From 12fd9044f961f6a6590dafa89d87a97117ad1e5f Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Sep 22 2017 12:15:27 +0000 Subject: * Fri Sep 22 2017 Lukas Vrabec - 3.13.1-288 - Remove all unnecessary dac_override capability in SELinux modules --- diff --git a/container-selinux.tgz b/container-selinux.tgz index 1fbd717..1eb1b31 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 4b91b04..98ad5a3 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -1791,7 +1791,7 @@ index cc8df9d7d..90467f3af 100644 + files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf") +') diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te -index 0fd5c5f2e..a14addb41 100644 +index 0fd5c5f2e..7ee6ec7a3 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -20,13 +20,20 @@ type bootloader_t; @@ -1821,7 +1821,7 @@ index 0fd5c5f2e..a14addb41 100644 # -allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown }; -+allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin sys_chroot mknod chown }; ++allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin sys_chroot mknod chown }; allow bootloader_t self:process { signal_perms execmem }; allow bootloader_t self:fifo_file rw_fifo_file_perms; @@ -2201,7 +2201,7 @@ index c6ca761c9..0c86bfd54 100644 ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index c44c3592a..cba535365 100644 +index c44c3592a..2a3a90bf4 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1) 
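Review bot: In the `bootloader_t` rule the new capability set keeps `dac_read_search` but no longer carries `dac_override`, and `dac_read_search` only bypasses DAC checks for reading files and for reading or searching directories, so any write or create that previously succeeded through `dac_override` will now be denied. The same substitution is applied to every domain this commit touches (for example `useradd_t`, `passwd_t`, `updpwd_t`, `lvm_t` and the sshd template in later hunks), and nothing in the patch records which of them were actually exercised. I would run each affected domain's write paths against the new policy and watch the audit log for `avc: denied { dac_override }` before shipping. A short comment on each verified rule would help, e.g. `# dac_override dropped: only read/search DAC bypass is needed`. The policy section this rule belongs to starts outside the hunk.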
@@ -2222,8 +2222,9 @@ index c44c3592a..cba535365 100644 # Perform network administration operations and have raw access to the network. -allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot }; +-dontaudit netutils_t self:capability { dac_override sys_tty_config }; +allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot setpcap }; - dontaudit netutils_t self:capability { dac_override sys_tty_config }; ++dontaudit netutils_t self:capability { sys_tty_config }; allow netutils_t self:process { setcap signal_perms }; allow netutils_t self:netlink_route_socket create_netlink_socket_perms; allow netutils_t self:netlink_socket create_socket_perms; @@ -2419,7 +2420,7 @@ index 688abc2ae..3d89250a6 100644 /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) +/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if -index 03ec5cafe..1e3ace4cf 100644 +index 03ec5cafe..f483a97a6 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -41,13 +41,14 @@ template(`su_restricted_domain_template', ` @@ -2427,7 +2428,7 @@ index 03ec5cafe..1e3ace4cf 100644 allow $2 $1_su_t:process signal; - allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; -+ allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search dac_override fowner sys_nice sys_resource }; ++ allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search fowner sys_nice sys_resource }; dontaudit $1_su_t self:capability sys_tty_config; allow $1_su_t self:key { search write }; allow $1_su_t self:process { setexec setsched setrlimit }; @@ -2615,7 +2616,7 @@ index 03ec5cafe..1e3ace4cf 100644 ####################################### 
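Review bot: Removing `dac_override` from the `dontaudit netutils_t self:capability` rule takes no privilege away, because the `allow` rule shown here never granted that capability to `netutils_t`. It only stops the denial from being suppressed, so each attempt will now produce an AVC record. The `dontaudit` edits in files.if (`dontaudit $1 self:capability { dac_read_search };`) and hotplug.te have the same effect. If the intent is to surface remaining `dac_override` users, say so in the changelog entry; otherwise keep `dontaudit netutils_t self:capability { dac_override sys_tty_config };` so that expected denials do not add noise to the audit log.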
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te -index 85bb77e05..a4302332a 100644 +index 85bb77e05..fdd7b656c 100644 --- a/policy/modules/admin/su.te +++ b/policy/modules/admin/su.te @@ -9,3 +9,82 @@ attribute su_domain_type; @@ -2623,7 +2624,7 @@ index 85bb77e05..a4302332a 100644 type su_exec_t; corecmd_executable_file(su_exec_t) + -+allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search dac_override fowner sys_nice sys_resource }; ++allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search fowner sys_nice sys_resource }; +dontaudit su_domain_type self:capability sys_tty_config; +allow su_domain_type self:process { setexec setsched setrlimit }; +allow su_domain_type self:fifo_file rw_fifo_file_perms; @@ -3189,7 +3190,7 @@ index 99e3903ea..fa68362ea 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1e7..7e03673be 100644 +index 1d732f1e7..9823c5a68 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -3229,7 +3230,7 @@ index 1d732f1e7..7e03673be 100644 # -allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; -+allow chfn_t self:capability { chown dac_read_search dac_override fsetid setuid setgid sys_resource }; ++allow chfn_t self:capability { chown dac_read_search fsetid setuid setgid sys_resource }; allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow chfn_t self:process { setrlimit setfscreate }; allow chfn_t self:fd use; 
@@ -3316,7 +3317,7 @@ index 1d732f1e7..7e03673be 100644 # -allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write }; -+allow groupadd_t self:capability { dac_read_search dac_override chown kill setuid sys_resource audit_write }; ++allow groupadd_t self:capability { dac_read_search chown kill setuid sys_resource audit_write }; dontaudit groupadd_t self:capability { fsetid sys_tty_config }; allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow groupadd_t self:process { setrlimit setfscreate }; @@ -3375,7 +3376,7 @@ index 1d732f1e7..7e03673be 100644 # -allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource }; -+allow passwd_t self:capability { chown dac_read_search dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin }; ++allow passwd_t self:capability { chown dac_read_search dac_read_search ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin }; dontaudit passwd_t self:capability sys_tty_config; allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow passwd_t self:process { setrlimit setfscreate }; @@ -3474,7 +3475,7 @@ index 1d732f1e7..7e03673be 100644 # -allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; -+allow sysadm_passwd_t self:capability { chown dac_read_search dac_override fsetid setuid setgid sys_resource }; ++allow sysadm_passwd_t self:capability { chown dac_read_search fsetid setuid setgid sys_resource }; allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow sysadm_passwd_t self:process { setrlimit setfscreate }; allow sysadm_passwd_t self:fd use; 
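Review bot: The new `passwd_t` rule lists `dac_read_search` twice (`{ chown dac_read_search dac_read_search ipc_lock ...`), a duplicate that was already on the line before `dac_override` was deleted from it. It is presumably harmless to the policy compiler, since the previous line had the same repetition, but it makes the capability set harder to audit. The line should read `allow passwd_t self:capability { chown dac_read_search ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };`. The `syslogd_t` rule in logging.te likewise repeats `setuid` and `setgid` and could be tidied in the same pass.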
@@ -3518,7 +3519,7 @@ index 1d732f1e7..7e03673be 100644 -allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource }; -dontaudit useradd_t self:capability sys_tty_config; -+allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot }; ++allow useradd_t self:capability { dac_read_search chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot }; + +dontaudit useradd_t self:capability { net_admin sys_tty_config }; +dontaudit useradd_t self:cap_userns { sys_ptrace }; @@ -3764,7 +3765,7 @@ index 1dc7a85d3..e4f6fc227 100644 + corecmd_shell_domtrans($1_seunshare_t, $1_t) ') diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te -index 759016583..f50f79935 100644 +index 759016583..1b9a61d18 100644 --- a/policy/modules/apps/seunshare.te +++ b/policy/modules/apps/seunshare.te @@ -5,40 +5,65 @@ policy_module(seunshare, 1.1.0) @@ -3781,7 +3782,7 @@ index 759016583..f50f79935 100644 # # seunshare local policy # -+allow seunshare_domain self:capability { fowner setgid setuid dac_read_search dac_override setpcap sys_admin sys_nice }; ++allow seunshare_domain self:capability { fowner setgid setuid dac_read_search setpcap sys_admin sys_nice }; +allow seunshare_domain self:process { fork setexec signal getcap setcap setcurrent setsched }; -allow seunshare_t self:capability { setuid dac_override setpcap sys_admin }; @@ -12602,7 +12603,7 @@ index b876c48ad..2e591a538 100644 + +/sysroot/ostree/deploy/.*-atomic/deploy(/.*)? gen_context(system_u:object_r:root_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76ad..f2b8e4558 100644 +index f962f76ad..bb8b58852 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ 
@@ -13481,7 +13482,7 @@ index f962f76ad..f2b8e4558 100644 - type root_t; + attribute mountpoint; ') -+ dontaudit $1 self:capability { dac_read_search dac_override }; ++ dontaudit $1 self:capability { dac_read_search }; - allow $1 root_t:dir list_dir_perms; - allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; @@ -25364,10 +25365,10 @@ index 000000000..48caabc7e +allow domain unlabeled_t:packet { send recv }; + diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te -index 834a065de..ff9369756 100644 +index 834a065de..404a5c677 100644 --- a/policy/modules/roles/auditadm.te +++ b/policy/modules/roles/auditadm.te -@@ -7,7 +7,7 @@ policy_module(auditadm, 2.2.0) +@@ -7,14 +7,14 @@ policy_module(auditadm, 2.2.0) role auditadm_r; role system_r; @@ -25376,6 +25377,14 @@ index 834a065de..ff9369756 100644 ######################################## # + # Local policy + # + +-allow auditadm_t self:capability { dac_read_search dac_override }; ++allow auditadm_t self:capability { dac_read_search }; + + kernel_read_ring_buffer(auditadm_t) + @@ -22,16 +22,23 @@ corecmd_exec_shell(auditadm_t) domain_kill_all_domains(auditadm_t) @@ -25401,7 +25410,7 @@ index 834a065de..ff9369756 100644 consoletype_exec(auditadm_t) ') diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te -index 3a45a3ef0..7499f24b5 100644 +index 3a45a3ef0..f31d79957 100644 --- a/policy/modules/roles/logadm.te +++ b/policy/modules/roles/logadm.te @@ -7,13 +7,12 @@ policy_module(logadm, 1.0.0) @@ -25418,13 +25427,13 @@ index 3a45a3ef0..7499f24b5 100644 -allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; - -+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice }; ++allow logadm_t self:capability { dac_read_search kill sys_nice }; logging_admin(logadm_t, logadm_r) 
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te -index da111206f..621ec5afc 100644 +index da111206f..a5ac38465 100644 --- a/policy/modules/roles/secadm.te +++ b/policy/modules/roles/secadm.te -@@ -7,8 +7,11 @@ policy_module(secadm, 2.4.0) +@@ -7,19 +7,25 @@ policy_module(secadm, 2.4.0) role secadm_r; @@ -25438,12 +25447,14 @@ index da111206f..621ec5afc 100644 ######################################## # -@@ -17,9 +20,12 @@ userdom_security_admin_template(secadm_t, secadm_r) - - allow secadm_t self:capability { dac_read_search dac_override }; + # Local policy + # -+kernel_read_system_state(secadm_t) +-allow secadm_t self:capability { dac_read_search dac_override }; ++allow secadm_t self:capability { dac_read_search }; + ++kernel_read_system_state(secadm_t) + corecmd_exec_shell(secadm_t) dev_relabel_all_dev_nodes(secadm_t) @@ -25909,7 +25920,7 @@ index ff9243078..36740eab3 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6c0..7aeed7254 100644 +index 2522ca6c0..c8ef8c8e4 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,107 @@ policy_module(sysadm, 2.6.1) @@ -26335,7 +26346,7 @@ index 2522ca6c0..7aeed7254 100644 optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) -+ allow sysadm_screen_t self:capability { dac_read_search dac_override }; ++ allow sysadm_screen_t self:capability { dac_read_search }; ') optional_policy(` @@ -28342,7 +28353,7 @@ index 9d2f31168..2d782e051 100644 + postgresql_filetrans_named_content($1) ') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 03061349c..e30703d3c 100644 +index 03061349c..bb764b3d0 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -19,25 +19,32 @@ gen_require(` 
@@ -28394,6 +28405,15 @@ index 03061349c..e30703d3c 100644 type postgresql_lock_t; files_lock_file(postgresql_lock_t) +@@ -224,7 +234,7 @@ postgresql_view_object(user_sepgsql_view_t) + # + # postgresql Local policy + # +-allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin }; ++allow postgresql_t self:capability { kill dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin }; + dontaudit postgresql_t self:capability { sys_tty_config sys_admin }; + allow postgresql_t self:process signal_perms; + allow postgresql_t self:fifo_file rw_fifo_file_perms; @@ -236,7 +246,8 @@ allow postgresql_t self:udp_socket create_stream_socket_perms; allow postgresql_t self:unix_dgram_socket create_socket_perms; allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -28624,7 +28644,7 @@ index 76d9f66ec..7528851ad 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index fe0c68272..79d568a54 100644 +index fe0c68272..f0a61f830 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ @@ -28640,7 +28660,7 @@ index fe0c68272..79d568a54 100644 ') ############################## -@@ -47,10 +48,6 @@ template(`ssh_basic_client_template',` +@@ -47,16 +48,12 @@ template(`ssh_basic_client_template',` application_domain($1_ssh_t, ssh_exec_t) role $3 types $1_ssh_t; 
@@ -28651,6 +28671,13 @@ index fe0c68272..79d568a54 100644 ############################## # # Client local policy + # + +- allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search }; ++ allow $1_ssh_t self:capability { setuid setgid dac_read_search }; + allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow $1_ssh_t self:fd use; + allow $1_ssh_t self:fifo_file rw_fifo_file_perms; @@ -89,33 +86,38 @@ template(`ssh_basic_client_template',` # or "regular" (not special like sshd_extern_t) servers allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms; @@ -28755,7 +28782,7 @@ index fe0c68272..79d568a54 100644 files_pid_file($1_var_run_t) - allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; -+ allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_read_search dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; ++ allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_read_search fowner fsetid net_admin setgid setuid sys_tty_config }; allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate }; + allow $1_t self:process { getcap signal getsched setsched setrlimit setexec }; @@ -29357,7 +29384,7 @@ index fe0c68272..79d568a54 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index cc877c7b0..b14a28d5c 100644 +index cc877c7b0..296d9c7dd 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2) 
@@ -29444,7 +29471,7 @@ index cc877c7b0..b14a28d5c 100644 type ssh_t; type ssh_exec_t; -@@ -67,15 +93,17 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t) +@@ -67,25 +93,28 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t) type ssh_tmpfs_t; typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t }; typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t }; @@ -29465,7 +29492,11 @@ index cc877c7b0..b14a28d5c 100644 ############################## # -@@ -86,6 +114,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; + # SSH client local policy + # + +-allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; ++allow ssh_t self:capability { setuid setgid dac_read_search }; allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; @@ -29839,7 +29870,7 @@ index cc877c7b0..b14a28d5c 100644 # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t -+allow ssh_keygen_t self:capability { dac_read_search dac_override }; ++allow ssh_keygen_t self:capability { dac_read_search }; dontaudit ssh_keygen_t self:capability sys_tty_config; allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; - @@ -31986,7 +32017,7 @@ index 6bf0ecc2d..75b2f31f9 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b403774f..af9ee8070 100644 +index 8b403774f..fe21bfc46 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` 
@@ -32246,7 +32277,7 @@ index 8b403774f..af9ee8070 100644 # Xauth local policy # -+allow xauth_t self:capability { dac_read_search dac_override }; ++allow xauth_t self:capability { dac_read_search }; allow xauth_t self:process signal; +allow xauth_t self:shm create_shm_perms; allow xauth_t self:unix_stream_socket create_stream_socket_perms; @@ -32351,7 +32382,7 @@ index 8b403774f..af9ee8070 100644 -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; -+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace }; ++allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace }; +allow xdm_t self:capability2 { block_suspend }; +allow xdm_t self:cap_userns { kill }; +dontaudit xdm_t self:capability sys_admin; @@ -33025,7 +33056,7 @@ index 8b403774f..af9ee8070 100644 # NVIDIA Needs execstack -allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; -+allow xserver_t self:capability { sys_ptrace dac_read_search dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; ++allow xserver_t self:capability { sys_ptrace dac_read_search fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; + dontaudit xserver_t self:capability chown; +#allow xserver_t self:capability2 compromise_kernel; 
@@ -34736,7 +34767,7 @@ index 3efd5b669..a8cb6df3d 100644 + allow $1 login_pgm:key manage_key_perms; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791dcc..2d255df93 100644 +index 09b791dcc..598dd5ed1 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) @@ -34825,7 +34856,7 @@ index 09b791dcc..2d255df93 100644 # -allow chkpwd_t self:capability { dac_override setuid }; -+allow chkpwd_t self:capability { dac_read_search dac_override setuid }; ++allow chkpwd_t self:capability { dac_read_search setuid }; dontaudit chkpwd_t self:capability sys_tty_config; allow chkpwd_t self:process { getattr signal }; @@ -34947,7 +34978,7 @@ index 09b791dcc..2d255df93 100644 # -allow updpwd_t self:capability { chown dac_override }; -+allow updpwd_t self:capability { chown dac_read_search dac_override }; ++allow updpwd_t self:capability { chown dac_read_search }; allow updpwd_t self:process setfscreate; allow updpwd_t self:fifo_file rw_fifo_file_perms; allow updpwd_t self:unix_stream_socket create_stream_socket_perms; @@ -35294,15 +35325,18 @@ index d475c2deb..55305d5f3 100644 + files_etc_filetrans($1, adjtime_t, file, "adjtime" ) +') diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te -index edece47dc..2e7b81176 100644 +index edece47dc..d71651f31 100644 --- a/policy/modules/system/clock.te 
+++ b/policy/modules/system/clock.te -@@ -20,7 +20,7 @@ role system_r types hwclock_t; +@@ -18,9 +18,9 @@ role system_r types hwclock_t; + # Local policy + # - # Give hwclock the capabilities it requires. dac_override is a surprise, +-# Give hwclock the capabilities it requires. dac_override is a surprise, ++# Give hwclock the capabilities it requires. is a surprise, # but hwclock does require it. -allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config }; -+allow hwclock_t self:capability { dac_read_search dac_override sys_rawio sys_time sys_tty_config }; ++allow hwclock_t self:capability { dac_read_search sys_rawio sys_time sys_tty_config }; dontaudit hwclock_t self:capability sys_tty_config; allow hwclock_t self:process signal_perms; allow hwclock_t self:fifo_file rw_fifo_file_perms; @@ -35461,7 +35495,7 @@ index 016a770b9..3fce820a5 100644 + files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid") +') diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te -index 3f48d300a..cb4f966c0 100644 +index 3f48d300a..cf67cf714 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -13,9 +13,15 @@ role system_r types fsadm_t; @@ -35480,10 +35514,12 @@ index 3f48d300a..cb4f966c0 100644 type swapfile_t; # customizable files_type(swapfile_t) -@@ -26,6 +32,7 @@ files_type(swapfile_t) +@@ -25,7 +31,8 @@ files_type(swapfile_t) + # # ipc_lock is for losetup - allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search }; +-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search }; ++allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_read_search }; +dontaudit fsadm_t self:capability net_admin; allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap }; allow fsadm_t self:fd use; 
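Review bot: The comment above the `hwclock_t` rule in clock.te now reads `# Give hwclock the capabilities it requires. is a surprise,` followed by `# but hwclock does require it.`, because the word `dac_override` was deleted from the comment together with the capability. The old comment stated that hwclock does require `dac_override`, which is the opposite of what this change assumes, so that claim should be checked rather than edited away. If the capability is confirmed unnecessary, reduce the comment to `# Give hwclock the capabilities it requires.` and drop the `# but hwclock does require it.` line; otherwise keep `dac_override` in the rule.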
@@ -35686,7 +35722,7 @@ index e4376aa98..2c98c5647 100644 + allow $1 getty_unit_file_t:service start; +') diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te -index f6743ea19..ef08ff3cf 100644 +index f6743ea19..abcc39a8c 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te @@ -27,13 +27,24 @@ files_tmp_file(getty_tmp_t) @@ -35711,7 +35747,7 @@ index f6743ea19..ef08ff3cf 100644 # Use capabilities. -allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; -+allow getty_t self:capability { dac_read_search dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; ++allow getty_t self:capability { dac_read_search chown setgid sys_resource sys_tty_config fowner fsetid }; dontaudit getty_t self:capability sys_tty_config; allow getty_t self:process { getpgid setpgid getsession signal_perms }; allow getty_t self:fifo_file rw_fifo_file_perms; @@ -35888,18 +35924,21 @@ index 40eb10c60..2a0a32c2d 100644 corecmd_search_bin($1) diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te -index b2097e743..0a49e14ba 100644 +index b2097e743..8d66956d0 100644 --- a/policy/modules/system/hotplug.te 
+++ b/policy/modules/system/hotplug.te -@@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t) +@@ -23,9 +23,9 @@ files_pid_file(hotplug_var_run_t) # allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio }; -dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config }; +dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config }; # for access("/etc/bashrc", X_OK) on Red Hat - dontaudit hotplug_t self:capability { dac_override dac_read_search }; +-dontaudit hotplug_t self:capability { dac_override dac_read_search }; ++dontaudit hotplug_t self:capability { dac_read_search }; allow hotplug_t self:process { setpgid getsession getattr signal_perms }; + allow hotplug_t self:fifo_file rw_file_perms; + allow hotplug_t self:netlink_route_socket r_netlink_socket_perms; @@ -52,7 +52,6 @@ kernel_rw_net_sysctls(hotplug_t) files_read_kernel_modules(hotplug_t) @@ -39655,7 +39694,7 @@ index 0d4c8d35e..537aa4274 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 312cd0417..56961b493 100644 +index 312cd0417..27a5d0650 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) 
@@ -39685,7 +39724,7 @@ index 312cd0417..56961b493 100644 -allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; -dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; -allow ipsec_t self:process { getcap setcap getsched signal setsched }; -+allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid setgid }; ++allow ipsec_t self:capability { net_admin dac_read_search setpcap sys_nice net_raw setuid setgid }; +dontaudit ipsec_t self:capability sys_tty_config; +allow ipsec_t self:process { getcap setcap getsched signal signull setsched sigkill }; allow ipsec_t self:tcp_socket create_stream_socket_perms; @@ -39827,7 +39866,7 @@ index 312cd0417..56961b493 100644 -dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config }; -allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal }; -allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; -+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace }; ++allow ipsec_mgmt_t self:capability { dac_read_search net_admin setpcap sys_nice sys_ptrace }; +dontaudit ipsec_mgmt_t self:capability sys_tty_config; +allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal }; +allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -40140,10 +40179,10 @@ index c42fbc329..bf211dbee 100644 + files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock") +') diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index be8ed1e6c..73e51f7ef 100644 +index be8ed1e6c..1afb965b8 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te -@@ -16,15 +16,21 @@ role iptables_roles types iptables_t; +@@ -16,44 +16,61 @@ role iptables_roles types iptables_t; type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) 
@@ -40168,7 +40207,11 @@ index be8ed1e6c..73e51f7ef 100644 ######################################## # # Iptables local policy -@@ -35,25 +41,36 @@ dontaudit iptables_t self:capability sys_tty_config; + # + +-allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw }; ++allow iptables_t self:capability { dac_read_search net_admin net_raw }; + dontaudit iptables_t self:capability sys_tty_config; allow iptables_t self:fifo_file rw_fifo_file_perms; allow iptables_t self:process { sigchld sigkill sigstop signull signal }; allow iptables_t self:netlink_socket create_socket_perms; @@ -40928,7 +40971,7 @@ index 808ba93eb..b717d9709 100644 + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") +') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index 54f8fa5c8..e14ec857c 100644 +index 54f8fa5c8..7a660a06c 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t) @@ -40953,7 +40996,7 @@ index 54f8fa5c8..e14ec857c 100644 # -allow ldconfig_t self:capability { dac_override sys_chroot }; -+allow ldconfig_t self:capability { dac_read_search dac_override sys_chroot }; ++allow ldconfig_t self:capability { dac_read_search sys_chroot }; +manage_dirs_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) @@ -41130,7 +41173,7 @@ index 0e3c2a977..ea9bd57dc 100644 + userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") +') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 446fa9908..fcf08acb2 100644 +index 446fa9908..a0d1b1ff7 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) 
@@ -41165,7 +41208,7 @@ index 446fa9908..fcf08acb2 100644 -allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; -allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow local_login_t self:process { setrlimit setexec }; -+allow local_login_t self:capability { dac_read_search dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config }; ++allow local_login_t self:capability { dac_read_search chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config }; +allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap }; allow local_login_t self:fd use; allow local_login_t self:fifo_file rw_fifo_file_perms; @@ -41267,7 +41310,7 @@ index 446fa9908..fcf08acb2 100644 # -allow sulogin_t self:capability dac_override; -+allow sulogin_t self:capability { dac_read_search dac_override sys_admin }; ++allow sulogin_t self:capability { dac_read_search sys_admin }; allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow sulogin_t self:fd use; allow sulogin_t self:fifo_file rw_fifo_file_perms; @@ -42138,7 +42181,7 @@ index 4e9488463..2db173f77 100644 +') + diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1a2..ba742cd03 100644 +index 59b04c1a2..6ae1e2663 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) 
@@ -42221,8 +42264,12 @@ index 59b04c1a2..ba742cd03 100644 ifdef(`enable_mls',` init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh) init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh) -@@ -94,8 +129,11 @@ ifdef(`enable_mls',` - allow auditctl_t self:capability { fsetid dac_read_search dac_override }; +@@ -91,11 +126,14 @@ ifdef(`enable_mls',` + # Auditctl local policy + # + +-allow auditctl_t self:capability { fsetid dac_read_search dac_override }; ++allow auditctl_t self:capability { fsetid dac_read_search }; allow auditctl_t self:netlink_audit_socket nlmsg_readpriv; +allow auditctl_t self:process getcap; @@ -42304,7 +42351,7 @@ index 59b04c1a2..ba742cd03 100644 # -allow audisp_t self:capability { dac_override setpcap sys_nice }; -+allow audisp_t self:capability { dac_read_search dac_override setpcap sys_nice }; ++allow audisp_t self:capability { dac_read_search setpcap sys_nice }; allow audisp_t self:process { getcap signal_perms setcap setsched }; allow audisp_t self:fifo_file rw_fifo_file_perms; allow audisp_t self:unix_stream_socket create_stream_socket_perms; @@ -42393,7 +42440,7 @@ index 59b04c1a2..ba742cd03 100644 # sys_nice for rsyslog # cjp: why net_admin! -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid }; -+allow syslogd_t self:capability { sys_ptrace dac_read_search dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw }; ++allow syslogd_t self:capability { sys_ptrace dac_read_search sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw }; dontaudit syslogd_t self:capability sys_tty_config; +dontaudit syslogd_t self:cap_userns sys_ptrace; +allow syslogd_t self:capability2 { syslog block_suspend }; @@ -43095,7 +43142,7 @@ index 58bc27f22..90f567300 100644 + + 
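Review bot: The new `allow syslogd_t self:capability` set grants `sys_tty_config`, and the next line is `dontaudit syslogd_t self:capability sys_tty_config;`, so the dontaudit rule can never apply and a reader may take the capability for denied when it is granted. The same allow/dontaudit overlap is visible for `dhcpc_t` (`sys_tty_config` and `dac_read_search`), `abrt_t` (`sys_ptrace`), `httpd_t` and `bluetooth_t` (`sys_tty_config`). Decide per domain which of the two is intended and delete the other. The syslogd_t set also lists `setuid` and `setgid` twice, which can be dropped at the same time.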
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index 79048c410..924fa2e75 100644 +index 79048c410..d404d6528 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -43184,7 +43231,7 @@ index 79048c410..924fa2e75 100644 # rawio needed for dmraid # net_admin for multipath -allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin }; -+allow lvm_t self:capability { dac_read_search dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin }; ++allow lvm_t self:capability { dac_read_search fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin }; dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate }; # LVM will complain a lot if it cannot set its priority. @@ -44006,7 +44053,7 @@ index 7449974f6..b79290062 100644 + #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin") +') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 7a363b8b2..3a6ded940 100644 +index 7a363b8b2..69463d732 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0) @@ -44112,7 +44159,7 @@ index 7a363b8b2..3a6ded940 100644 # -allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config }; -+allow insmod_t self:capability { dac_read_search dac_override mknod net_raw sys_nice sys_tty_config }; ++allow insmod_t self:capability { dac_read_search mknod net_raw sys_nice sys_tty_config }; allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:udp_socket create_socket_perms; @@ -44687,7 +44734,7 @@ index 4584457b1..8f676d0c8 100644 ') + 
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 459a0efbc..ed4756edc 100644 +index 459a0efbc..816066d07 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -5,13 +5,6 @@ policy_module(mount, 1.16.1) @@ -44749,7 +44796,7 @@ index 459a0efbc..ed4756edc 100644 -# setuid/setgid needed to mount cifs -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; +# setuid/setgid needed to mount cifs -+allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid sys_nice }; ++allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_read_search chown sys_tty_config setuid setgid sys_nice }; +allow mount_t self:process { getcap getsched setsched setcap setrlimit signal }; +allow mount_t self:fifo_file rw_fifo_file_perms; +allow mount_t self:unix_stream_socket create_stream_socket_perms; @@ -46088,7 +46135,7 @@ index 38220721d..abac74231 100644 + allow semanage_t $1:dbus send_msg; +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index dc4642022..0e7086c60 100644 +index dc4642022..5b26b2de2 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,16 @@ gen_require(` @@ -46233,7 +46280,7 @@ index dc4642022..0e7086c60 100644 # -allow checkpolicy_t self:capability dac_override; -+allow checkpolicy_t self:capability { dac_read_search dac_override }; ++allow checkpolicy_t self:capability { dac_read_search }; # able to create and modify binary policy files manage_files_pattern(checkpolicy_t, policy_config_t, policy_config_t) 
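Review bot: `{ dac_read_search }` in the `checkpolicy_t` rule is a one-element set, with the braces left over from deleting `dac_override`. It reads more plainly as `allow checkpolicy_t self:capability dac_read_search;`, which matches single-permission rules elsewhere in this patch such as `dontaudit lvm_t self:capability sys_tty_config;`. The same leftover appears for `load_policy_t`, `run_init_t`, `userdom_security_admin`, `httpd_rotatelogs_t`, `backup_t`, `calamaris_t` and `cachefiles_kernel_t`.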
@@ -46259,7 +46306,7 @@ index dc4642022..0e7086c60 100644 # -allow load_policy_t self:capability dac_override; -+allow load_policy_t self:capability { dac_read_search dac_override }; ++allow load_policy_t self:capability { dac_read_search }; # only allow read of policy config files read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t) @@ -46311,7 +46358,7 @@ index dc4642022..0e7086c60 100644 # -allow newrole_t self:capability { fowner setuid setgid dac_override }; -+allow newrole_t self:capability { fowner setpcap setuid setgid dac_read_search dac_override }; ++allow newrole_t self:capability { fowner setpcap setuid setgid dac_read_search }; allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow newrole_t self:process setexec; allow newrole_t self:fd use; @@ -46383,6 +46430,15 @@ index dc4642022..0e7086c60 100644 files_polyinstantiate_all(newrole_t) ') +@@ -318,7 +362,7 @@ tunable_policy(`allow_polyinstantiation',` + # Restorecond local policy + # + +-allow restorecond_t self:capability { dac_override dac_read_search fowner }; ++allow restorecond_t self:capability { dac_read_search fowner }; + allow restorecond_t self:fifo_file rw_fifo_file_perms; + + allow restorecond_t restorecond_var_run_t:file manage_file_perms; @@ -328,9 +372,13 @@ kernel_use_fds(restorecond_t) kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) 
@@ -46434,10 +46490,11 @@ index dc4642022..0e7086c60 100644 # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit # the failed access to the current directory - dontaudit run_init_t self:capability { dac_override dac_read_search }; - -+kernel_dontaudit_getattr_core_if(run_init_t) +-dontaudit run_init_t self:capability { dac_override dac_read_search }; ++dontaudit run_init_t self:capability { dac_read_search }; + ++kernel_dontaudit_getattr_core_if(run_init_t) + corecmd_exec_bin(run_init_t) corecmd_exec_shell(run_init_t) @@ -46763,7 +46820,7 @@ index dc4642022..0e7086c60 100644 +# +# Setfiles common policy +# -+allow setfiles_domain self:capability { dac_override dac_read_search fowner }; ++allow setfiles_domain self:capability { dac_read_search fowner }; +dontaudit setfiles_domain self:capability sys_tty_config; +allow setfiles_domain self:fifo_file rw_file_perms; +dontaudit setfiles_domain self:dir relabelfrom; @@ -46875,7 +46932,7 @@ index dc4642022..0e7086c60 100644 + dbus_read_pid_files(setfiles_domain) ') -+allow policy_manager_domain self:capability { dac_read_search dac_override sys_nice sys_resource }; ++allow policy_manager_domain self:capability { dac_read_search sys_nice sys_resource }; +dontaudit policy_manager_domain self:capability sys_tty_config; +allow policy_manager_domain self:process { signal setsched }; +allow policy_manager_domain self:unix_stream_socket create_stream_socket_perms; @@ -47651,7 +47708,7 @@ index 2cea692c0..e3cb4f2ef 100644 + files_etc_filetrans($1, net_conf_t, file) +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4bc..95c64150b 100644 +index a392fc4bc..d29b7f6fb 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) 
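Review bot: Removing `dac_override` from `dontaudit run_init_t self:capability` takes no privilege away, since a dontaudit rule only suppresses logging of a denial and no allow rule for the capability is visible in this hunk. The comment directly above says failed access to the current directory should not be audited. If the kernel still checks `dac_override` after `dac_read_search` is refused (to be confirmed for the target kernel), those denials will now show up in the audit log. The `dontaudit apmd_t self:capability` rule in apm.te gets the same edit. I would keep both dontaudit rules as they were, e.g. `dontaudit run_init_t self:capability { dac_override dac_read_search };`.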
@@ -47699,7 +47756,7 @@ index a392fc4bc..95c64150b 100644 # -allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config }; -dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace }; -+allow dhcpc_t self:capability { dac_read_search dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config }; ++allow dhcpc_t self:capability { dac_read_search fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config }; +dontaudit dhcpc_t self:capability sys_tty_config; # for access("/etc/bashrc", X_OK) on Red Hat dontaudit dhcpc_t self:capability { dac_read_search sys_module }; @@ -50034,7 +50091,7 @@ index 000000000..634d9596a +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 000000000..1927b4fc0 +index 000000000..3660fe1c4 --- /dev/null +++ b/policy/modules/system/systemd.te @@ -0,0 +1,1025 @@ @@ -50195,7 +50252,7 @@ index 000000000..1927b4fc0 +# Systemd_logind local policy +# + -+# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER) ++# is for /run/user/$USER ($USER ownership is $USER:$USER) +allow systemd_logind_t self:capability { chown kill dac_read_search dac_override fowner sys_tty_config sys_admin }; +allow systemd_logind_t self:capability2 block_suspend; +allow systemd_logind_t self:process getcap; @@ -50363,7 +50420,7 @@ index 000000000..1927b4fc0 +# systemd_machined local policy +# + -+allow systemd_machined_t self:capability { dac_read_search dac_override setgid sys_admin sys_chroot sys_ptrace kill }; ++allow systemd_machined_t self:capability { dac_read_search setgid sys_admin sys_chroot sys_ptrace kill }; +allow systemd_machined_t systemd_unit_file_t:service { status start }; +allow systemd_machined_t self:unix_dgram_socket create_socket_perms; + 
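Review bot: The comment above the `systemd_logind_t` capability rule now reads `# is for /run/user/$USER ($USER ownership is $USER:$USER)`, with the word `dac_override` stripped out, while the rule on the next line still grants `dac_override`. It looks as if the bulk removal also hit the comment text, so the rationale for the one capability this domain keeps is no longer readable. Restore it as `# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)`.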
@@ -50481,7 +50538,7 @@ index 000000000..1927b4fc0 +# Local policy +# + -+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_read_search dac_override }; ++allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_read_search }; +allow systemd_passwd_agent_t self:process { setsockcreate }; +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms; + @@ -50525,7 +50582,7 @@ index 000000000..1927b4fc0 +# Local policy +# + -+allow systemd_tmpfiles_t self:capability { chown dac_read_search dac_override fsetid fowner mknod sys_admin }; ++allow systemd_tmpfiles_t self:capability { chown dac_read_search fsetid fowner mknod sys_admin }; +allow systemd_tmpfiles_t self:process { setfscreate }; + +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms; @@ -50796,7 +50853,7 @@ index 000000000..1927b4fc0 +# Timedated policy +# + -+allow systemd_timedated_t self:capability { sys_nice sys_time dac_read_search dac_override }; ++allow systemd_timedated_t self:capability { sys_nice sys_time dac_read_search }; +allow systemd_timedated_t self:process { getattr getsched setfscreate }; +allow systemd_timedated_t self:fifo_file rw_fifo_file_perms; +allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms; @@ -51361,7 +51418,7 @@ index 9a1650d37..d7e8a0193 100644 ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index 39f185f68..a313a7d1a 100644 +index 39f185f68..815aada78 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t) 
@@ -51390,7 +51447,7 @@ index 39f185f68..a313a7d1a 100644 # -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; -+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice }; ++allow udev_t self:capability { chown dac_read_search dac_override fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice }; +allow udev_t self:capability2 { block_suspend wake_alarm }; dontaudit udev_t self:capability sys_tty_config; -allow udev_t self:capability2 block_suspend; @@ -52479,7 +52536,7 @@ index db7597682..c54480a1d 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6c0..6a26bba87 100644 +index 9dc60c6c0..1d1213e00 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -54094,15 +54151,17 @@ index 9dc60c6c0..6a26bba87 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1240,7 +1714,7 @@ template(`userdom_admin_user_template',` +@@ -1240,8 +1714,8 @@ template(`userdom_admin_user_template',` ## ## # -template(`userdom_security_admin_template',` +- allow $1 self:capability { dac_read_search dac_override }; +template(`userdom_security_admin',` - allow $1 self:capability { dac_read_search dac_override }; ++ allow $1 self:capability { dac_read_search }; corecmd_exec_shell($1) + @@ -1250,6 +1724,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) 
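Review bot: The `udev_t` line only swaps the order of `dac_override` and `dac_read_search`; the domain still holds `dac_override`, and nothing says why it is exempt from the removal applied to the other domains. A short comment above the rule, for example `# dac_override kept for udev_t: <reason or bug reference>`, would let a later audit tell a deliberate exception from an oversight. `sys_nice` is also listed twice in the set.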
@@ -57575,7 +57634,7 @@ index 9dc60c6c0..6a26bba87 100644 +## +# +template(`userdom_security_admin_template',` -+ allow $1 self:capability { dac_read_search dac_override }; ++ allow $1 self:capability { dac_read_search }; + + corecmd_exec_shell($1) + diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index e27883e..a5dfd76 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -589,7 +589,7 @@ index 058d908e4..ee0c55969 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f070f..5c05075a4 100644 +index eb50f070f..aa5b1112e 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -718,7 +718,7 @@ index eb50f070f..5c05075a4 100644 -allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; -dontaudit abrt_t self:capability sys_rawio; -+allow abrt_t self:capability { chown dac_read_search dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace }; ++allow abrt_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace }; +dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace }; allow abrt_t self:process { setpgid sigkill signal signull setsched getsched }; + @@ -1082,7 +1082,7 @@ index eb50f070f..5c05075a4 100644 # -allow abrt_dump_oops_t self:capability dac_override; -+allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_read_search dac_override setuid setgid }; ++allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_read_search setuid setgid }; +allow abrt_dump_oops_t self:cap_userns { kill sys_ptrace }; +allow abrt_dump_oops_t self:process {setfscreate setcap}; allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms; 
@@ -1184,7 +1184,7 @@ index eb50f070f..5c05075a4 100644 # Upload watch local policy # -+allow abrt_upload_watch_t self:capability { dac_read_search dac_override chown fsetid }; ++allow abrt_upload_watch_t self:capability { dac_read_search chown fsetid }; + +manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) +manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) @@ -1300,7 +1300,7 @@ index bd5ec9ab0..554177cd2 100644 + allow $1 accountsd_unit_file_t:service all_service_perms; ') diff --git a/accountsd.te b/accountsd.te -index 3593510d8..7c13845fd 100644 +index 3593510d8..15ce4ef6c 100644 --- a/accountsd.te +++ b/accountsd.te @@ -4,6 +4,10 @@ gen_require(` @@ -1334,7 +1334,7 @@ index 3593510d8..7c13845fd 100644 # -allow accountsd_t self:capability { chown dac_override setuid setgid sys_ptrace }; -+allow accountsd_t self:capability { chown dac_read_search dac_override setuid setgid sys_ptrace }; ++allow accountsd_t self:capability { chown dac_read_search setuid setgid sys_ptrace }; allow accountsd_t self:process signal; allow accountsd_t self:fifo_file rw_fifo_file_perms; allow accountsd_t self:passwd { rootok passwd chfn chsh }; @@ -1542,7 +1542,7 @@ index 3b41be699..97d99f979 100644 afs_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/afs.te b/afs.te -index 90ce63748..8cf712d15 100644 +index 90ce63748..9855b3b11 100644 --- a/afs.te +++ b/afs.te @@ -72,7 +72,7 @@ role system_r types afs_vlserver_t; @@ -1550,7 +1550,7 @@ index 90ce63748..8cf712d15 100644 # -allow afs_t self:capability { dac_override sys_admin sys_nice sys_tty_config }; -+allow afs_t self:capability { dac_read_search dac_override sys_admin sys_nice sys_tty_config }; ++allow afs_t self:capability { dac_read_search sys_admin sys_nice sys_tty_config }; allow afs_t self:process { setsched signal }; allow afs_t self:fifo_file rw_file_perms; allow afs_t self:unix_stream_socket { accept listen }; 
@@ -1624,7 +1624,7 @@ index 90ce63748..8cf712d15 100644 # -allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice }; -+allow afs_fsserver_t self:capability { kill dac_read_search dac_override chown fowner sys_nice }; ++allow afs_fsserver_t self:capability { kill dac_read_search chown fowner sys_nice }; dontaudit afs_fsserver_t self:capability fsetid; allow afs_fsserver_t self:process { setsched signal_perms }; allow afs_fsserver_t self:fifo_file rw_fifo_file_perms; @@ -1810,7 +1810,7 @@ index 01cbb67df..94a4a2406 100644 files_list_etc($1) diff --git a/aide.te b/aide.te -index 03831e6e5..3d35fff8e 100644 +index 03831e6e5..d97de5ad7 100644 --- a/aide.te +++ b/aide.te @@ -10,6 +10,7 @@ attribute_role aide_roles; @@ -1826,7 +1826,7 @@ index 03831e6e5..3d35fff8e 100644 # -allow aide_t self:capability { dac_override fowner }; -+allow aide_t self:capability { dac_read_search dac_override fowner ipc_lock sys_admin }; ++allow aide_t self:capability { dac_read_search fowner ipc_lock sys_admin }; +allow aide_t self:process signal; manage_files_pattern(aide_t, aide_db_t, aide_db_t) @@ -2220,7 +2220,7 @@ index ca8d8cf3b..053a30ad4 100644 ######################################### diff --git a/alsa.te b/alsa.te -index 4b153f179..a799cd394 100644 +index 4b153f179..9a0043caa 100644 --- a/alsa.te +++ b/alsa.te @@ -15,6 +15,9 @@ role alsa_roles types alsa_t; @@ -2253,7 +2253,7 @@ index 4b153f179..a799cd394 100644 -allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner }; -dontaudit alsa_t self:capability sys_admin; -+allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner sys_nice }; ++allow alsa_t self:capability { dac_read_search setgid setuid ipc_owner sys_nice }; +dontaudit alsa_t self:capability { sys_tty_config sys_admin }; +allow alsa_t self:process { getsched setsched signal_perms }; allow alsa_t self:sem create_sem_perms; 
@@ -2321,7 +2321,7 @@ index 7f4dfbca3..e5c9f45b8 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) diff --git a/amanda.te b/amanda.te -index 519051c7d..89302e2d9 100644 +index 519051c7d..96bbc0825 100644 --- a/amanda.te +++ b/amanda.te @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles; @@ -2358,7 +2358,7 @@ index 519051c7d..89302e2d9 100644 -allow amanda_t self:capability { chown dac_override setuid kill }; -allow amanda_t self:process { setpgid signal }; -+allow amanda_t self:capability { chown dac_read_search dac_override setuid kill sys_admin }; ++allow amanda_t self:capability { chown dac_read_search setuid kill sys_admin }; +allow amanda_t self:process { getsched setsched setpgid signal }; allow amanda_t self:fifo_file rw_fifo_file_perms; allow amanda_t self:unix_stream_socket { accept listen }; @@ -2428,7 +2428,7 @@ index 519051c7d..89302e2d9 100644 # -allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override }; -+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_read_search dac_override }; ++allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_read_search }; allow amanda_recover_t self:process { sigkill sigstop signal }; allow amanda_recover_t self:fifo_file rw_fifo_file_perms; allow amanda_recover_t self:unix_stream_socket create_socket_perms; @@ -2531,7 +2531,7 @@ index 60d4f8c90..18ef0772c 100644 domain_system_change_exemption($1) role_transition $2 amavis_initrc_exec_t system_r; diff --git a/amavis.te b/amavis.te -index 91fa72ae1..1736250ae 100644 +index 91fa72ae1..2e9b8246a 100644 --- a/amavis.te +++ b/amavis.te @@ -39,14 +39,14 @@ type amavis_quarantine_t; 
@@ -2547,7 +2547,7 @@ index 91fa72ae1..1736250ae 100644 # -allow amavis_t self:capability { kill chown dac_override setgid setuid }; -+allow amavis_t self:capability { kill chown dac_read_search dac_override setgid setuid }; ++allow amavis_t self:capability { kill chown dac_read_search setgid setuid }; dontaudit amavis_t self:capability sys_tty_config; allow amavis_t self:process signal_perms; allow amavis_t self:fifo_file rw_fifo_file_perms; @@ -3284,7 +3284,7 @@ index 000000000..36251b926 +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 000000000..d202f695a +index 000000000..28cdddda9 --- /dev/null +++ b/antivirus.te @@ -0,0 +1,274 @@ @@ -3354,7 +3354,7 @@ index 000000000..d202f695a +# antivirus domain local policy +# + -+allow antivirus_domain self:capability { dac_read_search dac_override chown kill fsetid setgid setuid sys_admin }; ++allow antivirus_domain self:capability { dac_read_search chown kill fsetid setgid setuid sys_admin }; +dontaudit antivirus_domain self:capability sys_tty_config; +allow antivirus_domain self:process signal_perms; + @@ -5615,7 +5615,7 @@ index f6eb4851f..3628a384f 100644 + allow $1 httpd_t:process { noatsecure }; ') diff --git a/apache.te b/apache.te -index 6649962b6..1a0189a44 100644 +index 6649962b6..721dab24b 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) 
@@ -6253,7 +6253,7 @@ index 6649962b6..1a0189a44 100644 -allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; -dontaudit httpd_t self:capability net_admin; -+allow httpd_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot }; ++allow httpd_t self:capability { chown dac_read_search kill setgid setuid sys_nice sys_tty_config sys_chroot }; +dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; @@ -7761,7 +7761,7 @@ index 6649962b6..1a0189a44 100644 # -allow httpd_rotatelogs_t self:capability dac_override; -+allow httpd_rotatelogs_t self:capability { dac_read_search dac_override }; ++allow httpd_rotatelogs_t self:capability { dac_read_search }; manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) @@ -8134,7 +8134,7 @@ index f3c0abac6..f6e25eda4 100644 + files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail") ') diff --git a/apcupsd.te b/apcupsd.te -index 080bc4ddb..a78dbced6 100644 +index 080bc4ddb..b73cf151d 100644 --- a/apcupsd.te +++ b/apcupsd.te @@ -24,12 +24,18 @@ files_tmp_file(apcupsd_tmp_t) @@ -8153,7 +8153,7 @@ index 080bc4ddb..a78dbced6 100644 # -allow apcupsd_t self:capability { dac_override setgid sys_tty_config }; -+allow apcupsd_t self:capability { dac_read_search dac_override setgid sys_tty_config }; ++allow apcupsd_t self:capability { dac_read_search setgid sys_tty_config }; allow apcupsd_t self:process signal; allow apcupsd_t self:fifo_file rw_file_perms; allow apcupsd_t self:unix_stream_socket create_stream_socket_perms; @@ -8349,7 +8349,7 @@ index 1a7a97e5c..2c7252a39 100644 domain_system_change_exemption($1) role_transition $2 apmd_initrc_exec_t system_r; 
diff --git a/apm.te b/apm.te -index 7fd431bcd..f944eccf1 100644 +index 7fd431bcd..ffb0792b8 100644 --- a/apm.te +++ b/apm.te @@ -35,12 +35,15 @@ files_type(apmd_var_lib_t) @@ -8365,7 +8365,7 @@ index 7fd431bcd..f944eccf1 100644 # -allow apm_t self:capability { dac_override sys_admin }; -+allow apm_t self:capability { dac_read_search dac_override sys_admin sys_resource }; ++allow apm_t self:capability { dac_read_search sys_admin sys_resource }; kernel_read_system_state(apm_t) @@ -8385,7 +8385,7 @@ index 7fd431bcd..f944eccf1 100644 -allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; -dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; +allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod sys_resource }; -+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config }; ++dontaudit apmd_t self:capability { setuid dac_read_search sys_tty_config }; allow apmd_t self:process { signal_perms getsession }; allow apmd_t self:fifo_file rw_fifo_file_perms; allow apmd_t self:netlink_socket create_socket_perms; @@ -8478,7 +8478,7 @@ index cde81d248..2fe02018a 100644 ') diff --git a/apt.te b/apt.te -index efa853059..ae5d0c9f2 100644 +index efa853059..68f2e3676 100644 --- a/apt.te +++ b/apt.te @@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t) @@ -8486,7 +8486,7 @@ index efa853059..ae5d0c9f2 100644 # -allow apt_t self:capability { chown dac_override fowner fsetid }; -+allow apt_t self:capability { chown dac_read_search dac_override fowner fsetid }; ++allow apt_t self:capability { chown dac_read_search fowner fsetid }; allow apt_t self:process { signal setpgid fork }; allow apt_t self:fd use; allow apt_t self:fifo_file rw_fifo_file_perms; @@ -8686,7 +8686,7 @@ index 2077053ea..198a02ab4 100644 domain_system_change_exemption($1) role_transition $2 asterisk_initrc_exec_t system_r; 
diff --git a/asterisk.te b/asterisk.te -index 7e4135022..1e0f4c49b 100644 +index 7e4135022..a0ff3fc8f 100644 --- a/asterisk.te +++ b/asterisk.te @@ -19,7 +19,7 @@ type asterisk_log_t; @@ -8703,7 +8703,7 @@ index 7e4135022..1e0f4c49b 100644 # -allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin }; -+allow asterisk_t self:capability { dac_read_search dac_override chown setgid setuid sys_nice net_admin }; ++allow asterisk_t self:capability { dac_read_search chown setgid setuid sys_nice net_admin }; dontaudit asterisk_t self:capability { sys_module sys_tty_config }; allow asterisk_t self:process { getsched setsched signal_perms getcap setcap }; allow asterisk_t self:fifo_file rw_fifo_file_perms; @@ -9046,7 +9046,7 @@ index f24e36960..4484a98da 100644 + allow $1 automount_unit_file_t:service all_service_perms; ') diff --git a/automount.te b/automount.te -index 27d2f400b..f74f75f1b 100644 +index 27d2f400b..bc3619c20 100644 --- a/automount.te +++ b/automount.te @@ -22,6 +22,9 @@ type automount_tmp_t; @@ -9064,7 +9064,7 @@ index 27d2f400b..f74f75f1b 100644 # -allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin }; -+allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_read_search dac_override sys_admin }; ++allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_read_search sys_admin }; +allow automount_t self:capability2 block_suspend; dontaudit automount_t self:capability sys_tty_config; allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit }; @@ -9210,7 +9210,7 @@ index 9078c3d85..2f6b2503e 100644 + allow $1 avahi_unit_file_t:service all_service_perms; ') diff --git a/avahi.te b/avahi.te -index b8355b32f..51ce1b60f 100644 +index b8355b32f..7137937b9 100644 --- a/avahi.te +++ b/avahi.te @@ -13,17 +13,21 @@ type avahi_initrc_exec_t; 
@@ -9233,7 +9233,7 @@ index b8355b32f..51ce1b60f 100644 # -allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot }; -+allow avahi_t self:capability { dac_read_search dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot }; ++allow avahi_t self:capability { dac_read_search setgid chown fowner kill net_admin net_raw setuid sys_chroot }; dontaudit avahi_t self:capability sys_tty_config; allow avahi_t self:process { setrlimit signal_perms getcap setcap }; allow avahi_t self:fifo_file rw_fifo_file_perms; @@ -9345,7 +9345,7 @@ index c1b16c392..ffbf2cb8f 100644 +read_files_pattern(awstats_script_t, awstats_var_lib_t, awstats_var_lib_t) +files_search_var_lib(awstats_script_t) diff --git a/backup.te b/backup.te -index 7811450b6..e78703340 100644 +index 7811450b6..c9da8d3d0 100644 --- a/backup.te +++ b/backup.te @@ -21,7 +21,7 @@ files_type(backup_store_t) @@ -9353,7 +9353,7 @@ index 7811450b6..e78703340 100644 # -allow backup_t self:capability dac_override; -+allow backup_t self:capability { dac_read_search dac_override }; ++allow backup_t self:capability { dac_read_search }; allow backup_t self:process signal; allow backup_t self:fifo_file rw_fifo_file_perms; allow backup_t self:tcp_socket create_socket_perms; @@ -9400,7 +9400,7 @@ index dcd774ee4..c240ffaf6 100644 allow $1 bacula_t:process { ptrace signal_perms }; diff --git a/bacula.te b/bacula.te -index f16b00008..1a7c80f01 100644 +index f16b00008..db82cfb6a 100644 --- a/bacula.te +++ b/bacula.te @@ -27,6 +27,9 @@ type bacula_store_t; 
@@ -9426,7 +9426,7 @@ index f16b00008..1a7c80f01 100644 # -allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid}; -+allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid setgid setuid}; ++allow bacula_t self:capability { dac_read_search chown fowner fsetid setgid setuid}; allow bacula_t self:process signal; allow bacula_t self:fifo_file rw_fifo_file_perms; allow bacula_t self:tcp_socket { accept listen }; @@ -9950,7 +9950,7 @@ index 531a8f244..3fcf18722 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 124112346..57a8b4484 100644 +index 124112346..6a704537e 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -10092,7 +10092,7 @@ index 124112346..57a8b4484 100644 -allow ndc_t self:capability { dac_override net_admin }; -allow ndc_t self:process signal_perms; -+allow ndc_t self:capability { dac_read_search dac_override net_admin }; ++allow ndc_t self:capability { dac_read_search net_admin }; +allow ndc_t self:capability2 block_suspend; +allow ndc_t self:process { fork signal_perms }; allow ndc_t self:fifo_file rw_fifo_file_perms; @@ -10174,7 +10174,7 @@ index e73fb799e..2badfc0d9 100644 domain_system_change_exemption($1) role_transition $2 bitlbee_initrc_exec_t system_r; diff --git a/bitlbee.te b/bitlbee.te -index f5c1a48b6..102fa8eae 100644 +index f5c1a48b6..dbc347918 100644 --- a/bitlbee.te +++ b/bitlbee.te @@ -33,11 +33,14 @@ files_pid_file(bitlbee_var_run_t) @@ -10182,7 +10182,7 @@ index f5c1a48b6..102fa8eae 100644 # -allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice }; -+allow bitlbee_t self:capability { dac_read_search dac_override kill setgid setuid sys_nice }; ++allow bitlbee_t self:capability { dac_read_search kill setgid setuid sys_nice }; allow bitlbee_t self:process { setsched signal }; + allow bitlbee_t self:fifo_file rw_fifo_file_perms; 
@@ -10710,7 +10710,7 @@ index c723a0ae0..1c29d21e7 100644 + allow $1 bluetooth_unit_file_t:service all_service_perms; ') diff --git a/bluetooth.te b/bluetooth.te -index 851769e55..9db73ae8a 100644 +index 851769e55..45de12d70 100644 --- a/bluetooth.te +++ b/bluetooth.te @@ -49,12 +49,15 @@ files_type(bluetooth_var_lib_t) @@ -10726,7 +10726,7 @@ index 851769e55..9db73ae8a 100644 # -allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock }; -+allow bluetooth_t self:capability { dac_read_search dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock }; ++allow bluetooth_t self:capability { dac_read_search net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock }; dontaudit bluetooth_t self:capability sys_tty_config; allow bluetooth_t self:process { getcap setcap getsched signal_perms }; allow bluetooth_t self:fifo_file rw_fifo_file_perms; @@ -12062,7 +12062,7 @@ index 8de2ab9c5..3b419455f 100644 + domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t) ') diff --git a/cachefilesd.te b/cachefilesd.te -index a3760bc92..22ed920b7 100644 +index a3760bc92..f2fc5b2f3 100644 --- a/cachefilesd.te +++ b/cachefilesd.te @@ -1,52 +1,125 @@ @@ -12138,7 +12138,7 @@ index a3760bc92..22ed920b7 100644 +# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow +# rules. +# -+allow cachefilesd_t self:capability { setuid setgid sys_admin dac_read_search dac_override }; ++allow cachefilesd_t self:capability { setuid setgid sys_admin dac_read_search }; +allow cachefilesd_t self:process signal_perms; +# Allow manipulation of pid file 
@@ -12200,7 +12200,7 @@ index a3760bc92..22ed920b7 100644 +# This governs what the kernel module is allowed to do the contents of the +# cache. +# -+allow cachefiles_kernel_t self:capability { dac_override dac_read_search }; ++allow cachefiles_kernel_t self:capability { dac_read_search }; -optional_policy(` - rpm_use_script_fds(cachefilesd_t) @@ -12227,7 +12227,7 @@ index cd9c52871..ba793b748 100644 ') diff --git a/calamaris.te b/calamaris.te -index 7e574604b..8d8cd78e5 100644 +index 7e574604b..66915d96c 100644 --- a/calamaris.te +++ b/calamaris.te @@ -23,7 +23,7 @@ files_type(calamaris_www_t) @@ -12235,7 +12235,7 @@ index 7e574604b..8d8cd78e5 100644 # -allow calamaris_t self:capability dac_override; -+allow calamaris_t self:capability { dac_read_search dac_override }; ++allow calamaris_t self:capability { dac_read_search }; allow calamaris_t self:process { signal_perms setsched }; allow calamaris_t self:fifo_file rw_fifo_file_perms; allow calamaris_t self:unix_stream_socket { accept listen }; @@ -12422,7 +12422,7 @@ index fbc20f694..4de4a005c 100644 ps_process_pattern($2, cdrecord_t) ') diff --git a/cdrecord.te b/cdrecord.te -index 16883c9c3..97e9a429e 100644 +index 16883c9c3..96f86d07b 100644 --- a/cdrecord.te +++ b/cdrecord.te @@ -29,7 +29,7 @@ role cdrecord_roles types cdrecord_t; @@ -12430,7 +12430,7 @@ index 16883c9c3..97e9a429e 100644 # -allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio }; -+allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_read_search dac_override sys_rawio }; ++allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_read_search sys_rawio }; allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill }; allow cdrecord_t self:unix_stream_socket { accept listen }; @@ -12493,9 +12493,18 @@ index 0c53b189b..ef29f6e6c 100644 domain_system_change_exemption($1) role_transition $2 certmaster_initrc_exec_t system_r; 
diff --git a/certmaster.te b/certmaster.te -index 4a878730b..113f3b32f 100644 +index 4a878730b..59890995f 100644 --- a/certmaster.te +++ b/certmaster.te +@@ -29,7 +29,7 @@ files_pid_file(certmaster_var_run_t) + # Local policy + # + +-allow certmaster_t self:capability { dac_read_search dac_override sys_tty_config }; ++allow certmaster_t self:capability { dac_read_search sys_tty_config }; + allow certmaster_t self:tcp_socket { accept listen }; + + list_dirs_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t) @@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t) dev_read_urand(certmaster_t) @@ -12556,7 +12565,7 @@ index 008f8ef26..144c0740a 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 550b287ce..c2433ff15 100644 +index 550b287ce..73104ec93 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t) @@ -12575,7 +12584,7 @@ index 550b287ce..c2433ff15 100644 # -allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice }; -+allow certmonger_t self:capability { chown dac_override dac_read_search setgid setuid kill sys_nice }; ++allow certmonger_t self:capability { chown dac_read_search setgid setuid kill sys_nice }; dontaudit certmonger_t self:capability sys_tty_config; allow certmonger_t self:capability2 block_suspend; + @@ -12732,7 +12741,7 @@ index 550b287ce..c2433ff15 100644 + ') +') diff --git a/certwatch.te b/certwatch.te -index 171fafb99..e3986fd2e 100644 +index 171fafb99..38614a0e9 100644 --- a/certwatch.te +++ b/certwatch.te @@ -18,35 +18,47 @@ role certwatch_roles types certwatch_t; 
@@ -12740,7 +12749,7 @@ index 171fafb99..e3986fd2e 100644 # -allow certwatch_t self:capability sys_nice; -+allow certwatch_t self:capability { dac_read_search dac_override sys_nice }; ++allow certwatch_t self:capability { dac_read_search sys_nice }; allow certwatch_t self:process { setsched getsched }; +allow certwatch_t self:tcp_socket create_stream_socket_perms; @@ -13114,7 +13123,7 @@ index 85ca63f9a..1d1c99c8f 100644 admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) files_list_etc($1) diff --git a/cgroup.te b/cgroup.te -index 80a88a27a..514eb47f2 100644 +index 80a88a27a..9d59bfa0e 100644 --- a/cgroup.te +++ b/cgroup.te @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) @@ -13128,9 +13137,12 @@ index 80a88a27a..514eb47f2 100644 init_daemon_domain(cgconfig_t, cgconfig_exec_t) type cgconfig_initrc_exec_t; -@@ -42,10 +42,12 @@ files_config_file(cgconfig_etc_t) +@@ -40,12 +40,14 @@ files_config_file(cgconfig_etc_t) + # cgclear local policy + # - allow cgclear_t self:capability { dac_read_search dac_override sys_admin }; +-allow cgclear_t self:capability { dac_read_search dac_override sys_admin }; ++allow cgclear_t self:capability { dac_read_search sys_admin }; -allow cgclear_t cgconfig_etc_t:file read_file_perms; +read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t) @@ -13147,7 +13159,7 @@ index 80a88a27a..514eb47f2 100644 # -allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config }; -+allow cgconfig_t self:capability { dac_read_search dac_override fowner fsetid chown sys_admin sys_tty_config }; ++allow cgconfig_t self:capability { dac_read_search fowner fsetid chown sys_admin sys_tty_config }; allow cgconfig_t cgconfig_etc_t:file read_file_perms; 
@@ -13168,7 +13180,7 @@ index 80a88a27a..514eb47f2 100644 # # cgred local policy # -+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_read_search dac_override sys_ptrace }; ++allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_read_search sys_ptrace }; +allow cgred_t self:process signal_perms; -allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override }; @@ -13358,7 +13370,7 @@ index 000000000..aa308eba6 +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 000000000..435a5cdc1 +index 000000000..ca526f823 --- /dev/null +++ b/chrome.te @@ -0,0 +1,256 @@ @@ -13396,7 +13408,7 @@ index 000000000..435a5cdc1 +# chrome_sandbox local policy +# +allow chrome_sandbox_t self:capability2 block_suspend; -+allow chrome_sandbox_t self:capability { chown dac_read_search dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; ++allow chrome_sandbox_t self:capability { chown dac_read_search fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; +dontaudit chrome_sandbox_t self:capability sys_nice; +allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; +allow chrome_sandbox_t self:process setsched; @@ -14465,7 +14477,7 @@ index 4cc4a5cd0..a6c632290 100644 + ') diff --git a/clamav.te b/clamav.te -index ce3836acd..10595e6e5 100644 +index ce3836acd..237fc8bf0 100644 --- a/clamav.te +++ b/clamav.te @@ -18,7 +18,7 @@ gen_tunable(clamav_read_all_non_security_files_clamscan, false) @@ -14492,7 +14504,7 @@ index ce3836acd..10595e6e5 100644 # -allow clamd_t self:capability { kill setgid setuid dac_override }; -+allow clamd_t self:capability { kill setgid setuid dac_read_search dac_override }; ++allow clamd_t self:capability { kill setgid setuid dac_read_search }; dontaudit clamd_t self:capability sys_tty_config; allow clamd_t self:process signal; + 
@@ -14570,7 +14582,7 @@ index ce3836acd..10595e6e5 100644 # -allow freshclam_t self:capability { setgid setuid dac_override }; -+allow freshclam_t self:capability { setgid setuid dac_read_search dac_override }; ++allow freshclam_t self:capability { setgid setuid dac_read_search }; allow freshclam_t self:fifo_file rw_fifo_file_perms; allow freshclam_t self:unix_stream_socket { accept listen }; allow freshclam_t self:tcp_socket { accept listen }; @@ -14598,7 +14610,7 @@ index ce3836acd..10595e6e5 100644 # -allow clamscan_t self:capability { setgid setuid dac_override }; -+allow clamscan_t self:capability { setgid setuid dac_read_search dac_override }; ++allow clamscan_t self:capability { setgid setuid dac_read_search }; allow clamscan_t self:fifo_file rw_fifo_file_perms; allow clamscan_t self:unix_stream_socket create_stream_socket_perms; allow clamscan_t self:unix_dgram_socket create_socket_perms; @@ -14845,7 +14857,7 @@ index 000000000..55fe0d668 +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 000000000..73f3eb8a0 +index 000000000..0763656a0 --- /dev/null +++ b/cloudform.te @@ -0,0 +1,250 @@ @@ -14915,7 +14927,7 @@ index 000000000..73f3eb8a0 +# cloud-init local policy +# + -+allow cloud_init_t self:capability { fowner chown fsetid dac_read_search dac_override }; ++allow cloud_init_t self:capability { fowner chown fsetid dac_read_search }; + +allow cloud_init_t self:udp_socket create_socket_perms; + @@ -15024,7 +15036,7 @@ index 000000000..73f3eb8a0 +# deltacloudd local policy +# + -+allow deltacloudd_t self:capability { dac_read_search dac_override setuid setgid }; ++allow deltacloudd_t self:capability { dac_read_search setuid setgid }; + +allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms; +allow deltacloudd_t self:udp_socket create_socket_perms; @@ -15264,7 +15276,7 @@ index c223f8132..8b567c191 100644 - admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) ') 
diff --git a/cobbler.te b/cobbler.te -index 5f306dd44..36fb0e4e7 100644 +index 5f306dd44..0a4711b5d 100644 --- a/cobbler.te +++ b/cobbler.te @@ -62,11 +62,12 @@ files_tmp_file(cobbler_tmp_t) @@ -15272,7 +15284,7 @@ index 5f306dd44..36fb0e4e7 100644 # -allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice }; -+allow cobblerd_t self:capability { chown dac_read_search dac_override fowner fsetid sys_nice }; ++allow cobblerd_t self:capability { chown dac_read_search fowner fsetid sys_nice }; dontaudit cobblerd_t self:capability sys_tty_config; allow cobblerd_t self:process { getsched setsched signal }; allow cobblerd_t self:fifo_file rw_fifo_file_perms; @@ -15595,7 +15607,7 @@ index 000000000..d5920c061 +') diff --git a/cockpit.te b/cockpit.te new file mode 100644 -index 000000000..08aaee4bb +index 000000000..a830e90b5 --- /dev/null +++ b/cockpit.te @@ -0,0 +1,123 @@ @@ -15691,7 +15703,7 @@ index 000000000..08aaee4bb +# + +# cockpit-session changes to the actual logged in user -+allow cockpit_session_t self:capability { sys_admin dac_read_search dac_override setuid setgid sys_resource}; ++allow cockpit_session_t self:capability { sys_admin dac_read_search setuid setgid sys_resource}; +allow cockpit_session_t self:process { setexec setsched signal_perms setrlimit }; + +read_files_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t) @@ -15925,7 +15937,7 @@ index 954309e64..67801421b 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8c4..90a9319c6 100644 +index 6471fa8c4..90d2b5324 100644 --- a/collectd.te +++ b/collectd.te @@ -26,43 +26,61 @@ files_type(collectd_var_lib_t) 
@@ -15947,7 +15959,7 @@ index 6471fa8c4..90a9319c6 100644 # -allow collectd_t self:capability { ipc_lock sys_nice }; -+allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_read_search dac_override setuid setgid }; ++allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_read_search setuid setgid }; allow collectd_t self:process { getsched setsched signal }; allow collectd_t self:fifo_file rw_fifo_file_perms; allow collectd_t self:packet_socket create_socket_perms; @@ -16121,7 +16133,7 @@ index 8e27a37c1..c69be28b9 100644 + ps_process_pattern($1, colord_t) +') diff --git a/colord.te b/colord.te -index 9f2dfb233..86836f9cd 100644 +index 9f2dfb233..5f29a909f 100644 --- a/colord.te +++ b/colord.te @@ -8,6 +8,7 @@ policy_module(colord, 1.1.0) @@ -16132,7 +16144,7 @@ index 9f2dfb233..86836f9cd 100644 type colord_tmp_t; files_tmp_file(colord_tmp_t) -@@ -18,6 +19,9 @@ files_tmpfs_file(colord_tmpfs_t) +@@ -18,18 +19,24 @@ files_tmpfs_file(colord_tmpfs_t) type colord_var_lib_t; files_type(colord_var_lib_t) @@ -16142,8 +16154,10 @@ index 9f2dfb233..86836f9cd 100644 ######################################## # # Local policy -@@ -26,10 +30,13 @@ files_type(colord_var_lib_t) - allow colord_t self:capability { dac_read_search dac_override }; + # + +-allow colord_t self:capability { dac_read_search dac_override }; ++allow colord_t self:capability { dac_read_search }; dontaudit colord_t self:capability sys_admin; allow colord_t self:process signal; + @@ -16749,7 +16763,7 @@ index 881d92f35..a2d588a51 100644 + ') ') diff --git a/condor.te b/condor.te -index ce9f040e2..2a52b429f 100644 +index ce9f040e2..eaefb5a97 100644 --- a/condor.te +++ b/condor.te @@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t) 
@@ -16775,7 +16789,7 @@ index ce9f040e2..2a52b429f 100644 # Global local policy # -+allow condor_domain self:capability { dac_read_search dac_override }; ++allow condor_domain self:capability { dac_read_search }; +allow condor_domain self:capability2 block_suspend; + allow condor_domain self:process signal_perms; @@ -16876,7 +16890,7 @@ index ce9f040e2..2a52b429f 100644 # -allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace }; -+allow condor_procd_t self:capability { fowner chown kill dac_read_search dac_override sys_ptrace }; ++allow condor_procd_t self:capability { fowner chown kill dac_read_search sys_ptrace }; +allow condor_procd_t self:cap_userns { sys_ptrace }; allow condor_procd_t condor_domain:process sigkill; @@ -16886,7 +16900,7 @@ index ce9f040e2..2a52b429f 100644 # -allow condor_schedd_t self:capability { setuid chown setgid dac_override }; -+allow condor_schedd_t self:capability { setuid chown setgid dac_read_search dac_override }; ++allow condor_schedd_t self:capability { setuid chown setgid dac_read_search }; allow condor_schedd_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_schedd_t condor_master_t:udp_socket getattr; @@ -16915,7 +16929,7 @@ index ce9f040e2..2a52b429f 100644 # -allow condor_startd_t self:capability { setuid net_admin setgid dac_override }; -+allow condor_startd_t self:capability { setuid net_admin setgid dac_read_search dac_override }; ++allow condor_startd_t self:capability { setuid net_admin setgid dac_read_search }; allow condor_startd_t self:process execmem; manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t) @@ -17342,7 +17356,7 @@ index 5b830ec9c..78025c5e7 100644 + ps_process_pattern($1, consolekit_t) +') diff --git a/consolekit.te b/consolekit.te -index bd18063f6..94407f854 100644 +index bd18063f6..efa99d8f4 100644 --- a/consolekit.te +++ b/consolekit.te @@ -19,21 +19,23 @@ type consolekit_var_run_t; 
@@ -17358,7 +17372,7 @@ index bd18063f6..94407f854 100644 # -allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; -+allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_read_search dac_override sys_nice sys_ptrace }; ++allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_read_search sys_nice sys_ptrace }; + allow consolekit_t self:process { getsched signal }; allow consolekit_t self:fifo_file rw_fifo_file_perms; @@ -17578,7 +17592,7 @@ index 694a037da..d8596812d 100644 + allow $1 corosync_unit_file_t:service all_service_perms; ') diff --git a/corosync.te b/corosync.te -index d5aa1e446..9a2570145 100644 +index d5aa1e446..94ca2cd02 100644 --- a/corosync.te +++ b/corosync.te @@ -28,12 +28,15 @@ logging_log_file(corosync_var_log_t) @@ -17594,7 +17608,7 @@ index d5aa1e446..9a2570145 100644 # -allow corosync_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock }; -+allow corosync_t self:capability { dac_read_search dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock }; ++allow corosync_t self:capability { dac_read_search fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock }; # for hearbeat allow corosync_t self:capability { net_raw chown }; allow corosync_t self:process { setpgid setrlimit setsched signal signull }; @@ -18189,7 +18203,7 @@ index 10f820fc7..acdb179e8 100644 allow $1 courier_spool_t:fifo_file rw_fifo_file_perms; ') diff --git a/courier.te b/courier.te -index ae3bc70e9..d64452f77 100644 +index ae3bc70e9..3fe942539 100644 --- a/courier.te +++ b/courier.te @@ -18,7 +18,7 @@ type courier_etc_t; 
@@ -18206,7 +18220,7 @@ index ae3bc70e9..d64452f77 100644 # -allow courier_domain self:capability dac_override; -+allow courier_domain self:capability { dac_read_search dac_override }; ++allow courier_domain self:capability { dac_read_search }; dontaudit courier_domain self:capability sys_tty_config; allow courier_domain self:process { setpgid signal_perms }; allow courier_domain self:fifo_file rw_fifo_file_perms; @@ -19620,7 +19634,7 @@ index 1303b3036..f5bd4aee8 100644 + logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log") ') diff --git a/cron.te b/cron.te -index 7de385956..e4c99bdd4 100644 +index 7de385956..f91dd2fe5 100644 --- a/cron.te +++ b/cron.te @@ -11,46 +11,54 @@ gen_require(` @@ -19845,8 +19859,9 @@ index 7de385956..e4c99bdd4 100644 +# Cron daemon local policy # - allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search }; +-allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search }; -dontaudit crond_t self:capability { sys_resource sys_tty_config }; ++allow crond_t self:capability { chown fowner setgid setuid sys_nice dac_read_search }; +dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config }; allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; @@ -20133,7 +20148,8 @@ index 7de385956..e4c99bdd4 100644 +# System cron process domain # - allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; +-allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; ++allow system_cronjob_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; + allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fd use; 
@@ -20539,8 +20555,8 @@ index 7de385956..e4c99bdd4 100644 +# crontab common policy +# + -+# dac_override is to create the file in the directory under /tmp -+allow crontab_domain self:capability { fowner setuid setgid chown dac_read_search dac_override }; ++# is to create the file in the directory under /tmp ++allow crontab_domain self:capability { fowner setuid setgid chown dac_read_search }; +allow crontab_domain self:process { getcap setsched signal_perms }; +allow crontab_domain self:fifo_file rw_fifo_file_perms; + @@ -20944,7 +20960,7 @@ index b25b01d12..06895f39a 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 001b502e6..b264e198a 100644 +index 001b502e6..8f9d0e50f 100644 --- a/ctdb.te +++ b/ctdb.te @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) @@ -20963,7 +20979,7 @@ index 001b502e6..b264e198a 100644 -allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice }; -allow ctdbd_t self:process { setpgid signal_perms setsched }; -+allow ctdbd_t self:capability { chown dac_override dac_read_search ipc_lock net_admin net_raw sys_nice sys_resource }; ++allow ctdbd_t self:capability { chown dac_read_search ipc_lock net_admin net_raw sys_nice sys_resource }; +allow ctdbd_t self:capability2 block_suspend; +allow ctdbd_t self:process { setpgid setrlimit signal_perms setsched }; allow ctdbd_t self:fifo_file rw_fifo_file_perms; @@ -21351,7 +21367,7 @@ index 3023be7f6..5afde8039 100644 + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te -index c91813ccb..e0ba2f7d9 100644 +index c91813ccb..05ea50b72 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) 
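Review bot: The comment in the crontab_domain hunk was truncated along with the capability: `# is to create the file in the directory under /tmp` no longer names anything, and before this change it documented that dac_override was needed for exactly that file creation. If the stated need still holds, crontab_domain will presumably hit a dac_override denial there, because dac_read_search only bypasses read and search checks, not writes. If the need is obsolete, delete the comment line; otherwise keep the capability for this domain and restore the comment as `# dac_override is to create the file in the directory under /tmp`. The system_dbusd_t hunk in dbus.te has the same damage (`# : /var/run/dbus is owned by messagebus on Debian` and `# cjp: should probably go in a distro_debian`).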
@@ -21491,7 +21507,7 @@ index c91813ccb..e0ba2f7d9 100644 # -allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config }; -+allow cupsd_t self:capability { ipc_lock sys_admin dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config }; ++allow cupsd_t self:capability { ipc_lock sys_admin dac_read_search dac_override kill fsetid fowner chown sys_resource sys_tty_config }; dontaudit cupsd_t self:capability { sys_tty_config net_admin }; -allow cupsd_t self:capability2 block_suspend; -allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; @@ -21746,7 +21762,7 @@ index c91813ccb..e0ba2f7d9 100644 # -allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid }; -+allow cupsd_config_t self:capability { chown dac_read_search dac_override sys_tty_config }; ++allow cupsd_config_t self:capability { chown dac_read_search sys_tty_config }; dontaudit cupsd_config_t self:capability sys_tty_config; -allow cupsd_config_t self:process { getsched signal_perms }; -allow cupsd_config_t self:fifo_file rw_fifo_file_perms; @@ -21888,7 +21904,7 @@ index c91813ccb..e0ba2f7d9 100644 -allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; -allow cups_pdf_t self:fifo_file rw_fifo_file_perms; -+allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_read_search dac_override }; ++allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_read_search }; allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; +allow cups_pdf_t cupsd_rw_etc_t:dir search; @@ -22186,7 +22202,7 @@ index 64775fd37..91a60569c 100644 + admin_pattern($1, cvs_home_t) ') diff --git a/cvs.te b/cvs.te -index 0f7755005..36e4a38cf 100644 +index 0f7755005..3e3f3cd61 100644 --- a/cvs.te +++ b/cvs.te @@ -11,7 +11,7 @@ policy_module(cvs, 1.10.2) 
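Review bot: cupsd_t still holds dac_override after this hunk; the only change to the rule is that the token moved next to dac_read_search. Since the commit strips the capability from nearly every other domain, the exception should be documented where it lives, with a comment above the rule such as `# dac_override: <reason cupsd must write to files it does not own>`. Without it, a later cleanup cannot tell whether this was a deliberate keep or an oversight of the bulk edit.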
@@ -22211,7 +22227,7 @@ index 0f7755005..36e4a38cf 100644 # -allow cvs_t self:capability { setuid setgid }; -+allow cvs_t self:capability { dac_override dac_read_search setuid setgid }; ++allow cvs_t self:capability { dac_read_search setuid setgid }; allow cvs_t self:process signal_perms; allow cvs_t self:fifo_file rw_fifo_file_perms; allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms; @@ -22259,7 +22275,7 @@ index 0f7755005..36e4a38cf 100644 -tunable_policy(`allow_cvs_read_shadow',` - allow cvs_t self:capability dac_override; +tunable_policy(`cvs_read_shadow',` -+ allow cvs_t self:capability { dac_read_search dac_override }; ++ allow cvs_t self:capability { dac_read_search }; auth_tunable_read_shadow(cvs_t) ') @@ -22349,7 +22365,7 @@ index 83bfda6ed..92d9fb2e7 100644 domain_system_change_exemption($1) role_transition $2 cyrus_initrc_exec_t system_r; diff --git a/cyrus.te b/cyrus.te -index 4283f2de2..41de1bdf6 100644 +index 4283f2de2..fe348758e 100644 --- a/cyrus.te +++ b/cyrus.te @@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t) @@ -22357,7 +22373,7 @@ index 4283f2de2..41de1bdf6 100644 # -allow cyrus_t self:capability { dac_override setgid setuid sys_resource }; -+allow cyrus_t self:capability { fsetid dac_read_search dac_override net_bind_service setgid setuid sys_resource }; ++allow cyrus_t self:capability { fsetid dac_read_search net_bind_service setgid setuid sys_resource }; dontaudit cyrus_t self:capability sys_tty_config; allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow cyrus_t self:process setrlimit; @@ -22500,7 +22516,7 @@ index 5a5e2902a..6321a1d0a 100644 fs_getattr_all_fs(dante_t) diff --git a/dbadm.te b/dbadm.te -index b60c464f1..3a5246a9b 100644 +index b60c464f1..51bf02f4a 100644 --- a/dbadm.te +++ b/dbadm.te @@ -23,14 +23,14 @@ gen_tunable(dbadm_read_user_files, false) 
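Review bot: The rule inside the cvs_read_shadow tunable_policy block is now `allow cvs_t self:capability { dac_read_search };`, but the first cvs.te hunk already grants dac_read_search to cvs_t unconditionally, so the boolean no longer gates any capability. For least privilege the DAC bypass should stay behind the tunable: keep the conditional rule and reduce the unconditional one to `allow cvs_t self:capability { setuid setgid };`. If cvs_t needs dac_read_search for something other than reading shadow, drop the conditional line as redundant and say so in a comment.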
@@ -22516,7 +22532,7 @@ index b60c464f1..3a5246a9b 100644 # -allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace }; -+allow dbadm_t self:capability { dac_override dac_read_search }; ++allow dbadm_t self:capability { dac_read_search }; files_dontaudit_search_all_dirs(dbadm_t) files_delete_generic_locks(dbadm_t) @@ -23545,7 +23561,7 @@ index 62d22cb46..c0c2ed47d 100644 + manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t) ') diff --git a/dbus.te b/dbus.te -index c9998c80d..d7910970e 100644 +index c9998c80d..328aa81d2 100644 --- a/dbus.te +++ b/dbus.te @@ -4,17 +4,15 @@ gen_require(` @@ -23601,10 +23617,10 @@ index c9998c80d..d7910970e 100644 # -allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid }; -+# dac_override: /var/run/dbus is owned by messagebus on Debian -+# cjp: dac_override should probably go in a distro_debian ++# : /var/run/dbus is owned by messagebus on Debian ++# cjp: should probably go in a distro_debian +allow system_dbusd_t self:capability2 block_suspend; -+allow system_dbusd_t self:capability { sys_resource dac_read_search dac_override setgid setpcap setuid }; ++allow system_dbusd_t self:capability { sys_resource dac_read_search setgid setpcap setuid }; dontaudit system_dbusd_t self:capability sys_tty_config; allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit }; allow system_dbusd_t self:fifo_file rw_fifo_file_perms; @@ -24746,7 +24762,7 @@ index 8ce99ff48..1bc5d3aea 100644 + logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ') diff --git a/devicekit.te b/devicekit.te -index 77a5003c0..cb628f935 100644 +index 77a5003c0..27f168bb1 100644 --- a/devicekit.te +++ b/devicekit.te @@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1) 
@@ -24799,7 +24815,7 @@ index 77a5003c0..cb628f935 100644 # -allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; -+allow devicekit_disk_t self:capability { chown setuid setgid dac_read_search dac_read_search dac_override fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio }; ++allow devicekit_disk_t self:capability { chown setuid setgid dac_read_search dac_read_search fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio }; + allow devicekit_disk_t self:process { getsched signal_perms }; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; @@ -24902,7 +24918,7 @@ index 77a5003c0..cb628f935 100644 # -allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; -+allow devicekit_power_t self:capability { dac_read_search dac_override net_admin sys_admin sys_tty_config sys_nice }; ++allow devicekit_power_t self:capability { dac_read_search net_admin sys_admin sys_tty_config sys_nice }; +#allow devicekit_power_t self:capability2 compromise_kernel; allow devicekit_power_t self:process { getsched signal_perms }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; @@ -25084,7 +25100,7 @@ index c697edbcd..954c090bd 100644 + allow $1 dhcpd_unit_file_t:service all_service_perms; ') diff --git a/dhcp.te b/dhcp.te -index 98a24b989..d6cb9e7ba 100644 +index 98a24b989..9ded26309 100644 --- a/dhcp.te +++ b/dhcp.te @@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) 
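Review bot: The new devicekit_disk_t rule lists dac_read_search twice (`setgid dac_read_search dac_read_search fowner`); the duplicate was already present on the old side and the bulk removal carried it over. As far as I can tell it is harmless to the compiled policy, but it reads like a botched edit and should be collapsed: `allow devicekit_disk_t self:capability { chown setuid setgid dac_read_search fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio };`.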
@@ -25102,7 +25118,7 @@ index 98a24b989..d6cb9e7ba 100644 # -allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource }; -+allow dhcpd_t self:capability { chown dac_read_search dac_override fowner sys_chroot net_raw kill setgid setuid setpcap sys_resource }; ++allow dhcpd_t self:capability { chown dac_read_search fowner sys_chroot net_raw kill setgid setuid setpcap sys_resource }; dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; allow dhcpd_t self:process { getcap setcap signal_perms }; allow dhcpd_t self:fifo_file rw_fifo_file_perms; @@ -25154,7 +25170,7 @@ index 98a24b989..d6cb9e7ba 100644 +') + +ifdef(`distro_gentoo',` -+ allow dhcpd_t self:capability { chown dac_read_search dac_override setgid setuid sys_chroot }; ++ allow dhcpd_t self:capability { chown dac_read_search setgid setuid sys_chroot }; +') + +optional_policy(` @@ -25415,7 +25431,7 @@ index 000000000..0d4e70492 +') diff --git a/dirsrv-admin.te b/dirsrv-admin.te new file mode 100644 -index 000000000..09223afb3 +index 000000000..583d849ba --- /dev/null +++ b/dirsrv-admin.te @@ -0,0 +1,167 @@ @@ -25456,7 +25472,7 @@ index 000000000..09223afb3 +# + +allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms; -+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource }; ++allow dirsrvadmin_t self:capability { dac_read_search sys_tty_config sys_resource }; +allow dirsrvadmin_t self:process { setrlimit signal_perms }; + +manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) 
@@ -25497,7 +25513,7 @@ index 000000000..09223afb3 + apache_content_alias_template(dirsrvadmin, dirsrvadmin) + + allow dirsrvadmin_script_t self:process { getsched getpgid }; -+ allow dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override }; ++ allow dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search }; + allow dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms; + allow dirsrvadmin_script_t self:udp_socket create_socket_perms; + allow dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms; @@ -25855,7 +25871,7 @@ index 000000000..b3784d85d +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 000000000..22cafcd43 +index 000000000..f068532e7 --- /dev/null +++ b/dirsrv.te @@ -0,0 +1,207 @@ @@ -25912,7 +25928,7 @@ index 000000000..22cafcd43 +# dirsrv local policy +# +allow dirsrv_t self:process { getsched setsched setfscreate setrlimit signal_perms}; -+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_read_search dac_override fowner }; ++allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_read_search fowner }; +allow dirsrv_t self:fifo_file manage_fifo_file_perms; +allow dirsrv_t self:sem create_sem_perms; +allow dirsrv_t self:tcp_socket create_stream_socket_perms; @@ -26027,7 +26043,7 @@ index 000000000..22cafcd43 +# +# dirsrv-snmp local policy +# -+allow dirsrv_snmp_t self:capability { dac_override dac_read_search }; ++allow dirsrv_snmp_t self:capability { dac_read_search }; +allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms; + +rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) @@ -26509,7 +26525,7 @@ index 19aa0b80b..a79982cd6 100644 + + diff --git a/dnsmasq.te b/dnsmasq.te -index 37a3b7b30..78c681ce9 100644 +index 37a3b7b30..59eb2b7cb 100644 --- a/dnsmasq.te +++ b/dnsmasq.te 
@@ -24,12 +24,15 @@ logging_log_file(dnsmasq_var_log_t) @@ -26525,7 +26541,7 @@ index 37a3b7b30..78c681ce9 100644 # -allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_raw }; -+allow dnsmasq_t self:capability { chown dac_read_search dac_override net_admin setgid setuid net_raw }; ++allow dnsmasq_t self:capability { chown dac_read_search net_admin setgid setuid net_raw }; dontaudit dnsmasq_t self:capability sys_tty_config; allow dnsmasq_t self:process { getcap setcap signal_perms }; allow dnsmasq_t self:fifo_file rw_fifo_file_perms; @@ -27155,7 +27171,7 @@ index d5badb755..c2431fc73 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index 0aabc7e66..994752cd2 100644 +index 0aabc7e66..e95d44512 100644 --- a/dovecot.te +++ b/dovecot.te @@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1) @@ -27244,7 +27260,7 @@ index 0aabc7e66..994752cd2 100644 # -allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot }; -+allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot }; ++allow dovecot_t self:capability { dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot }; dontaudit dovecot_t self:capability sys_tty_config; allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched }; -allow dovecot_t self:tcp_socket { accept listen }; 
@@ -27420,7 +27436,7 @@ index 0aabc7e66..994752cd2 100644 # -allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice }; -+allow dovecot_auth_t self:capability { chown dac_read_search dac_override ipc_lock setgid setuid sys_nice }; ++allow dovecot_auth_t self:capability { chown dac_read_search ipc_lock setgid setuid sys_nice }; allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap }; -allow dovecot_auth_t self:unix_stream_socket { accept connectto listen }; +allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; @@ -27598,7 +27614,7 @@ index 0aabc7e66..994752cd2 100644 sendmail_domtrans(dovecot_deliver_t) ') diff --git a/dpkg.te b/dpkg.te -index 50af48c89..5ab49010f 100644 +index 50af48c89..bb58612b0 100644 --- a/dpkg.te +++ b/dpkg.te @@ -49,7 +49,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t) 
@@ -27606,10 +27622,19 @@ index 50af48c89..5ab49010f 100644 # -allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable }; -+allow dpkg_t self:capability { chown dac_read_search dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable }; ++allow dpkg_t self:capability { chown dac_read_search fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable }; allow dpkg_t self:process { setpgid fork getsched setfscreate }; allow dpkg_t self:fd use; allow dpkg_t self:fifo_file rw_fifo_file_perms; +@@ -202,7 +202,7 @@ optional_policy(` + # Script Local policy + # + +-allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; ++allow dpkg_script_t self:capability { chown dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; + allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow dpkg_script_t self:fd use; + allow dpkg_script_t self:fifo_file rw_fifo_file_perms; diff --git a/drbd.fc b/drbd.fc index 671a3fb6f..47b4958d0 100644 --- a/drbd.fc @@ -27772,7 +27797,7 @@ index 9a2163936..26c59868b 100644 ') + diff --git a/drbd.te b/drbd.te -index f2516cc07..af2c2ad81 100644 +index f2516cc07..b8c9fe764 100644 --- a/drbd.te +++ b/drbd.te @@ -18,38 +18,72 @@ files_type(drbd_var_lib_t) @@ -27791,7 +27816,7 @@ index f2516cc07..af2c2ad81 100644 # -allow drbd_t self:capability { kill net_admin }; -+allow drbd_t self:capability { dac_read_search dac_override kill net_admin sys_admin }; ++allow drbd_t self:capability { dac_read_search kill net_admin sys_admin }; dontaudit drbd_t self:capability sys_tty_config; allow drbd_t self:fifo_file rw_fifo_file_perms; allow drbd_t self:unix_stream_socket create_stream_socket_perms; 
@@ -28352,7 +28377,7 @@ index 000000000..4498b1110 + +sysnet_read_config(ejabberd_t) diff --git a/entropyd.te b/entropyd.te -index b8b8328c0..e3dc7c72c 100644 +index b8b8328c0..7e635921e 100644 --- a/entropyd.te +++ b/entropyd.te @@ -12,7 +12,7 @@ policy_module(entropyd, 1.8.0) @@ -28369,7 +28394,7 @@ index b8b8328c0..e3dc7c72c 100644 # -allow entropyd_t self:capability { dac_override ipc_lock sys_admin }; -+allow entropyd_t self:capability { dac_read_search dac_override ipc_lock sys_admin }; ++allow entropyd_t self:capability { dac_read_search ipc_lock sys_admin }; dontaudit entropyd_t self:capability sys_tty_config; allow entropyd_t self:process signal_perms; @@ -28826,7 +28851,7 @@ index 9bbc6907a..4a8d0536b 100644 role_transition $2 exim_initrc_exec_t system_r; allow $2 system_r; diff --git a/exim.te b/exim.te -index 4086c51b9..3e7a99099 100644 +index 4086c51b9..34c52e39d 100644 --- a/exim.te +++ b/exim.te @@ -55,7 +55,7 @@ type exim_log_t; @@ -28838,6 +28863,15 @@ index 4086c51b9..3e7a99099 100644 type exim_tmp_t; files_tmp_file(exim_tmp_t) +@@ -72,7 +72,7 @@ ifdef(`distro_debian',` + # Local policy + # + +-allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource }; ++allow exim_t self:capability { chown dac_read_search fowner setuid setgid sys_resource }; + allow exim_t self:process { setrlimit setpgid }; + allow exim_t self:fifo_file rw_fifo_file_perms; + allow exim_t self:unix_stream_socket { accept listen }; @@ -105,11 +105,10 @@ can_exec(exim_t, exim_exec_t) kernel_read_crypto_sysctls(exim_t) kernel_read_kernel_sysctls(exim_t) @@ -29212,14 +29246,16 @@ index 50d0084d4..94e193606 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index cf0e56772..7bebd2699 100644 +index cf0e56772..839025a07 100644 --- a/fail2ban.te 
+++ b/fail2ban.te -@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t; +@@ -36,8 +36,8 @@ role fail2ban_client_roles types fail2ban_client_t; + # Server Local policy # - allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config }; +-allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config }; -allow fail2ban_t self:process signal; ++allow fail2ban_t self:capability { dac_read_search sys_tty_config }; +allow fail2ban_t self:process { setsched signal }; allow fail2ban_t self:fifo_file rw_fifo_file_perms; allow fail2ban_t self:unix_stream_socket { accept connectto listen }; @@ -29298,7 +29334,7 @@ index cf0e56772..7bebd2699 100644 # -allow fail2ban_client_t self:capability dac_read_search; -+allow fail2ban_client_t self:capability { dac_read_search dac_override }; ++allow fail2ban_client_t self:capability { dac_read_search }; allow fail2ban_client_t self:unix_stream_socket { create connect write read }; domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) @@ -29337,7 +29373,7 @@ index cf0e56772..7bebd2699 100644 + apache_read_log(fail2ban_client_t) +') diff --git a/fcoe.te b/fcoe.te -index ce358fb3f..cdc11a7f9 100644 +index ce358fb3f..f5316ffcf 100644 --- a/fcoe.te +++ b/fcoe.te @@ -20,25 +20,32 @@ files_pid_file(fcoemon_var_run_t) @@ -29345,7 +29381,7 @@ index ce358fb3f..cdc11a7f9 100644 # -allow fcoemon_t self:capability { dac_override kill net_admin }; -+allow fcoemon_t self:capability { net_admin net_raw dac_read_search dac_override }; ++allow fcoemon_t self:capability { net_admin net_raw dac_read_search }; allow fcoemon_t self:fifo_file rw_fifo_file_perms; allow fcoemon_t self:unix_stream_socket { accept listen }; allow fcoemon_t self:netlink_socket create_socket_perms; @@ -29695,7 +29731,7 @@ index c62c5670a..a74f123da 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') 
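Review bot: For `fail2ban_client_t` the patch now replaces upstream's `allow fail2ban_client_t self:capability dac_read_search;` with `allow fail2ban_client_t self:capability { dac_read_search };`, which is the same rule with braces added. That removed/added pair can be dropped from the policy patch so it carries no no-op divergence from upstream. The same single-element brace form is introduced for `dirsrv_snmp_t`, `netlogond_t` and `logwatch_mail_t`; plain `dac_read_search` would match the style of nearby rules such as `dontaudit dnsmasq_t self:capability sys_tty_config;`.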
diff --git a/firewalld.te b/firewalld.te -index 98072a3a1..42ee4d39c 100644 +index 98072a3a1..04cd1a61b 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,15 +21,21 @@ logging_log_file(firewalld_var_log_t) @@ -29717,7 +29753,7 @@ index 98072a3a1..42ee4d39c 100644 # -allow firewalld_t self:capability { dac_override net_admin }; -+allow firewalld_t self:capability { dac_read_search dac_override net_admin }; ++allow firewalld_t self:capability { dac_read_search net_admin }; dontaudit firewalld_t self:capability sys_tty_config; allow firewalld_t self:fifo_file rw_fifo_file_perms; allow firewalld_t self:unix_stream_socket { accept listen }; @@ -29986,7 +30022,7 @@ index 280f875f0..f3a67c911 100644 ## ## diff --git a/firstboot.te b/firstboot.te -index 5010f04e1..0341ae121 100644 +index 5010f04e1..8d5eae955 100644 --- a/firstboot.te +++ b/firstboot.te @@ -1,7 +1,7 @@ @@ -30022,7 +30058,7 @@ index 5010f04e1..0341ae121 100644 # -allow firstboot_t self:capability { dac_override setgid }; -+allow firstboot_t self:capability { dac_read_search dac_override setgid }; ++allow firstboot_t self:capability { dac_read_search setgid }; allow firstboot_t self:process setfscreate; allow firstboot_t self:fifo_file rw_fifo_file_perms; -allow firstboot_t self:tcp_socket { accept listen }; @@ -30669,7 +30705,7 @@ index 44981434b..84a4858b6 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index 36838c202..34a9cedf3 100644 +index 36838c202..952bab750 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1) 
@@ -30881,9 +30917,10 @@ index 36838c202..34a9cedf3 100644 ') -tunable_policy(`allow_ftpd_full_access',` -+tunable_policy(`ftpd_full_access',` - allow ftpd_t self:capability { dac_override dac_read_search }; +- allow ftpd_t self:capability { dac_override dac_read_search }; - files_manage_non_auth_files(ftpd_t) ++tunable_policy(`ftpd_full_access',` ++ allow ftpd_t self:capability { dac_read_search }; + files_manage_non_security_dirs(ftpd_t) + files_manage_non_security_files(ftpd_t) +') @@ -32139,7 +32176,7 @@ index 000000000..d745c675f +') diff --git a/gear.te b/gear.te new file mode 100644 -index 000000000..33dbdf7ec +index 000000000..f6bf0a10e --- /dev/null +++ b/gear.te @@ -0,0 +1,136 @@ @@ -32170,7 +32207,7 @@ index 000000000..33dbdf7ec +# +# gear local policy +# -+allow gear_t self:capability { chown net_admin fowner dac_read_search dac_override }; ++allow gear_t self:capability { chown net_admin fowner dac_read_search }; +dontaudit gear_t self:capability sys_ptrace; +allow gear_t self:capability2 block_suspend; +allow gear_t self:process { getattr signal_perms }; @@ -33447,7 +33484,7 @@ index 000000000..450146018 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 000000000..cbcaf9aed +index 000000000..5d279ca35 --- /dev/null +++ b/glusterd.te @@ -0,0 +1,324 @@ @@ -33519,7 +33556,7 @@ index 000000000..cbcaf9aed +# Local policy +# + -+allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid ipc_lock kill setgid setuid net_admin mknod net_raw }; ++allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace chown dac_read_search fowner fsetid ipc_lock kill setgid setuid net_admin mknod net_raw }; + +allow glusterd_t self:capability2 block_suspend; +allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate}; @@ -36120,7 +36157,7 @@ index ab09d6195..e591cd040 100644 + type_transition $1 gkeyringd_exec_t:process $2; ') 
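Review bot: In the ftpd_full_access tunable block the capability set is cut to `{ dac_read_search }`, while the same block still grants `files_manage_non_security_dirs(ftpd_t)` and `files_manage_non_security_files(ftpd_t)`. Manage access implies create, write and delete, but `dac_read_search` bypasses DAC only for reads and directory searches, so with the boolean on a root-run ftpd would presumably still be stopped by mode bits on writes. Whether ftpd performs such writes as root is not visible in this hunk. If it does, keep `allow ftpd_t self:capability { dac_override dac_read_search };` inside this tunable only, where the administrator has explicitly opted in; otherwise add a comment that "full access" is limited to what DAC permits.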
diff --git a/gnome.te b/gnome.te -index 63893eb2d..566474488 100644 +index 63893eb2d..58b4cb17f 100644 --- a/gnome.te +++ b/gnome.te @@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0) @@ -36254,7 +36291,7 @@ index 63893eb2d..566474488 100644 -allow gconfd_t gconf_etc_t:dir list_dir_perms; -read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) -+allow gconfdefaultsm_t self:capability { dac_read_search dac_override sys_nice }; ++allow gconfdefaultsm_t self:capability { dac_read_search sys_nice }; +allow gconfdefaultsm_t self:process getsched; +allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms; @@ -36512,7 +36549,7 @@ index 3f55702fb..25c7ab82c 100644 ## ## diff --git a/gnomeclock.te b/gnomeclock.te -index 7cd7435e6..8f26e9862 100644 +index 7cd7435e6..eb067c236 100644 --- a/gnomeclock.te +++ b/gnomeclock.te @@ -5,82 +5,95 @@ policy_module(gnomeclock, 1.1.0) @@ -36537,7 +36574,7 @@ index 7cd7435e6..8f26e9862 100644 # -allow gnomeclock_t self:capability { sys_nice sys_time }; -+allow gnomeclock_t self:capability { sys_nice sys_time dac_read_search dac_override }; ++allow gnomeclock_t self:capability { sys_nice sys_time dac_read_search }; allow gnomeclock_t self:process { getattr getsched signal }; allow gnomeclock_t self:fifo_file rw_fifo_file_perms; -allow gnomeclock_t self:unix_stream_socket { accept listen }; @@ -37421,7 +37458,7 @@ index 0e97e82f1..4bcee621d 100644 + miscfiles_manage_public_files(gpg_web_t) ') diff --git a/gpm.te b/gpm.te -index 69734fd15..a659808d0 100644 +index 69734fd15..8cda8e166 100644 --- a/gpm.te +++ b/gpm.te @@ -13,7 +13,7 @@ type gpm_initrc_exec_t; 
@@ -37438,7 +37475,7 @@ index 69734fd15..a659808d0 100644 # -allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config }; -+allow gpm_t self:capability { setpcap setuid dac_read_search dac_override sys_admin sys_tty_config }; ++allow gpm_t self:capability { setpcap setuid dac_read_search sys_admin sys_tty_config }; allow gpm_t self:process { signal signull getcap setcap }; allow gpm_t self:unix_stream_socket { accept listen }; @@ -37464,7 +37501,7 @@ index 69734fd15..a659808d0 100644 optional_policy(` seutil_sigchld_newrole(gpm_t) diff --git a/gpsd.te b/gpsd.te -index fe3895ece..a820546e3 100644 +index fe3895ece..1a96553d4 100644 --- a/gpsd.te +++ b/gpsd.te @@ -28,11 +28,12 @@ files_pid_file(gpsd_var_run_t) @@ -37472,7 +37509,7 @@ index fe3895ece..a820546e3 100644 allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config }; -dontaudit gpsd_t self:capability { dac_read_search dac_override }; -+dontaudit gpsd_t self:capability { sys_ptrace dac_read_search dac_override }; ++dontaudit gpsd_t self:capability { sys_ptrace dac_read_search }; allow gpsd_t self:process { setsched signal_perms }; allow gpsd_t self:shm create_shm_perms; allow gpsd_t self:unix_dgram_socket sendto; @@ -37736,7 +37773,7 @@ index 000000000..8a2013af9 +') diff --git a/gssproxy.te b/gssproxy.te new file mode 100644 -index 000000000..79e22c58a +index 000000000..86a4d31a1 --- /dev/null +++ b/gssproxy.te @@ -0,0 +1,74 @@ @@ -37764,7 +37801,7 @@ index 000000000..79e22c58a +# +# gssproxy local policy +# -+allow gssproxy_t self:capability { setuid setgid dac_read_search dac_override }; ++allow gssproxy_t self:capability { setuid setgid dac_read_search }; +allow gssproxy_t self:capability2 block_suspend; +allow gssproxy_t self:fifo_file rw_fifo_file_perms; +allow gssproxy_t self:unix_stream_socket create_stream_socket_perms; @@ -37862,7 +37899,7 @@ index e15137840..04d173d1d 100644 fs_getattr_xattr_fs(zookeeper_server_t) 
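Review bot: In the `gpsd_t` hunk the edited line is a `dontaudit` rule, not an `allow`, so dropping `dac_override` there removes no privilege; it only makes `dac_override` denials for gpsd appear in the audit log again. `dac_read_search` stays dontaudited on the same line, so the two capabilities are now treated differently with no stated reason. If the new AVC records are wanted as a signal of unexpected DAC-bypass attempts, say so in a comment above the rule; otherwise leave it as `dontaudit gpsd_t self:capability { sys_ptrace dac_read_search dac_override };`.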
diff --git a/hal.te b/hal.te -index bbccc79f1..b02720214 100644 +index bbccc79f1..ef689e4b8 100644 --- a/hal.te +++ b/hal.te @@ -61,7 +61,6 @@ files_type(hald_var_lib_t) @@ -37873,6 +37910,15 @@ index bbccc79f1..b02720214 100644 miscfiles_read_localization(hald_domain) +@@ -72,7 +71,7 @@ hal_stream_connect(hald_domain) + # Local policy + # + +-allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config }; ++allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_read_search mknod sys_rawio sys_tty_config }; + dontaudit hald_t self:capability { sys_ptrace sys_tty_config }; + allow hald_t self:process { getsched getattr signal_perms }; + allow hald_t self:fifo_file rw_fifo_file_perms; @@ -116,7 +115,7 @@ kernel_rw_irq_sysctls(hald_t) kernel_rw_vm_sysctls(hald_t) kernel_write_proc_files(hald_t) @@ -37887,7 +37933,7 @@ index bbccc79f1..b02720214 100644 # -allow hald_acl_t self:capability { dac_override fowner sys_resource }; -+allow hald_acl_t self:capability { dac_read_search dac_override fowner sys_resource }; ++allow hald_acl_t self:capability { dac_read_search fowner sys_resource }; allow hald_acl_t self:process { getattr signal }; allow hald_acl_t self:fifo_file rw_fifo_file_perms; @@ -39079,7 +39125,7 @@ index 580b533ce..c267cea58 100644 domain_system_change_exemption($1) role_transition $2 icecast_initrc_exec_t system_r; diff --git a/icecast.te b/icecast.te -index a9e573a50..9a9245f49 100644 +index a9e573a50..23f8b5d4c 100644 --- a/icecast.te +++ b/icecast.te @@ -32,7 +32,7 @@ files_pid_file(icecast_var_run_t) 
@@ -39087,7 +39133,7 @@ index a9e573a50..9a9245f49 100644 # -allow icecast_t self:capability { dac_override setgid setuid sys_nice }; -+allow icecast_t self:capability { dac_read_search dac_override setgid setuid sys_nice }; ++allow icecast_t self:capability { dac_read_search setgid setuid sys_nice }; allow icecast_t self:process { getsched setsched signal }; allow icecast_t self:fifo_file rw_fifo_file_perms; allow icecast_t self:unix_stream_socket create_stream_socket_perms; @@ -39463,7 +39509,7 @@ index eb87f2341..d3d32c3ad 100644 init_labeled_script_domtrans($1, innd_initrc_exec_t) diff --git a/inn.te b/inn.te -index d39f0cc51..2422996ec 100644 +index d39f0cc51..81789dd86 100644 --- a/inn.te +++ b/inn.te @@ -15,6 +15,9 @@ files_config_file(innd_etc_t) @@ -39488,7 +39534,7 @@ index d39f0cc51..2422996ec 100644 # -allow innd_t self:capability { dac_override kill setgid setuid }; -+allow innd_t self:capability { dac_read_search dac_override kill setgid setuid }; ++allow innd_t self:capability { dac_read_search kill setgid setuid }; dontaudit innd_t self:capability sys_tty_config; allow innd_t self:process { setsched signal_perms }; allow innd_t self:fifo_file rw_fifo_file_perms; @@ -40089,7 +40135,7 @@ index 000000000..d611c53d4 +') diff --git a/ipa.te b/ipa.te new file mode 100644 -index 000000000..99cb86250 +index 000000000..49295fe45 --- /dev/null +++ b/ipa.te @@ -0,0 +1,275 @@ @@ -40186,7 +40232,7 @@ index 000000000..99cb86250 +# + + -+allow ipa_helper_t self:capability { net_admin dac_read_search dac_override chown }; ++allow ipa_helper_t self:capability { net_admin dac_read_search chown }; + +#kernel bug +dontaudit ipa_helper_t self:capability2 block_suspend; @@ -41046,7 +41092,7 @@ index 1a354203e..8101022be 100644 logging_search_logs($1) admin_pattern($1, iscsi_log_t) diff --git a/iscsi.te b/iscsi.te -index ca020faa9..c53375b3b 100644 +index ca020faa9..58233a218 100644 --- a/iscsi.te +++ b/iscsi.te @@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0) 
@@ -41073,7 +41119,7 @@ index ca020faa9..c53375b3b 100644 -allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }; -dontaudit iscsid_t self:capability sys_ptrace; -+allow iscsid_t self:capability { dac_read_search dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource }; ++allow iscsid_t self:capability { dac_read_search ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource }; allow iscsid_t self:process { setrlimit setsched signal }; allow iscsid_t self:fifo_file rw_fifo_file_perms; allow iscsid_t self:unix_stream_socket { accept connectto listen }; @@ -42969,7 +43015,7 @@ index 3a00b3a13..92f125fdf 100644 +') + diff --git a/kdump.te b/kdump.te -index 715fc211c..794264a1d 100644 +index 715fc211c..e506a7f5d 100644 --- a/kdump.te +++ b/kdump.te @@ -12,35 +12,58 @@ init_system_domain(kdump_t, kdump_exec_t) @@ -43004,7 +43050,7 @@ index 715fc211c..794264a1d 100644 # -allow kdump_t self:capability { sys_boot dac_override }; -+allow kdump_t self:capability { sys_admin sys_boot dac_read_search dac_override }; ++allow kdump_t self:capability { sys_admin sys_boot dac_read_search }; +#allow kdump_t self:capability2 compromise_kernel; + +manage_dirs_pattern(kdump_t, kdump_crash_t, kdump_crash_t) @@ -43050,7 +43096,7 @@ index 715fc211c..794264a1d 100644 + +kdump_domtrans(kdumpctl_t) + -+allow kdumpctl_t self:capability { dac_read_search dac_override sys_chroot }; ++allow kdumpctl_t self:capability { dac_read_search sys_chroot }; allow kdumpctl_t self:process setfscreate; + allow kdumpctl_t self:fifo_file rw_fifo_file_perms; @@ -44354,7 +44400,7 @@ index f6c00d8e6..79ea4d8d2 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") ') diff --git a/kerberos.te b/kerberos.te -index 8833d596d..9b9eb11ed 100644 +index 8833d596d..3030f9b78 100644 --- a/kerberos.te +++ b/kerberos.te @@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0) 
@@ -44414,7 +44460,7 @@ index 8833d596d..9b9eb11ed 100644 -allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; -dontaudit kadmind_t self:capability sys_tty_config; +# Use capabilities. Surplus capabilities may be allowed. -+allow kadmind_t self:capability { setuid setgid chown fowner dac_read_search dac_override sys_nice }; ++allow kadmind_t self:capability { setuid setgid chown fowner dac_read_search sys_nice }; allow kadmind_t self:capability2 block_suspend; +dontaudit kadmind_t self:capability sys_tty_config; allow kadmind_t self:process { setfscreate setsched getsched signal_perms }; @@ -44539,7 +44585,7 @@ index 8833d596d..9b9eb11ed 100644 -allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; -dontaudit krb5kdc_t self:capability sys_tty_config; +# Use capabilities. Surplus capabilities may be allowed. -+allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_read_search dac_override sys_nice }; ++allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_read_search sys_nice }; allow krb5kdc_t self:capability2 block_suspend; +dontaudit krb5kdc_t self:capability sys_tty_config; allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms }; @@ -45208,7 +45254,7 @@ index aa2a3379b..7ff229f32 100644 files_search_var_lib($1) admin_pattern($1, kismet_var_lib_t) diff --git a/kismet.te b/kismet.te -index 8ad0d4d50..01e503790 100644 +index 8ad0d4d50..e4916885b 100644 --- a/kismet.te +++ b/kismet.te @@ -38,7 +38,7 @@ files_pid_file(kismet_var_run_t) 
@@ -45216,7 +45262,7 @@ index 8ad0d4d50..01e503790 100644 # -allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid }; -+allow kismet_t self:capability { dac_read_search dac_override kill net_admin net_raw setuid setgid }; ++allow kismet_t self:capability { dac_read_search kill net_admin net_raw setuid setgid }; allow kismet_t self:process signal_perms; allow kismet_t self:fifo_file rw_fifo_file_perms; allow kismet_t self:packet_socket create_socket_perms; @@ -45870,7 +45916,7 @@ index 52970645f..6ba810834 100644 domain_system_change_exemption($1) role_transition $2 kudzu_initrc_exec_t system_r; diff --git a/kudzu.te b/kudzu.te -index 16640364b..ee7a9a1d5 100644 +index 16640364b..a31b9ba5f 100644 --- a/kudzu.te +++ b/kudzu.te @@ -26,7 +26,7 @@ files_pid_file(kudzu_var_run_t) @@ -45878,7 +45924,7 @@ index 16640364b..ee7a9a1d5 100644 # -allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod }; -+allow kudzu_t self:capability { dac_read_search dac_override sys_admin sys_rawio net_admin sys_tty_config mknod }; ++allow kudzu_t self:capability { dac_read_search sys_admin sys_rawio net_admin sys_tty_config mknod }; dontaudit kudzu_t self:capability sys_tty_config; allow kudzu_t self:process { signal_perms execmem }; allow kudzu_t self:fifo_file rw_fifo_file_perms; @@ -46521,7 +46567,7 @@ index 3602712d0..af83a5b6b 100644 + allow $1 slapd_unit_file_t:service all_service_perms; ') diff --git a/ldap.te b/ldap.te -index 4c2b1110e..8fa1510d7 100644 +index 4c2b1110e..7b306e4bb 100644 --- a/ldap.te +++ b/ldap.te @@ -21,6 +21,9 @@ files_config_file(slapd_etc_t) 
@@ -46534,9 +46580,12 @@ index 4c2b1110e..8fa1510d7 100644 type slapd_keytab_t; files_type(slapd_keytab_t) -@@ -49,7 +52,7 @@ files_pid_file(slapd_var_run_t) +@@ -47,9 +50,9 @@ files_pid_file(slapd_var_run_t) + # Local policy + # - allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search }; +-allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search }; ++allow slapd_t self:capability { kill setgid setuid net_raw dac_read_search }; dontaudit slapd_t self:capability sys_tty_config; -allow slapd_t self:process setsched; +allow slapd_t self:process { setsched signal } ; @@ -46824,7 +46873,7 @@ index bd20e8cc9..3393a01e6 100644 - admin_pattern($1, { lwregd_var_run_t netlogond_var_run_t srvsvcd_var_run_t }) -') diff --git a/likewise.te b/likewise.te -index d8c2442a8..f5dff3173 100644 +index d8c2442a8..0bd8a29a9 100644 --- a/likewise.te +++ b/likewise.te @@ -26,7 +26,7 @@ type likewise_var_lib_t; @@ -46862,7 +46911,7 @@ index d8c2442a8..f5dff3173 100644 # -allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time }; -+allow lsassd_t self:capability { fowner chown fsetid dac_read_search dac_override sys_time }; ++allow lsassd_t self:capability { fowner chown fsetid dac_read_search sys_time }; allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms; @@ -46879,7 +46928,7 @@ index d8c2442a8..f5dff3173 100644 # -allow lwiod_t self:capability { fowner chown fsetid dac_override sys_resource }; -+allow lwiod_t self:capability { fowner chown fsetid dac_read_search dac_override sys_resource }; ++allow lwiod_t self:capability { fowner chown fsetid dac_read_search sys_resource }; allow lwiod_t self:process setrlimit; allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms; 
@@ -46888,7 +46937,7 @@ index d8c2442a8..f5dff3173 100644 # -allow netlogond_t self:capability dac_override; -+allow netlogond_t self:capability { dac_read_search dac_override }; ++allow netlogond_t self:capability { dac_read_search }; manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t) @@ -47248,7 +47297,7 @@ index dff21a7c4..b6981c846 100644 init_labeled_script_domtrans($1, lircd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/lircd.te b/lircd.te -index 483c87bb6..eecd4c158 100644 +index 483c87bb6..5c41c7557 100644 --- a/lircd.te +++ b/lircd.te @@ -13,7 +13,7 @@ type lircd_initrc_exec_t; @@ -47265,7 +47314,7 @@ index 483c87bb6..eecd4c158 100644 # -allow lircd_t self:capability { chown kill sys_admin }; -+allow lircd_t self:capability { setuid setgid dac_read_search dac_override chown kill sys_admin }; ++allow lircd_t self:capability { setuid setgid dac_read_search chown kill sys_admin }; allow lircd_t self:process signal; allow lircd_t self:fifo_file rw_fifo_file_perms; allow lircd_t self:tcp_socket { accept listen }; @@ -47494,9 +47543,18 @@ index 2a491d96c..3399d597a 100644 + virt_dgram_send(lldpad_t) +') diff --git a/loadkeys.te b/loadkeys.te -index d2f464375..ecbfa88ff 100644 +index d2f464375..5bacffd37 100644 --- a/loadkeys.te +++ b/loadkeys.te +@@ -17,7 +17,7 @@ role loadkeys_roles types loadkeys_t; + # Local policy + # + +-allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config }; ++allow loadkeys_t self:capability { dac_read_search setuid sys_tty_config }; + allow loadkeys_t self:fifo_file rw_fifo_file_perms; + + kernel_read_system_state(loadkeys_t) @@ -25,20 +25,19 @@ kernel_read_system_state(loadkeys_t) corecmd_exec_bin(loadkeys_t) corecmd_exec_shell(loadkeys_t) @@ -47640,7 +47698,7 @@ index dd8e01af3..9cd6b0b8e 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84b3..9ca958706 100644 +index be0ab84b3..af94fb163 100644 --- a/logrotate.te +++ b/logrotate.te 
@@ -5,16 +5,33 @@ policy_module(logrotate, 1.15.0) @@ -47696,7 +47754,7 @@ index be0ab84b3..9ca958706 100644 -allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice }; -allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; +# Change ownership on log files. -+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace }; ++allow logrotate_t self:capability { chown dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace }; +dontaudit logrotate_t self:capability { sys_resource net_admin }; + +# dontaudited due to systemctl command. @@ -47984,7 +48042,7 @@ index be0ab84b3..9ca958706 100644 logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) diff --git a/logwatch.te b/logwatch.te -index ab650340c..dd17cb0c5 100644 +index ab650340c..433d37810 100644 --- a/logwatch.te +++ b/logwatch.te @@ -15,7 +15,8 @@ gen_tunable(logwatch_can_network_connect_mail, false) @@ -47997,6 +48055,15 @@ index ab650340c..dd17cb0c5 100644 type logwatch_cache_t; files_type(logwatch_cache_t) +@@ -37,7 +38,7 @@ role system_r types logwatch_mail_t; + # Local policy + # + +-allow logwatch_t self:capability { dac_override dac_read_search setgid }; ++allow logwatch_t self:capability { dac_read_search setgid }; + allow logwatch_t self:process signal; + allow logwatch_t self:fifo_file rw_fifo_file_perms; + allow logwatch_t self:unix_stream_socket { accept listen }; @@ -45,7 +46,8 @@ allow logwatch_t self:unix_stream_socket { accept listen }; manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) 
@@ -48070,6 +48137,15 @@ index ab650340c..dd17cb0c5 100644 rpc_search_nfs_state_data(logwatch_t) ') +@@ -173,7 +180,7 @@ optional_policy(` + # Mail local policy + # + +-allow logwatch_mail_t self:capability { dac_read_search dac_override }; ++allow logwatch_mail_t self:capability { dac_read_search }; + + allow logwatch_mail_t logwatch_t:fd use; + allow logwatch_mail_t logwatch_t:fifo_file rw_fifo_file_perms; @@ -187,6 +194,19 @@ dev_read_sysfs(logwatch_mail_t) logging_read_all_logs(logwatch_mail_t) @@ -48283,7 +48359,7 @@ index 62563717b..ce2acb881 100644 can_exec($1, lpr_exec_t) ') diff --git a/lpd.te b/lpd.te -index 39d31640e..1ec2cd26e 100644 +index 39d31640e..1648ef3c7 100644 --- a/lpd.te +++ b/lpd.te @@ -48,7 +48,7 @@ userdom_user_tmp_file(lpr_tmp_t) @@ -48300,7 +48376,7 @@ index 39d31640e..1ec2cd26e 100644 # -allow checkpc_t self:capability { setgid setuid dac_override }; -+allow checkpc_t self:capability { setgid setuid dac_read_search dac_override }; ++allow checkpc_t self:capability { setgid setuid dac_read_search }; allow checkpc_t self:process signal_perms; allow checkpc_t self:unix_stream_socket create_socket_perms; allow checkpc_t self:tcp_socket create_socket_perms; @@ -48329,6 +48405,15 @@ index 39d31640e..1ec2cd26e 100644 optional_policy(` cron_system_entry(checkpc_t, checkpc_exec_t) +@@ -126,7 +124,7 @@ optional_policy(` + # Lpd local policy + # + +-allow lpd_t self:capability { setgid setuid dac_read_search dac_override chown fowner }; ++allow lpd_t self:capability { setgid setuid dac_read_search chown fowner }; + dontaudit lpd_t self:capability sys_tty_config; + allow lpd_t self:process signal_perms; + allow lpd_t self:fifo_file rw_fifo_file_perms; @@ -155,7 +153,6 @@ can_exec(lpd_t, printconf_t) kernel_read_kernel_sysctls(lpd_t) kernel_read_system_state(lpd_t) 
@@ -48365,7 +48450,7 @@ index 39d31640e..1ec2cd26e 100644 # -allow lpr_t self:capability { setuid dac_override net_bind_service chown }; -+allow lpr_t self:capability { setuid dac_read_search dac_override net_bind_service chown }; ++allow lpr_t self:capability { setuid dac_read_search net_bind_service chown }; allow lpr_t self:unix_stream_socket { accept listen }; allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms }; @@ -49222,7 +49307,7 @@ index 108c0f1f5..a2485018e 100644 domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) ') diff --git a/mailman.te b/mailman.te -index ac81c7fa9..a9faca989 100644 +index ac81c7fa9..b01b07ac3 100644 --- a/mailman.te +++ b/mailman.te @@ -4,6 +4,12 @@ policy_module(mailman, 1.10.0) @@ -49282,7 +49367,7 @@ index ac81c7fa9..a9faca989 100644 -allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; -allow mailman_mail_t self:process { signal signull }; -+allow mailman_mail_t self:capability { kill dac_read_search dac_override setuid setgid sys_nice sys_tty_config }; ++allow mailman_mail_t self:capability { kill dac_read_search setuid setgid sys_nice sys_tty_config }; +allow mailman_mail_t self:process { setsched signal signull }; +allow mailman_mail_t self:unix_dgram_socket create_socket_perms; @@ -49406,7 +49491,7 @@ index 214cb4498..bd1d48e4f 100644 + files_list_pids($1) ') diff --git a/mailscanner.te b/mailscanner.te -index 6b6e2e130..3fb3393ba 100644 +index 6b6e2e130..df90ba417 100644 --- a/mailscanner.te +++ b/mailscanner.te @@ -29,11 +29,12 @@ files_pid_file(mscan_var_run_t) @@ -49414,7 +49499,7 @@ index 6b6e2e130..3fb3393ba 100644 # -allow mscan_t self:capability { setuid chown setgid dac_override }; -+allow mscan_t self:capability { setuid chown setgid dac_read_search dac_override }; ++allow mscan_t self:capability { setuid chown setgid dac_read_search }; allow mscan_t self:process signal; allow mscan_t self:fifo_file rw_fifo_file_perms; 
@@ -50656,7 +50741,7 @@ index cba62db12..562833a81 100644 + delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) +') diff --git a/milter.te b/milter.te -index 4dc99f464..48e3f3813 100644 +index 4dc99f464..51867ef79 100644 --- a/milter.te +++ b/milter.te @@ -5,73 +5,117 @@ policy_module(milter, 1.5.0) @@ -50762,7 +50847,7 @@ index 4dc99f464..48e3f3813 100644 +# It removes any existing socket (not owned by root) whilst running as root, +# fixes permissions, renices itself and then calls setgid() and setuid() to +# drop privileges -+allow greylist_milter_t self:capability { chown dac_read_search dac_override setgid setuid sys_nice }; ++allow greylist_milter_t self:capability { chown dac_read_search setgid setuid sys_nice }; allow greylist_milter_t self:process { setsched getsched }; +allow greylist_milter_t self:tcp_socket create_stream_socket_perms; @@ -50818,7 +50903,7 @@ index 4dc99f464..48e3f3813 100644 -allow regex_milter_t self:capability { setuid setgid dac_override }; +# It removes any existing socket (not owned by root) whilst running as root +# and then calls setgid() and setuid() to drop privileges -+allow regex_milter_t self:capability { setuid setgid dac_read_search dac_override }; ++allow regex_milter_t self:capability { setuid setgid dac_read_search }; +# The milter's socket directory lives under /var/spool files_search_spool(regex_milter_t) @@ -51666,7 +51751,7 @@ index 000000000..f5b98e6de +') diff --git a/mock.te b/mock.te new file mode 100644 -index 000000000..f647022cb +index 000000000..4ba88ac4b --- /dev/null +++ b/mock.te @@ -0,0 +1,288 @@ 
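Review bot: The comment kept above the greylist_milter_t rule says the milter "removes any existing socket (not owned by root) whilst running as root", but the rule under it now grants only `dac_read_search`, which covers read and directory-search checks and not the directory write access that removing a file needs. Either the comment is out of date or, if the socket directory is not writable by root through its ordinary mode bits (not visible in this hunk), the removal will be denied and the stale socket will stay in place. The regex_milter_t hunk further down carries the same comment with the same change. I would add a line such as `# dac_override dropped: socket dir must be DAC-writable by root; check AVC log if unlink fails` to both, or restore the capability for these two domains if testing shows the denial.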
@@ -51716,7 +51801,7 @@ index 000000000..f647022cb +# mock local policy +# + -+allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_read_search dac_override sys_nice mknod fsetid setgid fowner }; ++allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_read_search sys_nice mknod fsetid setgid fowner }; +allow mock_t self:capability2 block_suspend; +allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid }; +# Needed because mock can run java and mono withing build environment @@ -51874,7 +51959,7 @@ index 000000000..f647022cb +# +# mock_build local policy +# -+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_read_search dac_override sys_nice mknod fsetid setgid fowner sys_ptrace }; ++allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_read_search sys_nice mknod fsetid setgid fowner sys_ptrace }; +dontaudit mock_build_t self:capability audit_write; +allow mock_build_t self:process { fork setsched setpgid signal_perms }; +allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; @@ -53720,7 +53805,7 @@ index 6194b806b..e27c53d6e 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4fc..7cba596af 100644 +index 11ac8e4fc..28c1c5f16 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0) 
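Review bot: mock_t and mock_build_t lose `dac_override` here but keep `chown`, `fowner`, `fsetid` and `sys_admin`, and nothing in either hunk records why those remain. A process holding `chown` and `fowner` can still change ownership or mode on any file its type-enforcement rules let it reach, so the DAC restriction gained by this change is small for these domains and the file-type rules stay the real boundary. A short comment above each rule, for example `# chown/fowner/fsetid: needed to populate the build root (TODO confirm); dac_override intentionally not granted`, would tell the next reviewer that the remaining set was looked at.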
@@ -54620,7 +54705,7 @@ index 11ac8e4fc..7cba596af 100644 +# mozilla_plugin_config local policy # - allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; +-allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; -allow mozilla_plugin_config_t self:process { setsched signal_perms getsched }; -allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms; -allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; @@ -54632,6 +54717,7 @@ index 11ac8e4fc..7cba596af 100644 -manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) -manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) ++allow mozilla_plugin_config_t self:capability { dac_read_search sys_nice setuid setgid }; +allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon") @@ -54861,7 +54947,7 @@ index 5fa77c7e6..2e01c7d0a 100644 domain_system_change_exemption($1) role_transition $2 mpd_initrc_exec_t system_r; diff --git a/mpd.te b/mpd.te -index fe7252355..062ad640a 100644 +index fe7252355..68cf0d724 100644 --- a/mpd.te +++ b/mpd.te @@ -62,18 +62,25 @@ files_type(mpd_var_lib_t) 
@@ -54880,7 +54966,7 @@ index fe7252355..062ad640a 100644 # -allow mpd_t self:capability { dac_override kill setgid setuid }; -+allow mpd_t self:capability { dac_read_search dac_override kill setgid setuid }; ++allow mpd_t self:capability { dac_read_search kill setgid setuid }; allow mpd_t self:process { getsched setsched setrlimit signal signull setcap }; allow mpd_t self:fifo_file rw_fifo_file_perms; allow mpd_t self:unix_stream_socket { accept connectto listen }; @@ -56401,7 +56487,7 @@ index ed81cac5a..cd52baf59 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index ff1d68c6a..3f662fbef 100644 +index ff1d68c6a..d04527358 100644 --- a/mta.te +++ b/mta.te @@ -14,8 +14,6 @@ attribute mailserver_sender; @@ -56519,7 +56605,7 @@ index ff1d68c6a..3f662fbef 100644 - -read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) +# newalias required this, not sure if it is needed in 'if' file -+allow system_mail_t self:capability { dac_read_search dac_override fowner }; ++allow system_mail_t self:capability { dac_read_search fowner }; +dontaudit system_mail_t self:capability net_admin; allow system_mail_t mail_home_t:file manage_file_perms; @@ -56855,7 +56941,7 @@ index ff1d68c6a..3f662fbef 100644 optional_policy(` - allow user_mail_t self:capability dac_override; -+ allow user_mail_t self:capability {dac_read_search dac_override }; ++ allow user_mail_t self:capability {dac_read_search }; + # Read user temporary files. + # postfix seems to need write access if the file handle is opened read/write @@ -57209,7 +57295,7 @@ index b744fe35e..cb0e2af61 100644 + admin_pattern($1, munin_content_t) ') diff --git a/munin.te b/munin.te -index b70870816..1ea095ce8 100644 +index b70870816..e2a5280c3 100644 --- a/munin.te +++ b/munin.te @@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t) 
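Review bot: The comment above the system_mail_t rule, "newalias required this, not sure if it is needed in 'if' file", no longer says which capability it refers to now that the set is `{ dac_read_search fowner }`. If `dac_override` was the one newaliases needed, this change will presumably surface as a denial when the alias database is rebuilt; if it was not, the comment should name the capability that is. I would reword it to `# newaliases needs fowner (TODO confirm); dac_override removed, dac_read_search kept`, and in the later mta.te hunk tidy the user_mail_t rule to `{ dac_read_search }` or drop the braces.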
@@ -57266,7 +57352,7 @@ index b70870816..1ea095ce8 100644 # -allow munin_t self:capability { chown dac_override kill setgid setuid sys_rawio }; -+allow munin_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_rawio }; ++allow munin_t self:capability { chown dac_read_search kill setgid setuid sys_rawio }; dontaudit munin_t self:capability sys_tty_config; allow munin_t self:process { getsched setsched signal_perms }; allow munin_t self:unix_stream_socket { accept connectto listen }; @@ -57369,7 +57455,7 @@ index b70870816..1ea095ce8 100644 # -allow mail_munin_plugin_t self:capability dac_override; -+allow mail_munin_plugin_t self:capability { dac_read_search dac_override }; ++allow mail_munin_plugin_t self:capability { dac_read_search }; + +allow mail_munin_plugin_t self:tcp_socket create_stream_socket_perms; +allow mail_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; @@ -58107,7 +58193,7 @@ index 687af38bb..5381f1b39 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 7584bbe7c..9c33fb9ac 100644 +index 7584bbe7c..327af4639 100644 --- a/mysql.te +++ b/mysql.te @@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1) @@ -58163,7 +58249,7 @@ index 7584bbe7c..9c33fb9ac 100644 # -allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource }; -+allow mysqld_t self:capability { dac_read_search dac_override ipc_lock setgid setuid sys_resource net_bind_service }; ++allow mysqld_t self:capability { dac_read_search ipc_lock setgid setuid sys_resource net_bind_service }; dontaudit mysqld_t self:capability sys_tty_config; allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; allow mysqld_t self:fifo_file rw_fifo_file_perms; 
@@ -58301,7 +58387,7 @@ index 7584bbe7c..9c33fb9ac 100644 # -allow mysqld_safe_t self:capability { chown dac_override fowner kill }; -+allow mysqld_safe_t self:capability { chown dac_read_search dac_override fowner kill sys_nice sys_resource }; ++allow mysqld_safe_t self:capability { chown dac_read_search fowner kill sys_nice sys_resource }; +dontaudit mysqld_safe_t self:capability sys_ptrace; allow mysqld_safe_t self:process { setsched getsched setrlimit }; allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; @@ -58376,7 +58462,7 @@ index 7584bbe7c..9c33fb9ac 100644 # -allow mysqlmanagerd_t self:capability { dac_override kill }; -+allow mysqlmanagerd_t self:capability { dac_read_search dac_override kill }; ++allow mysqlmanagerd_t self:capability { dac_read_search kill }; allow mysqlmanagerd_t self:process signal; allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; @@ -59560,7 +59646,7 @@ index 0641e970f..f3b111172 100644 + admin_pattern($1, nrpe_etc_t) ') diff --git a/nagios.te b/nagios.te -index 7b3e682e6..00af8b3b9 100644 +index 7b3e682e6..3b5f4e6ec 100644 --- a/nagios.te +++ b/nagios.te @@ -5,6 +5,25 @@ policy_module(nagios, 1.13.0) @@ -59649,7 +59735,7 @@ index 7b3e682e6..00af8b3b9 100644 # -allow nagios_t self:capability { dac_override setgid setuid }; -+allow nagios_t self:capability { dac_read_search dac_override setgid setuid }; ++allow nagios_t self:capability { dac_read_search setgid setuid }; dontaudit nagios_t self:capability sys_tty_config; allow nagios_t self:process { setpgid signal_perms }; allow nagios_t self:fifo_file rw_fifo_file_perms; 
@@ -59893,7 +59979,7 @@ index 7b3e682e6..00af8b3b9 100644 -allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; -allow nagios_mail_plugin_t self:tcp_socket { accept listen }; -+allow nagios_mail_plugin_t self:capability { setuid setgid dac_read_search dac_override }; ++allow nagios_mail_plugin_t self:capability { setuid setgid dac_read_search }; +allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms; +allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms; +allow nagios_mail_plugin_t self:udp_socket create_socket_perms; @@ -59954,7 +60040,7 @@ index 7b3e682e6..00af8b3b9 100644 # -allow nagios_system_plugin_t self:capability dac_override; -+allow nagios_system_plugin_t self:capability { dac_read_search dac_override }; ++allow nagios_system_plugin_t self:capability { dac_read_search }; dontaudit nagios_system_plugin_t self:capability { setuid setgid }; read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t) @@ -60099,7 +60185,7 @@ index 000000000..8d7c75157 +') diff --git a/namespace.te b/namespace.te new file mode 100644 -index 000000000..814e62e4f +index 000000000..86c327621 --- /dev/null +++ b/namespace.te @@ -0,0 +1,41 @@ @@ -60120,7 +60206,7 @@ index 000000000..814e62e4f +# namespace_init local policy +# + -+allow namespace_init_t self:capability { dac_read_search dac_override}; ++allow namespace_init_t self:capability { dac_read_search }; + +allow namespace_init_t self:fifo_file manage_fifo_file_perms; +allow namespace_init_t self:unix_stream_socket create_stream_socket_perms; @@ -60879,7 +60965,7 @@ index 86dc29dfa..cb39739a5 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f20095e..3ed3ed0b3 100644 +index 55f20095e..3299cc6c7 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ 
@@ -61333,7 +61419,7 @@ index 55f20095e..3ed3ed0b3 100644 # -allow wpa_cli_t self:capability dac_override; -+allow wpa_cli_t self:capability { dac_read_search dac_override }; ++allow wpa_cli_t self:capability { dac_read_search }; allow wpa_cli_t self:unix_dgram_socket create_socket_perms; allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto; @@ -61790,7 +61876,7 @@ index 46e55c3ff..afe399a0e 100644 + allow $1 nis_unit_file_t:service all_service_perms; ') diff --git a/nis.te b/nis.te -index 3a6b0352e..5145db555 100644 +index 3a6b0352e..062e20c8c 100644 --- a/nis.te +++ b/nis.te @@ -5,8 +5,6 @@ policy_module(nis, 1.12.0) @@ -61909,7 +61995,7 @@ index 3a6b0352e..5145db555 100644 # -allow yppasswdd_t self:capability dac_override; -+allow yppasswdd_t self:capability { dac_read_search dac_override }; ++allow yppasswdd_t self:capability { dac_read_search }; dontaudit yppasswdd_t self:capability sys_tty_config; allow yppasswdd_t self:fifo_file rw_fifo_file_perms; allow yppasswdd_t self:process { getsched setfscreate signal_perms }; @@ -62186,7 +62272,7 @@ index 000000000..e32832705 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 000000000..2259a5192 +index 000000000..7b45d90d5 --- /dev/null +++ b/nova.te @@ -0,0 +1,203 @@ @@ -62257,7 +62343,7 @@ index 000000000..2259a5192 +# nova general domain local policy +# + -+allow nova_domain self:capability { dac_read_search dac_override net_admin net_bind_service }; ++allow nova_domain self:capability { dac_read_search net_admin net_bind_service }; +allow nova_domain self:process { getcap setcap signal_perms setfscreate }; +allow nova_domain self:fifo_file rw_fifo_file_perms; +allow nova_domain self:tcp_socket create_stream_socket_perms; @@ -63050,7 +63136,7 @@ index a9c60ff87..ad4f14ad6 100644 + refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/nsd.te b/nsd.te -index 47bb1d204..1e5567367 100644 +index 47bb1d204..56874943b 100644 --- a/nsd.te +++ b/nsd.te @@ -9,9 +9,7 @@ type nsd_t; 
@@ -63091,7 +63177,7 @@ index 47bb1d204..1e5567367 100644 # -allow nsd_t self:capability { chown dac_override kill setgid setuid }; -+allow nsd_t self:capability { chown dac_read_search dac_override kill setgid setuid net_admin }; ++allow nsd_t self:capability { chown dac_read_search kill setgid setuid net_admin }; dontaudit nsd_t self:capability sys_tty_config; allow nsd_t self:process signal_perms; +allow nsd_t self:tcp_socket create_stream_socket_perms; @@ -63177,7 +63263,7 @@ index 47bb1d204..1e5567367 100644 -allow nsd_crond_t self:capability { dac_override kill }; +# kill capability for root cron job and non-root daemon -+allow nsd_crond_t self:capability { dac_read_search dac_override kill }; ++allow nsd_crond_t self:capability { dac_read_search kill }; dontaudit nsd_crond_t self:capability sys_nice; allow nsd_crond_t self:process { setsched signal_perms }; allow nsd_crond_t self:fifo_file rw_fifo_file_perms; @@ -63376,7 +63462,7 @@ index 97df768d9..852d1c6c7 100644 + admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ') diff --git a/nslcd.te b/nslcd.te -index 421bf1a56..1be3b6b30 100644 +index 421bf1a56..7b7c4a983 100644 --- a/nslcd.te +++ b/nslcd.te @@ -20,12 +20,12 @@ files_config_file(nslcd_conf_t) @@ -63390,7 +63476,7 @@ index 421bf1a56..1be3b6b30 100644 -allow nslcd_t self:capability { setgid setuid dac_override }; -allow nslcd_t self:process signal; -allow nslcd_t self:unix_stream_socket { accept listen }; -+allow nslcd_t self:capability { chown dac_read_search dac_override setgid setuid sys_nice }; ++allow nslcd_t self:capability { chown dac_read_search setgid setuid sys_nice }; +allow nslcd_t self:process { setsched signal signull }; +allow nslcd_t self:unix_stream_socket create_stream_socket_perms; @@ -63934,7 +64020,7 @@ index 000000000..bceb5271e +') diff --git a/nsplugin.te b/nsplugin.te new file mode 100644 -index 000000000..7d839fe6e +index 000000000..69a09ce2a --- /dev/null +++ b/nsplugin.te @@ -0,0 +1,318 @@ 
@@ -64164,7 +64250,7 @@ index 000000000..7d839fe6e +# nsplugin_config local policy +# + -+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; ++allow nsplugin_config_t self:capability { dac_read_search sys_nice setuid setgid }; +allow nsplugin_config_t self:process { setsched signal_perms getsched execmem }; +#execing pulseaudio +dontaudit nsplugin_t self:process { getcap setcap }; @@ -64257,7 +64343,7 @@ index 000000000..7d839fe6e + pulseaudio_setattr_home_dir(nsplugin_t) +') diff --git a/ntop.te b/ntop.te -index 8ec78595b..c696f6765 100644 +index 8ec78595b..828398142 100644 --- a/ntop.te +++ b/ntop.te @@ -29,10 +29,11 @@ files_pid_file(ntop_var_run_t) @@ -64265,7 +64351,7 @@ index 8ec78595b..c696f6765 100644 # -allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin }; -+allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin dac_read_search dac_override }; ++allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin dac_read_search }; dontaudit ntop_t self:capability sys_tty_config; allow ntop_t self:process signal_perms; allow ntop_t self:fifo_file rw_fifo_file_perms; @@ -64566,7 +64652,7 @@ index e96a309a5..42453089c 100644 +') + diff --git a/ntp.te b/ntp.te -index f81b113c7..4e9e52e1c 100644 +index f81b113c7..06a05a689 100644 --- a/ntp.te +++ b/ntp.te @@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t; 
@@ -64584,7 +64670,7 @@ index f81b113c7..4e9e52e1c 100644 # -allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; -+allow ntpd_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; ++allow ntpd_t self:capability { chown dac_read_search kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; allow ntpd_t self:fifo_file rw_fifo_file_perms; @@ -65014,7 +65100,7 @@ index 57c0161ed..c554eb6e1 100644 + ps_process_pattern($1, nut_t) ') diff --git a/nut.te b/nut.te -index 5b2cb0d59..605b54b72 100644 +index 5b2cb0d59..0b0be0a36 100644 --- a/nut.te +++ b/nut.te @@ -7,154 +7,155 @@ policy_module(nut, 1.3.0) @@ -65058,7 +65144,7 @@ index 5b2cb0d59..605b54b72 100644 # -allow nut_domain self:capability { setgid setuid dac_override kill }; -+allow nut_domain self:capability { setgid setuid dac_read_search dac_override }; ++allow nut_domain self:capability { setgid setuid dac_read_search }; + allow nut_domain self:process signal_perms; -allow nut_domain self:fifo_file rw_fifo_file_perms; @@ -65805,7 +65891,7 @@ index c87bd2a30..6180fba1f 100644 + allow $1 oddjob_mkhomedir_exec_t:file entrypoint; ') diff --git a/oddjob.te b/oddjob.te -index e403097c6..c60887de2 100644 +index e403097c6..cba01335f 100644 --- a/oddjob.te +++ b/oddjob.te @@ -5,8 +5,6 @@ policy_module(oddjob, 1.10.0) 
@@ -65877,7 +65963,7 @@ index e403097c6..c60887de2 100644 # -allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; -+allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_read_search dac_override }; ++allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_read_search }; allow oddjob_mkhomedir_t self:process setfscreate; allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms; -allow oddjob_mkhomedir_t self:unix_stream_socket { accept listen }; @@ -66416,7 +66502,7 @@ index 000000000..7581b52a0 +') diff --git a/openfortivpn.te b/openfortivpn.te new file mode 100644 -index 000000000..5a3c62b83 +index 000000000..8479af48a --- /dev/null +++ b/openfortivpn.te @@ -0,0 +1,67 @@ @@ -66444,7 +66530,7 @@ index 000000000..5a3c62b83 +# + +# User certificates are typically not world-readable and are owned by the user -+allow openfortivpn_t self:capability { dac_read_search dac_override }; ++allow openfortivpn_t self:capability { dac_read_search }; + +# Talking to pppd via the PTY +allow openfortivpn_t openfortivpn_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; @@ -67541,7 +67627,7 @@ index 000000000..c20cac397 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 000000000..a98990f3a +index 000000000..3ff5b7610 --- /dev/null +++ b/openshift.te @@ -0,0 +1,634 @@ @@ -68097,7 +68183,7 @@ index 000000000..a98990f3a +# +# openshift_cron local policy +# -+allow openshift_cron_t self:capability { dac_read_search dac_override net_admin sys_admin }; ++allow openshift_cron_t self:capability { dac_read_search net_admin sys_admin }; +allow openshift_cron_t self:process signal_perms; +allow openshift_cron_t self:tcp_socket create_stream_socket_perms; +allow openshift_cron_t self:udp_socket create_socket_perms; @@ -68583,7 +68669,7 @@ index 6837e9a2b..8d6e33b00 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; 
diff --git a/openvpn.te b/openvpn.te -index 63957a362..91dead6e7 100644 +index 63957a362..1a037b974 100644 --- a/openvpn.te +++ b/openvpn.te @@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2) @@ -68624,7 +68710,7 @@ index 63957a362..91dead6e7 100644 # -allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_admin setgid setuid sys_chroot sys_tty_config sys_nice }; -+allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice }; ++allow openvpn_t self:capability { dac_read_search ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice }; allow openvpn_t self:process { signal getsched setsched }; allow openvpn_t self:fifo_file rw_fifo_file_perms; allow openvpn_t self:unix_dgram_socket sendto; @@ -69486,7 +69572,7 @@ index 000000000..6ae382cb9 + diff --git a/oracleasm.te b/oracleasm.te new file mode 100644 -index 000000000..41f3e07b1 +index 000000000..16365762c --- /dev/null +++ b/oracleasm.te @@ -0,0 +1,66 @@ @@ -69515,7 +69601,7 @@ index 000000000..41f3e07b1 +# oracleasm local policy +# + -+allow oracleasm_t self:capability { dac_read_search dac_override fsetid fowner chown }; ++allow oracleasm_t self:capability { dac_read_search fsetid fowner chown }; +allow oracleasm_t self:fifo_file rw_fifo_file_perms; +allow oracleasm_t self:unix_stream_socket create_stream_socket_perms; + @@ -70024,7 +70110,7 @@ index 9682d9af8..f1f421f9e 100644 + ') ') diff --git a/pacemaker.te b/pacemaker.te -index 6e6efb642..d56c04963 100644 +index 6e6efb642..9ab075fb4 100644 --- a/pacemaker.te +++ b/pacemaker.te @@ -5,6 +5,13 @@ policy_module(pacemaker, 1.1.0) 
@@ -70071,7 +70157,7 @@ index 6e6efb642..d56c04963 100644 # -allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid }; -+allow pacemaker_t self:capability { fowner fsetid kill chown dac_read_search dac_override setuid }; ++allow pacemaker_t self:capability { fowner fsetid kill chown dac_read_search setuid }; +allow pacemaker_t self:capability2 block_suspend; allow pacemaker_t self:process { setrlimit signal setpgid }; allow pacemaker_t self:fifo_file rw_fifo_file_perms; @@ -70151,7 +70237,7 @@ index 6e097c919..503c97a2d 100644 domain_system_change_exemption($1) role_transition $2 pads_initrc_exec_t system_r; diff --git a/pads.te b/pads.te -index 078adc478..f0c65e5de 100644 +index 078adc478..c1f2a1072 100644 --- a/pads.te +++ b/pads.te @@ -24,9 +24,12 @@ files_pid_file(pads_var_run_t) @@ -70159,7 +70245,7 @@ index 078adc478..f0c65e5de 100644 # -allow pads_t self:capability { dac_override net_raw }; -+allow pads_t self:capability { dac_read_search dac_override net_raw }; ++allow pads_t self:capability { dac_read_search net_raw }; +allow pads_t self:netlink_route_socket create_netlink_socket_perms; allow pads_t self:packet_socket create_socket_perms; allow pads_t self:socket create_socket_perms; @@ -70385,7 +70471,7 @@ index bf59ef731..0e333279c 100644 +') + diff --git a/passenger.te b/passenger.te -index 08ec33bf2..e73b8a63d 100644 +index 08ec33bf2..e175fc6a9 100644 --- a/passenger.te +++ b/passenger.te @@ -1,4 +1,4 @@ 
@@ -70414,7 +70500,7 @@ index 08ec33bf2..e73b8a63d 100644 -allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource }; -allow passenger_t self:process { setpgid setsched sigkill signal }; -+allow passenger_t self:capability { chown dac_read_search dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource }; ++allow passenger_t self:capability { chown dac_read_search fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource }; +allow passenger_t self:capability2 block_suspend; +allow passenger_t self:process { setpgid setsched getsession signal_perms }; allow passenger_t self:fifo_file rw_fifo_file_perms; @@ -70516,9 +70602,18 @@ index 08ec33bf2..e73b8a63d 100644 + rpm_read_db(passenger_t) ') diff --git a/pcmcia.te b/pcmcia.te -index 8176e4aa4..2df178919 100644 +index 8176e4aa4..311e311b3 100644 --- a/pcmcia.te +++ b/pcmcia.te +@@ -29,7 +29,7 @@ role cardmgr_roles types cardmgr_t; + # Local policy + # + +-allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod }; ++allow cardmgr_t self:capability { dac_read_search setuid net_admin sys_admin sys_nice sys_tty_config mknod }; + dontaudit cardmgr_t self:capability sys_tty_config; + allow cardmgr_t self:process signal_perms; + allow cardmgr_t self:fifo_file rw_fifo_file_perms; @@ -88,20 +88,17 @@ libs_exec_lib_files(cardmgr_t) logging_send_syslog_msg(cardmgr_t) @@ -70748,7 +70843,7 @@ index 000000000..abb250dba +') diff --git a/pcp.te b/pcp.te new file mode 100644 -index 000000000..372915272 +index 000000000..140ec0d3a --- /dev/null +++ b/pcp.te @@ -0,0 +1,313 @@ 
@@ -70803,7 +70898,7 @@ index 000000000..372915272 +# pcp domain local policy +# + -+allow pcp_domain self:capability { setuid setgid dac_read_search dac_override }; ++allow pcp_domain self:capability { setuid setgid dac_read_search }; +allow pcp_domain self:process signal_perms; +allow pcp_domain self:tcp_socket create_stream_socket_perms; +allow pcp_domain self:udp_socket create_socket_perms; @@ -71088,14 +71183,16 @@ index 43d50f95b..6b1544f62 100644 ######################################## diff --git a/pcscd.te b/pcscd.te -index 1fb196410..a8026bdbf 100644 +index 1fb196410..f502f33d6 100644 --- a/pcscd.te +++ b/pcscd.te -@@ -22,10 +22,12 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd") +@@ -21,11 +21,13 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd") + # Local policy # - allow pcscd_t self:capability { dac_override dac_read_search fsetid }; +-allow pcscd_t self:capability { dac_override dac_read_search fsetid }; -allow pcscd_t self:process signal; ++allow pcscd_t self:capability { dac_read_search fsetid }; +allow pcscd_t self:capability2 { wake_alarm }; +allow pcscd_t self:process { signal signull }; allow pcscd_t self:fifo_file rw_fifo_file_perms; @@ -71503,7 +71600,7 @@ index d2fc677c1..86dce34a2 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454d8..8cccfd762 100644 +index 608f454d8..8f0f5fd9c 100644 --- a/pegasus.te +++ b/pegasus.te @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) @@ -71583,7 +71680,7 @@ index 608f454d8..8cccfd762 100644 +# pegasus openlmi account local policy +# + -+allow pegasus_openlmi_account_t self:capability { chown dac_read_search dac_override fowner fsetid }; ++allow pegasus_openlmi_account_t self:capability { chown dac_read_search fowner fsetid }; +allow pegasus_openlmi_account_t self:process setfscreate; + +auth_manage_passwd(pegasus_openlmi_account_t) 
@@ -71620,7 +71717,7 @@ index 608f454d8..8cccfd762 100644 +# pegasus openlmi logicalfile local policy +# + -+allow pegasus_openlmi_logicalfile_t self:capability { dac_read_search dac_override }; ++allow pegasus_openlmi_logicalfile_t self:capability { dac_read_search }; +files_manage_non_security_dirs(pegasus_openlmi_logicalfile_t) +files_manage_non_security_files(pegasus_openlmi_logicalfile_t) + @@ -71847,7 +71944,7 @@ index 608f454d8..8cccfd762 100644 # -allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service }; -+allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_read_search dac_override net_admin net_bind_service sys_ptrace }; ++allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_read_search net_admin net_bind_service sys_ptrace }; dontaudit pegasus_t self:capability sys_tty_config; -allow pegasus_t self:process signal; +allow pegasus_t self:process { setsched signal }; @@ -73700,7 +73797,7 @@ index 000000000..f69ae0298 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 000000000..9c27847b2 +index 000000000..701ebda54 --- /dev/null +++ b/pki.te @@ -0,0 +1,285 @@ @@ -73778,7 +73875,7 @@ index 000000000..9c27847b2 +# pki-tomcat local policy +# + -+allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_read_search dac_override sys_nice fsetid }; ++allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_read_search sys_nice fsetid }; +dontaudit pki_tomcat_t self:capability net_admin; +allow pki_tomcat_t self:process { signal setsched signull execmem setfscreate }; + 
@@ -73913,7 +74010,7 @@ index 000000000..9c27847b2 +# + + -+allow pki_apache_domain self:capability { setuid sys_nice setgid dac_read_search dac_override fowner fsetid kill chown}; ++allow pki_apache_domain self:capability { setuid sys_nice setgid dac_read_search fowner fsetid kill chown}; +allow pki_apache_domain self:process { setsched signal getsched signull execstack execmem sigkill}; + +allow pki_apache_domain self:sem all_sem_perms; @@ -74331,7 +74428,7 @@ index 30e751f18..61feb3a81 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/plymouthd.te b/plymouthd.te -index 3078ce905..ac0b7a546 100644 +index 3078ce905..a1f9e1aa1 100644 --- a/plymouthd.te +++ b/plymouthd.te @@ -15,7 +15,7 @@ type plymouthd_exec_t; @@ -74354,7 +74451,7 @@ index 3078ce905..ac0b7a546 100644 allow plymouthd_t self:capability { sys_admin sys_tty_config }; -dontaudit plymouthd_t self:capability dac_override; allow plymouthd_t self:capability2 block_suspend; -+dontaudit plymouthd_t self:capability{ dac_read_search dac_override }; ++dontaudit plymouthd_t self:capability{ dac_read_search }; allow plymouthd_t self:process { signal getsched }; +allow plymouthd_t self:netlink_kobject_uevent_socket create_socket_perms; allow plymouthd_t self:fifo_file rw_fifo_file_perms; @@ -74452,7 +74549,7 @@ index 3078ce905..ac0b7a546 100644 hal_dontaudit_write_log(plymouth_t) hal_dontaudit_rw_pipes(plymouth_t) diff --git a/podsleuth.te b/podsleuth.te -index 9123f7152..232e28a75 100644 +index 9123f7152..77e5b9b59 100644 --- a/podsleuth.te +++ b/podsleuth.te @@ -28,8 +28,9 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t) 
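Review bot: In the plymouthd.te hunk `dac_override` is removed from a `dontaudit` rule, not from an `allow` rule, so no privilege changes: the visible allow line for plymouthd_t grants only `sys_admin` and `sys_tty_config`. The effect is that dac_override denials for plymouthd_t are written to the audit log again, which helps if the aim is to learn whether the capability is ever requested, but adds recurring AVC records if it is requested routinely. If that is intended, say so in the changelog entry; if not, keep `dontaudit plymouthd_t self:capability { dac_read_search dac_override };`. The new line is also missing the space in `capability{`.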
@@ -74461,7 +74558,7 @@ index 9123f7152..232e28a75 100644 -allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio }; -allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack }; -+allow podsleuth_t self:capability { kill dac_read_search dac_override sys_admin sys_rawio }; ++allow podsleuth_t self:capability { kill dac_read_search sys_admin sys_rawio }; +allow podsleuth_t self:process { signal signull getsched execheap execmem execstack }; + allow podsleuth_t self:fifo_file rw_fifo_file_perms; @@ -74776,7 +74873,7 @@ index 032a84d1c..be00a65f1 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policykit.te b/policykit.te -index ee91778f7..fb9b69ae9 100644 +index ee91778f7..24c0eefd6 100644 --- a/policykit.te +++ b/policykit.te @@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0) @@ -74831,7 +74928,8 @@ index ee91778f7..fb9b69ae9 100644 +# policykit local policy # - allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace }; +-allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace }; ++allow policykit_t self:capability { dac_read_search setgid setuid sys_nice sys_ptrace }; allow policykit_t self:process { getsched setsched signal }; -allow policykit_t self:unix_stream_socket { accept connectto listen }; +allow policykit_t self:unix_dgram_socket create_socket_perms; @@ -75632,7 +75730,7 @@ index 9764bfef8..8870de713 100644 -miscfiles_read_localization(polipo_daemon) diff --git a/portage.if b/portage.if -index 67e8c12c4..058c99481 100644 +index 67e8c12c4..e76feca9b 100644 --- a/portage.if +++ b/portage.if @@ -67,9 +67,10 @@ interface(`portage_compile_domain',` 
@@ -75643,12 +75741,12 @@ index 67e8c12c4..058c99481 100644 ') - allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw }; -+ allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_read_search dac_override net_raw }; ++ allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_read_search net_raw }; dontaudit $1 self:capability sys_chroot; allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate }; allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; diff --git a/portage.te b/portage.te -index b410c67c1..f1ec41d39 100644 +index b410c67c1..27d6cc52a 100644 --- a/portage.te +++ b/portage.te @@ -108,7 +108,6 @@ domain_use_interactive_fds(gcc_config_t) @@ -75664,7 +75762,7 @@ index b410c67c1..f1ec41d39 100644 allow portage_fetch_t self:process signal; -allow portage_fetch_t self:capability { dac_override fowner fsetid chown }; -+allow portage_fetch_t self:capability { dac_read_search dac_override fowner fsetid chown }; ++allow portage_fetch_t self:capability { dac_read_search fowner fsetid chown }; allow portage_fetch_t self:fifo_file rw_fifo_file_perms; allow portage_fetch_t self:tcp_socket { accept listen }; allow portage_fetch_t self:unix_stream_socket create_socket_perms; @@ -75767,9 +75865,18 @@ index 5ad529154..7f1ae2a78 100644 portreserve_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/portreserve.te b/portreserve.te -index 00b01e2ea..10b45127a 100644 +index 00b01e2ea..1ef4b9938 100644 --- a/portreserve.te 
+++ b/portreserve.te +@@ -23,7 +23,7 @@ files_pid_file(portreserve_var_run_t) + # Local policy + # + +-allow portreserve_t self:capability { dac_read_search dac_override }; ++allow portreserve_t self:capability { dac_read_search }; + allow portreserve_t self:fifo_file rw_fifo_file_perms; + allow portreserve_t self:unix_stream_socket create_stream_socket_perms; + allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir } corecmd_getattr_bin_files(portreserve_t) @@ -75903,7 +76010,7 @@ index c0e878537..3070aa066 100644 +/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) +/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) diff --git a/postfix.if b/postfix.if -index ded95ec3a..db49c5774 100644 +index ded95ec3a..210018ce4 100644 --- a/postfix.if +++ b/postfix.if @@ -1,4 +1,4 @@ @@ -75997,7 +76104,7 @@ index ded95ec3a..db49c5774 100644 - # - # Declarations - # -+ allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_read_search dac_override }; ++ allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_read_search }; + allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; + allow postfix_$1_t self:tcp_socket create_socket_perms; + allow postfix_$1_t self:udp_socket create_socket_perms; @@ -76055,7 +76162,7 @@ index ded95ec3a..db49c5774 100644 - # - - allow postfix_$1_t self:capability dac_override; -+ allow postfix_$1_t self:capability { dac_read_search dac_override }; ++ allow postfix_$1_t self:capability { dac_read_search }; domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) @@ -76788,7 +76895,7 @@ index ded95ec3a..db49c5774 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 5cfb83eca..87a1d852a 100644 +index 5cfb83eca..708c908d1 100644 
--- a/postfix.te +++ b/postfix.te @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1) @@ -76981,7 +77088,7 @@ index 5cfb83eca..87a1d852a 100644 -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config }; +dontaudit postfix_master_t self:capability { net_admin }; +# chown is to set the correct ownership of queue dirs -+allow postfix_master_t self:capability { chown dac_read_search dac_override kill setgid setuid net_bind_service sys_tty_config }; ++allow postfix_master_t self:capability { chown dac_read_search kill setgid setuid net_bind_service sys_tty_config }; allow postfix_master_t self:capability2 block_suspend; + allow postfix_master_t self:process setrlimit; @@ -77306,7 +77413,7 @@ index 5cfb83eca..87a1d852a 100644 -# Map local policy +# Postfix map local policy # -+allow postfix_map_t self:capability { dac_read_search dac_override setgid setuid }; ++allow postfix_map_t self:capability { dac_read_search setgid setuid }; +allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; +allow postfix_map_t self:unix_dgram_socket create_socket_perms; +allow postfix_map_t self:tcp_socket create_stream_socket_perms; @@ -77833,7 +77940,7 @@ index b9e71b537..a7502cd0e 100644 domain_system_change_exemption($1) role_transition $2 postgrey_initrc_exec_t system_r; diff --git a/postgrey.te b/postgrey.te -index fd58805e5..248d22985 100644 +index fd58805e5..593a05367 100644 --- a/postgrey.te +++ b/postgrey.te @@ -16,7 +16,7 @@ type postgrey_initrc_exec_t; @@ -77850,7 +77957,7 @@ index fd58805e5..248d22985 100644 # -allow postgrey_t self:capability { chown dac_override setgid setuid }; -+allow postgrey_t self:capability { chown dac_read_search dac_override setgid setuid }; ++allow postgrey_t self:capability { chown dac_read_search setgid setuid }; dontaudit postgrey_t self:capability sys_tty_config; allow postgrey_t self:process signal_perms; allow postgrey_t self:fifo_file create_fifo_file_perms; 
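Review bot: `postfix_master_t` loses `dac_override` even though the comment directly above says the domain uses `chown` to fix ownership of queue directories, which suggests it works in directories it does not own. `dac_read_search` covers only read and search, so any create or write that relied on bypassing mode bits will now be denied. The same mechanical substitution is applied further down to `haproxy_t` (whose comment cites a process-versus-pid-owner workaround), `rpm_t` and `rpm_script_t`, where writes to files owned by other users seem likely. I would run these domains in enforcing mode and watch for `capability` AVC denials naming `dac_override` before shipping. Where a denial confirms the need, re-add the capability for that domain with a comment such as `# dac_override: write to <path> owned by <user>`.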
@@ -78451,7 +78558,7 @@ index cd8b8b9cb..2cfa88a2d 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index d616ca3e3..0b38ca5d6 100644 +index d616ca3e3..0ad15efea 100644 --- a/ppp.te +++ b/ppp.te @@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0) @@ -78535,7 +78642,7 @@ index d616ca3e3..0b38ca5d6 100644 # -allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice }; -+allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_read_search dac_override sys_nice sys_chroot }; ++allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_read_search sys_nice sys_chroot }; dontaudit pppd_t self:capability sys_tty_config; -allow pppd_t self:process { getsched setsched signal }; +dontaudit pppd_t self:capability2 block_suspend; @@ -78711,7 +78818,8 @@ index d616ca3e3..0b38ca5d6 100644 +# PPTP Local policy # - allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin }; +-allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin }; ++allow pptp_t self:capability { dac_read_search net_raw net_admin }; dontaudit pptp_t self:capability sys_tty_config; allow pptp_t self:process signal; allow pptp_t self:fifo_file rw_fifo_file_perms; @@ -78975,7 +79083,7 @@ index 20d469793..e6605c100 100644 + files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache") +') diff --git a/prelink.te b/prelink.te -index 8e262163b..c1d33acdf 100644 +index 8e262163b..c23cec013 100644 --- a/prelink.te +++ b/prelink.te @@ -6,13 +6,10 @@ policy_module(prelink, 1.11.0) 
@@ -78997,7 +79105,7 @@ index 8e262163b..c1d33acdf 100644 # -allow prelink_t self:capability { chown dac_override fowner fsetid setfcap sys_resource }; -+allow prelink_t self:capability { chown dac_read_search dac_override fowner fsetid setfcap sys_resource }; ++allow prelink_t self:capability { chown dac_read_search fowner fsetid setfcap sys_resource }; allow prelink_t self:process { execheap execmem execstack signal }; allow prelink_t self:fifo_file rw_fifo_file_perms; @@ -79365,7 +79473,7 @@ index c83a838d7..f41a4f7dd 100644 admin_pattern($1, prelude_lml_tmp_t) ') diff --git a/prelude.te b/prelude.te -index 8f4460928..dd7065356 100644 +index 8f4460928..d3b9f0dd3 100644 --- a/prelude.te +++ b/prelude.te @@ -13,7 +13,7 @@ type prelude_initrc_exec_t; @@ -79382,7 +79490,7 @@ index 8f4460928..dd7065356 100644 # -allow prelude_t self:capability { dac_override sys_tty_config }; -+allow prelude_t self:capability { dac_read_search dac_override sys_tty_config }; ++allow prelude_t self:capability { dac_read_search sys_tty_config }; allow prelude_t self:fifo_file rw_fifo_file_perms; allow prelude_t self:unix_stream_socket { accept listen }; allow prelude_t self:tcp_socket { accept listen }; @@ -79416,7 +79524,7 @@ index 8f4460928..dd7065356 100644 # -allow prelude_audisp_t self:capability { dac_override ipc_lock setpcap }; -+allow prelude_audisp_t self:capability { dac_read_search dac_override ipc_lock setpcap }; ++allow prelude_audisp_t self:capability { dac_read_search ipc_lock setpcap }; allow prelude_audisp_t self:process { getcap setcap }; allow prelude_audisp_t self:fifo_file rw_fifo_file_perms; allow prelude_audisp_t self:unix_stream_socket { accept listen }; 
@@ -79449,7 +79557,7 @@ index 8f4460928..dd7065356 100644 # -allow prelude_correlator_t self:capability dac_override; -+allow prelude_correlator_t self:capability { dac_read_search dac_override }; ++allow prelude_correlator_t self:capability { dac_read_search }; allow prelude_correlator_t self:tcp_socket { accept listen }; manage_dirs_pattern(prelude_correlator_t, prelude_spool_t, prelude_spool_t) @@ -79481,7 +79589,7 @@ index 8f4460928..dd7065356 100644 # -allow prelude_lml_t self:capability dac_override; -+allow prelude_lml_t self:capability { dac_read_search dac_override }; ++allow prelude_lml_t self:capability { dac_read_search }; +allow prelude_lml_t self:tcp_socket { setopt create_socket_perms }; +allow prelude_lml_t self:unix_dgram_socket create_socket_perms; allow prelude_lml_t self:fifo_file rw_fifo_file_perms; @@ -79755,7 +79863,7 @@ index 00edeab17..166e9c333 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) ') diff --git a/procmail.te b/procmail.te -index cc426e62a..91a1f537e 100644 +index cc426e62a..ee83a78ce 100644 --- a/procmail.te +++ b/procmail.te @@ -14,7 +14,7 @@ type procmail_home_t; @@ -79772,7 +79880,7 @@ index cc426e62a..91a1f537e 100644 # -allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override }; -+allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_read_search dac_override }; ++allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_read_search }; allow procmail_t self:process { setsched signal signull }; allow procmail_t self:fifo_file rw_fifo_file_perms; -allow procmail_t self:tcp_socket { accept listen }; @@ -80230,7 +80338,7 @@ index 000000000..8231f4ff5 +') diff --git a/prosody.te b/prosody.te new file mode 100644 -index 000000000..5a9f1d42c +index 000000000..06eb94871 --- /dev/null +++ b/prosody.te @@ -0,0 +1,99 @@ 
@@ -80272,7 +80380,7 @@ index 000000000..5a9f1d42c +# +# prosody local policy +# -+allow prosody_t self:capability { setuid setgid dac_read_search dac_override }; ++allow prosody_t self:capability { setuid setgid dac_read_search }; +allow prosody_t self:process { signal_perms execmem }; +allow prosody_t self:tcp_socket create_stream_socket_perms; + @@ -80493,7 +80601,7 @@ index d4dcf782c..3cce82e50 100644 admin_pattern($1, psad_tmp_t) ') diff --git a/psad.te b/psad.te -index b5d717b09..9fd153b1c 100644 +index b5d717b09..99f6fddac 100644 --- a/psad.te +++ b/psad.te @@ -32,7 +32,7 @@ files_tmp_file(psad_tmp_t) @@ -80501,7 +80609,7 @@ index b5d717b09..9fd153b1c 100644 # -allow psad_t self:capability { net_admin net_raw setuid setgid dac_override }; -+allow psad_t self:capability { net_admin net_raw setuid setgid dac_read_search dac_override }; ++allow psad_t self:capability { net_admin net_raw setuid setgid dac_read_search }; dontaudit psad_t self:capability sys_tty_config; allow psad_t self:process signal_perms; allow psad_t self:fifo_file rw_fifo_file_perms; @@ -80549,7 +80657,7 @@ index 28d2abc03..c2cfb5eaa 100644 -miscfiles_read_localization(ptchown_t) +auth_read_passwd(ptchown_t) diff --git a/publicfile.te b/publicfile.te -index 3246befff..dd66a21cb 100644 +index 3246befff..edce6258a 100644 --- a/publicfile.te +++ b/publicfile.te @@ -17,7 +17,7 @@ files_type(publicfile_content_t) @@ -80557,7 +80665,7 @@ index 3246befff..dd66a21cb 100644 # -allow publicfile_t self:capability { dac_override setgid setuid sys_chroot }; -+allow publicfile_t self:capability { dac_read_search dac_override setgid setuid sys_chroot }; ++allow publicfile_t self:capability { dac_read_search setgid setuid sys_chroot }; allow publicfile_t publicfile_content_t:dir list_dir_perms; allow publicfile_t publicfile_content_t:file read_file_perms; @@ -81672,7 +81780,7 @@ index 7cb8b1f9c..bef72173b 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; ') 
diff --git a/puppet.te b/puppet.te -index 618dcfeed..d5d0cfcb8 100644 +index 618dcfeed..5bd88a99d 100644 --- a/puppet.te +++ b/puppet.te @@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0) @@ -81838,7 +81946,7 @@ index 618dcfeed..d5d0cfcb8 100644 - -tunable_policy(`puppet_manage_all_files',` - files_manage_non_auth_files(puppet_t) -+allow puppetagent_t self:capability { fowner fsetid setuid setgid dac_read_search dac_override sys_nice sys_tty_config }; ++allow puppetagent_t self:capability { fowner fsetid setuid setgid dac_read_search sys_nice sys_tty_config }; +allow puppetagent_t self:process { signal signull getsched setsched }; +allow puppetagent_t self:fifo_file rw_fifo_file_perms; +allow puppetagent_t self:netlink_route_socket create_netlink_socket_perms; @@ -82015,7 +82123,7 @@ index 618dcfeed..d5d0cfcb8 100644 # -allow puppetca_t self:capability { dac_override setgid setuid }; -+allow puppetca_t self:capability { dac_read_search dac_override setgid setuid }; ++allow puppetca_t self:capability { dac_read_search setgid setuid }; allow puppetca_t self:fifo_file rw_fifo_file_perms; -allow puppetca_t puppet_etc_t:dir list_dir_perms; @@ -82065,7 +82173,8 @@ index 618dcfeed..d5d0cfcb8 100644 +# Pupper master personal policy # - allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; +-allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; ++allow puppetmaster_t self:capability { dac_read_search setuid setgid fowner chown fsetid sys_tty_config }; allow puppetmaster_t self:process { signal_perms getsched setsched }; allow puppetmaster_t self:fifo_file rw_fifo_file_perms; -allow puppetmaster_t self:netlink_route_socket nlmsg_write; @@ -82956,7 +83065,7 @@ index 86ea53ce1..a2dcf7bb2 100644 /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) /usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) 
diff --git a/qemu.if b/qemu.if -index eaf56b8b0..889472688 100644 +index eaf56b8b0..408cdccaf 100644 --- a/qemu.if +++ b/qemu.if @@ -1,19 +1,21 @@ @@ -82987,7 +83096,7 @@ index eaf56b8b0..889472688 100644 # type $1_t; -@@ -22,9 +24,12 @@ template(`qemu_domain_template',` +@@ -22,12 +24,15 @@ template(`qemu_domain_template',` type $1_tmp_t; files_tmp_file($1_tmp_t) @@ -83000,7 +83109,11 @@ index eaf56b8b0..889472688 100644 + # Local Policy # - allow $1_t self:capability { dac_read_search dac_override }; +- allow $1_t self:capability { dac_read_search dac_override }; ++ allow $1_t self:capability { dac_read_search }; + allow $1_t self:process { execstack execmem signal getsched }; + allow $1_t self:fifo_file rw_file_perms; + allow $1_t self:shm create_shm_perms; @@ -39,9 +44,12 @@ template(`qemu_domain_template',` manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) @@ -84769,7 +84882,7 @@ index afc00688d..589a7fdde 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 8644d8b3f..97a9b7e76 100644 +index 8644d8b3f..62bdc516a 100644 --- a/quantum.te +++ b/quantum.te @@ -5,92 +5,183 @@ policy_module(quantum, 1.1.0) @@ -84859,7 +84972,7 @@ index 8644d8b3f..97a9b7e76 100644 - -dev_list_sysfs(quantum_t) -dev_read_urand(quantum_t) -+allow neutron_t self:capability { chown dac_read_search dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service}; ++allow neutron_t self:capability { chown dac_read_search sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service}; +allow neutron_t self:capability2 block_suspend; +allow neutron_t self:process { setsched setrlimit setcap signal_perms }; + @@ -85302,7 +85415,7 @@ index da6421861..3fb8575ca 100644 + domtrans_pattern($1, quota_nld_exec_t, quota_nld_t) ') diff --git a/quota.te b/quota.te -index f47c8e81f..ba74734da 100644 +index f47c8e81f..ffee08201 100644 --- a/quota.te +++ b/quota.te 
@@ -5,12 +5,10 @@ policy_module(quota, 1.6.0) @@ -85335,7 +85448,7 @@ index f47c8e81f..ba74734da 100644 # -allow quota_t self:capability { sys_admin dac_override }; -+allow quota_t self:capability { sys_admin dac_read_search dac_override }; ++allow quota_t self:capability { sys_admin dac_read_search }; dontaudit quota_t self:capability sys_tty_config; allow quota_t self:process signal_perms; @@ -85769,7 +85882,7 @@ index 44605825c..4c66c2502 100644 + ') diff --git a/radius.te b/radius.te -index 403a4fed1..193195e3c 100644 +index 403a4fed1..5357a7e46 100644 --- a/radius.te +++ b/radius.te @@ -5,6 +5,13 @@ policy_module(radius, 1.13.0) @@ -85799,7 +85912,7 @@ index 403a4fed1..193195e3c 100644 # -allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; -+allow radiusd_t self:capability { chown dac_read_search dac_override fsetid kill setgid setuid sys_resource sys_tty_config sys_ptrace }; ++allow radiusd_t self:capability { chown dac_read_search fsetid kill setgid setuid sys_resource sys_tty_config sys_ptrace }; dontaudit radiusd_t self:capability sys_tty_config; -allow radiusd_t self:process { getsched setrlimit setsched sigkill signal }; +allow radiusd_t self:process { getsched setrlimit setsched sigkill signal ptrace}; @@ -85958,7 +86071,7 @@ index ac7058d1e..48739ac1b 100644 init_labeled_script_domtrans($1, radvd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/radvd.te b/radvd.te -index 6d162e4e6..502ca16ba 100644 +index 6d162e4e6..01b5af0e0 100644 --- a/radvd.te +++ b/radvd.te @@ -22,7 +22,7 @@ files_pid_file(radvd_var_run_t) 
@@ -85966,7 +86079,7 @@ index 6d162e4e6..502ca16ba 100644 # -allow radvd_t self:capability { kill setgid setuid net_raw net_admin }; -+allow radvd_t self:capability { kill setgid setuid net_raw net_admin dac_read_search dac_override }; ++allow radvd_t self:capability { kill setgid setuid net_raw net_admin dac_read_search }; dontaudit radvd_t self:capability sys_tty_config; allow radvd_t self:process signal_perms; allow radvd_t self:fifo_file rw_fifo_file_perms; @@ -86224,7 +86337,7 @@ index 951db7f1b..00e699da4 100644 + files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak") ') diff --git a/raid.te b/raid.te -index c99753f2c..55294acec 100644 +index c99753f2c..082d5f686 100644 --- a/raid.te +++ b/raid.te @@ -15,54 +15,104 @@ role mdadm_roles types mdadm_t; @@ -86258,7 +86371,7 @@ index c99753f2c..55294acec 100644 -allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; -dontaudit mdadm_t self:capability sys_tty_config; -allow mdadm_t self:process { getsched setsched signal_perms }; -+allow mdadm_t self:capability { dac_read_search dac_override sys_admin ipc_lock }; ++allow mdadm_t self:capability { dac_read_search sys_admin ipc_lock }; +dontaudit mdadm_t self:capability { sys_tty_config sys_ptrace }; +allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal }; allow mdadm_t self:fifo_file rw_fifo_file_perms; @@ -87304,7 +87417,7 @@ index 661bb88fd..06f69c4ad 100644 +') + diff --git a/readahead.te b/readahead.te -index c0b02c91c..af81d71a7 100644 +index c0b02c91c..df24ae78e 100644 --- a/readahead.te +++ b/readahead.te @@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t; 
@@ -87315,6 +87428,15 @@ index c0b02c91c..af81d71a7 100644 init_daemon_run_dir(readahead_var_run_t, "readahead") ######################################## +@@ -22,7 +23,7 @@ init_daemon_run_dir(readahead_var_run_t, "readahead") + # Local policy + # + +-allow readahead_t self:capability { sys_admin fowner dac_override dac_read_search }; ++allow readahead_t self:capability { sys_admin fowner dac_read_search }; + dontaudit readahead_t self:capability { net_admin sys_tty_config }; + allow readahead_t self:process { setsched signal_perms }; + @@ -31,13 +32,18 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) @@ -88146,7 +88268,7 @@ index a9ce68e33..92520aa92 100644 + allow $1 remote_login_t:process signull; ') diff --git a/remotelogin.te b/remotelogin.te -index ae308717f..15a669cd4 100644 +index ae308717f..c627cdf7d 100644 --- a/remotelogin.te +++ b/remotelogin.te @@ -10,81 +10,89 @@ domain_interactive_fd(remote_login_t) @@ -88163,7 +88285,7 @@ index ae308717f..15a669cd4 100644 # -allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; -+allow remote_login_t self:capability { dac_read_search dac_read_search dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; ++allow remote_login_t self:capability { dac_read_search dac_read_search chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow remote_login_t self:process { setrlimit setexec }; allow remote_login_t self:fd use; @@ -88262,7 +88384,7 @@ index ae308717f..15a669cd4 100644 ') diff --git a/resmgr.te b/resmgr.te -index f6eb358ad..b6319191c 100644 +index f6eb358ad..472496379 100644 --- a/resmgr.te +++ b/resmgr.te 
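Review bot: The new `remote_login_t` capability set lists `dac_read_search` twice. The compiler tolerates the duplicate, but it makes the set harder to audit and hints that the line was edited by search-and-replace rather than reviewed. Suggested line: `allow remote_login_t self:capability { dac_read_search chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };`.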
@@ -23,7 +23,7 @@ files_pid_file(resmgrd_var_run_t) @@ -88270,7 +88392,7 @@ index f6eb358ad..b6319191c 100644 # -allow resmgrd_t self:capability { dac_override sys_admin sys_rawio }; -+allow resmgrd_t self:capability { dac_read_search dac_override sys_admin sys_rawio }; ++allow resmgrd_t self:capability { dac_read_search sys_admin sys_rawio }; dontaudit resmgrd_t self:capability sys_tty_config; allow resmgrd_t self:process signal_perms; @@ -88518,7 +88640,7 @@ index 1c2f9aa12..a4133dc92 100644 + allow $1 rgmanager_var_lib_t:dir search_dir_perms; +') diff --git a/rgmanager.te b/rgmanager.te -index c8a1e16e4..f9d6fb341 100644 +index c8a1e16e4..8804d048a 100644 --- a/rgmanager.te +++ b/rgmanager.te @@ -6,10 +6,9 @@ policy_module(rgmanager, 1.3.0) @@ -88554,7 +88676,7 @@ index c8a1e16e4..f9d6fb341 100644 # -allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; -+allow rgmanager_t self:capability { dac_read_search dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; ++allow rgmanager_t self:capability { dac_read_search net_raw sys_resource sys_admin sys_nice ipc_lock }; allow rgmanager_t self:process { setsched signal }; + allow rgmanager_t self:fifo_file rw_fifo_file_perms; @@ -89754,7 +89876,7 @@ index c8bdea28d..beb2872e3 100644 + allow $1 haproxy_unit_file_t:service {status start}; ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c449..0dbfae6d5 100644 +index 6cf79c449..14be26dce 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) 
@@ -89874,7 +89996,7 @@ index 6cf79c449..0dbfae6d5 100644 +# cluster domain local policy +# + -+allow cluster_t self:capability { dac_read_search dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock ipc_owner }; ++allow cluster_t self:capability { dac_read_search fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock ipc_owner }; +# for hearbeat +allow cluster_t self:capability { net_raw chown }; +allow cluster_t self:capability2 block_suspend; @@ -90094,7 +90216,7 @@ index 6cf79c449..0dbfae6d5 100644 # -allow dlm_controld_t self:capability { net_admin sys_admin sys_resource }; -+allow dlm_controld_t self:capability { dac_read_search dac_override net_admin sys_admin sys_resource }; ++allow dlm_controld_t self:capability { dac_read_search net_admin sys_admin sys_resource }; allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; +files_pid_filetrans(dlm_controld_t, dlm_controld_var_run_t, dir) @@ -90296,7 +90418,7 @@ index 6cf79c449..0dbfae6d5 100644 +# + +# bug in haproxy and process vs pid owner -+allow haproxy_t self:capability { dac_read_search dac_override kill }; ++allow haproxy_t self:capability { dac_read_search kill }; + +allow haproxy_t self:capability { chown fowner setgid setuid sys_chroot sys_resource net_admin net_raw }; +allow haproxy_t self:capability2 block_suspend; @@ -91591,7 +91713,7 @@ index 2ab3ed1d4..23d579cde 100644 role_transition $2 ricci_initrc_exec_t system_r; allow $2 system_r; diff --git a/ricci.te b/ricci.te -index 0ba2569a5..161850d41 100644 +index 0ba2569a5..98b952398 100644 --- a/ricci.te +++ b/ricci.te @@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t) 
@@ -91697,7 +91819,7 @@ index 0ba2569a5..161850d41 100644 # -allow ricci_modservice_t self:capability { dac_override sys_nice }; -+allow ricci_modservice_t self:capability {dac_read_search dac_override sys_nice }; ++allow ricci_modservice_t self:capability {dac_read_search sys_nice }; allow ricci_modservice_t self:process setsched; allow ricci_modservice_t self:fifo_file rw_fifo_file_perms; @@ -92089,7 +92211,7 @@ index 050479dea..0e1b364fb 100644 type rlogind_home_t; ') diff --git a/rlogin.te b/rlogin.te -index ee2794858..34d2ee96f 100644 +index ee2794858..248d080f6 100644 --- a/rlogin.te +++ b/rlogin.te @@ -31,10 +31,12 @@ files_pid_file(rlogind_var_run_t) @@ -92097,7 +92219,7 @@ index ee2794858..34d2ee96f 100644 # -allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; -+allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_read_search dac_override }; ++allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_read_search }; allow rlogind_t self:process signal_perms; allow rlogind_t self:fifo_file rw_fifo_file_perms; -allow rlogind_t self:tcp_socket { accept listen }; @@ -93077,7 +93199,7 @@ index 0bf13c220..79a2a9c48 100644 + allow $1 gssd_t:process { noatsecure rlimitinh }; +') diff --git a/rpc.te b/rpc.te -index 2da9fca2f..49c37e8ea 100644 +index 2da9fca2f..9099c9800 100644 --- a/rpc.te +++ b/rpc.te @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1) @@ -93201,7 +93323,7 @@ index 2da9fca2f..49c37e8ea 100644 # -allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid }; -+allow rpcd_t self:capability { setpcap sys_admin chown dac_read_search dac_override setgid setuid }; ++allow rpcd_t self:capability { setpcap sys_admin chown dac_read_search setgid setuid }; allow rpcd_t self:capability2 block_suspend; + allow rpcd_t self:process { getcap setcap }; 
@@ -93282,10 +93404,12 @@ index 2da9fca2f..49c37e8ea 100644 ') ######################################## -@@ -202,41 +232,63 @@ optional_policy(` +@@ -201,42 +231,64 @@ optional_policy(` + # NFSD local policy # - allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; +-allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; ++allow nfsd_t self:capability { dac_read_search sys_admin sys_resource }; +dontaudit nfsd_t self:capability sys_rawio; allow nfsd_t exports_t:file read_file_perms; @@ -93384,7 +93508,7 @@ index 2da9fca2f..49c37e8ea 100644 # -allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice }; -+allow gssd_t self:capability { dac_override dac_read_search setuid setgid sys_nice }; ++allow gssd_t self:capability { dac_read_search setuid setgid sys_nice }; allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_fifo_file_perms; @@ -94476,7 +94600,7 @@ index ef3b22507..79518530e 100644 admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t }) diff --git a/rpm.te b/rpm.te -index 6fc360e60..219964375 100644 +index 6fc360e60..32a4ca12d 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,13 @@ @@ -94539,7 +94663,7 @@ index 6fc360e60..219964375 100644 -allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; +allow rpm_t self:capability2 block_suspend; -+allow rpm_t self:capability { chown dac_read_search dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; ++allow rpm_t self:capability { chown dac_read_search fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; allow rpm_t self:process { getattr setexec setfscreate setrlimit }; allow rpm_t self:fd use; 
@@ -94732,10 +94856,12 @@ index 6fc360e60..219964375 100644 ') ######################################## -@@ -239,18 +252,20 @@ optional_policy(` +@@ -238,19 +251,21 @@ optional_policy(` + # rpm-script Local policy # - allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin }; +-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin }; ++allow rpm_script_t self:capability { chown dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin }; + allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; allow rpm_script_t self:fd use; @@ -95010,7 +95136,7 @@ index 7ad29c046..2e87d76b4 100644 domtrans_pattern($1, rshd_exec_t, rshd_t) ') diff --git a/rshd.te b/rshd.te -index 864e089a0..f919bc537 100644 +index 864e089a0..f9ad3ab47 100644 --- a/rshd.te +++ b/rshd.te @@ -4,11 +4,12 @@ policy_module(rshd, 1.8.1) @@ -95035,7 +95161,7 @@ index 864e089a0..f919bc537 100644 - -allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override }; -allow rshd_t self:process { signal_perms setsched setpgid setexec }; -+allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_read_search dac_override }; ++allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_read_search }; +allow rshd_t self:process { signal_perms fork setsched setpgid setexec }; allow rshd_t self:fifo_file rw_fifo_file_perms; allow rshd_t self:tcp_socket create_stream_socket_perms; @@ -95434,7 +95560,7 @@ index f1140efe4..642e062f4 100644 + files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock") ') diff --git a/rsync.te b/rsync.te -index abeb302a7..b27a47979 100644 +index abeb302a7..55ee48de0 100644 --- a/rsync.te +++ b/rsync.te 
@@ -6,67 +6,46 @@ policy_module(rsync, 1.13.0) @@ -95524,8 +95650,12 @@ index abeb302a7..b27a47979 100644 files_type(rsync_data_t) type rsync_log_t; -@@ -86,15 +65,25 @@ files_pid_file(rsync_var_run_t) - allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; +@@ -83,18 +62,28 @@ files_pid_file(rsync_var_run_t) + # Local policy + # + +-allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; ++allow rsync_t self:capability { chown dac_read_search fowner fsetid setuid setgid sys_chroot }; allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_fifo_file_perms; -allow rsync_t self:tcp_socket { accept listen }; @@ -95624,7 +95754,7 @@ index abeb302a7..b27a47979 100644 +') + +tunable_policy(`rsync_full_access',` -+ allow rsync_t self:capability { dac_override dac_read_search }; ++ allow rsync_t self:capability { dac_read_search }; + files_manage_non_auth_files(rsync_t) ') @@ -97090,7 +97220,7 @@ index 50d07fb2e..a34db489c 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441e7..5d52fba0f 100644 +index 2b7c441e7..8f17d3b19 100644 --- a/samba.te +++ b/samba.te @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) @@ -97318,7 +97448,8 @@ index 2b7c441e7..5d52fba0f 100644 +# Samba net local policy # - - allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override }; +-allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override }; ++allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search }; allow samba_net_t self:capability2 block_suspend; allow samba_net_t self:process { getsched setsched }; -allow samba_net_t self:unix_stream_socket { accept listen }; 
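Review bot: After this edit the `rsync_full_access` block grants only `dac_read_search`, which `rsync_t` already holds unconditionally through the `allow rsync_t self:capability { chown dac_read_search fowner ... }` line changed earlier in this file, so the boolean no longer alters the capability set. Because the block also calls `files_manage_non_auth_files(rsync_t)`, the original `dac_override` looks like the deliberate opt-in that let rsync write regardless of mode bits once an administrator enabled full access. Either delete the now-redundant line, or keep the broad capability behind the boolean only: `allow rsync_t self:capability dac_override;`.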
@@ -97407,7 +97538,7 @@ index 2b7c441e7..5d52fba0f 100644 # -allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search }; -+allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search net_admin }; ++allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_read_search net_admin }; dontaudit smbd_t self:capability sys_tty_config; -allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; +dontaudit smbd_t self:capability2 block_suspend; @@ -97740,7 +97871,7 @@ index 2b7c441e7..5d52fba0f 100644 +userdom_home_filetrans_user_home_dir(smbd_t) + +tunable_policy(`samba_export_all_ro',` -+ allow nmbd_t self:capability { dac_read_search dac_override }; ++ allow nmbd_t self:capability { dac_read_search }; + fs_read_noxattr_fs_files(smbd_t) + files_read_non_security_files(smbd_t) + files_dontaudit_list_security_dirs(smbd_t) @@ -97754,7 +97885,7 @@ index 2b7c441e7..5d52fba0f 100644 +') + +tunable_policy(`samba_export_all_rw',` -+ allow nmbd_t self:capability { dac_read_search dac_override }; ++ allow nmbd_t self:capability { dac_read_search }; + fs_manage_noxattr_fs_files(smbd_t) + files_manage_non_security_files(smbd_t) + files_manage_non_security_dirs(smbd_t) 
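Review bot: In samba.te the capability rule inside both `samba_export_all_ro` and `samba_export_all_rw` is granted to `nmbd_t`, while every other rule visible in those two blocks (`fs_read_noxattr_fs_files(smbd_t)`, `files_manage_non_security_files(smbd_t)` and so on) is for `smbd_t`, which looks like the wrong domain. The commit edits both lines, so this is a good moment to settle it. If nmbd_t does not touch the exported files, drop the rule from both tunables; if smbd_t was meant, the base smbd_t rule in this file already carries dac_read_search. For `samba_export_all_rw` it is worth testing whether writes still succeed on files whose mode bits exclude the daemon, now that dac_override is gone from smbd_t. Both tunable blocks continue beyond their hunks.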
@@ -97959,7 +98090,7 @@ index 2b7c441e7..5d52fba0f 100644 -allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; -allow smbmount_t self:process signal_perms; -allow smbmount_t self:tcp_socket { accept listen }; -+allow smbmount_t self:capability { sys_rawio sys_admin dac_read_search dac_override chown }; # FIXME: is all of this really necessary? ++allow smbmount_t self:capability { sys_rawio sys_admin dac_read_search chown }; # FIXME: is all of this really necessary? +allow smbmount_t self:process { fork signal_perms }; +allow smbmount_t self:tcp_socket create_stream_socket_perms; +allow smbmount_t self:udp_socket connect; @@ -98056,7 +98187,7 @@ index 2b7c441e7..5d52fba0f 100644 # -allow swat_t self:capability { dac_override setuid setgid sys_resource }; -+allow swat_t self:capability { dac_read_search dac_override setuid setgid sys_resource }; ++allow swat_t self:capability { dac_read_search setuid setgid sys_resource }; +allow swat_t self:capability2 block_suspend; allow swat_t self:process { setrlimit signal_perms }; allow swat_t self:fifo_file rw_fifo_file_perms; @@ -98196,7 +98327,7 @@ index 2b7c441e7..5d52fba0f 100644 -allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; -dontaudit winbind_t self:capability sys_tty_config; -+allow winbind_t self:capability { kill dac_read_search dac_override ipc_lock setuid sys_nice }; ++allow winbind_t self:capability { kill dac_read_search ipc_lock setuid sys_nice }; +allow winbind_t self:capability2 block_suspend; +dontaudit winbind_t self:capability { net_admin sys_tty_config }; allow winbind_t self:process { signal_perms getsched setsched }; @@ -98441,7 +98572,7 @@ index 2b7c441e7..5d52fba0f 100644 + can_exec(smbd_t, samba_unconfined_script_exec_t) ') diff --git a/sambagui.te b/sambagui.te -index e18b0a284..1b1db014d 100644 +index e18b0a284..fc24be67c 100644 --- a/sambagui.te +++ b/sambagui.te @@ -18,7 +18,7 @@ role sambagui_roles types sambagui_t; 
@@ -98449,7 +98580,7 @@ index e18b0a284..1b1db014d 100644 # -allow sambagui_t self:capability dac_override; -+allow sambagui_t self:capability { dac_read_search dac_override }; ++allow sambagui_t self:capability { dac_read_search }; allow sambagui_t self:fifo_file rw_fifo_file_perms; kernel_read_system_state(sambagui_t) @@ -98496,9 +98627,18 @@ index f0236d67d..37665a1b6 100644 ######################################## diff --git a/samhain.te b/samhain.te -index c41ce4bff..8837e4c41 100644 +index c41ce4bff..4b010abe6 100644 --- a/samhain.te +++ b/samhain.te +@@ -48,7 +48,7 @@ ifdef(`enable_mls',` + # Common samhain domain local policy + # + +-allow samhain_domain self:capability { dac_override dac_read_search fowner ipc_lock }; ++allow samhain_domain self:capability { dac_read_search fowner ipc_lock }; + dontaudit samhain_domain self:capability { sys_resource sys_ptrace }; + allow samhain_domain self:fd use; + allow samhain_domain self:process { setsched setrlimit signull }; @@ -88,8 +88,6 @@ auth_read_login_records(samhain_domain) init_read_utmp(samhain_domain) @@ -99891,7 +100031,7 @@ index cd6c213d2..6d3cdc4d9 100644 + ') ') diff --git a/sanlock.te b/sanlock.te -index 0045465a0..ee3b9930a 100644 +index 0045465a0..8bd1398d1 100644 --- a/sanlock.te +++ b/sanlock.te @@ -6,25 +6,44 @@ policy_module(sanlock, 1.1.0) @@ -99968,7 +100108,7 @@ index 0045465a0..ee3b9930a 100644 # - -allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource }; -+allow sanlock_t self:capability { chown dac_read_search dac_override ipc_lock kill setgid setuid sys_nice sys_resource }; ++allow sanlock_t self:capability { chown dac_read_search ipc_lock kill setgid setuid sys_nice sys_resource }; allow sanlock_t self:process { setrlimit setsched signull signal sigkill }; + allow sanlock_t self:fifo_file rw_fifo_file_perms; 
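Review bot: The new sambagui.te rule `allow sambagui_t self:capability { dac_read_search };` wraps a single permission in a set, where the line it replaces used the plain form. `allow sambagui_t self:capability dac_read_search;` is equivalent and matches how the file was written before. The same leftover braces appear in the sanlk_resetd_t, saslauthd_t, soundd_t, timidity_t and updfstab_t rules touched by this commit, and are worth cleaning up in one pass so the one-capability rules read consistently.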
@@ -100071,7 +100211,7 @@ index 0045465a0..ee3b9930a 100644 +# sanlk_resetd local policy +# + -+allow sanlk_resetd_t self:capability { dac_read_search dac_override }; ++allow sanlk_resetd_t self:capability { dac_read_search }; +allow sanlk_resetd_t self:fifo_file rw_fifo_file_perms; +allow sanlk_resetd_t sanlock_t:unix_stream_socket connectto; + @@ -100145,7 +100285,7 @@ index 8c3c151cb..93b722789 100644 domain_system_change_exemption($1) role_transition $2 saslauthd_initrc_exec_t system_r; diff --git a/sasl.te b/sasl.te -index 6c3bc2059..eb05a4920 100644 +index 6c3bc2059..accb664a4 100644 --- a/sasl.te +++ b/sasl.te @@ -6,12 +6,11 @@ policy_module(sasl, 1.15.1) @@ -100240,7 +100380,7 @@ index 6c3bc2059..eb05a4920 100644 -tunable_policy(`allow_saslauthd_read_shadow',` - allow saslauthd_t self:capability dac_override; +tunable_policy(`saslauthd_read_shadow',` -+ allow saslauthd_t self:capability { dac_read_search dac_override }; ++ allow saslauthd_t self:capability { dac_read_search }; auth_tunable_read_shadow(saslauthd_t) ') @@ -100406,7 +100546,7 @@ index 000000000..7a058a82a +') diff --git a/sbd.te b/sbd.te new file mode 100644 -index 000000000..55576aaf6 +index 000000000..01266ebaf --- /dev/null +++ b/sbd.te @@ -0,0 +1,55 @@ @@ -100431,7 +100571,7 @@ index 000000000..55576aaf6 +# +# sbd local policy +# -+allow sbd_t self:capability { dac_read_search dac_override ipc_lock sys_boot sys_nice sys_admin}; ++allow sbd_t self:capability { dac_read_search ipc_lock sys_boot sys_nice sys_admin}; +allow sbd_t self:process { fork setsched signal_perms }; +allow sbd_t self:fifo_file rw_fifo_file_perms; +allow sbd_t self:unix_stream_socket create_stream_socket_perms; @@ -100675,7 +100815,7 @@ index 98c9e0a88..562666e06 100644 files_search_pids($1) admin_pattern($1, sblim_var_run_t) diff --git a/sblim.te b/sblim.te -index 299756bc8..5719ae912 100644 +index 299756bc8..936d9c0dd 100644 --- a/sblim.te +++ b/sblim.te @@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0) 
@@ -100757,7 +100897,7 @@ index 299756bc8..5719ae912 100644 -allow sblim_gatherd_t self:capability dac_override; -allow sblim_gatherd_t self:process signal; -+allow sblim_gatherd_t self:capability { dac_read_search dac_override sys_nice sys_ptrace }; ++allow sblim_gatherd_t self:capability { dac_read_search sys_nice sys_ptrace }; +allow sblim_gatherd_t self:process { setsched signal }; allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; allow sblim_gatherd_t self:unix_stream_socket { accept listen }; @@ -101009,7 +101149,7 @@ index be5cce2d3..b81f5dfef 100644 +') + diff --git a/screen.te b/screen.te -index 5466a7327..33598f3b3 100644 +index 5466a7327..0ae2eef60 100644 --- a/screen.te +++ b/screen.te @@ -5,9 +5,7 @@ policy_module(screen, 2.6.0) @@ -101045,7 +101185,7 @@ index 5466a7327..33598f3b3 100644 -allow screen_domain self:capability { setuid setgid fsetid }; +allow screen_domain self:capability { fsetid setgid setuid sys_tty_config }; -+dontaudit screen_domain self:capability { dac_read_search dac_override }; ++dontaudit screen_domain self:capability { dac_read_search }; allow screen_domain self:process signal_perms; -allow screen_domain self:fd use; allow screen_domain self:fifo_file rw_fifo_file_perms; @@ -101193,7 +101333,7 @@ index c78a569c3..900745118 100644 - allow sectoolm_t $2:unix_dgram_socket sendto; -') diff --git a/sectoolm.te b/sectoolm.te -index 4bc8c13ea..e05d74d48 100644 +index 4bc8c13ea..c30b36dbc 100644 --- a/sectoolm.te +++ b/sectoolm.te @@ -7,7 +7,7 @@ policy_module(sectoolm, 1.1.0) 
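Review bot: In screen.te the changed line `dontaudit screen_domain self:capability { dac_read_search };` no longer silences dac_override, so any dac_override check that screen still triggers will now produce an AVC denial record instead of being hidden. The domain's privileges are unchanged, since no allow rule for either capability is visible in this hunk; only the audit volume changes. If surfacing those denials is the intent, say so next to the rule, e.g. `# dac_override denials are audited on purpose so real uses show up in the logs`; if not, keep dac_override in the dontaudit set. The smokeping_t and tuned_t dontaudit rules in this commit change the same way.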
@@ -101214,7 +101354,7 @@ index 4bc8c13ea..e05d74d48 100644 # -allow sectoolm_t self:capability { dac_override net_admin sys_nice }; -+allow sectoolm_t self:capability { dac_read_search dac_override net_admin sys_nice sys_ptrace }; ++allow sectoolm_t self:capability { dac_read_search net_admin sys_nice sys_ptrace }; allow sectoolm_t self:process { getcap getsched signull setsched }; dontaudit sectoolm_t self:process { execstack execmem }; allow sectoolm_t self:fifo_file rw_fifo_file_perms; @@ -101597,7 +101737,7 @@ index 35ad2a733..afdc7da29 100644 + admin_pattern($1, mail_spool_t) ') diff --git a/sendmail.te b/sendmail.te -index 12700b413..8ba299515 100644 +index 12700b413..debacc88b 100644 --- a/sendmail.te +++ b/sendmail.te @@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t; @@ -101609,7 +101749,7 @@ index 12700b413..8ba299515 100644 # -allow sendmail_t self:capability { dac_override setuid setgid sys_nice chown sys_tty_config }; -+allow sendmail_t self:capability { dac_read_search dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; ++allow sendmail_t self:capability { dac_read_search setuid setgid net_bind_service sys_nice chown sys_tty_config }; +dontaudit sendmail_t self:capability net_admin; +dontaudit sendmail_t self:capability2 block_suspend; allow sendmail_t self:process { setsched setpgid setrlimit signal signull }; @@ -102376,7 +102516,7 @@ index 000000000..c9d2d9c42 + diff --git a/sge.te b/sge.te new file mode 100644 -index 000000000..1c1ec06e5 +index 000000000..0b167701a --- /dev/null +++ b/sge.te @@ -0,0 +1,196 @@ @@ -102426,7 +102566,7 @@ index 000000000..1c1ec06e5 +# sge_execd local policy +# + -+allow sge_execd_t self:capability { dac_read_search dac_override kill setuid chown setgid }; ++allow sge_execd_t self:capability { dac_read_search kill setuid chown setgid }; +allow sge_execd_t self:process { setsched signal setpgid }; + +allow sge_execd_t sge_shepherd_t:process signal; 
@@ -102459,7 +102599,7 @@ index 000000000..1c1ec06e5 +# sge_shepherd local policy +# + -+allow sge_shepherd_t self:capability { setuid sys_nice chown kill setgid dac_read_search dac_override }; ++allow sge_shepherd_t self:capability { setuid sys_nice chown kill setgid dac_read_search }; +allow sge_shepherd_t self:process { setsched setrlimit setpgid }; +allow sge_shepherd_t self:process signal_perms; + @@ -102760,7 +102900,7 @@ index 1aeef8ac3..d5ce40a96 100644 admin_pattern($1, shorewall_etc_t) diff --git a/shorewall.te b/shorewall.te -index 7710b9f76..04af4ec4d 100644 +index 7710b9f76..fbf1ac1a0 100644 --- a/shorewall.te +++ b/shorewall.te @@ -32,8 +32,9 @@ logging_log_file(shorewall_log_t) @@ -102768,7 +102908,7 @@ index 7710b9f76..04af4ec4d 100644 # -allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin }; -+allow shorewall_t self:capability { dac_read_search dac_override net_admin net_raw setuid setgid sys_nice sys_admin }; ++allow shorewall_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_nice sys_admin }; dontaudit shorewall_t self:capability sys_tty_config; +allow shorewall_t self:process signal_perms; allow shorewall_t self:fifo_file rw_fifo_file_perms; @@ -102996,7 +103136,7 @@ index d1706bf87..3aa7c9fd1 100644 ## ## diff --git a/shutdown.te b/shutdown.te -index e2544e147..2196974f5 100644 +index e2544e147..4f0e2a974 100644 --- a/shutdown.te +++ b/shutdown.te @@ -24,7 +24,7 @@ files_pid_file(shutdown_var_run_t) 
@@ -103004,7 +103144,7 @@ index e2544e147..2196974f5 100644 # -allow shutdown_t self:capability { dac_override kill setuid sys_nice sys_tty_config }; -+allow shutdown_t self:capability { dac_read_search dac_override kill setuid sys_nice sys_tty_config }; ++allow shutdown_t self:capability { dac_read_search kill setuid sys_nice sys_tty_config }; allow shutdown_t self:process { setsched signal signull }; allow shutdown_t self:fifo_file manage_fifo_file_perms; allow shutdown_t self:unix_stream_socket create_stream_socket_perms; @@ -103045,9 +103185,18 @@ index e2544e147..2196974f5 100644 + xserver_xdm_append_log(shutdown_t) ') diff --git a/slocate.te b/slocate.te -index 7292dc064..26fc8f4bc 100644 +index 7292dc064..bd269f1f2 100644 --- a/slocate.te +++ b/slocate.te +@@ -20,7 +20,7 @@ files_pid_file(locate_var_run_t) + # Local policy + # + +-allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid }; ++allow locate_t self:capability { chown dac_read_search fowner fsetid }; + allow locate_t self:process { execmem execheap execstack signal setsched }; + allow locate_t self:fifo_file rw_fifo_file_perms; + allow locate_t self:unix_stream_socket create_socket_perms; @@ -44,8 +44,12 @@ dev_getattr_all_blk_files(locate_t) dev_getattr_all_chr_files(locate_t) @@ -103233,7 +103382,7 @@ index e0644b5cf..ea347ccd5 100644 domain_system_change_exemption($1) role_transition $2 fsdaemon_initrc_exec_t system_r; diff --git a/smartmon.te b/smartmon.te -index 9cf6582d2..052179c3f 100644 +index 9cf6582d2..730889136 100644 --- a/smartmon.te +++ b/smartmon.te @@ -38,7 +38,7 @@ ifdef(`enable_mls',` 
@@ -103241,7 +103390,7 @@ index 9cf6582d2..052179c3f 100644 # -allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin }; -+allow fsdaemon_t self:capability { dac_read_search dac_override kill setpcap setgid sys_rawio sys_admin }; ++allow fsdaemon_t self:capability { dac_read_search kill setpcap setgid sys_rawio sys_admin }; dontaudit fsdaemon_t self:capability sys_tty_config; allow fsdaemon_t self:process { getcap setcap signal_perms }; allow fsdaemon_t self:fifo_file rw_fifo_file_perms; @@ -103344,13 +103493,15 @@ index 1fa51c11f..82e111c80 100644 smokeping_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/smokeping.te b/smokeping.te -index ec031a031..61a9f8c08 100644 +index ec031a031..26325cbda 100644 --- a/smokeping.te +++ b/smokeping.te -@@ -24,6 +24,7 @@ files_type(smokeping_var_lib_t) +@@ -23,7 +23,8 @@ files_type(smokeping_var_lib_t) + # Local policy # - dontaudit smokeping_t self:capability { dac_read_search dac_override }; +-dontaudit smokeping_t self:capability { dac_read_search dac_override }; ++dontaudit smokeping_t self:capability { dac_read_search }; +allow smokeping_t self:process signal_perms; allow smokeping_t self:fifo_file rw_fifo_file_perms; allow smokeping_t self:unix_stream_socket { accept listen }; @@ -104009,7 +104160,7 @@ index 000000000..88490d5c6 + diff --git a/snapper.te b/snapper.te new file mode 100644 -index 000000000..5c2cbe02d +index 000000000..11b39923c --- /dev/null +++ b/snapper.te @@ -0,0 +1,83 @@ @@ -104038,7 +104189,7 @@ index 000000000..5c2cbe02d +# snapperd local policy +# + -+allow snapperd_t self:capability { dac_read_search dac_override sys_admin }; ++allow snapperd_t self:capability { dac_read_search sys_admin }; +allow snapperd_t self:process setsched; + +allow snapperd_t self:fifo_file rw_fifo_file_perms; @@ -104261,7 +104412,7 @@ index 7a9cc9df7..23cb6589e 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) 
diff --git a/snmp.te b/snmp.te -index 9dcaeb875..e8446db05 100644 +index 9dcaeb875..9cc669708 100644 --- a/snmp.te +++ b/snmp.te @@ -26,15 +26,17 @@ files_type(snmpd_var_lib_t) @@ -104269,7 +104420,7 @@ index 9dcaeb875..e8446db05 100644 # -allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace }; -+allow snmpd_t self:capability { chown dac_read_search dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace }; ++allow snmpd_t self:capability { chown dac_read_search kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace }; + dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; @@ -104394,7 +104545,7 @@ index 7d86b3485..5f581804e 100644 + files_list_pids($1) ') diff --git a/snort.te b/snort.te -index 1af72df55..d545f2aea 100644 +index 1af72df55..dc8379039 100644 --- a/snort.te +++ b/snort.te @@ -29,13 +29,16 @@ files_pid_file(snort_var_run_t) @@ -104402,7 +104553,7 @@ index 1af72df55..d545f2aea 100644 # -allow snort_t self:capability { setgid setuid net_admin net_raw dac_override }; -+allow snort_t self:capability { setgid setuid net_admin net_raw dac_read_search dac_override }; ++allow snort_t self:capability { setgid setuid net_admin net_raw dac_read_search }; dontaudit snort_t self:capability sys_tty_config; allow snort_t self:process signal_perms; +allow snort_t self:netlink_route_socket create_netlink_socket_perms; @@ -104495,7 +104646,7 @@ index 634c6b4fa..f6db7a796 100644 +') + diff --git a/sosreport.te b/sosreport.te -index f2f507dae..0ac6752b4 100644 +index f2f507dae..7429d39a0 100644 --- a/sosreport.te +++ b/sosreport.te @@ -13,15 +13,15 @@ type sosreport_exec_t; 
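Review bot: In snmp.te `sys_tty_config` is in the `allow snmpd_t self:capability { ... }` set on the changed line and again in `dontaudit snmpd_t self:capability { sys_module sys_tty_config };` two lines below. A permission that is allowed is never denied, so the dontaudit entry for it does nothing and leaves it unclear which of the two was intended. Either drop it from the allow set, if snmpd should not reconfigure ttys, or reduce the second rule to `dontaudit snmpd_t self:capability sys_module;`. The changed `allow spamd_t self:capability` line in spamassassin.te overlaps in the same way with the `dontaudit spamd_t self:capability sys_tty_config;` line that follows it.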
@@ -104522,7 +104673,7 @@ index f2f507dae..0ac6752b4 100644 # -allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override }; -+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_read_search dac_override }; ++allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_read_search }; dontaudit sosreport_t self:capability sys_ptrace; -allow sosreport_t self:process { setsched signull }; +allow sosreport_t self:process { setpgid setsched signal_perms }; @@ -104733,7 +104884,7 @@ index a5abc5a8d..b9eff74cb 100644 domain_system_change_exemption($1) role_transition $2 soundd_initrc_exec_t system_r; diff --git a/soundserver.te b/soundserver.te -index 0919e0c86..df28aadba 100644 +index 0919e0c86..afe83dbf7 100644 --- a/soundserver.te +++ b/soundserver.te @@ -32,7 +32,7 @@ files_pid_file(soundd_var_run_t) @@ -104741,7 +104892,7 @@ index 0919e0c86..df28aadba 100644 # -allow soundd_t self:capability dac_override; -+allow soundd_t self:capability { dac_read_search dac_override }; ++allow soundd_t self:capability { dac_read_search }; dontaudit soundd_t self:capability sys_tty_config; allow soundd_t self:process { setpgid signal_perms }; allow soundd_t self:shm create_shm_perms; @@ -105291,7 +105442,7 @@ index 1499b0bbf..e695a62f3 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e3578..85e9f5961 100644 +index cc58e3578..befb6796c 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1) 
@@ -105643,7 +105794,7 @@ index cc58e3578..85e9f5961 100644 +spamassassin_filetrans_home_content(spamc_t) +spamassassin_filetrans_admin_home_content(spamc_t) +# for /root/.pyzor -+allow spamc_t self:capability { dac_read_search dac_override }; ++allow spamc_t self:capability { dac_read_search }; list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) @@ -105768,7 +105919,7 @@ index cc58e3578..85e9f5961 100644 +# setuids to the user running spamc. Comment this if you are not +# using this ability. + -+allow spamd_t self:capability { kill setuid setgid dac_read_search dac_override sys_tty_config }; ++allow spamd_t self:capability { kill setuid setgid dac_read_search sys_tty_config }; dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; @@ -106017,7 +106168,7 @@ index cc58e3578..85e9f5961 100644 ') optional_policy(` -@@ -474,32 +584,32 @@ optional_policy(` +@@ -474,32 +584,31 @@ optional_policy(` ######################################## # @@ -106029,7 +106180,6 @@ index cc58e3578..85e9f5961 100644 allow spamd_update_t self:fifo_file manage_fifo_file_perms; allow spamd_update_t self:unix_stream_socket create_stream_socket_perms; +allow spamd_update_t self:capability dac_read_search; -+dontaudit spamd_update_t self:capability dac_override; manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t) manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t) @@ -106060,7 +106210,7 @@ index cc58e3578..85e9f5961 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +618,26 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +617,26 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) 
@@ -106424,7 +106574,7 @@ index 5e1f0534c..e7820bce3 100644 domain_system_change_exemption($1) role_transition $2 squid_initrc_exec_t system_r; diff --git a/squid.te b/squid.te -index 03472ed9b..9148ef5ae 100644 +index 03472ed9b..deade60a1 100644 --- a/squid.te +++ b/squid.te @@ -29,7 +29,7 @@ type squid_cache_t; @@ -106464,7 +106614,7 @@ index 03472ed9b..9148ef5ae 100644 # -allow squid_t self:capability { setgid kill setuid dac_override sys_resource }; -+allow squid_t self:capability { setgid kill setuid dac_read_search dac_override sys_resource }; ++allow squid_t self:capability { setgid kill setuid dac_read_search sys_resource }; dontaudit squid_t self:capability sys_tty_config; allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; allow squid_t self:fifo_file rw_fifo_file_perms; @@ -107396,7 +107546,7 @@ index a24045518..47530e258 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1fa3..a9de15cf6 100644 +index 2d8db1fa3..3bf241d0c 100644 --- a/sssd.te +++ b/sssd.te @@ -28,51 +28,65 @@ logging_log_file(sssd_var_log_t) @@ -107418,7 +107568,7 @@ index 2d8db1fa3..a9de15cf6 100644 # -allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource }; -+allow sssd_t self:capability { ipc_lock chown dac_read_search dac_override kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource }; ++allow sssd_t self:capability { ipc_lock chown dac_read_search kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource }; allow sssd_t self:capability2 block_suspend; -allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; +allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit setpgid}; @@ -107771,7 +107921,7 @@ 
diff --git a/systemtap.te b/stapserver.te similarity index 63% rename from systemtap.te rename to stapserver.te -index ffde36864..f33142fd5 100644 +index ffde36864..e2f0d931f 100644 --- a/systemtap.te +++ b/stapserver.te @@ -1,4 +1,4 @@ @@ -107812,7 +107962,7 @@ index ffde36864..f33142fd5 100644 +allow stapserver_t self:capability { setuid setgid }; +allow stapserver_t self:process setsched; + -+allow stapserver_t self:capability { dac_read_search dac_override kill sys_ptrace}; ++allow stapserver_t self:capability { dac_read_search kill sys_ptrace}; +allow stapserver_t self:process { setrlimit signal }; + allow stapserver_t self:fifo_file rw_fifo_file_perms; @@ -108567,9 +108717,18 @@ index 000000000..6e39c4fff + + diff --git a/sxid.te b/sxid.te -index 01a9d0acd..154872e4b 100644 +index 01a9d0acd..4a6834400 100644 --- a/sxid.te +++ b/sxid.te +@@ -20,7 +20,7 @@ files_tmp_file(sxid_tmp_t) + # Local policy + # + +-allow sxid_t self:capability { dac_override dac_read_search fsetid }; ++allow sxid_t self:capability { dac_read_search fsetid }; + dontaudit sxid_t self:capability { setuid setgid sys_tty_config }; + allow sxid_t self:process signal_perms; + allow sxid_t self:fifo_file rw_fifo_file_perms; @@ -40,7 +40,6 @@ kernel_read_kernel_sysctls(sxid_t) corecmd_exec_bin(sxid_t) corecmd_exec_shell(sxid_t) @@ -108597,7 +108756,7 @@ index 01a9d0acd..154872e4b 100644 userdom_dontaudit_use_unpriv_user_fds(sxid_t) diff --git a/sysstat.te b/sysstat.te -index b92f6775a..a2690e315 100644 +index b92f6775a..46c689d97 100644 --- a/sysstat.te +++ b/sysstat.te @@ -20,13 +20,11 @@ logging_log_file(sysstat_log_t) 
@@ -108605,7 +108764,7 @@ index b92f6775a..a2690e315 100644 # -allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config }; -+allow sysstat_t self:capability { dac_read_search dac_override sys_admin sys_resource sys_tty_config }; ++allow sysstat_t self:capability { dac_read_search sys_admin sys_resource sys_tty_config }; allow sysstat_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t) @@ -109066,7 +109225,7 @@ index b42ec1d83..91b8f71dc 100644 tcsd_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/tcsd.te b/tcsd.te -index b26d44a8c..5a79afdb5 100644 +index b26d44a8c..3d950454a 100644 --- a/tcsd.te +++ b/tcsd.te @@ -20,7 +20,7 @@ files_type(tcsd_var_lib_t) @@ -109074,7 +109233,7 @@ index b26d44a8c..5a79afdb5 100644 # -allow tcsd_t self:capability { dac_override setuid }; -+allow tcsd_t self:capability { dac_read_search dac_override setuid }; ++allow tcsd_t self:capability { dac_read_search setuid }; allow tcsd_t self:process { signal sigkill }; allow tcsd_t self:tcp_socket { accept listen }; @@ -110139,7 +110298,7 @@ index 9afcbc95c..7b8ddb489 100644 xserver_rw_xdm_pipes(telepathy_domain) ') diff --git a/telnet.te b/telnet.te -index d7c863369..0d3d4392a 100644 +index d7c863369..78e6fccc2 100644 --- a/telnet.te +++ b/telnet.te @@ -27,19 +27,22 @@ files_pid_file(telnetd_var_run_t) @@ -110147,7 +110306,7 @@ index d7c863369..0d3d4392a 100644 # -allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; -+allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_read_search dac_override }; ++allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_read_search }; allow telnetd_t self:process signal_perms; allow telnetd_t self:fifo_file rw_fifo_file_perms; -allow telnetd_t self:tcp_socket { accept listen }; 
@@ -110513,7 +110672,7 @@ index 9957e300d..51af58690 100644 + tftp_manage_config($1) ') diff --git a/tftp.te b/tftp.te -index cfaa2a19c..a9bc6f1ff 100644 +index cfaa2a19c..ed8204d13 100644 --- a/tftp.te +++ b/tftp.te @@ -6,30 +6,24 @@ policy_module(tftp, 1.13.0) @@ -110643,7 +110802,7 @@ index cfaa2a19c..a9bc6f1ff 100644 -tunable_policy(`tftp_enable_homedir',` - allow tftpd_t self:capability { dac_override dac_read_search }; +tunable_policy(`tftp_home_dir',` -+ allow tftpd_t self:capability { dac_override dac_read_search }; ++ allow tftpd_t self:capability { dac_read_search }; + # allow access to /home files_list_home(tftpd_t) @@ -110709,7 +110868,7 @@ index 5406b6ee8..dc5b46e28 100644 admin_pattern($1, tgtd_tmpfs_t) ') diff --git a/tgtd.te b/tgtd.te -index d01096386..7308fa94b 100644 +index d01096386..ae473b2b2 100644 --- a/tgtd.te +++ b/tgtd.te @@ -29,8 +29,8 @@ files_pid_file(tgtd_var_run_t) @@ -110718,7 +110877,7 @@ index d01096386..7308fa94b 100644 -allow tgtd_t self:capability sys_resource; -allow tgtd_t self:capability2 block_suspend; -+allow tgtd_t self:capability { dac_read_search dac_override ipc_lock sys_resource sys_rawio sys_admin }; ++allow tgtd_t self:capability { dac_read_search ipc_lock sys_resource sys_rawio sys_admin }; +allow tgtd_t self:capability2 { block_suspend wake_alarm }; allow tgtd_t self:process { setrlimit signal }; allow tgtd_t self:fifo_file rw_fifo_file_perms; @@ -110851,7 +111010,7 @@ index 000000000..5e3637e63 +') diff --git a/thin.te b/thin.te new file mode 100644 -index 000000000..e66fc8c34 +index 000000000..78550f3b3 --- /dev/null +++ b/thin.te @@ -0,0 +1,115 @@ @@ -110930,7 +111089,7 @@ index 000000000..e66fc8c34 +# thin local policy +# + -+allow thin_t self:capability { setuid kill setgid dac_read_search dac_override }; ++allow thin_t self:capability { setuid kill setgid dac_read_search }; +allow thin_t self:capability2 block_suspend; + +allow thin_t self:netlink_route_socket r_netlink_socket_perms; 
@@ -111367,9 +111526,18 @@ index 5e867da56..b25ea6e08 100644 ifndef(`enable_mls',` fs_search_removable(thunderbird_t) diff --git a/timidity.te b/timidity.te -index 97cd15589..49321a5bf 100644 +index 97cd15589..7c0a19c8a 100644 --- a/timidity.te +++ b/timidity.te +@@ -18,7 +18,7 @@ files_tmpfs_file(timidity_tmpfs_t) + # Local policy + # + +-allow timidity_t self:capability { dac_override dac_read_search }; ++allow timidity_t self:capability { dac_read_search }; + dontaudit timidity_t self:capability sys_tty_config; + allow timidity_t self:process { signal_perms getsched }; + allow timidity_t self:shm create_shm_perms; @@ -36,7 +36,6 @@ fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file f kernel_read_kernel_sysctls(timidity_t) kernel_read_system_state(timidity_t) @@ -111677,10 +111845,10 @@ index 000000000..761cc35b0 + mount_domtrans(tlp_t) +') diff --git a/tmpreaper.te b/tmpreaper.te -index 585a77f95..a7cb3263d 100644 +index 585a77f95..9858c8b8d 100644 --- a/tmpreaper.te +++ b/tmpreaper.te -@@ -5,9 +5,34 @@ policy_module(tmpreaper, 1.7.1) +@@ -5,20 +5,46 @@ policy_module(tmpreaper, 1.7.1) # Declarations # @@ -111715,7 +111883,12 @@ index 585a77f95..a7cb3263d 100644 ######################################## # -@@ -19,6 +44,7 @@ allow tmpreaper_t self:fifo_file rw_fifo_file_perms; + # Local Policy + # + +-allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; ++allow tmpreaper_t self:capability { dac_read_search fowner }; + allow tmpreaper_t self:fifo_file rw_fifo_file_perms; kernel_list_unlabeled(tmpreaper_t) kernel_read_system_state(tmpreaper_t) @@ -112248,7 +112421,7 @@ index 000000000..e5cec8fda +') diff --git a/tomcat.te b/tomcat.te new file mode 100644 -index 000000000..31baf3bb8 +index 000000000..d503f1b51 --- /dev/null +++ b/tomcat.te @@ -0,0 +1,124 @@ 
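Review bot: The tmpreaper.te rule is reduced to `allow tmpreaper_t self:capability { dac_read_search fowner };`, and dac_read_search only bypasses read and search checks. Unlinking entries inside a directory that is owned by another user and not writable for the cleaner would therefore presumably now fail the DAC check. If that case matters, stale files under user-owned subdirectories of the temp trees would be left in place, with only a denial record to show for it. Please confirm with a cleanup run in enforcing mode against such a directory, or keep dac_override here with a comment such as `# needed to unlink inside user-owned directories`.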
@@ -112309,7 +112482,7 @@ index 000000000..31baf3bb8 +# tomcat domain local policy +# + -+allow tomcat_t self:capability { dac_override setuid kill }; ++allow tomcat_t self:capability { setuid kill }; + +allow tomcat_t self:process { execmem setcap setsched signal signull }; + @@ -112460,7 +112633,7 @@ index 61c2e07d6..3b860953c 100644 + ') ') diff --git a/tor.te b/tor.te -index 5ceacde8c..a3959403d 100644 +index 5ceacde8c..363931dc2 100644 --- a/tor.te +++ b/tor.te @@ -13,6 +13,20 @@ policy_module(tor, 1.9.0) @@ -112553,7 +112726,7 @@ index 5ceacde8c..a3959403d 100644 +') + +tunable_policy(`tor_can_onion_services',` -+ allow tor_t self:capability { dac_read_search dac_override }; ++ allow tor_t self:capability { dac_read_search }; +') + optional_policy(` @@ -112588,7 +112761,7 @@ index 34973ee4c..1c9a4c613 100644 userdom_dontaudit_use_unpriv_user_fds(transproxy_t) diff --git a/tripwire.te b/tripwire.te -index 03aa6b7f0..53c0c7366 100644 +index 03aa6b7f0..d262808fc 100644 --- a/tripwire.te +++ b/tripwire.te @@ -47,7 +47,7 @@ role twprint_roles types twprint_t; @@ -112596,7 +112769,7 @@ index 03aa6b7f0..53c0c7366 100644 # -allow tripwire_t self:capability { setgid setuid dac_override }; -+allow tripwire_t self:capability { setgid setuid dac_read_search dac_override }; ++allow tripwire_t self:capability { setgid setuid dac_read_search }; allow tripwire_t tripwire_etc_t:dir list_dir_perms; allow tripwire_t tripwire_etc_t:file read_file_perms; @@ -112659,7 +112832,7 @@ index e29db63a2..061fb983c 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 393a33073..76390e2f6 100644 +index 393a33073..1664e51c0 100644 --- a/tuned.te +++ b/tuned.te @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) 
@@ -112680,7 +112853,7 @@ index 393a33073..76390e2f6 100644 -dontaudit tuned_t self:capability { dac_override sys_tty_config }; -allow tuned_t self:process { setsched signal }; +allow tuned_t self:capability { net_admin sys_admin sys_nice sys_rawio }; -+dontaudit tuned_t self:capability { dac_read_search dac_override sys_tty_config }; ++dontaudit tuned_t self:capability { dac_read_search sys_tty_config }; +allow tuned_t self:process { setsched signal }; allow tuned_t self:fifo_file rw_fifo_file_perms; +allow tuned_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -113310,7 +113483,7 @@ index b68bd49ff..da0c6912f 100644 userdom_dontaudit_search_user_home_dirs(uml_switch_t) diff --git a/updfstab.te b/updfstab.te -index 5ceb91249..232e9ac93 100644 +index 5ceb91249..793032477 100644 --- a/updfstab.te +++ b/updfstab.te @@ -14,7 +14,7 @@ init_system_domain(updfstab_t, updfstab_exec_t) @@ -113318,7 +113491,7 @@ index 5ceb91249..232e9ac93 100644 # -allow updfstab_t self:capability dac_override; -+allow updfstab_t self:capability { dac_read_search dac_override }; ++allow updfstab_t self:capability { dac_read_search }; dontaudit updfstab_t self:capability { sys_admin sys_tty_config }; allow updfstab_t self:process signal_perms; allow updfstab_t self:fifo_file rw_fifo_file_perms; @@ -113579,7 +113752,7 @@ index c416a833e..cd83b89ee 100644 +/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) +/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) diff --git a/userhelper.if b/userhelper.if -index 98b51fd0b..c7e44cada 100644 +index 98b51fd0b..d33d87f30 100644 --- a/userhelper.if +++ b/userhelper.if @@ -1,4 +1,4 @@ 
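Review bot: The tuned_t line changed here is a `dontaudit` rule, not an `allow`, so taking dac_override out of it does not reduce what tuned_t may do; it only stops suppressing the denial. The allow rule in the same hunk (`{ net_admin sys_admin sys_nice sys_rawio }`) does not grant the capability, so each attempt should now appear as an AVC denial in the audit log, possibly in volume. That is useful for finding out whether the access is really needed, but it is a logging change rather than a capability removal and deserves its own changelog line or a comment such as `# dac_override denials audited on purpose`.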
@@ -113628,7 +113801,7 @@ index 98b51fd0b..c7e44cada 100644 - # Consolehelper local policy + # Local policy # -+ allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_read_search dac_override chown sys_tty_config }; ++ allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_read_search chown sys_tty_config }; + allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow $1_userhelper_t self:process setexec; + allow $1_userhelper_t self:fd use; @@ -113905,7 +114078,7 @@ index 98b51fd0b..c7e44cada 100644 ## ## Execute the consolehelper program diff --git a/userhelper.te b/userhelper.te -index 42cfce06e..b7e3e2532 100644 +index 42cfce06e..b9f267a10 100644 --- a/userhelper.te +++ b/userhelper.te @@ -5,11 +5,8 @@ policy_module(userhelper, 1.8.1) @@ -113938,7 +114111,7 @@ index 42cfce06e..b7e3e2532 100644 -dontaudit consolehelper_type userhelper_conf_t:file audit_access; -read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t) +allow consolehelper_domain self:shm create_shm_perms; -+allow consolehelper_domain self:capability { setgid setuid dac_read_search dac_override sys_nice }; ++allow consolehelper_domain self:capability { setgid setuid dac_read_search sys_nice }; +allow consolehelper_domain self:process { signal_perms getsched setsched }; -domain_use_interactive_fds(consolehelper_type) @@ -114124,7 +114297,7 @@ index 7deec55cf..c542887da 100644 ') diff --git a/usernetctl.te b/usernetctl.te -index f973af82b..860643991 100644 +index f973af82b..5e354edc5 100644 --- a/usernetctl.te +++ b/usernetctl.te @@ -6,19 +6,19 @@ policy_module(usernetctl, 1.7.0) 
@@ -114145,7 +114318,7 @@ index f973af82b..860643991 100644 # -allow usernetctl_t self:capability { setuid setgid dac_override }; -+allow usernetctl_t self:capability { setuid setgid dac_read_search dac_override }; ++allow usernetctl_t self:capability { setuid setgid dac_read_search }; allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow usernetctl_t self:fd use; allow usernetctl_t self:fifo_file rw_fifo_file_perms; @@ -114338,7 +114511,7 @@ index f8e52fc97..b283c25f7 100644 -miscfiles_read_localization(uuidd_t) diff --git a/uwimap.te b/uwimap.te -index acdc78ae7..9e5ee472d 100644 +index acdc78ae7..7f295e597 100644 --- a/uwimap.te +++ b/uwimap.te @@ -20,7 +20,7 @@ files_pid_file(imapd_var_run_t) @@ -114346,7 +114519,7 @@ index acdc78ae7..9e5ee472d 100644 # -allow imapd_t self:capability { dac_override setgid setuid sys_resource }; -+allow imapd_t self:capability { dac_read_search dac_override setgid setuid sys_resource }; ++allow imapd_t self:capability { dac_read_search setgid setuid sys_resource }; dontaudit imapd_t self:capability sys_tty_config; allow imapd_t self:process signal_perms; allow imapd_t self:fifo_file rw_fifo_file_perms; @@ -114414,7 +114587,7 @@ index 1c35171d8..2cba4dfea 100644 domain_system_change_exemption($1) role_transition $2 varnishd_initrc_exec_t system_r; diff --git a/varnishd.te b/varnishd.te -index 9d4d8cbb0..e73bd982c 100644 +index 9d4d8cbb0..80e6c6fb4 100644 --- a/varnishd.te +++ b/varnishd.te @@ -21,7 +21,7 @@ type varnishd_initrc_exec_t; 
@@ -114439,7 +114612,7 @@ index 9d4d8cbb0..e73bd982c 100644 # -allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; -+allow varnishd_t self:capability { kill dac_read_search dac_override ipc_lock setuid setgid chown fowner fsetid }; ++allow varnishd_t self:capability { kill dac_read_search ipc_lock setuid setgid chown fowner fsetid }; dontaudit varnishd_t self:capability sys_tty_config; -allow varnishd_t self:process signal; +allow varnishd_t self:process { execmem signal }; @@ -114464,7 +114637,7 @@ index 9d4d8cbb0..e73bd982c 100644 tunable_policy(`varnishd_connect_any',` corenet_sendrecv_all_client_packets(varnishd_t) diff --git a/vbetool.te b/vbetool.te -index 2a61f7526..fa84e40b9 100644 +index 2a61f7526..99b151a18 100644 --- a/vbetool.te +++ b/vbetool.te @@ -26,7 +26,8 @@ role vbetool_roles types vbetool_t; @@ -114472,7 +114645,7 @@ index 2a61f7526..fa84e40b9 100644 # -allow vbetool_t self:capability { dac_override sys_tty_config sys_admin }; -+allow vbetool_t self:capability { dac_read_search dac_override sys_tty_config sys_admin }; ++allow vbetool_t self:capability { dac_read_search sys_tty_config sys_admin }; +#allow vbetool_t self:capability2 compromise_kernel; allow vbetool_t self:process execmem; @@ -114648,7 +114821,7 @@ index 22edd58f8..c3a536427 100644 domain_system_change_exemption($1) role_transition $2 vhostmd_initrc_exec_t system_r; diff --git a/vhostmd.te b/vhostmd.te -index 3d11c6a3d..c5d84287e 100644 +index 3d11c6a3d..3590f3ef9 100644 --- a/vhostmd.te +++ b/vhostmd.te @@ -23,7 +23,7 @@ files_pid_file(vhostmd_var_run_t) 
@@ -114656,7 +114829,7 @@ index 3d11c6a3d..c5d84287e 100644 # -allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid }; -+allow vhostmd_t self:capability { dac_read_search dac_override ipc_lock setuid setgid }; ++allow vhostmd_t self:capability { dac_read_search ipc_lock setuid setgid }; allow vhostmd_t self:process { setsched getsched signal }; allow vhostmd_t self:fifo_file rw_fifo_file_perms; @@ -117063,7 +117236,7 @@ index facdee8b3..2a619ba9e 100644 + dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) ') diff --git a/virt.te b/virt.te -index f03dcf567..cf9950e36 100644 +index f03dcf567..6b27ef4c9 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,424 @@ @@ -117737,7 +117910,7 @@ index f03dcf567..cf9950e36 100644 # -allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; -+allow virtd_t self:capability { chown dac_read_search dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; ++allow virtd_t self:capability { chown dac_read_search fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; +#allow virtd_t self:capability2 compromise_kernel; allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +ifdef(`hide_broken_symptoms',` 
@@ -118447,7 +118620,7 @@ index f03dcf567..cf9950e36 100644 -allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; -allow virsh_t self:process { getcap getsched setsched setcap signal }; -+allow virsh_t self:capability { setpcap dac_read_search dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config }; ++allow virsh_t self:capability { setpcap dac_read_search ipc_lock sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setsched setcap setexec signal }; allow virsh_t self:fifo_file rw_fifo_file_perms; -allow virsh_t self:unix_stream_socket { accept connectto listen }; @@ -118612,7 +118785,7 @@ index f03dcf567..cf9950e36 100644 -# Lxc local policy +# virt_lxc local policy # -+allow virtd_lxc_t self:capability { dac_read_search dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid }; ++allow virtd_lxc_t self:capability { dac_read_search net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid }; +allow virtd_lxc_t self:process { setsockcreate transition setpgid signal_perms }; +#allow virtd_lxc_t self:capability2 compromise_kernel; @@ -119062,7 +119235,7 @@ index f03dcf567..cf9950e36 100644 -kernel_read_network_state(svirt_lxc_net_t) -kernel_read_irq_sysctls(svirt_lxc_net_t) -+allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; ++allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; +dontaudit svirt_qemu_net_t self:capability2 block_suspend; +allow svirt_qemu_net_t self:process { execstack execmem }; 
@@ -119370,7 +119543,7 @@ index f03dcf567..cf9950e36 100644 +virt_sandbox_domain_template(svirt_kvm_net) +typeattribute svirt_kvm_net_t sandbox_net_domain; + -+allow svirt_kvm_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; ++allow svirt_kvm_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; +dontaudit svirt_kvm_net_t self:capability2 block_suspend; + +tunable_policy(`virt_sandbox_use_netlink',` @@ -119450,8 +119623,8 @@ index f03dcf567..cf9950e36 100644 + systemd_dbus_chat_logind(sandbox_net_domain) +') + -+allow sandbox_caps_domain self:capability { chown dac_read_search dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap }; -+allow sandbox_caps_domain self:cap_userns { chown dac_read_search dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap }; ++allow sandbox_caps_domain self:capability { chown dac_read_search fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap }; ++allow sandbox_caps_domain self:cap_userns { chown dac_read_search fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap }; + +list_dirs_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) +read_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) @@ -119736,7 +119909,7 @@ index 20a1fb296..470ea9528 100644 allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms }; allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms }; diff --git a/vmware.te b/vmware.te -index 4ad18944a..b5891580a 100644 +index 4ad18944a..c3b3f8c0c 100644 --- a/vmware.te 
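Review bot: The sandbox_caps_domain hunk removes dac_override from both the `capability` and the `cap_userns` rule, which affects every domain assigned to sandbox_caps_domain rather than a single daemon. Processes running as root inside such a sandbox that write to files owned by another UID would presumably now be denied by SELinux even when the runtime grants them the capability, and the failure would only show up as an AVC record on the host. The tightening is sound, but it should be tested against real container workloads first and explained in a comment above the two rules, e.g. `# dac_override withheld from sandboxed containers; see changelog 3.13.1-288`.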
+++ b/vmware.te @@ -65,7 +65,8 @@ ifdef(`enable_mcs',` @@ -119745,7 +119918,7 @@ index 4ad18944a..b5891580a 100644 -allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override }; +allow vmware_host_t self:capability { net_admin sys_module }; -+allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_read_search dac_override }; ++allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_read_search }; dontaudit vmware_host_t self:capability sys_tty_config; allow vmware_host_t self:process { execstack execmem signal_perms }; allow vmware_host_t self:fifo_file rw_fifo_file_perms; @@ -119816,7 +119989,7 @@ index 4ad18944a..b5891580a 100644 # -allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown }; -+allow vmware_t self:capability { dac_read_search dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown }; ++allow vmware_t self:capability { dac_read_search setgid sys_nice sys_resource setuid sys_admin sys_rawio chown }; dontaudit vmware_t self:capability sys_tty_config; allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow vmware_t self:process { execmem execstack }; @@ -120024,7 +120197,7 @@ index 7a7f34297..afedcba80 100644 ## ## diff --git a/vpn.te b/vpn.te -index 95b26d126..3d74e70cc 100644 +index 95b26d126..ac16df363 100644 --- a/vpn.te +++ b/vpn.te @@ -6,6 +6,7 @@ policy_module(vpn, 1.16.0) 
@@ -120035,7 +120208,12 @@ index 95b26d126..3d74e70cc 100644 type vpnc_t; type vpnc_exec_t; -@@ -28,9 +29,13 @@ allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock n +@@ -24,13 +25,17 @@ files_pid_file(vpnc_var_run_t) + # Local policy + # + +-allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw setuid }; ++allow vpnc_t self:capability { dac_read_search net_admin ipc_lock net_raw setuid }; allow vpnc_t self:process { getsched signal }; allow vpnc_t self:fifo_file rw_fifo_file_perms; allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; @@ -120563,7 +120741,7 @@ index 4815a93f4..24dcf5174 100644 + rhcs_rw_cluster_tmpfs(wdmd_t) ') diff --git a/webadm.te b/webadm.te -index 2a6cae773..d2752d9bb 100644 +index 2a6cae773..0b771ed70 100644 --- a/webadm.te +++ b/webadm.te @@ -25,12 +25,21 @@ role webadm_r; @@ -120579,7 +120757,7 @@ index 2a6cae773..d2752d9bb 100644 # -allow webadm_t self:capability { dac_override dac_read_search kill sys_nice }; -+allow webadm_t self:capability { dac_override dac_read_search kill sys_nice sys_resource }; ++allow webadm_t self:capability { dac_read_search kill sys_nice sys_resource }; + +manage_dirs_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t) +manage_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t) @@ -120628,7 +120806,7 @@ index 64baf679e..76c753b1a 100644 -/var/www/usage(/.*)? gen_context(system_u:object_r:httpd_webalizer_content_t,s0) +/var/www/usage(/.*)? gen_context(system_u:object_r:webalizer_rw_content_t,s0) diff --git a/webalizer.te b/webalizer.te -index ae919b9a5..cdd9359d1 100644 +index ae919b9a5..12097d0e4 100644 --- a/webalizer.te +++ b/webalizer.te @@ -33,7 +33,7 @@ files_type(webalizer_write_t) 
@@ -120636,7 +120814,7 @@ index ae919b9a5..cdd9359d1 100644 # -allow webalizer_t self:capability dac_override; -+allow webalizer_t self:capability { dac_read_search dac_override }; ++allow webalizer_t self:capability { dac_read_search }; allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow webalizer_t self:fd use; allow webalizer_t self:fifo_file rw_fifo_file_perms; @@ -121605,7 +121783,7 @@ index f93558c5a..16e29c141 100644 files_search_pids($1) diff --git a/xen.te b/xen.te -index 6f736a993..c1ba3ba4b 100644 +index 6f736a993..ca29783fb 100644 --- a/xen.te +++ b/xen.te @@ -4,39 +4,31 @@ policy_module(xen, 1.13.0) @@ -121848,7 +122026,7 @@ index 6f736a993..c1ba3ba4b 100644 -dontaudit xend_t self:capability { sys_ptrace }; -allow xend_t self:process { setrlimit signal sigkill }; -dontaudit xend_t self:process ptrace; -+allow xend_t self:capability { dac_read_search dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_rawio }; ++allow xend_t self:capability { dac_read_search ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_rawio }; +allow xend_t self:process { signal sigkill }; + +# needed by qemu_dm @@ -122049,7 +122227,7 @@ index 6f736a993..c1ba3ba4b 100644 # -allow xenconsoled_t self:capability { dac_override fsetid ipc_lock }; -+allow xenconsoled_t self:capability { dac_read_search dac_override fsetid ipc_lock }; ++allow xenconsoled_t self:capability { dac_read_search fsetid ipc_lock }; allow xenconsoled_t self:process setrlimit; allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; allow xenconsoled_t self:fifo_file rw_fifo_file_perms; 
@@ -122101,7 +122279,7 @@ index 6f736a993..c1ba3ba4b 100644 -allow xenstored_t self:capability { dac_override ipc_lock sys_resource }; -allow xenstored_t self:unix_stream_socket { accept listen }; -+allow xenstored_t self:capability { dac_read_search dac_override ipc_lock sys_resource }; ++allow xenstored_t self:capability { dac_read_search ipc_lock sys_resource }; +allow xenstored_t self:unix_stream_socket create_stream_socket_perms; +allow xenstored_t self:unix_dgram_socket create_socket_perms; @@ -122305,7 +122483,7 @@ index 6f736a993..c1ba3ba4b 100644 - fs_manage_xenfs_files(xm_ssh_t) -') diff --git a/xfs.te b/xfs.te -index 0928c5d6a..b9bcf8824 100644 +index 0928c5d6a..99a430031 100644 --- a/xfs.te +++ b/xfs.te @@ -23,7 +23,7 @@ files_pid_file(xfs_var_run_t) @@ -122313,7 +122491,7 @@ index 0928c5d6a..b9bcf8824 100644 # -allow xfs_t self:capability { dac_override setgid setuid }; -+allow xfs_t self:capability { dac_read_search dac_override setgid setuid }; ++allow xfs_t self:capability { dac_read_search setgid setuid }; dontaudit xfs_t self:capability sys_tty_config; allow xfs_t self:process { signal_perms setpgid }; allow xfs_t self:unix_stream_socket { accept listen }; @@ -122656,7 +122834,7 @@ index 04096a050..98a8205a7 100644 xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) diff --git a/yam.te b/yam.te -index 2695db25c..c1ec89384 100644 +index 2695db25c..311159866 100644 --- a/yam.te +++ b/yam.te @@ -26,7 +26,7 @@ files_tmp_file(yam_tmp_t) @@ -122664,7 +122842,7 @@ index 2695db25c..c1ec89384 100644 # -allow yam_t self:capability { chown fowner fsetid dac_override }; -+allow yam_t self:capability { chown fowner fsetid dac_read_search dac_override }; ++allow yam_t self:capability { chown fowner fsetid dac_read_search }; allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; allow yam_t self:fd use; allow yam_t self:fifo_file rw_fifo_file_perms; 
@@ -122875,7 +123053,7 @@ index dd63de028..38ce6208e 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 7f496c617..bf2ae51d0 100644 +index 7f496c617..ad28abbc1 100644 --- a/zabbix.te +++ b/zabbix.te @@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0) @@ -122969,7 +123147,7 @@ index 7f496c617..bf2ae51d0 100644 -allow zabbix_t self:sem create_sem_perms; -allow zabbix_t self:shm create_shm_perms; -allow zabbix_t self:tcp_socket create_stream_socket_perms; -+allow zabbix_t self:capability { dac_read_search dac_override }; ++allow zabbix_t self:capability { dac_read_search }; + +manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) +manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) @@ -123423,7 +123601,7 @@ index 36e32df6d..3d089626e 100644 + manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) ') diff --git a/zarafa.te b/zarafa.te -index 3fded1c4d..8bea5e820 100644 +index 3fded1c4d..7bcf05a6c 100644 --- a/zarafa.te +++ b/zarafa.te @@ -5,9 +5,14 @@ policy_module(zarafa, 1.2.0) @@ -123634,7 +123812,7 @@ index 3fded1c4d..8bea5e820 100644 +# + +# bad permission on /etc/zarafa -+allow zarafa_domain self:capability { kill dac_read_search dac_override chown setgid setuid }; ++allow zarafa_domain self:capability { kill dac_read_search chown setgid setuid }; +allow zarafa_domain self:process { signal_perms }; allow zarafa_domain self:fifo_file rw_fifo_file_perms; -allow zarafa_domain self:tcp_socket { accept listen }; @@ -124374,7 +124552,7 @@ index 000000000..fb0519ebf + diff --git a/zoneminder.te b/zoneminder.te new file mode 100644 -index 000000000..c9ad1b330 +index 000000000..ba9ab9a8a --- /dev/null +++ b/zoneminder.te @@ -0,0 +1,187 @@ 
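Review bot: The comment `# bad permission on /etc/zarafa` still sits directly above the zarafa_domain capability rule, but the rule no longer grants dac_override. If the comment was the justification for dac_override it is now stale; if dac_read_search alone is what works around the directory mode, the comment should say so, e.g. `# bad permission on /etc/zarafa, read access via dac_read_search is sufficient`. As written a reader cannot tell which capability the workaround depends on, which makes it likely that dac_override gets re-added later.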
@@ -124435,7 +124613,7 @@ index 000000000..c9ad1b330 +# +# zoneminder local policy +# -+allow zoneminder_t self:capability { chown dac_read_search dac_override }; ++allow zoneminder_t self:capability { chown dac_read_search }; +allow zoneminder_t self:process { signal_perms setpgid }; +allow zoneminder_t self:shm create_shm_perms; +allow zoneminder_t self:fifo_file rw_fifo_file_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 110607f..c66eaa8 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 287%{?dist} +Release: 288%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -682,6 +682,9 @@ exit 0 %endif %changelog +* Fri Sep 22 2017 Lukas Vrabec - 3.13.1-288 +- Remove all unnecessary dac_override capability in SELinux modules + * Fri Sep 22 2017 Lukas Vrabec - 3.13.1-287 - Allow init noatsecure httpd_t - Allow mysqld_t domain to mmap mysqld db files. BZ(1483331)