fc4b..bfb9c7a 100644 ') optional_policy(` -@@ -853,6 +1212,10 @@ optional_policy(` +@@ -853,6 +1216,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -42108,7 +42293,7 @@ index 145fc4b..bfb9c7a 100644 ######################################## # # Rules common to all X window domains -@@ -896,7 +1259,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -896,7 +1263,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -42117,7 +42302,7 @@ index 145fc4b..bfb9c7a 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -950,11 +1313,31 @@ allow x_domain self:x_resource { read write }; +@@ -950,11 +1317,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; 
@@ -42149,7 +42334,7 @@ index 145fc4b..bfb9c7a 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -976,18 +1359,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -976,18 +1363,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -46572,19 +46757,23 @@ index 74a4466..9061149 100644 dev_rw_xserver_misc(insmod_t) diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc -index 72c746e..e3d06fd 100644 +index 72c746e..3d0bc28 100644 --- a/policy/modules/system/mount.fc +++ b/policy/modules/system/mount.fc -@@ -1,4 +1,10 @@ +@@ -1,4 +1,14 @@ ++/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) + +-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) ++/dev/\.mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) ++ +/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) -+/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) ++ +/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) +/usr/sbin/showmount -- gen_context(system_u:object_r:showmount_exec_t,s0) - --/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) ++ +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if @@ -46821,7 +47010,7 @@ index 8b5c196..83107f9 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 15832c7..6ee04e2 100644 +index 15832c7..dd4dc03 100644 --- a/policy/modules/system/mount.te 
+++ b/policy/modules/system/mount.te @@ -17,8 +17,15 @@ type mount_exec_t; @@ -46840,7 +47029,7 @@ index 15832c7..6ee04e2 100644 type mount_tmp_t; files_tmp_file(mount_tmp_t) -@@ -28,6 +35,17 @@ files_tmp_file(mount_tmp_t) +@@ -28,6 +35,18 @@ files_tmp_file(mount_tmp_t) # policy--duplicate type declaration type unconfined_mount_t; application_domain(unconfined_mount_t, mount_exec_t) @@ -46848,6 +47037,7 @@ index 15832c7..6ee04e2 100644 + +type mount_var_run_t; +files_pid_file(mount_var_run_t) ++dev_associate(mount_var_run_t) + +# showmount - show mount information for an NFS server + @@ -46858,7 +47048,7 @@ index 15832c7..6ee04e2 100644 ######################################## # -@@ -35,7 +53,11 @@ application_domain(unconfined_mount_t, mount_exec_t) +@@ -35,7 +54,11 @@ application_domain(unconfined_mount_t, mount_exec_t) # # setuid/setgid needed to mount cifs @@ -46871,7 +47061,7 @@ index 15832c7..6ee04e2 100644 allow mount_t mount_loopback_t:file read_file_perms; -@@ -46,9 +68,23 @@ can_exec(mount_t, mount_exec_t) +@@ -46,9 +69,24 @@ can_exec(mount_t, mount_exec_t) files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) @@ -46879,6 +47069,7 @@ index 15832c7..6ee04e2 100644 +manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t) +files_pid_filetrans(mount_t,mount_var_run_t,dir) +files_var_filetrans(mount_t,mount_var_run_t,dir) ++dev_filetrans(mount_t, mount_var_run_t, dir) + +# In order to mount reiserfs_t +kernel_dontaudit_getattr_core_if(mount_t) @@ -46896,7 +47087,7 @@ index 15832c7..6ee04e2 100644 kernel_dontaudit_write_debugfs_dirs(mount_t) kernel_dontaudit_write_proc_dirs(mount_t) # To load binfmt_misc kernel module -@@ -57,50 +93,73 @@ kernel_request_load_module(mount_t) +@@ -57,50 +95,73 @@ kernel_request_load_module(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) 
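Review bot: The added `dev_filetrans(mount_t, mount_var_run_t, dir)` in the mount.te local-policy hunk applies to every directory mount_t creates in a device_t directory, while the mount.fc entry added by this commit labels only `/dev/\.mount(/.*)?`. Any other directory mount creates under /dev would therefore also be typed mount_var_run_t, a type declared as a pid file (`files_pid_file(mount_var_run_t)`) and now allowed on the device filesystem by the new `dev_associate(mount_var_run_t)`. None of the three added lines says why mount needs state in /dev. I would put a comment above the transition, such as `# mount keeps its runtime state in /dev/.mount; mount_t should create no other directory under /dev`, and confirm that assumption against the audit log after a boot. The mount_t rule block continues outside the hunk.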
@@ -46978,7 +47169,7 @@ index 15832c7..6ee04e2 100644 selinux_get_enforce_mode(mount_t) -@@ -108,6 +167,7 @@ storage_raw_read_fixed_disk(mount_t) +@@ -108,6 +169,7 @@ storage_raw_read_fixed_disk(mount_t) storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) @@ -46986,7 +47177,7 @@ index 15832c7..6ee04e2 100644 term_use_all_terms(mount_t) -@@ -116,6 +176,8 @@ auth_use_nsswitch(mount_t) +@@ -116,6 +178,8 @@ auth_use_nsswitch(mount_t) init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -46995,7 +47186,7 @@ index 15832c7..6ee04e2 100644 logging_send_syslog_msg(mount_t) -@@ -126,6 +188,12 @@ sysnet_use_portmap(mount_t) +@@ -126,6 +190,12 @@ sysnet_use_portmap(mount_t) seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -47008,7 +47199,7 @@ index 15832c7..6ee04e2 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -141,10 +209,17 @@ ifdef(`distro_ubuntu',` +@@ -141,10 +211,17 @@ ifdef(`distro_ubuntu',` ') ') @@ -47026,7 +47217,7 @@ index 15832c7..6ee04e2 100644 ') optional_policy(` -@@ -174,6 +249,8 @@ optional_policy(` +@@ -174,6 +251,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -47035,7 +47226,7 @@ index 15832c7..6ee04e2 100644 ') optional_policy(` -@@ -181,6 +258,28 @@ optional_policy(` +@@ -181,6 +260,28 @@ optional_policy(` ') optional_policy(` @@ -47064,7 +47255,7 @@ index 15832c7..6ee04e2 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -188,13 +287,44 @@ optional_policy(` +@@ -188,13 +289,44 @@ optional_policy(` ') ') @@ -47109,7 +47300,7 @@ index 15832c7..6ee04e2 100644 ') ######################################## -@@ -203,6 +333,42 @@ optional_policy(` +@@ -203,6 +335,42 @@ optional_policy(` # optional_policy(` @@ -47154,18 +47345,23 @@ index 15832c7..6ee04e2 100644 + +userdom_use_user_terminals(showmount_t) 
diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc -index ed9c70d..42d3890 100644 +index ed9c70d..b961d53 100644 --- a/policy/modules/system/raid.fc +++ b/policy/modules/system/raid.fc -@@ -1,4 +1,5 @@ +@@ -1,4 +1,10 @@ -/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0) +/dev/.mdadm\.map -- gen_context(system_u:object_r:mdadm_var_run_t,s0) +/dev/md(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) ++ ++#669402 ++/usr/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0) ++/usr/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0) ++/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0) /sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te -index 09845c4..6500830 100644 +index 09845c4..a49121b 100644 --- a/policy/modules/system/raid.te +++ b/policy/modules/system/raid.te @@ -10,11 +10,9 @@ type mdadm_exec_t; @@ -47182,9 +47378,11 @@ index 09845c4..6500830 100644 ######################################## # -@@ -26,12 +24,11 @@ dontaudit mdadm_t self:capability sys_tty_config; +@@ -25,13 +23,13 @@ allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; + dontaudit mdadm_t self:capability sys_tty_config; allow mdadm_t self:process { sigchld sigkill sigstop signull signal }; allow mdadm_t self:fifo_file rw_fifo_file_perms; ++allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms; -# create .mdadm files in /dev -allow mdadm_t mdadm_map_t:file manage_file_perms; @@ -47199,7 +47397,7 @@ index 09845c4..6500830 100644 kernel_read_system_state(mdadm_t) kernel_read_kernel_sysctls(mdadm_t) -@@ -52,13 +49,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t) +@@ -52,13 +50,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t) dev_read_realtime_clock(mdadm_t) # unfortunately needed for DMI decoding: dev_read_raw_memory(mdadm_t) 
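Review bot: Labelling `/usr/sbin/iprdump`, `iprinit` and `iprupdate` as mdadm_exec_t in raid.fc puts three more programs into mdadm_t, and the only explanation is the bare `#669402`. The visible context shows that domain already holding `dac_override`, `sys_admin`, `dev_read_raw_memory` and `storage_manage_fixed_disk`. The same commit then widens mdadm_t for everything that runs in it, presumably for these tools: `allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;` in the raid.te hunk and `storage_write_scsi_generic(mdadm_t)` in the hunk after it, neither with a comment. If a separate domain is not wanted yet, the comment should at least say so, for example `# ipr* RAID utilities share mdadm_t for now (bug 669402); give them their own domain before granting more`, and the two new mdadm_t rules should each name the program that needs them. The new entries also sit between the `/dev` and `/sbin` paths rather than with the other executables.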
@@ -47217,6 +47415,14 @@ index 09845c4..6500830 100644 fs_dontaudit_list_tmpfs(mdadm_t) mls_file_read_all_levels(mdadm_t) +@@ -68,6 +69,7 @@ mls_file_write_all_levels(mdadm_t) + storage_manage_fixed_disk(mdadm_t) + storage_dev_filetrans_fixed_disk(mdadm_t) + storage_read_scsi_generic(mdadm_t) ++storage_write_scsi_generic(mdadm_t) + + term_dontaudit_list_ptys(mdadm_t) + diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc index 2cc4bda..9e81136 100644 --- a/policy/modules/system/selinuxutil.fc @@ -47669,7 +47875,7 @@ index 170e2c7..d95624d 100644 +') +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 7ed9819..ad1d4ca 100644 +index 7ed9819..d6a6763 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy; @@ -47767,7 +47973,15 @@ index 7ed9819..ad1d4ca 100644 read_files_pattern(newrole_t, default_context_t, default_context_t) read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) -@@ -260,25 +274,25 @@ term_relabel_all_ptys(newrole_t) +@@ -233,6 +247,7 @@ domain_use_interactive_fds(newrole_t) + # for when the user types "exec newrole" at the command line: + domain_sigchld_interactive_fds(newrole_t) + ++files_list_var(newrole_t) + files_read_etc_files(newrole_t) + files_read_var_files(newrole_t) + files_read_var_symlinks(newrole_t) +@@ -260,25 +275,30 @@ term_relabel_all_ptys(newrole_t) term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) @@ -47792,6 +48006,11 @@ index 7ed9819..ad1d4ca 100644 userdom_dontaudit_search_user_home_content(newrole_t) userdom_search_user_home_dirs(newrole_t) ++# need to talk with dbus ++optional_policy(` ++ dbus_system_bus_client(newrole_t) ++') ++ +optional_policy(` + xserver_dontaudit_exec_xauth(newrole_t) +') 
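Review bot: `dbus_system_bus_client(newrole_t)` gives the role-changing helper a connection to the system bus, and the comment `# need to talk with dbus` repeats the rule instead of saying what inside newrole opens that connection. The identical block is added for run_init_t in a later selinuxutil.te hunk, and `files_list_var(newrole_t)` arrives in an earlier hunk with no comment at all. For domains that sit on a privilege boundary I would name the caller, e.g. `# <library or PAM module> used by newrole connects to the system bus (see <bug id>)`, so the rule can be dropped when that dependency goes away. If the access only shows up as denials that do not break anything, a dontaudit may be the narrower choice, but that needs checking against the AVC messages. The newrole_t rule block starts outside this hunk.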
@@ -47799,7 +48018,7 @@ index 7ed9819..ad1d4ca 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(newrole_t) -@@ -312,6 +326,8 @@ kernel_use_fds(restorecond_t) +@@ -312,6 +332,8 @@ kernel_use_fds(restorecond_t) kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) @@ -47808,7 +48027,7 @@ index 7ed9819..ad1d4ca 100644 fs_relabelfrom_noxattr_fs(restorecond_t) fs_dontaudit_list_nfs(restorecond_t) fs_getattr_xattr_fs(restorecond_t) -@@ -335,6 +351,8 @@ miscfiles_read_localization(restorecond_t) +@@ -335,6 +357,8 @@ miscfiles_read_localization(restorecond_t) seutil_libselinux_linked(restorecond_t) @@ -47817,7 +48036,7 @@ index 7ed9819..ad1d4ca 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -353,7 +371,7 @@ optional_policy(` +@@ -353,7 +377,7 @@ optional_policy(` allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; @@ -47826,7 +48045,7 @@ index 7ed9819..ad1d4ca 100644 # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -380,6 +398,8 @@ selinux_compute_create_context(run_init_t) +@@ -380,6 +404,8 @@ selinux_compute_create_context(run_init_t) selinux_compute_relabel_context(run_init_t) selinux_compute_user_contexts(run_init_t) @@ -47835,10 +48054,15 @@ index 7ed9819..ad1d4ca 100644 auth_use_nsswitch(run_init_t) auth_domtrans_chk_passwd(run_init_t) auth_domtrans_upd_passwd(run_init_t) -@@ -405,6 +425,10 @@ ifndef(`direct_sysadm_daemon',` +@@ -405,6 +431,15 @@ ifndef(`direct_sysadm_daemon',` ') ') ++# need to talk with dbus ++optional_policy(` ++ dbus_system_bus_client(run_init_t) ++') ++ +optional_policy(` + rpm_domtrans(run_init_t) +') 
@@ -47846,7 +48070,7 @@ index 7ed9819..ad1d4ca 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -420,61 +444,22 @@ optional_policy(` +@@ -420,61 +455,22 @@ optional_policy(` # semodule local policy # @@ -47860,20 +48084,20 @@ index 7ed9819..ad1d4ca 100644 -allow semanage_t semanage_tmp_t:dir manage_dir_perms; -allow semanage_t semanage_tmp_t:file manage_file_perms; -files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) -+seutil_semanage_policy(semanage_t) -+allow semanage_t self:fifo_file rw_fifo_file_perms; - +- -kernel_read_system_state(semanage_t) -kernel_read_kernel_sysctls(semanage_t) -+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) -+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) - +- -corecmd_exec_bin(semanage_t) - -dev_read_urand(semanage_t) -- ++seutil_semanage_policy(semanage_t) ++allow semanage_t self:fifo_file rw_fifo_file_perms; + -domain_use_interactive_fds(semanage_t) -- ++manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) ++manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) + -files_read_etc_files(semanage_t) -files_read_etc_runtime_files(semanage_t) -files_read_usr_files(semanage_t) @@ -47916,7 +48140,7 @@ index 7ed9819..ad1d4ca 100644 # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -487,118 +472,64 @@ ifdef(`distro_debian',` +@@ -487,118 +483,64 @@ ifdef(`distro_debian',` files_read_var_lib_symlinks(semanage_t) ') 
@@ -47976,18 +48200,12 @@ index 7ed9819..ad1d4ca 100644 -fs_list_all(setfiles_t) -fs_search_auto_mountpoints(setfiles_t) -fs_relabelfrom_noxattr_fs(setfiles_t) -+init_dontaudit_use_fds(setsebool_t) - +- -mls_file_read_all_levels(setfiles_t) -mls_file_write_all_levels(setfiles_t) -mls_file_upgrade(setfiles_t) -mls_file_downgrade(setfiles_t) -+# Bug in semanage -+seutil_domtrans_setfiles(setsebool_t) -+seutil_manage_file_contexts(setsebool_t) -+seutil_manage_default_contexts(setsebool_t) -+seutil_manage_config(setsebool_t) - +- -selinux_validate_context(setfiles_t) -selinux_compute_access_vector(setfiles_t) -selinux_compute_create_context(setfiles_t) @@ -48007,9 +48225,15 @@ index 7ed9819..ad1d4ca 100644 -init_exec_script_files(setfiles_t) - -logging_send_syslog_msg(setfiles_t) -- ++init_dontaudit_use_fds(setsebool_t) + -miscfiles_read_localization(setfiles_t) -- ++# Bug in semanage ++seutil_domtrans_setfiles(setsebool_t) ++seutil_manage_file_contexts(setsebool_t) ++seutil_manage_default_contexts(setsebool_t) ++seutil_manage_config(setsebool_t) + -seutil_libselinux_linked(setfiles_t) +######################################## +# @@ -49744,7 +49968,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..4a3297c 100644 +index 28b88de..1af5d77 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` 
@@ -50193,7 +50417,7 @@ index 28b88de..4a3297c 100644 ############################## # -@@ -500,73 +567,78 @@ template(`userdom_common_user_template',` +@@ -500,73 +567,79 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -50208,6 +50432,7 @@ index 28b88de..4a3297c 100644 - kernel_read_net_sysctls($1_t) + kernel_read_system_state($1_usertype) + kernel_read_network_state($1_usertype) ++ kernel_read_software_raid_state($1_usertype) + kernel_read_net_sysctls($1_usertype) # Very permissive allowing every domain to see every type: - kernel_get_sysvipc_info($1_t) @@ -50311,7 +50536,7 @@ index 28b88de..4a3297c 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -574,67 +646,110 @@ template(`userdom_common_user_template',` +@@ -574,67 +647,110 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -50440,7 +50665,7 @@ index 28b88de..4a3297c 100644 ') optional_policy(` -@@ -650,41 +765,50 @@ template(`userdom_common_user_template',` +@@ -650,41 +766,50 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -50502,7 +50727,7 @@ index 28b88de..4a3297c 100644 ') ####################################### -@@ -712,13 +836,26 @@ template(`userdom_login_user_template', ` +@@ -712,13 +837,26 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) @@ -50534,7 +50759,7 @@ index 28b88de..4a3297c 100644 userdom_change_password_template($1) -@@ -736,72 +873,71 @@ template(`userdom_login_user_template', ` +@@ -736,72 +874,71 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; 
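Review bot: The added `kernel_read_software_raid_state($1_usertype)` sits in userdom_common_user_template, so every user domain built from that template gains read access to the software RAID state. The admin template visible further down grants it to `$1_t` only for administrators. Nothing in the commit message or changelog mentions the change, and the line has no comment, unlike the neighbouring `# Very permissive allowing every domain to see every type:` note. Please add the reason above it, e.g. `# <program> run by ordinary users reads the RAID state (see <bug id>)`, or keep the access in the admin template if no unprivileged program needs it. The template body begins and ends outside the hunk.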
@@ -50643,7 +50868,7 @@ index 28b88de..4a3297c 100644 ') ') -@@ -833,6 +969,9 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +970,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -50653,7 +50878,7 @@ index 28b88de..4a3297c 100644 ############################## # # Local policy -@@ -874,45 +1013,107 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1014,107 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) @@ -50772,7 +50997,7 @@ index 28b88de..4a3297c 100644 ') ') -@@ -947,7 +1148,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1149,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -50781,7 +51006,7 @@ index 28b88de..4a3297c 100644 userdom_common_user_template($1) ############################## -@@ -956,54 +1157,77 @@ template(`userdom_unpriv_user_template', ` +@@ -956,54 +1158,77 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -50889,7 +51114,7 @@ index 28b88de..4a3297c 100644 ') ') -@@ -1039,7 +1263,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1264,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -50898,7 +51123,7 @@ index 28b88de..4a3297c 100644 ') ############################## -@@ -1074,6 +1298,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1299,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; 
@@ -50908,7 +51133,7 @@ index 28b88de..4a3297c 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1315,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1316,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -50916,7 +51141,7 @@ index 28b88de..4a3297c 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1119,10 +1347,13 @@ template(`userdom_admin_user_template',` +@@ -1119,10 +1348,13 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -50930,7 +51155,7 @@ index 28b88de..4a3297c 100644 fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1142,6 +1373,7 @@ template(`userdom_admin_user_template',` +@@ -1142,6 +1374,7 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) modutils_domtrans_insmod($1_t) @@ -50938,7 +51163,7 @@ index 28b88de..4a3297c 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1210,6 +1442,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1443,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -50947,7 +51172,7 @@ index 28b88de..4a3297c 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1237,6 +1471,7 @@ template(`userdom_security_admin_template',` +@@ -1237,6 +1472,7 @@ template(`userdom_security_admin_template',` seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) 
@@ -50955,7 +51180,7 @@ index 28b88de..4a3297c 100644 seutil_run_setfiles($1, $2) optional_policy(` -@@ -1279,11 +1514,37 @@ template(`userdom_security_admin_template',` +@@ -1279,11 +1515,37 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -50993,7 +51218,7 @@ index 28b88de..4a3297c 100644 ubac_constrained($1) ') -@@ -1395,6 +1656,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1657,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -51001,7 +51226,7 @@ index 28b88de..4a3297c 100644 files_search_home($1) ') -@@ -1441,6 +1703,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1704,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -51016,7 +51241,7 @@ index 28b88de..4a3297c 100644 ') ######################################## -@@ -1456,9 +1726,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1727,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -51028,7 +51253,7 @@ index 28b88de..4a3297c 100644 ') ######################################## -@@ -1515,6 +1787,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,6 +1788,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -51071,7 +51296,7 @@ index 28b88de..4a3297c 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1589,6 +1897,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +1898,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; 
@@ -51080,7 +51305,7 @@ index 28b88de..4a3297c 100644 ') ######################################## -@@ -1603,10 +1913,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +1914,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -51095,7 +51320,7 @@ index 28b88de..4a3297c 100644 ') ######################################## -@@ -1649,6 +1961,25 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +1962,25 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -51121,7 +51346,7 @@ index 28b88de..4a3297c 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1700,12 +2031,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2032,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -51154,7 +51379,7 @@ index 28b88de..4a3297c 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2067,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2068,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -51172,7 +51397,7 @@ index 28b88de..4a3297c 100644 ') ######################################## -@@ -1810,8 +2164,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2165,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -51182,7 +51407,7 @@ index 28b88de..4a3297c 100644 ') ######################################## -@@ -1827,20 +2180,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2181,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` 
@@ -51207,7 +51432,7 @@ index 28b88de..4a3297c 100644 ######################################## ## -@@ -2182,7 +2529,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2530,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -51216,7 +51441,7 @@ index 28b88de..4a3297c 100644 ') ######################################## -@@ -2435,13 +2782,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +2783,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -51232,7 +51457,7 @@ index 28b88de..4a3297c 100644 ## ## ## -@@ -2462,26 +2810,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +2811,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -51259,7 +51484,7 @@ index 28b88de..4a3297c 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2815,7 +3143,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2815,7 +3144,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -51268,7 +51493,7 @@ index 28b88de..4a3297c 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3159,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2831,11 +3160,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -51284,7 +51509,7 @@ index 28b88de..4a3297c 100644 ') ######################################## -@@ -2917,7 +3247,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2917,7 +3248,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -51293,7 +51518,7 @@ index 28b88de..4a3297c 100644 ') ######################################## -@@ -2972,7 +3302,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2972,7 +3303,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') 
@@ -51340,7 +51565,7 @@ index 28b88de..4a3297c 100644 ') ######################################## -@@ -3009,6 +3377,7 @@ interface(`userdom_read_all_users_state',` +@@ -3009,6 +3378,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -51348,7 +51573,7 @@ index 28b88de..4a3297c 100644 kernel_search_proc($1) ') -@@ -3139,3 +3508,1041 @@ interface(`userdom_dbus_send_all_users',` +@@ -3139,3 +3509,1041 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 6412873..cfc84d3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.13 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -472,6 +472,16 @@ exit 0 %endif %changelog +* Fri Jan 21 2011 Miroslav Grepl 3.9.13-4 +- nslcd needs setsched and to read /usr/tmp +- Invalid call in likewise policy ends up creating a bogus role +- Cannon puts content into /var/lib/bjlib that cups needs to be able to write +- Allow screen to create screen_home_t in /root +- dirsrv sends syslog messages +- pinentry reads stuff in .kde directory +- Add labels for .kde directory in homedir +- Treat irpinit, iprupdate, iprdump services with raid policy + * Wed Jan 19 2011 Miroslav Grepl 3.9.13-3 - NetworkManager wants to read consolekit_var_run_t - Allow readahead to create /dev/.systemd/readahead